control, and governance
control, and governance
A Groundswell of Risk
Blogs, social networks, and other Internet services can rapidly broadcast news about an organization’s ethical lapses worldwide — and create opportunities to demonstrate good corporate behavior.
Carlo Patetta Rotta, CIA, CFE, CISA
Senior Internal Auditor
Eisai Europe Ltd.
Since the 1990s, the Internet has been used to blow the whistle on companies’ bad working practices and their failure to fulfill social responsibilities. The worst cases have spawned campaigns against corporations judged to have behaved unethically. For example, since 1977 people in several countries have boycotted Nestlé products due to concern about the company’s marketing of breast milk substitutes, which campaigners claimed contributed to child fatalities, particularly in the poorest countries. When the Internet became popular in the 1990s, the number of campaigners grew exponentially and, as a consequence, Nestlé’s sales were seriously impacted. More recently, in 2007, Mattel initiated a recall program to withdraw toys from the market after news spread through the Web that it had sold millions of toys produced in China that were unsafe and could have caused child fatalities.
This kind of social auditing via the Internet is constantly exerted by millions of individuals around the world. Today’s organizations are under greater pressure than before to demonstrate that they haven’t merely adopted a code of conduct or some defined business principles, but also that they actually have put them into practice in their daily activities.
With the advances in Internet technologies and services, such as blogs and social networks, internal auditors have a more prominent role to play in ensuring that a true ethical culture is in place within their organizations. Auditors should be aware that cases of unethical behavior could be amplified greatly on the Internet. The risk that Internet users will perceive the organization as not compliant with generally recognized ethical values could be high: Declining sales, plunging share values, and a ruined reputation could threaten the organization’s very existence. On the other hand, if the organization is perceived to be ethical, the Internet can provide an inexpensive, powerful channel for promoting its products and strengthening its corporate image.
THE SOCIAL MEDIA IMPACT
In the past, organizations of all sizes and nationalities could publicly declare their willingness to apply recognized ethical values, while in reality acting in a much more contradictory manner. The Enron case illustrates how a corporation could act in complete contrast to its code of conduct and officially stated business principles. At the time of the financial scandal in 2001, the U.S. energy company had adopted a 64-page code of conduct, which was distributed to all employees together with an introductory letter from Chairman and CEO Kenneth Lay. In the last paragraph of the letter, Lay stated, “We want to be proud of Enron and to know it enjoys a reputation for fairness and honesty and it is respected.”
In recent years, the Internet has become more sophisticated in terms of the way people communicate and how they exchange opinions, ideas, and advice. What corporate executives publicly declare about their organizations is no longer relevant. What matters is how the public perceives these organizations are conducting business.
In Groundswell: Winning in a World Transformed by Social Technologies, authors Charlene Li and Josh Bernoff of research firm Forrester Research in Cambridge, Mass., coined the term groundswell to describe new Internet-based communication technology. According to the authors, “The Groundswell is a social trend in which people use Internet technology to obtain the things they need from each other, rather than from traditional institutions like corporations.” In essence, the groundswell comprises applications that are becoming more and more diffused among Internet users:
- Blogs provide the opportunity for anyone to start a discussion on a selected topic and take questions and receive comments from other users.
- Forums are similar to blogs, but are more interactive, fostering “many to many” communication.
- Social or business networks are Web sites, such as Facebook or LinkedIn, that establish communication channels, or a virtual community, among individuals.
- Feeds are applications that provide users real-time updates of the content from a specific Web site or Web page. For example, subscribers to a Financial Times feed receive that day’s main headlines on their desktop every time they launch their browser.
- Tags are labels that identify a piece of information, such as a photo or a file, enabling it to be retrieved quickly.
- Review and rating systems enable people to comment on and rate products and services over the Internet, allowing individuals to make comparisons.
The important consequence of this social media phenomenon is a shift of power from organizations to people connecting on the Web. In the Mattel defective toy case, the company’s management officially apologized to the Chinese people after it discovered that the problem was a design issue caused by the company, instead of a Chinese production failure as was initially reported. In the wake of this apology, a group of bloggers posted these comments on the U.S. News & World Report Web site in February: “If Mattel [is] being a responsible company, it should test their products before selling them. The testing should include paints and safety. Instead, they released the product without good quality control. To that part, they should apologize for their negligence to consumers and producers. … These cases reveal how vulnerable our consumers are. Corporations are focused on their profits, not their consumers (or the low-wage workers in China).”
NEW AUDIT RESPONSIBILITIES
From an ethical point of view, the Internet allows a free society to influence the behavior and ethics adopted by organizations. The fact that companies and institutions feel social pressure to be ethical is a positive aspect that will benefit society in the long term. At the same time, internal auditors’ responsibilities have increased in combination with the spread of new Internet social media. These new responsibilities derive from certain threats that the Internet could pose to their organizations and concern the advice auditors are expected to provide to their boards in an attempt to mitigate them. Auditors must consider two specific threats: malicious comments and incorrect information.
Malicious Comments Not all individuals on the Internet behave legitimately. User comments about an organization could come from envious competitors, dissatisfied employees, or unhappy suppliers and, hence, originate from negative feelings.
Internal auditors play an important role in ensuring that the organization is behaving ethically and thus is better positioned to defend its actions and reputation against malicious comments. Auditors can help ensure that the organization complies with laws and regulations and is perceived to behave ethically in any circumstances by:
- Contributing toward establishing a company culture that is in favor of ethics and where compliance with laws and regulations is a vital success factor for employees in advancing their careers within the organization. How senior management is portrayed in its daily activities becomes pivotal. Ethics should become a significant component of its leadership.
- Convincing the board to set up an ethics and compliance department responsible for ensuring that the organization complies with laws, regulations, company policies and procedures, and ethical standards or code of conduct. The department should be managed by a chief ethical officer, or chief compliance officer, who reports directly to the board and is consulted whenever the organization faces any ethical dilemmas.
- Including ethics audits in the audit plan. This type of audit should focus on aspects of processes that could constitute an unintentional temptation for employees and management to commit unethical actions. Essentially, these are processes where the controls are not in place or are not functioning appropriately, leaving room for employees to perpetrate fraud. Purchasing would be a typical area to investigate in an ethics audit.
- Ensuring that a whistleblowing procedure has been set up that allows employees and external parties, such as clients and vendors, to highlight any ethically questionable situations anonymously so that the compliance group or internal auditing can take remedial actions.
In addition to these steps, internal auditing can recommend that the compliance group performs internal surveys to monitor how the organization is perceived by its employees from an ethical perspective. Employees are best placed to indicate the ethical behavior of their employer. The results of these surveys may provide useful information that internal auditors should include in their audit planning process along with a wider risk assessment.
Genuine comments based on incorrect information Another threat occurs when Internet users exchange wrong or misleading information about an organization. This can greatly damage the organization’s good reputation and, in the worst cases, can lead to its bankruptcy.
In the 1980s, Dow Corning was accused of producing breast implants that caused complications to women’s immune systems and, in some instances, breast cancer. When the news spread through the Internet, it caused a drop in sales that, together with the legal costs of several lawsuits, forced the company to file for bankruptcy. However, several large, independent reviews of the scientific literature have indicated that silicone breast implants do not appear to cause breast cancer or any identifiable systemic disease.
Internal auditors should advise the board on measures to decrease the risk that wrong or misleading information will be diffused over the Internet. Specific responsibility for monitoring the organization’s information via the Internet should be assigned to the communications department. The department should implement rigid processes to ensure that information uploaded on the corporate Web site is correct, updated timely, verifiable, and cannot be interpreted as misleading visitors in any way. Moreover, the communications department should constantly monitor the Web to pick up clues and warning signs that could lead to potential litigation against the organization.
Auditors should ensure that the organization has taken preventive measures, as well. The communications department should consider the results of employees’ ethical perception surveys as an effective gauge of the feeling that could spread over the Internet through the groundswell. The main departments — including compliance, communications, internal auditing, and legal — should agree on an action plan that identifies responsibilities and actions to mitigate the damage. Auditors could review the document. An immediate intervention that could be particularly effective is to clarify the wrong or misleading information by communicating directly with Internet users through the company’s blog or forum. Auditors should ensure that the communications department is prepared to act effectively in these instances.
THE INTERNET’S OPPORTUNITY
Given the old adage that for every new threat a new opportunity arises, Internet-related services can be turned into an important opportunity for the organization. Specifically, when organizations succeed in consistently putting ethical values into practice, it will be noticed by the public, who will start to spread the word over the Web. This is a particularly effective and inexpensive way for organizations to:
- Increase employees’ satisfaction and attract high-quality employees. This is particularly true considering the extraordinary impact of Internet communication technology on recruitment processes.
- Increase clients’ loyalty. By behaving ethically the organization builds its reputation for caring about ethics and, as a consequence, clients are more prone to trust it. Several international studies show the increasing importance customers are placing on ethics. In some instances, consumers are willing to pay more than competitors are offering for goods and services provided by companies that have proved they behave ethically.
- Attract investors. The number of socially responsible investors who consider the company’s commitment to ethical issues when selecting stocks in which to invest is increasing. The U.S. socially responsible investment (SRI) market is expected to reach US $3 trillion by 2011, according to global financial services research firm Celent. Europe’s SRI market grew from 1 trillion euros (US $1.41 trillion) in 2005 to 1.6 trillion euros (US $2.3 trillion) in 2007.
Internal auditors can help their organizations mitigate Internet-related threats by making sure that the litigation risk with employees, clients, suppliers, and business partners is kept to a minimum through an ethical company culture and continuous monitoring of how the organization is perceived by Internet users. These initiatives can enable the organization to take full advantage of the opportunities that social media provide. Moreover, as the Internet continues to change economic and business conditions and circumstances around the world, internal auditors have the opportunity to render a set of particularly value-added services to their organization’s stakeholders.
To comment on this article, e-mail the author at carlo.patetta-rotta@theiia.org.
