AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

BAE Systems

Global defence, security and aerospace company

The majority of audits comment on cultural issues and in each audit there is a cultural checklist which prompts audit managers to consider the ethical behaviour elements in their audits. They also try and dig beneath the surface of what they are being told by using a wider sample base than was the case previously.


The organisation had undergone a cultural metamorphosis since the early 2000s.  Ethical business conduct issues were at the heart of what the organisation needed to address following a series of high-profile corruption investigations.  Staff morale at the time was also very low due to the negative national news coverage about the organisation.

What the cultural issues are

In 2008, the Woolf Report was published. A Committee of independent experts chaired by Lord Woolf, produces a fact-based account of the company’s ethical business conduct worldwide.

There was agreement, even before the report was released, that the company would implement all the recommendations. The report eventually included 23 recommendations, several of which related to internal audit and the audit of ‘cultural’ issues.

As a result internal audit was given a very clear mandate to audit cultural issues and the internal audit charter and the Global Audit Process were changed. This was key in contributing the success of auditing cultural issues.

The Charter now includes:

‘To provide assurance that ethical business conduct and the management of matters that could lead to reputational risks is being maintained and adhered to’.

Recommendation 6 in the Woolf report 

'The Company’s internal audit function should ensure that ethical business conduct and the management of reputational risk is specifically assessed in all audit reports and the results, and progress made against recommendations, provided to the Corporate Responsibility Committee (CRC). The additional skills and resources required for Internal Audit should be provided to achieve this.'

Dick Olver

In a recent speech (at Tomorrow’s Company) the outgoing chairman said that:

'The culture we’ve tried to develop is one in which our people take the company’s core ethical values into account in every decision they take. One where doing the right thing becomes an almost subconscious response. And one where - within the constraints of customer confidentiality - we are as open as we possibly can be about what we do and why. It’s not just about what we do but how we do it'.

Olver said that mistakes could only occur because the corporate governance, ethos and structures in place at the time allowed them to. He added that the changes they made are designed make sure those mistakes are not repeated.

Olver said he believed there were five structural elements to driving deep cultural change:

  1. Board structure (world class) i.e. the right proportion of NEDs and executives.
  2. Right Executive group i.e. the board needs to walk the talk.  Tone at the top is crucial and the appraisal process of the top 50 people needs to bring that out.
  3. Objective understanding of where culture is today and where you need to move it tomorrow. This was done in BAe Systems by commissioning a high profile external review which they committed to adopting all the recommendations.
  4. Embed the new culture across the business and grow it over time.
  5. Apply values to forge new relationships including with regulators and key customers.

Internal audit's approach to assessing culture

The way that audit is viewed in the company is that the business is very comfortable with it. The board, audit committee and senior management recognise and support the role of internal audit in auditing cultural issues. This along with the risk maturity and other helpful foundations such as the audit charter make it easier to conduct these audits.

The culture change journey is ongoing so it was critical to put in place a robust mechanism for continuous improvement. The policies and processes outlined in the organisation’s operational framework set out the principles of good governance which, together with their culture, guide their behaviour and work.

Their mechanism for continuous improvement articulates that everything they do will be delivered through adhering to their values and that the values are fundamental to their culture.

The aim is for people to take core values into account in every decision they take. The values are used in the performance management process but they don’t audit specifically against this directly. 

Codes of conduct provide all with practical guidance on principles, standards, and personal behaviour they should display. Codes of conduct have become the norm, but there is a perception that there is a conflict between ethical business conduct and enhanced financial performance. It is, therefore, vital to embed those codes through consistent training and communication at all levels in order to strengthen the link with good financial returns.

On skills, the skillset and process needed revising and the competencies they needed required team members to receive extra training e.g. in interviewing skills, and conducting surveys.

Risk culture is seen as an integral part of culture so internal audit would review the ethical risks during its audits as well as the other more traditional elements of the audit.  It links closely to the risk appetite ad risk maturity of the organisation.

The majority of audits therefore comment on cultural issues and in each audit there is a cultural checklist which prompts audit managers to consider the ethical behaviour elements in their audits. They also try and dig beneath the surface of what they are being told by using a wider sample base than was the case previously.

For example when they were auditing the European Working Time Directive (EWTD) they interviewed employees at all levels, including night shift workers, Trade Union representative and community representatives, during the audit. Previously they would have just talked to the managers who were ‘used to being audited’. 

Internal audit reports to the corporate responsibility committee as well as to the audit committee. A lot of the confidence the internal audit team has on making judgements on cultural/ethical issues in their audits stems from the audit committee Chair who realises a lot of it will be more subjective than is traditionally the case with audit activity but asks them to be confident in sharing their opinions as he wants to hear them.

This confidence then builds with time and experience.  Not all comments on cultural issues will lead to a recommendation, they may just be observations.

There is a mature process in terms of tracking audit recommendations. 

Back to practical examples  |  Next: TUI Travel plc

Content reviewed: 25 August 2023