Internal auditors to step up on risk culture in organisations

Sydney: July 5, 2021: With the number of financial scandals and recent failures of governance across a range of sectors from casinos to mines, internal auditors will now have a practical guide for auditing risk culture to improve the risk management processes in organisations.

The Institute of Internal Auditors-Australia (IIA-Australia) today released a 40-page guide ‘Auditing risk culture – A practical guide’ to help internal auditors, senior management, board audit committees, and other assurance providers in all sectors of the economy.

The guide was authored by Macquarie University Professor Elizabeth Sheedy, Kiel Advisory Group Managing Director Elizabeth Arzadon, and QSuper’s Head of Internal Audit Regardt Du Preez.
IIA-Australia CEO Mr. Peter Jones said: “the guide will complement ASIC’s focus on culture from the perspective of its mandate as a conduct regulator, and APRA’s focus on risk culture as an element of governance and risk management frameworks, reflecting its prudential mandate”.

“While setting risk culture sits with an organisation’s board, and management has accountability for driving that risk culture throughout the organization, the internal auditor provides an objective and independent view of the governance processes around risk culture and reporting”.

“Internal audit is ideally placed to observe business practices within an organisation that shed light on actual as opposed to desired risk culture”, he said.
Mr. Jones said: “The guide provides a practical evidence-based approach to auditing risk culture and includes a robust model as an example to assist internal auditors, in not only the financial services sector, but in other sectors in the economy”.

The non-mandatory guide outlines ten practical steps, starting with a review of the current risk culture audit approach and the internal auditor’s role, to delivering an effective audit program, monitoring, and reviewing it. It provides internal auditors a ‘how-to’ approach to managing the risk culture audit process in small or large organisations.

“The guide is practical and contains a toolbox of risk culture audit techniques, which should be particularly helpful to small internal audit groups, but also to larger heavily resourced internal audit providers,” he said.

Professor Elizabeth Sheedy said “the guide was non-mandatory and contained an evidence-based risk culture audit method. The university has agreed to offer a free license to those organisations wishing to use the Macquarie University Risk Culture Scale internally for assessing their own risk culture. This will be a benefit to those wishing to adopt a more rigorous methodology for survey measures of risk culture”.Internal Audit Better Practice Guide for Financial Services in Australia