July 16, 2020

In essence, audits of organizational culture are about determining whether an organization’s actual culture and behaviours conform to its professed, desired culture. This implies that the first requirement in a culture audit is to have a good understanding of the desired culture in the audited organization, including a clear picture of the expected behaviours that would embody this culture. From this point, auditors can proceed to identify areas where a gap between desired and actual behaviours could present significant risks to achieving an organization’s objectives. During this risk assessment process, auditors should pay particular attention to red flags that may indicate cultural issues worth examining further.
These red flags can include, among others:
- Some financial or safety controls are frequently overridden. This may indicate a cultural bias toward producing outputs at any cost, to meet unrealistic organizational targets.
- Failure to enforce codes of conduct and related policies and procedures. For example, compliance violations are noted but bring no consequences.
- Mistrust of auditors and regulators, and poor track record of implementing recommendations made by them.
- High rates of discontent expressed in employee surveys, across the organization or in specific divisions.
- High rates of complaints about the organization (or its personnel) filed by staff, clients, or the public.
- High staff turnover and absenteeism rates.
- Long-standing unresolved issues are not addressed. For example, when similar audit observations have been made many times over the years and no concrete actions have been taken to resolve the identified problem.
- Lack of actions or incentives to support organizational values. For example, no actions are taken to improve gender equality despite a stated goal to that effect.
- Lack of alignment of performance incentives and metrics with the organization’s policies and values. For example, incentives may only reward the delivery of projects on time and on budget, while the organizational values emphasize excellence of products and quality of services.

Auditors can obtain information to support risk assessment and to identify red flags in various ways. They can start by reviewing previous audits and an organization’s rate of implementing recommendations. They can also consult other financial and performance auditors who know the organization well and ask for their opinion on its culture. Next, they can review available information on the organization’s values and ethical commitments before requesting and analyzing staff survey reports, human resources policies, performance incentives, documentation of exit interviews, minutes of key management meetings, and so on. Of course, conducting interviews with management to obtain additional information is also part of the usual risk assessment process.
There is much more to learn in our Research Highlights article on Auditing Organisational Culture in the Public Sector.