Culture is not merely the articulation of an organization’s mission and values; it is the ongoing effort to ensure that those values are reflected in its attitudes and interactions. Anyone can pay a marketing firm to develop a mission statement for them. It’s much harder to walk the talk in a credible and authentic manner—to make sure that these values as reflected in written procedures are actually demonstrated (and perceived by employees) in how the business operates. And that’s where internal audit can step in.
Auditors have viewed measuring culture with hesitation because culture itself is subjective, taking auditors themselves—who are process-oriented and seek objective measures—out of their comfort zone. Yet evaluating culture and the effectiveness of a compliance program certainly fits within the bailiwick of the audit skill set. It is, however, much more than a checklist and requires consideration of the qualitative aspects of the business. Still, it can be approached in a systematic and methodological manner.
While there’s no specific framework for auditors to conduct an audit of culture, the COSO Internal Control–Integrated Framework provides a starting point. The evaluation of the control environment is one that should already be leveraged by internal audit to apply to compliance program effectiveness (as well as to fraud control standards). Auditors can refer to the points of focus in the new framework to enhance their understanding.
Auditors are familiar with several techniques used to evaluate corporate culture as areas of focus of the control environment. Most audit projects should already look at the tone at the top of whichever functional area is in the scope of the audit, including communication flows among senior managers, middle managers, and rank-and-file employees, to help gauge that tone. Some audit departments integrate soft control evaluations into their everyday audit procedures. Others conduct structured, entity-level interviews and may combine those with the use of focus groups.
Keep in mind that that the points of focus under the first COSO principle that, “The organization demonstrates a commitment to integrity and ethical values,” closely aligns with the promotion of ethical conduct under the Federal Sentencing Guidelines. The updated internal controls framework provides four points of focus which sound familiar to the compliance officer: setting the “tone at the top;” establishing standards of conduct; evaluating adherence to standards of conduct; and addressing deviations in a timely manner.
Although auditors might meet some resistance when they take a discussion about culture to the highest levels of the organization, this is an opportune time to really step up and demonstrate the value of a robust evaluation of your company’s culture.
Most audit projects should already look at the “tone at the top” of whatever functional area is within the audit’s scope, including communication among senior managers, middle managers, and rank-and-file employees to help gauge that tone. Some audit departments integrate soft control evaluations into their everyday audit procedures. Others conduct structured, entity-level interviews and may combine those with the use of focus groups.
Surveys as a cultural assessment tool
Employee surveys that allow anonymity continued to be one of the most effective and efficient ways to measure corporate culture. Such questions probe areas related to the tone at the top/middle, and management's overall commitment to upholding the company's ethical and legal standards.
Developing a custom-designed survey is hard work and should be approached carefully. Survey design entails crafting precise questions, answer design and selection, question sequencing, validity checks, and pilot testing. Pilot testing provides crucial insights from typical respondents about the length, clarity, ease of completion, and technical issues related to taking the survey.
A useful approach is to take advantage of existing rigorous surveys such as the National Business Ethics Survey (NBES) by the Ethics & Compliance Initiative. The technique here is to select key questions from the NBES and incorporate them into your broader company employee survey that is typically managed by human resources or an external firm. In this manner you can analyze results and trend internally over time, while comparing externally to comprehensive and historical NBES data.
Overall the NBES is quite extensive, but several core questions get to the heart of the ethical climate areas of most significance to a compliance program. Academic studies have indicated that there are certain features of a compliance program and consequential employee perceptions that are more significant than others. In particular, perceptions on leadership authenticity regarding ethical values and the handling of reported misconduct (including observations of retaliation), appear to be the most significant factors.
In deploying a survey, employees respond on a standard Likert five-point scale, from strongly agree to strongly disagree. Examples of cores NBES questions to adopt include:
The leader of my organization sets a good example of ethical business behavior;
My manager sends a clear message that unethical behavior is not tolerated;
I do not feel pressured to compromise the company’s Code of Conduct;
I have no fear of retaliation for reporting unethical behavior;
If I report unethical behavior, I am confident the appropriate corrective action will be taken.
When companies use these questions for the first time, they’re often surprised by the results. For example, corporate leaders might believe they are saying all the right things, but then realize that employees look beyond the words and perceive other messages. The survey results can be drilled down to determine specific areas of concern (business segment, value of the hotline process, and the like) and be used to determine corrective action plans. Don't assume that culture is uniform across departments or locations, or that line employees will have the same opinion of the company’s values as the executives.
Surveys, while useful, provide limited information, however. And audits come with their own baggage, being perceived as negative and/or a checklist exercise.
Depending on your survey results, you may want to dig deeper to elicit root symptoms and other causes. Culture is a challenge to measure, in part, because of built-in structural and behavioral forces that can keep CEOs and senior management from having their finger on the pulse of the organization. Employees often have a difficult time sounding off to management. Executive leaders also have a vested interest in getting the CEO’s approval, and if that approval only goes to people who report what leadership wants to hear, it can mean the true state of affairs is not known.
A deeper dive would combine a number of measurement tools most likely entailing more extensive interviews with a wider scope of individuals, as well as facilitated focus groups. Interviews and discussions would be open-ended and include identifying potential ideas for improving culture and remediating persistent problems.
The FINRA Targeted Exam Letter made good on that promise that culture will be a major focus by asking firms questions on how they communicate, reinforce, monitor, and measure organizational values. These questions provide ideas for conducting an audit of your culture or performing a deeper dive. Probe on the following:
whether control functions are valued within the organization, including having key policies and processes by which the firm establishes cultural values
whether policy or control breaches are tolerated
whether immediate managers are effective role models of firm culture
Although auditors might meet some resistance when they take a discussion about culture to the highest levels of the organization, this is an opportune time to really step up and demonstrate the value of a robust evaluation of your company’s culture. Achieving a high-performance culture deserves to be a top agenda item for every company hoping to stay competitive.