
      What role does Internal Audit play in assessing risk culture?

      Building and embedding desired organisational culture and values has never been so important, with many failures and corporate scandals directly resulting from poor culture and behaviours.

      A sound approach to assessing risk culture provides confidence as to the quality of desired behaviours, both for internal and external stakeholders.

      40 % believe their executive team are the main drivers for a focus on culture and behaviour

      50 % have not developed an approach to assess risk culture within their internal audit function



      A strategic approach to auditing risk culture

      To successfully embed risk culture assessments, internal audit must first consider 4 key elements.

      1. There is alignment between internal audit’s risk culture approach and assessment dimensions, and the overall cultural direction of the organisation.
      2. Stakeholders have been engaged and are supportive (including your Exec & HR).
      3. A consistent approach is undertaken when assessing each area of the business.
      4. Start with the end in mind: consider what we want to report, and to whom.


      Three steps to assessing risk culture

      Step 1 – Define your risk culture assessment strategy and approach

      • Agree, in consultation with management, HR, Risk, Exec and the Audit Committee, the risk culture dimensions to be assessed.
      • Clearly articulate the roles and responsibilities of risk culture assessment across the second and third lines of defence.
      • Define and agree the method/s and the extent to which risk culture assessments will be incorporated into your IA activities.
      • Communicate

      Step 2 – Embed your risk culture assessment approach

      • Agree the techniques and approaches to assess risk culture.
      • Incorporate your risk culture assessment approach into your Internal Audit methodology and tools.
      • Identify and address capability gaps within the team.
      • Decide how risk culture insights will be reported and presented per internal audit.

      Step 3 – Execute and monitor your risk culture approach

      • Deliver and report risk culture assessments via the agreed method.
      • Identify key learnings and reflect them in enhancements to the assessment approach.
      • Theme risk culture insights on an ongoing basis and present them to the Audit Committee, Risk and HR as appropriate.
      • Use risk culture insights to inform focus areas in next year’s IA plan.


      Download the factsheet

      Insights from a poll conducted during our Auditing Risk Culture webinar revealed that half of all respondents have not developed an approach to assess Risk Culture within their Internal Audit Function. For more information on the results of the survey, download the factsheet below.

      Assessing Risk Culture

      Auditing Risk Culture Webinar (August 2021) 

      KPMG Behavioural Risk experts work through the key insights and recommendations from IIA-Australia around assessing risk culture. 



      Get in touch

      Clare Power

      National Leader, Governance, Risk & Compliance Advisory

      KPMG Australia

      Maria Basil

      Partner, Behavioural Risk Advisory

      KPMG Australia


