June 2017 30 Internal audItor
causes of poor
nron, Worldcom, FIFA, General Motors, Volkswagen, and
Wells Fargo are just a few examples of scandals caused by
organizational cultures that encouraged inappropriate behavior. The reputation risk cries out for audit coverage, yet only
42 percent of internal audit functions are auditing their organization’s culture, according to The IIA’s 2016 North American Pulse of Internal Audit study.
Auditing an organization’s culture can be challenging
because of its complexity, its subjectivity, and the potential
resistance of key players. However, approaches and techniques pioneered by some
internal audit functions can help auditors successfully enhance coverage of culture.
Complexity of Culture
One definition of culture is “the actual values that influence everyday behavior
within the organization.” These are not the organization’s stated values or desired
values, but the values people actually live by in the workplace. Culture is shaped
primarily by tone at the top, but it is also influenced by factors such as business
strategy, organizational structure, incentives, employees’ personal values, and
human resource practices. Each factor interacts with the others in a complex web.
Adding to this complexity are:
Subcultures Managers create subcultures within their spheres of influence,
which might not be consistent with the organization’s culture. This challenge is
Illustration by Edwin Fotheringham