Research report: Culture and the role of internal audit
This report looks at how boards and audit committees can help rebuild public trust by making the best use of internal audit as they develop their thinking around how to improve ethical conduct for the benefit of customers, employees, all other stakeholders and for business itself.
Download the full report (pdf)
Overview
• In financial services auditing culture is a key feature of the IIA Code2. But there is a similar need across many other sectors.
• Internal audit can play an advisory role on processes and controls in cultural change programmes. But the ownership of such programmes must lie with the executive.
• Internal audit’s role is to analyse to what extent processes (such as performance management and remuneration), actions (such as decision making) and tone at the top are in line with the values, ethics, risk appetite and policies of the organisation. They can therefore help boards judge whether measures put in place to change culture and thus behaviour are actually working.
• Auditing culture and its indicators is complex. Culture is an amorphous concept.
• Internal auditors need to understand their own organisation’s culture, including risk culture, before starting to audit the indicators. There are many models that look at the components of organisational culture. But it is dangerous to reduce work on culture and behaviour into one set of indicators based on a particular model.
• There is no one-size-fits-all solution to auditing culture as organisations can be very different, even if they are producing the same or similar outputs.
• Cultural change does not happen overnight, and providing assurance to boards on change programmes and their effects will be an increasingly important part of internal audit’s work.
• It is important that audit committees engage with internal audit on culture from the start, so that policies and processes can be developed that build in the need for assurance.
