October 2004

The Ethical Climate Barometer

Stormy weather could be ahead if your organization’s culture is based on the wrong values. Learn to read, recognize, and evaluate your company’s corporate culture to ensure bright days are on the horizon.

Curtis C. Verschoor, phd, cpa, cia, cma, cfe
Chairman and Chief Executive Officer
C.C. Verschoor & Assoc. Inc.

Since the Enron ethics scandal became global news some three years ago, there have been massive efforts to restore public and investor trust in business through regulatory and corporate dictums. Many of these efforts, such as the U.S. Sarbanes-Oxley Act of 2002, revisions to the listing requirements of several stock exchanges, as well as those to the U.S. Sentencing Guidelines, focus on strengthening the ethical culture — or DNA — by implementing an effective ethics and compliance program and maintaining it through appropriate governance.

In one of the first speeches U.S. Securities and Exchange Commission Chairman William Donaldson made after his confirmation last year, he strongly emphasized the importance of ethics to a sound corporate culture. He noted that governance can define the parameters of an inviolate corporate culture by answering simple questions such as “What kind of moral compass do we want guiding this corporation?” “What ethical standard do we want embedded in this corporation’s dna?” and “How will we demonstrate it in our every action?”   

Many internal auditors are now heavily involved in launching their organization’s responses to the global initiatives as well as monitoring their effectiveness after installation. Consequently, learning to assess the ethical climate should be a top priority for internal auditors, as it is at the heart of the control environment.

THE IMPORTANCE OF ETHICAL CULTURE

Governments and governing bodies around the globe that understand the importance of ethics and values to the overall well-being of an organization are developing regulations and guidelines to help steer organizations to the right conclusions. International bodies and associations such as the World Bank and the Organisation for Economic Co-operation and Development, have recommended governance principles that include the ethical relationships of employees and management.

According to The IIA’s International Standards for the Professional Practice of Internal Auditing, internal audit activities must “evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities.” To comply with this mandate, internal auditors must accomplish a wide scope of audits and examinations, including those concerned with evaluating the effectiveness of the organization’s internal controls, monitoring the operation of the organization’s code of conduct system, and ascertaining compliance with relevant requirements for confidential reporting of legal and ethical violations.

In addition, internal auditors should keep in mind the paramount importance of integrity and ethical values — the ethical climate — to the effectiveness of internal control. In the United States, this is especially relevant to management’s evaluation and public report on internal controls, which is now required of publicly held companies by Section 404 of Sarbanes-Oxley. To this point, the American Institute of Certified Public Accountants audit guide, Consideration of Internal Control in a Financial Statement Audit, says: “The effectiveness of internal control cannot arise above the integrity and ethical values of the people who create, administer, and monitor them. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other internal control components. Integrity and ethical behavior are the product of the entity’s ‘corporate culture’ (i.e., ethical and behavioral standards, how they are communicated, and how they are reinforced in practice). These values include management’s actions to remove or reduce incentives and temptations that might prompt personnel to engage in dishonest, illegal, or unethical acts. These values also include the communication of entity values and behavioral standards to personnel through policy statements and codes of conduct and by example.”

In 2004, the U.S. Sentencing Commission also tightened its requirements for compliance and ethics programs: “Organizations must promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. In particular, boards of directors and executives must assume responsibility for the oversight and management of compliance and ethics programs.”

There are other reasons that internal auditors need to regularly assess the ethical climate. Section 406 of Sarbanes-Oxley requires public companies to have a code of ethics for senior financial and executive officers or explain why they do not. The U.S. listing exchanges have extended this concept to directors, officers, and all employees as a requirement for continued listing. Also, Section 301 of Sarbanes-Oxley requires public company audit committees to be directly involved in developing a confidential system to report concerns regarding accounting, internal controls, and auditing. As a consequence of these requirements, internal audits of the design and effectiveness of ethics and compliance systems — and their impact on the ethical culture — can provide significant benefit to the organization.

The essential value of an ethics and compliance system audit is in defining the “behavior versus standards gap.” Although it is important to know what should be done — standards — it is crucial that the standards be translated into behavior. Starting with top management, emphasis must be placed on communicating and modeling those behaviors that demonstrate the organization’s core values.

METHODS OF ASSESSMENT

There are several methods for assessing an organization’s ethical climate. Using all or a combination depends on the company’s structure and the desired results.

Internal Auditing Structure

A key indicator of an organization’s ethical climate can be found in how the internal audit function is structured:

  • Does the board, audit committee, and senior management respect the function’s mission and contribution to the organization? Does the rest of the organization?
  • Is the function adequately resourced to accomplish its mission?
  • Does the function offer a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes?

Internal auditors should raise these issues as a part of their periodic internal assessments of quality.

The ability to fulfill an appropriate mission while practicing the core values of the organization provides a deep and ongoing confidence among the internal audit staff that the ethical culture of the organization is sound.

Ethical Features

Although an “attitude review” by the organization’s internal audit staff is a good indicator of larger problems, auditors should periodically make a more formal assessment of the company’s ethical culture. One method internal auditors can employ is to determine how many important ethical features of healthy organizations their organization possesses. Borrowing from the Institute for Business, Technology, and Ethics, an organization devoted to promoting good business through appropriate technology and sound ethics, the following list will help them make that determination:

  • Unquestioned Integrity at All Levels. Honesty, consistency of policy application, and transparency are all aspects of a strong ethical climate. They lead to an outlook and approach of trust that is absolutely essential in today’s technologically oriented business environment. Achieving integrity and consistency through the frequent communication and continuous application of the ethical principles contained in a code of conduct is essential to having a strong ethical organizational climate.
  • Accountability and Personal Responsibility. The environment should have a focus on “fixing the problem” rather than “fixing the blame.” An attitude of avoiding responsibility leads to denial and cover up instead of to strengthening the offending process or product. Teamwork results in the best solution, not just the most expedient one.
  • Openness and Willingness to Take Risks. Innovation and risk-taking within appropriate limits of control requires openness and trust. Internal auditors should encourage better understanding and evaluation of the risks involved in strategic approaches, not countenance an attitude of stifling and fearful control that threatens an organization’s vitality.
  • Accepting Mistakes and Learning from Them. Punishing those making honest mistakes tends to stifle creativity in others. Learning lessons from mistakes encourages healthy experimentation and converts negatives into positives.
  • Commitment to “Be the Best We Can Be.” Mediocrity is easy to achieve, but superior performance requires hard work. Best-in-class organizations continuously engage in improving their processes and practices. The internal auditing activity should be a leader in constant improvement and use its ability to spread best practices on an organizationwide basis.
  • Collaboration and Holistic Thinking. Parochial approaches and turf wars for recognition of the contribution of one segment create distrust and smother full achievement of organization goals. Integrating the latest ideas and the best people from all disciplines into collaborative teams tends to multiply the strength of an organization as a whole.

The more widespread the existence of these six characteristics within an organization, the higher the possibility of an inspiring, shared mission at the organization’s core. Their presence also suggests that the organization’s leadership is competent to achieve that mission.

Ethics and Compliance Programs

Internal auditors also can assess the organization’s ethical climate by evaluating the design and implementation success of its ethics and compliance program. Section 406 of Sarbanes-Oxley defines the term code of ethics as written standards that are reasonably designed to deter wrongdoing and to promote:

  • Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships.
  • Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant.
  • Compliance with applicable governmental laws, rules, and regulations.
  • The prompt internal reporting of violations of the code to an appropriate person or persons identified in the code.
  • Accountability for adherence to the code.

Each covered company has the obligation of designing systems and processes to best achieve these legal objectives in accordance with its own culture, size, and structure.

Although not prescriptive in content or mandatory in methodology, the revised New York Stock Exchange (NYSE) listing requirement that each company must have its own code of business conduct and ethics provides the most extensive guidance concerning recommended content: “No code of business conduct and ethics can replace the thoughtful behavior of an ethical director, officer, or employee. However, such a code can focus the board and management on areas of ethical risk, provide guidance to personnel to help them recognize and deal with ethical issues, provide mechanisms to report unethical conduct, and help to foster a culture of honesty and accountability.”

According to the NYSE, the most important topics that should be addressed in a listed company’s code include:

  • Conflicts of Interest. A conflict or potential conflict between an individual’s personal interests and those of the organization.
  • Corporate Opportunities. Using of corporate information or assets for personal gain.
  • Confidentiality. There should be no disclosure of nonpublic information that could benefit competitors or harm the organization.
  • Fair Dealing. Requiring employees, officers, and directors to abstain from any unfair treatment of customers, suppliers, competitors, and employees. Examples include manipulation, concealment, abuse of privileged information, and misrepresentation of material facts.
  • Protection and Proper Use of Assets. Using assets efficiently and avoiding theft, carelessness, and waste.
  • Compliance With Laws, Rules, and Regulations. Proactively promoting compliance.
  • Encouraging and Reporting of Any Illegal or Unethical Behavior. Proactively promoting ethical behavior and not allowing retaliation for reports made in good faith.

The commentary to the NYSE rule notes: “Each code of business conduct and ethics must also contain compliance standards and procedures that will facilitate the effective operation of the code. These standards should ensure the prompt and consistent action against violations of the code.” Best practice suggests that the internal audit activity should include some level of review of its organization’s ethics code and compliance system in each year’s work plan.

The regular internal audit of the organization’s ethics and compliance program adds great value to the organization. It is the cornerstone of management’s assessment of internal control over financial reporting, as required by Section 404 of Sarbanes-Oxley. It also gives assurance to the audit committee regarding its responsibilities for oversight of the organization’s confidential reporting system, as required by Section 301 of Sarbanes-Oxley. Finally, it provides assurance concerning the organization’s code of ethics as required by the stock or Sarbanes-Oxley’s Section 406, although many companies have decided on a separate code of ethics for their senior executive and senior financial officers, which would require a separate audit.

Interviews, Surveys, and Focus Groups

Other effective tools for measuring the corporate climate are employee interviews, attitude surveys, and focus groups. Survey questions need only elicit agreement or disagreement responses to issues such as:

  • ABC is serious about acting in strict accordance with the core values it sets forth.
  • My co-workers and I share the same core values as ABC.
  • I believe my personal behavior has a direct influence on ABC’s reputation for integrity.
  • I have witnessed no violations of the ABC Code of Conduct during the past year.
  • I am confident that anything I report to the confidential reporting system will not be used to retaliate against me in any way.
  • If I report something to the confidential reporting system, it will be taken seriously, investigated thoroughly, and resolved appropriately.

Administered periodically and always confidential, such surveys provide additional support to the internal auditors’ assessment of employee attitudes and perceptions about the organization’s management style, ethical climate, code of conduct, and confidential reporting system. Focus groups and employee surveys should always be implemented by independent professionals to help preserve confidentiality and best allow measurement of variability within the organization.

Personnel Practices

Additional evidence of a strong organizational culture can be gathered by analyzing the organization’s personnel practices to determine whether they help enable employees to contribute to a positive corporate ethical climate. Internal auditors should consider whether pre-hire background checks and other investigations include drug screening, integrity tests, prior convictions, and similar measures. Because internal auditors have their fingers on the ethical pulse of the organization, any conclusions drawn from this information should be compared with ongoing perceptions.

The chief audit executive should periodically evaluate the organization’s promotion, compensation, and other reward systems to ascertain whether any formal or informal biases exist that could undermine the ethical culture. It is not enough to give lip service to the core value of integrity if senior management turns a blind eye. Finally, the audit committee should ensure that the board compensation committee is aware of the achievement pressures created by any incentive programs it may approve.

INTERNAL AUDITORS' UNIQUE ETHICAL RESPONSIBILITIES

As a practical measure, being alert to the ethical pulse of the organization’s culture should be an integral part of every audit. Auditors should listen carefully and evaluate critically what they hear from executives, managers, and employees. They should consider putting into their report anything that could represent a compromise of the commitment to act in accordance with the organization’s stated mission and core values or code of conduct and ethics.

As internal auditors must possess a high level of trust and integrity to accomplish their mission, they must also serve as effective ethical role models who advocate appropriate conduct at all levels of the organization. They should make proper disclosures of inappropriate, unethical, or illegal conduct to their chief audit executive whenever it comes to their attention. Internal audit activities must ensure that procedures exist to investigate relevant allegations of misconduct and report findings. Professional practitioners of internal auditing do not have the luxury of just “going along” with something they know to be wrong.

In short, individuals who provide internal auditing services have unique ethical responsibilities in that they must act in compliance with the profession’s code of ethics as well as that of their own organization. They must apply the principles of integrity, objectivity, confidentiality, and competency to all aspects of their relationships with the audit committee, management, suppliers, and employees.

BEYOND THE COMFORT ZONE

Although auditors may find it easier to assess the strength of application and process-oriented controls, they should resist the tendency to spend time where they may be most comfortable. The ethical climate and other “soft” controls are so important to the control environment that they deserve a considerable share of auditor attention. Because of the legal and stock exchange requirements that mandate careful consideration of the organization’s ethical climate, its assessment should rightfully receive the highest audit priority.

To comment on this article, e-mail the author at cverschoor@theiia.org.

 

 

 

February 2012

CCH 2012-2

 GAM March 2012

 

 Write for FSA Times

  

 

 Twitter

facebook IAO 

IA APP