Auditing non-financial risk in cultural and heritage areas

The UK and Republic of Ireland are rich in cultural heritage organisations, venues, and sites. These can include museums, art galleries, stately homes, historical buildings, archaeological sites, places of national interest or record, public statues, libraries, and archives. Many will assume that such entities concern only public- or third-sector internal audit teams. This guidance will include private collections that have charitable status. However, it is worth considering how many private-sector organisations have large art collections, for instance; certain banks are famous for theirs.

Whether the governing body is national or local government, a private organisation or third-sector body, regular, risk-based audits are necessary. These audits should not only consider the financial aspects of any assets or sites, nor focus solely on statutory responsibilities. There are significant reputational and legal risks associated with culture and heritage. This piece of guidance is not only a refresher about obvious, quantifiable points to audit, but also – and more importantly – about the intangibles. Because when auditing cultural and heritage assets, what is most valuable cannot always be counted.

Why should internal auditors act?
What should you consider?
Where to start?

Why should internal auditors act?

In its investigation into maintenance of the museums estate in England in 2020, the National Audit Office set out its view on the value of such cultural and heritage entities. The report in fact opens by saying that they have:

  • intrinsic value (the enriching value of culture in and of itself)
  • social value (improving educational attainment and helping people to be healthier) and
  • economic value (the contribution culture makes to economic growth and job‑creation).

Note that economic value comes last in this list of three values.

It will be obvious to most internal auditors, whether in the public, private or third sector, that they should consider the risk of loss or damage to irreplaceable or high-value cultural or heritage assets. Part of any audit should cover quantifiable aspects such as budgets, insuring valuable items, security, access, increasing membership and revenue streams and so on.

How well would you articulate the value and risks associated with intangibles such as community pride in a particular work, or reputational aspects of a particular artefact or collection? A standard review will consider basic questions such as:

  • What are our most valuable assets?
  • Are they displayed or stored securely?
  • Is the insurance sufficient to cover loss or damage, and is it up to date?

This, however, is far from sufficient. Cultural and heritage assets often have risks that, while hard to quantify, far outweigh any easily calculable loss. These can be as obvious as risks to the public from poorly maintained buildings – falling masonry, for example, or trip hazards on carpeted staircases.

The Department for Digital, Culture, Media & Sport’s risk registers identified poor or overdue maintenance as a significant risk in 2019: ‘These included: structural instability; water damage; flooding; risks to the collection, public and staff; and risk of securing insufficient funding to carry out urgent estate work (at the anticipated 2019 Spending Review).’ If this is the case for museums receiving government funding, private sponsorship, and donations, what may be the situation in small, local, or niche museums? As the list indicates, it is not merely a matter of water damage – there is a very real risk of injury or death from poorly maintained buildings.

It is not only the fabric of the publicly accessible building that needs attention; storage sites will house the majority of most museums’ collections. According to the Swiss art magazine Widewalls, only 5% of a typical museum's collection is on display at any one time, so storage is critical to preserving assets. Failing to store collections properly obviously incurs financial risk, which can be mitigated by insurance. However, no amount of insurance can mitigate the far greater risk: loss of cultural heritage.

Another, less immediately obvious risk is reputational, which can lead to negative publicity, reduced sponsorship and visitor numbers (and therefore less revenue), and even removal or closure. Both the US and the UK, for instance, have seen numerous protests in recent years about statues of historical figures. Museums have also been subject to criticism for certain items in their collections, especially human remains: shrunken heads, bound feet and Aboriginal skulls have all been singled out as belonging properly to the tribes or territories of origin, not on display or in storage.

These protests bring into sharp relief the fact that heritage and cultural artefacts may have wider resonance, significance, and risk than their ‘book value’ for insurance purposes may indicate. And the cost of assessing any risks associated with controversial assets or sites is far less than that of responding to public outcry.

Other risks can arise from questions of provenance. National museums will have rigorous procedures and documentation in place to demonstrate that they have acquired items legally. Smaller, local or private museums may not – through lack of either awareness or expertise, or an assumption that this risk will not apply to their collections. Yet a donation made in good faith by a local resident to the town’s museum, or even by a bank chairperson to his or her employer’s art collection, may in fact have dubious provenance.

This can include: 

  • antiquities looted from conflict zones
  • antiquities taken out of countries without official permission
  • treasure that was not reported to the relevant authorities
  • items smuggled or sold illegally by curators or other caretakers and
  • personal property confiscated during conflicts.

Another risk is legal: organisations could face charges of discrimination, which carry both legal and reputational consequences. People could state that certain assets contribute to a discriminatory environment; others could point to difficulty accessing sites and collections, if old buildings are not suitably equipped for disabled access. Even without legal action, there is always reputational risk from public complaints and negative media or social media coverage.

Culture and heritage doesn’t just mean museums, though – it also includes libraries and archives, repositories not just of documents, but also of memory. Internal auditors must of course review physical security and safekeeping, including appropriate light, temperature, and humidity controls. But risks also lie in the nature of the documents. 

Personal, often sensitive information can be found in old correspondence, accounts, and other records. If the people concerned are still alive, how do the libraries or archives balance freedom of information with data protection? If they are dead, but their descendants are active in shielding their memory, what procedures are in place to make documents available while maintaining good relationships with the public? 

In the case of libraries and archives, it may not be as simple as forbidding public access to a document, or de-accessioning it. Public libraries have statutory responsibilities to the general public, of course, while archives are the repositories of government documents. The 1964 Public Libraries and Museums Act states that:

"It shall be the duty of every library authority to provide a comprehensive and efficient library service for all persons desiring to make use thereof, and for that purpose to employ such officers, to provide and maintain such buildings and equipment, and such books and other materials, and to do such other things, as may be requisite."

Meanwhile, the NAO report mentioned earlier lists museums’ statutory duties – which differ according to their relevant structure and legislation – as typically including: 

  • preserving and exhibiting their collections
  • making them available to the public and
  • promoting public enjoyment and understanding of their subject matter. 

Removing items simply to avoid difficult decisions could thus place a museum, library, or archives service in breach of its legal obligations. 

This guidance has so far pointed out many areas of risk and raised many questions. So, what can you do to increase the chances of delivering a truly valuable, risk-based audit, when so much seems intangible?

What should you consider?

The following outlines just some of the questions you can start to ask, depending on the nature of the internal audit subject. The answers should open up a whole realm of new possibilities – and questions needing answers.

  • What do you have, and why do you have it?
  • Where is it?
  • Is it available to the public (if it should be)?
  • Whether it’s publicly available or not, is it securely stored? Consider not just access, protective glass, and atmospheric controls, but also fire-suppression systems.
  • Is insurance up to date and proportionate? What are the exclusions? Do the exclusions – for instance, possibly of items in the public space that may attract vandals or protests – mean accepting the risk or avoiding it altogether, by removing the item?
  • How is building maintenance funded and managed?
  • Are repairs timely and thorough? If not, why not?
  • What maintenance is lacking or poorly done? Why?
  • What risks does poor maintenance imply for staff, the public and physical assets?
  • How is conservation work budgeted and managed?
  • Are there sufficient qualified, skilled staff, either in house or externally, to clean, repair and restore precious works?
  • How does the organisation discharge its statutory obligations to store or display controversial items?
  • What is the policy on loans to or from other institutions? What procedures are in place to safeguard items once they arrive at or leave the home institution?
  • How does it approach the educational aspect of its remit? Does it take into account all relevant scholarship and approaches, or is it stuck in the past?
  • How does the organisation maximise opportunities – for increased visitor numbers, sponsorship, grants, exchanges with similar institutions?

Where to start?

Few internal auditors are specialists in cultural and heritage assets, so you may need to co-source external expert resources. Curators, conservationists, and scholars, among others, can give an independent view on what the greatest risks and likeliest controls are, beyond the purely financial.

However, below is an example of how you could approach reviewing a cultural or heritage organisation. It is taken – with permission – from the risk and control assessment document of an assurance engagement covering a public-sector archives service. The organisation’s name has been replaced by ‘XXX’ throughout for anonymity.

If you are reviewing a museums or libraries service, you can adapt this kind of document accordingly. You will need to consider the specific risks and controls, as well as the relevant industry standards.

A. Asset sub-risk(s) 

A1. Without a formal collection and de-accession policy and process in place, XXX could fail to acquire or preserve valuable assets, or may dispose of assets improperly.

Controls/risk mitigation expected

  • documented, approved policies and procedures
  • staff are aware and comply
  • identification of gaps in holdings
  • donor agreements approved
  • statistics on donations.

A2. Lack of physical storage and handling processes (in line with industry practice, eg BS 5454) could lead to inadvertent damage or loss of assets, especially of rare or fragile documents.  (link to C3, below) 

Controls/risk mitigation expected

  • results of audits against industry standards
  • results of regular monitoring of temperature and humidity
  • actions to house records appropriately (eg acid free boxes, protective covers)
  • unique items segregated
  • up to date fire suppression systems in place (eg if an area catches fire, the system should flood it with an inert gas such as nitrogen – no sprinklers!)
  • mechanisms for monitoring preservation condition of holdings
  • regularity of whole-of-holdings preservation assessments
  • conservation needs prioritised
  • resources available for conservation work
  • records of conservation work undertaken
  • records and archives that cannot be used because of fragility or physical deterioration.

A3. Lack of robust and sustainable cataloguing procedures/systems can lead to assets being misplaced, lost or otherwise unavailable for users.

Controls/risk mitigation expected

  • cataloguing policies and procedures in place, and levels defined clearly
  • staff are aware and comply
  • levels of cataloguing defined
  • cross-referencing assets if applicable to more than one cataloguing system
  • statistics on uncatalogued material
  • statistics on the size of the backlog for archival processing
  • plans and priorities for addressing uncatalogued material. 

A4. Lack of long-term digital strategy could represent a failed opportunity for XXX to make assets more widely known/available at little physical risk. There is also a risk of internal inefficiency. 

Controls/risk mitigation expected

  • digital sustainability plan in place
  • migration and conversion instances undertaken
  • techniques for monitoring format, software, and hardware dependencies.

B. Reputational, legal, and/or financial sub-risk(s)

B1. Non-compliance with current data protection or other relevant laws could lead to regulatory censure, and legal and reputational risk.

Controls/risk mitigation expected

  • all legislation, standards, codes, and other relevant compliance documents are identified
  • XXX staff know the recordkeeping requirements of compliance
  • risks of recordkeeping non-compliance documented and accepted by XXX
  • records that contain sensitive or personal information identified
  • XXX staff trained in personal data protection
  • monitoring of access breaches
  • complaints about disclosure of personal data
  • a range of written assistance is available to individuals seeking access to data about themselves held by XXX
  • knowledgeable staff available to assist enquirers
  • procedures outlining methods of correcting personal details in records
  • procedure to support gathering and production of organisational records as a result of legal requests
  • able to explain and justify the absence of expected records
  • instances where producing, or failing to produce, the ‘right’ records led to settlement of a legal case
  • compliance with time restrictions on court orders to produce records.

B2. Failure to disclose information could lead to legal and reputational risk.

Controls/risk mitigation expected

  • any complaints received.

B3. Failure to present data in context – through releasing records internally or externally without understanding the context in which they were created – can be misleading and lead to reputational risk.

Controls/risk mitigation expected

  • system allows links among related records
  • providing search and enquiry systems that provide context to users (incl. staff assistance).

B4. Failure to make assets and service more widely known externally (including internationally) could mean XXX and XXX missing out on prestigious and possibly lucrative partnerships and collaborations.

Controls/risk mitigation expected

  • marketing plan
  • briefings, talks and speeches to relevant groups
  • publicity or educational material (brochures etc.)
  • outreach programmes (incl. school visits)
  • work placement for trainees
  • publications, exhibitions, displays
  • participation in professional debates and discussions, and scholarly conferences.

C. Operational sub-risk(s)

C1. Lack of clear, consistent recordkeeping policy, and integrated accompanying systems, within XXX may lead to gaps in or duplication of information, or mistakes in retaining, releasing, or destroying records. As a result, XXX could be hindered in fulfilling its role.

Controls/risk mitigation expected

  • significant participation in 1) analysis for automation, 2) information management planning, 3) information architecture initiatives or 4) initiatives for particular processes
  • instances of helping XXX managers identify recordkeeping requirements and improve processes.

C2. Lack of XXX policy on retaining and disposing of data (including loans) could lead to 1) retaining records unnecessarily, resulting in inefficient use of resources and possible legal risk, or 2) inadvertent loss of assets.

Controls/risk mitigation expected

  • defined degree of coverage of records by XXX
  • defined degree of coverage of records by any equivalent body (with whom XXX shares custody of records)
  • record-keeping responsibilities incorporated into individual job statements and included in individual performance reviews/measures
  • record-keeping training included in induction training
  • ongoing/refresher training regularly available
  • formal retention and disposal authorities in place, incl. explicit authorisation for all records destroyed
  • routine processes to destroy time-expired records are in place
  • records systems can provide details of any authorised acts of disposal (including destruction, transfer, loss)
  • procedures identify approved methods of destruction
  • destruction is documented and certified if undertaken by a third party
  • regularity of destruction processes
  • unauthorised destruction reported.

C3. Lack of robust business continuity and disaster recovery plans could both put assets at risk and fail to deliver a service to users.  (link to A1, above)

Controls/risk mitigation expected

  • vital records are identified
  • testing frequency of business continuity plans
  • emergency plans regularly reviewed and updated.

C4. Failure to restrict access and security (physical and electronic) could lead to loss of assets and possibly reputational and legal risk.

Controls/risk mitigation expected

  • justification processes for applying access and security restrictions (or exemptions)
  • proportion of records and archives carrying access security restrictions
  • regular review of access and security restrictions
  • staff training/knowledge of the access and information security policy
  • number of breaches identified or reported.

C5. Failure to make information about service and data available to all interested users could lead to reputational and possibly legal risk.

Controls/risk mitigation expected

  • range of physical facilities provided, for example:
      – secure storage for bags and coats
      – access to photocopiers
      – separate supervised research area
      – equipment to access records (microfilm/fiche readers, computers etc.)
      – rest rooms
      – accessibility of facility, including access for persons with disabilities
  • initiatives to improve physical access to archives and records
  • results of user feedback surveys
  • range of channels used, for example:
      – web pages
      – archival portals
      – listing in directories
  • accessibility of the information within the channels (eg archives/records services linked to organisation’s home page)
  • mechanisms for monitoring that all citations of relevant URLs are operational
  • contents included in channels used, eg:
      – directions to physical location
      – ability to book appointments
      – contact details (email, phone, address)
  • regular content review
  • range of dissemination methods available, eg:
      – digitisation on demand
      – quality and quantity of digitised records available
      – records available for download on the internet
      – availability of copying services or use of digital cameras
  • fees or charges applied for assistance or copying
  • services available to support users:
      – counselling services for users accessing sensitive material
      – availability of reference staff
      – degree of staff experience and depth of knowledge of the holdings
      – standards for retrieval times
  • user statistics
  • subject, personal and place names, and location indexing
  • multi-lingual communications.

C6. Without the right number of properly qualified and trained staff at the right level, XXX is at risk of failing to provide service now and in future.

Controls/risk mitigation expected

  • service standards
  • staff satisfaction
  • availability
  • individual staff training and development needs identified
  • professional qualifications
  • participation in professional associations’ events.

D. Governance sub-risk(s)

D1. Lack of clear governance – including purpose (vision/mission), reporting lines and performance monitoring – could lead to ineffective or inefficient service from XXX.

Controls/risk mitigation expected

  • vision statement – regularly reviewed (including staff input), approved and used in management planning
  • consistency of management approaches
  • openness of communication
  • organisational links to related disciplinary services (eg, IT, audit, risk, information management, library, museums)
  • internal performance indicators
  • peer service benchmarking
  • governance bodies include appropriate senior staff
  • regular reports to governance bodies, stakeholders
  • access of staff to governance bodies.

D2. Lack of clear strategic and operational plans could result in short-term, reactive, or ineffective activity within XXX.

Controls/risk mitigation expected

  • strategic plan
  • operational plan
  • review cycle (incl. consultation) of the planning documents
  • performance against the plans.

D3. Lack of robust budget planning and reporting process could lead to inadequate funding of XXX, or poor use of resources within XXX.

Controls/risk mitigation expected

  • formal budget cycles
  • justifications for budget bids
  • independent budget for the programme
  • regular expenditure monitoring and reporting against budget
  • identification of and applications to external funding sources. (link to risk B4)

Internal audit should discuss with the first line – curators, caretakers, and customer-facing staff – what problems the organisation could face, and how best to resolve them. In this way, as in other sectors, organisations and contexts, internal audit can add value to what may be invaluable.

Further reading

Museums

Collections Trust – Primary procedures
Collections Trust – Introduction to Spectrum 5
National Audit Office – Investigation into maintenance of the museum estate
Department for Digital, Culture, Media & Sport – The Mendoza Review: an independent review of museums in England
Auditor General for Scotland – National Museums Scotland 2018/19 Annual Audit Report
Welsh Government – Expert Review of Local Museum Provision in Wales 2015
National Museum Wales – Annual Review 2018/2019
National Park Service – Chapter 7: Museum Collection Storage
Widewalls – Art storage – museum collections

Libraries

Public libraries news – Public Library Standards in England
Association of Irish Local Government – The Local Authority Public Library Service
The British Library
National Library of Scotland
The National Library of Wales
National Library of Ireland
Library of Congress – Standards

Archives

United Nations – Archives and records management
Scottish Council on Archives – Archive and Records Management Services Quality Improvement Framework (ARMS)
WorldCat – The management of public sector records: principles and context: [a training programme]
The Economist – We must fight to preserve digital information

Content reviewed: 13 October 2021