AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Heads of Internal Audit Virtual Forum

16 September 2020

Please note:

  • All Institute responses are boxed and highlighted blue.
  • Where the chair comments in that capacity, this box is highlighted in yellow.
  • Comments from the President/CEO of IIA Global are highlighted in heather.
  • For confidentiality, the identities of all delegates/attendees are anonymised.

Chair’s comments

Thank you for joining what looks like being a particularly interesting session on culture today, the fourth of the series leading up to the end of the year.   

We have the pleasure of welcoming today Richard Chambers, President/CEO of IIA Global, who will be answering some questions towards the end of the session. 

We have previously talked about data analytics - a brief update on this will be provided at the end of the session today. 

It is the Institute’s belief that culture is critical whether in a crisis or not, but it is particularly critical in a crisis. It is at the root of an organisation’s existence and something that your team or organisation holds onto as an anchor.

It is an important subject to the Institute: it is in our Standards and it is in our Internal Audit Codes of Practice. In the FS Code, particularly, it is seen as good practice now (in many organisations it is standard practice), and in financial services it is minimum practice.

In the words of Peter Drucker: “Culture eats strategy for breakfast.”

Today’s speakers will talk about internal audit’s work on culture from their own perspective within their internal audit activities.

The three questions that will be asked today are:

  • What are the key challenges you have experienced in initiating the review?
  • What was your approach to the review?
  • What value has this derived/is this deriving for the organisation?


Suzanne Clark – Head of Internal Audit, Yorkshire Building Society and Non-executive Director for Leeds Teaching Hospital’s Trust

Chris Miller – Group Director of Internal Audit, Royal London

Reflections/Key takeaways

This is a challenging topic – It is a topic we are still trying to get to grips with. There are various approaches that can be adopted to tackling the topic, and there is no single best route. Deciding which approach to take and how to shape the approach will depend on the organisation and what works best for them.

Tone at the top – Does anyone actually feed back to the board to ensure that the tone at the top is being delivered? Board members need to know whether the culture is just words on a wall or whether the organisation is living these values. 

Where to start 

  • The organisation's purpose, strategy, and values.
  • Internal audit must have a view of what the organisation's culture is. 


  • Looking at how consistently the values and behaviours prescribed were applied, the communication of those values and behaviours, and the appropriateness of the escalation of the feedback channels. 
  • Blending different approaches together, layering through one another and intentionally not calling this an audit. This is a strength and culture study and the objective of it is to provide practical insights and recommendations to help the board sustain, protect and develop the company’s culture. There are merits and limitations of every approach and this layering is an attempt to try and deal with things like bias and limitations. 

Resources – Are the capabilities to undertake the work available with the in-house resource or could it be done through partnering eg universities, psychologists, or outsourcing? 

Outdated views – On the areas of work undertaken by internal audit. 

Sector expectations – Regulators and what their expectations are in relation to the culture of organisations. 

Time taken – Shaping the review as it is quite a challenging and complex subject to unpack. Along with providing the necessary resource and focus to do justice to the audit. As well as consulting with internal and external stakeholders.

Academic perspective – Time invested by one organisation talking to researchers at different business schools who have reviewed a range of literature. The consequence of that is that internal audit has a far richer grasp of the subject matter, which was important in building credibility with stakeholders.

Change in mindset – Quite a bit of time has been spent wrestling with ambiguity and uncertainty as we naturally like to look at things in black and white and as effective or ineffective.

Planning  Through diligent planning, upfront investment has resulted in a very robust plan that serves as a compass in how to navigate on the journey. The path is not exactly known as to the delivery of the project or what the outcome is going to be. But there is a sense of being comfortable with that ambiguity.

Tools used – These are some of the tools that have been used during audits: surveys, focus groups (including virtual focus groups where larger numbers can attend), in-depth interviews, scenario planning built in conjunction with the business unit.


  • Through partnering arrangements and use of a model obtained, provided an understanding of regression testing and the statistical information shared. Linking to high performance organisations provided a good understanding and the confidence that would give us. This will give us a different set of insights to help inform our discussions when we report our results. 
  • Using the richness of internal data indicators that are available, which often flag red or amber warnings when you look at them. 

Output and feedback The output from the range of tools used has resulted in some really rich themes coming out which are being shared with the board. They are finding that this information is something that they are not getting from anywhere else in the organisation. Incorporating the findings into a workforce plan and then supporting some of the individuals who had been identified with coaching. 

Reporting – As previously said, one size does not fit all. In some cases, a full audit report with agreed management actions may be produced. 

For other organisations, the report may not necessarily be the standard audit report, for example it may not be rated or for any comment to say whether the culture is wrong or right. Providing access to the report to the entire function, not just to the leadership team, is helpful. 

Institute's comments

I think culture is a journey and it will be for some time. Going back beyond 2013 and talking at audit committees in the early 2000’s about culture, whether it was appropriate, was it a role for internal audit were frequent discussions. At that time, the view was: this is very much a HR role rather than something for internal audit. Since then, the journey has progressed: significant corporate collapses and the financial crisis lead to the FS Code that included culture, but we are still moving forward. There is more to do!

I am delighted to hear that people are auditing culture. I think that if you wind the clock back even two years, there would have been less people talking about auditing culture than there are today. We are moving forward, and we are getting to a better place in terms of organisational culture reviews. Internal auditors have often started the journey by undertaking a review of the risk culture in their organisation, something they are more familiar with.

The whole concept of organisational culture, the message set by the board, how this is cascaded down through the organisation is absolutely key. It is going to become more important. I was reading a publication from the regulators last week. They are talking about using culture as an indicator as to whether organisations are conforming with a variety of things, including equality, diversity and inclusion. As a result, organisations are going to be looking more to internal audit to undertake work in this area. 

IIA Global’s guidance has been highlighted in the chat box on auditing culture, the Institute has also produced guidance on this subject, so whether you look at IIA Global’s publication or the Chartered IIA’s there is information out there to help you, as well as the conversation today to get you where you need to be.


President/CEO of the IIA comments

Culture is a topic that I have been speaking regularly on since 2013. I have done a presentation over a number of years on the subject, which has continued to evolve, and I think I have finally made it a chapter in one of my books. The title of the presentation is: ‘When Culture is the Culprit’. When you look at any number of scandals or debacles anywhere around the world, you start to peel back or look at the root cause, you will find that something has been going on in the culture of that organisation.

I previously gave a speech to a group of board of director chairs' in some big publicly traded companies, on internal audit's role in culture. One person stood up, and I share this because it is one of the most insightful thoughts that I have come across with regard to internal audit and auditing culture. They said: “you know, I’ve listened to your remarks about auditing culture and I would offer this observation: as auditors, you are normally relying on your senses of sight and of hearing.” If we are evaluating evidence, we are looking at documentation, we are listening to testimonial evidence or interviews., But then they said: “to audit culture you must also employ your sense of smell.” I thought it was particularly astute because I think what they were trying to say is: don’t rely on what you see and even what you hear when it comes to looking at culture, because a toxic culture often looks okay on the surface, and often everyone saying the right things. But, as an auditor, you have to use the scepticism to employ all of your senses.

It has been a while since I was a CAE. When I led internal audit departments, we were always looking at the tone at the top, so I feel like we were looking at culture. But if I were auditing today and looking at the cases that I alluded to earlier, and many others, the one common thread that seems to run through these corporate debacles was that culture was the culprit.

What got measured was what got done and if you have corporate values, one place to start to look at what the culture of that organisation is really like and what your real risks are: are the executives, the employees and the company being measured in terms of their performance against those values or do the ends justify the means. All too often, in these corporate debacles the ends justify the means.

I think internal audit has a very important role to play. I don’t advocate that internal audit can do an enterprise wide review of culture, I think that we start by looking at culture in every audit we undertake, and that is where we can really start to expose the kinds of things I was talking about. If I am doing an audit in the contracting department of the company, I will want to make sure that those contracting officers and the people who are handling and managing the contracts, that what are they measuring and doing are the right things. If you are mature and sophisticated enough as an audit department to take an enterprise wide look at culture great, but you can certainly work your way up to it by addressing culture in every audit, and then what you can begin to do, as you see a cultural problem in one audit and then see it replicating somewhere else is to connect the dots and draw a picture for management and the board on the culture.

The following question was raised:  Some time ago (in 2014 to be precise) you said that we need to do auditing "at the speed of risk”. Now, when the velocity of risk impacts have increased tremendously, do you have any thoughts about advice given back then?

I have been writing a lot about this. I have been talking about auditing at the speed of risk for a number of years (my last book was called ‘Auditng at the Speed of Risk’) and honestly, the velocity of risk, I don’t think has ever been more dynamic than it is in 2020. 

So, really, we have to be agile, I know there is a lot that has been written about agile auditing. I have always been more inclined to talk about small ‘a’, agile mindset than formal big ‘A’ agile auditing. We need to be agile in this environment, working out how we get our audits done quickly and appropriately, so that we can get results in people’s hands. 

The risk profile in some organisation’s is changing almost weekly depending on what the latest news is, coronavirus, health trends, fiscal and economic matters, the dynamic nature of the risk that we are dealing with today has never made a more compelling case than to be able to audit in a more agile manner and get results out quickly. 

If I am taking three, four, five weeks to get an audit report out, and that is fast for some audit departments, my guess is that there is a completely different set of risks the organisation is facing when I hand someone an audit report. They are then going to say: that would have been helpful five weeks ago but today this is my problem. So, auditing at the speed of risk is a very critical imperative for 2020. 


Chair’s comments

Culture is still a journey, we have said that many times already, I suspect we might want to include this on our agenda in the new year and possibly specific aspects of culture.

For those who have not had questions answered this afternoon, I will follow up with you individually.

I have been talking to an organisation as to how we can go forward with data, following the session a few weeks ago on data analytics. We are looking to create a small group to look at how we take this subject forward, I have had some interest from those wishing to participate in the group. We will be meeting as a group initially, before Christmas to decide how we move forward for the benefit of helping everyone who is interested in the subject; formulating a plan, and then sharing this. If anyone is interested in participating in the group, please contact me at

Our next meeting will be on the 7th October and the subject will be Risk in Focus. 

The report on Risk in Focus 2021 is due out on 22nd September. I recently recorded a Talk to Internal Audit live stream on Risk in Focus 2020, with Liz Sandwith, Chief Professional Practices Advisor, looking back at the findings from last year's report. You can watch this live stream on the Institute's Facebook channel. Liz and I will shortly be doing a follow-up live stream on Risk in Focus 2021 - keep an eye out for that on Facebook.

Thank you for joining today. If there are more subjects you would like to add to the agenda, please contact me.