Hard internal controls, such as procedures and segregation of duties, are traditionally the first line of defence against business risks such as fraud and misconduct. Research has demonstrated, however, that simply increasing the number of rules when new risks or incidents are detected results in risk and control frameworks becoming so large that they can become counterproductive and cease to be effective. Creating too many rules may have the effect of taking the responsibility and initiative for identifying fraud and misconduct away from people. Consequently, something other than the traditional rules-based approach is needed to ensure that organisations continue to retain effective risk and control frameworks.
Soft controls and their related instruments can play an important part in making internal control systems more effective. Whilst hard controls tend to be formal, objective and quantitatively measurable, soft controls tend to be informal, subjective and intangible. Soft controls relate to the culture: the way people do their work to meet the objectives of the organisation; hard controls relate to the processes and activities those people do.
Business risks, including fraud, can never be completely eliminated. Because hard controls and systems are static whilst the environments in which organisations operate are constantly changing, some risks, or their effects, can never be effectively managed simply by having proper procedures and systems. For an organisation to effectively manage its fraud risk, both hard and soft control environments should be strong. Hard controls alone do not fully mitigate fraud risk and, indeed, there is a tipping point at which additional hard controls become counterproductive as individuals seek to override the controls because they believe that the controls inhibit the way they operate.
Fundamental to every organisation is the behaviour of its employees and management. The culture and attitudes of staff impact upon the effectiveness of internal controls. Most investigations highlight that systems and processes were in place to prevent fraud but the controls were weakened and made ineffective by the culture within the organisation.
In organisations where hard controls have been rationalised or decreased due to changes in the business or because of budgetary constraints, the soft control environment plays a greater part in managing fraud risk.
Soft control instruments include areas such as training, performance reviews, whistle-blower guidelines, codes of conduct and general awareness raising. These are all tools which organisations can use to influence and promote certain behaviour.
Soft controls affect the performance of individuals within their organisation, their personality and beliefs, and include measures affecting motivation, loyalty, integrity, inspiration and values. Broadly, soft controls encompass the culture and attitudes of an organisation.
Organisations are increasingly becoming aware of the impact that an effective soft control environment can have upon their overall risk framework. KPMG research has identified the following to be eight key soft controls for organisations to consider:
Key Soft Controls:
- Clarity: Is the desired organisational behaviour clear to management and employees?
- Role Modelling: Do senior management lead by example and "set the tone from the top" in terms of demonstrating the desired organisational behaviour?
- Achievability: Is there sufficient time, information, capacity and resources to achieve an organisation's aims?
- Commitment: Do management and employees actively endorse and uphold the organisation's interests?
- Openness: To what extent can employees discuss ethical dilemmas within the organisation?
- Transparency: Is employee behaviour and its subsequent impact upon the organisation sufficiently visible?
- Comfort to report misconduct: Do management and employees feel comfortable reporting incidents of misconduct?
- Enforcement: To what extent are employees punished for irresponsible behaviour and rewarded for responsible behaviour? To what extent are lessons learnt from incidents and fed back into the business?