Once upon a time, Little Red Riding Hood ventured out into the forest to visit her poor, sick grandmother. Along the way, she encountered a charming wolf who gave her no cause for alarm. Although he asked countless questions about where she was going and distracted her with beautiful flowers, Little Red Riding Hood was not skeptical and paid no attention to why he was asking. 

It wasn’t until she arrived at her grandmother’s house and found the front door ajar that she began to feel uneasy. And we know how the story goes from there. She finds the wolf in her grandmother’s bed, and it’s at that moment that she starts to notice small details that seem off. “Oh grandmother, what big ears you have,” “But grandmother, what big eyes you have,” and “Oh grandmother, what large teeth you have.” But by then it was too late and with an “All the better to eat you with,” the wolf gobbled up Little Red Riding Hood in a single bound.

There are many lessons to be learned from fairy tales. In auditing culture, a hot topic in recent conversations in the Internal Audit community, there are often many red flags along the way that may be indicative of a broader issue, but it’s up to the auditor to pay attention to them.

Corporate culture is defined as “the shared values, attitudes, standards and beliefs that characterize members of an organization and define its nature. Corporate culture is rooted in an organization’s goals, strategies, structure and approaches to labor, customers, investors and the greater community.” Internal Audit teams embarking on an audit of their organization’s corporate culture must pay attention to the small signs to ensure there isn’t a pervasive issue. 

Auditing culture may take on different forms. Some Internal Audit teams audit culture as a standalone audit, while others include a “culture rating” in every audit report. If you’re preparing to audit your organization’s culture, here are some topics to consider:

  • Tone at the Top, Middle and Bottom – While the idea of “Tone at the Top” emerged with the passing of Sarbanes-Oxley, culture audits go deeper throughout the organization to look at the system of shared beliefs and how employees engage with each other. Do employees feel “safe” to report concerns? Do they feel empowered to do their jobs? Do employees believe they are accountable for their actions? Internal Audit should interview employees at all levels, not just senior leaders of the organization, to understand the “true” culture of the organization. 
  • Strategy and Goals – A breakdown in corporate culture can often arise from a lack of clarity around the strategic objectives of the company. Does the strategy align with the organization’s goals? Do performance management or compensation processes incentivize behavior that contradicts corporate strategy? Has the strategy been communicated consistently and broadly? Internal auditors should pay attention to what the corporate strategy tells them about how the employees of the firm behave.
  • Company Policies – Another red flag would be a lack of critical policies that outline acceptable behaviors within an organization, such as Code of Conduct, Whistleblower, Travel and Entertainment, Delegation of Authority and Procurement. However, documenting the policies alone doesn’t mean you’re in the clear. How are the policies communicated? How are people within the organization trained? How is compliance enforced? Internal Audit should also pay attention to whether there are exemptions or management overrides of these important policies.
  • Reporting to the Board – What and how the organization reports information to its Board should also be considered. Is the Board made aware of statistics from the Whistleblower hotline? Does the Board directly receive reporting from various risk functions such as Compliance, CISO or CAE? Are the strategic priorities presented to the Board consistent with the strategy communicated to the organization? If the Board’s role is oversight, Internal Audit should make sure the Board has all the important information it needs to perform its duties effectively.
  • Outside Evidence – Information from sources such as Glassdoor, external auditors, regulators, industry peers and benchmarking data may indicate there is something that should be further examined. What do former employees say about the organization and why they left? Does the company have a “reputation” in the market? Do the external auditors have any concerns relating to culture? It may seem counter-intuitive to look outside an organization to assess the culture inside of it, but Internal Audit can and should examine all the information that is available to them.

When it comes to auditing culture, remember to pay attention to all the signs and make sure you don’t get gobbled up by the Big Bad Wolf.