AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Providing ethical assurance to boards

Some organisations may not regard ethical assurance as a priority. But opportunities can be created when investors, customers and suppliers are attracted to doing business with organisations they trust. 

What is ethical assurance?
What are the benefits of ethical assurance?
First steps
Recognising and coordinating assurance providers
Gathering and assessing evidence

What is ethical assurance?

The Institute of Business Ethics defines ethical assurance as:

"The application of ethical values to business behaviour. Business ethics is relevant both to the conduct of individuals and to the conduct of the organisation as a whole. It applies to any and all aspects of business conduct, from boardroom strategies and how companies treat their employees and suppliers to sales techniques and accounting practices.

Ethics goes beyond the legal requirements for a company and is, therefore, about discretionary decisions and behaviour guided by values."

Ethical assurance looks at whether the discretionary decisions and behaviour in the organisation align with ethical values and commitments. 

What are the benefits of ethical assurance?

During a time of austerity, some organisations may not regard ethical assurance as a priority. However, opportunities can be created when investors, customers and suppliers are attracted to doing business with organisations they trust.

Consequently they want to know what the organisation stands for - its values, intentions and commitments.

They want to know that the organisation can be trusted to do the right things. In this era of social media and consumer power, now more than ever organisations must avoid hitting the headlines for the wrong reasons.  Recent high profile ethical scandals include:

  • bribery and corruption cases;
  • instances of mis-treatment of labour in the supply chain (and use of child labour); and,
  • financial scandals including: LIBOR/tax evasion / executive pay and bonuses.

As a consequence, boards are interested in understanding and managing their reputational risks and want to know that management is responding to these risks.

But it’s not just about management of reputational risk. New business opportunities can be created when customers and suppliers are attracted to doing business with companies that respect the interest of others and can even lead to a competitive advantage. A strong ethical culture makes sound business sense. 

Relationships of trust can be enhanced when investors are confident that the board is monitoring compliance with its ethical policies.

Ethical assurance helps boards quantify adherence to stated ethical standards and objectives. It helps boards monitor whether objectives for long term value and sustainability are being achieved. Boards need assurance that their message is understood in the business and is driving appropriate behaviours.

Ethical assurance therefore has a critical role to play in strengthening an ethical culture by providing reassurance that the business is adopting the ethical policies and behaviours laid out by the board, or identifying weaknesses to be addressed. 

First steps 

The organisation must have a clear idea of what ethics means in the environment in which it operates. This includes a defined set of ethical values with policies that are communicated and well understood by the people in the organisation.

Board members and senior executives also need to have thought about ethical risks and their impact and have a good idea of the assurance they want. A programme of awareness and training around these aspects that talks about the importance of assurance would therefore be helpful.

The Institute of Business Ethics identified the following as being pre-cursors of assurance in an effective programme to build ethical culture:

  • The articulation of a set of values;
  • An ethics programme containing, as a minimum, training and communication;
  • A mechanism to support high ethical standards (such as for raising concerns and reporting misconduct).

Some organisations choose to establish a working group or committee to structure and organise ethical assurance and to give ethical issues an additional profile. This creates an opportunity for internal auditors. They can help to establish an effective assurance framework, work with other assurance providers as well as provide assurance.

Questions to address

With all these things in place some basic questions about ethical assurance can be addressed:

  • Who do we want to assure?
  • Why do we want ethical assurance?
  • Are there any internal or external pressures to carry out ethical assurance such as regulatory requirements, disclosure requirements or expectations of good practice?
  • How do we currently monitor ethical performance?
  • Is the timing right?
  • What will it cost?

Sometimes cost is used as an argument to discourage or defer ethical assurance. What is overlooked is that it can be an investment that creates benefits. 


The next stage is to spend further time thinking about what the organisation wants assurance on. This will revolve around the organisation's key ethical risks and their potential impact.

Every organisation will have an individual view upon its assurance needs and there are a wide range of issues to consider. 

The list below groups ethical issues to highlight some, not all, examples of where assurance can be provided.

Investors and shareholders

  • Delivering commitments on governance.
  • Applying covenants and agreements.
  • Accuracy and reliability of communication and reports.

Government and communities

  • Obeying laws and regulations - in different jurisdictions.
  • Protecting the environment and people.
  • Achieving sustainable development.

Employees and contractors

  • Consistent application of HR policies and procedures.
  • Fair treatment in recruitment, remuneration, promotion and training.
  • Effective employee communication and engagement.
  • A safe and healthy working environment.
  • Applying delegations of authority.


  • Delivering on pledges and commitments.
  • Responding to customer feedback and complaints.
  • Security of personal data.
  • Working with customers who uphold our values.
  • Applying anti-bribery procedures.


  • Honest, open and consistent treatment.
  • Effective due diligence.
  • Applying fair payment terms.
  • Responding to feedback and complaints.
  • Applying anti-bribery procedures.


  • Competing fairly; not engaging in anti-competitive practices.
  • Safeguarding our organisation's confidential information and intellectual property in discussions with competitors.

There are a number of questions to consider in scoping ethical assurance:

  • What are we seeking to assure ourselves about?
  • Will the assurance focus on specific or all aspects of our ethical performance and risk?
  • Will the assurance cover all areas of our business activity in all locations?
  • In the 3 lines of defence model who else in the organisation is or might be providing assurance e.g. the compliance function, risk management etc?
  • What criteria will we use to measure performance?
  • Is assurance already provided on some elements, for example, bribery and corruption?
  • What kind of evidence will we need?
  • What form of assurance reporting will be required?

Criteria are the benchmarks used to measure or evaluate the underlying subject matter. Suitable criteria are required for reasonably consistent measurement or evaluation. They need to be relevant, reliable, neutral, understandable and complete. The IBE suggests that organisations begin by assuring their ethical performance against the standards set by their own code of ethics.

Recognising and coordinating assurance providers

Organisations have a number of assurance options to choose from to gather and assess evidence.

In some cases managers may be best placed to provide assurance to the board (audit committee). This refers to the use of ongoing performance management arrangements, for example, self-certification by managers and employees confirming they have seen and are applying the company's code of ethics is a useful tool to provide ethical assurance.

In the UK, a key principle of the UK Corporate Governance Code (B.6) states that 'the board should undertake a formal and rigorous annual evaluation of its own performance and that of its committees and individual directors.'

As part of this review process, board members need to ask themselves how well they lead the company in living up to its values. Thus self-certification at both the board and management level can be used to feed into the ethical assurance review.

Internal audit offers the most independent and objective form of assurance to the board (audit committee). The importance of ethical assurance is emphasised in Performance Standard 2110.A1 relating to governance, which states:

'the internal audit activity must evaluate the design, implementation, and effectiveness of the organisation's ethics-related objectives, programmes, and activities'.

For some organisations, ethical assurance is so important it is a feature of every internal audit engagement, while for others it appears as a single review within the annual internal audit plan.

The organisation may also have managers or management teams who have a specific oversight or assurance role such as compliance managers, health and safety, risk managers etc who provide assurance on specific ethical issues.

Understanding who provides assurances in the form of an assurance map is therefore a good idea as it will identify possible gaps and overlaps in assurance to the board.

As part of this, it is also important to see how well assurance is being co-ordinated, for example by a working group or committee considering the effective use of assurance resources.

This might include reviewing the HR Director's monitoring mechanisms to ensure they are comprehensive and relevant and checking that manager's self-assessment declarations are accurate.

Gathering and assessing evidence

To provide assurance internal auditors need to develop a good understanding of ethical risks in their organisation in order to assess how well issues are being managed. When looking at the management of ethical risks internal audit should ensure there is:

  • Responsibility for managing risks allocated;
  • Clear definition of objectives and criteria for mitigating risks;
  • Full analysis of the impact; and,
  • A monitoring and review process.

Internal auditors may need to go beyond traditional testing when gathering evidence to provide ethical assurance as attitudes and perceptions are relevant when considering the level of commitment to policies and procedures.

Examples include:

  • Surveys and interviews, which may provide useful indicators of behaviour.
  • Trends within health and safety logs.
  • Customer complaints.
  • Staff turnover/absenteeism reports. 
  • Supplier feedback forms can also indicate a changing attitude and culture. 

While evidence may be gathered from data already available and perhaps already reported, the key difference in an audit engagement is bringing it together to add a new or wider perspective of the key issues. 


Providing an assurance opinion is the final stage in the assurance process. There are two ways in which this can be done.

1. Traditional approach

In the first, more traditional approach, the internal auditor or other assurance provider comments on whether and to what extent, the organisation is living up to its values according to the criteria used for evaluation.

The sufficiency of evidence will be used to back up the opinion provided. This report will focus on ethical assurance and using the various criteria will identify issues and make recommendations.

2. Combination approach

The second approach is to offer an overall opinion based on criteria and findings in different audits (eg Health and Safety, Human Resources, Procurement) and then combine all the findings from these audits into a single report at the end of the year.

It can be supplemented with specific cases to indicate changing attitudes which may or may not be indicative of a wider problem. Success stories reflecting right behaviours should also be highlighted as they will provide the right balance.

Overall, in the second approach, the key focus is to use a combination of indicators embedded in other audits together with some key trends and incidents and present it as an annual statement.

Frameworks for narrative reporting

Finally, the need or desire to assure external stakeholders is on the increase and there are a variety of organisations that have developed frameworks or standards to support narrative reporting, including:

Where the organisation chooses to issue an external report, there may be a requirement to ensure the content is accurate and reliable through assurance. This may involve an external assurance provider who may look at the reliability of internal assurances as a starting point.

Further reading


2110. A1 Governance

Practice advisories

2050-1 Coordination
2050-2 Assurance maps
2050-3 Relying on the work of other assurance providers


Coordination of assurance services

External resources

The Institute of Business Ethics offers a wide range of information, case studies, research and training courses.

The Good Corporation carries out independent assessments of responsible business management. Their web-site includes standards and case studies.

The Global Reporting Initiative develops and disseminates globally applicable sustainability reporting guidelines for voluntary use by organisations.

Through their standards Account Ability offers research, and strategic advisory services to help organisations become more accountable, responsible, and sustainable.

Content reviewed: 1 February 2023