When former Penn State University head football coach Joe Paterno died in January, his reputation as one of college football's most successful coaches — as well as that of the university — was left clouded by his reportedly astounding ethical lapses involving former assistant coach Jerry Sandusky, who was convicted of child sexual abuse. An investigation revealed that the revered Paterno had concealed his knowledge of Sandusky's deeds.
Since then, state prosecutors in Pennsylvania have charged the university's former president, Graham Spanier, and two other top university officials on counts that include obstruction of justice, conspiracy, and failure to report allegations of child abuse.
The scandal is the latest in a litany of ethics fiascos involving high-ranking executives of organizations. Many of those organizations may have had codes of ethics in place with which the top-level players involved in the scandals were expected to comply. But that doesn't mean that a more aggressive approach by internal audit to assess compliance with those codes could have prevented the meltdowns. Rather, the nature of auditing compliance with ethics codes, internal audit professionals point out, makes those reviews especially challenging to conduct, report on, and re-assess after fixes are implemented, especially when the suspected violators hold important positions within the organization. In those situations, auditors aren't simply pointing out a mistake that an employee may have made — they are effectively telling a high-ranking individual that he or she is engaging in law-breaking activities that also can damage the organization itself.
Still, internal audit should try to identify lapses in compliance by executives, despite the complications they may encounter. The good that comes from successful investigation and remediation of problems — whether they be in the code itself, in its supervision by management, or in employees' compliance — far outweighs the frustration auditors may experience when their best efforts are stonewalled by top executives. Just be sure you know going in who your allies are.
Weighing the Risks
The Auditor's Ethics Responsibility
Assessing an organization's compliance with its code of ethics isn't a voluntary activity. IIA Standard 2110.A1 states that the "internal audit activity must evaluate the design, implementation, and effectiveness of the organization's ethics-related objectives, programs, and activities." And, assessments of tone at the top are required for U.S.-listed companies that must comply with the U.S. Sarbanes-Oxley Act of 2002, YCN Group's Stephen Minder adds.
There's plenty of guidance available. One example is a new IIA practice guide, Evaluating Ethics-related Programs and Activities. "It includes examples of an entitywide and audit project survey," AuditTrends' James Roth explains, "as well as a maturity model that could be used in an ethics audit." Other practice advisories (PAs) and guides that auditors can refer to when reporting ethical noncompliance include:
- PA 2400-1: Legal Considerations in Communicating Results.
- PA 2410-1: Communication Criteria, especially No. 13 on separate reporting to the board.
- PA 2440-2: Communicating Sensitive Information Within and Outside the Chain of Command.
- PA 2440.A2-1: Communications Outside the Organization.
- Practice Guide: Interaction With the Board.
Part of any audit of compliance with an ethics code is determining the risk to the organization posed by noncompliance and, to the extent possible, quantifying that risk for management and the board. Companies with more mature risk management functions may identify potential consequences of risks laid out in risk rating tables and matrices, notes Stephen Linden, director of global risk at internal audit consulting firm Protiviti, who works in Perth, Australia. Such tables may include decreased staff morale if cheating at the top is discovered, financial penalties for specific misdeeds, impaired reputation and the damage to the organization that can entail, inefficiencies, inability to achieve organizational objectives, or worst of all, being forced out of business.
As well, a hostile work environment "may lead to class action lawsuits when a member of management at any level fails to act, even when he or she may not have every fact or influence," says Stephen Minder, CEO at YCN Group, a software vendor and internal audit consulting firm in Sherman, Ill. And if an executive is forced out over an ethical lapse, he estimates it will cost three times that executive's annual salary to recruit and train a replacement, adding to the less-tangible damage to corporate reputation and overall employee morale.
Another example is when a foreign customer demands a secondary payment to a friend to get a contract or otherwise do business. "If such payment falls under the U.S. Foreign Corrupt Practices Act (FCPA)," Minder points out, "penalties can be very material."
Ethical lapses that harm the physical environment have tangible and intangible costs, adds Angelina Chin, general director, Audit Services, at General Motors Co. in Detroit; regulatory fines can top US$50,000 a day in some instances. Other regulations spell out fines and penalties as well, and, she notes, "you can use some of the judgments and decisions made by regulators against other companies as an estimate."
Avoiding costly penalties isn't the reason to audit executives' compliance with ethics codes, though, Minder says. "Basically, you want to have the reputation that anyone would want to do business with you. Who wants to invest with Bernie Madoff right now?"
How Clear Is the Policy?
An internal audit team that's trying to audit compliance with its organization's code of ethics may want to start with an entitywide review of ethics-related policies and activities, Linden advises (see "The Auditor's Ethics Responsibility" above). Such a review would check for consistency among policy statements, identify policies that lack ethical statements, and determine whether the statements are specific and concrete enough to be meaningful. Auditors also should make sure those policies and activities actually address ethics, do so consistently, and are effectively communicated, says James Roth, president at AuditTrends LLC, an internal audit training and consulting firm in Hastings, Minn. That can include the obvious policies, such as the code of ethics itself, as well as function-specific policies such as sales, customer service, and investments.
And, Minder says, "many audit departments include specific procedures as part of their audit methodology to obtain evidence as to whether the code is being followed; for example, reviewing foreign payments really cannot be done without considering the FCPA and other guidance in the organization's code of ethics." Also, Roth adds, some internal audit departments assess specific ethics-related activities such as the compliance function, ethics training, and the employee hotline.
Does Management Have Your Back?
Ethics audits are sensitive, so it helps to know going in that management will support your efforts and results. But how do you make sure that's the case?
"You've got to have a dialogue with the audit committee in very frank and direct terms," YCN Group's Stephen Minder advises. He recommends private meetings with the chairman of the committee and an executive session with the full committee. "Also," he says, "I suggest a discussion and possibly a written agreement among senior management, the audit committee, and the CAE when he or she takes on the job of reviewing the ethics programs."
Minder recounts this example from his own experience as a CAE: "I told my boss, 'We're not going to make anybody happy with this. We have to tell them what they've done wrong from a code of conduct perspective — and that their behavior is unacceptable, such as inappropriate behavior with staff or violating company mandates or government laws and regulations.' I had bosses who understood and accepted that and who had my back, and I also had bosses who said they had my back but all they had were smiles on their faces."
The problem with many tactics designed to uncover ethical lapses by executives, Roth warns, is "they tend to be limited to the design and implementation of the ethics policies: 'Is management doing the right things to encourage the values in the code of ethics?' As such, they can miss the most important thing — effectiveness: 'Are those activities accomplishing what they are intended to accomplish? Has management internalized those values and does it behave accordingly?'" He recommends two techniques in particular to evaluate the latter:
Employee surveys. Roth says surveys can be an effective measure of the ethical climate if they are anonymous and if employees believe management will address issues that arise. Surveys can be entitywide or more focused, and they can be administered by internal audit, human resources, or an external vendor. They also can be used on individual audit projects.
Structured interviews. An audit department can, for example, conduct periodic "culture of compliance" interviews in which a skilled interviewer asks a sample of employees a carefully constructed set of questions and probes for more information when he or she senses discomfort behind a positive answer.
Some of those activities actually may be part of what many internal audit departments are doing day to day anyway, Minder points out, while "complete audits of compliance with the organization's ethics program should be a recurring audit in the plan, but may not be annual." He notes that most of the steps in such audits will be familiar to most auditors, while others may involve alternatives such as voting technology, focus groups, employee surveys, and transactional statistical analysis.
If an organization does not have a code of ethics in place, Roth notes that internal audit can still provide assurance on the actual state of the organization's ethical climate. As well, "internal audit should work in an advisory role to persuade management and the board of the importance of a code of ethics," he says. Chin points out that IIA guidance outlines several steps internal auditors can take to provide assurance and advice, including interviewing the CEO and the senior managers responsible for key departments such as human resources, compliance, purchasing, and accounting on their expectations regarding ethical behavior.
Only the Brave
One of the biggest differences between most audits and an audit of executive compliance with an ethics code is the kind of impediments to investigation that an internal audit department may face. The problem, Minder says, is that ethics audits generally are "very touchy. The board and management must have internal audit's back or there will be a change in chief audit executive (CAE) when really bad information is reported" (see "The Backlash Against Whistleblowers" below). He adds, ominously: "Every audit of senior executives' ethics code compliance is cause for the CAE to put his or her job on the line. A CAE doing an audit of this impact and implication must be willing to stand up for what he or she knows is right, regardless of any repercussions that may occur." That's a job for only "the most ethical, strongest, and confident CAEs," he says, even though those reports will provide management and the board with vital governance information.
The Backlash Against Whistleblowers
It may not be easy to get employees to report lapses in compliance with an organization's ethics code. And those hesitant employees are justifiably concerned, it turns out. A recent report by the not-for-profit Ethics Resource Center, Retaliation: When Whistleblowers Become Victims, finds that employees who report misconduct to a superior or through a hotline increasingly judge their subsequent treatment as shoddy.
Twenty-two percent of respondents who reported observed misconduct say they subsequently experienced retaliation, up 46 percent from a 2009 survey. Forty-six percent of respondents who experienced retaliation feel disengaged from their organizations, and 23 percent plan to seek new employment within the next year. The percentage of whistleblower respondents who say they were subject to managerial retaliation, such as being denied a raise or promotion, grew from 43 percent in 2009 to 55 percent last year.
"The only thing you can do to protect employees from legitimate concerns about retaliation is to guarantee confidentiality," AuditTrends' James Roth concedes. "If the assurance is made face to face and you have the credibility and a relationship of trust with the person, that might be enough. Generally, though, the process used for reporting unethical behavior must be absolutely anonymous for people to feel safe."
Roth advises auditors that when the problem in an assessment of ethical lapses can be traced back to a high-ranking executive, internal auditors should gather their evidence and go to the audit committee. "Have your resume updated beforehand," he cautions, "even if you're right." If the audit committee chairman is the problem, the response from internal audit will be even more challenging. "Your responsibility as an internal auditor is to report wrongdoing up to and including the audit committee," he explains, "but it ends there. If the audit committee does not act, but you believe that is not acceptable, you should resign your position as CAE, get personal legal counsel, and then go public — but not as the company's chief auditor."
Even if matters don't get that serious, internal auditors are likely to face roadblocks in their efforts to uncover and assess ethical lapses by high-ranking officials. One common pushback, Minder notes, is that the ethics code "gets in the way of carrying on business as usual" — even though it actually, as he puts it, "provides an avenue for meaningful corrective action to organizations that truly want to do the right thing." A similar impediment is top-level staffers who complain that the code requires the organization to do what legal, moral, or ethical principles require — instead of doing what's best for the financial bottom line.
Additionally, Linden points out, if tone at the top is poor, internal audit may struggle to have audits of ethics code compliance included in the audit plan. "Also, keep in mind," he says, "that companies often operate in numerous countries that have varying ethical values, so internal auditors must determine which are right and which are wrong — and how variations should be reported." And, of course, if senior management is acting unethically, it may try to dissuade the internal audit department from conducting ethics reviews in the first place. That's one of the reasons Chin suggests conducting interviews for those audits under attorney-client privilege, if that isn't already standard practice.
Of course, all the best intentions and cleverly designed controls in the world won't fix problems with ethics code compliance if the fixes put in place by management don't work or aren't followed. As in other engagements, internal audit's work is not complete without circling back to reassess the state of code compliance after the fact. "After an acceptable time allowing for the revised controls to take effect, internal audit would likely conduct a follow-up review," Linden notes. "The shape or form of such a review — a project review; an entitywide staff survey — would depend on the nature of the initial findings and remedies put in place." Indeed, he adds, all internal audit reports should require a response from management that provides an action plan for addressing recommendations. These reports should be in writing, Minder notes. "Ethics issues raised by auditors are significant and deserve written attention," he says.
One tactic internal audit departments often rely on for follow-up assessments is trends revealed by survey results, Roth says. If survey trends don't show improvement, the auditor should follow up to find out why. Or auditors could "ask carefully selected people how they feel about the fixes and whether they seem to be working," he suggests. In all cases, auditors should present their follow-up assessments to management very tactfully — especially if the news isn't good. "Give them full credit for the things they tried to do," he says, "and make the point that sometimes something they didn't — and couldn't be expected to — think of gets in the way."
For most of the steps in auditing executives' compliance with corporate codes of ethics there's guidance in place for internal auditors. The specifics in the code are generally clear, and the steps involved in assessing compliance are well-understood by most audit departments. Just remember that even if ethics issues don't pose make-or-break risks to an enterprise, they may still be the most sensitive and most challenging to assess. Auditors should keep their wits about them and make sure they know who their allies are from the start.
Information about possible lapses in compliance with a code of ethics can come from sources outside the audit process, as well as from the interviews, document reviews, and surveys performed during regular audits, notes General Motors Co.'s Angelina Chin.
When planning audits, auditors should identify high-risk areas for noncompliance with the codes and be alert to red flags. For example, in a purchasing audit, be alert to red flags of potential favoritism to particular vendors. In expense audits, be alert to employees splitting payments to bypass approval limits, making payments to government employees, or routing payments to their own accounts or to related parties.
Review the annual ethics and compliance report submitted to the audit committee. Pay attention to the number of allegations and how many are substantiated, their trends over time, as well as the nature of the allegations and corrective actions taken by management. "That gives you a good overall picture of the compliance climate in the organization," Chin notes.
Examine results of employee surveys, because some have statements about tone at the top, ethics, integrity, and compliance topics.
Review news reports, lessons learned, and public information, she advises, because problems at other companies "can prompt you to look at whether your company has the same vulnerabilities."
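The expense-audit red flags listed above (payments split to stay under an approval limit, payments to government bodies, and payments routed to a requester's own account) can be screened mechanically before an auditor reviews the exceptions by hand. The Python below is an added example written for this page, not code from General Motors or any audit department; the approval limit, the seven-day grouping window, the field names, and the ledger and reference tables it runs on are all constructed assumptions.

```python
"""Red-flag screening over an expense ledger: split payments that bypass an
approval limit, payments to government bodies, and payments routed to a
requester's own account. Added illustration; thresholds, field names and the
ledger below are constructed assumptions, not audit-department data."""
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 10_000.00          # hypothetical single-payment approval threshold
SPLIT_WINDOW = timedelta(days=7)    # hypothetical window in which splits are grouped

# Constructed sample ledger (not real transactions).
PAYMENTS = [
    {"id": "P1", "date": "2012-03-01", "requester": "jdoe",   "payee": "Acme Supply",
     "payee_account": "ACCT-100", "amount": 9_800.00},
    {"id": "P2", "date": "2012-03-03", "requester": "jdoe",   "payee": "Acme Supply",
     "payee_account": "ACCT-100", "amount": 9_700.00},
    {"id": "P3", "date": "2012-03-20", "requester": "jdoe",   "payee": "Acme Supply",
     "payee_account": "ACCT-100", "amount": 4_000.00},
    {"id": "P4", "date": "2012-03-05", "requester": "asmith", "payee": "Regional Permit Office",
     "payee_account": "ACCT-200", "amount": 500.00},
    {"id": "P5", "date": "2012-03-06", "requester": "jdoe",   "payee": "J. Doe Consulting",
     "payee_account": "ACCT-300", "amount": 1_200.00},
]
# Constructed reference data an auditor would normally pull from payroll/HR and
# the vendor master: bank accounts belonging to employees, and known government payees.
EMPLOYEE_ACCOUNTS = {"jdoe": {"ACCT-300"}, "asmith": {"ACCT-400"}}
GOVERNMENT_PAYEES = {"Regional Permit Office"}


def flag_split_payments(payments, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW):
    """Group sub-limit payments by (requester, payee); flag any run of two or
    more within `window` whose total reaches the limit that a single payment
    would have needed approval for."""
    groups = defaultdict(list)
    for p in payments:
        if p["amount"] < limit:
            groups[(p["requester"], p["payee"])].append(p)
    flags = []
    for (requester, payee), items in groups.items():
        items.sort(key=lambda p: p["date"])  # ISO dates sort correctly as strings
        for i, first in enumerate(items):
            start = date.fromisoformat(first["date"])
            cluster = [q for q in items[i:]
                       if date.fromisoformat(q["date"]) - start <= window]
            total = sum(q["amount"] for q in cluster)
            if len(cluster) > 1 and total >= limit:
                flags.append({"rule": "split_payment", "requester": requester,
                              "payee": payee, "payment_ids": [q["id"] for q in cluster],
                              "total": round(total, 2)})
                break  # one flag per requester/payee pair is enough to trigger follow-up
    return flags


def flag_related_party_payments(payments, employee_accounts=EMPLOYEE_ACCOUNTS):
    """Flag payments whose destination account belongs to the requester."""
    return [{"rule": "payment_to_own_account", "payment_id": p["id"], "requester": p["requester"]}
            for p in payments
            if p["payee_account"] in employee_accounts.get(p["requester"], set())]


def flag_government_payments(payments, government_payees=GOVERNMENT_PAYEES):
    """Flag payments to known government bodies for FCPA-style review."""
    return [{"rule": "government_payee", "payment_id": p["id"], "payee": p["payee"]}
            for p in payments if p["payee"] in government_payees]


def screen_ledger(payments=PAYMENTS):
    """Run all three screens and return the combined list of red flags."""
    return (flag_split_payments(payments)
            + flag_related_party_payments(payments)
            + flag_government_payments(payments))


if __name__ == "__main__":
    for flag in screen_ledger():
        print(flag)
```

On the constructed ledger the split-payment screen pairs P1 and P2 (two sub-limit payments to the same vendor two days apart that together exceed the limit) and ignores P3, which falls outside the window; P5 is flagged because its destination account belongs to the requester, and P4 because the payee is a government body. The screens produce leads, not findings: each flagged item still needs the document review and interviews the article describes.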