Report Says Culture a Key Factor in Preventing Fraud

A joint report from

Another thing the report notes is that no organization has only a single culture, and so it is unwise to focus only on a broad "culture" as a singular phenomenon. There could, for example, be separate cultures among executives, middle managers and rank-and-file workers. Leaders should seek not to erase subcultures but to get them to work together to the greatest extent. 

Further, the report said, leaders should be mindful that cultures can have dark sides. A company that "considers itself a family," for example, may "unintentionally motivate workers to protect people who cut corners or break rules or laws." 

Regardless, the report said that it's important, when assessing a company's culture, to assign ownership, because if the answer is that "everyone" owns culture, then the one actually taking responsibility for it may be "no one." Ultimately, the report says, it is the board that is responsible. The full board must consider cultural issues in CEO selection, monitor information on the corporate culture and ensure that culture is a regularly scheduled board agenda item. The audit committee should be reviewing compliance updates and whistleblower reports and examining deep-dive data from employee surveys. The compensation committee should ensure that the compensation structure supports desired cultural and ethical behavior, and consider culture-related elements in executive compensation. The nominating committee should be considering culture in director selection and board diversity, and reviewing succession planning and process for senior executives.

The report also pointed to the responsibilities of management on firm culture, particularly in setting the right tone at the top by communicating and visibly adhering to clear, ethical principles and codes of conduct, as well as providing necessary support and resources for robust fraud risk management programs and internal controls. 

As for how to perform a culture assessment, the report highly recommended what it called a "culture dashboard," which includes metrics from a variety of areas and reports. This dashboard can include such sources of information as employee focus groups, employee dismissals and reprimands, audit findings, employee hotline data, compliance training results, customer support logs, accounting issues, goal setting and performance metrics, cybersecurity metrics, and organizational design.

The report also stressed the role auditors play in this process. It recommended that culture be assessed as part of internal audits. Auditors can identify root causes in problem areas, as well as identify best practices in good areas; assess governance structures related to culture and conduct; evaluate how well the organization communicates; assess effectiveness of training on various cultural issues; and evaluate employee incentives. The report added that external auditors should also be considering culture in the context of internal controls, as well as submitting cultural findings to the audit committee.