
TUI Travel plc

British leisure travel group

There are a number of elements to their approach:

  1. Stakeholder engagement: an assessment of the business unit’s level of engagement with the audit

  2. Reporting balance: the provision of context and credit around the reporting of key control weaknesses in each audit

  3. Auditor accountability: the ability of stakeholders to voice their perception of the performance of the internal audit team and the value added by each audit

  4. Stakeholder accountability: the reporting by peer group of relative engagement and effectiveness of the different business units

  5. Cultural heatmap: Incorporation of questions relating to culture into the annual 'Your Voice' staff survey


The prevailing culture of an organisation is ultimately a reflection of the risk appetite and effectiveness of its board. The board, which is responsible for the nature and extent of risk-taking being undertaken on its behalf, must communicate its attitude to risk and control and ensure that an effective system of internal control exists to enforce it throughout the organisation.

If the board projects a strong presence in the minds of management (through a clear tone at the top, a strong commitment to competence and ethics, appropriate incentivisation etc) then it will provide internal audit (IA) and also other control functions with a strong fulcrum off which they can leverage their work.

In reality the degree to which IA can be effective in the organisation is determined as much by the commitment and competence of the board in setting and enforcing the right tone at the top as it is by the commitment and competence of the IA itself. 

What the cultural issues are

A strong commitment to risk and control by the board is often reinvigorated by a risk and control failure. In TUI’s case a financial control failure in one of its businesses in 2010 became the catalyst for change. The board’s focus on and commitment to the risk and control agenda hasn’t wavered in the four years since and the system of internal control has developed significantly as a result.

Since 2010, and with the full support of the board, the IA function has provided active thought leadership in the development of a robust system of internal control. When the board signals its appetite for an improved control environment it’s vital that the IA function responds with pace and energy to support it.

Control improvements at TUI Travel have included, amongst other things:

  • the introduction of a COSO programme (to provide the management with a common language and framework of control)
  • the development of risk & control objectives (to incentivise desired behaviours) 
  • the strengthening of the three lines of defence (to establish structure and defence in depth)

The second line of defence in particular was strengthened through the establishment of Group compliance functions (for finance, IT and legal and regulatory) which have further strengthened the control culture and infrastructure of the organisation through a programme of ‘education’, ‘self-certification’ and ‘validation’ with direct reporting through to the audit committee.

The Chairman of the audit committee invests considerable time and energy in pre audit committee meetings which sets the tone and ensures efficient and effective committee meetings. The commitment of the board to competence and cultural change is reflected in the strong and active presence at audit committee.

In addition to the members and typical attendees (i.e. CFO, Director of Financial Control & Reporting, Director of Internal Audit & Risk and External Audit) the company Chairman and CEO attend every committee meeting.

This sends a clear message to management re the board’s expectations.

The audit committee has developed a strong presence in the minds of management and internal audit use their position within the organisation to support the Chairman of the audit committee in consolidating and extending this authority. It’s now standard practice at TUI Travel that divisional MDs join their FDs at the audit committee to present on their risk and control environment.

As a result, risk and control has become highly relevant to the MDs – they have come to appreciate that they are expected by the board to be able to articulate with ease how the system of internal control operates within their business areas and to have identified the next areas for improvement.

In this way risk and control moves centre stage rather than being an FD side show. IA support management by providing them with a framework for presentation to the audit committee (TUI uses COSO) and by guiding them through the process. Management appreciate this support and it helps to build a relationship with, and trust in, the IA function.

The sustained level of expectation and the consistent level of follow up by the audit committee and the board has been a critical success factor in ensuring that the ‘tone at the top’ has progressively permeated the ‘mood in the middle’.

Under the board’s steady gaze old ways of working have become unfashionable and increasingly unacceptable. In this period of cultural change an effective IA function can play a full and active part in supporting the board’s risk and control agenda and it’s important not to waste the opportunity to do it.

Internal audit's approach to assessing culture

The positioning - the three Rs (Reporting line into the Board, wide Remit & appropriate Resource) - are fundamental to the effectiveness of an IA function. However ‘hard’ positioning is only part of the solution. The real key to IA success lies in its ‘soft’ positioning (Relationships and the influence it has through the organisation). 

Often, in order to support the board in achieving its cultural change agenda, IA needs to drive a cultural change of its own.

IA needs to be trusted as an ‘honest agent’. Not just an agent acting for the board (doing the board’s bidding, supporting and progressing the board’s agenda) but also an agent acting for management (ensuring that the expectations of the board are understood and that all reporting to the board about management is fair, honest and transparent). If IA can achieve this then it can start to earn a position of trust and influence within the organisation. This, in turn, enables it to accelerate the pace of change in culture and competence to the benefit of both board and management alike.

The process - It is important that IA’s methodology supports the relationship it is seeking to have with the organisation. If management believe that they are unlikely to benefit from any interaction with IA then the relationship will be cold and unproductive.

However, if the IA methodology allows management to build a positive profile with the board and shows them how they can do it, then its relationship with management is likely to be positive and productive to everyone’s benefit (including the board’s).

Some of the mechanisms used at TUI include:

  1. Engagement
  2. Context and credit
  3. Stakeholder feedback
  4. Performance reporting
  5. Staff surveys


At the beginning of each audit IA advise management that, at the end of each audit, it will add a statement in the report highlighting for the reader the level of engagement shown by management during the audit. In this way it is very clear to management at the outset that they can, in effect, choose their audit engagement rating by the way in which they approach the audit from that point on.

If management embrace the audit with ‘Honesty, Openness & Transparency’ (these HOT principles have been fully endorsed by the board), their report will include a sentence to that effect - ‘Management were fully engaged and co-operative with the audit’.

If management respond promptly to requests for information but offer little more, the report will reflect this lower level of engagement – ‘Management co-operated with the audit’, i.e. they fell short of open and proactive engagement with internal audit.

If management behave defensively and/or obstruct the audit, their report will not include any reference to engagement; the space where the engagement rating would normally be inserted will stand empty, so its implication is clearly visible to the board.

At the end of the year IA produces a table of the number of audits per business area and the number of respective ‘engagement ratings’. This gives the board a good sense of the differing cultures that exist across the organisation. It also helps to encourage management to adopt an ‘honest, open and transparent’ approach to the audit process.

Context and credit

Audit reports carry an inherently high risk of causing resentment amongst management as weaknesses are identified and reported, and understandably this can feel quite personal for the managers concerned. IA is very conscious of these sensitivities and is keen to give ‘context’ where it’s useful and ‘credit’ where it’s deserved.


Many IA functions advise the report reader of the background to the audit so the findings can be put into context. This is important to the relationship with management but often gets overlooked. For instance, in one of the TUI Travel business divisions, management have undertaken a merger of three separate companies, a right-sizing programme, a change of head office location and a change of accounting system. It’s very useful for the reader of the report to be reminded of this context and it’s also supportive of divisional management that IA makes a point of reporting it.

It’s also important that the control weaknesses identified are put into context in other ways. For instance, rather than just reporting the key control weaknesses as IA is expected to do, i.e. ‘there were five key control weaknesses’, it adds a summary sentence to put these control weaknesses into context, i.e. ‘Of 30 key controls tested, five required management attention’. This balance helps to put the issue into context, i.e. more than 80% of controls are adequate and operating effectively, and helps to change the culture, with management becoming more engaged with the process.


IA also seeks to give credit where management were aware of the control weaknesses reported and were taking appropriate action to address them. Knowing that the report will fairly reflect the control environment encourages management to be open with internal audit re the issues they’re facing. This doesn’t need to clutter up the reporting. IA simply adds an asterisk next to each control weakness where relevant along with a footnote indicating that management were aware of the control weakness and taking appropriate action.

Stakeholder feedback

As with many IA functions, auditees are invited to comment re their acceptance (or otherwise) of the issues raised in the audit. However, sometimes management comments have to be challenged (because they’re factually incorrect/misleading) and/or shortened.

However, at TUI Travel, so as not to gag management, IA offer management the opportunity to give unfettered feedback after each audit project and this is reported unedited to the audit committee. Two questionnaires are used (one very short questionnaire for the director of the business area/ business process under review and a second questionnaire with two additional questions for middle management who were more impacted by the audit process).

This gives IA and the audit committee a very useful insight into the prevailing culture of the organisation. When IA introduced this feedback mechanism last year it was amazed by the management response.

The response rate in the first quarter was 34% and it has grown progressively each quarter and last quarter it reached 65%. Of the comments made 81% were positive (15% were neutral and only 4% negative).

The response rate and the positive feedback given were all the more remarkable given that more than 60% of the responses over the last year have related to audits where management controls had been assessed as either ‘Unacceptable’ or ‘Unsatisfactory’.

This level of engagement and feedback reflects well on the IA team but more importantly it reflects very well on the management teams completing them. Reporting these quantitative results, along with qualitative management comments, on a quarterly basis to the audit committee gives the committee a good, continuous pulse check on the prevailing culture of the Business.

Some IA functions prefer not to use these feedback forms because of the negative scoring/emotive comments. This is understandable but potentially it misses an opportunity to use the mechanism as ‘an engagement hook’ to pick up on the lack of response or negative scores given in order to develop better working relationships for future engagements. The feedback can help to identify valid issues within the IA team that need to be addressed but, of course, it can also help to expose pockets of poor cultural attitude within the organisation.

Performance reporting

The IA function at TUI Travel report on the performance of individual MDs across a number of measures:

1. The timely closure of audit findings

This report goes to the audit committee. It shows a rolling four quarters performance for all areas highlighting the best and the worst performers and this information is shared openly with the Business.

2. The appropriate authorisation of date extension requests

Where management need to revise their due dates they are required to submit a formal request to the CFO along with the reasons why and a new revised date. The extent to which they comply with this process is also reported, as is the number of repeat requests.

3. Repeated requests for date extensions

When an MD has requested any more than two date extensions to the same action this becomes a reflection of their commitment and/ or competence.

4. Risk management

In addition, all MDs are rated and ranked on their engagement and effectiveness in relation to their risk management processes. Again IA is open and transparent about this process, the criteria used and the results achieved and are accountable to management for the assessments made.

Performance is assessed quarterly and reported widely (business MDs, group risk management committee, audit committee and ultimately the board). This exposes poor culture and also taps into the competitive spirit of the MDs as they engage with the Group Risk function to improve their ratings relative to their peers.

5. Compare and contrast

IA also provides ‘Compare and Contrast’ reporting on ‘themed audits’ (i.e. the same audit performed in different business areas). These reports lay businesses side by side and show how each business area has performed in relation to its peers against the Risk & Control Matrix that forms the audit test programme.

This is as much a test of the consistency of approach and judgement of the geographically dispersed internal audit function as it is of the control environments overseen by the MDs. All of this information helps to profile the MDs before the audit committee and to show how their performance is trending, and the process is fully transparent.

6. The relative commitment and competence of different divisions

This is also discussed by the control communities (i.e. Group functions and external audit) to develop a good sense of differing profiles.

7. Hit rate and root cause analysis

IA also measure the ‘hit rate’ for 36 common control weaknesses, i.e. how many times were particular risks tested, how often did they fail, how badly did they fail and, most importantly, why did they fail (i.e. the root cause)? This also provides good insight into the reason why control weaknesses exist, e.g. lack of awareness of the risk or lack of alignment with the risk appetite of the board.

Staff surveys

In order to further emphasize the culture of Honesty, Openness and Transparency IA have added specific questions into the company’s ‘Your Voice’ staff survey to provide another opportunity for cultural insight.

The survey now includes questions such as ‘I could report instances of unethical or dishonest behaviour to the appropriate level within the organisation without fear of reprisal’. This has also helped to give the board a clear sense of pockets of poor culture across the organisation.  

All of this information puts the MD at the centre of focus as the Chief Risk & Control Officer for their business and it provides the board with a good sense of the culture, commitment and competence that exists within different parts of the Business.

People - ultimately, of course, culture is all about people – both in the IA function and in the organisation.

Internal audit

The Director of IA has high expectations of the IA team. Internal Auditors are expected to have an appropriate mix of hard and soft skills. It’s this mix that enables them to show sound judgement and drive appropriate change. If the IA team can achieve this it will be trusted by the Business and will become a ‘go to’ consultative function where arguably it can do its best work.

They believe that trust to ‘assess controls’ is earned when IA demonstrates competence and compassion (competence to audit and compassion in how the audit is performed and reported e.g. giving credit where it’s deserved etc).

They believe that trust to ‘drive change’ is earned when IA demonstrates commercial acumen and courage (commercial acumen to know what really matters and what doesn’t and courage to challenge at all levels, including the board, as required).

The organisation

IA talks openly to the audit committee and to management about three categories of engagement in relation to risk & control: ‘Contempt, Compliance and Commitment’. The overlay of various indicators such as those mentioned above (1-6) helps to give the IA function and the audit committee a good sense of where different management teams sit on this 3Cs spectrum.

Where individuals have shown positive commitment to the new culture and, in some cases, courage of conviction IA recognises and promotes their behaviour at all levels in the organisation as being examples of managers who are aligned with the ways of working expected by the board. Each year IA charts and reports good progress in behaviours and competence being displayed across the organisation.

The changes noted above are small and simple but they’re making an impact because they are being consistently and fairly applied with openness and transparency.

Behavioural change (compliance) is taking root because risk & control performance mechanisms are personal and tailored to individual MDs. IA helps management to improve (giving them guidance and tools to do the job) and holds them to account (openly, through individual performance reporting). The choice for management becomes simple: ‘comply or explain why’… to the board.

Deep and meaningful cultural change (commitment) will take longer but firm and steady pressure applied over time is already driving significant behavioural change and the IA function can already see much evidence that this behavioural change is beginning to drive the deeper cultural change that the board is seeking to achieve. 


Content reviewed: 25 August 2023