Auditing Soft Controls - Perspectives From NextGen Internal Auditors

  • 7/30/2019 Auditing Soft Controls - Perspectives From NextGen Internal Auditors

    Introduction

    Ernst & Young Advisory hosted a Roundtable on soft controls in their Amsterdam office. According to theory, soft controls can be viewed as all controls that cause employees and management to behave in the way that the organization considers desirable and are typically not directly observable. Examples of soft controls include behavior, tone at the top, morale and motivation.

    By considering behavior as an important aspect, process improvements are more likely to become embedded into an organization's culture and to be sustainable over time. However, internal auditors still struggle with the definition of soft controls and how to take these into account when performing audits. This led to an interesting discussion between NextGen Internal Auditors representing various industries, such as the financial, energy, retail, consumer products, technological and public sector.

    The Internal Audit Roundtable is part of a series of recurring events and aims to provide a platform for companies to collaborate with peers. The goal is to identify, through deliberations, practical step change solutions that can contribute towards maximizing the value that organizations can derive from their investments in managing risks.

    During the Internal Audit Roundtable, the Head of Internal Audit of a large maritime organization illustrated auditing soft controls by discussing the risks involved in a project at the company using the Agile Scrum Method. This project management technique focuses on people and interactions, cooperation with the client, continuous improvement, direct communication and dealing with change. It differs from techniques we are more familiar with because it does not involve tools and processes, negotiating contract terms, sticking to a plan and clear and concise documentation.

    The first impression of an Agile Scrum project is pure chaos; while the project time and budget are fixed, milestones are defined and monitored quite differently compared to normal projects. As a consequence, none of the traditional project management tools seem to apply to this method and it is difficult to identify what to audit and which audit techniques to use.

    An internal auditor from the consumer products sector mentioned that she had experience with auditing projects that were based on the Agile Scrum Method. She experienced challenges similar to those mentioned by the presenter relating to the fixed time and budget combined with the undefined tasks to fill these.

    Additionally, the audience was wondering how such a project could be approached in terms of structure: when auditing the project, are there any controls or norms which assure the outcome?

    The presenter explained the audit approach and the way that the risk assessment was conducted. This risk assessment also included a review of less tangible risks and led to the identification of a number of (soft) risks:

    • Implementation of an inappropriate style of leadership;
    • Insufficient participation of users;
    • Inadequate communication within the team between users and developers;
    • Insufficient management of expectations with the environment.

    The NextGen Internal Auditors wondered if these weren't typical project risks. The presenter agreed, but found it important to illustrate the difference with usual project risks by showing that these could not be audited by reviewing clear documentation and checking compliance with guidelines:

    During their audit, the internal auditors of this organization were not able to look at the adherence to guidelines by the project team members and scan through documentation, but they needed to take into account the softer aspects of an audit, such as:

    • Audit the project through direct observation instead of by ticking and tying the project documentation;
    • The skills of the project manager and the project employees;
    • Communication in and about the project;
    • The cooperation within the project team;
    • Involvement, support and ownership;
    • Stimulation of creativity.

    In order to do this, the internal auditors needed to assess elements such as: "Do people listen to each other?", "Is the project leader facilitating for the entire team?", "Do the team members stimulate each other?", and "Are people able to think of simple and creative solutions?".

    The internal auditors tried to discover key values inherent to a successful Agile Scrum Method: creativity, simplicity, honesty, equality, succeeding together, responsibility and independence.

    In order to provide assurance over this project management technique, the internal auditors used the following audit techniques:

    • Interviews;
    • Surveys;
    • Observations on site (a lot of observations on site!).

    In summary, the project was audited mostly through direct observation instead of by ticking and tying project documentation and reviewing milestones. The visible behavior that could be observed consisted of the following aspects:

    • Do people listen to each other?
    • Is there room for feedback for everyone?
    • Do people meet agreements?
    • Do the team members keep each other focused?
    • Does the team also have fun with each other?
    • Are team members able to come up with simple and creative solutions?

    The status of soft controls

    Behavioral Engineering Auditing Model (in short BEAM) is Ernst & Young's behavioral auditing model that has the capacity to strengthen knowledge about how people impact an organization's risk profile to head to a more progressive internal audit. Through an analysis of behavioral and cultural issues, this approach seeks to provide a fresh insight into current control problems and provides a more refined and practical approach to deliver recommendations and improvement areas.

    The model is applied to more appropriately inform and assess changes in an organization's risk and control framework, including the implementation of processes and control recommendations arising from Internal Audit projects.

    The BEAM Framework consists of 6 human and organizational categories, and over 130 key areas of strong cultural behavior are used to isolate behavioral characteristics and recommendations or actions for transformation from technical/design actions. The diagram below illustrates each of the 6 categories and 23 of the more than 130 key areas impacting on behavioral performance.

    [Diagram: BEAM success factors]

    Organizational factors
    1 Information: Vision and objectives; Expectations; Standards; Feedback
    2 Resources: People; Time; Organization structure; Equipment; Tools; Systems
    3 Incentives: Positive and negative reinforcement; Career development; Salary increases; Sanctions

    Individual factors
    4 Competencies: Skills; Knowledge; Training
    5 Application: Walking the talk; Coaching; Embedding learning
    6 Motivation: Commitment; Affiliation; Achievement

    An organization's control environment is only as good as the behaviors and culture of the personnel responsible for applying the controls.

    Just having the best designed control process is not enough when people are prepared to bypass those controls because of work or performance pressure, results pressure or even ambivalence or cultural issues. Ultimately, culture is defined by behaviors so the best way to assess the control environment is to look at behaviors. Examples may include:

    • Delegations of authority are in place (the design is good), but if people don't escalate or act on breaches (the behavior is unwanted), then the control is not working and it won't work until the behavior changes;
    • There are controls in place to prevent early revenue recognition but the control owner has a bonus target based on sales. The control may be designed well, but the control owner has an incentive to not perform the control.

    Organizational factors (information, resources and incentives) are extremely important as these are the aspects of an organization that leaders can control, and are therefore the best place to focus initial efforts. The tone must be set from the top, with the right incentives in place. If this does not happen, even with all other factors in place, behavior will not change.

    Individual factors (competencies, application and motivation) are much harder for an organization to influence. However, competencies in some cases/organizations will be easily influenced through training as they are largely under the control of individuals. Whilst it could be tempting to focus on these components, it is important to note that all components are interconnected. If you get the organizational factors right, the individual factors fall into place.

    Fieldwork techniques

    The BEAM Framework describes several techniques in performing fieldwork.

    1. Ask open ended questions

    A person who is uncomfortable answering open-ended questions either does not understand the question or does not want to answer the question. Furthermore, open ended questions can lead to long answers; therefore it is important to filter information so that it is relevant. To make answers brief, be specific when asking questions.

    2. Consider written documentation

    Behaviors can also be displayed through written communication/work output. Language can say a lot about individual attitudes. Documentation, and how it is maintained, may also evidence behavioral issues. For example, a lack of documentation sign off in accordance with policies and procedures could mean that either the individual does not understand the purpose and therefore importance of sign off, or the individual is not confident to sign off as they do not want to be held accountable/failure to accept accountabilities.

    3. Informal communication factors may also be important

    Communication styles and frequency to assess impact on job security or the creation of other uncertainties in the work force may lead to ambivalence or malice. Informal KPIs being established (such as false deadlines) may force behaviors to circumvent controls.

    Birgit Stein MSc, Senior Advisor

    Maarten van Gerner, Senior Advisor

    Tonny Dekker RA, Partner

    The audience was wondering how the first project audit results were received by the client, especially as the project was still in process. The Head of Internal Audit replied that instead of making recommendations, findings have been objectively reported. The ones that most fitted the idea of the client were implemented in the project.

    One of the participants asked how to address points such as "the leadership style was not of a good influence on the progress of the project"? The presenter explained that it is key that the auditee understands the source of the finding and that the auditor is able to provide solid examples to substantiate these. By doing this, the auditor shows his understanding of the project and project management style.

    Another question was posed about the risk of being too close to the project. This is a potential pitfall: being so closely involved that you become blind to risks. The Head of Internal Audit agreed that this is a risk that you have to take into account, but that he sees a difference between auditors: there are auditors that come and go, and there are auditors that come, analyze and are of value for the organization. Thorough knowledge and understanding of the company is key.

    BEAM allows auditors to audit people and the organization as a collective group of people. This can be quite politically charged. Therefore, good interpersonal skills are critical and auditors should always be conscious of professional skepticism. Since behavioral questions asked are likely to be confrontational, the level of honesty and transparency should be constantly considered.

    A professional attitude should be maintained with the client. Discussions should be purely business and control focused and should not get too personal.

    Concluding, the Head of Internal Audit of this maritime organization showed us that auditing soft controls (in project management audits) can be viewed as follows:

    1. In the risk assessment all aspects that could be of importance for the project to succeed have to be taken into account.
    2. Within these aspects, less tangible ones are likely to be found. These could be referred to as 'soft controls'.
    3. However, audits should not be just focused on these soft controls, but on controlling the hard and the soft aspects.

    After the interesting presentation by the Head of Internal Audit of a maritime organization and the discussions during the presentation, the participants were asked for ideas for a next session for NextGen Internal Auditors. The participants mentioned the following topics, which Ernst & Young will make sure to address in their future IA Roundtables:

    • How can auditors in public organizations perform audits that help the organization in reaching their strategic objectives?
    • Can we gain insights from a benchmark on maturity models linked to IA practices?
    • What are the required skills for becoming an Internal Audit director?
    • How can we make the audit process more efficient?
    • Soft controls: having a more in-depth focus on working with different cultures. How to relate soft controls to an international / national scale?
    • How can IA provide additional value to risk management? How can IA mirror, reflect or communicate their insights through audits?
    • What is the best way for collaboration between different audits to provide an improved integrated audit to the client?

    Ernst & Young

    Assurance | Tax | Transactions | Advisory

    About Ernst & Young

    Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.

    Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.

    2012 Ernst & Young LLP. All rights reserved.

    www.ey.com/nl