Assess Your Organization's Code of Ethics
It is the auditor’s job to pull apart, test, and challenge an organization’s code of ethics.
ROBERT W. RUDLOFF, JR. CIA, CFE
VICE PRESIDENT, INTERNAL AUDIT
Ethics — or lack thereof — has great visibility in the world today. Charles Keating, Ken Lay, Bernie Ebbers, Andy Fastow, Martha Stewart, Bernie Madoff, Nevada Sen. John Ensign, former Illinois Gov. Rod Blagojevich, and South Carolina Gov. Mark Sanford are names that, when heard, raise the same question: “What were they thinking?”
Each of us will face ethical challenges at some point during our lives. It’s the choices that we make when faced with a dilemma — not the dilemma itself — that will shape who we are. And because the organizations we work for are made up of people, each of whom may be dealing with their own personal dilemmas, our organizations are at risk. So where do we turn for ethical guidance?
Our organizations should have codes of ethics to guide us through those tough decisions and keep them out of harm’s way. But how good is that code of ethics document? How easily will it help employees navigate through the myriad of decisions that need to be made?
QUESTIONING THE CODE OF ETHICS
Asking the following 15 questions can help auditors assess their organization’s code of ethics. Although you don’t need to answer “yes” to all of them, affirmative responses indicate how strong — and effective — the code likely is.
- Does the organization have one code or two? Having two codes of ethics is not necessarily bad, but they both need to have the right context. One of the issues that led to the problems at Enron was that there were two codes: one for most of the employees and a second less-stringent code for a select few. One code is preferred, but if the organization is going to have two, the more restrictive code must apply to all of the senior people in the organization.
- Is the code of ethics accessible? It is a plus to already have an established code of ethics, but it will not do much good if it is not easily accessible to employees. Ask your fellow employees if they know where to find the organization’s code of ethics. How many know? If too many don’t know where, or how, to find the code, it’s time to implement a communication plan.
- When was the last time the code was updated? Review the organization’s code of ethics to determine if it has been updated recently. There are new risks, technologies, and laws that create dilemmas that were never considered 15, 10, or even five years ago. If the code is out of date, employees cannot get answers to the questions they have today. Accordingly, it’s not just about adding to the code; issues that no longer pertain to today’s businesses should be removed.
- Does the code talk about the organization’s values? Without a values statement, the code can be an empty document with no relevance to the organization. But if it talks about values — and employees can tie those values statements to how they see their organization behave — the code will have more of an impact on them.
- Did the code get the right kind of input before being written? If the code is written by the legal staff alone, without input from human resources, management, and an employee task force, it will read like a legal document. If it’s written by human resources, it will likely be easier to read and understand, but could miss some key legal issues. An organization’s code of ethics needs input from several different points of view. Obviously, the code needs to be “legal,” so the legal department may be the last stop, but when several different parts of the organization provide input, the code likely will be a better document.
- Is the format effective and inviting? Is the organization’s code of ethics 20 to 30 pages of run-on text, neatly organized around topics and subtopics, or is it in an electronic format with colorful text, hyperlinks to related topics, and photos? To engage employees, the document needs to be presented in an appealing format that invites them to browse and easily get from one place to another. Moreover, the code — especially when in an electronic format –— should include examples that will help employees relate it to their own dilemmas.
- Is the code organized in a useful way? Sometimes an organization’s code of ethics grows by adding the latest topic to the end of the document without giving much thought to its appropriate placement within the code. Hyperlinks within an electronic code of ethics can simplify the document’s organization by allowing employees to move from topic to topic easily. But when not in an electronic form, the document should be organized in a way that makes sense and simplifies finding the needed guidance. Aids like an index, glossary, or other cross-referencing tools go a long way toward making the code user friendly.
- Does the code lead to other useful sources of information? Not every answer can come from the code of ethics itself. The code should lead the reader to human resources policies, accounting and reporting guidelines, regulatory guidance, and other relevant sources of information.
- Do employees certify to respect the code of ethics? If employees don’t sign off that they have read, understand, and agree to comply with the code, it will be more difficult to hold them accountable when bad behaviors start making their way into the workplace. All employees who need to be bound by the code should sign an acknowledgment — hard copy or electronic — on the day they become an employee and then at least once a year thereafter.
- Can employees ask questions about the code? It’s not just about being able to ask questions, but it’s getting the questions to the appropriate people and getting a prompt answer. How does that process work in the organization? If a process isn’t in place, management will have to rely solely on the employee’s interpretation of the code to his or her own situation. While we hope our employees will be able to make the right decision, countless publicized frauds show that’s not always the case.
- Is the code translated? Many organizations employ people whose primary language is not English, but what have they done to assist them in navigating through the code? An organization’s code of ethics should be offered in each of the languages represented by its employee base.
- Is the code global? This may not apply to many organizations in the gaming industry, but for those organizations expanding beyond the border of their home country, has global expansion been considered in the organization’s code of ethics? Business practices and customs may vary significantly from our home country, yet the organization’s values should not change. Those value principals need to be reflected in the code wherever the organization chooses to do business.
- Is the code distributed to third parties? We can have an organization built around a high ethical standard — one that is built on clearly defined values. However, unless that information gets to third parties (e.g., contractors, tenants, vendors, consultants, and suppliers) engaged with the organization, the understanding of the code will be incomplete. Organizations need to take a stand about how they choose to do business and state that any third-party organization that deviates will risk losing the opportunity to continue the business relationship. Furthermore, it may prompt the organizations with which we do business to let us know when one of our staff members starts behaving inappropriately.
- Is there a communication plan for the code? How does the organization let employees know about the plan? There should be an official policy in place to ensure that employees not only learn about the plan once, but also are periodically reminded that the code is available as a tool to help them and their co-workers.
- Is the code both legal and ethical? The code has been written, approved, formatted, and is available to all employees and third-parties, but is it revisited periodically to ensure that its content is both legal and ethical, and that the organization does not direct employees to perform in a manner contrary to the law or sound ethical practices?
For internal auditors, the challenge is to take a new look at their organization’s code of ethics — pull it apart, challenge it, and test it. Think of issues that the code doesn’t address. Then work diligently to see that the code is brought into the 21st century and becomes a beacon that lights the path for everyone within the organization.
Robert W. Rudloff Jr., CIA, CFE, is vice president of internal audit for MGM Mirage in Las Vegas. He has more than 28 years of internal audit experience, 23 of which are in the gaming industry. Rudloff is a member of the Gaming Audit Group Committee.