The Delicate Business of Auditing Culture

Recently I had a post exploring four phases of maturity for corporate culture, as defined by the chief accountant of the Securities and Exchange Commission. And by sketching out a path for corporate culture to progress to a higher state, that speech raised another important question.

How can one audit corporate culture, to see whether the organization is moving along that path?

Earlier this spring I talked with numerous chief audit executives about that very point. The task isn’t easy under the best of circumstances; some said they weren’t even sure how to begin.

Still, the U.S. Sentencing Guidelines say that a corporate compliance program should assess its effectiveness regularly. Assessing how well a process works is what audit executives do. Moreover, regulators now talk about the importance of corporate culture constantly. (SEC chairman Jay Clayton delivered his own speech about corporate culture several weeks ago, too)

So whether internal audit executives want to identify the “baseline” corporate culture, with all the strengths and weaknesses therein; or to assess the organization’s efforts to improve culture — auditing corporate culture is a concept that is here to stay.

First, Define the Scope of Your Culture Audit

Defining scope is a standard step for internal auditors, but “auditing culture” is an especially vague notion that needs clear boundaries.

 Another reason, however, is because the CEO cites workforce diversity and pay equity as corporate priorities.

For example, I know one firm that audits pay equity by both gender and race. Does a sense of equitable pay practices among your workforce improve culture? Sure, and that’s one reason why the firm looks at those issues. Another reason, however, is because the CEO cites workforce diversity and pay equity as corporate priorities. So this firm is trying to assure that the tone struck by the CEO is in step with what the workforce actually believes.

Let’s not kid ourselves, either: pay, gender, and racial data is something every company has — and gross disparity in pay can lead to litigation risks from unhappy employees. To a certain extent, the auditor is assessing practical risks that generate real data he can audit, with practical recommendations the audit function can present to HR and senior management.

But the whole exercise is designed to see how tone at the top aligns with the “real” culture in middle and lower ranks. It’s smart.

Identify Values & Incentivize Reaching Them

To my thinking the best discussion of culture from a regulator came from William Dudley, now former CEO of the New York Fed. Last year he recommended three steps organizations should take to analyze corporate culture.

  • Decide on your purpose and core values — or, as Dudley put it, “What are you for?”
  • Measure how well the workforce is striving to achieve that purpose (and how well your firm compares against peers on that score).
  • Then, after the firm determines how far it is from its purpose and values, engineer your incentives so employees work harder to achieve those goals.

The magic words there, of course, are “values” and “incentives.”

Corporate values are what the board and CEO say they are; auditors won’t usually get an opportunity to “audit” the wisdom of some values compared to others. Incentives, on the other hand, are something that auditors can audit.

For example, auditors could explore how much of the sales team’s compensation hinges on incentives or performance bonuses, and whether that formula is roughly in step with the company’s peers. Then you could examine issues like suspicious payments, high gifts-and-entertainment expenses, or “product returns” that miraculously arrive just after end of the period (and when the executive hit the performance target).

From those clues, audit executives can start to piece together the puzzle of corporate culture.

Company Culture Audits Are Puzzles to Piece Together

Astute readers will notice I glossed over Dudley’s second point, “measure how well the workforce is striving to achieve that purpose.” After all, isn’t that what auditing culture actually is?

Yes, and my example about incentives shows the path forward. Rather than documenting what the culture is (that can be done with an employee survey), look for processes that drive employee behavior and perceptions and that can be measured in an objective way.

Incentive-based pay, suspicious payments, questionable returns: they can all be measured.

Incentive-based pay, suspicious payments, questionable returns: they can all be measured. Insights about those subjects, coupled with culture surveys that HR or the compliance department compile separately — that brings you much closer to figuring out why the corporate culture is the way it is, and how the company might amend policies, procedures or controls to change it.

Those clues about corporate culture can exist in several metrics. Data about retaliation, for example, are a rich vein to explore: How many reports come in about a certain manager, or a certain level of manager? How many reports are there on a certain type of complaint? Do investigations into retaliation take longer than investigations about other issues?

Approaches like that let auditors do what they like to do: study the data, understand a process, identify the root cause of weaknesses, and recommend improvements. Those steps, marshalled with other efforts from the HR and compliance team, can take you from auditing culture to improving it. And that’s the goal.

eBook: 25 Simple Yet Overlooked Ways to Boost Your Ethics and Compliance Program

Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.

The Element of Surprise Keeps Things Honest

Differentiating a Root-Cause Analysis from a Risk Assessment & Internal Investigation

The DOJ’s Evaluation of Corporate Compliance Programs adds a new element to the 10 Hallmarks of an Effective Compliance Program released in the 2012 FCPA Guidance. That element is a root-cause analysis, which is now required whenever there is a reportable compliance failure. Learn what a root-cause analysis is and how it fits into your current compliance risk assessment and investigations processes.
Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

Managing Employee Risk Requires a Culture of Compliance

The steps to create a culture of compliance is more than just checking the box for employees and leaders within an organization. A culture of compliance is essential to prevent unethical or illegal actions, not just clean up after something unethical or illegal happens. Learn how a culture of compliance is more than just having a CCO or providing annual training.
Next Post Previous/Next Article Chevron Icon of a previous/next arrow.