I have had the pleasure of being in Italy for a short break. Now anyone who has been to Italy can only marvel at the miracle of luck that is Italian driving. A driving culture with seemingly no rules yet also seemingly leads to not excessive accidents and trauma to pedestrians cars and mopeds that me, is something that me, as an English person can only marvel at.

This got me thinking about risk management. Italy does have a rules based culture. The ban on irons in hotel rooms seems to be rigidly enforced for example. Whenever you approach a historical monument there are reams of rules to follow. Yet Italians seems to be pragmatic about rules. No photos? Well, if no harm, why not? Dangerous steps at the top of a leaning tower? Well just take care. Steep steps on trains, well use common sense and be careful. Not like London’s now incessant ‘mind the gap’!

It is this pragmatic application of rules I as a risk manager and auditor like. It speaks to human nature, being meaningful in a human way. This is so counter to legalist controls and prevention. It is a cultural thing that finds a natural cultural home and balance.

I would, as a auditor, prefer this culture to be captured and documented, not in granular detail, but in principle. Principle based rules only work where the principle is established and then clear examples given. This is invaluable when fraud or other malpractice is involved. I don’t like prescriptive and proscriptive rules, the rule maker will always miss an eventuality and rules date quickly in a way principles do not.

How can auditors apply this in their work? I think through really documenting, unpacking (I hate this word but it helps to explain what I mean), and auditing culture, as well as controls.  It can, in my view, aid understanding of real control. As auditors we should point out the ‘soft’ cultural elements as they will have impact on the non usual, non routine, transactions and risk events that do go wrong at a strategic level.

Reports should not be exceptions to performance and design of actions but be a persuasive analysis and commentary of the whole control environment, including culture. Auditors as independent of the organisation are also well placed to make objective cultural views.

So when did you last audit culture?