Organisational culture has become an audit priority
As organisational culture moves from buzzword to boardroom priority, the IIA’s Organisational Behaviour Topical Requirement aims to equip internal auditors with the skills to provide meaningful cultural assurance, writes Jack Manning.
Organisational culture is at the forefront of many professionals’ minds, not least because of the seemingly continuous stream of high-profile scandals and failures that cast a spotlight on corporate behaviour.
Once seen as a nebulous concept or “nice-to-have”, organisational culture and the individual behaviours that underpin it are now rightly recognised as the critical strategic, operational and reputational risks they have been for some time.
The internet era has ushered businesses into a vulnerable reality in which lightning-fast communication facilitates the rapid spread of reputational damage, while that damage remains no less arduous to remedy.
These intensified risks are reflected in the 2024 UK Corporate Governance Code, which requires Boards to demonstrate how desired culture is embedded and reported across the organisation.
Organisations can no longer simply state their values; they must walk the walk—cultural claims should be clearly manifested in observable actions.
The IIA Organisational Behaviour Topical Requirement
At its recent conference, the Institute of Internal Auditors (IIA) observed that culture is often the root cause of many organisational failures.
In response, it is publishing the Organisational Behaviour Topical Requirement (TR) in December 2025, effective from Q1 2027, to equip internal auditors with practical guidance on providing cultural assurance.
Topical Requirements provide a baseline criterion for auditors. They apply only when internal audit is providing assurance and the topic is:
- Included in the audit plan;
- Identified during an engagement; or
- Specifically requested outside the original plan.
The term “culture” itself suffers its own brand of reputational baggage. Long viewed as subjective and ambiguous in organisational contexts, it can provoke no small sense of discomfort among evidence-driven, quantitatively minded auditors.
The IIA eschews the term entirely in the TR, opting instead for “organisational behaviour”. As part of a culture review, auditors will be asked whether:
- Behavioural expectations are clearly defined and owned;
- Behavioural risks are identified, monitored and addressed;
- Internal communications and leadership styles align with the expected tone;
- Reporting channels are credible and trusted; and
- Incentives and consequences support ethical outcomes.
How cultural assurance works in practice
Cultural insights often rely on what is felt and observed. This can frustrate auditors’ natural impulse to seek hard evidence to support findings and recommendations.
Employees may be unwilling or unable to put complaints in writing, and behaviours are inherently intangible. Effective cultural audit approaches include:
- Leadership and employee interviews, focus groups and targeted surveys;
- Observing decision-making forums and behaviours in real time;
- Analysing trends in whistleblowing, complaints, employee hiring and turnover, and survey data;
- Evaluating organisational monitoring, escalation protocols, and employee voice mechanisms; and
- Assessing incentives, disincentives, issue management, and tone at all management levels.
Internal auditors or cultural arbiters?
Behavioural risk is highly material but often overlooked. Poor behaviours can become normalised within an organisation, making them harder to identify and remedy. (A mindset of “this is just how things are here” may become entrenched.)
At the 2025 Internal Audit Conference in London, speakers emphasised that internal audit’s role is not to label a particular culture “good” or “bad”, but to provide assurance on whether cultural expectations are being met.
Accepting that humans drive corporate governance means auditors will be required to make cultural judgments based on qualitative and unstructured data.
As Sandro Boeri, immediate past president of the IIA, wryly observed, behavioural risk becomes irrelevant only when humans no longer play any role in what’s being audited.
In other words, unless robots are auditing robots—and we’re not (quite) there yet—culture will remain a necessary and material consideration in most audits.
Jack Manning is an Internal Auditor at CIÉ