3i Group plc
International asset management company
In standard internal audit reports, they provide an overall control assessment of the management of the business unit. As part of the rating system, they take into account a number of factors such as management’s ownership of risk, attitude to control, accuracy and timeliness of management information and response to previous audit findings.
Internal audit's approach to assessing culture
Auditing culture would not typically take place as a standalone audit but could do so; for example, on the back of a major values programme, where internal audit could play a role in its review and implementation.
Culture is inseparable from much of the day-to-day work that audit does.
Operational risk is about people, processes and systems so you cannot ignore behaviours and culture in the audits that you do. The audit function has always taken these people aspects into account but has done so with increasing transparency; for example, through recognition as part of the control assessment ratings used for audit reporting.
The HIA would recommend that every audit team looks at what they are currently doing and for ways to make the assessment of culture and behaviours more explicit in terms of outcomes and reporting. This can be done incrementally without the need for a ‘big bang’ approach.
Audit findings on culture and behaviours do not necessarily need to be communicated in writing. Some areas may need to be handled more sensitively and possibly reported orally. One should exercise careful judgement in what is committed to a written report. The challenge lies in making full use of the different types of communication internal audit has at its disposal.
In standard internal audit reports, they provide an overall control assessment of the management of the business unit. As part of the rating system, they take into account a number of factors such as management’s ownership of risk, attitude to control, accuracy and timeliness of management information, and response to previous audit findings.
Making use of data points outside of internal audit, such as a staff survey, can also provide useful information to help internal audit from a view in the area of attitudes and culture.
Internal audit explains the importance of the above factors to management which helps get buy-in to their overall approach.
When internal audit report to the audit committee they look at outputs from various audits to report on themes and trends. Taking account of culture and attitudes is integral to this work. The end of year ‘state of the nation’ style report also provides high level comments on areas such as the ‘tone at the top’.
In terms of culture’s relationship with risk, it is important to distinguish between commercial risk-taking and risk from an internal control standpoint; for example, a high commercial risk appetite may well be compatible with a strong control culture.
The assessment of culture and risk needs a good deal of judgement and finely tuned communication skills, more suited to more experienced auditors. This experience needs to be built up over time and cannot be easily taught on a training course or otherwise fast-tracked. Less experienced auditors require on the job training and coaching. It also helps to have the right reporting framework in place.
Overall, the approach taken to assessing culture and behaviours needs to fit the chemistry of the business. This is something each organisation needs to determine for itself; for example, an organisation that is global may need to take a very different approach to one that is UK/Europe-centric.
Back to practical examples | Next: Aberdeen Asset Management
