Internal audit functions the world over are being challenged to audit culture, or at least consider doing so, and the new corporate governance code asks boards to ensure they assess culture. But where do internal audit functions start with this seemingly intangible and knotty topic? Can it really be done, and how do you undertake a risk assessment of this area? This article will cover how you can structure such an audit, and how you can ensure it fits YOUR organisation and helps it achieve its business goals as well as its reporting obligations.

Structured risk assessments really help us in understanding risk across the audit universe and in planning across an audit cycle. However, the historic focus on hard data and specific processes has potentially led to things being missed. If we look at the financial services sector over the last 10 years, a focus on specific conduct processes meant behavioural risks were not typically included in the audit universe, or the risk management framework or indeed the compliance plan. The regulatory focus on ‘conduct’ post 2007 and the identification of tangible conduct measures was an important step; however, it was not enough, and the subsequent focus on risk culture broadened the scope of audits in this area considerably. Internal audit now knows it can go further than this and really understand the enterprise level behavioural risks within a business and be able to form an opinion on them, adding value and understanding to both first and second line. Internal audit really can audit organisational culture.

Building a ‘corporate culture’, like many a construction project, needs building blocks. But what do we mean by ‘culture’? In other walks of life, ‘culture’ is a concept all of us are familiar with. Yet the business community has been playing catch-up in defining corporate culture and the elements that create it.

One definition of corporate culture is ‘the combination of values, attitudes and behaviours that a company exhibits in its operations and relations with those affected by its conduct, eg: employees, customers, suppliers and wider society’. Wijnand Nuijts of the Department of Governance, Culture and Organisation Behaviour at the Dutch National Bank drew two conclusions:

  1. ‘Culture is not a monolithic, but a multifaceted construct that includes numerous components. These components are not tied together through hierarchy, nor through a linear causal relationship. Rather, they constantly mutually influence each other in a continuous cyclical process.’ 
  2. ‘Culture is not static and does not exist in isolation. In fact, culture is (the product of) an adaptive response to environmental influences (at a certain point in time) and develops in order to address the challenges that are created by the internal and external environment. This evolutionary aspect of culture has implications for the manner in which supervisors can, or perhaps even should, supervise culture.’

The survey results contained in Grant Thornton’s recent report Beyond Compliance - The building blocks of strong corporate culture showed that 50% of businesses worldwide have culture as a standing item on their board agenda, while 71% have established internal controls that address culture and employee behaviour.

Boards are heading in the right direction when it comes to culture. But more can be done. After all, regulators – and auditors – cannot develop or embed corporate culture. Culture can only be authentic – and sustainable – if it comes from the leadership of the organisation and is important enough to feature as a key part of its strategy.

So having said all of that, what role can internal audit play in this? Well, the start point of auditing culture is your organisation's own business strategy. There is no such thing as a ‘good’ culture that we can pull off the shelf and audit. Every firm has a culture, and that culture will be defined by its history, location, size, whether it is in a single location, its leadership and the environment in which it is operating. The question is – is it the right culture?

The right culture for an organisation is one that helps it achieve its business goals, its strategy, its vision. It has to be right for your particular business. Not only that, but it then has to be embedded across every area of the business with a relentless focus from the top.

So how do leaders implement and embed a culture? Well, there are leadership and management interventions across the organisation at multiple points every single day. Employees subconsciously look for alignment and consistency to the messages and stated culture from the top of the organisation.

These interventions form the drivers of culture, the enablers to having a culture that is aligned and consistent with the business goals. If we know what leaders need to focus on across these drivers in order to embed the culture, then as auditors we know what to test in order to successfully audit culture. We need to cover each of the drivers in our audit, and we need to test both design effectiveness and operational effectiveness, testing whether it is actually working on the ground across the organisation, and across each of the drivers.

So what are these drivers of culture? Well, we have already seen that strategy is a key driver, it is the critical start point for culture with the purpose of playing a key role in the achievement of business goals. Leadership is also key, with leaders across the business, and at different levels of leadership, needing to actively and personally engage in the culture going way beyond the traditional ‘tone from the top’. People management is a further driver affecting employees and promoting and encouraging the right behaviours across the organisation. However, the culture drivers do not stop here – the management of other resources, the processes and measures across the organisation, and how change is designed and delivered are also key, as is supply chain management, web presence, external reputation and communication.

An audit of culture does encompass huge swathes of the organisation and can initially be daunting; however, a structured focus on the design and operational effectiveness of each driver can quickly show areas that are misaligned, that are inconsistent, and that mean that the overall culture is not embedded and enabling the achievement of business goals.

The drivers of culture, and what we are looking to audit within each, are represented by the diagram below and summarised as follows:


The strategy of an organisation should include both ‘what’ the organisation is looking to achieve and ‘how’ it is going to do it. Strategy should include values, behaviours and ethics. These are the key parts of how the organisation is going to achieve its business goals – and should make it just as important a part of the overall strategy as what the organisation is aiming to achieve.


Leaders must be able to reflect the strategy, articulate it, but more than that: to role model it, and live it out every day for their teams. They need to recognise it in others, to bring their example to the fore and to reward it, either financially, through simple recognition or promotion. Every single day, every single conversation, presentation and action will be observed and noted – it can be challenging but it can also be exhilarating when it works and takes on a life of its own.

Culture change will not be achieved overnight but it is a myth to think that a change in culture can only be achieved over an extended period of time. A relentless focus on culture can see change achieved by large organisations with many thousands of employees over the medium term. Leaders need to design and implement measures so that the organisation knows that the leaders are paying attention to cultural issues and that the ‘how’ matters.

People management

Right across the employee lifecycle there are opportunities to nudge, shape or reinforce the culture. This starts with ensuring not only that new joiners are informed of the company's values, but that interviews, tests and references seek out information about an individual's way of working, so that individuals are recruited not just for their technical capabilities but for what they will bring to the culture, and for their soft skills. This should then be reinforced through the performance management cycle, through objective setting, through talent identification, through promotions and through every learning intervention.

There are many touch points where culture can be reinforced or enhanced, and a company that puts real energy into this and makes every intervention count really will find that the culture is not at all an accident of who happens to work there.


There are many messages conveyed by the organisation that employees pick up on in terms of how organisations deal with their customers, with their supply chains, with regulators, with potential prospects, with the way they manage the office space and the intranet and internet offerings. All of these messages need to be aligned and consistent, otherwise stakeholders such as employees and customers or clients will receive confused messages around the organisation's culture.

Process and change

Some processes in particular are ‘critical to culture’ - for an insurance company this could be the sign-on process or the claims process. For many companies it can include the direct customer contact via web or via a call centre. It is all the individual moments of truth where customers, or employees, touch the organisation and the experience they have is really important.

It is also where the organisation is undergoing change, often with project management and new systems. Much attention is put into whether projects are on time and on budget but very little on the impact of projects or transformation on the organisation's culture - and yet these are critical times in terms of reinforcing culture and behaviour and the direction of both the what and the how of strategy.

Corporate responsibility and reputation

How an organisation portrays itself externally has a key part to play in the culture. Employees are a part of this audience. They see the impact and the position externally - they see positive and negative press, positive or negative impacts on the environment, positive impacts on charities or local neighbours. It forms part of the holistic view of the organisation that they carry with them and it is again vital that it is aligned, consistent and the impact on culture is positive.

Let’s look at just one of these drivers, people management, in more detail.

So what do the HR team need to do in order to ruthlessly embed the culture across the organisation? Well, if we follow the employee lifecycle then the employer brand should be designed to include the values and behaviours so that it is clear to potential employees what the culture of the organisation is, or should be. Then the interview process should include questions to test it. This is not about recruiting clones, and not about a lack of diversity – there are many ways to fit into a culture and many skills and talents to bring to it, but a fit with values is important.

Once recruited, objectives need to be set that not only include what an individual needs to do, but also include ‘how’: how they behave with colleagues, what conduct is expected etc.

Then at each performance assessment the ‘how’ can be discussed and assessed. This does need managers with the capability to have honest conversations, and to have evidenced examples of aligned and non-aligned behaviour. But what it does do is make the culture matter, right across the business and enable great examples to be gathered and communicated more widely. Use of storytelling in this way can further illustrate what the organisation values, what it is looking for in terms of behaviour, and give others the confidence both to reflect the desired behaviours and also to speak up when the values and behaviours are not aligned.

Once the culture is built into the performance review cycle, it can then be used to inform promotion discussions. Promotion interviews and capability frameworks should both include behaviours and values. It will be vital to the organisation to have the leaders and managers of the future able to achieve its business goals over the long term. It can be used in talent assessment – either directly as a measure, or as included in the performance measurement. Then from the talent pool, succession plans can be drawn for senior role succession that will ensure the culture endures over the life of the business strategy and beyond.

Through all of this, learning programmes can be developed that reflect the values and behaviours needed. Then right from induction through to senior manager training, values and behaviours can be reflected in the content, or added as specific modules depending on the need and the degree of change needed.

Whilst looking at the topic of people management, one of the real pitfalls with auditing culture is the ease with which the auditor can slip back into a functional or topic-based audit. With people management in particular, it is really easy to slip into an HR audit, looking at risk and controls across the function, but this is not your purpose here.

An HR audit looks at the risks and controls, looks for a well governed function – looks at whether the function is doing things right.

The people management element of a culture audit looks at whether the function is doing the right things.

But how can audit be the judge of whether they are doing the right things? Surely that is not the role of audit? Our answer lies in going back to the business strategy, in looking at the defined culture and looking at whether the people strategy really enables the delivery of that, and then the whole programme of activity across the function – and into the business – is consistently aligned. If it is, then they are doing the right things.

It is this level of detail that we as internal auditors need to go into for each of the drivers of culture, and then test for the unique desired culture of the organisation, so that we are actively exploring the design effectiveness and the extent of deployment, or operational effectiveness, across the business. In this way we can spot sub-cultures and find areas where misalignment between culture drivers occurs, providing audit reports that are insightful to both executives and boards.

Sue Jex is a Director at Grant Thornton leading on People and Culture risk and the author of the IA Foundation's recent publication A Journey into Auditing Culture.