posted 15th May 2024

It’s time that GRC professionals, regulators and Internal Audit recognised the importance of auditing culture and behaviour.
I am really happy that GRC professionals, regulators and Internal Audit have started to recognise the importance of “the soft stuff” when it comes to the effective management of risk and maintaining ethical conduct.
This was caused – in large part – by the recognition that many aspects of the financial crisis of 2007-2008 were caused by shortcomings in the bonus culture, and underestimation of the latent risks building up. In addition, there were mis-selling scandals highlighting poor conduct in sales, which did not put the customer first.
In the UK, the importance of culture and conduct in relation to Internal Audit has now been recognised in a code of practice for Internal Audit which says that Internal Audit should consider “the risk and control culture” and “the setting of, and adherence to, risk appetite” when making its plans. However, the definition of the key terms ‘culture,’ ‘sub-culture’ and ‘behaviour’ is not always so straightforward, and it’s very easy to come up with ‘so what’ observations. Based on my experience as a CAE, but also working in HR for several years, I offer some pointers to keeping internal audit work focused, with an eye on genuine value add that does not simply repeat what a good HR department might say.
You can read the rest of this article on the ACCA website