This article aims at providing you with a practical guide to how and why internal audit plays an essential role in monitoring Organizational Culture, and introduces the KPMG Soft Controls Model. This model offers a set of pragmatic tools and methods to get a clear picture of your current culture, identify the issues, and take targeted action.

Numerous scientific papers and articles have been written about this topic, but still there is no real consensus on how to define Organizational Culture. As each individual's behavior shapes your Organization’s Culture, it is probably most straightforward to describe it as “the way we do things around here”.

We can also refer to Organizational Culture as a set of intangible behavior-influencing factors in an organization, which are important for achieving its objectives. People are at the heart of every organization, and human factors are essential drivers of decision-making and organizational performance. Consequently, culture should be linked to your organization’s control environment, as it can promote and reinforce “right” thinking and behavior, and can sanction “wrong” thinking and behavior.

To capture the organization's dynamics, it is crucial to consider these human factors influencing attitudes and behaviors. Auditing culture can therefore help to detect early warning signs of broader organizational issues and so that you can take action in a timely fashion, before things go south. KPMG’s soft controls view enables you to single out hard control gaps or weaknesses, and trace their root causes of behavior to empower management to develop tailored and meaningful actions.

Crises like COVID-19 put organizations under pressure, as well as each individual within the organization. In periods of crisis, we are confronted with an increasing number of dilemmas and organizations and their employees need to act rapidly, with only limited support from traditional procedures and guidelines. Under these circumstances, where more static ‘hard controls’ can only provide limited support to organizations, it is more important than ever to have a sound organizational culture. Your culture has to be open and needs to encourage conversations about the choices that need to be made while facing those emerging dilemmas.

During these periods, your organizational culture will reveal its true colors, and this will shape your business in both the near and far future.

KPMG has developed a framework and methodology that helps you to understand, identify, measure and monitor organizational culture. This framework consist of eight elements, also called soft controls, which are an integral part of your organization’s control environment and should consequently be subject to review by internal auditors.

An organization’s internal control environment consists of several elements:

• ‘Hard’ or formal controls are the established, often legally enforced, standards of striving for optimal degrees of management control. This type of control has been subject to internal audit reviews for decades.

• A couple of classical instruments in formal control are risk analysis, internal auditing, segregation of duties and responsibilities, rules and procedures, and recording, which can take the form of registration systems, codes of conduct, and job descriptions. Hard controls should be seen as the necessary rules of the game. However, it is scientifically proven that these are rarely sufficient to keep organizations in control.
• To be effective, hard controls should be embedded in a system in which soft controls play an important role. Your company’s soft controls are specific manifestations of a more general culture, which concerns beliefs, values, and norms prevailing throughout the organization about what is good or bad.
• We make the distinction between soft controls, which are intangible aspects, and soft control instruments, which are an embodiment of the former and are designed to put the organization’s soft controls into practice. Trainings, performance reviews, recruitment interviews, and assessments are only some of many examples in this area.

KPMG’s Soft Controls Model differentiates between three categories of soft controls:

1. Preventative soft controls

a)     Clarity: Desired organizational behavior and expectations are clear, comprehensive, and understandable for management and employees.

b)     Role modelling: Alignment and congruency in expectations and concrete management behavior.

c)     Commitment: Management and employees feel called to actively uphold organization’s interests. They can identify with the company values.

d)     Achievability: There is sufficient time, resources, information, capacity and authority allocated to realize responsibilities.

2. Detective soft controls

a)     Transparency: Behavior and its consequences are sufficiently visible to employees and management.

b)     Openness: Management and employees feel comfortable discussing dilemmas or conflicts they experience on a day-to-day basis.

3. Responsive soft controls

a)     Accountability: Management and employees feel comfortable reporting misconduct, either formally or informally. People are then held accountable for their actions.

b)     Enforcement: Desired behavior is rewarded and misconduct is addressed. People can learn from mistakes and incidents.

In order to have a holistic view on all aspects shaping a company’s culture, KPMG proposes an integrated culture model.

In this model, we distinguish between three intertwined layers:

• The cultural layer is compiled from the eight soft controls from KPMG’s Soft Controls model, and refers to the intangible aspects (see previous chapter).
• The policy layer refers to the tangible aspects, what we earlier called ‘soft control instruments’ used to put an organizations values and norms in practice.
• The final and binding layer denotes Tone at the top. This, as well as role modelling and commitment by top management plays a critical role in the success of the aforementioned layers.

Even when you succeed in capturing all these layers, we are well aware that trying to assess organizational culture is complicated by the reality that you are trying to hit a moving target. But it is feasible and, in doing so, your approach should be dynamic and iterative:

1. Assessment of the current situation – assessing the needs of the organization, taking into account its context, strategy, main risks. 
2. Design – defining which measures need to be taken to fulfill the needs of the organization.
3. Implementation – implementing these measures (pragmatically) into the organization.
4. Evaluation – verifying whether these measures are properly defined, implemented, and if they serve their proper purpose.

Especially in the first and last step, internal audit can and should play a crucial role in monitoring whether the organizational culture is appropriate and in line with the strategy, vision, mission and objectives of the organization. 

By now, we all agree that culture is one of the main risks that internal audit should consider. There are different ways to audit culture:

1. Cultural framework audit: Builds an understanding of how the control environment supports behavior. The focus is mainly on the control instruments which the organization can use to promote desirable behavior and prevent undesirable behavior. Within this approach, you focus more on the policy aspect of the cultural framework within your organization. You will evaluate the presence, quality, connectivity, and implementation of soft control instruments such as: corporate values, code of conduct, integration in risk assessments, whistleblowing policy, related trainings and communications.
2. Cultural assessment: Provides insight into the current organizational culture by inquiring with each employee within the organization on their personal perception of the quality of soft controls within the organization. This can be done by performing an (anonymous) organization-wide survey, supported with a selection of face-to-face interviews. This questionnaire evaluates the eight soft controls and will give you get a clear view on the current strengths and improvement points within the organizational culture.
3. Integrating the cultural aspect in every audit:

a. Evaluating soft control conditions: This can be done by assessing the soft control instruments as a condition for the operating effectiveness of the key hard controls within the audited process. With this approach, you will assess the risk of control failure by evaluating the maturity of the soft controls at the basis of each individual process-level control.

b. Performing thorough root cause analysis on your observations (assessing ‘the why of why’): By performing behavioral root cause analysis for identified issues, these can be traced back to ineffective soft controls. By applying the eight soft controls as a frame of reference for possible root causes for audit findings, you can make better audit recommendations. Besides this, it will also allow you to give on a periodic basis a more holistic view on the most recurring root causes during your audits and therefore give an insight in the key attention points of the organizational culture where management should focus on.

• As people are at the heart of every organization, and are driving decision-making and organizational performance, it is crucial to consider these human factors that influence attitudes and behaviors (so called ‘soft controls’) to really understand what is happening within your organization.
• Auditing culture supports the delivery of stakeholder value by proactively managing risks (early warning signals).
• Soft controls are at the basis of failure of process level hard controls.
• There are different ways of auditing culture, which can be adapted to your organization’s maturity.