Should We Audit Organizational Culture or Behavior?

By Norman Marks
Auditing corporate culture and behavior may do more harm than good. A risk-based approach shows another path.

The answer to that question, at least in the eyes of the IIA from what I can tell, is that perhaps we should. 

Culture and behavior are not the same: culture can drive behavior, although it is not the only factor. This post talks about organizational behavior, as that is what the IIA talks about, but my comments are applicable to audits of culture as well.

The IIA has issued a Topical Requirement (TR) on Organizational Behavior, but it is not a mandatory audit. The TR only mandates what needs to be included if such an audit were performed.

Should it?

A Definition of Organizational Behavior

Before I can answer my own question, I need a definition of “organizational behavior.”

This is how the IIA defines it: Organizational behavior is the observable choices employees make in doing their jobs and how they work with others. This behavior influences performance and the achievement of organizational objectives. Simply put, organizational behavior is “the way we do things” and is considered a subset of culture. 

That’s unclear to me. It's everything anyone does (or decides not to do).

Are we talking about the behavior of:

  • one or more individuals,
  • a group or business function,
  • a business unit or
  • the whole enterprise?

All but one of the references I found talk about it as a study. So it’s no wonder I am confused. For example, an article on a U.S. government agency's website says: Organizational Behavior (OB) is a discipline of social science that seeks explanations for human behavior in organizations.

The only source I found that is consistent with the topical requirement's use of the term is a useful article on Forbes, "What Is Organizational Behavior?" It states (emphasis my own):

  • The concept of organizational behavior explains how people behave in organizations when they encounter specific situations. The goal is to determine which behaviors lead to optimal outcomes for companies and then apply techniques to encourage those positive behaviors. Various techniques are applied to better understand how and why people act, think and feel at work.
  • Organizational behavior is related to your company’s culture, but the two aren’t synonymous. The primary difference between the two concepts is internal vs. external. Studying behavior looks to what motivates people to act a specific way in different situations, what they’re thinking and feeling. Your company’s culture represents the shared values, beliefs and policies that serve as the foundation for all its activities and decisions.
  • We associate behavior with individuals, but behavior patterns are also identifiable from the activities of groups and entire companies. The three distinct levels of organizational behavior affect each other in that a change in one area will ripple through the others, even though groups and organizations don’t have the same free will as individuals.
  • The built-in dichotomy of organizational behavior is that only individuals possess the free will that allows them to choose one form of behavior over another. The purpose of organizational behavior is to encourage the people in the company to share behaviors that will help them achieve their common goals.

So we are indeed talking about the behaviors of one or more individuals, a group or business function, a business unit, and/or the whole enterprise.

Should We Audit Organizational Behavior?

Continuing the theme from my last blog post, I believe in a risk-based audit approach and plan. Audit the risks that matter to the success of the organization, the achievement of enterprise objectives.

Is there a risk to objectives from undesirable behavior? Of course there is! But should you perform an assurance engagement that assesses its adequacy, including the controls and process that provide reasonable assurance of desired behaviors? I am not so sure. It can be dangerous.

I would definitely consider some related audit engagements (advisory or assurance), such as:

  • The adequacy of the corporate ethics policy, including related training and testing.
  • Safety training, testing, supervision, monitoring and reporting, and related controls and practices.
  • HR policy (such as harassment) adequacy, understanding and compliance.
  • Compliance with (insert as appropriate) corporate policies.
  • Risk management — which includes many behavioral activities.
  • Selection of vendors and contract negotiation.
  • Hiring, promotion and termination policies and practices.
  • Whether corporate policies provide the necessary guidance to encourage desired behaviors.

When I think about it, most audits include some aspects of behavior. But would I have an engagement purely about organizational behavior?

No, and this is why.

Why I Wouldn't Audit Organizational Behavior Specifically 

1. It will always come down to people. Culture and behaviors are driven by the CEO and their team (and not the board). As Lord Smith of Kelvin (chair of the UK Smith Committee on Corporate Governance) told the IIA International Conference in Singapore, “a fish rots from the head down.”

Are you ready to announce an audit of the CEO, CFO, COO or other top executive?

Is it appropriate for internal audit to provide an opinion on the appropriateness of any employee’s behavior, beyond noting whether it was out of compliance with corporate policies? Are we psychologists?

Are we the right function to audit behavior? Shouldn’t much of this be done by the HR function? In fact, I would often seek to partner with them — as I will describe in a bit.

2. There are so many dimensions of desired behavior (and the culture that drives it), including:

  1. Teamwork, at all levels, including the board.
  2. Thoughtful decision-making.
  3. Imagination, creativity, curiosity.
  4. Sharing (or lack of sharing) of information.
  5. Risk-taking (too much, too little or just right?).
  6. Treatment of employees, co-workers, contractors, vendors, customers, etc.
  7. Ethics, honesty, integrity.
  8. Attitude towards compliance.
  9. Bias.
  10. Speed of decision-making.
  11. Dedication.

3. Can you define all the desired organizational behaviors, given that there are inherent conflicts between some dimensions (such as speed of decision-making, risk-taking, compliance, teamwork and thoughtful decision-making)? If they cannot be clearly defined, how can you determine whether they are present at the desired level?

4. Culture and behavior vary and should vary across the extended enterprise. Do you want Legal, Sales, Human Resources and Finance to have the same attitudes towards risk-taking, imagination or the speed of decisions?

They also vary and should vary over time and as business conditions change.

5. There’s a better way.

Why Risk-Based Auditing Is a Better Approach

With risk-based auditing, we only perform audits where the risk (and value) justifies our time.

While some areas, such as those I described above, are safe to audit, other issues can result in identifying deficiencies in specific people (including senior executives and even board members) and how they behave.

Are you going to put in an audit report any of these situations?

  • The CFO doesn’t understand risk management.
  • The CEO doesn’t listen.
  • The manager discriminates against (you name it).
  • The procurement manager is biased.
  • A member of the audit committee is not interested in reading the materials provided.
  • The corporate controller doesn’t understand some basic accounting principles.

Those are not safe audit engagements for the auditor.

But when there are indicators of undesirable behavior by individuals, groups or even the organization as a whole, regardless of the level of risk, something has to be done.

Those indicators tell us that there is a risk to be addressed. Conversely, when there are no indicators such as whistleblower complaints, lawsuits, observed inappropriate actions, loss of valued employees, etc., perhaps the risk doesn’t justify action by us.

There Are Other Ways to Handle Undesirable Behavior

I believe in handling the possibilities of undesirable behavior as quietly as possible, generally in partnership with Legal and HR, by talking to the appropriate level of management.

One approach, for example, when there is a concern about employee motivation or trust in leadership, is to work with HR on an employee survey. If possible, get them to conduct the survey but help with advice on the questions to include, making responses anonymous, and the handling and reporting of results.

Let me give you some examples of situations I have handled in the past.

  • Several senior executives were bypassing the CFO and going to the Corporate Controller for advice. I talked to a few people and found out that these executives lacked confidence in the CFO. I handled this by talking to the CEO privately.
  • When I attended mandatory safety training, I saw that some employees were helping contractors who didn’t understand the rules pass the test. I had a quiet conversation with the senior manager of the area.
  • A senior vice president who had been given responsibility for a newly acquired business was ignoring it. Its issues, including the loss of key employees, went unaddressed. This was because his goals and objectives for the year had not been updated to include the performance of the acquisition. I spoke to the CEO.
  • The CEO was not only bullying his direct reports, but was also setting them against each other. In at least one case, he gave two people the same task to see who would perform better. I talked to the chair of the audit committee.
  • One of the operations centers at the refinery had posters of nearly nude women on its wall. I spoke to the refinery manager.
  • A manager told one of my team that her manager was discriminating against her. I spoke to the HR Director and asked him to investigate.
  • My team found that a finance director didn’t trust his team just because none were CPAs. I spoke to the business unit CFO.

So my answer to the question above is that I would not audit either “organizational behavior” or “culture.” But I would perform “safe” audits like those I listed, where justified by the level of enterprise risk.

For everything else, my team and I would quietly monitor actual behavior against what we believed was desired by the board and top management.

Where there were indications of inappropriate behavior or an undesirable “culture,” I would talk to, and especially listen to, people to get a better understanding of what is happening and why. It would not be an official “audit.”

I might partner with Legal and HR, especially with HR, to conduct a survey or selected interviews to understand whether there was a problem and what needed to be done about it.

Maybe I could get Legal or HR to investigate. 

If there was sufficient evidence, I (or HR/Legal) would discuss the underlying issues with the appropriate level of management. 

You don’t need an audit to discuss issues with management and drive action. In one way or another, I would address the risk.

About the Author
Norman Marks

Norman Marks, CPA, CRMA is an evangelist for “better run business,” focusing on corporate governance, risk management, internal audit, enterprise performance, and the value of information. He is also a mentor to individuals and organizations around the world and the author of World-Class Risk Management, and he publishes regularly on his own blog.

Main image: Houcine Ncib | unsplash