This article aims at providing you with a practical guide to how and why internal audit plays an essential role in monitoring Organizational Culture, and introduces the KPMG Soft Controls Model. This model offers a set of pragmatic tools and methods to get a clear picture of your current culture, identify the issues, and take targeted action.
Numerous scientific papers and articles have been written about this topic, but still there is no real consensus on how to define Organizational Culture. As each individual's behavior shapes your Organization’s Culture, it is probably most straightforward to describe it as “the way we do things around here”.
We can also refer to Organizational Culture as a set of intangible behavior-influencing factors in an organization, which are important for achieving its objectives. People are at the heart of every organization, and human factors are essential drivers of decision-making and organizational performance. Consequently, culture should be linked to your organization’s control environment, as it can promote and reinforce “right” thinking and behavior, and can sanction “wrong” thinking and behavior.
To capture the organization's dynamics, it is crucial to consider these human factors influencing attitudes and behaviors. Auditing culture can therefore help to detect early warning signs of broader organizational issues and so that you can take action in a timely fashion, before things go south. KPMG’s soft controls view enables you to single out hard control gaps or weaknesses, and trace their root causes of behavior to empower management to develop tailored and meaningful actions.
Crises like COVID-19 put organizations under pressure, as well as each individual within the organization. In periods of crisis, we are confronted with an increasing number of dilemmas and organizations and their employees need to act rapidly, with only limited support from traditional procedures and guidelines. Under these circumstances, where more static ‘hard controls’ can only provide limited support to organizations, it is more important than ever to have a sound organizational culture. Your culture has to be open and needs to encourage conversations about the choices that need to be made while facing those emerging dilemmas.
During these periods, your organizational culture will reveal its true colors, and this will shape your business in both the near and far future.
KPMG has developed a framework and methodology that helps you to understand, identify, measure and monitor organizational culture. This framework consist of eight elements, also called soft controls, which are an integral part of your organization’s control environment and should consequently be subject to review by internal auditors.
An organization’s internal control environment consists of several elements:
KPMG’s Soft Controls Model differentiates between three categories of soft controls:
1. Preventative soft controls
a) Clarity: Desired organizational behavior and expectations are clear, comprehensive, and understandable for management and employees.
b) Role modelling: Alignment and congruency in expectations and concrete management behavior.
c) Commitment: Management and employees feel called to actively uphold organization’s interests. They can identify with the company values.
d) Achievability: There is sufficient time, resources, information, capacity and authority allocated to realize responsibilities.
2. Detective soft controls
a) Transparency: Behavior and its consequences are sufficiently visible to employees and management.
b) Openness: Management and employees feel comfortable discussing dilemmas or conflicts they experience on a day-to-day basis.
3. Responsive soft controls
a) Accountability: Management and employees feel comfortable reporting misconduct, either formally or informally. People are then held accountable for their actions.
b) Enforcement: Desired behavior is rewarded and misconduct is addressed. People can learn from mistakes and incidents.
In order to have a holistic view on all aspects shaping a company’s culture, KPMG proposes an integrated culture model.
In this model, we distinguish between three intertwined layers:
Even when you succeed in capturing all these layers, we are well aware that trying to assess organizational culture is complicated by the reality that you are trying to hit a moving target. But it is feasible and, in doing so, your approach should be dynamic and iterative:
Especially in the first and last step, internal audit can and should play a crucial role in monitoring whether the organizational culture is appropriate and in line with the strategy, vision, mission and objectives of the organization.
By now, we all agree that culture is one of the main risks that internal audit should consider. There are different ways to audit culture:
a. Evaluating soft control conditions: This can be done by assessing the soft control instruments as a condition for the operating effectiveness of the key hard controls within the audited process. With this approach, you will assess the risk of control failure by evaluating the maturity of the soft controls at the basis of each individual process-level control.
b. Performing thorough root cause analysis on your observations (assessing ‘the why of why’): By performing behavioral root cause analysis for identified issues, these can be traced back to ineffective soft controls. By applying the eight soft controls as a frame of reference for possible root causes for audit findings, you can make better audit recommendations. Besides this, it will also allow you to give on a periodic basis a more holistic view on the most recurring root causes during your audits and therefore give an insight in the key attention points of the organizational culture where management should focus on.
T: +32 (0)473 55 43 12
T : +32 (0)472 54 14 99