Joey Ramone, Dale Carnegie and why culture should be assessed by internal audit

The Ramones formed in New York City the year I was born. Two years later they recorded their debut album. The recording was cheap, eliminating the unnecessary and focusing on substance. Rolling Stone declared The Ramones the greatest punk rock album of all time. Spin magazine even declared them the second-greatest band of all time – after the Beatles.

Punk culture was working class, dirty in clothing and language. Punks were against the establishment and promoted individual freedom. They often swore, spat and vomited in public. The Ramones, too, were quite dysfunctional, behaving in a questionable manner and stealing each other’s girlfriends.

I sometimes wonder what would have happened if the Ramones had met Dale Carnegie, writer, lecturer and author of the book How to Win Friends and Influence People (while I don’t know for certain, it is unlikely that they did as Dale Carnegie died too early). Carnegie is almost the opposite of punk. He claims that winning friends begins with friendliness and suggests that criticism is dangerous, because it wounds a person’s precious pride, hurts his sense of importance and arouses resentment. 

Why am I telling you that? First, I like the Ramones and their music. Second, punk provides a good example of the difference between conduct and culture – two issues that should be high on Internal Audit’s agenda. And third, after reading the below, you will probably realise that each company should have some Ramones.

***

Oliver Wyman defined culture and conduct in the organisational context. Culture represents the invisible belief systems, values, norms and preferences of the individuals that form an organisation. Conduct represents the tangible manifestation of culture through the actions, behaviours and decisions of these individuals.

Poor organisational culture has been identified as the root cause of many serious issues across numerous industries around the world. The IIA Financial Services Guidance Committee issued a Practice Guide on auditing culture. It states that one of internal audit’s key responsibilities is to assess the adequacy and effectiveness of the internal control environment directly impacted by culture and the conduct that arises from employees acting out and exhibiting their interpretation of the values of that culture. The main reason for that is that culture is connected to the system of internal control. If the culture of an organisation is toxic, it erodes the effectiveness of the other control layers.

Below I present some cultural risk factors, why they matter and how they can be assessed:

Lack of knowledge

Lack of knowledge of a process or task, or lack of understanding of the financial, non-financial or regulatory risks associated with the execution of the process or task, is often a root cause of problems. However, the lack of knowledge may also be a cultural risk factor, e.g. if employees who don’t have the competence are nevertheless made the task owner. This is particularly problematic for employees in control functions whose task is to challenge decisions or approve transactions. If they don’t have adequate knowledge, they are no more than a fig leaf. In banking and certain other industries, certain control function holders have to meet competence requirements or have to be approved by regulatory authorities. Corporate law in most common law countries includes the so-called business judgment rule for decision making in boards; however, the requirement to have adequate knowledge should be met in all jurisdictions and industries. If there is knowledge that employees could have had or should have had but chose not to have, they are still accountable. Auditors should assess the competence of the task owners as part of their process walkthrough.

Unrealistic targets

If deadlines, profitability targets or other performance indicators are not achievable under normal conditions, employees may be incentivised to manipulate the outcome so that the target is nevertheless met. Donald Cressey showed with his fraud triangle that this risk is exacerbated if employees can rationalise their behaviour (“others are doing it as well”). Auditors should assess the so-called tone at the top. Tone at the top consists of what management communicates and what it will and will not tolerate in terms of its risk appetite. Procedures for this assessment could be reviews of the tone used in internal communication, in townhalls or other meetings with employees. Auditors could also undertake exit interviews of employees leaving the company and review employee surveys or complaints or hotline / social media activity – the latter especially for areas with external customers.

Misaligned Incentives

Even if the company’s published targets are the “right” targets (e.g. “we aim for long-term success over short-term wins”), cultural risk may still exist if the employees’ incentives are not aligned with the target (e.g. bonus payments or promotion for winning customers that bring high revenue but questionable reputation). Great examples of how incentives can be aligned are provided by Richard Thaler and Cass Sunstein in their book Nudge. Auditors can discern such misalignments as part of their normal audit procedures, e.g. by comparing different pieces of information gathered throughout their engagement.

Lack of accountability

If employees are not held accountable for the results of their work, if their objectives are not measurable or if they can hide behind collective goals, successes will be celebrated together and losses are no one’s fault (or blamed on a random employee). Potential signs of lacking accountability are unnecessarily complex organisational structures, undue usage of committees or inflexible hierarchies (where levels can’t be skipped or escalations are hindered). Auditors will be able to assess if accountability is clear based on their interviews, walkthroughs or detailed tests. Attending meetings or reviewing meeting minutes can also provide an indication of whether accountability is clear and the decision-making process more broadly is effective. The composition of decision-making bodies is most effective if the participants are independent from each other and possess tacit knowledge or have a diversity of opinion. Agendas should be clearly structured, associated papers should be detailed and distributed well in advance of the meeting, and discussions should be nuanced and include constructive criticism. The decision-making process should also be reflected in the meeting minutes, i.e. who said what, what was decided first, who disagreed and on which basis the final decision was reached.

(Lack of) consequences

Even if the accountability question is clearly answered, the cultural risk does not go away if consequences for acting or not acting are not made transparent or are not enforced. The problem here could be either too much or too little consequence. If employees are in fear of losing their job when they make a mistake, they may be incentivised to disguise the problem or blame someone else. However, if there is no consequence management at all, the opposite may occur. People get away with disregarding regulation, missing deadlines or taking excessive cost or undue risk.

Auditors should be aware of typical behavioural biases when assessing culture. Biases may consist of many different facets such as group-think, refusing to acknowledge opposing views or an attitude of hubris (“this never happened here and will never happen”). As said above in the context of committees, diversity typically helps. However, biases should also be considered outside of committees, in smaller groups and other informal settings. James Surowiecki in his book The Wisdom of Crowds provided a number of examples of this. Diversity expands a group’s set of possible solutions. The order in which people speak has a profound effect on the course of the discussion. Earlier comments are more influential and they provide a framework within which the discussion occurs. In small groups it is easier for a few biased individuals to exert undue influence and skew the group’s collective decision. The presence of a minority viewpoint – the devil’s advocate or the Ramone – can make the group’s decisions more nuanced and its decision-making process more rigorous.

What auditors can do with their culture assessments and how they can report on their observations will be part of a separate article.

Auditing 101

I’ve started collating a series of bitesize presentations covering the key issues related to internal auditing that I have observed over the last 20 years. Hopefully you will find them useful.

The first issues try to connect some basics that are spread across the mission of internal auditing and various IIA standards, as well as pitfalls that I would like you to know about when reporting. Remember: The report is our main product and it should never create an expectation gap on the reader’s side.

My main publishing channels for these are my Instagram account and my Facebook site.

More articles will follow. Suggestions for new topics as well as comments on existing ones are welcome.