
A polished balance sheet and a flawless compliance checklist can hide evidence of a rotting corporate core. While traditional auditing excels at spotting misallocated funds and missing approval signoffs, it is often blind to the “soft side” of corporate culture—those unwritten rules, silent anxieties, and behavioral shortcuts that raise ethical concerns and eventually contaminate financial and operational results. To truly help the organization create and protect value, internal auditors must expand their approach beyond traditional auditing practices to understand behavioral dynamics.
This isn’t just about finding what’s wrong. It’s about assessing how culturally healthy the organization’s soft side is, and if it is as resilient as the financial statements, operational processes, and computer platforms.
Another aspect of these types of assessments is looking at the organization’s ability to adapt and innovate, which has never been more important as the adoption of Artificial Intelligence has accelerated rapidly. Change readiness, a key ingredient for future success, depends heavily on workers’ feelings of psychological safety, agility, adaptability, engagement, and healthy communications. In other words, change readiness depends on a healthy corporate culture.
Defining the Organizational ‘Soft Side’
To audit culture, we must first define what it is. If the hard side of a business consists of its infrastructure, and the technological, operational, and financial systems, the soft side is the invisible engine that drives how people operate within this infrastructure. We want to understand if there is a gap between what a company says it does in its published reports and what employees actually do when no one is watching.
Highlighting the importance of looking beyond policy statements, Fuad Kalashli, audit, risk, and governance professional and president of the Azerbaijan chapter of the Institute of Internal Auditors, learned from an assessment he conducted that small, everyday behaviors and unwritten norms could override official guidance. “Even with clear expectations, the culture was shaped by subtle signals from leaders and peers, showing that understanding culture requires paying attention to how people actually act and interact, not just what the rules say,” says Kalashli.
The Journey Toward Transformation
Moving beyond traditional auditing requires a fundamental shift in focus from outputs to the human element of risk and the related behaviors. While most KPIs and management reports tell us that a target was met, they remain silent on whether that goal was achieved through innovation and excellent performance or through ethical shortcuts. There are three key elements we must understand as we begin this transformational journey:
- Behavioral Norms: These are characterized by action patterns and unwritten understandings that result in speak-up cultures that value dissent or a safety-in-silence mindset.
- The Ethical Climate: This goes beyond signed codes of conduct and focuses on the tone at the top, the way middle management translates corporate values into daily practices, and performance pressure.
- Cultural Health: This is the psychological state of the workforce as evidenced in the level of burnout, fear of failure, or a culture of achieving results at any cost. These matter because they are leading indicators of future financial and reputational disaster.
How Are Culture Reviews Done?
For decades, the internal auditor’s arrival has been greeted with fear and the frantic closing of spreadsheets and filing cabinets. The traditional “gotcha” mindset that focused on finding errors and assigning blame is the primary obstacle to auditing culture. Auditors cannot assess the soft side of a business if employees are too intimidated to be honest. To unlock the truth behind an organization’s climate, auditors must transition from being the corporate police to serving as trusted advisors and governance, risk, and compliance (GRC) coaches.
This shift is fundamental. It involves real partnership. Instead of acting as a judge assigning ratings of pass or fail, modern internal auditors need to adopt a strategic lens and help management identify cultural gaps before they become financial crises. When internal auditors approach an engagement with the sincere intent to help the business succeed rather than just catch it slipping, the relationship transforms from adversarial to collaborative.
This transformation is rooted in the IIA’s Global Internal Audit Standards, which emphasize that internal audit must provide not just assurance, but also insight and advice. As stated in Standard 1.2, “an organization’s ethical culture is rooted in its ethical expectations as documented in a code of ethics, a code of conduct, ethical risk and control processes, and policies related to professional behavior.” By aligning cultural audits with these items, internal auditors move beyond the policing stigma and set their sights on improving organizational value.
Some key strategies for making this transformation include:
1) Secure Board and Senior Management Buy-In
Build a reputation for objectivity and business acumen, which is essential for gaining the go-ahead to perform sensitive cultural assessments. To secure the trust of management and the board, auditors must demonstrate emotional intelligence (EQ) alongside technical proficiency. By showing a genuine interest in the “why” behind the “what,” internal auditors prove they are invested in the long-term health of the organization. This credibility is essential to successfully navigate the sensitive, often political waters of these types of reviews. Mary Ann Kalil, Governance and Risk Assurance expert, states, “organizational readiness, timing and sponsorship are critical. Without sponsor / stakeholder genuine willingness to listen, reflect, and invest in cultivating a healthy culture, in consideration of industry and geographical context, culture audits risk dismissal or unintended consequences.” She adds that beyond the formal hierarchical leaders on the org chart, auditors should “identify formal and informal influencers to understand where the real power sits, particularly where (concentrated) influence exists in absence of accountability.”
2) Replace “Findings” with “Insights”
Rather than simply listing errors, frame observations as opportunities to strengthen the corporate culture.
3) Adopt a “Coach” Approach
Work with management to understand why cultural pressure points like unrealistic sales targets exist, and help management design behavioral controls to mitigate them.
This shift may appear unnecessarily nuanced, but it makes a big difference. For example, the traditional “policeman” might report that an employee bypassed a protocol, while a “trusted advisor” will go further and seek to understand if the company’s high-pressure culture made bypassing that protocol the only way for the employee to survive.
Identifying Cultural Indicators Beyond Finance
The greatest challenge in auditing the “soft side” is the perception that culture is too fluffy to be measured. However, culture leaves a trail. To gain a comprehensive view of an organization’s health, auditors must look beyond individual and separate data points and instead triangulate findings using a blend of quantitative and qualitative metrics. While quantitative data often provide the what, qualitative indicators provide the why.
Quantitative metrics provide evidence of trends and anomalies across the organization. These metrics often act as early warning indicators and include:
- HR Data: High turnover rates, excessive overtime, or unused vacation time that may indicate toxic management and a culture of burnout, especially in high-performing teams.
- Whistleblower Hotline Activity: Either a sudden spike in reports or suspicious silence can indicate issues. While a healthy culture has a steady stream of reports, a lack of activity often indicates a fear of retaliation or the perception that management will ignore reported concerns.
- Training Statistics: If employees are consistently speed-clicking through ethics training, or completing it past the deadline, it may suggest that integrity is viewed as a hurdle to be cleared rather than a value to be lived.
Qualitative Indicators, on the other hand, help us read between the lines to gain valuable context and identify root causes. Exit meeting notes, surveys, interviews, and focus groups can provide insights into employee experiences and themes regarding important topics. Some other qualitative indicators include:
- Tone at the Top vs. Tone in the Middle: While the CEO may champion integrity at the top, the message may get distorted or diluted by the time it reaches middle management. With this in mind, the question becomes, are supervisors prioritizing making the numbers over doing the right thing?
- Behavioral Observations and Inputs: During walkthroughs, we need to ask about the “vibe” in the office. For example, are employees empowered to speak up in meetings, or is there a culture of hierarchical power and going along to get along to achieve ritualistic harmony?
- Siloed Behavior: Is information shared freely, or do departments hoard data like power? Excessive siloing is often an indicator of a low-trust culture where competition clouds the collective mission.
When selecting hard and soft evidence, Hal Garyn, managing director of Audit Executive Advisory Services, suggests we “start with mission, vision, and especially values. The values should be the expression of the culture the organization seeks to prioritize through desired behaviors.”
The most powerful insights occur where these two types of data intersect. For example, if a department has low whistleblower activity (quantitative) but interviews reveal a high fear of management (qualitative), a high-risk situation is present. Similarly, “to translate qualitative signals into audit findings and risk ratings, auditors synthesize observations, interviews, and behavioral patterns to identify gaps between expected and actual conduct. Each signal is assessed for severity, frequency, and potential impact on the organization’s culture. Red flags, such as repeated policy violations, disengagement, retaliation, or ethical lapses, should trigger timely escalation to leadership or the audit committee to mitigate risk and reinforce accountability,” says Maher Elsahaar, an internal audit, compliance, and risk management consultant.
According to Mary Ann Kalil, a consultant and internal audit expert, “qualitative signals, when corroborated with hard signals and evaluated against the agreed behavioral framework and values, should be assessed for consequences, like decision quality, compliance failure, attrition, safety, or complaints. The risk rating should consider pervasiveness and impact.”
Tools for Assessing Culture
Since culture is felt differently at various levels of the organization, the most effective internal audits use a combination of tools that pair broad-based data collection with deep-dive investigative techniques.
- Anonymous Culture Surveys: Surveys are the thermometer of an organization. When designed correctly, endorsed by senior management, and administered anonymously by a credible party, they provide a safe channel for employees to share their reality. Additionally, a large-scale survey provides statistical weight to convince senior leadership that a cultural issue is systemic rather than anecdotal.
- Targeted Interviews and Focus Groups: While surveys tell you what is happening, interviews tell you why. Interview individuals and conduct focus groups with different seniority levels and functions to determine if the cultural experience is consistent across the organization. Regarding interviews and surveys, Audit Executive Advisory Services’ Garyn shares an additional perspective: “Executive interviews should be used to learn how they each approach modeling the desired behavior and how they themselves prioritize emphasizing the values. Are there gaps? Then an employee survey instrument that is fully anonymous should be used to evaluate how company employees feel about each value,” he says.
- Walking the Physical and Virtual Floor: These are often called “Gemba Walks” or Management by Walking Around (MBWA), and their objective is to observe the environment in its natural state. This may include physical observations that help to assess the energy in the breakroom, find out if posters about core values are faded, peeling, and covered, and if leaders interact with staff in the hallways. In a hybrid or remote world, this can be done by joining Slack channels, observing and using AI to perform sentiment analysis to assess the tone of email threads and chat rooms. Internal auditors may also sit in on Zoom, Teams, or Google Meet department meetings as a silent observer to gauge the vibe. Kalil also practices walking the floor as a means to observe informal engagement. She says such observations may provide “insights that formal mechanisms miss, revealing tone, pressure points, and informal influence dynamics.”
- Leverage AI: As use cases grow and the technology matures, AI is also emerging as an important tool in assessing softer aspects of the organization, such as culture and adaptiveness. Consider exploring AI to identify emerging trends, such as Generative AI simulation testing, where AI is used to help simulate ethical dilemmas and stress-test decisions to understand behavior under pressure.
Su Joun, principal of Diversity@Workplace Consulting Group, advises internal auditors to use “existing data from previous assessments to know the current culture to decide best methods for further assessment. For example, if a past employee satisfaction survey results show that people have trouble speaking up, then perhaps conduct small focus groups, focus groups without leaders, or even one-on-one meetings to gather information with assurances of confidentiality.”
For these tools to work, internal auditors must guarantee psychological safety. If employees fear their feedback will be used against them, those tools will only capture a sanitized, performative version of the culture. To avoid this outcome, Elsahaar advises internal auditors to implement strict confidentiality protocols, including anonymizing responses and limiting data access to authorized personnel only. “Clear communication about the purpose of the review and assurances against retaliation are essential to foster candor and trust,” he says. “Additionally, using secure data collection methods, documenting consent, and providing safe channels for reporting concerns ensure that sensitive cultural information is gathered ethically and responsibly.”
IIA Azerbaijan’s Kalashli also considers “emerging tools and practices like pulse surveys with real-time analytics, sentiment analysis, and network mapping to better understand communication flows and influence patterns across the organization.” These tools can help assessors detect issues sooner, identify hidden risks, and formulate more precise recommendations. Also, integrating structured feedback mechanisms with follow-up monitoring helps to ensure that changes are tracked and cultural enhancements are sustainable.
For all of this to work, Kalil reminds us that maintaining a reputation of trustworthiness is essential and “failure to do so can severely damage credibility.” Furthermore, the importance of context cannot be ignored. “Industry and geographical context matter,” she says. “In jurisdictions where societal norms discourage open challenge or speaking up, internal auditors will need to adapt their methodology and rely on corroborated evidence. Otherwise, the review risks producing compliant responses instead of real authentic insight.”
Integrating Culture into the Audit Plan: From Theory to Practice
Cultural assessments should be tailored to the organization’s industry, size, and risk profile. While a comprehensive assessment could be done as an enterprise-wide review, it may be too complex and time consuming for some internal audit departments. Instead, it may be best to limit the scope to selected units or weave the assessment through every engagement. For example:
- Travel and Expense (T&E): Don’t just look for missing receipts or expenses above a threshold. Rather, look for signs of an entitlement culture. A culture at the top of “rules for thee but not for me” creates a permission structure for fraud in the middle and the bottom.
- Sales and Compensation: Audit the pressure. If sales targets are consistently set at the edge of impossibility, the culture is likely encouraging “channel stuffing” or overly aggressive revenue recognition. Analyze the incentive compensation plan to see if it rewards “how” results are achieved or only “how much was achieved.”
- Onboarding and Offboarding: During onboarding, is the focus on company values or just on getting the laptop, passwords and access badges? Conversely, analyze exit interview data for indicators about why people leave.
- Procurement and Vendor Management: Look for favoritism or cronyism. If certain vendors are consistently chosen despite higher costs, lower quality, and poor performance, it may indicate a culture where personal relationships, kickbacks, and conflicts of interest override the procurement policy.
- IT and Cybersecurity: Assess the security mindset by searching for indicators that employees may be focused on finding workarounds to security protocols because they view them as hurdles. The culture should not prioritize speed over security.
Issuing Audit Reports on Culture
Reporting on the soft side requires a delicate balance. When presenting to the board and senior management, internal auditors should:
- Connect Behavior to Risk: For example, don’t say “the culture is aggressive.” It is better to state, “the high-pressure sales culture has increased the risk of fraudulent financial reporting by X percent.”
- Use Visuals: For example, a Heat Map or Cultural Health Dashboard with data from different departments can show the board where toxic hotspots are forming.
- Provide a Path Forward: As a trusted advisor, it is best to avoid just dropping bad news and leaving or making vague recommendations like “improve morale.” Instead, provide suggestions that lead to actionable remediation and cultural improvements. For example, recommendations may focus on revised incentive structures, awareness programs, or leadership training.
In addition to connecting behavior to risk and using data-driven visuals, also consider these critical pillars for impactful reporting:
- Avoid the “Upward Filtering” Problem: Employees often sanitize feedback to their supervisors, who further polish it before it reaches executives, creating an unrealistically positive view that hides issues. The solution is to provide anonymized direct quotes from employees to provide a more accurate description of the daily employee experience.
- Differentiate Between “Stated” vs. “Lived” Values: Highlight gaps between official mission statements and actual daily practices. For example, if a company champions innovation but the assessment shows that employees are penalized for every minor failure, this misalignment is a fundamental threat to strategic goals.
- Share Results Strategically: Results should be communicated to key stakeholders, and “HR should be a collaborator and executives should be briefed, starting with the CEO first,” says Garyn. According to Elsahaar, “culture and tone review findings should be tailored for each audience: the audit committee receives strategic insights with risk assessments, senior management gets operational analyses with practical recommendations, and HR benefits from behavioral trends to inform policies and development programs.”
By mastering these reporting nuances, the internal auditor fulfills their ultimate role of providing the board with the clarity needed to protect not just the bottom line, but the company’s integrity and long-term future. The goal is not just to correct a specific error; it is to transform organizational behavior.
The Mandate for Modern Auditing
Kalashli shares that a key lesson from a past culture and conduct review was “noticing how stated values don’t always match what happens in practice. In one organization, the code of conduct highlighted collaboration and open communication, but interviews and observations revealed that employees were hesitant to speak up because managers often unintentionally discouraged differing opinions. After identifying this, we worked with leadership to provide targeted coaching, create safe feedback channels, and adjust recognition programs to encourage transparency.”
The era of the checkbox internal auditor is ending. As organizations face increasingly complex risks, the ability to decode the soft side of corporate culture and the human element is no longer a luxury but a professional imperative. “To truly understand culture, auditors must look beyond checklists, listen to people, observe behaviors, and connect the dots between what is said, what is done, and what is valued,” says Kalashli.
The transition from corporate police to trusted advisor requires courage and a fundamental shift in mindset. It demands that we build credibility and use a sophisticated mix of quantitative data and qualitative insights to tell a story that the numbers alone cannot tell. When we report the uncomfortable truth to the board, we provide more than just assurance; we provide the clarity needed to protect the organization’s most valuable asset: its integrity.
The challenge is clear. We recognize that too many of the largest corporate failures were preceded not by a failure of accounting practices, but by a failure of character and a breakdown of shared values. Will internal auditors remain historians of past errors, or will they step forward as strategic and trusted business partners helping to secure the organization’s future? The tools are ready and boards are listening. It is time to look beyond the checklist and audit the soul of the organization.
Dr. Hernan Murdock, CIA, CRMA, was VP of Audit Content at ACI Learning and the MIS Training Institute (MISTI). Prior to that he held various audit positions while leading and performing audit and consulting projects for clients in various industries. He is also the author of several books, including The Change Agent: Transforming an Underperforming Internal Audit Department.

