The involvement of internal auditors in audit activities related to risk culture

By employing an explanatory sequential mixed methods research design, this study is conducted in two phases. In Phase One, a quantitative method (survey) is used to investigate: (i) the extent of internal audit function (IAF) involvement in audit activities related to risk culture issues; and (ii) the factors associated with the extent of IAF involvement in risk culture assessment. In Phase Two, the qualitative method (interview) is used to investigate internal auditors’ experiences of operationalising risk culture audit. The survey data analysis of 217 internal auditors from 32 countries (most of them from Australia and the United Kingdom, hereafter, UK) suggests that IAFs are involved in audit activities related to risk culture issues. Assessment of root causes of risk issues is a key area of focus for participants, followed by an audit of conduct risk, assessing employees’ compliance with risk management strategies, and risk culture assessment. However, the participants are least involved in assessing the alignment of remunerations with the organisation’s risk management strategies, risk climate assessment, and assessment of the adequacy of authority and resources for employees to fulfil their duties congruently with risk management strategies. The extent of this involvement (the time spent on them) mainly falls within the visible layers of risk culture (i.e., artefacts and espoused values and norms). Specifically, IAFs in this study spent 10.13% of their work hours on risk culture assessment, 14.82% on conduct risk audit, and 16.28% on other audits related to risk culture issues. The results also suggest that audit activities related to risk culture issues enabled most of the participants’ IAFs to identify fraud risk factors, conduct risk factors, and root causes of risk management weaknesses. Nonetheless, the extent to which risk culture assessment enables IAFs to identify those three issues is significantly greater than other audit activities related to risk culture. The findings suggest that the extent of IAF involvement in risk culture assessment is associated with the outcomes-oriented organisational culture (OC), performance risk culture, enterprise risk management (ERM) maturity, IAF competency in risk culture assessment, lower level of IAF job autonomy, oversight by the audit committee (AC)/board of directors (hereafter, board) over IAF, and being in the financial industry. Furthermore, the extent of IAF involvement in risk culture assessment is indirectly associated (via mediation or moderation) with innovation-oriented OC, being in publicly traded/listed or privately held companies, organisation size, issuance of the sustainability report, IAF funding sufficiency, and IAF outsourcing/co-sourcing structure. Semi-structured interviews are conducted with 13 survey participants to deliver a greater substance to the survey data about IAF involvement in risk culture audit. Multiple interviewees indicated that their IAFs’ involvement in risk culture audit is voluntary. Some interview participants’ IAFs are involved in surface-level cultural risk assessments, while other participants’ IAFs perform a deep-dive risk culture audit. The findings indicate that the quality of IAF involvement in risk culture audit is promoted by IAF capabilities, IAF adopting the helper role, having risk culture audit mandated in the audit charter, and oversight by the AC/board of IAF’s risk culture audit. The results also suggest that the risk culture audit is vulnerable to false assurance risk, because subjective judgment is a key attribute in the risk culture evaluation. Despite this, the participants indicated positive implications of the risk culture audit for enhancing internal stakeholders’ knowledge about the organisation and its risk. Using a mixed methods research approach in this study enriches and extends the findings of prior studies to provide a comprehensive understanding of the various ways IAFs are currently involved in audit activities related to risk culture and how they differ from normative practices proposed by regulators, professional bodies and academics. The study enriches understanding of new roles that IAFs can perform to add value to organisations and meet the expectations of the AC/board and senior management. While this study contributes to the limited literature on the influence of OC on IAF activities, it is also one of the initial attempts to investigate key factors associated with the IAF’s increased involvement in risk culture assessment. Furthermore, this study contributes valuable knowledge to several stakeholders (e.g., organisations, the IIA, and regulators) by providing timely perspectives on IAFs’ response (and capacity to respond) to regulators’ increasing requirement for organisations to have a mechanism for overseeing risk culture issues.