Evaluating the Risk and Control Culture
Two-Day Seminar Outline
What you will gain from this seminar:
 Understand the latest guidance on this emerging hot topic – how to apply it in the
real world
 Learn how 9 audit departments audit their organization’s risk culture
 Take away 15 proven tools and techniques for evaluating aspects of the risk culture
and 12 examples of audit report comments addressing cultural issues
 Apply what you learn to a fictitious company (“Farbest) in a series of exercises
 Share experiences with other attendees who are working to meet this challenge
Who should attend: senior auditors, audit managers and directors, CAE’s, CRO’s, risk
management personnel.
Why Evaluate the Risk Culture?
Risk culture is a growing concern for internal audit’s stakeholders
What our Standards and the real world say
Challenges, Potential Pitfalls, Keys to Success
Cultural trade-offs
Challenges: complexity and subjectivity of culture, resistance of key players, other
challenges
Keys to success
Executive workshop using a maturity model: Aquila, Inc.
Exercise: using a maturity model with the “Farbest” executive team
Focus Areas
Focus areas identified by the professional guidance and how these focus areas might
be assessed
Metrics that give perspective on the risk culture
A working inventory of soft controls and cultural attributes
Approaches to Auditing Risk Culture
Tips for scope, execution, reporting, and staffing
How nine audit departments – five in financial services, one each in healthcare,
manufacturing, travel, and public sector – are auditing culture
Other possible approaches
Overview of evaluation techniques being used today
Audit Project Evaluation Techniques
Key to success: participative auditing
Five essential principles for evaluating aspects of culture during audit projects
How three audit departments evaluate aspects of culture without formal tools:
 Alina Health
 Securian
 ING
Exercise: Using the organization’s values as audit standards
Bringing cultural issues into the risk assessment
Guidelines for evaluating risk culture during audit projects
Exercise: First audit of Farbest’s mortgage subsidiary
Three proven audit project surveys:
 University of Minnesota – short survey, results in every audit report
 Precision Drilling – short survey, results left with local management
 Lowes – survey developed for a specific audit, IT project management
Exercise: interpret and follow up on Farbest survey responses
Guidelines for developing and administering audit project surveys
Exercise: “connect the dots” to identify cultural issues from a series of Farbest
Mortgage audit projects
Entity-Wide Evaluation Techniques
Two structured interview guides:
 Anonymous – Management Interview Guide & Self-Assessment Tool
 Anonymous – Compliance review
Guidelines for entity-wide structured interviews
Four proven entity-wide surveys
 City of Austin – when HR is doing a cultural survey
 Ameritech – classic model
 Lennox – with very simple language
 Robeco – disciplined method for developing survey content
Exercise: Develop entity-wide survey questions
Exercise: interpret and follow up on Farbest entity-wide survey responses
Guidelines for developing, advising, and assessing entity-wide surveys
Advantages/disadvantages of each cultural evaluation technique
Reporting Cultural Issues
Key to success: participative reporting
Audit report techniques that lower the defensiveness of management
Audit rating systems that include “management awareness of risk”
Guidelines and keys to success
Audit report comments on cultural issues:
 Four excerpts from audit reports based on surveys
 Seven excerpts from a combination of techniques
 Entire report from a combination of techniques