AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Board briefing: Culture and the role of internal audit

Audit committee briefing

Culture iceberg 500X143

Download the board briefing (pdf)

Read the full research report

Key points

Boards and senior management have the prime responsibility for establishing the right organisational culture by promoting their ethics and values and the behaviours these require across their organisations.

The behaviour of employees at the front line, such as sales staff, dealers or care workers, needs to conform to the ethics and culture of their organisation, and boards need to be assured that the whole organisation is pulling in the same direction.

Internal audit can be a key player in giving assurance and confidence to boards as organisations come under increasing pressure to demonstrate their commitment to improving standards of behaviour.


In financial services auditing culture is a key feature of the IIA Code. But there is a similar need across many other sectors. Internal audit can play an advisory role on processes and controls in cultural change programmes. But the ownership of such programmes must lie with the executive.

Internal audit’s role is to analyse to what extent processes (such as performance management and remuneration), actions (such as decision making) and tone at the top are in line with the values, ethics, risk appetite and policies of the organisation. They can therefore help boards judge whether measures put in place to change culture and thus behaviour are actually working.

Auditing culture and its indicators is complex. Culture is an amorphous concept.

Internal auditors need to understand their own organisation’s culture, including risk culture, before starting to audit the indicators. There are many models that look at the components of organisational culture. But it is dangerous to reduce work on culture and behaviour into one set of indicators based on a particular model.

There is no one-size-fits-all solution to auditing culture as organisations can be very different, even if they are producing the same or similar outputs.

Cultural change does not happen overnight, and providing assurance to boards on change programmes and their effects will be an increasingly important part of internal audit’s work.

It is important that audit committees engage with internal audit on culture from the start, so that policies and processes can be developed that build in the need for assurance.

Enablers and challenges

In order to harness internal audit’s support of boards in relation to culture most effectively, boards need to be aware of the enablers and challenges that internal audit faces. 

Enablers – crucial foundations necessary for the audit of culture:

- Organisational culture needs to have been analysed, properly defined and disseminated by the board/senior management i.e. what is required behaviour in the organisation has been made explicit.

- Appetite and support from the top of the organisation.

- Internal audit being given a clear mandate.

- Writing the mandate into the audit charter.

- A relationship of trust between the audit committee chair and HIA that allows informal discussion about subjective judgements (gut feel) on culture.

- Position, treatment and regard for internal audit, and non-adversarial relationships with their clients.

- The ability for clients to report or respond to surveys confidentially.

- A good level of risk maturity in the organisation.


Challenges – issues facing internal audit in carrying out work on culture:

- Organisational culture is often underpinned by how a statement of values is translated into concrete actions. The key question is how to gather evidence and demonstrate that this is the case and that the values are being lived at every level.

- Limitations of surveys and interviews. While culture may be tracked and measured in visible ways, the very instruments which exist to do this e.g. staff surveys, provide only indirect observations of behaviour at best. Employee surveys may be skewed if not underpinned by a culture of being able to speak openly and honestly.

- Skills and training:
  • Internal audit will need to develop more qualitative methods such as surveys and interviews, or co-source in this area. Surveys need to be properly constructed, administered, analysed and interpreted to identify weaknesses.

  • The use of gut feel can play an important part in the audit of culture. Internal auditors who are used to reporting hard facts will need to develop soft skills to obtain a picture of what underlies culture. They will need to employ root cause analysis i.e. going beyond processes and controls to look at behaviours that influence decisions.

  • Senior internal auditors will require new communication and relationship skills to enable them to conduct more subjective and informal discussions with NEDs and executives about cultural issues.

- Reporting. The internal audit team needs to develop and report results in partnership with those accountable, appropriate means. This can be problematic:
  • Managers may agree with the weaknesses verbally but get defensive when they see them written in an audit report. This in turn may make it more difficult to evaluate cultural aspects in the future.
  • It can be difficult to express weaknesses in writing which could then be open to misinterpretation leading to superiors making unfair judgements on the manager in question.

- Internal audit is part of the culture itself. Despite being independent and objective, internal audit, without realising it, may have adopted the same cultural values and ethics as the rest of  the organisation. Internal audit needs to distance itself from cultural drivers, such as remuneration.


Following a series of scandals, fundamental changes in organisational culture are being called for across sectors including media, food, retail, health and financial services. How organisations, and individuals within them, behave has become a matter of public concern.

Poor organisational culture has been identified as the root cause of many scandals, which have resulted in great cost to individuals, organisations and even countries. 

In the IIA’s latest annual Governance and Risk Report, ethics and culture was one of the top three areas where Heads of Internal Audit (HIAs) are planning to increase their resources. This suggests that boards and their HIAs will increasingly be engaging in dialogue on culture and the role of internal audit. 

The IIA report aims to assist that dialogue. The IIA financial services Code highlights the importance of culture in one particular sector. It recommends that internal audit should include within its scope the risk and control culture of the organisation and evaluate whether the organisation is acting with integrity in its dealings with customers and in its interaction with relevant markets. This is an important message relevant to many other sectors, in particular those that are regulated.

Auditing cultural indicators 

The IIA report shows the role internal audit is playing in relation to culture. HIAs are taking two main approaches to auditing cultural indicators:

Approach 1

The first is to incorporate culture into each audit, through techniques like root cause analysis, identifying why issues occur and how they can be the drivers for wrong behaviours, and then to join the dots across individual audits.

This takes them beyond focussing on processes and controls and requires them to combine hard data with gut feel. They also need to have a different type of dialogue with the audit committee chair and/or CEO, using more subjective judgements.

Some say that this is what any good internal audit has been doing all along but only now is it being badged as culture. Others see this as a new departure.

Approach 2

The second approach is auditing cultural indicators across the organisation through auditing personal behaviours as a proxy for culture.

Here the key question is how best to gather evidence to show that culture and values are at the heart of every business decision and are being incorporated at every level in recruitment, training, performance management and reward arrangements. 

This second approach requires internal audit to engage in new ‘soft’ techniques and work more closely with other functions, such as HR. This approach is less common, but, over time, may be adopted more widely in addition to the first approach if deemed helpful to the organisation and its circumstances.

The report contains summaries of concrete examples of the different approaches that organisations are taking as they start on the journey of auditing culture.

We are not endorsing any particular model, as there is no one right way to do it. But the examples point to some options for starting work in this area and show some of the challenges being encountered. The Institute is also providing its member internal auditors with technical guidance to help equip internal audit to play a bigger role in the assessment of organisational culture. It contains full detail on the examples of the different approaches.



Content reviewed: 1 February 2023
Download PDF

Technical question?

Name: Email: