Studying this technical article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We'd suggest that you use this as a guide when allocating yourself CPD units.

Business leadership is looking to the audit function to assess not only tone and conduct at the top of the organisation, but also how and if those things are reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees.

Internal audit leaders have often had to adapt their practices and rethink their roles in their organisations to meet the challenges they and their teams face – from helping the business to navigate a financial crisis, to assessing the risk of new technologies.

Many internal audit leaders have started to recognise the importance of partnering with boards of directors and senior management to create greater transparency, establish sound corporate governance and better understand risk exposures. Today, many internal auditors serve as strategic advisers to the business – a role they fully embrace.

A fundamental shift toward collaborative working is required from any internal audit function. One can wonder if collaborative working would impact internal audit’s ability to be independent and objective. However, the reality shows that collaborative work environments foster trust which, in turn, helps to support a more effective audit process.

Core values

Nowadays, we find many internal auditors staring down yet another challenge that places them into unfamiliar and somewhat uncomfortable territory: auditing risk culture. Business leadership is looking to the audit function to assess not only tone and conduct at the top of the organisation, but also how and if those things are reflected throughout the business. They want to know if the company’s core values and strategic vision are understood and actively practiced by employees

For many of the organisations featured in Protiviti’s Internal Auditing Around the World® XIII, risk culture audits are new endeavours that are only at the planning or pilot stage. Senior management and boards are looking to internal audit leaders to help the business develop the right approach for, and get the most value from, these types of audits. The function has a clear opportunity to play a transformative role in responding to the needs of key stakeholders, particularly boards, who want assurance that the organisation is aware of and addressing all types of potential risk.

Strong risk culture

Weak organisational cultures in entities across the world’s financial system are widely considered to be one of the primary causes of the global financial crisis a decade ago. Perhaps as a result, maintaining a strong risk culture is an imperative for all major businesses today – as well as an expectation by their stakeholders, regulators and customers. Many of these organisations look squarely to their internal audit functions to provide assurance that their risk culture is indeed effective. 

Fulfilling this mandate requires internal auditors to tread carefully and adhere to a well-structured approach. The definition of internal auditing from The Institute of Internal Auditors (The IIA) sheds light on why:

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes."

Auditing risk culture seems to fall neatly under internal audit’s mandate to help the organisation improve the effectiveness of its risk management and governance. However, when considering other components of The IIA’s definition – namely, the word ‘objective’ – it becomes clear why an internal auditor would view auditing any aspect of the organisation’s culture as potentially problematic. The core concern is that, in reviewing and measuring an intangible thing like culture, the internal auditor would be at risk of making a subjective assessment of the state of that culture.

Defining culture

Culture is complex and different within every organisation. There are some guideposts available – for example, risk culture, as defined by the Risk Management Association (RMA) and Protiviti, is ‘the set of encouraged and acceptable behaviours, discussions, decisions and attitudes toward taking and managing risk within an institution.’ But even when defined, culture remains largely abstract.

Through our research for Volume XIII of Protiviti’s Internal Auditing Around the World®, we learned that the internal audit leaders in many of the organisations already auditing, or that intend to audit, their risk culture are taking great pains to create methodologies, frameworks and processes that can give structure to the abstract.

Some internal audit groups are taking incremental steps toward formalising an approach to assessing and monitoring risk culture. Some have modified their quarterly enterprise risk management dashboard to include a specific line for culture. Other internal audit departments look to their organisation’s guiding principles and core values – as well as its ‘tone at the top’ – to help give structure to their process for auditing culture.

Several of the leaders we interviewed said they recognised early the importance of examining and strengthening the culture within the internal audit function before moving to assess the culture elsewhere in the organisation.

The right approach takes time

A company’s culture may be abstract, but one thing is clear from an internal audit perspective: developing the right approach for auditing an organisation’s risk culture takes time and careful planning. And for any business, the value of undertaking this process is developing a better understanding of the cultural causes that create risk – in short, human behaviours. Ironically, it is the internal audit function – the objective eye of the organisation – that is uniquely qualified to bring a ‘systematic, disciplined approach’ to a potentially subjective process.

We hope that the profiles in Protiviti’s Internal Auditing Around the World provide valuable insight on how an organisation can approach auditing its risk culture. It is a new frontier for many internal auditors. But just like partnering effectively across the organisation and working in a collaborative environment, it is a challenge worth conquering.