There are vivid examples of the link between organizations’ ethical behavior and their bottom lines. At press time, Kraft Heinz Co. announced restated earnings involving irregularities in its accounting procedures and internal controls; the initial report of the U.S. Securities and Exchange Commission’s (SEC’s) related subpoena contributed to an almost 20% single-day drop in the company’s stock price. Similarly, cryptocurrency company Longfin’s shares plunged 30% when it disclosed an SEC investigation last year. And following the news of Volkswagen’s now infamous emissions scandal, its stock, too, experienced a 30% decline.
As evidence mounts that ethical business behavior leads to better business performance — boosting stock price performance by almost 15%, according to one estimate — internal auditors need to sharpen their people skills, listen better, and share what they learn with more moving parts in their organizations’ ethics infrastructures. And they need to step up, state their case, and start getting the credit they deserve for doing so.
Stakeholders may understand that internal audit plays a role in ethics, though they may not fully appreciate the breadth of contributions practitioners can make. Now internal auditors have numbers to show how much value the function actually adds.
Reputation and Culture
The Ethisphere Institute, a global ethics rating and advocacy firm, names its World’s Most Ethical Companies each year, based on the quality of their ethics and compliance programs, organizational culture, corporate citizenship and responsibility, governance and leadership, and reputation. Ethisphere’s belief that “financial performance and ethics go hand-in-hand” is validated, it says, by its “Ethics Premium.” The organization tracks the stock prices of its publicly traded honorees and compares them to a large cap index — and it says those companies outperformed the index by 14% over five years and by nearly 11% over three years.
Is the connection really cause–effect? Does ethical behavior lead directly to better business performance? “I firmly believe it does,” says Karen Brady, corporate vice president of audit and chief compliance officer at Baptist Health South Florida, in Coral Gables — a nine-time Ethisphere honoree. She notes that Ethisphere’s reputation criterion is based in part on a Google search of the organization, adding: “Having a good reputation will get you better business. That’s a pretty-well-known fact.” Ethisphere also cites studies showing that millennials want to do business with companies that have solid ethical reputations, and its CEO Timothy Erblich adds that “employees, consumers, and stakeholders value companies that show a commitment to business integrity.”
Of the elements Ethisphere says undergird an entity’s ethical behavior, the one that contributes most to business performance is culture, Brady says. “It has to be,” she stresses. “The whole thing starts with culture. If you don’t have that tone at the top, the organization isn’t going to be committed to good governance or good citizenship.” Indeed, organizations with a culture that encourages concealment of compliance or other issues, she says, risk severe damage to their reputations.
Jane Keller-Allen, vice president of Internal Audit, Compliance, and Risk at WPS Health Solutions in Madison, Wisc., also stresses culture’s influence on the bottom line, and she agrees that tone at the top is key. “All aspects of an ethics infrastructure are important, but culture contributes the most to business performance,” she says. “The culture of an organization is usually driven by its leaders. If leadership believes in doing things the right way, then compliance programs and corporate citizenship will naturally flourish under that direction.”
Keller-Allen adds that if the organization’s leaders help establish a culture that fosters trust, then employees will be more inclined to report potential compliance issues. And that, in turn, enables the organization to resolve any issues more quickly.
At Baptist Health South Florida, internal audit contributes to ensuring that ethical behavior begets profits in several ways. “From time to time, we audit each of the Ethisphere criteria,” Brady says; that includes informal surveys in the departments and locations they audit. And, she says, “ethics is huge when we assess risks,” citing trends in hotline calls and human resources (HR) statistics as potential red flags. She adds: “If there’s an ethical issue in an area, you can bet there’s going to be a business concern — fraud, noncompliance, or weak controls — too.”
Jeff Dougher, internal audit director at Intel in Portland, Ore., agrees that the profession has an important role in effective assessment of business performance as it relates to ethics — by virtue of being an independent advisor. “That could be as simple as spending time with first-level managers and staff to see how they would raise issues, and teaching individuals how and where to report issues,” he says. Internal audit can help management understand the types of messages business managers proliferate throughout an organization, he adds, and can help “ensure the culture of ethics and compliance is consistently understood throughout each particular group or team.” Intel has been recognized on the Ethisphere list seven times.
Teamwork and Partnerships
Technology that enables compliance and ethics-related information-sharing, including input from internal audit, is becoming increasingly sophisticated, says OCEG President Carole Switzer — and the best may be yet to come. “Technology that incorporates internal audit findings that flag issues — and that sets a process for notifying relevant parties so that they can address deficiencies and respond to the concerns raised — is hugely helpful,” she says. The opportunity for business operations to input their information into the same system as risk, internal audit, and human resources is, she adds, “a bit of a game changer.”
Recent technological advances have enabled central hubs that pull in data from multiple systems inside and outside an organization and make it available across the enterprise, she explains. “That combined with advanced machine learning, other types of artificial intelligence, natural language processing, and predictive analytics,” she says, “represents the real revolution.”
The revolution “benefits internal audit’s ability to really dig in and understand what’s being done to address risk on a completely different level,” Switzer adds. “Internal audit can help other stakeholders use those capabilities to create a living, strategic planning process.”
In fact, internal audit has all kinds of ways to help drive and assess a company’s ethical behavior, Dougher says. Being independent and keeping individuals’ interviews anonymous allows internal audit to “ask clarifying questions that provide accurate information and valuable insight to help management understand their site cultures,” he adds. Teamwork matters, too. “We partner with the Ethics and Legal Compliance (ELC) program for selected audits,” Dougher explains, “helping ensure management has established appropriate ELC programs throughout their business groups and site programs.”
Gerry Zack, CEO at the Society of Corporate Compliance & Ethics and the Health Care Compliance Association in Minneapolis, recognizes the value of such practices. He says high performing organizations “have partnerships between compliance and internal audit and between internal audit and other entities in the enterprise that directly affect culture and ethics.” HR is one of them; so is senior management. Zack says this is often part of internal audit’s advisory role.
Carole Switzer, co-founder and president of OCEG (formerly the Open Compliance & Ethics Group) in Phoenix, also cites the value of cross-functional partnerships. She suggests rotating internal auditors through roles in risk management and compliance to afford them a bigger picture perspective on an integrated governance, risk, and compliance process structure. “The key thing to recognize is any of the moving parts of the ‘ethics infrastructure’ can be the cause of failure,” she says. “You cannot establish strong culture, for example, if you don’t have strong leadership with clear vision and commitment.”
The key to taking a company’s ethical temperature is finding out what its stakeholders think. Ethisphere says its World’s Most Ethical Companies “cultivate a culture of integrity” — by measuring employees’ comfort with speaking up, for example, and their views of leadership’s trustworthiness, and by “leveraging a broad array of tools and techniques to get a sense of their internal ethical cultures.”
Some companies use a dedicated ethics survey process, Ethisphere says, adding that “pulse-type surveys to capture small, but frequent, readings of ethical temperatures across the organization are oft-discussed, but rarely used.” Employee engagement surveys are the most popular ethical thermometers, Ethisphere reports; the percentage using them rose 12 points from 2017 to 2018. Ethisphere adds that such surveys are driven primarily by the HR function, with regular frequency and broad distribution.
Auditing by Walking Around
Surveys themselves won’t provide all the information internal audit needs. In fact, using annual queries in isolation to get a feel for ethical culture is not very useful, Switzer says. “If you have a huge problem, you may find it, but you won’t find the more subtle or complicated things.”
That more nuanced insight requires what Zack calls “the walking around approach, talking with people.” He adds: “The casual conversation that begins with, ‘How are things going?’ can lead to amazing insights if you let it.”
That’s true for small companies, too, Brady points out. “For internal audit to have a sense of the organization’s culture, you have to do site visits,” she says, “even if that’s a ‘department’ visit.”
And that’s what Ethisphere’s World’s Most Ethical Companies are doing; the percentage of those companies conducting site visits jumped 28 points from 2016 to 2018, reflecting what the organization calls “a growing relationship between the compliance function and other control functions, like internal audit, that are regularly in the field.” Indeed, the report that accompanies the Ethisphere listing notes that “more companies arm internal audit with questions to ask during site visits, collaborating more closely with HR and safety.”
As part of Intel’s annual plan, Dougher’s team evaluates international site coverage to ensure it has the right balance of audits. “The audit program evaluates specific risk indicators — including factors such as growth, location, and spending — to understand any changes to the site to better understand if an audit should be performed,” Dougher says. The site audit program includes interviews with all levels, he adds, “to help understand how ethics is interpreted and help management understand the site’s culture.” His team also has used site-level surveys — working with HR and legal on wording — to reinforce messaging, as well as open forums and workshops.
On the Same Page
To help standardize information, Dougher says he partners with Intel’s ELC program to ensure all parties are aware of each other’s coverage. “Whether it is asking a site-specific question or evaluating a particular area, we want to ensure all parties are aligned ahead of time,” he explains. To that end, Dougher says Intel has developed a standard test program and a standard set of questions internal auditors use to identify trends and talk about key points with management. The critical factor from his perspective is “ensuring the template is being used across each audit program and documented within our audit methodology.”
Brady adds: “We all are interdependent.” Part of risk assessment is looking at trends, she explains; internal auditors evaluate hotline data they receive from compliance and may ask why they keep hearing about conflicts of interest, or about a particular compliance issue. “Internal audit needs to make sure the issues are escalated,” she comments, “and thoroughly investigated when necessary.”
Moreover, trends in turnover statistics may prompt a conversation about a department — or an audit may reveal a potential HR concern — and the same applies to quality improvement. “We give feedback to HR, compliance, quality, and other functions when we identify trends or issues that affect them,” Brady says. “That happens routinely.”
Sometimes the ethics-related feedback is especially sensitive. A casual interview in an audit may turn up comments about, for example, sexual harassment, raising the question of how to appropriately use casual comments, body language, and other signals as data for assessing a situation and recommending responses.
“It comes down to people skills,” Brady states. “We do our best to train auditors that when they hear something like that in an interview they should ask the next question: ‘What do you mean by that?’” If that individual doesn’t reveal anything else, she suggests asking others in the department if they have any concerns. “It’s the best you can do,” she says. “Ninety-five percent of the time, it’s successful.”
Zack adds: “Talking to people is an auditing and monitoring step that can be institutionalized. But there’s also a certain percentage of using the information that’s seat of the pants, what your gut tells you.”
Make the Connection
Too often, what the gut says is, “mind your own business,” Brady says. “I hear from a lot of internal auditors who say they’d never start a conversation about culture or diversity or corporate responsibility with their stakeholders because that’s not their stakeholders’ expectation of internal audit.” Too many internal audit functions, she adds, remain “focused on ‘check the box’ compliance or financial audits, and don’t realize that the important thing is to make sure their stakeholders are aware of all risks — not just the traditional ones.”
Stakeholder underestimation needs to change, and the profession needs to change it. “It could be a good approach to link elements of audited programs to strategic objectives of the organization, including business performance,” Zack suggests. When the compliance program is audited, for example, each underlying activity — training in a particular area, for example — could be sized up in part by asking, “How does that help the business? How does it contribute to the performance of the organization?”
Those links then need to be promoted. “We absolutely should talk about it more,” Brady emphasizes, pointing again to the connection between business ethics and performance. “Stakeholders need to understand how important that is and, as chief audit executives, we need to make sure they understand that internal audit has a much broader perspective,” she says. “We need to do more to get that point across.”