
The challenge of auditing culture

Assessing the corporate culture of your own organisation is not easy, but done well it can be a valuable exercise. Christos Skapoullis, head of internal audit at the Bank of Piraeus, outlines the potential pitfalls and how to avoid them.

When an organisation’s Board commissions an internal audit of corporate culture, it is to obtain assurance on the appropriateness of the entity’s cultural framework and, most importantly, to gain confidence that the behavioural rules and norms as set by the Board are being adhered to.

This is a major challenge for an internal auditor, primarily because the subject matter is inherently ambiguous and subjective. However, if the approach is appropriately planned and structured, such an audit can prove to be a value-adding undertaking.

What is culture?

If we simply interpret culture as ‘the way people behave’, similarly corporate culture can be inferred as the way employees behave. The framework of acceptable behaviour is shaped by the entity, approved by its Board and communicated to its employees. This communication often takes the form of principles and norms, some of which may be open to different interpretation.

These principles are based on the values of the entity such as: integrity, fairness, professionalism and trust, for example. To be successful, it is critical for the entity to make as transparent as possible to staff how these rules are expected to be applied. 

Some entities in their Codes of Conduct provide explanations, examples and tree diagrams of what could be interpreted as a violation of the set behaviour standards. However, the application of these rules might not be limited to the behaviour between employees and with the entity’s stakeholders, and may extend further than the workplace’s physical boundaries.

One such example is social media activity, where the statements and actions of an employee online may have an impact on the entity’s reputation. There have been cases of Code of Conduct breaches relating to the use of social media.

Aligning standards

In regulated industries, such as banking, the behaviour standards are set by the regulator and the entity should be in a position to understand the regulator’s view on professional ethics and, of course, ensure that it complies accordingly. This alignment of views directs the entity to form its own tolerance levels when dealing with incidents of behaviour-related violations and could assist the auditor to highlight the significance of any issues identified. 

In recent years, effort to support changes to improve culture and restore trust of the stakeholders has focused on individual accountability. This approach accepts the seemingly obvious, that behaviour is the outcome of an individual’s decisions and actions, and stresses the ‘implications’ for the individual. This is why in many Codes of Conduct the individual decision-making stage is emphasised and the behaviour expected from employees is guided through principles and values. 

It is vital for an entity’s management to align its interpretation of the broadly defined rules with that of the employees’ understanding of those rules. If the auditor finds that the concept of ‘conducting business professionally’, for example, is not perceived in the same way by both groups, then it will be necessary to assess the entity’s methods of disseminating its desired culture and recommend revisions, if appropriate.

Before the audit

After the Board has given its support for an assessment of corporate culture, it is of paramount importance for the internal auditor to understand the expectations of the Board and ensure that the scope of the assignment is defined accordingly. It could be the case, for example, that some of those expectations might be better addressed by a specialist organisational behaviour consultant. 

Once a clear mandate has been secured from the Board this will help the internal auditor to deal with potential employee resistance, which may be anticipated from those within middle and semi senior management in particular. The backing of the Board will also help the auditor to deal with potential conflicts in areas where the management’s own tolerance has gradually increased the gap between expected and actual behaviour. 

In planning an internal audit of this type a good understanding of regulation and best practice in corporate culture may not be sufficient to assess the appropriateness of the cultural framework in place. On the other hand, an auditor doesn’t have to be familiar with Aristotle’s writing on ethics to be able to develop an acceptable audit approach. 

The crucial competence is the ability to comprehend the entity’s culture – particularly any non-adherence to standards and the underlying behaviour – which will make root-cause analysis meaningful. To that extent, human resources or compliance functions may be able to assist the internal auditor in understanding the situation under review and the drivers of the observed behaviour. 

A regular review?

A key decision that the auditor will have to take ahead of embarking on the audit is whether the approach will be a ‘one-off’ project or whether the culture assessment will become part of his or her annual audit plan.

If the assessment of culture is restricted to merely a gap-analysis project this will, in my opinion, offer no real benefit to the entity. In taking this approach the internal auditor runs the risk of providing comfort on the existence of a relevant framework while failing to detect that rules and regulations were not obeyed – contributing to a situation termed as ‘superficial culture’. 

The continuous and recurring approach, meanwhile, provides the Board and management with more insight into whether rules and norms are being adhered to across the entity and how the violations are dealt with by those who are charged with the task of ensuring compliance. 

The human element

Another critical factor to consider at the planning stage of the audit is human nature: when someone is overseeing, the rules are usually adhered to. Data from systems are more solid and usually less challenged. Where this type of evidence is available it should be used to support the conclusions drawn. 

In addition to the audit work designed to identify actual behaviours, one should analyse the views of employees who are able to reveal underlying issues that are affecting culture. This may take the form of questionnaires which can be completed anonymously, for example, which allow employees to freely express their concerns. 

These responses should, however, be analysed with caution. In organisations where the understanding of appropriate conduct between management and employees is not aligned, it is very likely that there will be a lot of noise in the responses, making it difficult for the auditor to reach a safe conclusion. At this stage the contribution of human resources and compliance teams will be valuable in interpreting the feedback.

Prepare to be challenged

When performing the audit, apart from the standard gap analysis, great thought should be given to the design of the audit tests. Depending on the type of the entity and the area under review, the tests should ideally capture evidence that can be clearly linked to cultural issues. It is a difficult task and often evidence may not be as tangible as one may expect. The auditor should be prepared that some of the audit conclusions will probably be challenged.

Obviously, the more refined the rules are, the less likely that any views and arguments will be exchanged. However, if a closing meeting that addresses staff-behaviour issues becomes intense the internal auditor should be prepared to accept criticism for being one of the pillars of the entity’s culture since there is no clear line between the entity’s culture and the internal audit’s culture.

Reporting recommendations

The most challenging part of internally auditing corporate culture is the reporting stage and particularly the recommendations related to behaviour. Factors that often need to be considered include: the sensitivity of the issue being discussed; the possible limitation in skills to handle culture change; and a potential lack of commitment to change the whole ‘behaviour’ system.

Organisational models developed by consultants could assist the auditor to approach the issues in a more meaningful manner, but whether the internal auditor is in the best position to incorporate these soft factors in the recommendations is something that also needs to be assessed. For example, plain and straightforward corrective actions may only touch on the surface of the problem and not have the desired outcome, threatening the perceived value of the assignment.

Meanwhile, an audit approach, which could be perceived as strict by staff in terms of applying the rules, may trigger employee dissatisfaction, especially in cases where rules were not properly explained to staff and conduct-related training was insufficient or non-existent. 

Due to the nature of this type of audit, there will be cases where the auditor’s concerns will not be sufficiently substantiated. It could prove useful for the auditor to informally discuss with the entity’s management these concerns and gain better insight about employees’ behaviour. By encouraging such discussions, management will be collecting the small pieces to complete the puzzle, which will consequently enable them to comprehend the complete picture of what is really going on in a business segment. 

There is no doubt that assessing an entity’s culture poses numerous challenges for an internal auditor, but if the approach is well considered and performed it can provide significant value to an entity and its stakeholders.

About the author 

Christos Skapoullis is a member of the ICAEW’s Internal Audit Panel and the head of internal audit at the Bank of Piraeus in Cyprus. 

Join the debate 

Join the ICAEW Internal Audit Group on LinkedIn to share your experiences and discuss the latest developments in internal auditing practice with a community of more than 650 practitioners.

ICAEW's assurance resource

This page is part of ICAEW’s online assurance resource, which replaces the Assurance Sourcebook.
