
Old Mutual Group

International investment, savings, insurance and banking group

HR administers the Barrett Survey annually to do a values-based assessment. The results, which are shared with internal audit, are used as a basis for understanding the business units they audit.

The HIA and Chief Risk Officer have developed 50 criteria, based on areas the regulator focuses on, to evaluate the risk and control culture of each business in the Group.  The criteria are assessed subjectively by both of them.  


The organisation has always had a set of core values. There was a change of CEO in 2008 and until then the values were well defined but didn’t go any further. The new CEO developed these further to bring about a vision-led values organisation. 

As well as the values, there is a set of ‘act now’ (acronym) behaviours with detailed descriptions sitting behind each one. The organisation is focused on understanding its culture and driving positive actions.

What the cultural issues are

A lot of background work on risk and control culture has been done in the last five years, e.g. the measurement of how many audit actions have been left open and ongoing monitoring of actions.

The internal audit team now has a lot of data on the state of play regarding how audit actions are being addressed and timeliness of actions. There used to be poor follow-up of issues but over time this has fallen substantially. All the data provides a strong indication of attitudes to risk and control.

Internal audit's approach to assessing culture

In the last few years HR has administered the Barrett Survey annually to do a value-based assessment. The survey involved each employee choosing 10 words from a list of 100 which are indicative of different cultural aspects that resonate most closely with them personally. Close alignment between their values and those of the organisation indicates a healthy corporate culture. The survey is filled out anonymously and there is an 85% response rate.

The results are shared with internal audit, which uses them as a basis for understanding the business units it audits.

For example, the Barrett survey results for one unit were broadly satisfactory, but when they drilled down to the executive team’s results for that unit they found that the picture was very different, as they were at war with one another. Internal audit encouraged these results to be shared with the board, which in turn enabled the board to focus on the problem areas within the executive team of that unit.

From Q3 in 2014, internal audit will opine on the risk and control culture in every audit, an approach they are in the middle of designing at the time of writing.

In early 2014, the HIA and Chief Risk Officer developed 50 criteria, based on areas the regulator focuses on, to evaluate the risk and control culture of each business in the Group. The criteria are assessed subjectively by both of them. The criteria fall under the following broad headings:

  • Effective risk management
  • Adequate management information
  • Effective leadership and communication
  • Escalation
  • Strategy
  • Decision making
  • Controls
  • Recruitment
  • Reward

This assessment will be made every 6-12 months. The scores they give are based on judgements from observations and they challenge each other to come to a consensus. They then explain to the leaders of each business unit how they came to these scores; however, the results at this stage are not up for negotiation.

These scores, along with the more detailed data mentioned above and information from the risk world, are consolidated by business unit and then shared with the audit committee, the remuneration committee and the risk committee.

The organisation’s broader approach to culture has helped underpin the risk and control work. When passing judgement on softer controls you have a point of view which is valid but is more likely to be open to different points of view, unlike hard controls, where your findings are unlikely to be challenged. It is important, therefore, to be able to justify and explain how and why you have come to those conclusions.

It is about making an ‘educated judgement’ on a variety of factors that paint a picture. This is not as straightforward as auditing hard controls as the HIA needs to become much more comfortable with shades of grey rather than black or white.

What works for one organisation may not necessarily fit another organisation. 


Content reviewed: 25 August 2023