Guest Blog:
Once upon a time, Little Red Riding Hood ventured out into the forest to visit her poor, sick grandmother. Along the way, she encountered a charming wolf, which gave her no cause for alarm. Although he asked countless questions about where she was going and distracted her with beautiful flowers, Little Red Riding Hood was not skeptical and paid no attention to why he was asking.
It wasn’t until she arrived at her grandmother’s house with the front door ajar that she began to feel uneasy. And we know how the story goes from there. She finds the wolf in her grandmother’s bed and it’s at that moment that she starts to see small details that seem off. “Oh grandmother, what big ears you have; “But grandmother, what big eyes you have;” and “Oh grandmother, what large teeth you have!” But by then it was too late and, with an “All the better to eat you with,” the wolf gobbled up Little Red Riding Hood in a single gulp.
There are many lessons to be learned from fairy tales, and Little Red Riding Hood is no exception. One of the themes of the ageless, cautionary children’s story is that the woods are filled with layers of detail, both beautiful and harmful, and its important to see them all for what they are. Corporate culture is similar. There are good and bad aspects of culture at most companies, and we can’t get lulled into missing those small clues and suggestions that something might be amiss underneath the surface. In recent conversations about auditing culture, a hot topic in the internal audit community, there are often many little red flags along the way that may be indicative of a broader issue, but it’s up to internal audit to pay attention to them.
What is Corporate Culture?
Corporate culture is defined as “the shared values, attitudes, standards, and beliefs that characterize members of an organization and define its nature. Corporate culture is rooted in an organization’s goals, strategies, structure, and approaches to labor, customers, investors, and the greater community.” Internal audit teams embarking on an audit of their organization’s corporate culture must pay attention to the small signs to ensure there isn’t a pervasive issue.
Timing is also important. If you embark on a culture audit when there are already signs of big underlying culture problems or when a reputation-threatening incident has already occurred, you may be the young lady in red finding the Big Bad Wolf already inside grandmother’s house. Poor corporate cultures are corrosive and can quickly seep deep into the ranks of the organization, breeding discord and encouraging damaging behavior. Internal auditors must assess the culture and sound the alarm bells when problems are evident, well before it bares its ugly teeth.
What to Look for
Auditing culture may take on different forms. Some internal audit teams audit culture as a standalone audit, while others include a “culture rating” in every audit report. If you’re preparing to audit your organization’s culture, here are some topics to consider:
° Tone at the Top, Middle, and Bottom: While the idea of “tone at the top” emerged with the passing of the Sarbanes-Oxley Act, culture audits go deeper into the organization to look at the system of shared beliefs and how employees engage with each other. Do employees feel safe to report concerns? Do they feel empowered to do their jobs? Do employees believe they are accountable for their actions? Internal audit should interview employees at all levels, not just senior leaders of the organization, to understand the true culture of the organization. Managers at the middle levels may feel more at liberty to talk about how things really are and help internal auditors see all of those ugly teeth, while senior managers may say what they think internal auditors want to hear and only show internal audit big eyes and ears.
° Strategy and Goals: A breakdown in corporate culture can often arise from lack of clarity around the strategic objectives of the company. Does the strategy align with the organization’s goals? Do performance management or compensation processes incentivize behavior that contradicts corporate strategy? Has the strategy been communicated consistently and broadly? Internal auditors should pay attention to what the corporate strategy tells them about how the employees of the firm behave. Understanding the wolf’s strategy may have helped Little Red Riding Hood from sending the wolf to her grandmother’s house in the first place.
° Company Policies: Another red flag would be lack of critical policies that outline acceptable behaviors within an organization such as a solid code of conduct, and policies that outline whistleblower protections, travel and entertainment expense reporting, delegation of authority, procurement, and other functions. Documenting the policies alone, however, doesn’t mean you’re in the clear. How are the policies communicated? Are they being followed? How are people within the organization trained? How is compliance enforced? Internal audit should also pay attention to whether there are exemptions or management overrides of these important policies. The little girl was not concerned by the wolf’s words, but she might have been more cautious if she paid closer attention to his actions.
° Reporting to the Board: Internal audit must also consider what information the organization reports to the board of directors and how it is reported. Is the board aware of statistics from the whistleblower hotline? Does the board directly receive regular reporting from various risk functions such as compliance, chief information security officer, and chief audit executive? Are the strategic priorities presented to the board consistent with the strategy communicated to the organization? If the board’s role is oversight, Internal Audit should make sure they have all the important information to perform their duties effectively. If Little Red Riding Hood’s mother had more information about the dangers that lurk in the woods on the way to grandma’s house, it’s unlikely she would have ever let her go in the first place.
° Outside Evidence: Information from sources such as Glassdoor, external auditors, regulators, industry peers, and benchmarking data may indicate there is something that should be further examined. What do former employees say about the organization and why they left? Does the company have a “reputation” in the market? Are there unethical practices that are prevalent in the industry to look out for? Do the external auditors have any concerns relating to culture? It may seem counterintuitive to look outside an organization to assess the culture inside of it, but internal audit can and should examine all the information that is available to them. Maybe if there was information available about the prevalence of wolves in the woods, the young girl could have been more prepared or have gone another way.
Corporate culture is a lot like the woods that Little Red Riding Hood travels through to grandmother’s house. It is multilayered with detail, full of beauty but also danger, and it can be both wondrous and difficult to navigate. It’s important to take it in and also be on guard for what could be lurking in the trees. When it comes to auditing culture, remember to pay attention to all the signs and make sure you don’t get gobbled up by the Big Bad Wolf.
Jill Agudelo has almost twenty years of experience in internal audit, Sarbanes-Oxley (SOX), and risk management. She is a senior leader and the national SOX lead within the Risk and Compliance practice at CrossCountry Consulting, a business advisory firm. Additionally, Jill oversees CrossCountry’s client delivery for a Fortune 100 company.