
Heads of Internal Audit Virtual Forum

05 April 2023

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised


Chair opening comments | Derek Jamieson | Regional Director, Chartered IIA UK and Ireland

 It’s been 10 years since the first Internal Audit Code of Practice was published, initially for financial services and subsequently for other sectors, requiring internal auditors to audit risk and control culture. Since then, there have been numerous scandals across all sectors. The environmental changes in the last few years alone - economy, covid, hybrid working - all impact on people and ultimately, behaviour and culture.

Today’s forum is a panel session designed to provoke and inspire on the topic of auditing culture:
Emily Daniels (ED) Director at Deloitte UK
Nicholas Crapp (NC) former CAE NatWest Bank now consultant with Grant Thornton
Sandro Boeri (SB) Group Audit Co-Head of People Enablement & Head of Culture Assessment, Deutsche Bank

Results of poll questions

Are you providing meaningful culture assurance?

Yes 37% 

No 63%

Should culture be in scope for internal audit?

Yes 97% 

No 3%


Key Takeaways

1. Why should we audit culture? What’s the point?


  • We all care about the profession – it could become irrelevant if we continue to report on the outcomes of our work such as failing processes and controls – if we don’t engage with culture we are missing an opportunity to identify one of the main root causes of the issues we identify.
  • We need to give insight into why people behave as they do.
  • Auditing culture makes internal audit valuable.
  • From a culture perspective, at the moment audit functions are too often auditing the box, not the software. We need to get into it, to understand human behaviour and behavioural science, the dynamics of emotional intelligence. As internal auditors we need to be able to triangulate data from a variety of sources; it’s not as simple as doing a survey or an interview.


  • Back in 2013, I worked with a progressive audit committee chair and we needed to quickly get our heads around culture.
  • Wanted to get around the word ‘culture’, looking around at the problems within the financial services sectors it was clear that it was about behaviours, I met with an organisational psychologist and so the behavioural risk team was born.
  • Identified issues such as potential mis-selling due to the nature of incentives and flawed data that was used for performance metrics due to how the data was captured.


  • If we don’t look at root cause and keep focusing on the findings (symptoms) we’re missing a trick.
  • Need to look at the whole picture, there is typically a link back to culture/behavioural risk.
  • If we don’t call this out, organisations miss the opportunity for meaningful change.
  • If someone has high emotional intelligence, an ability to think deeply and join the dots – they can bring value – an internal auditor doesn’t have to be an occupational psychologist.

2. With all the changes taking place in the last few years (e.g. hybrid, flexible or condensed hours working) culture is probably better anyway, so what’s the issue?


  • The question for internal auditors is what has changed culturally or behaviourally in your organisation, what do you see happening and how might these impact in the long term?
  • I would challenge, how many of the organisations that have increased flexible working post pandemic and reduced office space have actually performed a risk assessment rather than assume that it will work post pandemic as it did during lockdowns.
  • I would argue that the ‘wartime spirit’ is no longer in place, there is less cohesion as people join and junior staff are losing out on in situ mentoring/learning and therefore developing slower.
  • Some organisations are likely to face significant consequences in about five years.


  • If teams are not in the office how do good cultures develop – sitting alongside colleagues, overhearing interactions, informal coaching conversations, promoting positive values – how does this happen virtually?


  • I talked to my GenZ children about this as I am conscious about being a dinosaur. There are ways that GenZ use digital platforms for social interactions.
  • Organisations need to get cleverer at getting people into offices while respecting hybrid – using the in office time to get across the cultural messages that need to be effected.

3. Even if it is a requirement, how can we (internal auditors) be expected to audit culture?


  • Be aware of the big picture, look at audit opinions across the year(s), have exposure to senior people and think about the data – how does it tie together – think deeper about the information.
  • Start with adding a paragraph into an opinion, progress to a culture audit, then add to all engagements with a rating or comment.
  • At the more mature end of the spectrum, good use is made of continuous monitoring, data analytics, and behavioural scientists.
  • First point is to step back and think.


  • Some controls routinely audited that enable management of behavioural risk – such as
    • recruitment controls prevent or enable us to employ specific types of people who will impact culture
    • how training is communicated, organised and delivered
    • how do we apply reward schemes and promotions – are they aligned with values and behaviours we want to see
  • At a basic level all internal auditors are engaged in auditing culture – recognising the routine controls is a first step before thinking about cultural frameworks etc


  • I asked an occupational psychologist about root causes that drive poor behaviours – naturally discover these in audit work and need to ask what impact it could have and look for evidence
    • Assumed roles and responsibilities.
    • Hard targets/scorecards – unintended consequences of exclusive focus.
    • Misaligned lines of defence
    • Perceived unfairness

View from the Institute

 As internal auditors we need to get better at this. Chief audit executives should be using their closed meetings with the audit committee wisely to raise concerns about toxic individuals. And perhaps we should be talking less about culture and more about behavioural risk.


Chair closing comments

We will come back to this topic. Today is a beginning. We all need to step up and support each other to be more comfortable with providing assurance on this subject.

Our next meeting on 10th May will focus on Strategic Change. What are HIAs doing to understand strategy and strategic change within their organisation, particularly in relation to the change in culture which could result? How are we auditing change and its links to strategy?

Chat comments including Q&A

Comment | Isn't there a real difficulty that culture usually starts from the top, so auditing culture is really like auditing the C-suite behaviours?

NC | Culturally toxic people can be at any level; there can be pockets of behavioural risk where there’s a good board, and also where there’s an issue with a board member. Need to look at the pockets.

ED | What is the relationship with the audit committee chair? Key to landing difficult messages. Internal audit needs an advocate at audit committee to spark debate and have a safe conversation.

SB | The clock is ticking; internal audit cannot wait for the audit committee to be ready to sponsor a culture audit. Chief audit executives need to introduce it via the back door, call it something different - put it in a different wrapper to make it work - criticising people at the top needs an act of courage.

Comment | How do you assist an organisation who you know has a cultural issue when you are aware that the cause is right at the top or within the senior management, but this is not accepted by these individuals?

SB | When delivering a difficult message to powerful people, read the room, think carefully about language, be political, use allies to influence.

NC | Like all other audits, you need concrete evidence to support opinion. Difficult conversations are part of auditing.

Comment | Challenging at the top is difficult but important and can be more positive than you expect; a Director of Governance who was causing harm to an organisation I worked in was moved out of the role on the back of the conversation I had with the Audit Committee (with no officials present) and then a discussion with the CEO about my assurance opinion.

Comment | We did a first attempt at auditing culture - it was difficult to scope and we looked at the controls in place within the organisation that are there to influence culture and we had a number of interviews with management to develop some insights and observations. It wasn't easy - I think the benefit for me was putting it on the board and ARAC radar and reminding them of the importance of culture and their role in influencing it.

Comment | Our first attempt at a standalone culture audit was challenging to scope. We ended up using a hybrid of McKinsey's 7S and the Lloyd's culture tool kit alongside the firm's values to build a scope. It has been more challenging to build into individual audits, which is the stage we are at.

Comment | Root cause is fundamental surely?!

Comment | All colleagues have access "on the whole" to manage procedures, pay slips and internal comms via their own device. There is also no direct link from remuneration to results. However, I am sure that it is one measure of performance and therefore the key thing to look out for is return rate, as certain colleagues may get "missed". 

Comment | Working across government, I sense an increasing interest in and demand for internal audit work in the areas of organisational design and culture, but this demand is primarily for advisory input / sharing of insights as to what other government departments are doing rather than audit opinions.

Comment | I think one has to be mindful about sensitively reporting "culture issues" that are deeply embedded or inherent within an organisation - outlining the benefits and dis-benefits and root causes of the issues - and how the benefits can be grown. For example a culture clash between two groups within an organisation.

Comment | If we talk about behaviour, there is a link in the draft Global Internal Audit Standards.

Comment | There has been such focus on culture post-COVID, are we finding that people are starting to suffer from culture focus fatigue?

Comment | Commenting on controls is less emotive than commenting on a person's / group's behaviours.

Comment | Although you can review whether certain mechanisms and frameworks exist in a business to set and monitor an appropriate culture, getting to the truth can be really challenging.

Comment | Is there a risk that we might marginalise those who can easily come into the office 1 or 2 days per week versus those who have changed their working practices perhaps moved further away from the office and what might the impact of this be on the organisation?

Response | Is there not also a risk that in doing so, these people have marginalised themselves from being part of / or shaping the culture?

Response | I think it is hard for new starters, but I am not sure this has changed much. "Head Offices" and their geographical locations have always been more accessible for some over others. 

Comment | Hybrid is a challenge for organisations that are reliant on physical and less formal control environments, increased risk of reduced supervision etc

SB | Easier to defraud when not personalised, possibly increased in the world of virtual working.

NC | Possible that some people are still doing 2nd jobs while working remotely, might still be working hard but are they giving you contractual hours?

ED | Takeaway from this session shouldn’t be a war on working from home, it just introduces new risks and we need to be aware of that.

Comment | Another question is whether management information has kept pace with working practices - has it changed to be more outcome focused than input focused?

Comment | I don't think fraud risks have materially increased or decreased because of the post COVID ways of working, I think the risks have changed. And companies need to re-perform fraud risk assessments and adapt controls - and not rely on pre-COVID fraud risk assessments. 

Comment | My argument would not be against hybrid working (works for me!) but that robust controls, second and third lines are even more important post pandemic

Comment | Also, when decisions relating to overriding of controls, obtaining approval and ratification on overridings may end up in mere words that may be denied at a later date.

Comment | Remote work would reduce productivity to an extent where it reduced the focus and attention towards what you do - the workers could end up doing work being on vacation mode, like work from a holiday home extending his weekend to Monday & Tuesday as well.