
Heads of Internal Audit Virtual Forum

28 July 2021

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised


Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

ESG future topics are being worked through. In the meantime, please have a read of the world view from Anthony Pugliese, President and CEO of IIA Global, in the latest issue of Audit & Risk magazine, which touches on this.

A new fraud forum will start in September. It is invitation only. Please contact me (Derek Jamieson) if you are interested in attending. You can reach me on email at

To say that the ongoing pandemic has tested the culture of all organisations over the last year or so would be something of an understatement. Culture is at the root of everything that happens in an organisation and can be the real differentiator for success or, indeed, for failure.

As we come out of the pandemic, culture is likely to be reviewed as for many organisations there will be change ahead. It is in this context that we welcome Sandro Boeri, Head of Staff Development and Culture Assessments at Deutsche Bank.

Key takeaways 

Q. Why do human beings not do the logical thing?

A. Because they are like grown-up teenagers, they don’t always do as they are told.
Systems and machines are operated by human beings – and we are frail and unpredictable.
As internal auditors, we have two options a) ignore this fact or b) make efforts to learn about it.

Delegates were asked to select elements of the following framework for discussion.


Pressure points

  • Internal auditors are not always courageous.
  • Rooting our work on traditional themes makes auditing culture easier. Here are three examples.
    • Recruitment: Who we let into an organisation has a big impact on culture. Auditing recruitment is familiar. Do you audit how a candidate’s values are assessed?
    • Training: How does an organisation persuade people to behave in the way that’s desired? Auditing the design and uptake of training is familiar. How does an organisation create a hearts and minds connection with the subject matter? Do you audit the behavioural change and the impact of the training?
    • Consequences: How does an organisation deter or encourage people to behave? In other words, these are control processes that impact promotions, rewards, disciplinaries, etc. Audit the design of the consequence management framework.

Measure culture

  • Internal auditors are more comfortable with auditing risk culture than culture.
  • It is a similar concept.
  • A grading system (RAG) is common but can have adverse consequences like any rating system.
  • During most risk-based audits at Deutsche Bank, we ask questions about risk management to demonstrate awareness, that controls have been put in place and silos are avoided, and that attempts have been made to do xyz.
  • Understand what tone at the top is desired, how it is communicated and how it relates to the organisation’s values, then evaluate how it has landed. Triangulate information: interviews, focus groups, surveys, external audit and regulator findings. What does the data tell you?
  • IIA Australia published a good document on Auditing risk culture.
  • The competing values framework is a powerful tool to use. It can lead to good discussion on what culture is needed and what transformation is required to achieve it. A simple questionnaire can be useful.

Team culture

  • There are team cultures and individualistic cultures – it is not internal audit’s role to say which is best.
  • Ask open questions about ‘what if’ and look at the consequences of actions.
  • Internal audit’s role is to provide assurance that even risky strategies are being managed.
  • What are the controls in place to encourage the desired culture and discourage the alternative?

Cultural risk management framework

  • You asked if I’ve seen one – no, but I have seen elements of one.
  1. Does your organisation measure the behaviours it sees?
  2. Does the organisation's strategy also articulate the behaviours that are needed to be successful?
  3. Is there a cultural transformation programme that's explicit on what needs to change and how that change is encouraged?
  • Think about your own organisation - is there anything that looks like any of these? 

Institute's comments

Auditing culture can be quite daunting. Breaking it down as Sandro has done is a really useful way to tackle it in bitesize chunks. In addition to auditing risk culture, our recent thought leadership report Mind the Gap looks at auditing cyber culture. This can help you build confidence to then look more holistically at the topic while adding value by looking at areas of high risk.

We are working with the FRC on a culture project as part of the review of the UK Corporate Governance Code. As part of this, we have run a poll to help inform their work (please scroll down for the results of that poll). 

Chair's closing comments

The challenges facing internal auditors and particularly chief audit executives in difficult conversations often come down to culture. We will invite Sandro to join us again to explore more on this topic.

At our next session on 18 August, we will deliver an open discussion on the Institute’s response to the BEIS white paper: Restoring trust in audit and corporate governance. There is also a Local Authority forum on 25 August on fraud.

Please contact me, Derek Jamieson, if you are interested in sharing your experiences on a particular topic with this forum. There is real benefit in sharing as collaboration helps us all to develop and improve. My email address is:        

Chat box comment

If helpful, here are some of the entry points we have used (or heavily lobbied for!) to drive cultural assessments in our organisation.

These are:

  • Clarity over strategy, goals and priorities
  • Accountability and performance management
  • Organisational decision-making and communication
  • Organisational values – reward and consequence
  • Organisational action on culture information (organisational staff surveys, incident management i.e. whistleblowing)
  • Management of mission-critical risks – risk culture.

Poll results