
Lloyd's of London

Insurance market

Internal audit uses root cause analysis built into the scope of every audit to explain the people risk that has caused any issues. Internal audit also uses the results of an annual people and risk survey to pinpoint what is not right and to identify where to conduct reviews. 


Internal audit has always had informal conversations about the cultural aspects when auditing; the challenge lies in writing them down. They have always audited people, process and technology. It is usually the people risk that causes issues. Within this they have assessed the ability of the people to do the job but have only raised this by exception and orally. Now it is built into the scope of every single audit.

The initial challenges were around how to evidence it. Gut feel is hard to explain to people and put into words, so it needs to be backed up with evidence, e.g. the survey. This becomes more difficult the larger the organisation is.

What the cultural issues are

In the time that the HIA has been there, the organisation has undergone a big cultural change from a ‘civil service’ set-up with a large committee structure to a more streamlined set-up. The organisation is in a unique position in that it is a service provider as well as a supervisory body.

The IIA’s Effective Internal Audit in the Financial Services Sector acted as a catalyst to the focus on risk and control cultural issues. 

Internal audit's approach to assessing culture

From Q1 2013, a Big 4 firm has administered a confidential annual people and risk survey containing about 70 questions. Internal audit use the survey to pinpoint what is not right and to identify where to conduct reviews. They will also assess the actions stemming from the survey results to see what has and hasn’t been implemented.

These surveys start to get to the nub of the issues, but the Big 4 are still grappling with the surveys and with what questions to ask and how to ask them. It is a moving feast and they are not there yet. There are 5-10 questions (stemming from the survey) that internal audit looks to drill down further and answer in every audit to ensure a consistent approach.

Difference between risk culture and culture

Culture as well as risk culture needs to be taken into account. The risk culture in, for example, the technical team may be very good, but if the team is not collaborating with others as it should be, then that is part of the overall culture and will need to be audited against, as it will affect outcomes.

The results will be written down in a report and presented to the audit committee, but the regulators will also be able to see the report, so it is important to be confident of the factual accuracy behind the judgement.

The audit committee appreciate that the cultural aspects of the audit can be fairly judgemental, but they are taken seriously as the audit process is robust enough to consider why there are issues.


When they do an HR audit, they look at how the values are set and how HR are embedding them. The second line should be raising any issues with how and why the values are not being embedded.

They will do a tone at the top review in three years’ time. Tone at the top very much affects whether people are scared to raise issues or not, and this in turn affects the flow of information, i.e. if people do not fear speaking up then the flow of information is very good.

Skills and abilities

There is considerable use of co-sourcing in the organisation so the Big 4 have the combination of technical and people skills to audit cultural aspects. If the internal team make the assessment then it has to be more experienced/senior internal audit staff who have seen enough go wrong to make a more credible judgement.


Content reviewed: 30 August 2023