By Richard F. Chambers – President & CEO, The Institute of Internal Auditors
There is never a right time to relax on ethical behaviour. Recent headlines provide ample proof of the consequences of leaving open even a tiny window of opportunity. Human nature has shown time and again that, in the right (or wrong) circumstances, even smart people can do dumb things and good people can behave badly.
Commitment to ethics must be more than a once-a-year ‘ethics day’, with a picnic and a brief chat from the CEO. It requires constant attention, regular activities and ongoing follow-up, all focussed on expectations of zero defects in ethical behaviour. It starts with setting the tone at the top: ethical conduct modelled by the board and senior management and expected of employees at all rungs of the organisational ladder. So important is tone at the top that I believe a tone that is strong but inappropriate can undermine even valid, well-crafted internal control processes and policies.
Boards and executives have a leading role to play in ensuring the right plans are in place before and after an ethical misstep and internal audit can provide strong support.
Why internal audit?
It is no surprise that I would advocate for the benefits that internal audit can bring to many facets of business, including ethics. I am an internal auditor by training and experience and I now lead The Institute of Internal Auditors (IIA), the world’s largest organisation of internal audit professionals.
The IIA takes ethics seriously; in fact, the organisation requires adherence to a Code of Ethics to be a member and to hold its certifications. The IIA’s Code of Ethics is built on four pillars that define the behaviour expected of those engaging in internal audit activities: integrity, objectivity, confidentiality and competency. Internal auditors who perform their duties in alignment with these pillars build trust with audit clients, inspire confidence in the validity of their findings, avoid conflicts of interest and communicate the results of their work with transparency and empathy.
This standard of behaviour is critical because of the role internal audit plays in most enterprises’ whistle-blower programmes. In many cases, internal auditors uncover evidence of ethical breaches during regular or management-requested audits. In addition, internal audit is often responsible for the enterprise’s whistle-blower programme, a duty sometimes shared with the legal and/or compliance functions. Even in enterprises where internal audit does not manage the whistle-blower programme, it generally receives copies of all complaints (the most common exception being HR-related issues).
An efficient and effective internal audit function is crucial for enhancing and protecting organisational value – value that can be quickly and, potentially, permanently eroded by ethical breaches.
Before an ethical breach
Establishing an ongoing ethical awareness and response programme is similar to holding certain insurance policies: we buy them and keep up the payments in the hope we will never need them, but appreciate their value when we do. Waiting until after a breach happens to get started on creating an ethics programme is, at best, too little, too late. At worst, it may reflect a dereliction of governance responsibility.
Ethics programmes vary by organisation, but they generally specify a need for board oversight, management responsibility, written policies and procedures, risk assessments, training, monitoring, reporting and corrective actions. The following are some activities that can underpin the ethics programme and support enterprise preparedness.
Set up a defence-in-depth structure
Organisations that are serious about addressing risks, including those that accompany ethical breaches, know better than to rely on only one safeguard. They implement risk-based controls designed to prevent the occurrence of ethical misbehaviour (the first line of defence is business line management, responsible for setting, communicating and modelling desired behaviour). If those controls break down, internal monitoring should detect it (the second line – the management and oversight function, which monitors risk and compliance and provides advice to the first line). Finally, internal audit (the third line, which evaluates adherence to the organisation’s standards and its corporate culture) must have the authority to report the issue directly to the board. Some enterprises consider senior management and the audit committee as fourth and fifth lines because of their responsibility for ensuring the other three lines are established and working smoothly.
When the three (or more) lines work together effectively, the enterprise has a fighting chance to avoid a whistle-blower situation.
Ensure a relationship of trust between the audit committee and the chief audit executive (CAE)
The CAE is the ranking staff member responsible for internal audit and the audit committee is the board’s eyes and ears relative to audit issues; therefore, their relationship must be built on complete trust. In other words, the audit committee must feel secure that the CAE will bring forward any significant risk and the CAE must believe that problems surfaced will receive appropriate attention and action by the audit committee. They must share the conviction that no part of the organisation is off limits to internal audit.
This may seem obvious, but it is not universally practised. A recent Internal Audit Foundation survey of nearly 15,000 internal auditors worldwide, from staff to CAEs, reported shocking evidence of a betrayal of trust: a global average of 23 per cent reported receiving pressure at least once to modify or suppress audit findings (an additional 11 per cent ‘preferred not to answer’). Especially dismaying was the fact that, among those who reported being pressured to change an audit report, 43 per cent indicated that the pressure came from the CEO, the board, the audit committee, or legal/general counsel.
Build employees’ trust of internal policies (especially the whistle-blower policy)
Most organisations would prefer that employees report suspected issues internally for investigation and remediation, rather than marching straight to an external agency with whistle in hand. Yet, companies sometimes overlook a defining factor in ensuring that outcome: building employees’ trust in the company’s policies. When employees trust the company, they feel confident that their concerns will be heard, respected and acted upon and they will suffer no negative ramifications for speaking up. If they sense they will not be heard or their career growth will be affected, they may feel the need to go public.
So, how can employee trust be fostered? First, ensure that the whistle-blower policy clearly treats whistle-blowers as concerned, diligent employees, not ‘snitches’. Second, make it a regular practice to talk about ethics. Board members, executives and management should openly discuss ethical complexities that may arise in a work environment, treat ethical behaviour as non-negotiable, show respect for differing opinions and acknowledge examples of ethical conduct.
Go beyond hotlines
While company hotlines are a common means by which employees can report a concern, they are not the only way to uncover potential ethical issues. Watch for comments posted on Facebook, Twitter, or other platforms. Investigate relevant remarks made by employees in their exit interviews. Pay attention to anonymous emails or calls that suggest the existence of an ethical issue. Make it easy and comfortable for employees to walk into the internal audit department, or security, or human resources to discuss a problem.
Communicate the whistle-blower process
When the whistle sounds, the response plan must be executed immediately, effectively and entirely. This happens only when all parties understand the process well in advance. Employees should be informed how to report, to whom to report and what will happen after the report. Responders must know what to do and whom to involve. Boards need to know there is a programme in place to protect the enterprise and they should be provided with periodic reporting on the status of investigation and remediation activities.
After an ethical breach
Despite the most thorough and well-vetted plans, the most open and consistent communication and the most effective training, an ethical issue may still arise. So, policies must clearly outline what happens next. The following are a few suggestions.
Start strong
Any process that involves multiple steps, departments and individuals is likely to contain many critical junctures at which something can go wrong. The first and perhaps most important of these junctures in an ethics response plan is triage, in which the organisation hears a new allegation, sorts through the details and decides how to respond. Making good decisions requires an understanding of the legal, accounting and reputational implications of the reported misdeed – a breadth of knowledge that may be beyond the capacity of just one person. For that reason, some enterprises appoint a committee to perform triage, bringing a more diverse perspective to the decisions needed.
Call in internal audit
Because of their everyday activities, internal auditors generally have a working understanding of all parts of an organisation. Couple that with their independence and objectivity and they are well-suited to handle allegations competently and confidentially. As mentioned earlier, in many organisations internal audit ‘owns’ the whistle-blower programme or is engaged in its review and evaluation, so it is a natural fit for the board to rely on internal auditors for assurance that the programme’s policies and procedures are applied appropriately when an instance occurs.
Remain alert
Despite the natural desire to breathe a sigh of relief and relax after an ethical incident is remediated, it is critical to continue diligently executing the programme. There are many things a board can do to ensure a continued focus. Ensure that the whistle-blower programme’s policies are reviewed on a regular basis and updated as needed to reflect changes in the enterprise’s culture, industry, technology, business model, or laws and regulations. Demand frequent reporting on ethics programmes and activities (perhaps a dashboard that reports information, such as ethics violations, hotline calls and customer complaints). Ensure that ethics and other culture-related issues appear regularly on board and audit committee agendas. Build executive compensation packages and reimbursement policies that discourage ethical breaches. Review selected messages the CEO sends to the employees; do they emphasise the importance of ethical behaviour and assure a blame-free environment for those who raise concerns?
Addressing ethics through a focus on culture
In addition to the suggestions I have already described, I have a recommendation I feel certain will improve every enterprise’s ethical position and it is an activity that boards can single-handedly bring about: charge internal audit with the responsibility to audit organisational culture. The culture within an enterprise is the petri dish in which ethical failures grow or wither. Assessing it is a proactive step to ensure behaviours match expectations – from the corner office to the loading dock.
Many internal audit teams include a review of culture as part of the annual audit plan’s scheduled activities. However, in cases where a risk-based evaluation has identified an area of special concern, internal audit may perform a specific audit outside the annual plan. Regardless of the approach, the effectiveness of culture audits depends on the board’s and audit committee’s vocal support of internal audit’s efforts and expectation of full staff cooperation.
Surveys can be useful inputs to culture audits. A survey may consist solely of ethics and culture-related statements, such as ‘I have received ethical training for my position’, to which employees respond using a scale from ‘strongly agree’ to ‘strongly disagree’. Or, an organisation may simply include some culture and/or ethics questions in an already existing enterprise-wide employee survey.
Negative survey responses should be investigated by internal audit to determine whether there is corroborating evidence. Evidence found should be reported to the board, along with recommendations for improvement. If no corroborating evidence is found, the outcome should be reported to appropriate management. The negative response may reflect a misunderstanding of the processes in place, which management can correct via clear, direct communication.
Sadly, it is unlikely that an organisation can eliminate ethical missteps entirely, but awareness, engagement by the board and audit committee, preparedness and a well-crafted response plan can certainly create a hostile environment for them.
About the Author:
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, is president and CEO of The Institute of Internal Auditors (IIA), the global professional association and standard-setting body for internal auditors. Chambers has more than four decades of internal audit and association management experience, mostly in leadership positions. Accounting Today named him one of the Top 100 Most Influential People in Accounting and he has been named one of the most influential leaders in corporate governance by the National Association of Corporate Directors (NACD). Chambers has authored two award-winning books: Trusted Advisors: Key Attributes of Outstanding Internal Auditors in 2017 and Lessons Learned on the Audit Trail in 2014.