Here’s something I’ve been going on about for a while. The idea or notion that control and organisations are controlled by people. Difficult, challenging, supportive, energetic, inconsistent, frustrating, brilliant, amazing, people. Newsflash – organisations are made up of people!

This means that culture is all important and is an important element at a micro level in terms of how systems are controlled and operated. They are also even more important at a macro level in setting and deciding strategy, allocation of resources, the taking and mitigation of risk and the setting of the organisational moral compass. See Erica Schoenberger’s excellent book The Cultural Crisis of the Firm (1997).

My trusty friends at Harvard Business School blog have provided two further research insights into this. First this blog that argues that honesty starts at the top. See: Essentially if the boss is not honest, this cascades further down the organisation creating an ever bigger problem, as honesty decreases as you go down an organisation. The other finding from this blog is that bosses should be more sceptical of their juniors’ levels of honesty as they are likely to consistently overrate them.  What better way to be sceptical than to have a robust internal audit function to due diligence on senior management’s behalf?

The second blog of interest is this one: where the authors argue that westernised cultures internalise risk management, believing they have the power to control risk. They argue that Asian cultures, in particular, see risks as external and subject to much less control and therefore do not internalise the management of it and instead, work with others to manage and deal with, risk. In the modern world where the scale of risks is seemingly bigger than even governments’ capacities to deal with, it would make sense to share the burden and management of risk with others: suppliers; customers; partners; general society; and insurers. Indeed a great book Risk Intelligence by David Apgar argued, as far back as 2006, that this was a mathematically sensible thing to do; to create a portfolio effect with others over risk.

But this blog post is not about risk management or honesty per se, it is more to point out that culture is  important. Where is culture on most internal audit plans? Where are the report points about culture? Auditors always shy away from looking or talking about such things as they are too ephemeral, too qualitative, to put into an audit report. If you think about  it though, who is best placed within an organisation to independently comment on these things? Who is detached to be objective and trained to think objectively? Who is also close enough to the organisation to really understand and be able to comment on it?

I would suggest the answer to all of these questions is internal audit. I know at my clients who the good, the bad and the ugly are; where the real  issues and problems are; where the opportunities and star performers are. Perhaps we as a profession should make more of this and be braver in our reporting?