The Chartered Institute of Internal Auditors (the UK affiliate of the global IIA) has issued a report, Culture and the Role of Internal Audit. I believe this merits reading not only by internal auditors, but by risk professionals and board members.
I am not going to disagree with the points made by the authors and their recommendations.
However, I think there are additional aspects that do not appear to have been included in the report:
- Culture is a very broad topic. The governance report referenced in the report relates to risk culture, but internal audit should also consider whether the culture of the organization is aligned with its values and moral code, as well as whether the culture drives desired teamwork, information-sharing, and so on. I would consider breaking any assessment of culture into one or more aspects of desired behavior.
- It is essential to start with a discussion with senior management on what they desire when it comes to culture and what they expect any audit assessment to find.
- My main diversion from the report is that I would retain a risk-based approach. Where and in what way would a failure in culture and individual and/or team actions create the highest risk to the organization? Let's audit there first.
- The more troubling issue for CAEs is when they see culture issues relating to the actions of individuals, especially those in leadership positions. These must be brought to the attention of executives and even the board when necessary, in terms of how they represent a risk to the organization and its success.
You might want to refer also to the Institute of Risk Management's report on risk culture (PDF).
What do you think? I know a number of people do not think internal audit should try to perform any assessment of culture. Do you? If so, perhaps you can share your views and experiences.