How to Audit Diversity, Equity and Inclusion 

Diversity, equity and inclusion have been hot topics for some time now, and recent research leading to better understanding, greater general awareness and regulatory movement is prompting new practices in organisations. It is extremely important that internal audit is prepared and able to provide assurance in this area, which not only has regulatory implications but, more importantly, affects staff morale and ability, and therefore the performance of the organisation.

This guidance seeks to help internal auditors understand this complex landscape, and highlights risks, potential controls and key questions that internal auditors may wish to ask during internal audit engagements. It focuses on diversity, equity and inclusion relating to employees only.


What are diversity, equity, and inclusion?

Diversity is generally understood to mean the breadth of knowledge, experience and characteristics which bring representation. Diversity in an organisation encompasses employing, engaging and serving a diverse group of people that is reflective of the society in which the organisation exists and operates.

There is diversity wherever there are two or more people. As humans we are all different from each other, and these differences include gender, family background, educational background, marital status, age and socio-economic background. Diversity is about recognising that there are different views and opinions, generated from the wealth of differences that exist across the population.

Equity is centred on the right of everyone to be treated equally, but also, more recently, on a recognition that it is about equality of opportunity. Treating everyone the same does not result in the same outcome. For example, allowing everyone to watch a football game from behind a 5-foot-high fence could be seen as equal treatment, but if one person is too short to see over the fence, then they do not have an equal opportunity. By providing them with a platform to stand on to see over the fence, a reasonable adjustment is made for the individual to give them equity of opportunity.

Inclusion is the practice of ensuring that everyone, from all backgrounds and with all characteristics, is included and able to participate in activities and tasks and, above all, that there is no discrimination. The Chartered Institute of Personnel and Development (CIPD) defines inclusion as “where people’s differences are valued and used to enable everyone to thrive at work”. Inclusion is a collective and respectful organisation/environment that encourages the participation and contribution of all. It embraces organisational effort and practices in which individuals or groups from different backgrounds are culturally and socially accepted, equally treated and welcomed.

It is the three together, diversity, equity and inclusion, that lead to equality. Organisations often refer to them collectively as DEI, as this guidance will also.


The Legislation, Regulation and Requirements

Diversity, equity and inclusion do not appear in isolation in regulation in the UK or Ireland; multiple pieces of regulation are at play. The Equality Act 2010 is at the heart of the legislation in this area and promotes the fair and equal treatment of all. Northern Ireland has a similar approach, as does Ireland. Following devolution in the UK, there were changes and clarifications made:

In addition, the Public Sector Equality Duty (PSED) came into effect on 5 April 2011, and is a legal duty created under the Equality Act 2010. It is a way of ensuring public sector organisations take account of equality in their day-to-day work as well as considering the impact of policies and procedures on people who share protected characteristics. There are also reporting requirements for public sector bodies (which includes regulators such as the FCA, central and local government, police and NHS) and compliance with these is a sensible area for internal audit work.

Other Acts are connected to DEI, in particular in the areas of discrimination, and the regional regulation referred to above also reflects these.

Employment law also features here, for example the Modern Slavery Act and Gender Pay Gap Reporting, as does case law, which regularly provides insight into the application of DEI in the workplace.

In addition, the Human Rights Act sets out the rights and freedoms that everyone in the UK is entitled to and links to the European Convention on Human Rights. Both detail Articles, including the Prohibition of Discrimination, which apply to everyone – with no exceptions. Therefore, while it does not discuss or explicitly promote the benefits and need for diversity, it does explain requirements in relation to equity and supports inclusion. 

The Irish Government published a DEI Strategy in March 2022, and several UK Ministries have done the same, for example the Competition and Markets Authority in 2020, and the Financial Conduct Authority, last updated in 2024. These examples not only look at how those organisations meet the DEI related regulations themselves, but also how they can support the DEI interests of the general public as a regulator of organisations. 

Some regulators also call out internal audit as having a specific role in relation to DEI, for example the Prudential Regulatory Authority (PRA) and the Lloyds Market

Keeping pace with changes

In the 24 months before this guidance was written, more has been issued, either in final form or as a consultation. Key examples are:

There is more to come too. For example, the Labour manifesto referenced enacting the socio-economic duty of the Equality Act. This doesn’t mean that socio-economic background will become a protected characteristic, but that public bodies need to consider the impact of decisions on socio-economic inequities (already in place in Wales and Scotland). If this comes in, public bodies may decide to apply this to their suppliers as well.

Internal auditors need to stay up to date on DEI.

What is clear is that the regulation and best practices around DEI are ever changing. Therefore, it is important that not only are internal auditors up to date when providing assurance in this area, but that they also look at how the organisation is keeping itself up to date and then changing policies and practices to meet the moving expectations and requirements. 

To help understand the practicalities of DEI in the workplace, CIPD has many resources which organisations and internal auditors can use to understand what good looks like in DEI. These cover a range of topics, including the protected characteristics and ways to enable equity and inclusion, as well as the legal obligations.


The Assurance Approach


How DEI is reflected within an audit universe can be a challenge, due to its pervasive nature and its significance for the organisation’s reputation, employee engagement and regulatory requirements. It is certainly an area which, when risk assessed, is likely to be high on the agenda for inclusion in the internal audit plan. However, there is a lot to provide assurance on, as can be seen from the list of regulations alone, and many processes are affected. Therefore, chief audit executives need to think carefully about how DEI is reflected in the audit universe.

DEI may also need to be one of the criteria used in the risk assessment of the audit universe, to properly recognise its significance. So alongside assessing the audit universe entities for finance and customer impact, an assessment of the auditable area in terms of DEI may also be appropriate. This can be encapsulated in an assessment criterion of Regulation, but DEI is more than the regulation, as we see from the lack of regulation around socio-economic considerations and from the benefits of DEI on staff morale and therefore productivity.

Looking to the Global Internal Audit Standards and Standard 9.5 – Coordination and Reliance, there may be an opportunity to work with second line functions, such as HR, and review what assurance they are providing and how, as part of the internal audit plan development. This may determine that reliance can be placed on their work and no additional assurance is needed from internal audit. However, it could also identify gaps which can mean specific internal audit engagements are added, for example a review of recruitment or DEI reporting, without needing a full scope DEI audit engagement. 

Another approach is to have DEI as a standing audit objective for every audit engagement that is on the internal audit plan, if it is deemed appropriate from the risk based internal audit planning. This supports the need to embed DEI and therefore providing assurance on this area for each engagement can provide real focus for each of the audit clients. This approach has organisation-wide benefits too:

  • Root cause analysis of the findings in each audit engagement can identify systemic causes, leading to recommendations which address issues across the organisation, rather than in one area.
  • DEI can also be one of the themes deemed significant to include in the annual reporting, as required in Global Internal Audit Standards, Standard 11.3 – Communicating Results. As the findings from across all the engagements are aggregated, an assurance opinion can then be provided over DEI explicitly.

There are challenges with this approach, however: the same can be done for other organisation-wide risks, such as health and safety, data protection and IT security, which can mean that every internal audit engagement’s time is taken up by organisation-wide risks, leaving less time for those specific to the auditable area. A balance is clearly needed.


Chief audit executives need to determine the right assurance approach for DEI for their organisation.

This is going to be influenced not only by the risk assessment, but also by the DEI maturity of the organisation. In a similar way to assessing risk management maturity, a chief audit executive can collate information to determine the level of maturity for DEI. In a DEI-naïve organisation, the assurance approach may be more of an organisation-wide assurance engagement, focusing on governance, policy and awareness, or advisory work as the organisation moves to implement DEI practices. In a DEI-embedded organisation, a standing DEI audit objective or continuous auditing may be more appropriate.

Chief audit executives also need to take into account the combined assurance approach and look to what assurance is coming from where and how. This will impact on the assurance approach too, as ensuring that the right level of assurance is provided into the governance of the organisation is critical to internal audit’s purpose. 


Risk and Control Landscape

To achieve equity in an organisation it is important that the risks to DEI are identified and understood. For an organisation to be truly equitable there can be no discrimination and there must be full inclusivity; however, is this possible given that unconscious bias will always exist? There are regulations targeted at the areas of discrimination which support inclusivity, and these can therefore provide internal audit with a structure to use for the audit universe.

If the risk is that the organisation does not support DEI, and therefore equality, then the next layer of risks includes:

  • Gender discrimination
  • Sexual orientation discrimination
  • Physical disability discrimination
  • Mental health discrimination
  • Race discrimination
  • Age discrimination
  • Socio-economic discrimination

A control framework typically includes 8 elements and can be applied to DEI:

  1. Governance – where the DEI policy is approved and reports monitoring the DEI policy are presented for discussion. This can include a DEI champion within the governance structure, potentially a Non-Executive Director.
  2. DEI Policy – the document explaining why this is an important area for the organisation and explaining the overall control framework.
  3. DEI Objectives – the direction of travel for the next 3 to 5 years, including strategic objectives, significant initiatives and relevant performance measures. This may be supported by a shorter operational plan which reflects incremental objectives to support achievement of the strategy.
  4. DEI Risk Management – a risk register which is used to support decision making around DEI and is updated with data on an ongoing basis to monitor exposure to the DEI risks.
  5. DEI Process – there can be multiple processes and these can be informed by the regulations, but also best practices that are highlighted by external bodies, such as CIPD.
  6. People – DEI responsibilities need to be documented and clearly understood and can be included in job descriptions, organisation values and Codes of Conduct.
  7. Training and Awareness – incorporating diversity, equity and inclusion into induction and regular training on DEI itself, but also embedded into all other training and having awareness campaigns on a regular basis to support embedding of DEI.
  8. DEI Monitoring and Reporting – overseeing performance of DEI procedures and ensuring that lessons are learnt, and reports are made into the executive and non-executive governance structures for discussion and challenge. This will include the external reporting requirements as well. 

This structure can be used for DEI as a whole, but also for each discrimination risk, with a policy, processes, responsibilities and training clearly defined and in place for each individually. However, it is really important to recognise that DEI and the associated risks are organisation-wide: there is no one process where this sits, it is in everything. The best approach to DEI in an organisation is one which embeds DEI considerations and practices into everything, as a matter of ‘habit’ or as part of the organisation’s DNA and culture. DEI should not be a ‘bolt on’ or an afterthought.

For example:

  • In the employee benefits structure, do the benefits available to employees provide sufficient flexibility to accommodate differing needs? An example here might be being paid a salary every 4 weeks instead of monthly, as this is the rent payment period for employees who are living in supported housing.
  • At the annual staff conference taking place at a hotel venue, have rooms been set aside for prayer or for a quiet place for employees who experience over stimulation?
  • In recruitment, are applicants from a variety of backgrounds able to complete the application form in the format provided without signalling their protected and non-protected characteristics?


Internal audit needs to think carefully about its role in the provision of assurance and how this is done.

DEI is not a process in itself, and in organisations where it is treated as such this can become an issue affecting employees and customers, which can have regulatory implications. Therefore, the assessment of the design and performance of controls across the organisation, and the evaluation of findings, need to be mindful of DEI.

Internal audit also needs to understand that its members are key role models for DEI in the way they behave. For example, some parts of an organisation may come into contact with the head office rarely, and when they do they look to those individuals to understand the culture and expected behaviours. Internal auditors can also use their own experiences of DEI with their clients, helping them to find ways to improve or enhance their local practices.


DEI Risks and Controls


The table below encapsulates some of the risks in relation to DEI which internal auditors can consider for their DEI engagement, or as a prompt for audits of specific DEI components, such as areas focusing on anti-discrimination.

Potential risk: The organisation has no clear direction for DEI, resulting in an organisation which is not treating employees, customers or stakeholders equally or inclusively.
Potential controls:
  • A diversity and inclusion strategy which is in line with organisational objectives is in place and has been approved by the board
  • The strategy is periodically reviewed and updated to ensure it is suitable for the needs of the organisation

Potential risk: Poor DEI decisions are made, due to a lack of knowledge and expertise in DEI within the organisation.
Potential controls:
  • Appointment of a diversity and inclusion expert, to drive the diversity and inclusion agenda in the organisation
  • Appointment of a diversity and inclusion champion at board level
  • Use of Employee Research Groups (ERG), which are employee-led groups whose aim is to foster a diverse, inclusive workplace
  • Diversity and inclusion committee with clear terms of reference
  • Regular reporting to senior management on diversity and inclusion matters
  • Appointment of diversity and inclusion champions across the organisation with responsibility for promoting diversity and inclusion

Potential risk: Poor decisions are made which do not support embedded DEI in the organisation.
Potential controls:
  • A mechanism is developed for collecting, maintaining and reporting on quantitative and qualitative diversity and inclusion data
  • Reported qualitative and quantitative diversity and inclusion data is scrutinised and challenged by the diversity and inclusion committee and used to support recruitment and business decisions
  • Data analytics is used to collate and analyse data around the employee lifecycle to review any barriers to equity or progression

Potential risk: Poor DEI culture is in place, impacting on retaining and attracting the best talent and therefore performance. A secondary impact could also be a breach of the Equality Act 2010 and other connected regulations.
Potential controls:
  • Diversity and inclusion guidance, policies and procedures are in place, up to date, and have been communicated and are available to all staff
  • Diversity and inclusion action plan with objectives and targets
  • 2nd line assurance checks on compliance with organisational diversity and inclusion policies and procedures, including legislative requirements
  • Organisational self-assessment against the Equality Act, including compliance with the PSED (Public Sector Equality Duty)
  • Regularly audit, review and evaluate diversity and inclusion progress, using quantitative and qualitative data on both inclusion and diversity, to highlight where barriers exist
  • Benchmark progress against other organisations, e.g. Stonewall and Progress Together, and explore what others are doing to adopt and adapt ideas where appropriate
  • Network with others from inside and outside the organisation and include diversity issues in induction programmes (including raising awareness of employee network groups), so that all new employees know about the organisation’s values and policies
  • Embed inclusion and diversity in line managers’ job descriptions; they have a key role to play in behaving in an inclusive way and contributing to achievement of the organisation’s diversity goals


Questions internal audit can ask

It is impossible in this short guidance to provide a full list of every question that internal audit should ask when providing assurance on DEI. Therefore, the table below is not meant to be exhaustive and focuses on an audit of DEI as a whole. However, the questions can be tailored to align with individual risks, for example by replacing ‘DEI’ with ‘Anti-Race Discrimination’.

In addition, the questions in the ‘Process’ section of the table can be adapted to focus on non-DEI processes. For example, in the question ‘What mechanism does the organisation have for creating a culture where staff feel comfortable to be themselves in the workplace and where staff feel that they can ask for help as appropriate?’ you can replace the word ‘organisation’ with ‘department’ or ‘team’ to give this a more local focus.

Element     Question
Governance
  • Does the organisation have an adequate governance structure in place to provide oversight of its DEI programme, and are targets scrutinised and monitored?
  • Does the organisation have a DEI charter? If so, is it in alignment with the organisational culture? If not, is the board open to the idea?
Policy
  • Is there a DEI policy in place which has been endorsed by the board?
  • Does the DEI Policy reflect the up to date regulatory landscape and best practices?
Objectives
  • Is there a DEI strategy in place which has been endorsed by the board?
  • Does the strategy reflect increasing representation within the workforce and leadership that reflects the organisation’s communities, customers and suppliers/3rd parties? 
  • Does the organisation have DEI objectives? Are these reviewed regularly? Is there a DEI action plan?
Risk Management
  • Is there a DEI risk register which is up to date and used to support decision making?
Process
  • Is the organisation committed to the ambition to become an inclusive employer and are there adequate arrangements for achieving this?
  • What mechanism does the organisation have for creating a culture where staff feel comfortable to be themselves in the workplace and where staff feel that they can ask for help as appropriate?
  • Are there processes and policies in place which benefit all staff, and do processes proactively guarantee fair understanding and support and make it easy to understand how to address instances of oppression or discrimination?
  • Does the organisation maintain both qualitative and quantitative DEI data and would these enable management to identify and understand its workforce; its needs; and DEI gaps in order to take action?
  • Does the organisation have a DEI checklist which would be used to measure and assess whether it is diverse and inclusive? Having one would enable management to identify gaps and inform action for diversity and inclusion through organisational policies and practices. 
  • How does the organisation achieve psychological safety?
  • Does the process in place provide equity of opportunity for everyone? Are there any assumptions or process steps which encompass a negative 
People
  • Is there an executive level sponsor for DEI? This would demonstrate top level support and set a clear ‘tone at the top’ 
  • Is there a DEI champion and specialist in the organisation? This would help to raise awareness and contribute to the creation of a diverse and inclusive culture depending on the level of influence and authority both may have.
  • Are responsibilities for DEI clearly stated in relevant role descriptors, policies and procedures?
  • Are the DEI responsibilities and associated behaviours included in performance reviews or linked to promotion and remuneration decisions? 
Training and Awareness
  • If a DEI charter exists, has it been communicated effectively to all levels of the organisation?
  • Does the organisation have an effective DEI awareness and learning programme?
  • Do staff fully understand DEI and are they committed to educate, upskill, and challenge themselves?
  • Do the process specific training programmes include DEI considerations to ensure that employees are aware of the potential negative biases and therefore know how to avoid them in their decision making? 
Monitor and Reporting
  • Are DEI targets defined in the organisational charter or in a DEI action plan? If so, how does the organisation monitor progress towards those targets?
  • Do organisation processes monitor negative bias in decision making, and collate and learn from these by improving processes and training? 


Conclusion

As well as raising awareness of the merits of DEI to stakeholders, internal audit can also lead by example within its own function. Specifically, making diversity a consideration when recruiting, and establishing an effective and efficient internal audit function culture, can add great value. Internal audit, though, needs to ensure appropriate analysis is in place to support the organisation’s DEI strategy and that the risks associated with it are identified and addressed, with clear communication and oversight. A strong DEI culture contributes to the achievement of organisational as well as DEI-specific objectives. Internal audit will likely need to provide ongoing assurance around DEI as new strategies, best practices and regulations evolve.