Internal Audit: Getting to Grips with Softer Measures

Getting to grips with softer measures

Behaviour and culture are fundamental drivers of business integrity – both internally and in terms of public perceptions. A change in mind-set is enabling Internal Audit functions to address these so-called ‘softer’ measures more proactively.

The integrity of a business is demonstrated in That means management have a clear context for any the behaviours of all its employees. So how can ethical dilemmas their staff face – and IA has both these behaviours be measured? How can internal the playbook and the credibility to define their control audit (IA) teams get a grip on something as environment to include culture and behaviour. intangible as “people” – and formulate consistent That’s not to say leaders set appropriate behaviour in and measureable standards against which their a vacuum. Take the banking sector. Since the financial performance can be assessed? crisis, bank boards have set out clear messages to In pursuit of answers, the focus for many IA teams drive better behaviour – in part driven by a fresh focus is shifting from the traditional view of assessing on culture from newly energised regulators. Leaders what we now think of as ‘hard’ controls, to a have worked to understand the ethical dilemmas more rounded approach. Moves to assess ‘softer’ their staff face, in particular addressing the conflict controls – related to how people actually behave and between client outcomes and commercial targets. operate in the context of the control environment The upshot has been changes in regulation and and understand their impact on how the business incentives; guidance based on real incidents; and promotes (or damages) integrity, is gaining in improved training and monitoring. This all helps relevance in the modern IA world. IA to assess whether employees are acting with integrity, too. Definition and credibility Behaviour – and organisational culture more Soft skills for behavioural ills generally – is partly defined by the tone at the top. This need to look at soft controls requires IA to bring An organisation’s leaders need to set out their core a new set of skills to the table. Teams still need those values clearly – and then live those values through with a solid audit background who can focus on hard their behaviours. Their ‘manner’ will pass on to measures around procedures, internal controls, risk management and employees, whether the leaders analysis and security. But IA also needs a broader like it or not. Vague, unrealistic or overly aspirational skill set. values not reflected in behaviours will quickly be exposed. It needs sociologists, psychologists and even anthropologists who bring a disciplined and Everyone in the organisation needs to know that consistent view on how people react to different the leadership stand by their principles and will act situations. These experts can bring a new angle to quickly and decisively when they see behaviour the key question: why do good people with the best that is not in line with these values. intentions sometimes do the wrong things?

© 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. These skills are especially important when IA has to We have seen a good example of this kind of evolved get a handle on the factors behind loss of integrity. reporting at an insurance company that developed a And that analysis of what went on helps them put in risk culture dashboard. This self-assessment tool was place appropriate procedures and controls to monitor based on the company’s core values, translated to and correct future failures. (Remember, evidence organisational behaviour. of remedial actions could be important in later The first line of defence (management) assessed conversations with regulators.) itself on certain criteria. The second line (compliance These actions might include more rounded and risk management) challenged management on performance reviews; a new approach to promotion their scores. And the third line (IA), investigated the and remuneration; different training and monitoring; entire process to see whether the conclusions could raising awareness of acceptable and unacceptable be justified. behaviour; and firming up whistleblowing guidelines The point was not so much the scores – this is a and policy. continual process, so the aim is to see improvement Four (soft) steps on behaviour in problem areas – but in the dialogue and the added value of the self-assessment. Four factors are needed for IA to address this ‘soft’ opportunity. In this more transparent and connected business environment, the culture and ethics of a business – Support from the organisation’s leaders. Are they increasingly matter to customers and investors. This ensuring that IA has the right skills and capacity shift in stakeholder mind-set needs to be mirrored by to integrate culture into its audit programme? a change in the role of the IA function, merging the – Controls that emanate from a solid framework. more traditional audit approach with a 21st century Only then can culture be considered measurable lens on behaviour and business integrity. on a par with other aspects of the business – and When we talk about soft controls, there is nothing meaningful KPIs constructed and reported to the optional about it. Companies that don’t audit board. behaviour will soon be the outliers. Those that do it – Step-by-step integration of soft controls. The well – with the rigour IA can bring – will see clear culture framework and root cause analysis helps benefits in terms of verifiable business integrity and IA to investigate all issues through the lens of the in growing organisational value. underlying rules. Further reading – Ensure that whatever soft controls are put in – How to create a robust risk culture place are aligned with hard controls. You can only drive the right behaviours if there’s consistency – Five steps to tackling culture between the two – and where they’re poorly – Improving culture in the financial services industry aligned, the hard metric will generally win. – Audit and culture – a valuable relationship Not if, but when All organisations are under a higher level of scrutiny than ever before; the potential for reputational damage has never been greater. Being open and transparent about the softer issues in an organisation, reporting on them continuously and showing progress in addressing them is no longer optional.

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. © 2017 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. The KPMG name and logo are registered trademarks or trademarks of KPMG International. CRT083272 | September 2017