Obtaining an independent view on culture

Culture correlates with a company’s success; hence, investors and stakeholders are keen to obtain deeper insights into a company’s culture. Assurance practitioners are well placed to provide increased credibility to the range of information that organisations disclose and stakeholders require, including by gaining an understanding of and assessing elements of an organisation’s culture.

Why culture is business critical

In a world where business decisions need to be made quickly and often less formally than in the past, a strong business culture can empower managers and staff to make decisions and take action whilst successfully managing risk.

The GFC created a sharp focus on the, at times, catastrophic effects of a poor corporate culture, particularly amongst players in the global financial services industry. But corporate culture is relevant to all organisations, particularly those with a retail customer base. An ineffective business culture can result in financial penalties, reputational and brand damage and, ultimately, compromise business viability.

Given the high stakes, independent assurance practitioners can play an important role by understanding, assessing and reporting on an organisation’s culture and values.

But what exactly is ‘good culture’?

Consideration of culture is often made more difficult by a lack of clarity as to what we mean by ‘culture’. Each organisation is unique. The organisation’s current culture is the collective learned response to the challenges and successes of the past.

The ‘right’ culture will depend on the current and future priorities facing the organisation. There is no one-size-fits-all ideal culture. Any assessment of culture should consider these unique characteristics and the ‘ideal culture’ articulated by the organisation’s leaders through statements of Purpose, Vision and Values (or equivalents).

The benefit of independent assurance over organisational culture

Auditors already implicitly consider aspects of business culture through many facets of their existing audit. Strengthening that business culture focus can deliver both deeper insight and preventative benefits. It is often possible, after the event, to identify how cultural failings contributed to a high profile corporate scandal or collapse. It is also possible, in many instances, to see that a targeted consideration of culture by a company’s oversight functions (the board, Human Resources, Risk Management), internal audit and external audit could help identify failings before they prove fatal.

Focus on culture: in practice

The following are examples of how auditors can focus on culture:

  • An understanding of culture informs an auditor’s assessment of the client’s risk management framework and control environment. Areas of higher risk are identified and audit effort is targeted appropriately.

    Example: One part of a business suffers poor staff engagement survey results, staff absenteeism and high levels of customer complaints. This could indicate a higher risk of control failure. As a result, the auditor considers the extent to which they should undertake more procedures over financial or non-financial information originating from that part of the business.

  • Consideration of culture indicators and risk factors supports the assessment and audit of fraud risk. “While fraud can occur in any organisation, the largest, most damaging examples of fraud typically involve some form of financial statement manipulation and these frauds almost always occur in an environment where the culture is poor and 'tone at the top' is inappropriate.” (Gary Gill, KPMG Forensics Partner)

    Example: A remuneration structure that incentivises short-term focus, a culture of fear and bullying, previous incidents and high staff turnover are all indicators of a higher fraud risk.

  • A focus on culture requires many of the same data points as the existing statutory and regulatory audit obligations.

    Example: An assessment of business culture and risk uses finance, risk and compliance function data, for example: incident reporting and breaches, error rates and complaints, turnover, performance management and remuneration practices.

  • In more extreme examples, cultural failings may create direct financial statement implications.

    Example: Early consideration of remuneration of, and incentives offered to, financial planners could highlight the sale of large volumes of products to investors that breach licensing or regulatory requirements, which may impact the valuation of related business unit assets.

  • Incorporating a focus on business culture aligns with compliance/risk management audit obligations, particularly in the financial services sector (risk management (CPS 220), AFSL and compliance plans) and the regulatory focus of ASIC and APRA.
  • External audit evaluation of culture complements the work of internal audit and risk functions in this area.

Stakeholders' perspectives


The public fallout from instances of poor business culture means that regulators are focussing on culture more than ever. Without visible action from impacted industries, more intensive monitoring and regulation is likely. Greater regulation will increase the cost burden on business.

“We need the financial sector to take up the challenge to put in place better incentives for prudent behaviour, so as to prevent problems emerging in the first place. That is likely to be far more productive than spending our time removing so-called ‘bad apples’ after the fact.” Wayne Byres, APRA Chairman, AFR Banking and Wealth Summit 5 April 2016.


Some analysts and investors have concerns that a focus on culture may distract the external auditor’s attention from the financial statement audit. This concern is not supported by fact.

Corporate culture is an important driver of every organisation’s control environment. A structured approach to understanding and assessing culture supports a robust and reliable assessment. When an external auditor considers culture, it can directly and positively impact the robustness of the control environment and the associated insights delivered.

For example, consider a bank’s engagement process with third party brokers. Accrediting the wrong type of broker could result in an increase in the submission of poor credit quality mortgage applications, and ultimately over the medium term heighten the credit risk of the mortgages portfolio. Having the ability to better understand and assess the cultural ‘fit’ of such third parties provides greater comfort over the types of brokers being engaged with, and the resulting impact on the mortgages portfolio.

Investors are attracted to companies that have (or appear to have) a balanced culture focussed on short and long term value creation. Consequently, investors value transparency on culture KPIs and metrics. There is benefit in obtaining an independent view on the extent of the alignment between an organisation’s actual and perceived culture and behaviours.

Assurance practitioners can opine on an organisation's culture

Elements of culture can be objectively assessed, for example, whether an organisation has implemented an operating model for risk culture. An engagement might deliver assurance over specific assertions made by management which form a part of the cultural framework and which are supported by internal controls. For example: “We have a cultural framework that is annually reviewed and available on our web site.” “All of our staff are trained on our core values and decision making process.” It may be challenging to measure and evaluate actual behaviours, but an indication of an organisation’s readiness for the future, whether there is an appropriate culture framework in place and the level to which it is embedded, can be independently assessed.

Culture: the way forward

In a rapidly changing business environment, assurance practitioners should reconsider the traditional scope of their activities. By doing so, they can better position themselves to support a business’s oversight and governance functions in understanding and assessing the culture and providing increased credibility to the range of information that organisations disclose and stakeholders require. Obtaining an understanding and independent view of corporate culture is increasingly important and auditors are uniquely placed to provide it. After all, culture is not just a trend, it is a key determinant of whether a business will succeed or fail.
