Auditing Culture – The Way Forward

In Pakistan, there’s not a lot of emphasis given to the ‘culture’ of a company during an Audit. Since we care so deeply about culture at SadaPay, we wanted to include it in every aspect of our business, including Audits. Interestingly, there is already a lot of research on the importance of culture and behavior for maximum productivity and success in business. Let’s go through some of this research and break down the rise of ‘auditing culture’.

SadaPay is the first organization in Pakistan to include ‘Culture’ in the areas covered (Audit Universe) by its Internal Audit. Recently we carried out a Risk Culture Audit with the help of guidance available in Auditing Risk Culture: A Practical Guide issued by the Institute of Internal Auditors.

Let’s have a look at the evolution of “Auditing Culture” and how it has become an essential assurance activity in the modern organization. Take a look at the following suggestions in the report “Banking Conduct & Culture: A permanent mindset change” issued by G30 (Group of Thirty) in 2018:

  • Banks should explore ways to reward exemplary behavior, both in business decisions and in individual actions.
  • Banks should promote an environment of ‘psychological safety’ that encourages employees to speak up and escalate issues or share feedback without fear of retribution. Bullying or aggressive management styles must not be tolerated.

This isn’t the only report that emphasizes the importance of culture. The Institute of Risk Management (IRM) handbook, ‘Risk Culture: Resources for Practitioners’ published in 2012, includes “Heros” in the language of culture and classifies ‘psychological safety’ at the workplace as a critical success factor for managing hidden risks through constant surveys and open conversations on uncomfortable issues.

These publications point out the necessity of understanding and managing culture after the 2008–09 global financial crisis. Organizational failures despite implementing all layers of control made it clear to the business world what Peter Drucker said in 2006, ‘Culture eats strategy for breakfast’. This phrase, now famous in the business world, implies that the culture of a company always determines success regardless of how effective your strategy may be. These so-called ‘soft’ controls started to gain as much importance as the ‘codified’ controls and assurance service providers started to devise methods to provide insights about culture along with the traditional areas of coverage.

Prior to the direct focus on culture, The COSO internal control framework first introduced in 1992 included ‘control environment’ as one of the five elements that management had to control. Control environment brought elements to the framework that are now included under ‘Culture’. It was defined as the “set of standards, processes, and structures that provided the basis for carrying out internal controls across the organization” and included:

  • Ethical values
  • Organizational structure
  • Commitment to employing competent employees
  • Human resources policies

Going further back in history we find that the concept of company culture started its journey in the 1970’s from the concepts of ‘Norms and Climate’ that had been popular management topics at the time. The difference between an organization’s ‘Norms and Climate’ and its culture is considered to be an issue of depth and order, in that Norms and Climate (perceptions and attitudes) are now considered consequences of an organization’s culture (assumptions, beliefs and values). However, much of the language from the early development of thinking in this field from the days of ‘Norms and Climate’ remains with us today.

We can clearly see that this concept of norms and climate, environment and culture gradually grew to immense importance as assurance service providers realized that root causes of organizational failures are often traced to behavioral and cultural issues making it clear that it’s a big source of risk for the firm. So the question arose, should ‘culture’ be a subject of interest for regulators and assurance service providers? The Institute of Internal Auditors (The IIA), pointedly observes that culture needs to be added to the internal audit workload, ‘Because auditing culture helps the organization manage it’. The IIA Practice Guides – Auditing Culture (2019) and Auditing Conduct Risk (2020) clearly conveyed that the globally recognized standard setting body for Internal Auditing considered culture as an auditable area.

Following this global trend, the People & Culture and Internal Audit teams at SadaPay decided to collaborate on culture. While People & Culture focuses on understanding and managing culture, internal audit is providing independent assessments and insights about the cultural dynamics in the organization. We have a baseline for risk culture that looks amazing for a startup and we will continue to improve on it for increased organizational resilience and be a reliable player in the financial industry. We also hope that the conventional banks and other entrants in the financial industry of Pakistan will catch up with this trend and make auditing culture a priority for the benefit of their internal and external stakeholders.