Unlike clearly defined internal controls, “soft” controls are subjective, intangible, and hard to audit, according to a recent issue of Credit Union Directors Newsletter.
“Best Practices: Evaluating the Corporate Culture,” published by the Institute of Internal Auditors Research Foundation, considered organizations’ creative practices meant to ensure soft controls’ success.
- Integrity and ethical values;
- Commitment to competence;
- The structure of reporting relationships;
- Employee motivation; and
- Information flow throughout the organization.
Also important are the extent of board or audit committees' understanding of the organization, management leadership, and efforts to establish mutual trust in the workplace.
Past results indicate the need for assessing the integrity of soft controls. “It’s essential to provide management and the board assurance that the organization won’t join the ranks of those that have been brought to their knees by lagging ethics and a weak corporate culture,” the auditing group says.
But business units can still create a contradictive subculture even if executive management models good ethics. This magnifies the difficulty of assessing soft controls in determining whether a gap exists between stated and actual corporate values.
Some guidelines on reporting and evaluating soft controls:
- Require formal reports so long as an adversarial relationship isn’t created with audited managers.
- Auditors must provide persuasive evidence, express their perception to the responsible manager, and allow individuals to fix the situations without involving upper management.
The report calls Enron the “worst practice” example. Its formal governance structure seemingly was strong, but the information communications and management behavior created a culture almost diametrically opposed to its stated values.
An internal audit department evaluating soft controls likely would have identified the gaps between declared corporate values and values actually practiced.