
Auditing Soft Controls

Perspectives from NextGen Internal Auditors

Introduction

Ernst & Young Advisory hosted a Roundtable on soft controls in their Amsterdam office. According to theory, soft controls can be viewed as all controls that cause employees and management to behave in the way that the organization considers desirable, and they are typically not directly observable. Examples of soft controls include behavior, tone at the top, morale and motivation. When behavior is considered an important aspect, process improvements are more likely to become embedded in an organization's culture and to be sustainable over time. However, internal auditors still struggle with the definition of soft controls and with how to take them into account when performing audits. This led to an interesting discussion between NextGen Internal Auditors representing various industries, such as the financial, energy, retail, consumer products, technological and public sectors.

The Internal Audit Roundtable is part of a series of recurring events and aims to provide a platform for companies to collaborate with peers. The goal is to identify, through deliberations, practical step-change solutions that can contribute towards maximizing the value that organizations can derive from their investments in managing risks.

The status of soft controls

During the Internal Audit Roundtable, the Head of Internal Audit of a large maritime organization illustrated auditing soft controls by discussing the risks involved in a project at the company that used the Agile Scrum Method. This project management technique focuses on people and interactions, cooperation with the client, continuous improvement, direct communication and dealing with change. It differs from techniques we are more familiar with because it does not involve tools and processes, negotiating contract terms, sticking to a plan and clear and concise documentation. The first impression of an Agile Scrum project is pure chaos: while the project time and budget are fixed, milestones are defined and monitored quite differently from normal projects. As a consequence, none of the traditional project management tools seem to apply to this method, and it is difficult to identify what to audit and which audit techniques to use.

An internal auditor from the consumer products sector mentioned that she had experience with auditing projects that were based on the Agile Scrum Method. She experienced challenges similar to those mentioned by the presenter, relating to the fixed time and budget combined with the undefined tasks to fill these. Additionally, the audience wondered how such a project could be approached in terms of structure: when auditing the project, are there any controls or norms which assure the outcome?

The presenter explained the audit approach and the way that the risk assessment was conducted. This risk assessment also included a review of less tangible risks and led to the identification of a number of (soft) risks:

- Implementation of an inappropriate style of leadership;
- Insufficient participation of users;
- Inadequate communication within the team between users and developers;
- Insufficient management of expectations with the environment.

The NextGen Internal Auditors wondered whether these weren't typical project risks. The presenter agreed, but found it important to illustrate the difference from usual project risks by showing that these could not be audited by reviewing clear documentation and checking compliance with guidelines. During their audit, the internal auditors of this organization were not able to look at the adherence to guidelines by the project team members and scan through documentation; instead they needed to take into account the softer aspects of an audit, such as:

- Audit the project through direct observation instead of by ticking and tying the project documentation;
- The skills of the project manager and the project employees;
- Communication in and about the project;
- The cooperation within the project team;
- Involvement, support and ownership;
- Stimulation of creativity.

In order to do this, the internal auditors needed to assess elements such as: "Do people listen to each other?", "Is the project leader facilitating for the entire team?", "Do the team members stimulate each other?" and "Are people able to think of simple and creative solutions?". The internal auditors tried to discover key values inherent to a successful Agile Scrum Method: creativity, simplicity, honesty, equality, succeeding together, responsibility and independence. In order to provide assurance over this project management technique, the internal auditors used the following audit techniques:

- Interviews;
- Surveys;
- Observations on site (a lot of observations on site!).

In summary, the project was audited mostly through direct observation instead of by ticking and tying project documentation and reviewing milestones. The visible behavior that could be observed consisted of the following aspects:

- Do people listen to each other?
- Is there room for feedback for everyone?
- Do people meet agreements?
- Do the team members keep each other focused?
- Does the team also have fun with each other?
- Are team members able to come up with simple and creative solutions?

Ernst & Young

The Behavioral Engineering Auditing Model (BEAM for short) is Ernst & Young's behavioral auditing model. It is intended to strengthen knowledge about how people impact an organization's risk profile and so move toward a more progressive internal audit. Through an analysis of behavioral and cultural issues, this approach seeks to provide fresh insight into current control problems and a more refined and practical way to deliver recommendations and improvement areas. The model is applied to more appropriately inform and assess changes in an organization's risk and control framework, including the implementation of processes and control recommendations arising from Internal Audit projects.

The BEAM Framework consists of 6 human and organizational categories. Over 130 key areas of strong cultural behavior are used to isolate behavioral characteristics, and the recommendations or actions for transformation, from technical/design actions. The diagram below illustrates each of the 6 categories and 23 of the more than 130 key areas impacting on behavioral performance.

Diagram: success factors, grouped by category

Organizational factors
1. Information: Vision and objectives; Expectations; Standards; Feedback
2. Resources: People; Time; Organization structure; Equipment; Tools; Systems
3. Incentives: Positive and negative reinforcement; Career development; Salary increases; Sanctions

Individual factors
4. Competencies: Skills; Knowledge; Training
5. Application: Walking the talk; Coaching; Embedding learning
6. Motivation: Commitment; Affiliation; Achievement


An organization's control environment is only as good as the behaviors and culture of the personnel responsible for applying the controls. Just having the best designed control process is not enough when people are prepared to bypass those controls because of work or performance pressure, results pressure or even ambivalence or cultural issues. Ultimately, culture is defined by behaviors, so the best way to assess the control environment is to look at behaviors. Examples may include:

- Delegations of authority are in place (the design is good), but if people don't escalate or act on breaches (the behavior is unwanted), then the control is not working and it won't work until the behavior changes;
- There are controls in place to prevent early revenue recognition, but the control owner has a bonus target based on sales. The control may be designed well, but the control owner has an incentive to not perform the control.

Organizational factors (information, resources and incentives) are extremely important, as these are the aspects of an organization that leaders can control, and are therefore the best place to focus initial efforts. The tone must be set from the top, with the right incentives in place. If this does not happen, even with all other factors in place, behavior will not change. Individual factors (competencies, application and motivation) are much harder for an organization to influence. However, competencies in some cases/organizations will be easily influenced through training, as they are largely under the control of individuals. Whilst it could be tempting to focus on these components, it is important to note that all components are interconnected. If you get the organizational factors right, the individual factors fall into place.

Fieldwork techniques

The BEAM Framework describes several techniques for performing fieldwork.

1. Ask open-ended questions
A person who is uncomfortable answering open-ended questions either does not understand the question or does not want to answer the question. Furthermore, open-ended questions can lead to long answers, so it is important to filter information so that it is relevant. To keep answers brief, be specific when asking questions.

2. Consider written documentation
Behaviors can also be displayed through written communication/work output. Language can say a lot about individual attitudes. Documentation, and how it is maintained, may also evidence behavioral issues. For example, a lack of documentation sign-off in accordance with policies and procedures could mean either that the individual does not understand the purpose, and therefore the importance, of sign-off, or that the individual is not confident to sign off because they do not want to be held accountable (a failure to accept accountabilities).

3. Informal communication factors may also be important
Communication styles and frequency should be assessed for their impact on job security or the creation of other uncertainties in the workforce, which may lead to ambivalence or malice. Informal KPIs being established (such as false deadlines) may force behaviors to circumvent controls.


The audience wondered how the first project audit results were received by the client, especially as the project was still in progress. The Head of Internal Audit replied that, instead of making recommendations, findings have been objectively reported. The ones that best fitted the idea of the client were implemented in the project. One of the participants asked how to address points such as "the leadership style was not a good influence on the progress of the project". The presenter explained that it is key that the auditee understands the source of the finding and that the auditor is able to provide solid examples to substantiate it. By doing this, the auditor shows his understanding of the project and project management style.

Another question was posed about the risk of being too close to the project. This is a potential pitfall: being so closely involved that you become blind to risks. The Head of Internal Audit agreed that this is a risk that you have to take into account, but that he sees a difference between auditors: there are auditors that come and go, and there are auditors that come, analyze and are of value for the organization. Thorough knowledge and understanding of the company is key.

BEAM allows auditors to audit people and the organization as a collective group of people. This can be quite politically charged. Therefore, good interpersonal skills are critical, and auditors should always be conscious of professional skepticism. Since the behavioral questions asked are likely to be confrontational, the level of honesty and transparency should be constantly considered. A professional attitude should be maintained with the client. Discussions should be purely business and control focused and should not get too personal.

After the interesting presentation by the Head of Internal Audit of a maritime organization and the discussions during the presentation, the participants were asked for ideas for a next session for NextGen Internal Auditors. The participants mentioned the following topics, which Ernst & Young will make sure to address in their future IA Roundtables:

- How can auditors in public organizations perform audits that help the organization in reaching their strategic objectives?
- Can we gain insights from a benchmark on maturity models linked to IA practices?
- What are the required skills for becoming an Internal Audit director?
- How can we make the audit process more efficient?
- Soft controls: having a more in-depth focus on working with different cultures. How to relate soft controls to an international / national scale?
- How can IA provide additional value to risk management?
- How can IA mirror, reflect or communicate their insights through audits?
- What is the best way for collaboration between different audits to provide an improved integrated audit to the client?

Concluding, the Head of Internal Audit of this maritime organization showed us that auditing soft controls (in project management audits) can be viewed as follows:

1. In the risk assessment all aspects that could be of importance for the project to succeed have to be taken into account.
2. Within these aspects, less tangible ones are likely to be found. These could be referred to as 'soft controls'.
3. However, audits should not be just focused on these soft controls, but on controlling the hard and the soft aspects.

Birgit Stein MSc
Senior Advisor +31 88 4078583 birgit.stein@nl.ey.com

Maarten van Gerner
Senior Advisor +31 88 4071771 maarten.van.gerner@nl.ey.com

Tonny Dekker RA
Partner +31 88 4071004 tonny.dekker@nl.ey.com


Ernst & Young Assurance | Tax | Transactions | Advisory


About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential. Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

© 2012 Ernst & Young LLP. All rights reserved.

www.ey.com/nl
