FEBRUARY 2010

Do the Right Thing

Internal auditors can play a key role in determining whether a company’s code of conduct is effective — or whether it’s being practiced as intended.

Bonita K. Peterson Kramer, PhD, CIA, CPA, CMA
Professor of Accounting
Montana State University

John E. Johnson III, CIA, CPA
Manager, Internal Audit
tw telecom Inc.

Given the numerous widely publicized corporate financial reporting scandals in recent years, more companies are adopting codes of conduct (COC) to demonstrate they are promoting and maintaining the highest standards of business conduct — but are they effective? The 2007 National Business Ethics Survey from the Ethics Resource Center (ERC) reported that ethical misconduct was, alarmingly, back at pre-Enron levels. Specifically, it found that during the previous year more than half of the employees surveyed witnessed ethical misconduct of some sort. Further, many employees stated that they did not report unethical conduct because they were afraid of retaliation and doubtful that their report would make any difference. The latest National Business Ethics Survey, released in late 2009, initially reports more positive findings on all of the ERC’s key measures: fewer employees witness misconduct at work, whistleblowing occurs more frequently, ethical cultures are stronger, and the pressure to cut corners is lower. However, the report emphasizes that the implications of the 2009 results surface only when they are viewed in the context of the past 15 years of data gathered by the ERC. Specifically, the ERC warns that the positive results are likely only temporary because businesses are currently experiencing an ethics bubble: during difficult economic times, ethics improve.

 

The internal auditor’s role with a company’s COC can help to break this cycle and strengthen the company’s ethical culture when the economy improves. Involvement by internal auditors with the company’s COC underscores management’s commitment to a strong ethical culture and, consequently, can empower employees to do the right thing, both in their daily actions and in reporting suspected violations.

 

DEFINING THE CODES

All NASDAQ-listed companies are required to develop and adopt a COC that applies to all directors, officers, and employees; is publicly available; and provides a means of enforcement. The enforcement mechanism must ensure not only prompt, consistent enforcement, but also clear and objective compliance standards, a fair process by which to determine whether a violation has occurred, and protection for any person reporting questionable behavior. In addition, the New York Stock Exchange (NYSE) corporate governance rules require listed companies to adopt and disclose a code of business conduct and ethics for officers, directors, and employees. Any waivers of the code for directors or executive officers must be disclosed promptly. Often, the terms COC and code of ethics (COE) are used interchangeably. The U.S. Sarbanes-Oxley Act of 2002 requires publicly held companies to report whether they have adopted a COE for their CEO and senior financial and accounting officers. The act defines a COE as “such standards as are reasonably necessary to promote: 1) honest and ethical conduct, including handling of actual or apparent conflicts of interest between personal and professional relationships; 2) full, fair, accurate, timely, and understandable disclosure in the periodic reports required to be filed by the issuer; and 3) compliance with applicable rules and regulations.” NASDAQ rules require that the company’s COC satisfy this definition of a COE.

 

In its 2007 International Good Practice Guidance: Defining and Developing an Effective Code of Conduct for Organizations, the International Federation of Accountants (IFAC) noted that the term COC does not have an authorized definition, and provided this working definition: “Principles, values, standards, or rules of behavior that guide the decisions, procedures, and systems of an organization in a way that: a) contributes to the welfare of its key stakeholders and b) respects the rights of all constituents affected by its operations.” Some organizations view the COE as referring to employee and director conduct at a very high level and written to be outward (customer) facing, while the COC addresses conduct for all employees (e.g., equal employment, no sexual harassment) and is written to be inward (employee) facing.

 

INTERNAL AUDITING’S ROLE

The IIA’s International Standards for the Professional Practice of Internal Auditing Standard 2110.A1 states that “the internal audit activity must evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.” Consistent with this requirement, IFAC notes that internal auditors may be involved with a COC in two ways: assessing whether the code is effective in minimizing the risk of improper conduct, which includes determining whether noncompliance is being reported; and reporting to the audit committee.

 

The American Institute of Certified Public Accountants (AICPA) notes in AU316.86, Consideration of Fraud in a Financial Statement Audit, that a company’s COC reflects management’s value system and is one factor the external auditors can consider when assessing the risk of materially misstated financial statements due to fraud. It notes the COC should reflect the core values of the entity and guide employees in making appropriate decisions during the workday.

 

EFFECTIVE CODES OF CONDUCT

IIA standards require internal auditors to evaluate the design of ethics-related objectives; consequently, it is helpful to identify key criteria that should be present in the code. The goals of a COC are to formally establish the organization’s expectations pertaining to business ethics and to give employees some guidance if they should find themselves in situations where there is no obvious “right” way to act.

 

IFAC recommends developing a “values-based code,” which acknowledges it is impossible to develop a code that describes every unethical action. Instead, a values-based code uses the organization’s values as the foundation for ethical decision-making, without a detailed listing of rules. Numerous rules can unintentionally invoke a checklist mentality among employees and possibly encourage some employees to search for loopholes to avoid following the code. IFAC recognizes that a COC is unique to each organization and will reflect organizational context. However, it suggests that an effective COC possesses these additional key principles:

 
  • Commitment from the board of directors, including oversight of the code’s development.
  • Code development led by a multidisciplinary and cross-functional group, including international personnel (where applicable).
  • Clear identification of the process for defining, developing, and reviewing a code to promote understanding and agreement on key stages and activities.
  • Applicability to all jurisdictions in which the organization operates.
  • A continuous awareness program that sustains interest in, and commitment to, the code, as well as promotes awareness of the consequences of violating the code.
  • A values-driven code is best suited for a rapidly changing business environment and should assist an employee in “doing the right thing” by ingraining the company’s values in the code’s framework.

 

The Institute of Business Ethics, based in London, notes that there are some best practices to follow in developing a COC:

  • All levels of staff (and in all jurisdictions, if applicable) should be involved in developing the COC content and its implementation.
  • The values incorporated in the COC must come from the top; consequently, involvement by the board of directors is critical. Furthermore, the chairman and/or CEO should endorse the COC, and regular reports on the COC’s operating effectiveness should be provided to the board.
  • One size does not fit all. Each company must design its own COC, based on its own core values.
 

A COC in and of itself will not guarantee ethical behavior. The COC must be understood, taught, used, monitored, and regularly re-evaluated and revised as necessary.

 
FRAUD PREVENTION

The Association of Certified Fraud Examiners’ (ACFE’s) Fraud Prevention Check-up notes that environment-level anti-fraud controls are one of seven important fraud prevention processes to have in place to help reduce an organization’s fraud risk. Dominating the environment-level anti-fraud controls is the presence of a COC. The ACFE suggests the following features related to a COC:

 
  • The code should apply to all employees, be based on the organization’s core values, and give clear guidance on behaviors and actions that are permissible and those that are prohibited.
  • All personnel should receive training on the content of the COC, as well as how to seek advice in questionable situations and how to communicate suspected wrongdoing.
  • Communication systems should be in place that allow employees to seek advice before making a difficult ethical decision and to communicate suspected violations of the code.
  • Provisions should be made to allow anonymous communications, but strong efforts should be made to create an environment supportive of open communication.
  • For systems allowing open communication, provisions should be in place to protect callers from retribution.
  • Suspected violations should be investigated promptly by the appropriate department (e.g., internal auditors, legal counsel, human resources (HR)). A plan should be in place to determine which department will investigate and resolve which type of complaint, and how the resolution will be communicated to those who raised the concern.
  • Compliance with the COC should be monitored at least annually.
  • Regular surveys of a statistically valid sample of employees should be conducted, measuring their attitudes toward the organization’s ethics/compliance activities and their belief that management acts in accordance with the code.
 

The ACFE’s 2008 Report to the Nation on Occupational Fraud and Abuse provides some empirical evidence of the effectiveness of a COC in helping to prevent fraud. According to the report, the median fraud loss suffered by an organization without a COC was US $232,000 versus a loss of US $126,000 for an organization with a code — almost a 46 percent reduction. Further, the anonymous communication mechanism is important to consider because one of the most consistent findings among national and international fraud surveys is that tips are the most common means of fraud detection.

 

EVALUATING EFFECTIVENESS

Preventing fraud requires a strong emphasis on promoting ethical behavior in the workplace and encouraging employees to report any known or suspected violations. The ACFE states, “Although ‘soft’ controls to promote appropriate workplace behavior are more difficult to implement and evaluate than traditional ‘hard’ controls, they appear to be the best defense against fraud,” especially when top management is involved.

 

So-called “soft” controls such as a COC may be difficult for internal auditors to evaluate. A code focuses on providing guidance for acceptable behavior within the organization, and auditing behavior is inherently abstract. Thus, just as there is no one-size-fits-all COC, there is no one ideal way for internal auditors to review a code’s effectiveness. However, internal auditors should always consider a company’s overall compliance and ethics program in the audit planning process.

 

The logical first step in planning the audit is for internal auditing to obtain an understanding of the company’s COC, including the structure and tone of the documents, and whether a separate COE exists for senior financial management. To develop appropriate scoping for the review, auditors should obtain a general understanding of how management implements and enforces the COC and COE. Prior audit documentation should also be reviewed if available, and industry best practices should be researched to ensure the audit procedures are relevant and current.

 

After initial discussions with management and a high-level review of existing documentation, internal auditing should develop a list of risks applicable to the process of developing, implementing, and enforcing the COC and then determine which risks will be addressed during the review. These risks should reference authoritative guidance as well as company-specific risks. Examples of applicable risks include:

 
  • There are material policy gaps in the COC and COE (e.g., Sarbanes-Oxley, NASDAQ requirements).
  • The COC is not received and reviewed by all employees.
  • The COE is not signed by senior financial management.
  • Reported fraudulent activity and ethics violations are not adequately addressed, resolved, and documented.
  • COC and COE violations are not reported to the audit committee.
  • Related files are not secured correctly.
 

The identification of risks, while generally a good practice in planning an audit, is particularly important for the review of the COC and COE to ensure that the review is objective and standards-driven and focuses on how management has addressed these risks. Internal auditing should also develop specific audit procedures to address each of these risks.

 

Communication

Once the audit plan is developed, the auditors should communicate with relevant business owners via a notification letter. This letter serves as a road map for the process owners, summarizing the procedures internal auditing will perform. Although the letter does not list specific details of the audit procedures, it provides the recipient with a clear understanding of the overall audit objective, scope, and general audit approach. It also identifies the time frame and auditors involved, along with the process of communicating audit results. This type of communication should help alleviate concerns that management may have with a review of such confidential material. An example of a COC audit notification memorandum can be found at the end of this article.

 

Noncompliance With Regulatory Requirements

The risk of the company’s COC and COE containing material policy gaps requires the auditors to have a solid understanding of any applicable regulatory requirements (e.g., Sarbanes-Oxley, NASDAQ, NYSE), and determine whether these key provisions are contained in the company’s COC and COE. (See "Risk of Code's Noncompliance With Applicable Regulations Checklist," below.)

[Checklist: Risk of Code's Noncompliance With Applicable Regulations (figure not reproduced)]

 

Employee Training

There is a risk that once management publishes the COC, employees become less familiar with the content of the COC over time. It is important to reinforce the code periodically to serve as a reminder of the continual importance of the principles in the COC. Employees should be required to review and certify understanding of the code soon after their hire date and periodically thereafter (at least annually). This certification may take many forms, including completing a checklist, signing a copy of the COC, or completing an electronic certification. However, the most effective methods are those that require employees to explicitly certify — via signature or initialing — to their awareness of and compliance with the COC.

 

Testing by internal auditing should involve obtaining a list of newly hired employees and verifying that each employee participated in the training within a reasonable time after the hire date by comparing the list against the training database, which may be maintained by in-house legal counsel. Testing also should include determining whether all executives and directors have taken the COC training within the past year. Similarly, because Sarbanes-Oxley requires that a COE be established that applies to the chief financial officer, chief accounting officer, and any other person who performs similar duties, testing in organizations subject to Sarbanes-Oxley should verify that each of those individuals acknowledges the code at least annually.

 

Code Violations

A code without discipline lacks substance, which can render it grossly ineffective and essentially meaningless. Thus, this aspect of testing by the auditors is critical for the ongoing robustness of the code. Review, investigation, and resolution of code violations should be delegated to a group within the organization with enough authority to enforce conclusions reached and provide a safe outlet for any company employee to raise concerns and violations without losing confidentiality. Depending on the structure of the organization, this task may be the responsibility of the legal or HR department. Internal auditing may assist or take the lead in an investigation. The organization may also require that a report summarizing the investigation be provided to the audit committee.

 

A company’s COC should be available to all employees (electronically or otherwise), while the COE for directors and employees should be posted publicly on the company’s Web site. Employees should be encouraged to contact the designated individual or department (e.g., legal counsel, HR) with concerns via telephone, e-mail, fax, or postal mail. When the appropriate authority receives these submissions, each falls into one of three general categories (see “Classifications of Submissions,” below):

 
  • Inquiry. The employee asks a question or requests information pertaining to the COC.
  • Investigation. The employee complains of a possible COC violation.
  • Other. The submission does not constitute an inquiry, and no investigation is required.
 

Internal auditing should obtain an understanding of how the organization addresses, resolves, and tracks each of these submission types. Auditors should consider whether there is potential for anyone to filter or block submissions anywhere during the process. Internal auditing should focus on how the company ensures the completeness of the submission listing.

[Figure: Classifications of Submissions (not reproduced)]


Armed with this understanding, internal auditors should obtain the file containing submission-related documentation and review the submissions received during the past year. From a review of the documentation, internal auditors can determine whether each investigation or inquiry was investigated adequately and resolved in a timely manner. Submissions should be sequentially numbered to ensure completeness. In addition, internal auditors need to evaluate whether appropriate action was taken and whether documentation is complete.
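The testing described under Employee Training (new hires reconciled against the training database, executives and directors certified within the past year) and the completeness check on sequentially numbered submissions above are both list-reconciliation tests that lend themselves to a small script. The following is an added example, not code from the article or from either author’s audit programs; the record layouts, the 30-day training window, and all of the data are constructed assumptions standing in for an HR export, a training log, and a submission register.

```python
"""Added example (not from the article): automated audit tests for two of the
procedures described in the text -- reconciling new hires against COC training
records and checking a submission log for sequence gaps.  All records here are
constructed sample data; the field names are assumptions, not any real export."""
from datetime import date

# Constructed HR export of new hires (assumed layout).
NEW_HIRES = [
    {"id": "E101", "name": "A. Lee", "hire_date": date(2009, 3, 2)},
    {"id": "E102", "name": "B. Ortiz", "hire_date": date(2009, 6, 15)},
    {"id": "E103", "name": "C. Nakamura", "hire_date": date(2009, 11, 20)},
]

# Constructed COC training log (assumed layout).  E102 has no record at all.
TRAINING_LOG = [
    {"id": "E101", "completed": date(2009, 3, 20)},   # 18 days after hire
    {"id": "E103", "completed": date(2010, 2, 1)},    # 73 days after hire
]

# Constructed COE acknowledgement dates for senior financial officers.
EXECUTIVES = [
    {"id": "X1", "role": "CFO", "last_certified": date(2009, 4, 1)},
    {"id": "X2", "role": "CAO", "last_certified": date(2008, 12, 1)},  # stale
]

# Constructed submission register: sequence numbers pulled from the contact file.
SUBMISSION_LOG = [1, 2, 3, 5, 6, 8]

# Audit "as of" date for the period under review (assumed).
AS_OF = date(2010, 2, 1)


def untrained_new_hires(hires, training, as_of, window_days=30):
    """Return (employee id, reason) for each hire who has no training record
    once the window has elapsed, or who was trained later than window_days
    after the hire date.  The window length is an assumed policy value."""
    completed = {t["id"]: t["completed"] for t in training}
    findings = []
    for h in hires:
        done = completed.get(h["id"])
        if done is None:
            # Not yet due: hired within the window, so no finding yet.
            if (as_of - h["hire_date"]).days <= window_days:
                continue
            findings.append((h["id"], "no training record"))
        else:
            lag = (done - h["hire_date"]).days
            if lag > window_days:
                findings.append((h["id"], f"trained {lag} days after hire"))
    return findings


def stale_certifications(execs, as_of, max_age_days=365):
    """Ids of officers whose last COE acknowledgement is older than one year,
    matching the at-least-annual certification the text calls for."""
    return [e["id"] for e in execs if (as_of - e["last_certified"]).days > max_age_days]


def sequence_gaps(numbers):
    """Sequence numbers missing between the lowest and highest logged value.
    A gap is a completeness exception the auditor must explain, not proof of
    a suppressed submission."""
    present = set(numbers)
    return [n for n in range(min(numbers), max(numbers) + 1) if n not in present]


if __name__ == "__main__":
    print("Untrained or late-trained hires:", untrained_new_hires(NEW_HIRES, TRAINING_LOG, AS_OF))
    print("Stale executive certifications:", stale_certifications(EXECUTIVES, AS_OF))
    print("Submission sequence gaps:", sequence_gaps(SUBMISSION_LOG))
```

Each function returns exceptions rather than a pass/fail verdict, because every gap or missing record still needs the follow-up the article describes: confirming with the training owner, or tracing a missing sequence number to a voided or misfiled submission.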

 

For other submissions, auditors should determine whether the documentation is adequate and the matter was resolved in a timely manner. Further, auditors should consider whether a formal investigation should have been performed. Auditors should also address consistency in the handling of all contacts.

 

INVOLVING HUMAN RESOURCES

Some submissions relate to sections of the COC pertaining to the HR department’s area of expertise (e.g., equal employment opportunity, harassment, and drug-free workplace). Consequently, HR personnel should perform the investigations for these cases. Ultimately, management should review the recommendation submitted by HR and approve it or suggest a different course of action. To gather evidence that reporting of all submissions, including those investigated by HR, is complete, internal auditors can interview the director of employee relations and review the documentation related to the submissions.

 

SECURITY OF CONTACT FILES

Given the confidential nature of all contacts, security over related documentation must be sufficient. Auditors can determine this through their previous procedures involving management interviews and through observation of the location where documents are stored. Auditors also should consider printers and fax machines where confidential information may be sent and confidentiality statements that should be attached to outgoing communications relating to an investigation.

 

REVIEWING THE COC

Perhaps the ultimate test of the effectiveness of a COC is determining whether it is practiced. Internal auditors should provide an independent review of the code, including assessing whether key criteria are present in the code, how often acts of misconduct are reported, whether timely investigations follow, and whether appropriate responses for misconduct occurred. When employees understand that independent internal auditors are involved in this objective manner, it can enhance the code’s effectiveness by encouraging reporting, either anonymously or even openly without fear of retaliation. A strong internal audit presence can enhance the feeling of empowerment by employees and, consequently, the code’s overall effectiveness.

 

No organization today can afford to ignore developing and enforcing standards of acceptable business conduct that are essential to the growth and success of the organization. When management’s philosophy and operating style are consistent with the highest standards of ethical conduct and an effective values-based COC is developed that reflects management’s attitude and actions, the organization is well positioned to be one of the most respected and valued companies in its industry.


ONLINE EXCLUSIVE CONTENT:
A COC audit notification memorandum example is available for download (PDF).
A COC audit planning procedure example is available for download (PDF).
 

To comment on this article, e-mail the authors at bonita.kramer@theiia.org.




COC and COE review
Check this material
Posted By: John Osung
2010-03-28 6:22 PM

