Introduction: The Controls That Matter Most Are Rarely Written Down
Every organization has two systems of control.
The first is visible: policies, procedures, approval matrices, delegated authority limits, codes of conduct, and formal reporting lines. These are documented, auditable, and familiar to internal auditors.
The second system is invisible—but often more powerful.
It consists of unwritten rules, informal norms, tacit understandings, and shared assumptions about how things really get done. These informal controls shape behavior long before formal controls are applied—and often determine whether formal controls are respected, bypassed, or quietly neutralized.
Most control failures do not begin with broken policies.
They begin when informal rules overpower formal ones.
Yet traditional audit approaches struggle to engage this invisible layer. As a result, auditors may certify control adequacy while missing the real drivers of risk.
In today’s organizations, auditing what is written is no longer enough.
Auditing what is lived is where insight begins.
Why Informal Controls Matter More Than We Admit
Informal controls emerge naturally in response to pressure.
When targets are aggressive, people adapt.
When systems are slow, workarounds form.
When leadership behavior sends mixed signals, norms adjust accordingly.
Over time, these adaptations harden into shared expectations:
- “We escalate later, not immediately.”
- “This approval is a formality.”
- “That policy only applies during audits.”
- “Speed matters more than documentation here.”
These are not acts of misconduct. They are adaptive behaviors—often created to keep the organization functioning under real-world constraints.
But when informal rules drift too far from formal design, they create:
- Control blind spots
- Cultural normalization of deviation
- False assurance
- Systemic risk accumulation
Ignoring them does not make risk disappear. It simply moves it underground.
Why Traditional Audits Miss Informal Controls
1. They Audit Artifacts, Not Behavior
Most audit programs focus on evidence:
- Signed approvals
- Completed checklists
- System logs
- Policy acknowledgements
These artifacts show what should have happened, not how decisions were actually made.
Informal controls live in conversations, timing choices, silence, escalation thresholds, and “common sense” judgments—areas rarely captured in audit files.
2. They Treat Deviations as Exceptions, Not Signals
Isolated deviations are often written off as:
- Human error
- Capacity issues
- One-off anomalies
But informal controls reveal themselves through patterns, not incidents. Repeated small deviations point to an alternative operating logic that deserves scrutiny.
3. They Over-Rely on Management Narratives
Formal interviews tend to produce rehearsed explanations aligned with policy. Insight emerges only when auditors look beyond official stories to understand:
- Pressure points
- Incentives
- Informal hierarchies
- What people believe is expected, not stated
Without this, audits risk validating appearances rather than reality.
What It Means to Audit Informal Controls
Auditing informal controls does not mean abandoning rigor.
It means expanding the definition of evidence.
1. Shifting from Process Mapping to Behavior Mapping
Beyond documenting workflows, auditors ask:
- Where do people pause, rush, or bypass steps?
- Which controls are viewed as critical—and which as symbolic?
- Where does judgment replace rule-following?
This reveals the real control environment.
2. Treating Conversations as Data
Informal insights often surface through:
- Repeated phrases across interviews
- Shared justifications
- Common frustrations
- Similar workarounds across departments
When multiple voices echo the same logic, an unwritten rule is at work.
3. Identifying Cultural Enforcement Mechanisms
Informal controls are enforced socially:
- Praise or punishment
- Inclusion or exclusion
- Career advancement or stagnation
Auditors who observe how behavior is rewarded or discouraged gain powerful insight into the true control system.
4. Connecting Informal Norms to Risk Outcomes
The goal is not to criticize culture—but to translate informal behavior into risk implications:
- How do these norms affect compliance?
- Where do they increase exposure?
- When do they undermine governance intent?
Executives respond when auditors make these links explicit.
What This Looks Like in Practice
In a regional service organization, audits consistently found timely approvals and documented compliance. Yet project overruns persisted.
Behavioral analysis revealed an unwritten rule: approvals were routinely backdated to avoid escalation. The formal control existed—but the informal control neutralized it.
In a financial institution, credit policies were robust. But interviews revealed a shared understanding that certain client segments received “flexibility” during peak growth periods. This norm was never documented—yet it shaped risk exposure more than any written policy.
In both cases, risk did not arise from lack of controls—but from misalignment between formal design and lived reality.
The Auditor’s Dilemma—and Opportunity
Auditing informal controls requires courage.
These findings are often:
- Sensitive
- Politically charged
- Harder to evidence
- Uncomfortable to raise
Yet this is where internal audit becomes indispensable.
By surfacing unwritten rules, auditors:
- Prevent normalization of deviance
- Restore integrity between policy and practice
- Help leadership realign culture with intent
This is not cultural policing.
It is governance in its most mature form.
Conclusion: Governance Lives Between the Lines
Organizations are not governed solely by what they write down—but by what they tolerate, reward, and repeat.
Internal audit that ignores informal controls audits only half the system.
The future of the profession belongs to auditors who can:
- Listen beyond documents
- See beyond compliance
- Interpret behavior as risk intelligence
When internal audit learns to audit the unwritten, it stops being surprised by failure—and starts preventing it.
Our Commitment at AfriAudit
AfriAudit is more than a newsletter. It is a continent-wide campaign to elevate internal audit from silence to influence—from compliance to contribution.
We exist to:
- Equip auditors with a modern, courageous audit mindset
- Position audit functions as value drivers, not cost centers
- Build bridges between audit professionals and executive leadership
- Restore trust in institutions through transparency and strategic oversight
We believe that when audit thinks deeply, speaks clearly, and acts bravely—organizations transform.
And Africa wins.
With clarity and commitment,
Titus Wambua
Chief Audit Executive | Governance Advisor | Founder, AfriAudit
Turning internal audit into a boardroom asset—one institution at a time.