
Heads of Internal Audit Virtual Forum

6 April 2022

Please note:

  • All Institute responses are boxed and highlighted in blue
  • Where the chair comments in that capacity, the box is highlighted in yellow
  • For confidentiality, the identities of all delegates/attendees are anonymised


Chair: Derek Jamieson - Director of Regions, Chartered IIA
Institute: Liz Sandwith - Chief Professional Practices Advisor, Chartered IIA

Chair's opening comments

Our last session welcomed Stephen White, Interim CEO for Yorkshire BS who shared his views on the importance of internal audit and its evolving role. He was clear that we are a valuable and indeed critical service to the audit committee, the executive and the organisation overall.  

Stephen also emphasised the importance of culture and behaviours in the organisation and the need for IA to play its role in helping the organisation align its culture and behaviours to its strategic agenda and to the tone expected at the top.

Culture is a subject that has been on our agenda for a number of years now, not least since the launch of the FS Code in 2013, yet for many it is still a topic that we have yet to become comfortable with.

For some the subject is certainly on the agenda and is a fixture in the audit plan while for others it is not as clear. In some cases, the audit committee is not asking for coverage. In others, there is no desire from the executive. In others still, there is some discomfort within internal audit at addressing the subject.

We recently published a report on culture called Cultivating a Healthy Culture - Why internal audit and boards must take corporate culture more seriously in a post-Covid world. The report identified positive progress in the internal audit world but also highlighted the opportunity to do more.

In today’s session, we are going to share the views of four people on the content of the report. All have considerable experience in this area, have performed at HIA level, and have personal perspectives.

Key takeaways

Perceptions from our speakers on the subject of Culture

James Paterson, Director Risk AI, Former HIA for AstraZeneca / Trainer for Chartered IIA UK:

  • Firstly, the report is saying that everyone is getting engaged, so if you have a board that isn’t, you need to be looking at that as you will be the minority.
  • Culture is not a single risk and should not be considered in a silo. Rather, it has impacts on other business critical risks.
  • We need to ensure we think about this in terms of the Three Lines.
  • The report highlights the limitations of the use of culture surveys – self managed or via consultants.
  • It’s good to see the importance of behavioural risks highlighted, as it demonstrates the importance of non-survey tools, e.g. behavioural observations, the information recorded regarding incidents and near misses, the remediation of open actions and the importance of robust root cause analysis.
  • We need that evidential data to dig into behavioural risks and themes rather than survey results and discussions.
  • There continues to be a real lack of understanding of the depth and complexity of this subject, e.g. the differences between culture, sub-culture and behaviour, the limitations to the use of cultural analysis tools and the limitations of the use of surveys, focus groups and conversations.
  • It’s important to recognise that some approaches to auditing in one organisation may not work in your organisation. There is no one size fits all with culture.
  • There is a wariness of auditing culture and we need to upskill ourselves in order to talk about behavioural risks rather than an intangible subject internal audit is interested in.
  • The fundamental questions: How do we tie this work to the Standards? What are the key behavioural risks in your organisation? What criteria are you using to assess behaviour and culture? And finally, with regards to assurance opinions on culture, how do you make sure an opinion you give today won’t be out of date tomorrow? What traps and pitfalls do we need to avoid so as not to damage our credibility as we move into this space?

Geraldine Smith, Former HIA HSE Ireland:

  • I really welcomed the report and I think it has been an incredible initiative from the Institute. I think the timing is really important, being post-Covid, in a period where organisations have gone through significant change and disruption which have posed challenges to culture.
  • The report allows the opportunity to take stock and assess how we can help organisations align culture and behaviour to the strategic agenda. What are our concerns and reservations?
  • It provides a chance to be clear on the skills and support needed to deliver in this area of work in line with our obligations under the Standards.
  • A key message for me is that this is an area to which boards must pay more attention. The report cites that 52.4% of HIAs have not been asked by the Board, or permitted, to report on culture or EDI initiatives.
  • The language used is important and perhaps the solution for us as internal auditors is to change the language to reframe discussions and talk about behaviours as ultimately it is about how people carry on the business – their values, attitudes and behaviours.
  • The report demystifies what culture audit is about, the methods which are there, and it references the rich sources of data accessible to us as internal auditors.
  • The questions the report poses are also important to help us undertake culture audits.
  • It’s important to remember that internal audit is only one assurance provider as the 3rd Line, so we have a role in providing assurance on those 1st and 2nd line functions and the collaborative role internal audit could carry out in this space. We also could carry out consultancy work in this area.

Sandro Boeri, Head of Staff Development and Culture Assessment, Deutsche Bank group:

  • We audit processes and these are operated by human beings. We need to find a way of engaging with the human condition and ignoring it is a massive area of risk.
  • Putting the focus onto behavioural risk may make it feel a lot more tangible.
  • I am disappointed in the proportion of auditors who don’t engage in this subject, whether they’ve been asked to or otherwise. The report doesn’t really lead us to a ground where we would audit this theme as we would any other theme.
  • We need to think about why aren’t we auditing culture, as we would audit any other theme? Is the human condition really that complex that we can’t audit it? We should become curious about this theme as we would any other.
  • Humans react according to their perception, and that perception is their reality. Humans behave in accordance with that perception. What control processes do we have that influence our employees’ perceptions in a way that influences the ultimate behavioural outcomes of our employees?
  • I was working in financial services and witnessed the devastation during the financial crisis and the austerity which followed, likely a contributory factor to Brexit, leading to what we see today in Ukraine. All are events which lay witness to the failure to interact with the human condition.
  • Finally, internal audit risks becoming irrelevant if it can’t find a way of interacting with the human condition.

Nicholas Crapp, Former CAE, NatWest:

  • Culture is about business principles and values. All are ways for organisations to mitigate behavioural risks. This is key – present the question as ‘What are we doing to mitigate that risk?’ Having this risk, which sits on your audit plan, takes away confusion around culture; the work has a typical risk and internal audit focus.
  • The reason why culture and behavioural risk is on the agenda is due to corporate failures, such as Patisserie Valerie, Volkswagen and also Wells Fargo.
  • It’s important to remember in these examples that the failures weren’t due to rampant culture failures across the organisation, rather it was down to pockets of the organisation doing things they shouldn’t.
  • You can’t audit everything under ‘culture’. You should focus on key areas where there might be behavioural risks and do more in-depth work in those areas. This may be done on a cyclical basis across the organisation.
  • Finally, we haven’t really thought about the impact of working from home yet on culture. A lot of the work done in this area would have been based on people working together and how they behave. How will this impact culture going forward?

Institute's comments

Thank you. Some fascinating thoughts on culture from our subject matter experts today. The report could have gone further, but we need to take our members with us on this journey. After 13 years, we had hoped that internal audit work on culture would be more embedded than the statistics suggest. The report contains great questions to ask of your organisations and of yourselves.

Before internal audit looks at the culture of the organisation, internal audit should look at the culture within the internal audit team. Does it reflect the culture of the organisation or is it built on the independence of the function and therefore separate and distinct from the organisation? It would be helpful for you to start by looking at your own culture as it will help guide your conversations with the business.

Please do take a look at our Resources section. It includes technical guidance and IIA Global guidance on auditing culture. It’s important to remember that there is no ‘one size fits all’ approach with this. Use the guidance and make your work in this space relevant to your organisation.  

Chair's closing comments

Thank you, Geraldine, James, Sandro and Nicholas. When I read the report, particularly the statistics, I was disappointed and I feel that the profession could come under serious criticism if we don’t get to grips with the subject of culture. We will revisit this area in future.

Our next session will focus on cyber risk. We have moved the date to the 18th May to accommodate the speaker, Magdalena Skorupa, Cyber Director for Reckitt Benckiser Group (in Warsaw, Poland). Poland is coping with a massive influx of cyber-attacks. Magdalena will share what’s going on in her world, working for an international company based in Poland. I think it is fair to say that global events are very much putting the focus on this subject at the moment. Cyber was already at the top of the agenda in our last Risk in Focus report, and was for the previous three years. It will most likely be in the top two in this year’s report.

I would suggest that, for many organisations just now, both sides of the consequence and likelihood equation have moved in the wrong direction as they either review and reposition their connectivity with Russia or reassess their potential to be seen as a realistic target for an attack.

As usual, notes and chat comments will be placed on our web pages in the next 24 hours.

We have a number of events scheduled for the coming months, including our Leaders Summit and our Internal Audit Conference. Please visit our Events section for further details.

Chat box comments and discussion

Q: Geraldine, you did some work regarding a major cultural issue within an organisation. Could you share the circumstances and generalities coming from that work?

A: There was a major scandal emanating from a Chief Executive who was all-powerful and revered. The board was ineffective and enabled the Chief Executive. Like all similar corporate scandals, there was a lack of oversight and there were huge financial issues with the organisation, which ended with a government bailout. Then there was a big change to the corporate governance and root and branch change to the organisation. It had to be rebuilt from scratch in terms of setting out best practice, with a new Chief Executive. It has been a long, hard slog and shows that if governance isn’t effective and issues aren’t dealt with, then the organisation could fail. There are huge reputational risks and rebuilding this with a new board and committees.

Q: Nicholas, you started in RBS not long after the financial crisis and it’s been rebuilt. You’ve started to respond to this word, culture. Has your view changed about how to approach this subject?

A: Geraldine outlined the same issues. Poor corporate governance and a very strong CEO is a recipe for disaster. I often say that even if you get rid of a CEO, it still leaves a shadow on the rock, much like from an atomic explosion. We were an early mover and did a lot of work on culture which became behavioural risk and then the business ‘got it’, revealing things the business didn’t know, and became something the business couldn’t get enough of. We then took the behavioural risks and looked at this in dealing with customers and the questions asked of them. What do you put on your website? How do you design this? It all generates behavioural risk from a customer side which then potentially generates conduct risk. The team has 15 people and now at least half the work is being done on the customer side. It would be hard not to have this team given what they’ve uncovered and the value they’ve added.

The Ockenden Report is the report into Maternity Services at Shrewsbury and Telford and this is a worthwhile read as it aligns to today’s discussions but in an NHS setting.