Behavioural auditing


By Jan Otten – Founder of ACS and Partner at ACS Behavioural Auditing & Inge van der Meulen – Partner at ACS Behavioural Auditing


For a long time, studying behaviour in organisations was the domain of specialists in organisational and human behaviour, such as industrial and organisational psychologists, organisational sociologists and anthropologists.

However, in recent years, auditors and accountants have also become aware of the impact of human behaviour on governance and management issues in organisations. Culture and behaviour are now fully accepted as an audit object. How this object should be audited is an issue that is still under discussion within the profession. As outlined in a 2016 Chartered Institute of Internal Auditors’ (IIA) report, auditors and accountants are struggling with this issue.[1] In this article, we introduce behavioural auditing as a tried and tested new approach to gain insight into relevant cultural and behavioural issues in organisations on the basis of solid research.

Culture and behaviour

Auditors often describe culture as ‘the way we do things around here’. The aforementioned IIA report also uses this definition, which was formulated for the first time by Dean and Kennedy in 1982. The behavioural auditing definition of culture and behaviour is slightly different and is inspired by Geert Hofstede. In his famous study of the Shell company culture, Hofstede states that culture is the ‘collective mental programming’ of a group of people.[2] Mental programmes are developed over a lifetime. They are learned by education, social environment, professional training and personal experiences. They are not static and may change over time as a result of new insights and experiences. Mental programmes inspire people to do what they do and how they do it. Culture is, so to speak, the software of the mind. Hofstede’s definition is closely related to the concept ‘mental models’ as developed by Massachusetts Institute of Technology (MIT) researchers, such as Senge, Argyris and Schein.[3] Both concepts are very useful because they focus our attention not only on actual behaviour but also on behavioural drivers.

Many organisations use values as a shorthand for culture. Board and senior management are primarily responsible for defining these values and promoting them into the organisation in order to create a ‘healthy’ or ‘just’ culture. But culture is about more than values. Auditors, for instance, must be careful to distinguish between ‘espoused’ values and ‘lived’ values. Argyris concepts of ‘theory espoused’ and ‘theory in use’ define the difference between the two. ‘Theory espoused’ is what people will tell you about their values and what they feel is important when you ask them. ‘Theory in use’ is what really drives them and reveals their mental models. Argyris stated that although people do not (always) behave congruently with their espoused theories (what they say), they do behave congruently with their theories-in-use, their mental models.[4] Behavioural auditing focusses on the mental models and perceptions that drive organisational members’ behaviour.

Behavioural auditing control framework

A behavioural audit is carefully designed to obtain insight into organisational members’ behaviour, to report on the results and by doing so influencing the socio-psychological climate and the organisational culture. These topics, as such, are not new to auditors. New are their framing in a separate audit discipline, based on new concepts and a different research methodology, techniques and automated support. Behavioural auditing combines theory and research methods from the behavioural and social-cultural sciences in a way that is new to the professional field.

“A behavioural audit is carefully designed to obtain insight into organisational members’ behaviour, to report on the results and by doing so influencing the socio-psychological climate and the organisational culture”

Before discussing the behavioural audit approach in more depth, we need to explain our view on behaviour, culture and behaviour related control issues. Auditors like to use concepts such as ‘hard’ and ‘soft’ controls to indicate the difference between behavioural control measures. Soft controls is usually understood to mean the intangible behavioural factors in an organisation that are important for achieving the organisation’s objectives. This is in contrast to the so-called hard controls. A clear definition, however, is missing. For one author, soft controls are ‘intangible, difficult-to-objectify motives for behaviour’. Others describe soft controls as ‘measures that affect, for instance, the motivation, loyalty, integrity, inspiration, and norms and values of employees’. Other authors do not even attempt to define the concept and assume that by now, everyone knows the difference between hard and soft controls. Apart from the confusion that exists regarding the meaning of the concept soft control, it simply does not make sense to talk about control in relation to terms such as informal, subjective and intangible. Instead of hard and soft controls, we prefer to talk about ‘physical’ and ‘infrastructural’ controls.

Physical and infrastructural controls determine the playing field in which organisation members are deemed to carry out their work. This playing field is created by physical measures, for example, locks on doors, access passes, admission controls and more advanced access systems. These are what we refer to as physical controls. The framework within which organisation members are supposed to act is furthermore determined by formal agreements, rules, procedures, and regulations. Influencing behaviour is also an important part of the leadership duties of board and managers. Together, all the formal agreements, procedures, rules, regulations, as well as the board’s and managers’ verbal or written expressions intended to influence organisational members’ behaviour, whether or not through official channels, we refer to as infrastructural controls. How organisation members actually behave and whether or not they will act within the physically and infrastructurally determined frameworks depends, of course, on the quality of these controls and the control framework as a whole. However, at least as important as the quality of the controls is how they are perceived.

Thanks to the MIT researchers we know that organisation members interpretation of what’s going on in their daily work environment and how they act has to do with their mental programming. These mental models reveal themselves in perceptions, images and assumptions about themselves, other people, their work, the leadership, the organisation, etc. In a behavioural audit, we want to find out how organisation members perceive the organisational environment and how they behave, based on those perceptions.

Behavioural audit methodology

Einstein once said that ‘not everything that counts can be counted and not everything that can be counted counts’. Perceptions and mental models cannot simply be quantified. Quantitative research methods therefore, are not suitable for the kind of research a behavioural audit requires. Qualitative research methods focus on experiences that cannot be counted. They uncover perceptions, behavioural drives and mental models and help us understand why people think what they are thinking and why they do what they are doing. We, therefore, prefer qualitative research methods for our behavioural audits.

Every audit, including the behavioural audit, must be relevant and urgent in the eyes of the (internal) client, be valid and reliable and carried out as efficiently as possible. In this article we cannot discuss every step of the behavioural audit process in detail. We will focus on the main differences between a ‘common’ audit and a behavioural audit (see Figure 1).

Behavioural auditing Ethical BoardroomDuring the preparation phase, auditors and (internal) client together identify preliminary relevant sensitising concepts for the research. Sensitising concepts serve as a guiding tool for the auditors during the fieldwork and give direction without prescribing the way. Shared values, ethical standards, responsibility, communication are some examples of frequently used concepts. Superficially, a set of sensitising concepts may look like a ‘normal’ frame of reference. But, even though the words may be the same, there is a big difference between sensitising concepts and the ‘classic’ frame of reference.

A frame of reference is fixed and provides pre-defined assessment criteria. These criteria reflect the auditor’s opinion of what is important and what should be measured. Sensitising concepts are preliminary. They reflect what the (internal) client and the auditors expect what might be important. Sensitising concepts can either be adapted or changed during the research, based on the auditees’ perceptions of what is important related to the audit question.

In a behavioural audit, the most relevant information is collected during in-depth interviews, or reflective conversations as we prefer to call them. Each interview starts with some noticeable results related to the audit question. How we do this and why this is done is explained elsewhere.[5] Advanced interview techniques combined with a strict interview protocol encourage auditees to reach the desired depth that will bring up their mental models and perceptions. Another important difference with a ‘classic’ audit is that in a behavioural audit we will never ask directly for information about sensitising concepts. But if auditees start talking about them spontaneously, we will invite them to dig deeper into the subject.

All interviews are recorded and fully transcribed. The transcriptions are analysed in three steps. During the first step, interview fragments that accord to the auditors’ opinion are related to the audit question are marked with a code. A code is a keyword or a brief description that characterises the content of the text fragment. In the second phase, related codes are grouped into themes or categories. These themes reflect what the audit team has found to be important in the collected material. Based on the research question, the audit team looks for connections and patterns in and between the clusters. This is the third step in the analysis. The point is to structure the findings in a meaningful way. During this process, the auditors gain an increased understanding of what is going on in the organisation.


After the data processing, the auditors know a lot about the audit subject. They can explain why certain things happened in the past and they can predict what will happen in the future if nothing is changed. But reporting on culture and behaviour may be a tricky thing. A report with findings about the tone at the top, for example, and a negative qualification by the auditor will usually trigger a lot of resistance. Many auditors, therefore, prefer to report only verbally, especially when they have to rely on their gut feeling. That is not what we want.

Behavioural auditing Ethical Boardroom
Effective behavioural audits can reveal how people feel about their organisation

A behavioural audit is a solid research project with a well-defined audit trail and we want acceptance of the results and, if necessary, the willingness to improve. We present the results of the analysis in a two-column format. One column is reserved for quotes from the interviews with the auditees. We order the material in such a way that an ongoing story is created. In the other column, this story is commented on by the auditors. The design is directly related to the purpose of this type of research. It is not about a uniformly formulated final judgment by the auditors. Instead, multiple perspectives are illustrated relating to relevant themes that were found in the research material. Statements by auditees that are displayed in the report are representative of how organisation members perceive the organisation and how they act accordingly.


The concept report is presented to the auditees during a validation workshop. It’s crucial for the auditors to make sure that auditees have the feeling that it’s about them and their daily work. In all cases, immediately after reading the report a lively dialogue starts about the meaning of the story and where improvements are necessary. Following the validation workshop the narrative report is converted into an audit report. We write down the findings of the analysis, supplemented with the dialogue of the validation workshop. We end with a conclusion that is consistent with the conclusion(s) of the participants in the validation workshop. All our audit reports so far have been accepted without any further discussion.


A behavioural audit is not about testing the operating effectiveness of a set of espoused company values. The narrative report is based on solid research and reveals the real issues in the organisation as perceived by organisation members. They accept the story in the report because it’s their own and it urges them to come into action. The findings in all the audit reports we produced later have never been contested.


About the Authors:

Behavioural auditing Ethical BoardroomJan Otten is founder and partner of ACS, and teacher at the post-initial programmes Internal Auditing & Advisory and IT-auditing & Advisory at the Erasmus University in Rotterdam. He is initiator and developer of Management Control Auditing and Behavioural Auditing.


Behavioural auditing Ethical BoardroomInge van der Meulen is partner at ACS Behavioural Auditing, and teacher at the post-initial programme for Internal/Operational Auditing at the Erasmus University in Rotterdam. She is initiator and developer of Behavioural Auditing.




1.See e.g. Organisational Culture – Evolving Approaches To Embedding And Assurance 2016.

2.Geert Hofstede; Culture’s Consequences, International Differences In Work-related Values, 1980.

3.Van der Meulen & Otten; E book Behavioural Auditing,

4.Chris Argyris; Overcoming Organizational Defenses, 1990.

5.See 3.