The large corporate collapses of the past two decades have highlighted the importance of effective internal control systems that protect stakeholders’ interests, and have brought corporate governance to prominence.

More recently, and in much the same way, corporate scandals such as those affecting Volkswagen and those examined by the Banking Royal Commission have brought organisational culture to the forefront when considering what determines the effectiveness of internal control systems.

Why the ‘soft stuff’ matters

In the corporate failures of the early 21st century, the common themes were a lack of commitment and accountability across the organisation, and a tolerance of self-interest and unethical behaviour.

These same themes are echoed in the findings of the Banking Royal Commission. The prevalence of similar conduct across all of the major entities indicates that characterising misconduct as merely ‘a few bad apples’ ignores the root causes of that conduct, which often lie in the systems, processes and culture cultivated by the entity.

Such behavioural risks are pervasive across all levels of an organisation, and unless identified and accounted for within an organisation’s culture, can critically undermine the effectiveness of even the most robust internal control system.

Organisational culture

Organisational culture is set by top management and is essentially ‘what people do without being told to do’.

Cultural norms are a critical driver of behaviour, both at a process and an entity level, by conveying expectations for acceptable behaviours and compliance with internal processes.

These norms require continuous management to ensure that desired and ethical behaviours are exhibited, and to ensure that behaviour-influencing factors, or so-called ‘soft controls’, do not undermine the achievement of organisation objectives.

The upshot is that a positive organisational culture, as one component of a holistic internal control system, can mitigate gaps in the hard controls by influencing behaviour directly. It can also prevent the losses of efficiency and effectiveness that come with excessive and redundant layers of hard controls.

Culture and the role of Risk and Internal Audit

Risk and Internal Audit assurance functions have a critical role in understanding and reporting on the human factors that impact on the processes, risks and the overall control environment.

Historically, when things go wrong within an organisation, the response has been to add layers of hard controls such as additional authorisations, reduced delegations, or extra performance metrics to attempt to close the gap. However, we know from experience that increasing layers of hard controls does not necessarily improve organisational performance. People are at the heart of every organisation, and it is the human factors that drive decision-making, organisational performance, and the effectiveness of the internal control system.

Assessment of these human factors can be incorporated into risk and audit work in several ways, most notably:

  • adding cultural considerations to existing internal audits, compliance and risk review
  • performing stand-alone cultural deep dives
  • expanding the typical risk and audit universe to include areas with cultural salience, or that may indicate red flags (e.g. whistleblower hotlines, incentive programs, employee engagement).

Across these three approaches, Risk and Internal Audit are well placed within organisations to support increased awareness and capability to manage cultural and behavioural considerations, particularly in the following capacities:

  • Serving as a culture promoter: Starting and supporting dialogue with boards and executive leadership about the critical connection between culture, strategy and risk; helping the board understand their role in culture and to gain buy-in from top management.
  • Understanding the current state: Considering how cultural expectations have been defined, communicated, understood and embedded. To measure the organisational culture, internal auditors may apply root cause analysis, observe behaviours and consider what data is available in the organisation to gain insight into culture (e.g. exit interviews, engagement survey results, hotline reporting). Traditional data inputs can then be complemented by other audit procedures including surveys, facilitated workshops, focus groups and advanced analytical techniques like sentiment analysis.
  • Evaluating culture over time: Understanding perceptions about what is happening within the organisation, what is working well, and what are the barriers to achieving organisational goals, including key red flags that may be present.
  • Providing insights and promoting collaboration: Sharing what other organisations are doing, and collaborating with different lines of defence to evolve the framework.


Cultural red flags

  • Pursuit of short-term financial benefits with little to no consideration of customers.

  • Focus on the letter rather than the spirit of the law and regulations.

  • Regarding risk management and controls as an inconvenience.

  • Lack of prompt, proper management action to address known issues.

  • Active concealment of problems, lack of openness.

  • Failure to challenge the status quo.

In these ways, Internal Audit can play a strategic role as a culture advisor within an organisation without overstepping its remit or abandoning its current approach to conducting audits. Deficiencies in cultural or behavioural factors can lead to significant risk exposure, and should be reported to leadership and boards to allow for more informed decision making and to drive meaningful cultural change. Considering soft controls in internal audits will enable boards to receive thematic analysis of behavioural trends over time, challenge management’s insights, uncover hidden behavioural drivers so that remediation can be better targeted, and gain a better understanding of what is ‘really’ going on in the organisation.

Similarly, as culture is a critical factor in the achievement of organisational objectives, Internal Audit can add value by assessing the existing culture and providing recommendations to management as input to the design of more efficient internal control environments that account for both hard and soft controls, playing to the strengths of each and compensating for their respective weaknesses.

Questions to consider

  • How do you monitor cultural and behavioural risks?

  • Are these captured in risk reporting and governance structures?

  • Have you seen repeat issues, non-compliances, fraud or misconduct across the organisation?

  • Is there complacency within the organisation when it comes to awareness of culture and likelihood of risks?

  • Does the board place sufficient focus on non-financial risks?

  • Does the board provide sufficient challenge to senior leadership when it comes to handling misconduct and policing the closure of issues?


Our approach

To really understand what is happening within an organisation, it is necessary to consider the human factors that influence its culture. In response, KPMG has developed a model that integrates consideration of soft controls into our audit and assurance methodology to help us identify, measure, monitor and report on staff behaviours and their impact on the control environment. The model is based on extensive scientific research by Prof. Dr. Muel Kaptein, a partner at KPMG Netherlands and global subject matter expert, and has been in use in the Netherlands for more than 10 years. For more information on the model, refer to Behavioural Risk Advisory.