Page 46 - iiA
embedding a risk-aware culture that permeates all levels of the organization. Modern IA functions are moving beyond the “three lines of defense” model into a more strategic partnership with senior leadership and the board. Internal audit can help “cultivate a risk-intelligent culture” by evaluating both the formal (e.g., policies, structures) and informal (e.g., behaviors, norms) dimensions of risk management. The IA functions are expected to deliver insights on governance, risk, ethics, and culture, leveraging both qualitative and data-driven methods.

Internal Audit’s expanded role includes:
• Assessing the effectiveness of risk management
• Identifying cultural weaknesses that could undermine risk practices
• Reinforcing risk appetite frameworks
• Driving behavioral change through engagement and education

Key Ways Internal Audit Embeds a Risk-Aware Culture

• Assessing the Tone at the Top and Middle

Culture starts with leadership. IA evaluates whether leaders consistently model the desired risk behaviors and effectively communicate expectations, not only at the top but also among middle management, where culture is often most deeply embedded.

• Evaluating Whistleblower Programs and Escalation Channels

A healthy risk culture encourages speaking up. IA evaluates whether whistleblower mechanisms are confidential, trusted, responsive, and well-utilized — often comparing usage data across departments or geographies.

• Embedding Risk into Operational Audits

IA integrates risk assessments into every audit engagement. This helps operational units connect business objectives with risk exposures, leading to more informed decision-making and better alignment with organizational goals.

• Partnering in Risk Awareness Training

IA collaborates with HR, risk, and compliance to deliver risk-awareness initiatives, such as scenario-based learning, workshops, and gamified training modules tailored to specific functions or risk themes.

• Driving Data-Driven Risk Culture Insights

IA increasingly uses data analytics to detect early warning signs of cultural or behavioral issues. Important indicators include:
  • Repeated policy overrides
  • Clusters of delayed approvals
  • Disproportionate exception handling
  • Gaps in mandatory training completion
  • Employee turnover trends in control functions

These insights enable IA to triangulate risk culture issues that may not be evident through interviews alone.

• Advising the Board on Culture Metrics

Boards and audit committees are demanding greater transparency into organizational culture. IA provides regular dashboards on:
  • Policy breaches and compliance failures
  • Whistleblower activity trends
  • Ethics survey results
43 INTERNAL AUDIT TODAY

