Auditing culture through soft controls

Company culture is increasingly being attributed to the success or failure of organisations – in particular the level of employee engagement as an indicator of culture. Associate Partner – Audit, Todd Dewey, discusses how “soft controls” are an indicator of culture, and what this means for organisations looking to measure and improve their culture.

In order for an internal audit of culture to be effective, the internal audit function must be supported from the top of the organisation, there must be a clear audit charter, staff must feel comfortable to report to internal audit in a confidential manner, and there must be a sound level of risk maturity across the organisation.

Based on my experience conducting fraud investigations, and my own research associated with corporate fraud, the root cause associated with incidents is often related to organisational culture and breakdowns in soft controls – often a lack of commitment or accountability across the organisation, and the acceptance of unethical behaviours.

There are at least four ways we can help to provide assurance in relation to culture and the effectiveness of soft controls.

Is the desired culture clearly defined?

Assurance activity should commence through an assessment of whether the desired culture is clearly defined. This is often defined through the organisation’s Ethical Framework. The Ethical Framework is different from the Code of Conduct or Ethics Statement and should sit at the heart of the organisation’s Governance, and include vision, mission, values and principles.

Is it lived day-to-day?

Secondly, culture can in part be measured by an assessment of the extent to which the organisation’s Ethical Framework is embedded within day-to-day practices i.e. are rules, procedures and expected behaviours clearly defined, is there clear accountability for breaches of those rules and procedures and are staff members comfortable to raise and report issues or incidents?

Is the culture measured?

Thirdly, consideration should be given to the extent to which the Board and Audit and Risk Committee has oversight and is monitoring and measuring culture. This could include measuring the whistleblower program, the extent of customer complaints, internal policy breaches, levels of staff turnover, sick leave, absenteeism and information gained from staff surveys / exit interviews.

Is the desired culture and the reality aligned?

Fourthly an internal audit review should determine whether the actual culture is in line with the desired culture. For example, do managers reflect the organisation values, is there transparency and accountability in staff behavior?

Through adopting this approach to assessing soft controls, internal audit will be able to assist the organisation to understand, identify, measure and monitor culture.

COSO’s Framework

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) makes a distinction between hard and soft controls. Under COSO’s internal control framework, hard controls relate to policies, procedures, systems and structure, whilst soft controls relate to people, including openness, shared values, clarity, competence, expectations and communication.

Traditionally internal audit activity has focused on hard controls; however, we are now seeing much more emphasis being placed on auditing culture through those soft controls. An internal audit of culture can provide stakeholders with a sense of an organisation’s appetite for risk, and what some refer to as a risk culture (APRA Prudential Standard CPS220). The internal audit function is well placed to be able to undertake an audit of culture; the function is internal to the organisation and it is independent and objective.

If you would like further information or assistance with carrying out an internal audit, contact your Findex adviser.