Internal Audit’s expanding role in cultural oversight

April 08, 2025

Traditionally, Internal Audit focused on financial controls and operational risks. Today, its mandate extends to evaluating corporate culture, ensuring governance structures support ethical behaviour, and identifying conduct risks.

The Global Internal Audit Standard calls for auditors to assess whether an organisation’s culture aligns with its ethics and values. It states that internal auditors must recognise and report conduct inconsistent with organisational ethics while promoting an ethics-based culture. Increasingly, stakeholders such as the Board, Audit Committee, and regulators expect Internal Audit to provide cultural assurance. The value that Internal Audit can bring is clear:

Responsive Stylized List

1. Providing comfort to the Audit Committee and the Board
2. Understanding of the culture across the organisation and within groups/teams/pockets
3. Knowledge of practices across the organisation gained through ongoing internal audit reviews
4. Ability to understand cultural and behavioural root causes
5. Being independent of the business

Despite this emphasis on culture, a 2016 IIA survey revealed a significant gap: many organisations lacked structured cultural assurance, leading to the critical question:

How is your Board getting assurance over the culture within the organisation?

The survey was sent to around 900 Heads of Internal Audit, with approximately 220 responses. The results were as follows:

A Structured Approach to Auditing Culture

To effectively audit culture, organisations can apply the Three Lines Model:

This line consists of the functions within the organisation responsible for directly managing and owning risks. It includes operational management and staff who are involved in day-to-day activities that generate, assess, and manage risks inherent in their activities.
The first line is responsible for identifying and assessing risks, implementing controls to mitigate those risks, and monitoring the effectiveness of those controls.
From a cultural context the first line is responsible for setting, communicating, and modeling the organisations desired values and conduct.

The second line includes risk management, compliance, and internal control functions.
The primary role of the second line is to provide oversight and guidance to the first line to ensure that risks are managed effectively and in accordance with the organisation's policies, procedures, and regulations.
From a cultural context the second line would be tasked with developing ethics programs, monitors culture-related risks and compliance with culture-related policies and procedures, and provides advice to the first line.

The third line refers to the internal audit function of the organisation.
It also evaluates and assesses the effectiveness of the first and second lines. It examines whether risks are being managed appropriately and whether controls are effective in mitigating those risks.
From a cultural context the third line's role is to evaluate adherence to the organisation’s stated and expected standards and assess whether the corporate culture supports the organisation’s purpose, strategy, and business model. Internal audit assesses the overall culture and identifies areas where the culture is weak.

Culture is a powerful force—either a driver of success or a catalyst for risk. Auditing culture isn’t about box-ticking; it’s about ensuring that an organisation’s values aren’t just words on a page but a lived reality. By proactively assessing cultural risks, Internal Audit can provide the Board and leadership with the insights needed to build a stronger, more ethical, and ultimately, more successful organisation.

This article is the second from a series of three. The first article gave a generic overview of the auditing corporate culture and ethics, while the upcoming article will look into effective approaches and practical steps for auditing culture.

Reference: Auditing Culture, 2^nd Edition, Global Practice Guide

Explore more publications

Contact us

Bonavent Gauci

Advisory Partner, PwC Malta

Tel: +356 2564 7090

Vyas Isnoo

Senior Manager, Advisory, PwC Malta

Tel: +356 7975 6979

Today's Issues Services Sectors Insights Careers About us Site map

© 2019 - 2025 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.