Ethics is the foundation of any successful organization and internal audit has a key role to play by auditing the organization’s ethical program.
Ethics is all about behavior, choices and doing what is right.
Internationally there have been developments around ethics and how organizations handle this. Many multinational companies have, over the past few years, appointed a senior executive with the responsibility for promoting ethical behavior throughout the company. While such appointments are more common in the United States than the rest of the world, this does not mean that ethics is not one of the priorities of a company. The ‘Tone at the Top’ is all about the board, chief executive officer and senior executives demonstrating their personal commitment to ethical behavior.
Ethics is the basis of good governance and ultimately the basis for the success of an organization. The lack of ethics can be safely described as the reason for many high profile corporate fraud cases.
Most organizations have a code of ethics for their workforce which prescribes expectations of the behavior expected of employees. In some cases, the code of ethics extends to consultants, contractors and suppliers. However, a robust ethics program is more than just a code of conduct; it also includes policies, regular communication, response protocols for ethical violations, etc. Regardless of who is responsible for the ethics program, the effectiveness is not always assessed. Therefore an audit of ethics becomes important to provide an independent view on the state of the organization’s ethics program.
The Role of Internal Audit
Internal auditors have often avoided the challenge of auditing ethics because it is difficult. Far easier to do a simple compliance or financial audit where hard controls are easier to audit than soft controls. However, the International Standards for the Professional Practice of Internal Auditing (The Standards) issued by the Institute of Internal Auditor (IIA) state that (Standard 2110.A1):
“The internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.”
In 2011, as part of a global IIA survey, a research report1 showed that ethics audits were one of the top five topics for internal auditors to focus on over next five years. These results were fairly consistent across the type of organization (private, publically listed or government) and its location. Surprisingly, the region with the highest percentage of respondents expecting ethics audits to be performed in the next five years was the Middle East.
The Scope of an Ethics Audit
The IIA Practice Guide ‘Auditing Ethics-Related Programs and Activities’2 states that the four pillars of organizational governance are the board, management, internal audit, and external audit, and that ethics is an integral part of this organizational governance structure. This means that any assurance provided around governance needs to take into account ethics. Internal audit needs to audit ethics in order to provide an opinion to the audit committee and senior management on its effectiveness.
An audit of ethics should at least cover the following:
- Tone at the top – commitment of the board and top management to ethics.
- Ethical principles – how well these are adhered to by all levels of the organization, including stakeholders and suppliers.
- Risk management – recognition of the need for risk management and effective implementation of risk management throughout the organization.
- Information – availability of information relating to ethical conduct such as a documented ethical program, awareness activities, and breaches of ethical guidelines.
- Sharing – active sharing of information relating to the ethical program and its results.
- Alignment – risk management alignment with the organization’s ethical culture.
Key Considerations to Auditing Ethics
There may be several approaches to take when carrying out an ethics audit such as reviewing ethics policies and procedures, reviewing the work of the ethics or compliance department or surveys / interviews with employees. Regardless of the approach taken, there are several considerations that should be taken into account:
- The audit committee should identify specific ethics-related issues on which to focus. In some settings, the committee may decide to conduct a comprehensive ethics audit. In other organizations, the committee may focus on specific ethical issues that are especially important in those settings.
- An audit of ethics needs to be risk-based and based on a risk assessment. The internal auditor must establish the key risks to the organization’s ethics program which will help to focus the audit objectives.
- Realistic audit objectives need to be set, which are likely to include such things as whether:
- There is compliance with laws, regulations and policies.
- The organization has a documented ethics program and adequate means of measuring its effectiveness.
- There has been effective implementation of the ethics program.
- Breaches of the ethics program have been properly investigated and adequate sanctions imposed on offenders.
- Lapses in ethical behavior have an impact on the efficiency, effectiveness and economy of business operations and, if so, what is the impact on the organization.
- Assets are properly safeguarded from unethical conduct.
- Opportunity for fraud and corruption is minimized.
- Determine how to audit controls around ethics:
“Internal auditors should help a company improve its ethical culture”
- Tone at the top from the board, chief executive officer and senior executives.
- Employee awareness.
- Assurance regimes to identify unethical conduct and its impact on the organization.
- Code of conduct and treatment of breaches.
- Reporting arrangements for alleged unethical conduct.
- Investigation protocols and if these are independent.
- Effectiveness of whistleblower mechanisms and treatment of whistleblowers.
- Report the audit results without fear or favor to the audit committee and senior management.
- Monitor and follow-up to ensure recommendations are effectively implemented and meaningful change occurs in a timely way.
The IIA’s Practice Guide2 gives more guidance on how to audit ethics and to evaluate the maturity of an ethics program.
7 Elements of a World Class Ethics Program
In a maturity model2 provided by the IIA, the following elements are considered to be an integral part of a world class ethics program (not a comprehensive list):
- Detailed guidance on key components of the Code of Ethics including the use of an anonymous reporting hotline.
- Periodic surveys of employees to understand perceptions on the organization’s ethical climate.
- Review of disciplinary action in response to ethical violations takes place by an independent party to ensure consistency.
- Openly praising employees for demonstrating ethical conduct.
- Regular communication on the importance of the code of ethics and reporting on the ethics program in the company’s annual report.
- Investigations are conducted by experts in accordance with a defined investigation protocol.
- Ethics related metrics are included as part of an employee’s performance goals.
Conducting an ethics audit requires a team effort as well as a clear definition of ethical behavior. Auditing ethics is not only required by the IIA’s Standards but it is essential for the overall health of the organization. Even though there is no “one size fits all” approach to auditing ethics, the internal audit department should still take steps to audit the ethics program. Just because it is a difficult audit to do is no reason to ignore it especially when the risk of not carrying out an ethics audit can be severe.
- What’s Next for Internal Auditing?, The Institute of Internal Auditors Research Foundation (2011)
- The Institute of Internal Auditors’ Practice Guide: Evaluating Ethics-Related Programs and Activities (June 2012)
AlShareef Marwan AlKhouli, CPA, MBA, CPA, CFE, CPM, CRA, CRP, CFC is General Manager – Head of Internal Audit Group at Oman Arab Bank .