The number of large corporate collapses in the past two decades has shed light on the importance of establishing effective internal control systems in organisations to protect stakeholders’ interests, and has elevated corporate governance to prominence. In much the same way on a more recent scale, corporate scandals including those affecting Volkswagen and the Banking Royal Commission, have brought organisational culture to the forefront of consideration when it comes to impact on internal control systems.
The number of large corporate collapses in the past two decades has shed light on the importance of establishing effective internal control systems in organisations to protect stakeholders’ interests, and has elevated corporate governance to prominence. In much the same way on a more recent scale, corporate scandals including those affecting Volkswagen and the Banking Royal Commission, have brought organisational culture to the forefront of consideration when it comes to impact on internal control systems.
For those corporate failures in the early 21st century, the common themes involved a lack of commitment and accountability across the organisation, and the acceptability of self-interest and unethical behaviours.
Now, these same themes are echoed from the findings of the Banking Royal Commission. The prevalence of similar conduct occurring across all of the major entities indicates that characterising misconduct as merely ‘a few bad apples’ ignores the root causes of conduct, which often lie within the systems, processes and culture cultivated by an entity.
Such culture risks are pervasive across all levels of an organisation, and unless identified and accounted for within an organisation’s culture, can critically undermine the effectiveness of even the most robust internal control system.
Organisational culture is set by top management and is essentially ‘what people do without being told to do’.
Cultural norms are a critical driver of control, both at a process and an entity level, by conveying expectations for acceptable behaviours and compliance with internal processes.
These norms require continuous management to ensure that desired and ethical behaviours are exhibited, and to ensure that behaviour-influencing factors, or so-called ‘soft controls’, do not undermine the achievement of organisation objectives.
The upshot of this is that a positive organisational culture can effectively mediate gaps in an internal control system by influencing behaviour as part of a holistic internal control system. Similarly, it can prevent the negative impacts on efficiency and effectiveness associated with excessive and redundant layers of hard controls.
Whilst traditional Internal Audit methodologies do not sufficiently assess culture or consider behavioural drivers, leading Internal Audit functions are acting now to evolve their audit programs to include cultural assessments of these soft controls.
Historically, when things go wrong within an organisation, the response has been to add layers of hard controls such as additional authorisations, reduced delegations, or extra performance metrics to attempt to close the gap. However, we know from experience that increasing layers of hard controls does not necessarily improve organisational performance. People are at the heart of every organisation, and it is the human factors that drive decision-making, organisational performance, and the effectiveness of the system of internal control.
Assessing these human factors can be incorporated in several ways, most notably:
Across these three approaches, Internal Audit is well placed within organisations to support increased awareness and capability to manage cultural and behavioural considerations, particularly in the following capacities.
Cultural red flags
|
As a result, Internal Audit can play a strategic role as a culture advisor within an organisation without overstepping its remit or abandoning current approaches to conducting audits. Deficiencies in either cultural or behavioural factors can lead to significant risk exposure, and should be reported to leadership and boards to allow for more informed decision making and to drive meaningful cultural change. Considering soft controls in internal audits will enable boards to receive thematic analysis of behavioural trends over time, challenge management insights, uncover hidden behavioural drivers to allow for improved remediation, and provide a better understanding of what is ‘really’ going on in the organisation.
Similarly, as culture is a critical factor in the achievement of organisational objectives, Internal Audit can add value by assessing existing culture and providing recommendations to management as input for the design of more efficient internal control environments that are able account for both hard and soft controls, and take advantage of their respective strengths and weaknesses.
Questions to consider
|
It is necessary to consider the human factors that influence culture to really understand what is happening within an organisation. In response to this, KPMG has developed a model that integrates a consideration of soft controls into our audit and assurance methodology to help us identify, measure, monitor and report on staff behaviours and its impact on the control environment. The model is based on extensive scientific research by Prof. Dr. Muel Kaptein, a partner from KPMG Netherlands and global subject matter expert, and has been in use in the Netherlands for over 10 years. For more information on the model please refer to KPMG’s soft controls model.
©2021 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Liability limited by a scheme approved under Professional Standards Legislation.
For more detail about the structure of the KPMG global organisation please visit https://home.kpmg/governance.