Auditing Culture – The Way Forward

In Pakistan, there’s not a lot of emphasis given to the culture of a company during an Audit. Since we care so deeply about culture at SadaPay, we wanted to include it in every aspect of our business, including Audits. Interestingly, there is already a lot of research on the importance of culture and behavior for maximum productivity and success in business. Let’s go through some of this research and break down the rise of ‘auditing culture.’

SadaPay is the first organization in Pakistan to include culture in the areas covered (Audit Universe) by its Internal Audit. Recently, we carried out a Risk Culture Audit with the help of guidance available in Auditing Risk Culture: A Practical Guide issued by the Institute of Internal Auditors.

Let's take a look at the evolution of “Auditing Culture” and how it has become an essential assurance activity in modern organizations. The report Banking Conduct & Culture: A Permanent Mindset Change, issued by G30 (Group of Thirty) in 2018, suggests:

  • Banks should explore ways to reward exemplary behavior, both in business decisions and in individual actions.
  • Banks should promote an environment of ‘psychological safety’ that encourages employees to speak up and escalate issues or share feedback without fear of retribution. Bullying or aggressive management styles must not be tolerated.

This isn’t the only report that emphasizes the importance of culture. The Institute of Risk Management (IRM) handbook, Risk Culture: Resources for Practitioners published in 2012, includes “Heroes” in the language of culture and classifies ‘psychological safety’ at the workplace as a critical success factor for managing hidden risks through constant surveys and open conversations on uncomfortable issues.

These publications highlight the necessity of understanding and managing culture after the 2008–09 global financial crisis. Organizational failures that occurred despite all layers of control being implemented made clear to the business world what Peter Drucker said in 2006: “Culture eats strategy for breakfast.” This phrase, now famous in the business world, implies that the culture of a company always determines success, regardless of how effective your strategy may be. These so-called ‘soft’ controls gained as much importance as the ‘codified’ controls, and assurance service providers began devising methods to provide insights about culture alongside traditional areas of coverage.

Prior to the direct focus on culture, the COSO internal control framework, first introduced in 1992, included ‘control environment’ as one of the five elements that management had to control. The control environment brought elements to the framework that are now included under ‘culture.’ It was defined as the “set of standards, processes, and structures that provided the basis for carrying out internal controls across the organization” and included:

  • Ethical values
  • Organizational structure
  • Commitment to employing competent employees
  • Human resources policies

Going further back in history, the concept of company culture began its journey in the 1970s from the concepts of ‘Norms and Climate,’ popular management topics at the time. The difference between an organization’s ‘Norms and Climate’ and its culture is an issue of depth and order, where Norms and Climate (perceptions and attitudes) are considered consequences of an organization’s culture (assumptions, beliefs, and values). Much of the language from this early development remains with us today.

We now understand that norms, environment, and culture became critically important as assurance service providers realized that the root causes of organizational failures often trace back to behavioral and cultural issues, making culture a significant source of risk for the firm. This led to the question: should ‘culture’ be a subject of interest for regulators and assurance service providers? The Institute of Internal Auditors (IIA) clearly states that culture needs to be part of the internal audit workload, because auditing culture helps organizations manage it. The IIA Practice Guides Auditing Culture (2019) and Auditing Conduct Risk (2020) show that the globally recognized standard-setting body for Internal Auditing considers culture an auditable area.

Following this global trend, the People & Culture and Internal Audit teams at SadaPay collaborated on culture. While People & Culture focuses on understanding and managing culture, Internal Audit provides independent assessments and insights about cultural dynamics in the organization. We have a baseline for risk culture that looks amazing for a startup, and we will continue improving it for increased organizational resilience. We hope that conventional banks and other entrants in the financial industry of Pakistan will catch up with this trend and make auditing culture a priority for the benefit of their internal and external stakeholders.