“Good business leaders should be a step ahead of what customers want ... and good auditors often need to be a step ahead of management,” asserts IIA–Singapore’s May 2014 report, The Changing Role of IA: Keeping Watch for the Board. Internal auditors can keep a step ahead of management by anticipating its need for an assessment of the organization’s integrity and ethics safeguards, and placing it high on the audit plan. This is appropriate, given that 87 percent of executives surveyed around the world consider reputation risk to be the most important strategic risk, according to Deloitte’s 2014 Global Survey of Reputation Risk. A reputation that has taken many years to build can be ruined quickly when incidents that diminish the organization’s moral landscape become public knowledge.
Organizations that have clearly articulated values and a strong culture of ethical behavior tend to control fraud more effectively. They usually have well-established frameworks, principles, rules, standards, and policies that encompass the 10 typical attributes of fraud control. These attributes include leadership, an ethical framework, responsibility structures, a fraud control policy, prevention systems, fraud awareness, third-party management systems, notification systems, detection systems, and investigation systems.
Internal auditors need to sharpen their thinking when planning an assessment of their organization’s integrity and ethics safeguards (Standard 2010) and then performing the engagement (Standard 2300). Conducting research across their organization, industry, and region will help them determine the emerging risk areas and potential gaps in organizational safeguards. Four key elements of integrity and ethics safeguards have emerged over the past year related to fraud control planning, handling conflicts of interest, shaping ethical dealings with third parties, and natural justice principles for employees facing allegations of wrongdoing.
Fraud Control Plan
The need for a fraud control plan is borne out by an organization’s potential fraud losses — typically about 5 percent of revenues are lost to fraud each year, according to the Association of Certified Fraud Examiners’ 2014 Report to the Nations on Occupational Fraud and Abuse. A fraud control plan typically will articulate an organization’s fraud risks, controls, and mitigation strategies, including:
- Significant business activities.
- Potential areas of fraud risk.
- Related fraud controls.
- Gaps in control coverage and assurance activities.
- Defined remedial actions to minimize fraud risks.
- Review mechanisms evaluating the effectiveness of fraud control strategies.
Management should review and update the fraud control plan periodically and report the results to the audit committee and senior management (see “The Coordinated Assessment” below). In organizations where internal audit is responsible for reviewing the fraud control plan, it should be performed by the CAE. This review should be integrated into the organization’s wider business planning to ensure synergies exist with other areas, and it should illustrate the specific links to the organizationwide risk assessment and anti-fraud activities.
|The Coordinated Assessment|
A financial institution with a separate manufacturing arm was generating annual net profit of more than US$4 billion through local and global operations (based on real cases). According to news reports, it was expanding its product sales into relatively unknown international markets. The audit committee recognized the organization’s expanding fraud vulnerabilities through separate reports it was receiving on risk topics such as procurement shortcomings, organized criminals infiltrating the organization to gain access to confidential information, allegations of bribery of foreign officials through “facilitation payments,” increasing incidents of cybercrime, and greater digital connectivity. Committee members asked the CAE to facilitate a coordinated organizationwide assessment of fraud vulnerabilities, with the results to be consolidated into a fraud control plan.
The CAE drew together knowledge experts from various business areas to identify potential fraud vulnerabilities. The group considered global research on reported and emerging fraud risk areas, then debated the strength and effectiveness of the organization’s internal controls. Through workshop analysis, the group identified the highest risk areas of potential fraud and their three lines of defense, which included risk owners and management; risk control, compliance, and monitoring areas; and internal audit. In addition, the group noted opportunities to strengthen current fraud risk management arrangements.
The group consolidated the workshop outcomes into a fraud control plan, which was validated by senior management. The analysis also was used to update the organization’s assurance map, which identified and mapped the assurance arrangements over key risk areas, business processes, and organizational objectives into a central record.
The CAE reported the results of the workshop together with the fraud control plan to the audit committee. The CEO assigned ownership of the fraud control plan and the associated actions to senior management and asked the CAE to confer with senior management to provide semi-annual progress reports to the audit committee.
Managing Conflicts of Interest
The Organisation for Economic Co-operation and Development reports, “There is a growing consensus that managing conflicts of interest is critical to curbing corruption.” Reports indicate that unmanaged conflicts of interest continue to cost organizations millions of dollars. To minimize these risks, organizations need a clear and well-understood conflict of interest policy, coupled with practical arrangements to implement and monitor policy requirements (see “A Lack of Governance” below).
The U.K. National Audit Office defines a conflict of interest as a set of circumstances that creates a risk that an individual’s ability to apply judgment or act in one role is, or could be, impaired or influenced by a secondary interest. The perception of competing interests, impaired judgment, or undue influence also can be a conflict of interest.
Good practices for managing conflicts of interest involve both prevention and detection, such as:
- Promoting ethical standards through an explicit conflict of interest policy, along with well-stated values and clear conflicts provisions in the code of ethics.
- Identifying, understanding, and managing conflicts of interest through open and transparent communication to ensure that decision-making is efficient, transparent, and fair, and that everyone is aware of what to do if they suspect a conflict.
- Informing third parties of their responsibilities and the consequences of noncompliance through a statement of business ethics and formal contractual requirements.
- Ensuring transparency through well-established arrangements for declaring and registering gifts and other benefits.
- Ensuring that decisions are made independently, with evidence that staff and contractors routinely declare all actual, potential, and perceived conflicts of interest, involving at-risk areas such as procurement, management of contracts, human resources, decision-making, and governmental policy advice.
- Establishing management, internal controls, and independent oversight to detect breaches of policy and to respond appropriately to noncompliance.
|A Lack of Governance|
The XIX Commonwealth Games were held in Delhi, India, in 2010 and involved almost 6,500 athletes and officials representing 53 countries. India emerged successfully as both host and competitor, achieving many of the objectives of hosting the games, including large-scale improvements to city and sporting infrastructure.
Inexplicable delays in decision-making put pressure on timelines leading up to the event and led to the creation of an artificial, consciously created sense of urgency. The target date was immovable and could only be met by obtaining waivers from government procedures. Many contracts were then entertained based on single bids, and some were even awarded on a nomination basis. There were perceptions that competing interests, impaired judgment, and undue influence had led to unmanaged conflicts of interest.
After the games, an independent report by India’s comptroller and auditor general reflected that the games preparations adopted a governance model “in which authority was dissipated, accountability was defused, and unity of command was not provided for or followed.” The report concluded that “eliminating (procurement) competition led to a huge extra burden on the exchequer.” The comptroller and auditor general reflected that, “Taking liberties with governmental procedures … led to elimination of competition. A conclusion from such action which seems obvious is that this could indeed have been an intended objective!” In the wake of the report, the BBC reported the chairman of the Commonwealth Games Committee was fired, arrested along with nine others, convicted of corruption, and jailed.
Statements of Business Ethics
Contemporary business models increasingly involve third parties, with external supplier costs now representing one of the most significant lines of expenditure for many organizations. Such interactions can provide an opportunity for fraud and corruption (see “Improper Deposits” below).
The International Federation of Accountants and the Chartered Institute of Public Finance and Accountancy recognize that “an entity’s strong commitment to ethical values needs to be communicated to suppliers through a Statement of Business Ethics,” according to their International Framework: Good Governance in the Public Sector, issued in July 2014.
Many forward-thinking organizations already have codes of ethics in place that set out the values and ethical expectations of both their board members and staff. The board code of conduct should define the behavioral standards for members, while the staff code of conduct should detail standards for employee conduct and the sanctions that apply for wrongdoing. Similar statements also are appropriate for third parties such as suppliers, service providers, and business partners.
A statement of business ethics outlines both acceptable and unacceptable practices in third-party dealings with an organization. Common features include:
- The CEO’s statement on the organization’s commitment to operating ethically.
- The organization’s values and business principles.
- What third parties can expect in their dealings with the organization and the behaviors expected of them.
- Guidance related to bribery; gifts, benefits, hospitality, travel, and accommodation; conflicts of interest; confidentiality and privacy of information; ethical communications; secondary employment; and other expectations.
- Contact information for concerns, clarification, reporting of wrongdoing, and disputes.
Once established, the organization needs to implement a well-rounded communication strategy for the statement of business ethics that includes education of staff members, distribution to third parties, publication on the organization’s website, references to it in the annual report, and inclusion in future tender proposals and bid packs.
|Improper Deposits|
The tendering manager at Integral Energy Australia, Dennis Hall, sought expressions of interest for decommissioned electrical transformers from his company’s panel of preferred purchasing tenderers. He and a colleague would usually accept the highest price offered.
The successful bidder was asked to pay the funds by check made payable to “Dennis Hall, the Administrator, Manager, and Trustee for the Scrap Process.” Hall would deposit the funds into his personal account and, if requested, provide a receipt on Integral Energy’s letterhead.
By the time the company discovered his activities after two and a half years, Hall had appropriated almost AU$400,000 (US$294,820). An independent investigation found his dishonest behavior included fraud, theft, embezzlement, forgery, and official misconduct.
Hall was subsequently convicted and sentenced to two and a half years in prison. In the wake of the discovery, Integral Energy strengthened its policies and procedures, and implemented a statement of business ethics detailing the way in which the company would interact with third parties that did business with it, including requirements for checks.
Charter of Rights
Engaged and capable employees underpin the success of most organizations, yet management does not always recognize the bottom-line effects and employee turnover costs when innocent employees are the subject of allegations of fraud and other wrongdoing (see “Guilty Until Proven Innocent?” below). About 60 percent of allegations against employees turn out to be unsubstantiated, according to the 2014 NAVEX Global Ethics and Compliance Hotline Benchmark Report.
A charter of rights compiles in a single document all of the information that respondents to allegations of wrongdoing may require. Such a charter should be written in an easy-to-understand style to meet the needs of its target audience. It should:
- Outline the charter’s purpose, how it will operate, how it supports a robust complaints and allegations system, and how it aligns with the organization’s values.
- Describe how management handles workplace allegations and complaints, and ensure principles of natural justice and other legislative obligations, such as privacy, are in place.
- Provide a high-level overview diagram of the allegation assessment and investigation process, including the channels for submitting allegations; the distinct phases for logging, assessing, and investigating the allegations; and the final decision-making phase.
- Include details of available support such as contact information for human resource specialists, details about an external confidential employee help line, and processes for updates throughout the investigation.
- Illustrate the tiered escalation process for handling allegations that reflects (at one end) how issues of a serious, sensitive, or significant nature are addressed, and encourages (at the other end) the handling of low-level localized issues as close to the source as possible.
- Provide answers to common questions that respondents might have about the process for dealing with allegations, such as “What can I expect?” “Are outcomes always reviewable?” “What does frivolous and vexatious mean?” “What will I be told about the outcome?” and “What happens when a process is concluded?”
- Outline the options for independent reviews of adverse investigation outcomes.
|Guilty Until Proven Innocent?|
Ron White had reached the pinnacle of his career when he was recruited to lead a specialist governance function in a large public sector organization that had total annual expenses of more than US$3 billion. (This story is based on a real case, but White’s name has been changed.) After he had been with the organization for a few months, allegations of inappropriate behavior were raised against White. Although he was subsequently proven innocent, the allegations were of such a serious nature that they could potentially derail his career.
The organization had many policies and procedures covering ethics, allegations, and investigation approaches, but White had difficulty locating all the information he needed to fight the allegations. That information was virtually nonexistent or seemed hidden among other corporate policies, as if it were an afterthought.
Based on his experience, White realized that alleged perpetrators needed some help, through a charter of rights. He broached the idea with the CEO and gained his support. The legal team recognized the natural justice value of having a charter of rights to provide just, fair, and reasonable resources for the organization’s staff. Moreover, the availability and dissemination of these resources could be demonstrated to the courts in the event of a lawsuit against the organization. The executive leadership team was tasked with developing a charter of rights, and did so through a wide consultation process involving staff representatives, lawyers, investigators, the CAE, trade unions, and other stakeholders.
A Step in the Right Direction
Many of the resources produced for the public sector on integrity and ethics safeguards can be adopted for the private and not-for-profit sectors, where similar resources may not be available. The IIA Research Foundation’s 2015 report, Driving Success in a Changing World — 10 Imperatives for Internal Audit, reflects the importance for internal auditors to anticipate the needs of stakeholders. This is consistent with the core principle for internal auditors to be insightful, proactive, and future-focused. Placing an assessment of the organization’s integrity and ethics safeguards high on the audit plan is a step in the right direction.