Case studies - business ethics

The IIA has been talking to heads of internal audit about what business ethics means to them and their approach to carrying out assurance in this area.
Here are some short commentaries that provide food for thought.
VP Internal audit - global pharmaceutical company
Sound business ethics and full compliance with laws and regulations are important to public and private institutions. It is especially important to the pharmaceutical industry as laws and regulations are demanding. Furthermore, it is particularly relevant the more the organisation operates internationally, possibly globally, for example being active in the BRIC countries and other emerging markets. However, in supposedly more mature markets, too, there have been many cases of misconduct.
Ethics and compliance standards are rising, for instance the new UK Bribery Act coming into effect in July 2011, so companies need to adapt, need to strengthen their ethics and compliance programmes. Capital market requirements increasingly put emphasis on good corporate governance and strong internal audit, so do investor analysts. So, investing in sound business ethics and compliance needs to become embedded in the way business is conducted, not bolted on but rather, the "way we do things here". This is a journey but companies need to get moving, and aiming to improve as sustainability of earnings and social responsibility increasingly become a differentiating factor, which works both ways.
Since March 2011 we have an Ethics and Compliance Officer on board. We are about to further strengthen procedures e.g. addressing anti-corruption, business conduct, grants and donations and gifts. A Compliance Risk Assessment (CRA) will be embedded into the Business Risk Assessment. We will start with self-assessed CRA-questionnaires. We will raise awareness and help compliance through participation and education in business review meetings. Reviewing the dimensions of ethics and compliance will as well become an integral part of the internal audit work programme. As we have an Audit, Compliance and Ethics committee, a sub-committee of the Main Board, these matters will have the utmost attention from the top of the house.
Head of internal audit - international travel organisation
Regarding my view on selling the idea of an ethics audit to my stakeholders – I won’t be trying the direct approach! There are just too many other battles still to be won and I feel that this one can be tackled without, initially at least, a direct audit of such an expansive subject.
Hence, my strategy is to initially more subtly include the consideration of the risk in other audits instead to gradually raise awareness, introduce the concept to the risk, start testing it in a phased way and take it from there. If we started unearthing significant issues then a direct and wider audit may then become appropriate. I have on my “must do some time” list, to discuss with our head of sustainability, how this integration into audits can best be achieved.
Head of internal audit - higher education
The University’s chair of council (chair of our board) asked for a specific review of ethical processes around philanthropic gift acceptance. He felt that the University’s policy could be enhanced and needed review and wanted an independent view of the process to feed into Council’s review of ethics. The scope was agreed through discussion with the chair of Council. This was documented and agreed as for all audits. Clear risks were set out to be evaluated.
The delivery was done through discussion and review of the process with University officers supported by review of supporting paperwork. The approach involved interviews with relevant Council members and senior managers to identify the various points of view. The governance, risk management, structural and process issues, rather than a particular ethical or moral stance, were reported. Given the sensitive and highly charged atmosphere surrounding this area of review, draft and potential findings were ‘trailed’ in advance with relevant key stakeholders, in order to shape the report to address known potential concerns and reactions.
Executive chief risk officer and former head of internal audit - insurance
In my mind business ethics refers to specific and clearly defined aspects of the organisation's 'behaviour' which are linked to a particular business activity or strategy. Some examples are:
- Investing in ethical funds.
- Operating only in countries with a good human rights record.
- Working with business partners or suppliers who have similar carbon footprint standards.
- Offering a fair price to customers and suppliers e.g. Fair trade.
- Treating customers fairly.
Where an organisation has framed its ethical policy clearly internal audits can be scoped accordingly and managed in 'bite size' chunks. However, for an audit such as treating customers fairly (a regulatory requirement for financial services), this requirement or risk (of unfair outcomes for customers) could be assessed and embedded in every audit within the organisation.
Where the policy refers to non-specific activities e.g. the application of a policy or Code of Conduct which requires all employees to act honestly and fairly, then such an audit would be more complex. For example, the board may be interested in understanding the 'ethical values' or 'ethical culture' currently in operation within the organisation. Such audits could relate to the culture or 'unwritten rules' that may prevail. The approach for such audits may involve:
- Agreeing the purpose of the review e.g. to understand the perceived 'gap' or maturity of the organisation's 'culture', assess the exposure of the organisation to regulatory or reputation risks etc.
- Discussing and agreeing the set of ethical values or behaviours to be assessed.
- Determining a set of outcomes or indicators that demonstrate or confirm a particular behaviour/value.
- Conducting interviews, surveys and workshops across a section of the organisation.
- Review of incidents and events that help inform the outcomes or indicators.
Such audits must have buy-in from key sponsors and be carefully planned to avoid it being unwieldy or unfocused. The audit report must also be well presented with clear and informed opinions.
Head of internal audit - UK central government
This is such an exciting area to audit as there are so many topical risks involved. The question of ethics has risen in profile and priority since the MP expenses scandal and with the publicity around the new Bribery Act I believe that the public sector is now more alert to the associated risks. Traditionally this is probably a subject that was avoided – as it may have been considered a bit nebulous or too challenging - but it is now hitting many public sector internal audit plans.
Ethics can be audited as a subject in its own right – there are central standards and local departmental policies to compare against actual performance. Alternatively a review of ethics can form part of a more general corporate governance or corporate social responsibility review. At a more operational level, reviews of hospitality or expenses can be structured to include an ethical focus that goes beyond mere compliance with procedures.
Whilst it may be a potentially hard audit to initially ‘sell’, I believe that the provision of professional and independent assurance over business ethics and the associated risks will be well received by a mature board. If effectively delivered an audit of this nature can have considerable impact at a senior level and may perhaps encourage board members to see the internal audit service in a different light. Reviewing this subject may take internal audit a little out of its comfort zone, but that is no reason to avoid this increasingly important risk area!
Head of internal audit - financial services
Business ethics are more than just publishing a few policies on an intranet; it is a code set and adhered to by the Board of Directors on behalf of the shareholders. Internal audit’s role is to help the company understand and abide by the tone set at the top. We need to make sure that the company lives those ethics.
The Bribery Act has helped raise awareness of business ethics and we conduct a regular review of ethical risks in all areas of the business, from customers to suppliers, not just to comply but to exceed the legislation. While I personally do not want to get into the compliance of legislation arena too deeply, the process did open internal audit’s eyes in that there was simply insufficient knowledge of the issues in the business.
We simply decided to talk to managers about ethical risks. The most refreshing aspect for me as I discussed the risks of bribery in our processes was that senior management knew in detail, where bribery, fraud and any other types of risk could damage our reputation with our shareholders and customers. They didn't need a Bribery Act to tell them. However, it was a pleasure to be involved in the education process and left me very proud that my business was "good to the core"!
What was needed though was a bringing together of the policies to stop the areas of overlap, e.g. Anti-money laundering; Anti-Fraud and Anti-Bribery all needed a whistle blowing process, so it made sense to make it easy to see one policy that incorporated ethics and legislative requirements under one umbrella.
So how would you audit Business Ethics? As I said at the beginning, it is more than the policy. I would see how the business reports the associated risk, see what they do with those risks and open discussions with my business contacts to talk about them. Think about the ethics when you perform each review to build up a picture. Yes, you can look at the high risk areas and see how those progress but it isn't possible to tick an ethos. So look, listen, discuss and review areas where you feel that ethics may not be sound.