Culture & Internal Auditing – part 1

I’ve had a run of requests to do speaking on Culture and Internal auditing, first for my friends at UNIAC, for about 30 Audit Committee members, then my friends at the IIA NorthWest and then CIPFA in London.

It’s a bit of a challenge trying to summarize the key headlines from the one day training workshops that I run into just an hour, but here are some key points:

My first key message is that looking at culture is an inevitable part of the development of Internal Audit as a profession, 15 years ago we started to take a greater interest in Risk management; then 5 years ago it was governance related issues, and now it is culture. To me this is just a natural part of Internal audit finding its place at the top table, since often the underlying reasons for issues that audit finds are cultural in origin (see also my blogs on Root Cause analysis).

In the UK financial services sector the need for audit to look at culture was identified in an interesting report “Effective Internal audit in the Financial services sector” issued in July 2013.

The report is short and easy to read and makes points that are pertinent to internal audit functions in the public sector and other private sector areas. I urge readers to look at the report if they are not familiar with it and to use it as a useful guide for the development of their internal audit strategy.

Of course, there is a reason that internal audit has not audited culture extensively up to now – it’s hard to audit! Specific barriers to an audit include:

  • It would not naturally appear in an audit universe;
  • It is not clear how one would define culture in the first place;
  • Questions about the sort of evidence that could be gathered to carry out a cultural audit;
  • A sense that it might be hard to agree criteria by which to judge the culture (although a number of regulators appear to be trying to do this).

Needless to say these points (and others) do explain why internal audit needs to be “on its guard” when looking at culture. However, this is not an area that is impossible to audit. Indeed, internal auditors are often aware of a range of cultural and behavioural issues that they might face from time to time, that give insights into the culture of an organization. Specific issues might include:

  • Disagreements who is accountable for an area that is about to be audited
  • Delays in providing audit with information
  • A lack of awareness of key risks and controls with an expectation that “audit will find out what’s going on for management”
  • A view that audit findings are hypothetical and within the “risk appetite” of business as usual (though this may not have been explicitly signed off).

The key message here is that internal auditors can get so used to certain behaviours that they almost become invisible – but these familiar ways of working are precisely what makes the culture of an organization. Remember culture is: “The way we do things around here”.

I like to say that “culture hides in plain sight” – so, in practical terms, a key message for audit functions is to pay much closer attention to these audit behaviours, to record what happens, and to start to discuss these patterns with key stakeholders.

Of course there are many other cultural points audit can to pay attention to and these will be discussed in more detail in subsequent blogs.

Further information about the Auditing culture workshop is provided on the Training and events section of the website.

Also see my ‘thought piece’:  Culture: Surveys vs. Root Cause Analysis (PDF)

Join our mailing list

We will keep you updated with news and events.

Contact

Contact and appointments:

Risk & Assurance Insights
T: +44 (0)7802 868914
Email

Please also use our contact form