Auditing Corporate Culture

Do we care?

An article recently from the IIA, published around the end of 2015, talks about the importance of auditing corporate culture. This article has raised several comments and threads on specialist blogs and Linked In. To my surprise.

Quite frankly, even to the limited number of people out there interested in Internal Audit issues, the real question one can ask is: do we care? And I do not mean this in a disrespectful way.

Borrowed from this IIA article again: the Confederation of British Industry (CBI) describes the culture of an organisation as ‘the mix of shared values, attitudes and patterns of behaviour that give the organisation its particular character’.

Great so far. But when I say out loud “Corporate Culture”, in my head I have images of young trendy hipsters in an Apple Store or Christmas parties wild celebrations. What has that got to do with audit?

Not much if you asked me, but it is getting a lot of attention, so I’m deducing that it must be an important issue.

If you have met us at 3003 Consulting or if you have visited our website, you will know that we are great believers in everything “lean”: lean startup, lean management and therefore in lean auditing too. As part of our internal audit methodology, we work on the following matrix:

Objectives > Risks > Controls > Audits > Issues > Report > Follow-up

These are also the pillars on which we have built our upcoming audit application #kob. It is lean, it is explainable, it is measurable and most of all…even I can understand it.

Now, we asked ourselves a question: if you try to apply the above model to Corporate Culture, does it work? It still works, but it gets trickier. Why?

Hard vs. Soft Controls

Before my audit life, if you asked me which industry was definable by Hard and Soft, I would have immediately thought at a very specific and profitable type of business…But then adult life takes its toll on you and when you get asked about Hard vs. Soft there is only one thing in your mind: controls.

Little refresher:

Hard controls are the easier one to measure the “hard truths”, the “hard facts of life”, the “hard documentation”…stuff that was there, is there and will always be there: contracts, policies, invoices, statements and so on and so forth. Auditors’ best friends, in short.

Soft controls are the tricky ones “soft skills”, “soft approach”, the grey areas, the in between the lines, the inherent, the stuff that takes experience or discussions to get to grips with. Auditors’ worst nightmare, in short.

Now Corporate or Organisational culture is by definition mostly about soft controls. The key question is: how can you measure, monitor and compare values, attitudes, behaviours?

If confused, stick a model in it and hope for the best

Over the years I have developed a theory: people use and abuse models and hide behind them. Models have multiplied and proliferated: in the early days we used to talk about SWOT, Pestel, 5Ps and essentially they were used to summarise and simplify a concept or an analysis.

I have noticed that this early models have become parents and then grandparents to more complex and more exotic models, so we went from using a model to summarise a concept to models that come with an instructions book because they are so complex and out of touch that their practical application needs a manual (usually available in a premium business school near you).

The above-mentioned article goes on saying basically that organisations and their culture are becoming more and more complex and that there are some models out there to help you understand this complexity. Fine. But what has this got to do with auditing corporate culture?

Compare and benchmark

The biggest misconception around audit in my opinion is that many executives still think that the it’s the department for the busy-bee, stick your nose in it bunch of people that love nothing more than fighting windmills. Although I have met some professionals with the tendency to stick their nose in and go down the judgmental route when auditing, the majority of professional Internal Auditors have a very distinct and methodical approach to tackling audit work and reports.

For an audit to be effective, it needs to be comparable and whenever possible substantiated by documented analysis. I feel that, in many cases, companies are not at the mature stage of their internal audit trajectory to support their teams to undergo a measured and comparable assessment of the organisational culture. This results in what a separate report by the Chartered Institute of Internal Auditors defines as the reliance on gut feeling.

A balanced approach

This second and more detailed paper by the Chartered Institute of Internal Auditors offers a more balanced approach to the issue. An approach that I totally share.

The essence is that any sensible professional will find going by their gut feeling quite dangerous and most internal audit departments are not yet equipped to effectively assess, document and compare soft controls.

A slow and steady progression is therefore needed to effectively audit what is broadly defined as “organisational culture”. Tools such as checklists, surveys, self-assessment questionnaires along with the involvement of departments and functions not usually directly connected to audit, will form part of an approach to assess corporate culture. It has to be however integrated: a concerted effort and a structured approach to avoid over reliance on misguided soft controls auditing, which would if nothing else, discredit the audit function.

A new Internal Audit function

The above is just the latest topic in a series of discussions on new areas of the modern organisation in which the audit function is asked to be part of. It all feeds in to one common theme, which I defined as the value-added audit function.

In the post-crisis world, the Internal Audit function needs also to reinvent itself from a pure control and monitoring to a value-added business consulting role. One of the areas in which Internal Audit can become more than an evil necessity (for some) and a misunderstood function (for many) is the measurement and coordination of soft KPIs. This role can however be achieved if the Internal Audit function has a leadership role and a coordinated and integrated approach: gone are the days of the clipboard holding Internal Auditor disconnected from the day to day life of the business.

Keep it Lean

The important element in a complex setup such as auditing corporate culture is to cut through the complexity and ensure that the drivers are identified early on.

In this respect our model works very well also when applied to corporate culture auditing. It requires of course significantly more thought process than in more standard audit cycles for example procure-to-pay or hire-to-retire, but it offers a structured and effective approach to identify objectives right through issues and remediations, for hard and soft controls alike.

From setting objectives to following up identified risks, we as auditors, need to ensure essential measurability and comparability through an integrated internal model.

Only this way internal auditors can become that value added support that businesses are crying out for.

Free to share and republish, please credit the author Roberto Zambelli (roberto.zambelli@3003consulting.com) and the source.

Roberto is a management consultant specialized in project and change management, lean management, audit and investigations. He is also the founder of the upcoming internal audit platform #kob and its siblings.

Available for speaking opportunities, lecturing and writing collaborations.