Culture and the role of internal audit – looking below the surface
Foreword
Public trust in business has ebbed
and flowed over recent years but a
significant minority (circa 40%) of
those questioned by Ipsos MORI
believe companies are ‘not very’ or
‘not at all’ ethical in the way they
behave[1]. Responsibility and ownership
for addressing this lies with those who
sit in the boardroom. This is supported by
regulators in the way that they now monitor and review the
culture of organisations.
Internal Audit is a unique function within an organisation with
its independence and access to give assurance to those in the
boardroom. This can provide confidence that there is a strong
commitment to good conduct and that it is actually being
translated into everyday behaviours, but also, more importantly,
where it is not. To have this information allows the board an
opportunity to mitigate the risk of integrity failure.
Leaders need to send a message and show by example that
culture and values matter, demonstrating this by putting in
place all the necessary measures. I believe this report will
support boards and audit committees to help rebuild public
trust by making the best use of internal audit as they develop
their thinking around how to improve ethical conduct for the
benefit of customers, employees, all other stakeholders and
for business itself.
Philippa Foster Back CBE
Director
Institute of Business Ethics
June 2014
[1] https://www.ibe.org.uk/userassets/briefings/attitudes10yr2013.pdf
Contents
3 Introduction
4 Executive Summary
6 A. Organisational culture and strategy
7 B. Harnessing internal audit to support boards in relation to organisational culture – the enablers and the challenges
9 C. Approaches to auditing culture
13 Appendix A
Introduction
Following a series of scandals,
fundamental changes in organisational
culture are being called for across
sectors including media, food, retail,
health and banking. A series of
inquiries into culture and ethics all
point to the need to change culture in
order to restore trust across the private
and public sectors and new standards bodies
have been set up to improve behaviours.
Boards and senior management have the prime responsibility
for defining and analysing organisational culture by promoting
their ethics and values and the behaviours these require across
their organisations.
As organisations come under increasing pressure
to demonstrate their commitment to improving standards
of behaviour, internal audit can be a key player in giving
confidence to boards that measures put in place to change
culture and thus behaviour are actually working, and that the
tone at the top is reflected at all levels.
Auditing indicators of culture is complex. Culture itself is an
amorphous concept. Internal auditors need to be comfortable
in their understanding of culture and risk culture before starting
to audit the indicators. There are many models that look at the
components of organisational culture. It is, however, dangerous
to reduce work on culture and behaviour into one set of
indicators based on a particular model. There is no one-size-fits-all solution to auditing culture as organisations can be very
different, even if they are producing the same or similar outputs.
What is clear is that cultural change does not happen overnight,
that this will be an increasingly important part of internal audit’s
work, and that internal audit is only starting out on what is set
to be a long climb.
We are grateful to all those heads of internal audit who shared
their experiences with us. We are also grateful to the panel
members, Ian Barlow and Philippa Foster Back, who advised us
on the report. We hope that this paper, along with our technical
guidance, is useful to the profession as it enters the debate
on the nature of what culture is and how it can be audited.
Dr Ian Peters
Chief Executive
Chartered Institute of Internal Auditors
June 2014
Culture and the role of internal audit – looking below the surface | Page 3
Executive Summary
“The problem is: complex organisations, like the NHS, mean there is no ‘one NHS’. There is a tangled undergrowth of subcultures that, even if they wanted to march in step, probably couldn’t hear the drum beat.”
Roy Lilley, Health Writer and Commentator[2]
• This report is important for the following reasons:
1 How organisations, and individuals within them,
behave has become a matter of public concern.
Poor organisational culture has been identified
as the root cause of scandals in the health,
financial and food sectors among others, and
many have been at great cost to individuals,
organisations and even countries. Boards and
internal audit need to focus on the risks that
culture presents.
2 Effective Internal Audit in the Financial Services
Sector, published by the Institute in July 2013,
recommends that internal audit should include
within its scope the risk and control culture
of the organisation and evaluate whether
the organisation is acting with integrity in its
dealings with customers and in its interaction
with relevant markets. This will require internal
audit to take on new tasks.
3 A dialogue is needed between heads of
internal audit (HIAs) and boards regarding the
importance of culture. In the Institute’s latest
annual Governance and Risk Report[3], ethics and
culture was one of the top three areas where
HIAs are planning to increase their resources.
Therefore boards and HIAs need to reach a
common view of the importance of culture and
the role internal audit can play in supporting
boards in this area.
• This report will be of value to boards, policy makers,
and regulators as well as HIAs. It shows how internal
audit can be harnessed more effectively to support
boards in the development of organisational
cultures that improve the management of risk and
the functioning of organisations more generally.
• The behaviour of employees at the front line,
such as sales staff, dealers or care workers, needs
to conform to the ethics and culture of their
organisation, and boards need to be assured that
the whole organisation is pulling in the same
direction. This is no easy task but internal audit can
support boards in providing this assurance.
• HIAs play a valuable role in assuring that
processes (such as performance management and
remuneration), actions (such as decision making)
and tone at the top are in line with the values,
ethics, risk appetite and policies of the organisation.
• Our HIAs are taking two main approaches to
auditing cultural indicators. The first approach is
to incorporate culture into each audit, through
techniques like root cause analysis, identifying why
issues occur and how they can be the drivers for
wrong behaviours, and then to join the dots across
individual audits. This takes them beyond focussing
on processes and controls and requires them to
be comfortable with combining hard data with
gut feel. They also need to have a different type
of dialogue with the audit committee chair and/or
CEO, using more subjective judgements and
requiring enhanced communication skills. Some say
that this is what any good internal audit has been
doing all along but only now is it being badged as
culture. Others see this as a new departure.
[2] NHSmanagers.net Roy Lilley blog Climate Change, 27 February 2014
[3] Governance and Risk Report, IIA, October 2013
• The second approach is auditing cultural indicators
across the organisation through auditing personal
behaviours as a proxy for culture. Here the key
question for internal audit is how best to gather
evidence to show that culture and values are
at the heart of every business decision and are
being incorporated, for example, at every level in
recruitment, training, performance management
and reward arrangements. This approach is less
common, but, over time, may be adopted more
widely in addition to the first approach if deemed
helpful to the organisation and its circumstances.
The final section of this report outlines the
approaches that organisations are taking as they
start on the journey of auditing culture. We are
not endorsing these in any way but showing
members of the profession how they may be able
to audit the indicators of culture if they are starting
with a blank sheet of paper. We would reiterate,
however, that these are merely suggested starting
points as there is no one right way to do it.
Scope and structure
This report has three sections:
A. Organisational culture and strategy.
B. Harnessing internal audit to support boards in
relation to organisational culture – the enablers and
the challenges.
C. The summary results of our example organisations
which have started to audit culture – we
interviewed eight organisations with a range of
approaches to auditing culture to draw some
insights and conclusions on current practice. (The
detailed examples can be found in our technical
guidance note[4]).
In addition there is an appendix outlining recent
developments in two sectors – health and financial
services – where failures have led to new approaches to
organisational culture.
The Institute is also providing its members with
technical guidance containing examples to help equip
internal audit to play a bigger role in the assessment
of organisational culture which can in turn help to
inform boards and regulators to determine how well an
organisation is managing culture. This guidance will be
made available to non-members for a charge.
[4] http://www.iia.org.uk/resources/values-and-ethics/culture-and-the-role-of-internal-audit/
A. Organisational culture and strategy
Culture and risk culture
There is no clear-cut agreement on the definition
of organisational culture but it is commonly
interpreted as “the way we do things around here”[5].
Professor Gerry Johnson, author of the cultural
web, refers to organisational culture as “the taken-for-granted assumptions and behaviours that
make sense of people’s organisational context and
therefore contributes to how groups of people
respond and behave in relation to issues they
face”. He goes on to say that, as a result, culture
has important influences on the development
and change of organisational strategy[6]. In other
words, culture binds strategy to outcomes.
Risk culture is a term describing the values, beliefs,
knowledge and understanding about risk shared by a
group of people with a common purpose, in particular
the employees of an organisation or of teams or groups
within an organisation[9].
All organisations need to take risks to achieve their
objectives. The prevailing risk culture within an
organisation will significantly affect its ability to
manage these risks. Inappropriate risk cultures will
lead to activities that are totally misaligned with stated
policies and procedures or operate completely outside
these policies. At best this will hamper the achievement
of strategic, tactical and operational goals. At worst it
will lead to serious reputational and financial damage.
Professor Sir Ian Kennedy encapsulated the
interrelationship between culture and an organisation’s
values: “When I talk of the culture of an organisation,
I refer to its values and how these values are translated
into everyday actions”[7]. This is a theme we hear again
and again in all sectors. However it is the gap between
the stated values and how they are translated into
actions that is of critical importance as the stated values
can often be aspirational rather than descriptions
of the current values the organisation lives by.
The London School of Economics (LSE) Centre for
Analysis of Risk and Regulation (CARR)[10] asserts that risk
culture is not separate from culture in general. It is
rather a specific kind of framing of the culture problem,
allowing general concerns about culture to focus on
risk-taking and risk control activities. Indeed there is an
interrelationship between the two in that culture both
determines and is influenced by risk culture. The report’s
authors suggest that rather than ask what risk culture
is, it is better to ask about its components – instincts,
attitudes, habits and behaviours, what influences them
and how they can be managed and reported on.
“Poor standards in banking are not the consequence of absent or deficient company value statements…They are, at least in part, a reflection of the flagrant disregard for the numerous sensible codes that already existed.”
Parliamentary Commission on Banking Standards[8]

The graph below shows the prevalence of the use of the term ‘risk culture’. It shows an exponential growth in the use of the term by practitioners since 2008[11]; around the same time as the global financial crisis kicked off. The report’s authors said that they see this exponential increase in the use of the term as being a symptom of the desire to reconnect risk-taking with “a new moral narrative of organisational purpose”.

[Figure: Risk culture searches – number of hits obtained per year, 2000 to 2011]
[5] Corporate Cultures: the Rites and Rituals of Corporate Life, Deal and Kennedy, 1982
[6] Exploring Strategy, Johnson et al, 2014 (10th ed)
[7] Kennedy Review of the Response of Heart of England NHS Foundation Trust to Concerns about Mr Ian Paterson’s Surgical Practice, December 2013
[8] Changing banking for good, Parliamentary Commission on Banking Standards, June 2013 para 754
[9] Under the Microscope – Guidance for Boards, Institute of Risk Management, 2012
[10] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
[11] Adapted from graph on p.12, Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
B. Harnessing internal audit to support
boards in relation to organisational culture
– the enablers and the challenges
Organisations are usually, but not necessarily, prompted
to pay close attention to their culture, and often to try
and change it, by regulatory forces or corporate
mishaps. This then usually helps gain buy-in
from the top, which is a critical factor in the success
of auditing culture. But sometimes this appetite from
the top is driven from within and does not stem
directly from any external pressures. For example it
may result from an enlightened, forward-thinking CEO
and his/her senior management team who want to
prevent a failure of culture and its negative impact on
organisational outcomes.
We spoke to organisations in a range of sectors about
their approaches to auditing culture. We discovered
some common themes emerging around the enablers
and challenges. We found that some aspects of
auditing culture are already business as usual for
internal audit and they just need to look at existing
audits through a cultural lens. Those HIAs consider
that this is an area they have been auditing implicitly
all along. However, findings from research[12] we carried
out on what HIAs were doing within their organisations
to meet the recommendations of the Financial Services
Code revealed that auditing culture is the most difficult
area of the code; and that just over one-third (34%)
of HIAs say this will pose significant challenges.
Most of the organisations we spoke to incorporate
cultural aspects into their standard audit assignments
and were not persuaded of the value of auditing
culture more widely. This may be because auditing
culture as a separate issue across a whole organisation
is a massive undertaking which internal audit, in many
organisations, is unlikely to have the time, skills and
resources to dedicate itself to. Key stakeholders may
also perceive it as not being internal audit’s job and
therefore the HIA is less likely to get traction and be
able successfully to carry out such an audit. Examples
of models – the cultural web, the McKinsey 7S model,
and the Burke-Litwin model – internal audit can use
as a framework for incorporating cultural aspects
into audits can be found in the Institute’s technical
guidance[4] on auditing culture.
The enablers and challenges in auditing culture are
summarised below and are drawn from the examples
in section C.
Enablers – crucial foundations necessary
for the audit of culture:
• Organisational culture needs to have been analysed,
properly defined and disseminated by the board/
senior management i.e. what is required behaviour
in the organisation has been made explicit.
• Appetite from the top of the organisation.
• Internal audit being given a clear mandate.
• Writing the mandate into the audit charter.
• A relationship of trust between the audit
committee chair and the HIA that allows informal
discussion about subjective judgements (gut feel)
on culture.
• Position, treatment and regard for internal audit,
and non-adversarial relationships with their clients.
• The ability for clients to report or respond to
surveys confidentially.
• A good level of risk maturity in the organisation.
[12] Chartered Institute of Internal Auditors, “Embedding effective internal audit in the financial services sector”, IIA, April 2014
Challenges in auditing culture:
• Organisational culture is often underpinned by how a statement of values is translated into concrete actions, so the key question for internal audit is how to gather evidence and demonstrate that this is the case and that the values are being lived at every level.
• Limitations of surveys and interviews. Researchers at LSE’s Centre for Analysis of Risk and Regulation (CARR)[13] asserted that while risk culture may be tracked and measured in visible ways, the very instruments which exist to do this e.g. staff surveys, provide only indirect observations of behaviour at best. Another potential pitfall of employee surveys is that they provide an internal perspective which on its own is not sufficient and may actually be skewed if not underpinned by a culture of being able to speak openly and honestly.
• Skills and training:
  – For internal audit to move into this space it needs to upskill in more qualitative methods such as surveys and interviews, or co-source in this area. Surveys need to be properly constructed, administered, analysed and interpreted to identify weaknesses.
  – The use of gut feel plays a part in the audit of culture and this is likely to take many internal auditors out of their comfort zone as they are used to reporting on hard facts. They need to join the dots and combine the evidence on hard facts and gut feel when assessing cultural aspects to obtain a picture of the underlying assumptions. HIAs will need to combine both quantitative and qualitative methods to gather evidence as the basis of their audits. They will need to make much more use of root cause analysis i.e. if a problem is found, they need to ask, “Why was that?” and keep drilling down until they can go no further. This takes them beyond their usual methodology of focussing on processes and controls to looking at the underlying behaviours.
  – Can young and inexperienced auditors succeed in this realm? Is this an area that only experienced auditors can operate in as experience contributes to competence?
• Reporting. The internal audit team needs to develop and report results in partnership with those accountable and use appropriate means of reporting either orally or in writing. According to the IIA Global Research Foundation[14] there are two main reasons why cultural weaknesses are often reported orally rather than in writing:
  – Managers may agree with the weaknesses orally but get defensive and take it personally when they see them written in an audit report. This in turn may make it more difficult to evaluate cultural aspects in this unit in the future.
  – It can be difficult to express the weakness in writing and therefore may be open to misinterpretation which could lead to superiors unfairly thinking less of the manager in question.
  This reporting problem was highlighted in a recent report by the LSE[15] where they found that risk culture poses some unique problems of documentation in trying to make soft factors visible and measurable. They said that evidence and metrics lie at the heart of the complexity of making assessments about culture. They added that the paradox here is that one organisation may have a ‘worse’ risk culture than another but is better able to document what they are doing, thus appearing ‘stronger’.
• Internal audit is part of the culture itself. Despite ostensibly being independent and objective, internal audit, without realising it, may have adopted the same cultural values and ethics as the rest of the organisation. This raises the issue of credibility and whether, if it is part of the culture itself, internal audit can effectively audit it.
  – Senior internal auditors will require new communication and relationship skills to enable them to conduct more subjective and informal discussions with NEDs and executives about cultural issues.
[13] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
[14] IIA Global Research Foundation, Best Practices: Evaluating the Corporate Culture, February 2010.
[15] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013.
C. Approaches to auditing culture
This section outlines a range of approaches organisations are taking as they start on the journey of auditing culture.
We are not endorsing these in any way but showing members of the profession how they may be able to audit the
indicators of culture if they are starting with a blank sheet of paper. We would reiterate, however, that these are
merely suggested starting points as there is no one right way to do it.
Barclays
“Internal audit will both integrate culture as part of every audit and conduct thematic reviews of our individual audit reports and assessments of business areas.”

Through assessing the culture, internal audit will look to answer:
• How to demonstrate that outcomes are desired and as expected.
• Is the tone at the top right? Is it being lived?
• Are the values being disseminated and adopted in all stages of the employee life cycle?

Integrating culture as part of every audit
Here they will look at systems and processes as usual but will also examine if there is a good underpinning risk culture. Root cause analysis will form the basis of the audits i.e. they will look at whether there is a cultural driver to any issues that arise. They will consider whether a certain behaviour or set of behaviours caused an issue. This focus on underpinning behaviours takes them beyond their usual methodology of focussing on processes and controls.

Thematic reviews
This approach helps internal audit to assess how well the Barclays values are lived across the organisation and to what extent colleagues are operating in line with these values. To make such an assessment they will look at a wide range of information, for example, HR grievance data, whistleblowing activity, complaints, cultural surveys, and mystery shopping. They will also conduct interviews against a structured framework (organisational psychologists have been brought in to advise on devising the interview questions). The indicators they are looking at are broadly similar to the ones set out by the Financial Stability Board i.e. tone from the top; accountability; effective challenge; and incentives.
Aberdeen Asset Management
Aberdeen Asset Management look at culture across the organisation, as well as considering culture as part of individual audits within the audit universe, the latter being separately reported on in each individual audit.

The overall audit of culture
As with any audit, they have designed specific audit tests – drawing where they could from management information available to or used by management, but also using their experience of past audit issues/themes and gut feel. Following the performance of these tests they have facilitated workshops with the executive and non-executive teams.
With the executives they debated root causes of the issues. For example, they looked at HR structures and reporting lines, finding that the business had grown but the organisation chart had not evolved sufficiently – a few people ending up with over 20 reporting lines.
Alongside specific testing of culture/behaviour levers, cultural or behavioural root causes behind issues will also be assessed (the same approach as for individual audits).
The deputy CEO was made the owner of the finalised action plan for auditing culture which comprises 12 actions. These 12 actions will be reported on at every audit committee meeting. One of the main actions was for HR to create enhanced appraisals with a clear link to reward, so that the values framework was translated into job descriptions and objectives. Internal audit identified these as key tools for influencing behaviour.

Integrating culture as part of every audit
As well as the overall audit, culture will be considered as part of other individual audits within the audit universe and will be separately reported on in each individual audit. The risk assessment of the audit universe will include a cultural heading and a judgement will be made. They are currently developing the criteria to be used as part of this assessment but recognise it will need to include hard fact and gut feel, again ensuring they utilise their experience and knowledge of the organisation.
Mersey Internal Audit Agency
The nature of internal audit in the health sector has changed following the various public inquiries and NHS-wide reviews e.g. Mid Staffordshire (Francis) Public Inquiry, the Keogh Review etc.
A concern which was raised in the Keogh Review of 14 Trusts with persistent outliers on mortality statistics was a significant disconnect between what boards identified as key risks and issues within the organisation and what was happening in wards and departments. The internal audit team at the Mersey Internal Audit Agency has therefore piloted a survey to assess this disconnect between board and ward level staff in relation to their perceptions around the five theme areas highlighted in the Keogh Review – patient experience; safety; workforce; clinical and operational effectiveness; and governance and leadership.
A lot of their audit work will include aspects of culture but they have not undertaken audit assignments where that is the primary or single focus. For example, when auditing complaints they will be forming a view on openness and transparency as part of their work. Internal audit would also look at how the Trust has changed how they deal with complaints post-Francis including how issues are escalated to the board and how the board is engaged through, for example, the use of patient stories. Internal audit asks and looks for evidence to show what the board does in response to complaints handling.
Internal audit looks at an array of targets and indicators such as staff surveys, patient surveys, ‘never events’, ‘serious untoward incidents’ etc., but now does increasing amounts of work around what outcomes the board wants from those. They also look at rotas and staff records etc. to build up a picture through joining the dots. Whistleblowing can be a useful area of evidence when coming to judgements around culture but they are cautious as it can often be mixed up with grievances.
The auditor now reports on their views on observed behaviour that impacts upon the patient experience. This type of evidence needs careful interpretation but they do now mention this in reports and would not have done before.

Old Mutual Group
The organisation is focused on understanding its culture and driving positive actions. In the last few years HR has administered a Barrett Survey (a cultural transformation methodology devised by Richard Barrett) annually to do a values-based assessment. The results are shared with internal audit. Internal audit use the results of the survey as a basis for understanding the business units they audit.
In early 2014, the HIA and chief risk officer developed 50 criteria, based on areas the regulator focuses on, to evaluate the risk and control culture of each business in the group. The criteria are assessed subjectively by both of them.
It is about making an ‘educated judgement’ on a variety of factors that build up to an overall picture. This is not as straightforward as auditing hard controls as the HIA needs to become much more comfortable with shades of grey rather than black or white.
This assessment will be made every 6-12 months. The scores they give are based on judgements on what they see and observe, and they challenge each other to come to a consensus. They then explain how they came up with these scores with the leaders of each business unit.
These scores, along with the more detailed data mentioned above and information from the risk world, are consolidated by business unit and are then shared with the audit committee, the remuneration committee and the risk committee.
“What works for one organisation may not necessarily fit another organisation.”
TUI Travel plc
Ultimately the culture of an organisation reflects the
risk appetite and effectiveness of its board. It must
provide a clear tone at the top and then ensure an
effective system of control to enforce it.
Internal audit is a part of that system of control
and has the opportunity to play an active role in
helping ‘the tone at the top’ permeate ‘the mood
in the middle’. However to be successful internal
audit often needs to undergo a cultural change
of its own. To be trusted as an honest agent
supporting the board (driving its agenda) and also
line management (representing it fairly) it needs to
develop its methodology and people.
Internal audit methodology should be refined to
support the relationship it’s seeking to have with
the organisation and, for this to work, it needs
to have the right people with the right skills –
competent, compassionate, commercial and,
occasionally, courageous.
Refinements to the internal audit methodology at
TUI Travel include:
Engagement: At the outset of each audit, internal
audit advises management that at the end of the
audit they will provide an engagement rating.
In effect management can choose that rating by
how they choose to interact with the audit team –
openly or defensively.
Context and Credit: Audit reports can cause
resentment amongst management. Internal
audit has developed standard mechanisms to
give ‘context where it’s useful and credit where
it’s deserved’. Knowing that the final report will
reflect the control environment fairly encourages
management to be open with internal audit about
the issues they’re facing.
Stakeholder feedback: Many internal audit functions allow management a written response on findings raised although they sometimes edit it for the sake of brevity and factual correctness. At TUI Travel internal audit offers management the opportunity to give unfettered feedback. Management’s ratings and comments are reported in full to the audit committee on a quarterly basis. The response rates and the feedback given provide a good insight into the prevailing culture.

Performance reporting: Internal audit provides a number of performance reports which help build a picture of the engagement and effectiveness of individual managing directors. These include:

• The timely closure of corrective actions (showing the performance on a rolling four quarters basis and highlighting best and worst performers).
• The appropriate authorisation of date extension requests (showing that all requests have been submitted to the CFO).
• The number of repeat requests (showing the number of times dates are changed, with more than twice indicating issues of commitment and/or competence).
• Compare and Contrast reports (showing the results of the same audit performed in different businesses).
• The Risk Management Engagement & Effectiveness Grid (showing the performance of each Managing Director relative to their peers).
• Hit Rate & Root Cause Analysis (showing, for common control weaknesses, how many times the control was tested, how often it failed, how badly it failed and why it failed).

Staff surveys: Internal audit has also added questions to the annual staff survey that provide a heat map of good culture/poor culture across the group.

Lloyd’s of London

Internal audit has always had informal conversations about cultural aspects when auditing but it is writing it down which makes it a challenge. They have always audited people, process and technology. It is usually the people risk that causes issues. Within this they have assessed the ability of the people to do the job but have only raised this by exception and orally. Now it is built into the scope of every single audit. The initial challenges were around how to evidence it.

From Q1 2013, a Big 4 firm has administered a confidential annual people and risk survey containing about 70 questions. Internal audit use the survey to pinpoint what is not right and to identify where to conduct reviews. They will also assess the actions stemming from the survey results to see what has and hasn’t been implemented.

There is considerable use of co-sourcing in the organisation so the Big 4 have the combination of technical and people skills to audit cultural aspects. If the internal team make the assessment then it has to be by more experienced/senior internal audit staff, who have seen enough go wrong, to make a more credible judgement.
BAE Systems

The way that audit is viewed in the company is that the business is comfortable with it. The board, audit committee, corporate responsibility committee and senior management recognise and support the role of internal audit in auditing cultural issues. This, along with the company’s level of maturity in assessing risk and other helpful foundations such as the audit charter (where responsible behaviour and non-financial risk are explicitly picked up), makes it easier to conduct these audits.

The majority of audits comment on cultural issues, and for each audit there is a cultural checklist which prompts audit managers to consider the ethical behaviour elements in their audits. They also try to dig beneath the surface of what they are being told by using a wider sample base than was the case previously and looking more deeply into any matters arising.

Internal audit reports to the corporate responsibility committee as well as to the audit committee. A lot of the confidence the internal audit team has in making judgements on cultural/ethical issues in their audits stems from the support these committees give, particularly when subjective judgements are being made. The committees want to hear the views of internal audit, knowing they may not be based on a wholly solid evidence base. The team is trusted to be responsible by all concerned. Confidence builds with time and experience. Not all comments on cultural issues will lead to a recommendation; they may just be observations.

3i plc

Culture is inseparable from much of the day-to-day work that audit does. Operational risk is about people, processes and systems so you cannot ignore behaviours and cultures in the audits that you do. The audit function has always taken these people aspects into account but has done so with increasing transparency, for example by recognising them as part of the control assessment ratings used for audit reporting.

The HIA would recommend that every audit team looks at what they are currently doing and for ways to make the assessment of culture and behaviours more explicit in terms of outcomes and reporting. This can be done in an incremental way without the need for a ‘big bang’ approach.

Making these aspects more explicit does not necessarily mean communicating everything in writing. Some areas may need to be handled more sensitively and possibly reported orally. One should exercise careful judgement in what is committed to a written report.

Standard audit reports provide an overall opinion on the management of the business unit. As part of the rating system, they take into account a number of factors such as management’s ownership of risk, attitude to control, response to previous audit findings and degrees of respect accorded to internal audit.

When internal audit report to the audit committee they look at outputs from various audits to report on themes and trends. Taking account of culture and attitudes is integral to this work. The end of year ‘state of the nation’ style report also provides high level comments on areas such as the ‘tone at the top’.
Appendix A

Sectoral differences

Culture can be at the root of problems in any organisation in any sector. In the UK, however, there are two sectors in particular – financial services and healthcare – where cultural crises have repeatedly come under the spotlight at a systemic level, and these sectors have been the subject of numerous public inquiries and commissions in the last decade. Therefore, we will expand on the policy and regulatory developments in these sectors as they, more than most, have been buffeted by huge change.

All this disruption has created a rare opportunity to transform the culture at every level in these sectors. These developments in turn have created a need for internal audit to support boards in monitoring and assessing the success of cultural change programmes.

Financial services

“We need a financial system for the 21st century. What do I mean by that?... where culture is taken as seriously as capital, and where the ethos is to serve rather than rule the real economy.”
Christine Lagarde, Managing Director, International Monetary Fund [16]

Ethical behaviour programmes

A number of global financial institutions have launched high-profile programmes focussing on ethical behaviour. For instance, all 98,000 employees of Deutsche Bank, about 13,000 senior bankers at Goldman Sachs, and Barclays’ 140,000 staff have been or are being taken through programmes aimed at reinforcing codes, values, behaviour and a strong, positive corporate culture. However, a survey by the Economist Intelligence Unit [18] of 392 financial services executives found that while large majorities agree that ethical conduct is just as important as financial success at their firm, 53% also say that strict adherence to such codes would make career progression difficult. Furthermore, the Chief Executive of the Financial Conduct Authority (FCA) said [19] that even though the majority of big banks and firms have change programmes in place, he has serious concerns that economic recovery will mean that investor pressure for growth stock will push cultural questions to the back of mind.

A number of commentators have noted that training can only go so far. To encourage responsibility, the overall business context has to be right. In a Financial Times article [20], Dan Ostergaard, Managing Partner of Integrity By Design, a Swiss-based group that advises on culture change and ethical training, points out that if banks do not address organisational structure, including the whole process of recruitment, promotion, remuneration and how they take day-to-day business decisions, the ethical behaviour programmes could be “an expensive dog-and-pony show”.

The question about the financial services industry in particular is whether the organisations within it can shift their cultures to become more customer-centric. The Parliamentary Commission on Banking Standards [17] said that banking culture has neither a sense of duty to the customer nor any sense of collective responsibility to maintain the sector’s reputation.
[16] A New Multilateralism for the 21st Century: the Richard Dimbleby Lecture, February 2014
[17] Changing Banking for Good, Parliamentary Commission on Banking Standards, June 2013
[18] Economist Intelligence Unit, A crisis of culture – valuing ethics and knowledge in financial services, November 2013
[19] Ethics and Economics, Martin Wheatley, Financial Conduct Authority speech, 04 March 2014
[20] Bankers back in the classroom, Andrew Hill, Financial Times, 16 October 2013
Standards of behaviour – structure as well as culture

The Economist Intelligence Unit highlighted the need to address organisational structure as well as culture. It asserted that many of the financial institutions that fared well in the global economic crisis adhered to a partnership structure [21], suggesting that this structure is more effective at linking individual behaviour to corporate culture.

According to the economist and journalist, Tim Harford, incentives for deliberate wrongdoing are stronger in finance [22]. He says that even though surgeons, airline pilots and nuclear plant operators can and do make mistakes we can usually hope that they act in good faith. He thinks that no such hope exists in the financial system where “the systemic consequences of bending the rules can pop up far away from the perpetrators and long after the profits have been banked”.

Most banks had codes of conduct in existence well in advance of the onset of the financial crisis, and many of them also had corporate values on prominent display in their offices. Yet it would appear that the impact on their overall behaviour was negligible.

Philippa Foster Back, Director of the Institute of Business Ethics, was quoted in the Financial Times saying that leaders must remove what she calls the “say-do gap” and that good conduct, for instance, needs to be reflected in rewards and bonuses in order to give weight to the idea that culture and values do really matter [23]. The Parliamentary Commission on Banking Standards report [24] reiterated the importance of elements such as remuneration. It said, “Remuneration has incentivised misconduct and excessive risk-taking, reinforcing a culture where poor standards were often considered normal. Many bank staff have been paid too much for doing the wrong things, with bonuses awarded and paid before the long-term consequences become apparent. The potential rewards for fleeting short-term success have sometimes been huge, but the penalties for failure, often manifest only later, have been much smaller or negligible. Despite recent reforms, many of these problems persist.”

Regulatory and public policy developments in financial services

Proposals for a new organisation to raise banking standards

In May 2014, after consulting widely, Sir Richard Lambert outlined his plans for a new independent voluntary body – the Banking Standards Review Council – to raise standards in the banking industry. The body will be funded by banks, paying in proportion to their size. The main intention is for banks to publish information annually on how they treat customers. Good behaviour is to be judged from the customers’ perspective. It is hoped that the regular pressure on banks will not just raise the standards of the worst lenders but mean that the whole sector is propelled into improving year after year.

The report [25] says that the new body will require participating banks and building societies “to commit to a programme of continuous improvement under the headings of culture, competence and customer outcomes, and to report back on their performance to the public every year”. The metrics will, as far as possible, be drawn primarily from internal reports, staff surveys, and interviews, and would be intended to show whether the firm’s culture was enabling good behaviour. Under the heading of culture, the issues to be considered should include:

• the extent to which the code of conduct was understood by employees, and embedded into recruitment, induction, promotion and performance management;
• incentive structures;
• diversity; and
• the extent to which whistleblowing and other policies encouraged employees to raise concerns in the workplace.

On the latter point, our report on whistleblowing [26] highlighted the symbiotic relationship between whistleblowing and an organisation’s culture whereby effective whistleblowing arrangements are an important part of a healthy corporate culture, but the right organisational culture is also needed to encourage people to speak out without fear.

We would suggest that these issues, along with those suggested by the Financial Stability Board (FSB) outlined in the box below, should be part of internal audit’s remit when auditing culture. Examples of how these issues are considered by internal audit in practice can be found in our examples in section C.

[21] Economist Intelligence Unit, A crisis of culture – valuing ethics and knowledge in financial services, November 2013
[22] Adapt – why success always starts with failure, Tim Harford, 2012; p.209
[23] Bankers back in the classroom, Andrew Hill, Financial Times, 16 October 2013
[24] Changing banking for good, Parliamentary Commission on Banking Standards, June 2013, summary
[25] Banking Standards Review, Richard Lambert, May 2014
[26] IIA, Whistleblowing and Corporate Governance, January 2014
Regulatory proposals for supervising financial institutions on risk culture

In April 2014, the FSB published its guidance on supervising financial institutions on risk culture. It recommends supervising the following elements:

• Tone from the top: The board and senior management are the starting point for setting the financial institution’s core values and expectations for the risk culture of the institution, and their behaviour must reflect the values being espoused. A key value that should be espoused is the expectation that staff act with integrity (doing the right thing) and promptly escalate observed non-compliance within or outside the organisation (no surprises approach). The leadership of the institution promotes, monitors, and assesses the risk culture of the financial institution; considers the impact of culture on safety and soundness; and makes changes where necessary.
• Accountability: Relevant employees at all levels understand the core values of the institution and its approach to risk, are capable of performing their prescribed roles, and are aware that they are held accountable for their actions in relation to the institution’s risk-taking behaviour. Staff acceptance of risk-related goals and related values is essential.
• Effective communication and challenge: A sound risk culture promotes an environment of open communication and effective challenge in which decision-making processes encourage a range of views; allow for testing of current practices; stimulate a positive, critical attitude among employees; and promote an environment of open and constructive engagement.
• Incentives: Performance and talent management encourage and reinforce maintenance of the financial institution’s desired risk management behaviour. Financial and non-financial incentives support the core values and risk culture at all levels of the institution.

Source: Financial Stability Board, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture – A Framework for Assessing Risk Culture, April 2014

It is worth noting that in its response to the FSB’s consultation, IIA Global said that they felt the consultation document was written with a slant towards risk avoidance. They added that, “risk culture should be about creating an environment where undertaking risk on behalf of the institution is done consistent with the management of risk within tolerance levels approved by the board and senior management”. This point has been echoed by Professor Mike Power, LSE, who believes that we need to ensure that the risk culture debate does not result in an organisation becoming more risk averse [27].

The FCA has challenged financial services to change their culture with a dedicated and persistent focus.

“We expect firms to have a culture that places customers and market integrity at the heart of their business. Culture is evidenced through the way firms conduct their business, what firms expect of staff, and their attitude towards customers. It is for firms to determine what culture is appropriate for them and to demonstrate that culture from the top down.”
Source: FCA, Tackling serious failings in firms: a response to the Special Measures proposal of the Parliamentary Commission on Banking Standards, June 2014

[27] Centre for Analysis of Risk and Regulation, London School of Economics, Risk Culture in Financial Organisations, Mike Power, Simon Ashby, Tommaso Palermo, November 2013
In a speech to the Chartered Financial Analysts Society, Clive Adamson, Director of Supervision at the FCA [28], explained the areas to be monitored as follows:

1. Tone at the top

Tone at the top refers to the atmosphere created by the leaders of the organisation. Whatever tone the board and senior executive set, it will have a trickle-down effect on managers and employees. For example, if the tone upholds ethical behaviour and fair customer treatment, employees will be more inclined to adopt the same values. However, if the organisation’s leaders are solely concerned with the bottom line, employees will be more prone to take bigger risks to earn more profit, with little or no regard to customers. This means tone at the top is not simply about what you say in your mission statement and sales literature; it’s about actions or lack of actions. In short, people will generally mirror the actions of their leaders, what they notice their bosses are encouraging or accepting, as well as their reactions to events (which may include irritation or indifference). As such the whole way leaders conduct themselves will significantly impact organisational behaviour and culture.

2. Business practices

While the tone at the top goes a long way to clarifying expected attitudes and behaviours, these expectations have to find their way into everyday business practices and decision making, in particular driving the way unexpected problems and events are managed so that ‘the way things are done around here’ is applied when anything unusual happens as well as in normal routine circumstances.

3. Performance management and rewards

Positive behaviours can easily be undermined by performance management systems that only reward tangible outcomes, financial performance and profit. We have seen in financial services how high-risk incentive schemes drive sales staff to earn bonuses at the expense of customers and the organisation’s reputation. Performance management must therefore be balanced to reinforce corporate values, expectations and maintenance of the defined risk culture.

This extends beyond simple questions of rewards. It includes questions of who and what roles are valued or regarded to be in the ‘in crowd’, who is highlighted by the CEO and senior executives for doing a good job, who and what is mentioned in staff magazines, which managers get offered interesting development opportunities, as well as who gets promoted. Regulatory requirements for appropriate remuneration and incentive schemes that take a longer term view are likely to influence the organisation’s risk taking culture going forward.

The point here is that, although board members and senior executives may think that good advice is being given to customers and that complaints and issues are being handled in the right way, this may not be happening on the ground. This is why assurance over customer complaints handling is essential for providing significant insights into the culture of an organisation (i.e. taking an ‘outside in’ approach).

The Prudential Regulation Authority (PRA) for its part issued a Statement of Policy [29] which says that it expects firms to have a culture that supports their prudent management. The PRA does not have any ‘right culture’ in mind; rather it focuses on whether boards and management clearly understand the circumstances in which the firm’s viability would be under question, whether accepted orthodoxies are challenged, and whether action is taken to address risks on a timely basis. The PRA wants to be satisfied in particular that designated risk management and control functions carry real weight within firms.

[28] Clive Adamson, Director of Supervision at the FCA, speech to the Chartered Financial Analysts Society, April 2013
[29] The use of PRA powers to address serious failings in the culture of firms, Prudential Regulation Authority, June 2014
The PRA identifies serious failings in culture through its normal supervisory activity. These may include:

• Evidence of a poorly functioning board that fails to challenge executives or take a lead in consideration of conducting business in a safe and sound manner; which can include setting, articulating and embedding an appropriate culture in the firm, and drawing up clear policies and guidelines that are linked to staff objectives, training, evaluation and incentives.
• Evidence of weak control areas such as risk, compliance and internal audit that may indicate poor management, lack of resource, or insignificant representation at board level.
• Evidence of other weaknesses in board or senior management behaviour and influence on firm culture, including incentives and their adherence to the firm’s values.

Healthcare

The culture in financial services is aiming to become more client-centric. Similarly, the NHS is attempting to reorient its culture to become more patient-focused following a number of scandals and inquiries over the years ranging from Bristol to Mid Staffordshire. Professor Sir Ian Kennedy, author of numerous health-related public inquiries, told us: “The leaders need to create a set of values that need to be that of the service not of the professional group”. This sentiment was reiterated by Sir Robert Francis QC when announcing his findings and recommendations of the Mid Staffordshire Public Inquiry. He said that an institutional culture which put the “business of the system ahead of patients” was to blame for the failings surrounding the Trust.

Patient-focused healthcare and measuring culture

The growing interest in patient-focused healthcare in the NHS, especially in the wake of high-profile failures going back nearly as far as the inception of the health service, has underlined the need to measure and then change culture, especially in hospitals and care settings.

A key theme from the Mid Staffs seminars, which formed an important part of the Mid Staffordshire Public Inquiry [31], was that the prevailing culture in NHS Trusts has a strong influence on the quality of patient care and experience. It said that there is surprisingly little focus on measuring culture despite the significance attributed to it. The report highlighted that:

• Hospitals are complex organisations that often contain a multiplicity of cultures where some wards/services are at odds with the norms and behaviours expected; and
• Clinicians and managers may intuitively know that there is a problem in part of the organisation but lack evidence to pinpoint the nature of it because the Trust performance information may not highlight the problem areas.

On quality culture, Professor Sir Ian Kennedy said, “It is difficult to measure culture in healthcare. But it is possible through good use of data and interrogation of that data. Once measures are in place you have to decide the range of acceptable performance. Then you need to collect both qualitative and quantitative information to tell you if there are deviations”. But therein lies the difficulty. The ability to pick out the essential information from the blizzard of noise is key to getting more reliable indicators of what is going on.

Professor Sir Ian Kennedy relates culture to values, which is a theme we hear in all sectors. Perhaps unique to the NHS, he adds [30]:

“The culture of a hospital is ordinarily set by the Chief Executive and his senior team. Despite its significance in terms of its legal responsibility, the culture historically has rarely been laid down by the board… the board is the only real mechanism for holding the Executive to account” … “the history of things going wrong in the NHS is often a history of an Executive not being held properly and effectively to account”.

[30] Kennedy Review of the Response of Heart of England NHS Foundation Trust to Concerns about Mr Ian Paterson’s Surgical Practice, December 2013
[31] Mid Staffs Public Inquiry, Report from the forward look seminars, November 2011
Regulatory developments in healthcare

The Care Quality Commission (CQC), the independent regulator of all health and social care services in England, will assess leadership, culture and governance in their inspections from April 2014. The aim is to enable the CQC to identify the key leadership behaviours and values that should be assessed so that they can determine whether trusts have the appropriate leadership in place to ensure they are performing effectively and improving.

The Health Select Committee, in their most recent report on the CQC [32], urged them to develop the assessment to go beyond simply measuring board level governance practices and properly assess whether a culture of openness and challenge exists amongst front-line staff. The Committee said that assessing both the number of concerns raised by staff members and the way in which those concerns have been addressed would serve as a useful proxy by which the regulator can begin to measure the culture of an organisation.

Our example on the Mersey Internal Audit Agency shows how this directional change in regulation is having an impact on the way internal audit approaches its assessment of culture.

[32] Health Committee, Sixth Report 2013: accountability hearing with the Care Quality Commission, January 2014
About the Chartered Institute of Internal Auditors

First established in 1948, we obtained our Royal Charter in 2010. We are the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland.

We have over 8,000 members in all sectors of the economy including private companies, government departments, utilities, voluntary sector organisations, local authorities and public service organisations such as the National Health Service.

Members of the Chartered Institute of Internal Auditors are part of a global network of 180,000 members in 190 countries. All members across the globe work to the same International Standards and Code of Ethics.

Over 2,000 members of the Institute are Chartered Internal Auditors and have earned the designation CMIIA. 800 of our members hold the position of Head of Internal Audit and most FTSE 100 companies are represented amongst the Institute’s membership.

www.iia.org.uk

Chartered Institute of Internal Auditors
13 Abbeville Mews
88 Clapham Park Road
London SW4 7BX
tel 020 7498 0101
fax 020 7978 2492
email [email protected]

© July 2014