The success or failure of organisations is increasingly being attributed to company culture. It can be one of the most powerful influences on whether a company’s strategy successfully unfolds, its reputation is upheld and customers remain loyal.
Culture can be a challenging area for Internal Audit (IA) because it relates to organisational behaviours and influences that are not easily visible or measurable. However, KPMG believes the involvement of IA in auditing culture can reap substantial value for organisations.
“Traditionally the focus from an IA perspective has been looking at what we call the ‘hard controls’ – the things that are really obvious and usually documented in policies and procedures,” says Karen Orvad, Partner, Internal Audit – Governance & Risk, KPMG Australia.
“What we are seeing now is much more IA activity around culture and behaviour, the ‘soft controls’, and looking at how people operate within the context of the control environment.”
Culture often starts at the top, with the tone and messaging filtering from the board through to management to employees. For example, is the company primarily focused on financial gain, customer satisfaction or rapid expansion? The answer could impact the type of training staff receive, expectation of staff capabilities, demands on individuals, the way they offer service and how progress is rewarded (these are all examples of soft controls). It can also influence the delegation of power and lines of authority in a business.
Stefanie Bradley, Partner, People & Change at KPMG Australia says putting an IA lens on culture can “give you a sense of a company’s appetite for risk, and their risk culture”. She explains IA can act as a “third-line responder”, highlighting to executive management any thematic issues with culture.
Bradley says putting an IA lens on culture is not a “tick or flick exercise, or a compliance exercise”, but requires a deep understanding of an organisation’s strategy and values. “There is a behavioural element that needs to be observed, there is an underlying values component that needs to be explored, and there is a motivational element that gets into the human psyche and behaviour,” Bradley says.
Orvad says IA’s consideration of culture through soft controls can take place in a number of ways. For example, an analysis of soft controls can be embedded into each IA project alongside the traditional work done on ‘hard controls’. It can also be done by conducting a soft control audit as a standalone project on a particular process to provide a detailed view on that aspect alone.
Other reviews can ask: do a company’s code of conduct and known values align with its strategy? Do the messages communicated to employees align with the values, and the actions that are rewarded? IA can also review whether a formal whistleblowing process is available and effective.
IA can add further value to an organisation by reviewing the aspects of culture that are ‘harder to see’ but could be putting strategy at risk, such as beliefs, attitudes or decision-making processes. Interviews, surveys and observation are common auditing techniques for this purpose.
New skill sets may need to be added to the IA function, to bring a deeper understanding of organisational psychology, sociology, and behaviour to the assessment, so that IA can integrate an approach for considering soft controls into each project. “These new skill sets are required because the soft controls can be seen as more subjective and harder to quantify. There is a need for specific skills to assist in bringing a view on how to look at these, to analyse and report on them in a business context,” Orvad says.
Through these reviews, IA may discover that an overemphasis on hard controls can result in organisations having too many layers of control.
“All of the investment you are making in terms of getting the hard controls right can be wasted if you aren’t getting the soft controls working effectively. It is about extracting the most benefit from the framework you set up, as well as the people element, which is behaviour and how things in a business are actually done,” Orvad says.
Orvad gives the example of a company that required multiple senior staff to sign off on each employee mobile phone contract. The goal was to ensure no unnecessary expenses slipped through, but it resulted in a culture where no one took responsibility, as they assumed someone else would check the details.
“What they found was that by adding the authorising signatures, as hard controls, it actually weakened the cultural control around that particular process,” Orvad says.
She explains that if the organisation had a better understanding of balancing hard controls with soft controls, the result would have been more sustainable.
KPMG is investing in new skill sets and extending its traditional Internal Audit methodology to be able to audit both soft and hard controls.