Manifold Conceptions of the Internal Auditing of Risk Culture in the Financial Sector

This exploratory study investigates the manifold conceptions of the internal auditing (IA) of risk culture prevalent among four influential actors of the financial sector—regulators, normalizers, consultants, and implementers. By inductive analysis of 20 interviews and 295 documents, we illustrate a two-step interpretive scheme utilized by the four actors in their IA approaches of risk culture: defining broad goals and designing visibility schemes. The visibility schemes were tied to the demarcation, measurement, as well as the IA data collection techniques of risk culture. Our results indicate two dichotomous interpretations among the four actors concerning the IA of risk culture. The first interpretation, prevalent among regulators and implementers, promotes the control of risk culture primarily through verification. The second interpretation, adopted by consultants and normalizers, promotes the control of risk culture by IA along with the empowerment of employees through training programs. Our results not only contribute to understanding IA expansions, specifically to non-tangible domains such as risk culture but also enrich the literature exploring the mechanisms different stakeholders utilize to shape weakly professionalized IA practices.