Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​Beneath the Surface

Auditing culture requires practitioners to delve deep into the organization’s core, beyond mere surface-level analysis.

Comments Views

​After wake-up calls from a long list of organizations — including Volkswagen, FIFA, and Wells Fargo — some observers might expect significant progress by now in addressing culture-related issues. But instead, high-profile cultural failures continue to plague the corporate landscape as the list of examples keeps growing.

Internal audit has a critical role to play in identifying and assessing problems with an organization’s culture. Through a barrage of webcasts, presentations, and publications, most internal auditors are likely now attuned to the importance of examining this aspect of the organization. By now, practitioners should be aware that:

  • Culture is a critical component of organizational governance and often the root cause of significant issues.
  • Culture is not defined by documents and processes, but by employee perceptions and how things actually get done in
    an organization.
  • There is no single culture in an organization, but a complex weaving together of multiple layers involving a tangled undergrowth of subcultures.
  • There is no single right culture — optimal culture varies depending on the organization.

Still, many internal auditors have difficulty getting started with cultural audits, finding the subject matter hard to manage. Practitioners need to dig deep into this topic, well beyond the superficial mantle, and understand what to examine — as well as approaches to avoid. Stakeholders must have an accurate assessment of culture before damaging issues erupt in a torrent of organizational harm.

Weak Audit Evidence

Auditors like hard evidence, such as written approvals, formal contracts, and documented transactions. Hard evidence is objective, and typically it can be gathered by less experienced auditors and interpreted quickly.

In terms of auditing culture, hard evidence often relates to items such as:

  • Communications from the C-suite on ethics — whether communications cover the important aspects of behavior and ethics and are sufficiently frequent.
  • Ethics policies — whether policies are formalized, supported by training, and understood by
  • the employees.
  • Hotline calls — the number of calls, the policies on how calls are addressed, and evaluation of whether calls are addressed correctly.
  • Turnover statistics — average sick time, rate of employee turnover, etc.
  • Compensation programs —whether the programs are designed to reward the right behaviors and avoid incentivizing undesired behaviors.

These areas, and the hard evidence that can be obtained about them, certainly support culture. But even when programs and policies are in place and operating effectively, culture can still be a problem. Focusing on these aspects of culture is at best incomplete, and it could be misleading.

Culture is not primarily a set of policies and programs — it is defined through how employees behave in their day-to-day work. Expertly auditing and obtaining hard evidence has value, but it does not enable auditors to peel back the exterior of an organization and see what is really happening inside. Even surveys, though useful, provide limited insight on organizational culture (see “What About Surveys?” at right). Hard evidence cannot stand on its own and needs to be supplemented.

Stronger Audit Evidence

​What About Surveys?

Client surveys might be convenient and produce hard data, but are they useful in auditing culture? Consider these observations:

  • Culture-related issues that are significant enough to cause serious damage to an organization do not need to be widespread. A serious cultural issue that results in bribery in a foreign country, sexual harassment, or altering the accounting numbers in a noticeable way can occur in an isolated group of the organization because of a subculture unique to that group. Knowing that 99 percent of employees have not seen an incident of bad behavior is not helpful in detecting this type of issue.

  • "Do senior executives keep their word?" is a question that may often be found in employee surveys related to culture. While this seems like a useful question, is it asking about all executives or excluding the one rogue executive? Does it encompass any kind of issue or only important ones? Does it apply to the last quarter or the last 10 years? An employee taking the survey likely does not have enough context to know how to answer, and the responses yielded will probably provide little useful information to the organization. Most survey questions seem to ask for responses in normal circumstances, for most employees, on average. This information will not identify a specific problem in a culture.

  • Suppose employees observe an aspect of culture that is toxic. They may feel powerless to address it without jeopardizing their job. They may believe that if managers were truly concerned with culture, they would not have allowed this situation to persist. Upon receiving an employee survey from human resources, will they be motivated to answer the survey honestly? Aren't those caught in a toxic culture the ones who might hesitate to answer honestly, fearing their responses may not be anonymous?

Surveys can be useful, but they shouldn't be a primary source of evidence on culture. Although surveys can highlight certain issues and messages, they don't necessarily identify all important cultural issues. In this sense, surveys can provide a false sense of accomplishment and potentially neglect to identify hidden issues in culture.

When considering audit evidence about culture, internal auditors may want to envision a volcano — where, buried deep inside, lava and gases are collecting and could erupt from the earth’s crust without warning. A volcano serves as an apt metaphor for how culture operates in an organization. On the outside, even when an eruption is imminent, everything might look fine. The form appears normal, the exterior is solid, and while a few small vents may show smoke, no major issues are evident.

Likewise, based on a surface-level assessment, the board and top management may conclude the organization appears sound. However, the effects of a toxic culture can be bubbling deep inside, and eventually an eruption occurs that no one seems to have predicted. A problem remained buried in the mountain that could have been identified or predicted, yet no one uncovered the truth and brought it to light.

How can internal auditors help prevent, or at least caution about, the next eruption? Perhaps more importantly than looking at the organization’s structures and foundation — the top-down, hard evidence — they need to get inside to see whether an eruption may be close at hand. A volcano contains a great deal of soft evidence, though examining these areas can be uncomfortable and somewhat risky. Diving deep into the organization to examine culture is the only effective way to perform the role required of internal auditing.

Where and when do auditors gather this soft evidence? Everywhere and all the time. Internal auditors do this primarily in two ways: as part of every engagement, and during their informal interactions with clients.

During Every Audit Internal audit projects provide an opportunity to get out of the office and engage directly with employees at all levels of an organization. Internal auditors should use this opportunity. Although focus groups and structured interviews can be somewhat helpful, they are artificial devices — participating in a prearranged session with an agenda, facilitators, note takers, and overseers is not the same as going about daily activities. Evidence pertaining to culture will more likely be identified after building relationships with audit clients and observing how they operate. On this foundation, culture will reveal itself to practitioners as they ask themselves several questions:

  • How does management engage with the internal auditors? Throughout planning, fieldwork, and reporting, is management supportive of the audit or does it exhibit reactions ranging from dismissiveness, to a lack of responsiveness, to outright interference with the engagement?
  • Does management’s style and approach foster the right mindset among employees in the group being audited? Does management reward the right behaviors? Does it communicate effectively and demonstrate transparency? Is it open-minded and accepting of new ideas? Do its actions reinforce that the end does not always justify the means?
  • What is the tone of the employees in the area audited? Are they positive, supportive of management, and focused on the best interests of the organization? Do cliques exist within the group that hinder its success? Has groupthink so overtaken them that important ideas or concerns cannot be expressed?
  • Are the core values of the organization expressed in what internal audit has observed? Most organizations adopt values around respecting people, doing the right thing, working collaboratively, or similar objectives. Do employees and management exhibit these core values throughout their activities, or are they all too willing to ignore them as they pursue alternative motives?

Beyond these topics, potential issues identified during an audit project need to be closely analyzed for their root cause. In fact, finding root causes related to culture is common. Given how frequently significant issues arise from toxic cultures, every audit issue should be examined to determine whether culture is part of the root cause.

One option to more formally bring culture into focus on audits would be to require the internal audit team to assess culture on each project. Initially the team may find this effort difficult, as evaluating all aspects of culture effectively takes experience and insight. The process is best learned through practice. Requiring a cultural assessment on each audit forces the practice, enables full consideration of different team members’ perspectives, and helps build higher level observations on culture. If the team members on an audit project have insufficient experience auditing culture, their assessment does not need to be shared with client management. Audit managers can conduct the process strictly as an internal exercise until the team has gained the requisite level of competency.

While Walking the Hallways One of the major advantages of an internal auditor versus an external party is the ability to gain insight about the organization every day, from multiple angles. Internal auditors converse with all levels of employees as part of formal meetings, email exchanges, and even impromptu discussions in the hallways. They should use these interactions to gather evidence on culture, such as what is valued, what is rewarded, who is favored, and how problems are viewed. Moreover, effective internal auditors establish themselves as objective, unbiased professionals. In this capacity, employees will seek out the internal auditor to discuss their concerns and observations, providing further opportunity for cultural insight.

Pulling It All Together

Whether through audit projects or walking the hallways, internal auditors should stay continually attuned to key audit evidence that may provide information on the organization’s culture. Throughout the process, practitioners need to remember that a volcanic eruption caused by toxic culture is usually not an immediate event. Instead, it builds over time, accompanied by numerous causes and indicators.

Auditors need to stop the frantic pace of simply completing audit projects and consider what they observe in the different cultures present in their organization. Soft evidence on culture is not captured on a single audit, in a single way, through a single process. But when cumulative evidence is aggregated, internal auditors should have enough evidence to assess culture. They just need sufficient experience, understanding, perspective, and potentially courage to pull it all together and determine what it means. That is the nature of auditing culture.

Doug Anderson
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author



Douglas J. AndersonDouglas J. Anderson<p>Douglas J. Anderson, CIA, CRMA, is managing director, CAE Solutions, Professional and Stakeholder Relations, at The IIA.​​</p>


Comment on this article

comments powered by Disqus
  • Galvanize-September-2020-Premium-1
  • FSE-September-2020-Premium-2
  • Auditboard-September-2020-Premium-3