Culture Audits: 3 Tips for Assessing Your Corporate Culture

Culture Audits: 3 Tips for Assessing Your Corporate Culture

Culture audits often make internal auditors nervous. The idea of auditing something as vague as behavior sounds confusing when we are used to auditing processes with clear inputs and outputs. How can a business systematically evaluate something as ephemeral as organizational culture? 

Building and maintaining a healthy, unified, and focused working environment begins and ends with culture. Having a healthy company culture comes down to more than platitudes and statements about an organization’s values or the company’s vision. To reap the benefits of a positive company culture, an organization occasionally has to get its bearings and make sure it’s heading in the right direction. Formal culture audits with a resulting audit report can unveil gaps or mismatches in the company’s culture, employee engagement, recognition programs, and communication styles that have a tangible effect on operations and the bottom line.

 In this article, we’ll take a look at culture audits and how an organization can get started with this important addition to their audit toolkit.

What Is a Culture Audit? 

A culture audit is unlike any other project the internal audit department will perform. While most audits start with a set of risks within a given process, a culture audit revolves around the potential for behavioral risk from employees, vendors, and other stakeholders that can impact operations and reputation. We can’t address cultural audits without first understanding company culture and the costs of poor workplace culture.

What is Organizational Culture?

Culture and conduct are highly intertwined. In many cases, a culture audit seems like a daunting task since we are asked to audit something we don’t initially think we can observe. To understand a culture audit, we need to start with a few basic definitions. In a recent practice guide titled Auditing Culture, The IIA defines organizational culture as “the invisible belief systems, values, norms, and preferences of the individuals that form an organization.” They also define conduct as “the tangible manifestation of culture through the actions, behaviors, and decisions of these individuals.” By understanding the connection between culture and conduct, we learn culture is the underlying driver of conduct, and conduct is the observable outcome of culture.

Company culture formalizes materially in recognition programs, communication styles, employee engagement, and even decision-making throughout the organization, which can be measured and observed.  When an organization’s culture is poor, toxic, or unethical, there can be significant ramifications, especially with the proliferation of the internet and social media. Thus, culture carries an inherent risk — and the keys to business success.

With this understanding, a culture audit includes reviewing how management’s tone and leadership style influences employee behaviors and conduct. As we have seen in many examples, observable conduct may differ from the culture management wishes to portray. When Enron collapsed in the early 2000s, its corporate culture was put under the public spotlight. On paper, the culture was supposed to be exemplary, but the reality was that Enron had a  toxic environment and valued profit over ethics, creating an environment where fraud could take precedence

2024 Focus on the Future Report

What Does a Cultural Audit Include? 

A culture audit includes reviewing both subjective values within an organization and the actual, observable conduct by employees and contractors.. Conducting a culture audit can be especially difficult since the audit department itself is influenced by the same culture they will audit, making it a potential challenge to maintain independence and professional skepticism. By taking a systematic approach, reinforcing a message of ethics, and acknowledging our potential bias, we can perform a meaningful audit. 

A culture audit will follow the same format as any other audit: planning, fieldwork, and reporting. In this type of audit, there will be more of an emphasis on interviewing and direct observation than usual. Often the culture audit starts with an anonymous cultural audit survey sent to all stakeholders, like team members, staff members, and contractors to gain a surface-level understanding of the culture. In the planning phase, the audit team will collect information and research from previous culture assessments, review prior culture-related documentation, and set the timeline and objectives for the audit.

During the fieldwork phase, the audit team starts with a review of company culture on paper. The review is meant to establish management’s intended culture or at least how management wants to portray the culture. 

Some supporting documentation to review includes:

  • The mission and vision statements, and any values the company states publicly.

  • The mission and vision statements, and any values industry peers state (for comparison).

  • Statements about management styles used in recruiting or training materials.

  • Backgrounds and bios for senior management.

  • Organizational history and origins.

  • Statements about organizational goals and direction.

  • Code of conduct and ethics.

  • Human Resources policies and procedures.

Data analysis should also extend beyond a review of documents. Audit teams can see evidence of company culture in:

  • Hiring, termination, and retention trends.

  • Wage and pay equity across demographics.

  • Use of fair success metrics.

  • Responses to incidents such as a data breach or cyber attack.

  • Use of tip lines.

  • Handling of fraud cases.

Taking a consistent approach during the culture audit will make it easier to compare different parts of an organization. Remember, a review of the culture within one region, country, city, or even department within an organization may look completely different from others.  The localization of a bad culture was evident in a well-known scandal at Wells Fargo. An inappropriate metric was set for the number of new accounts bank branch managers needed to open, and the staff resorted to opening fake accounts. The conduct was influenced by a culture of greed that led to setting unrealistic goals.

In addition, as part of fieldwork, the team performing the culture audit should conduct one-on-one interviews, focus groups, and potentially culture surveys to obtain the best and most thorough understanding of company culture that they can. Conducting a culture audit requires just as much legwork and teamworkas other types of audits, and pose their own set of challenges.

Image: What Goes Into a Culture Audit

After completing planning and fieldwork, and documenting the results of their audit procedures, the audit team responsible for the cultural audit must not compile their findings into an aggregate audit report for the target audience. A good practice for any type of audit report is to include gaps and recommendations whenever permissible. 

Based on the culture audit report, leadership can then make informed decisions about the company culture, like whether coordinated cultural change is required.

Why Is a Cultural Audit Important?  

Workplace culture is viewed as one of the most critical factors for predicting overall success. A cultural audit is important because it allows an organization to assess the current state and take corrective actions before unacknowledged cultural issues derail its success. Culture can make or break an organization, and if it breaks there may be no coming back. Not all cultural issues lead to an implosion, but a bad culture, even a localized bad culture, can hurt an organization. 

culture audit can help management address issues like toxic management, race and gender discrimination, low morale, high absenteeism, low productivity, diversity, equality and inclusion, and high turnover. All of these findings are symptoms of a bad culture. 

One common example: In a large multinational company that manages multiple brands, there will be a variety of cultures at work. In one segment, management is tasked with increasing revenue even though they are managing a mature commodity product. Management puts pressure on the sales team to increase sales for the year. They enforce the pressure by tying the team’s commissions to an unattainable goal. When sales inevitably do not increase, the sales team is discouraged, and management is irate. When management reports their results, senior management increases the pressure even more in an effort to drive unrealistic results. This scenario is all too common in the corporate world and leads to many of the symptoms listed. When a culture audit survey shows low morale, analytics show high turnover, and interviews uncover toxic management, an organization has some cultural issues it has to work through. Why Corporate Culture Is Important   

It’s no secret that corporate culture has been at the forefront of recent news. CEOs have stepped down, lawsuits have been filed, and audit teams look at more culture-specific audits. However, IIA’s 2021 North American Pulse of Internal Audit suggests only 4 percent of audit effort is being allocated to governance and culture. With operational, financial, IT, cyber, and fraud all taking precedence, does internal audit have the resources to impact an organization’s culture?

A common approach for internal audit teams when addressing potential culture issues is to first send out baseline independent and confidential cultural audit surveys, which can be included as part of ongoing COSO entity-level controls. These cultural audit surveys can be broken down by category into such areas as perceived management tone at the top, management inclusion, company change, innovation, risks taken, governance controls, and knowledge of the code of conduct as well as staff’s knowledge about the whistleblower program. Responses should be reviewed for any trends, and internal audit teams should follow up and work with management for any identified issues in order to help address them.

3 Simple Tips to Assess and Audit Your Corporate Culture

As COSO entity-level controls help monitor culture, internal audit teams also add audits to improve company culture. Here are three simple tips to kick off your corporate culture audit, so you know where to start.1. Perform a root-cause analysis to identify cultural weaknesses.

As issues are identified during your various internal audits, evaluate what underlying behaviors, or “root causes,” contributed to the issues. This step helps you go beyond processes and controls to identify cultural weaknesses.

Performing root-cause analyses can help organizations meet their goals and build a strong cultural tone at the top from management that supports the code of conduct and ethics. Organizations can be successful when they address each root cause, whether it be a lack of understanding about internal controls, training, or trust and transparency.

If there are existing cultural risks already flagged in your risk register, these should be included in any audits or assessments of company culture and treated like any other risk.

2. Break up the culture audit into digestible focal points

Start small and grow the initiative. Many auditors are hesitant to perform audits of cultural behavior. The results could be taken as a personal attack on management’s tone at the top. The issues might be due to the lack of measurability with some behaviors. If auditing culture is not your specialty, then it may be more effective to perform smaller audits focused on a specific area of your entity’s culture or even a specific department. Here are some ways to start:

Perform audits in areas indirectly tied to culture. 

These types of culture audits often indirectly reveal potential cultural risks. Example audits include T&E (time and entry), workforce planning, talent acquisition, learning and education, compliance training, and sales compensation.

Create focal points within cultural-specific audits. 

While there are opportunities to address culture in most audits, teams can narrow their focus to critical areas where culture plays a more substantial influence. Start with risk and cyberculture and look at varying tolerances and controls in place to monitor risk.

Find a champion.

Find an executive who supports auditing workplace culture. Define the roles of what internal audit can do to help improve governance. Consider incorporating governance auditing in your internal audit charter.

3. Be patient. Improvements require time, effective communication, and follow-through.

A culture audit is not something that’s done quickly. As mentioned before, tone at the top of the organization is critical to success — that also includes having core values that are agreed upon, written, and expressed regularly. Next, employees need to understand the company’s values and receive training on roles, responsibilities, and expectations. You shouldn’t anticipate having all of these values naturally fall into place. There should be a review of current testing practices, positive and critical communication of successes and gaps, and matching of controls with the desired behavior. The amount of time required to execute this initiative differs depending on an organization’s time, skills, and resources.

It takes a lot of time to address cultural issues. Internal audit needs time with management to figure out a path for change. Management is often tied up working on day-to-day functions and may not have time to immediately address all the issues. This is where corporate sponsorship at the executive level of management and the board can be helpful in allocating resources and setting the right priorities. Most importantly, internal audit needs to be skilled in communicating and elevating any cultural issues requiring change and work with management as a change agent to help make it happen.

First Culture Audit? Don’t Navigate It Alone.

If this is your first organizational culture audit, don’t navigate it alone. Head over to our planning an audit checklist to begin planning your next culture audit.

Frequently Asked Questions About Culture Audits

What is a culture audit?

A culture audit involves assessing and evaluating a company’s culture.

What does the culture audit include?

A culture audit might include confidential culture questionnaires, one-on-one interviews, focus groups, and/or other data analysis.

Why is a culture audit important?

Culture audits are important because company culture is directly tied to productivity and maintaining an excellent company culture contributes to business success.


Vice Vicente started their career at EY and has spent the past 10 years in the IT compliance, risk management, and cybersecurity space. Vice has served, audited, or consulted for over 120 clients, implementing security and compliance programs and technologies, performing engagements around SOX 404, SOC 1, SOC 2, PCI DSS, and HIPAA, and guiding companies through security and compliance readiness. Connect with Vice on LinkedIn.