December 2005

Navigating Through Change

The dynamic nature of corporate ethics requires auditors to stay abreast of evolving standards and reflect change when appropriate.

Russell A. Jackson
Freelance Writer

Change is a corporate constant, and approaches to business ethics are no exception. What constituted “ethics” a generation ago may bear little resemblance to that concept today, and in the same way, what constituted “ethical corporate behavior” as little as five years ago may not mean much in an increasingly complicated, global business environment. And of course, changes in the nature and execution of corporate ethics directly affect internal auditors, whose role in developing and monitoring ethics policies and codes is largely dependent on the organization’s approach.

Indeed, internal auditors’ ethics mandates are more critical than ever. In today’s business environment, audit and ethics experts stress, companies must not only have strong, clear ethics policies; they must demonstrate their commitment to ethics to the outside world. Just as in politics, image is reality, especially in light of recent accounting scandals and the vastly increased public scrutiny of companies’ behavior by the general public. Moreover, internal auditors are often tasked with helping the organization monitor ethical directives and making sure that policies continue to represent both universal concepts of ethical behavior and a company’s “personal” code of conduct. And they may also be asked to help ensure employees not only recognize the existence of ethics policies, but incorporate them into their day-to-day activities. It’s imperative, then, that internal auditors stay aware of changes in corporate direction and mission, social mores, and their firm’s “tone at the top” — and that they do their part in making sure those changes are reflected in the company’s operations and in the way its directors, executives, and staff members conduct themselves professionally day in and day out.

EVOLVING STANDARDS, NEW APPROACHES

The nature of the very notion of “ethics” and “ethical corporate behavior” is changing, says Michael Cox, chief internal auditor at Television New Zealand Ltd. in Auckland. Organizations are grappling with new situations, new technologies, and evolving standards in society, he explains, and a more progressive approach to ethics may be needed to meet these challenges. “I would suggest that ethics as a concept is universal,” he says, “but that all companies also have an individual approach to ethics that’s reflective not only of its owners, but of its culture, geographical location, and employees — and takes into account legislative and religious concerns as well.” Internal auditing, therefore, needs to be aware of the evolving nature of ethics and to reflect change when appropriate.

Another key change internal auditors should monitor and respond to is the structural modifications many organizations have made in their approach to ethics, notes Scott Mitchell, president and CEO at the Open Compliance and Ethics Group (OCEG) in Scottsdale, Ariz. The investments many firms have made to comply with the U.S. Sarbanes-Oxley Act of 2002’s Section 404 provisions have led to a more systematic approach, he explains, as companies look to leverage those investments in areas other than financial controls. “A written document is fine,” he explains, “but it has limited effect on employees’ beliefs about doing the right thing.” The gist of recent research, he points out, is that if a company asks an employee about whether the firm expects workers to “make their numbers” or “do the right thing,” the existence of a written code doesn’t correlate with a feeling that the firm expects employees to do the right thing. “A written document is worthless by itself,” Mitchell notes. “It’s only effective in conjunction with soft controls like employee perceptions about leadership. Is management saying and, more importantly, doing the right thing? Are colleagues? Do people get punished if they’re caught? Do you report misconduct if you see it? That’s how you monitor the current climate.”

Of course, Mitchell says, information on soft controls can be misleading, too, without a clear understanding of who’s providing that information and what their personal situations are. “Surveys give you a pulse on a specific day at a specific moment,” he explains. “But what if one employee had a tough few days at the office and a supervisor just made him or her angry? That kind of general, underlying dissatisfaction is important to know about.”

Typically, though, if there’s smoke, there’s fire, Mitchell notes, so if an entire department says largely the same thing, a legitimate problem likely exists. But to gain a more complete picture, he says, internal auditors conducting ethics audits increasingly are looking at three points: perception surveys, hotline calls, and performance evaluations, where supervisors can note any lack of employees’ meeting the values of the organization. “You have to ask ethics questions in the broader context of employees’ perceptions about their compensation and their supervisors,” he says.

Joyce Drummond-Hill, head of internal audit for Her Majesty’s Prison Service, London, seeks to expand her view of employee perceptions through “staff-satisfaction surveys.” This tool, she explains, yields information on an ongoing basis that can be used in the event of an ethics audit.

“The surveys can offer a very good handle on how people generally feel about the tone of the organization and how their complaints of different types are dealt with,” Drummond-Hill says. Internal auditors performing ethics audits needn’t prepare an audit-specific list of questions for employees to use just during such audits, she adds, because the staff-satisfaction surveys “cover the whole range of work.” The survey instrument includes exactly the type of perspective internal auditors need to measure an ethics program’s resonance in the broad employee population. “Does your boss listen to you? Does management investigate your concerns? Is remedial action taken?” That, she explains, is the type of information she gathers throughout the year that can then be integrated with audit-specific queries to paint a more complete picture of what’s going on in employees’ minds.

Interestingly, she notes, the questions she asks in those staff-satisfaction surveys are changing because employees today are much better attuned to the existence of, purpose for, and execution of the firm’s ethics policies and programs. “People are much more aware of governance now and of how the board communicates throughout the organization,” she says. “Many organizations are more open with the type and level of detail in the information about ethics they provide to people lower down in the company, so employees’ responses are easier to obtain.”

But those who audit ethics must get as well as they give, so to speak, comments Norman Marks, vice president, internal controls and process assurance, at Maxtor Corp., a worldwide producer of digital storage devices. It’s not enough to simply measure employee comfort and compliance with ethics policies. Organizations must also do something about the information they gather.

“Whenever management assesses employee perceptions about ethics,” Marks stresses, “it must be ready to listen to, accept, and then take action on matters that arise. Management also needs to communicate with the employee population on the results and what management will do about them. Otherwise, surveying can have a negative effect: Employees will believe that management does not listen and does not care.”

RULES VERSUS PRINCIPLES

Some experts point to other changes in how organizations and their auditors approach ethics. Warren Malmquist, vice president for global internal audit and ethics at Molson-Coors Brewing Co. in Denver, points specifically to a move over the last decade away from rules-based ethics policies to principles-based policies. He also sees as a distinction between companies’ codes of conduct and their ethics programs rather than the tighter integration that some industry watchers see.

“Ethics is slightly different,” Malmquist explains. “Your code of conduct covers certain things, while ethics involves principles for arriving at a decision within the values of the company.” His firm’s code, he explains, is tailored to practical application all over Molson-Coors’ vast worldwide operations. “It doesn’t vary by country,” he says, “but the questions and answers related to marketing, operations, and general and administrative departments that accompany it do.” Before its merger with Molson earlier this year, he adds, Coors received an ethics-related award for its “values-based program and application to where an employee works.” Also, he says, in a hypothetical world where nobody has access to any company assets that could be misused, a rules-based code of conduct could work fine. But he prefers an approach that enables employees to make better decisions. “A rules-based approach would increase our cost of administration because we’d have to respond to all exceptions,” he says.

Not so, Marks says. Although he favors a principles-based ethics program, he says a rules-based program and set of policies would actually be easier and perhaps less costly to audit and manage. “You’re auditing against a defined rule instead of a principle,” he emphasizes. “And the cost would not go up because good internal auditors use their judgment all the time.” Although he wouldn’t recommend a rules-based approach, he says it might actually be less expensive because the program could rely on less-experienced auditors, with less worry about the appropriateness of policy and practice.

Drummond-Hill agrees. “A basic rules-based policy is easier to audit,” she states, “because it involves compliance-oriented auditing. You could probably use auditors with lower-level skills. A principles-based audit demands probably a more strategic approach and involves making more decisions about the spirit of the policy.” Still, she emphasizes, a principles-based approach is “a lot better because it can be applied more generally across different countries where a company operates.”

Laurie A. Murray, corporate auditor at Canada Post Corp. in Ottawa, also cites the value of guidance as opposed to hard-and-fast rules. Although she says a company’s ethics policies have to be sufficiently detailed to provide a usable and effective resource for employees, she points out that the more “black and white” issues are generally not the problem. Rather, ethics problems arise in the shades of gray. “I don’t think you can give a comprehensive list of activities indicating what is right and what is wrong,” she notes. “An effective ethics program gives employees the tools to make sound decisions when there is no obvious right answer. The policy must provide examples to make points relevant to employees’ work environment and must take them through a series of questions, elaborating on what the company’s values, policies, and practices say — providing them a frame of reference where employees are required to reach their own decision.”

Whatever approach to detailing acceptable ethical behavior a company adopts, it needs to have something that not only its executives and other employees are aware of, but that the rest of the world sees and understands as well. “There is increased attention paid to ensuring that companies are not only doing what is right, but are seen to be doing what is right,” Murray explains. Although each country’s laws define the legal or regulatory minimums for ethical behavior, she says, company values and policies “add more detail and may impose responsibilities that go beyond the minimums established by law.”

Marks concurs. “The world needs to know that there is a policy, that it is appropriate, that management and the board believe its principles and apply them diligently, and that violations are investigated impartially and fairly, with appropriate actions taken,” he says. But he cautions against going too far with publicizing the results of investigations into potential violations of the corporate ethics policy. “There are limits to transparency,” he cautions, “especially when it comes to investigations and their results.”

AN INTEGRATED APPROACH

Of course, where some see the need for doing what’s being done only better, others call for complete changes in the very nature of the way things are done. Thus, some ethics and audit experts are calling for a much more visible and powerful part for internal auditors to play in their companies’ ethics operations. OCEG’s Mitchell is one of them. He stresses the importance of an integrated approach to corporate ethics — with, in some cases, a lead role for the internal auditor in managing and monitoring the combined executives’ efforts.

“Part of our mission is to bring together internal auditors, lawyers, risk managers, human resources professionals, compliance officials, and professional ethics officers,” Mitchell says, “and the internal auditor’s role ought to be significant.” In fact, he adds, he hasn’t seen a significant enough role for internal auditors. That’s partly because of Sarbanes-Oxley, he concedes, which can weigh internal auditors down in soft controls when they’re used to hard controls. But internal auditors are increasingly involved in setting and monitoring compliance with ethics policies, he says. “They’re arguably part of the control environment,” Mitchell states, “and The Committee of Sponsoring Organizations of the Treadway Commission’s internal controls and enterprise risk management guidelines include references to the importance of the tone at the top and of the company’s ethical culture. We feel there should be some repeatable methodology that internal auditors can use to make some sort of judgment about individual ethics policies.”

That’s a lot to bite off, Mitchell concedes. But it’s important that it go down in a single swallow — and internal auditors may as well be the ones taking the bite. “Increasingly, companies are combining compliance and ethics,” he says. “And they really ought to. We see the integration of governance, compliance, and ethics management as critical. If you don’t combine them, you run the risk of having a lot of different silos — and that can cause problems.” Integration may take place in the internal auditor’s office, if he or she is “the most talented executive,” he adds. One compliance officer he works with, in fact, has the title of “vice president of internal audit, compliance, and ethics.”

Malmquist’s shop is configured along these lines. “I’ve been responsible for the company’s code of conduct,” he says. “It kind of fell in my lap for the primary reason that I have a passion for it and because in terms of resolving issues on behalf of the company, my staff and I have been able to get things done without any problems.” He’s assisted in his efforts by a director of global ethics and business conduct who reports to him. He developed the Molson-Coors code of conduct with input from the CEOs from all the company’s divisions and units and from the corporate CEO and audit committee. He personally reports to the committee, which maintains direct oversight authority for the code. “We also engage human resources, employee relations, legal, and at times, security, as well as anybody else who has a vested interest in either the code or the ethics program,” he notes. “Our ongoing role is to manage the ethics program and, within that context, to develop training and communications for the code of conduct and the overall program.”

Interestingly, while he manages the ethics program from his office, he gets assistance in auditing it from other departments. “We have not embarked on an audit of the ethics program,” he points out. “Under Sarbanes-Oxley, the external auditors, in reviewing and attesting to our internal controls at the company level, consider our ethics and code of conduct programs. Internally, we work with other groups to ensure that we have a complete program.”

Careful delineation, says Drummond-Hill, is key to successful integration. In fact, while she says closer ties between ethics, audit, and compliance might work well at smaller organizations, in a larger company “it might not be a good idea unless you’re absolutely clear in what capacity you’re acting, whether as ethics monitor or head of internal auditing.” Indeed, she recommends melding audit and compliance before trying to add in ethics auditing as well. “You’ve got to keep your independence,” she cautions. “It’s a bit like the argument about risk management. The internal auditor can facilitate programs and policies, but when it comes to actually doing it, I’m not sure it’s a good idea.”

DOING THE RIGHT THING

Plus ca change, plus c’est la meme chose — the more things change, the more they stay the same. Ethics may change, and approaches to ethics may change, but when it’s all said and done, most internal auditors still must help monitor compliance with ethics policies and then periodically check to make sure the policies are still relevant — and still in place. And while the very structure of ethics and ethics management may be evolving — from rules to principles, from separate silos of authority to an integrated, multi-departmental approach — many experts still say internal auditors must not ever have ownership of the process.

“Internal auditing can play a leading or supporting role in developing a code of ethics,” Cox stresses. “But enforcing a code is a different question. That is a responsibility of management. Ethics is just another business process that management is responsible for. Internal auditing can advise on policies, procedures, and frameworks, but responsibility should not lie with that office.”

Marks agrees. “Internal auditing can lead, but it cannot perform management functions without the prior consent of the audit committee,” he says. “Auditing can act as a compliance officer in some cases, but must be careful where the line is drawn.”

 

To comment on this article, e-mail the author at russell.jackson@theiia.org.

 

April 2012 IA Online Cover

CCH 2012-2

 On-site Training

 

 Write for FSA Times

  

 

 Twitter

facebook IAO 

IA APP