James C Paterson recently wrote an in-depth article providing a summary of key points concerning common misperceptions on auditing culture: Culture and behaviour and Auditing Culture – A primer (part 1). Paterson is a former Chief Audit Executive and runs training on auditing culture, root cause analysis, the politics for internal audit and a range of other courses for 12 of the IIA organizations in Europe.
In his article, Paterson talks about the role of psychology in culture and behaviour, the role of systemic factors in culture and behaviour, and shortcomings in relation to work done on culture. The most interesting part is his view on how to use the IIA Standards in auditing culture.
IIA Standards to the rescue?
I think, when you think about culture and auditing culture from an internal audit point of view, it can help to go back to basics:
- We need to do risk-based audit plans (IPPF 2010) – so that means we need to be clear: is any cultural audit we plan to do actually going to reveal a key risk? Saying that some employees in some areas are not so motivated, or that other employees would like more training may be an interesting point, but what’s this got to do with the key risks the organisation faces?
- We need to have assignments that are aligned to strategies, objectives, risk and control processes (IPPF 2200) – even if we think that not having a compliance culture is a key risk, where exactly will be the areas of greatest concern, and what measures/controls (if any) are already in place to monitor/manage/control the behavioural/cultural risk? (This is why the notion of a culture/behavioural risk assurance universe is very interesting).
- We need to ensure clear, robust criteria for any assignment (IPPF 2210), against which we can judge any facts obtained. So, if we are inclined to accept a culture framework adopted by management, how are we going to judge whether this framework is well designed? Second, if we want to propose an external framework (e.g. a model/questionnaire from a consultant), why would we choose one framework rather than another? If we choose a model that matches regulatory concerns, what may be the other important areas that such a model does not address?
- Co-ordination and Assurance (2050) – we should share information, co-ordinate with, and consider relying upon other internal or external assurance providers; and note that line management assurance is included within this definition! So that means we need to understand how much we can rely on existing culture measurement and management processes before we start doing any audit work on culture.
Of course, there are standards around proficiency and evidence gathering that must be followed as well, and we will explore these issues, and other practical solutions to looking at behaviour and culture, in the next article.