Organisational Culture – an Internal Audit perspective

25 October 2019
6 min read

Although culture is somewhat intangible and difficult to define, a positive workplace culture is undeniably an essential element of any successful organisation. Our Audit team discuss how auditors go about defining and auditing organisational culture.


In recent years, and in response to ongoing corporate failings, international regulators have been increasing the focus on Boards and Senior Management, assessing their ability to articulate and evidence appropriate corporate culture and conduct management.

When the internal audit function is requested to undertake an audit of organisational culture, it is important for the audit team to understand how culture can be defined.

What is organisational culture?

The use of the term culture in the organisational context was first introduced by Dr. Elliott Jaques in his book The Changing Culture of a Factory, in 1951. In that book, Jacques suggested that organisational culture includes the values and behaviours that contribute to the social and psychological environment of a business. Jacques argued that the organisational culture influences the way people interact and how resistant they are to change, as well as how knowledge is created.

It is commonly considered that culture includes the organisation's vision, mission, values, norms, systems, symbols, language, assumptions, environment, location, beliefs and habits. The complexity of this definition raises concern amongst stakeholders around how to measure and therefore audit organisational culture. A common definition of organisational culture adopted by APRA is:

‘…a system of shared values (that define what is important) and norms that define appropriate attitudes and behaviours for organisational members (how to feel and behave)’.

Considerations of culture are not straightforward. Cultural complexity is increased when you consider work undertaken by Kotter in 1992 that introduced the concept of organisational subcultures. Kotter concluded that although a company may have its "own unique culture," in larger organisations there are sometimes co-existing or conflicting subcultures because each subculture is linked to a different management team. During my MBA studies in the mid 1990’s, our study of “culture” was largely limited to studying how to do business overseas and manage different cultures from an international perspective.

Whatever your preferred definition of organisational culture, a distinguishing feature of leading organisations is their culture. Culture affects performance, employee engagement and the ability to create an innovative and positive work environment.

Andrew Bailey, CEO of the UK based ,Financial Conduct Authority notes, “A firm’s culture emerges in large part from inputs that are its responsibility. It is for firms to ensure that their desired culture is consistent with appropriate conduct outcomes, to identify the drivers of behaviour within the firm and control the risks that these drivers create’.

Why is culture important?

We will explore this topic in greater detail in future posts, however 90% of CEOs and CFOs believe that improving culture would improve the value of their company. [1] Research has shown that culture, leadership and engagement have a direct impact on organisational performance. Culture impacts the appetite for change, innovation and risk awareness.

The Report of the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry (the Hayne Report) made four recommendations in relation to culture:

• Assess the entity’s culture and its governance.

• Identify any problems with that culture and governance.

• Deal with those problems.

Determine whether the changes it has made have been effective. As a result, conversations around culture have increased in Australia, with regulators and Boards more focused on poor culture to detect warning signs of broader organisational issues.

Internal Audit has traditionally focused on the ‘hard controls’ such as those documented in policies, procedures, standards and guidelines. However, during my 20+ year career in Internal Audit, it has often been the human factors that impact the effectiveness of the hard controls and are usually the root cause of reputational, operational and financial risks. These ‘soft controls’ are often more difficult to measure, investigate and report on.

Approaches to a culture audit

In a paper released in December 2017, titled ‘Managing Culture - A good practice guide’ co-authored by Chartered Accountants Australia and New Zealand, Institute for Internal Auditors Australia (IIA-Australia), Governance Institute Australia and the Ethics Centre, the authors noted that internal and external audit, the Board and management, all have a role to play in ensuring good conduct across the organisation. IIA-Australia requires internal audit to evaluate the design, implementation and effectiveness of the company’s ethics related objectives, programs and activities. [2]

Audit and Risk Committees (ARC) are increasingly asking the Internal Audit function about organisational culture. In fact, a number of ARCs that I am involved with include a standing question after each internal audit review around the culture of the department or function that has been audited. This is one way to check the cultural pulse of an organisation through the internal audit function. Internal Audit could include an element of culture into every risk-based audit using a testing program, survey or both. Another mechanism is to undertake a dedicated culture audit or adopt a thematic analysis across all internal audit work. There are also a number of research-based tools and techniques in the market to assist organisations to measure and improve culture.

An internal audit of culture is often best undertaken by the most experienced members of the audit team, using a range of diagnostic tools including surveys and interviews. New skills around behavior assessment, organisational psychology and sociology will assist an auditor’s understanding. It is indicative for internal audit to consider:

• Any internal measures around culture, engagement or leadership that the organisation already has in place.

• A summary of key policies and processes used to establish cultural values, but more importantly; to survey staff and stakeholders on the implementation of this framework.

• Processes in place to establish, communicate and implement cultural values.

• Processes to capture and report policy or compliance breaches.

• Processes to assess sub-cultures across branches or departments.

• Alignment of culture and strategy

In my experience some key aspects of positive soft controls relate to clarity of roles and responsibilities, transparency of individual behaviour, accountability for misconduct, performance recognition, leadership and mentoring which relate to engagement.

If you would like further information on internal audits, including cultural audits, please speak to your adviser.

[1] Corporate Culture Evidence from the Field’ October 2015
[2] IIA International Standards for the Professional Practice of Internal Auditing