The number of large corporate collapses in the past two decades has shed light on the importance of establishing effective internal control systems in organisations to protect stakeholders’ interests, and has elevated corporate governance to prominence. In much the same way on a more recent scale, corporate scandals including those affecting Volkswagen and the Banking Royal Commission, have brought organisational culture to the forefront of consideration when it comes to impact on internal control systems.

For those corporate failures in the early 21st century, the common themes involved a lack of commitment and accountability across the organisation, and the acceptability of self-interest and unethical behaviours.

Now, these same themes are echoed from the findings of the Banking Royal Commission. The prevalence of similar conduct occurring across all of the major entities indicates that characterising misconduct as merely ‘a few bad apples’ ignores the root causes of conduct, which often lie within the systems, processes and culture cultivated by an entity.

Such culture risks are pervasive across all levels of an organisation, and unless identified and accounted for within an organisation’s culture, can critically undermine the effectiveness of even the most robust internal control system.

Organisational culture is set by top management and is essentially ‘what people do without being told to do’.

Cultural norms are a critical driver of control, both at a process and an entity level, by conveying expectations for acceptable behaviours and compliance with internal processes.

These norms require continuous management to ensure that desired and ethical behaviours are exhibited, and to ensure that behaviour-influencing factors, or so-called ‘soft controls’, do not undermine the achievement of organisation objectives.

The upshot of this is that a positive organisational culture can effectively mediate gaps in an internal control system by influencing behaviour as part of a holistic internal control system. Similarly, it can prevent the negative impacts on efficiency and effectiveness associated with excessive and redundant layers of hard controls.

Whilst traditional Internal Audit methodologies do not sufficiently assess culture or consider behavioural drivers, leading Internal Audit functions are acting now to evolve their audit programs to include cultural assessments of these soft controls.

Historically, when things go wrong within an organisation, the response has been to add layers of hard controls such as additional authorisations, reduced delegations, or extra performance metrics to attempt to close the gap. However, we know from experience that increasing layers of hard controls does not necessarily improve organisational performance. People are at the heart of every organisation, and it is the human factors that drive decision-making, organisational performance, and the effectiveness of the system of internal control.

Assessing these human factors can be incorporated in several ways, most notably:

• adding cultural considerations to existing internal audits (e.g. behavioural root cause analysis)
• performing stand-alone culture internal audits
• expanding the typical Internal Audit universe to include areas with cultural salience, or that may indicate red flags (e.g. whistleblower hotlines, incentive programs, employee engagement).

Across these three approaches, Internal Audit is well placed within organisations to support increased awareness and capability to manage cultural and behavioural considerations, particularly in the following capacities.

• Serving as a culture promoter: Starting and supporting dialogue with boards and executive leadership about the critical connection between culture, strategy and risk; helping the board understand their role in culture and to gain buy-in from top management.
• Understanding the current state: Considering how cultural expectations have been defined, communicated, understood and embedded. To measure the organisational culture, internal auditors may apply root cause analysis, observe behaviours and consider what data is available in the organisation to gain insight into culture (e.g. exit interviews, engagement survey results, hotline reporting). Traditional data inputs can then be complemented by other audit procedures including surveys, facilitated workshops, focus groups and advanced analytical techniques like sentiment analysis.
• Evaluating culture over time: Understanding perceptions about what is happening within the organisation, what is working well, and what are the barriers to achieving organisational goals, including key red flags that may be present.
• Providing insights and promoting collaboration: Sharing what other organisations are doing, and collaborating with different lines of defence to evolve the framework.

As a result, Internal Audit can play a strategic role as a culture advisor within an organisation without overstepping its remit or abandoning current approaches to conducting audits. Deficiencies in either cultural or behavioural factors can lead to significant risk exposure, and should be reported to leadership and boards to allow for more informed decision making and to drive meaningful cultural change. Considering soft controls in internal audits will enable boards to receive thematic analysis of behavioural trends over time, challenge management insights, uncover hidden behavioural drivers to allow for improved remediation, and provide a better understanding of what is ‘really’ going on in the organisation.

Similarly, as culture is a critical factor in the achievement of organisational objectives, Internal Audit can add value by assessing existing culture and providing recommendations to management as input for the design of more efficient internal control environments that are able account for both hard and soft controls, and take advantage of their respective strengths and weaknesses.

It is necessary to consider the human factors that influence culture to really understand what is happening within an organisation. In response to this, KPMG has developed a model that integrates a consideration of soft controls into our audit and assurance methodology to help us identify, measure, monitor and report on staff behaviours and its impact on the control environment. The model is based on extensive scientific research by Prof. Dr. Muel Kaptein, a partner from KPMG Netherlands and global subject matter expert, and has been in use in the Netherlands for over 10 years. For more information on the model please refer to KPMG’s soft controls model.