Top tips: making culture part of your audit DNA

Culture has been a hot topic in our world for the past few years. Internal audit teams – and, happily, many audit committees and boards – now understand that a culture audit can get to the heart of what helps or hinders the organisation. The Chartered Institute of Internal Auditors has published several reports and studies that cover this topic; you’ll find a list at the end of these top tips.

However, the idea of proposing, scoping and conducting a ‘culture audit’ can prompt resistance. Who would resist such a useful thing? Well, possibly organisations who see ‘culture audits’ as fundamentally subjective or unreliable; or first line managers who fear the findings. Or internal audit teams with few staff, who cannot see a way to fit a ‘culture audit’ into an already demanding annual plan of testing key controls. Or even large teams that don’t know where to start!

If we look at ‘culture’ differently, though, it should become easier to see how internal auditors can include it as a matter of course in both assurance and consultancy engagements. Culture is simply the way people think and behave in a particular setting. So every time you conduct an internal audit, even on subjects that appear straightforward, quantifiable, even dry – payments, for instance, or IT security – culture will affect every aspect of what you see and hear.

Switch on your ‘audit eyes and ears’, as one head of internal audit says. What do you see and hear that feeds into your assessment of a team or business unit? Internal audit’s opinion is not a mere presentation of test results, management information and statistics – the first line should be aware of what those measures are, anyway.

Insight is essential to a valued internal audit opinion. Observing carefully what people do, how and why, gives meaning to the quantifiable evidence. Another head of internal audit has crafted the following wording to assert the importance of cultural insight:

During our audit, we observed behavioural aspects which by their nature are informal and less tangible. These behavioural aspects may be perceived differently by each individual, making them more difficult to review and to evaluate. These observations are opinions that can help explain why things go wrong; however, they are not subject to verification.

By including this statement in executive summaries, she is achieving two things. First, she is explaining to recipients the value of cultural and behavioural observations to a rounded, insightful internal audit opinion. Second, she is perhaps anticipating – and countering – any objections readers may have to including subjective information.

Subjective, yes – but grounded in fact. Cultural and behavioural observations are not idle speculation, gossip or aura-reading. They are based on what we see and hear during interviews, meetings and fieldwork, all of which we document and substantiate.

Such observations should not appear only in reports; they have their place in all aspects of an internal auditor’s work. Chief executive officers, audit committee members, board members and non-executives should encourage and welcome this kind of insight. Informal observations from internal audit are part of building understanding, insight and relationships throughout the organisation.

So how can we check that our informal observations, however strong their impressions on us, have some basis in fact? The lists below give an idea of behaviour internal auditors may observe during fieldwork, and where they can seek further information or evidence. So…

If you see:

High turnover

Regular or high levels of  short-term sickness; high levels of stress-related long-term sickness

Staff appear disengaged during tasks, walkthroughs, interviews

Staff appear hesitant to approach line managers

Staff seem unable to explain why they are doing something (not just how)

Working patterns appear illogical, onerous or erratic

Staff refer everything to line managers – appear  unable or unwilling to make a decision

Staff and management’s reactions to audit findings seem disproportionate or fearful

…then consider looking at:

Turnover statistics held by HR (please keep in mind that HR should be able to anonymise any information to protect staff confidentiality)

Sickness statistics held by HR (again, anonymised)

Responses (or refusal to respond) to employee opinion surveys

Anonymised data on grievances in the department

Alignment of objectives and targets - department, managers, staff

IT statistics on how many hits there are from a particular area on intranet pages about bullying and grievance procedures, or internet searches for new jobs  

In summary

You see that there isn’t a neat link between a particular behaviour and relevant data. For each behaviour in the first list, several items in the second could prove useful.

In the worst case, internal audit may observe or see evidence of bullying, with staff verbally or even physically abusing others. In these instances, internal audit’s responsibility is to report this behaviour. Even if the organisation appears to tolerate it, the Institute’s Code of Ethics doesn’t and it isn’t in any organisation’s long-term interest!

You may want to build culture into the scope of the audit to accommodate this work and an element of time into the engagement in case it is necessary to look at any data.

Finally, these tips are meant to help you incorporate culture into your regular practice – but without adding to your workload. It’s about seeing how you can make this information and these observations an integral part of each engagement – and in doing so, deliver valuable insight.

Further reading

Ethics, values and culture 


Organisational culture
Auditing culture 


Auditing culture – the clock is ticking 

Research reports

Organisational culture: Evolving approaches to embedding and assurance
Culture and the role of internal audit 

Board briefings

Culture and the role of internal audit 

Content reviewed: 21 September 2020