Auditing the Unauditable: Ethics and Culture

Author: Sumedha Adavade, CISA
Date Published: 28 June 2023

The scope of an audit generally encompasses a certain set of functions and parameters. However, there are many intangible aspects of an enterprise that also require periodic review to ensure that they are in good shape. Two of the most important are ethics and organizational culture.

Ethics are an important aspect of every enterprise. Ethics are embodied in the behavior and work habits of employees at all levels, but there is no definitive way to measure them. Many enterprises create and implement an ethics program to set, achieve and monitor compliance with organizational goals. However, goals can differ within the enterprise, within large departments and even within teams in the same department.

Organizational culture is formed over time, based on the ethics of an enterprise. The influence of culture is recognized by regulators as well. For example, public enterprises have to consider work culture when assessing and reporting internal controls in compliance with the US Foreign Corrupt Practices Act.1 In a survey on the importance of work culture, 92 percent of senior executives responded that a strong work culture increases enterprise value.2 But, because culture is never one-size-fits-all, there is no baseline against which culture can be assessed.

Not assessing certain basic, expected fair behaviors and culture of staff can encourage unjust practices and unethical or unprofessional acts, causing extensive damage to the organization. Internal audit functions can play a role in evaluating several factors that are indicative of the presence and proper implementation of good organizational policies related to work ethics and culture.

The Tone at the Top

The US Sarbanes-Oxley Act of 2002 popularized the phrase “the tone at the top,” which means that employees take their cues from the leadership team.3 Commitment from the board of directors (BoD) and senior management is required for an enterprise to function honestly and ethically. This expectation then flows to middle management and beyond, permeating the enterprise and creating a workplace culture. However, this is easier said than done. Basic values such as honesty and integrity are learned in childhood from one’s parents and other role models. Adults learn to implement these values in their professional lives from their mentors and leaders in the workplace. Hence, it is important for top management to clearly communicate what behavior is acceptable and to lead by example. The latest code of conduct endorsed by the chief executive officer (CEO) can be distributed to employees, but that does not ensure that they will read and understand it.

To assess the tone at the top, the internal auditing function should:

  • Engage staff members to discuss whether their direct manager has supported and stood by their team at all times, good and bad. Ask about incidents of retaliation and escalation. Ask employees about the attrition rate in the enterprise.
  • Discuss the staff’s pain points and ask how their leaders can better support them.
  • Inquire about the number and type of breaches of the enterprise’s policies or code of conduct. Were those violations followed by rationalizations such as “I had no choice” or “That is a stupid rule anyway”?
  • If the leader is held accountable for the team’s wrongdoings, determine whether they have sufficient tools to encourage team members’ best efforts. Does the leader have the power to hire the right people, define policies and shape culture by establishing good work practices?

Tools that can be used to make these determinations include employee satisfaction surveys, attrition data, employee feedback and data on BoD initiatives for staff welfare.

Good Habits and a Proactive Culture

A good workplace culture can be enhanced by encouraging good habits that are ethically sound and by keeping employees organized and disciplined while also empowering them. A proactive culture also deters unethical behavior by imposing standards of acceptable behavior and monitoring actual behavior against those standards. Being proactive means ensuring that resources work in the expected fashion, while being prepared for unexpected circumstances.4 Good habits are those that encourage the proper use of time and available resources. Such habits can be put into practice when leaders are open to new ideas and willing to implement those that help the team work safely and smoothly.

The internal auditing function can assess the proactive nature of the workplace culture by answering questions such as:

  • How frequently does the leader engage in brainstorming exercises with the team to come up with new ideas that add value to routine work?
  • How many of those ideas have been implemented? Which ones? Are the owners of the ideas rewarded?
  • How has the team fared in terms of meeting performance goals in the past? A team with a proactive culture should consistently achieve key performance targets on time.

Tools that can be used to make these determinations include team data on new initiatives implemented, incidents of mismanagement of routine work and attainment of key performance indicators.

Reactive Habits

Reactive habits are just as important as proactive ones, especially in the event of a crisis. A well-defined response mechanism can help stakeholders make the right decisions at the right time to curtail damage to the enterprise’s finances, operations, reputation and customers. Generally, such mechanisms are documented in various policies and procedures. When responding to any adverse event, it is important to maintain integrity, follow established policies and procedures, learn from the situation, modify policies and procedures accordingly, and implement changes.

This parameter is fairly easy to assess, as there are many potential data points. Internal auditors should ask:

  • What does the team’s working environment look like? How are different reactions to the same situation handled and treated?
  • How frequently does the team reach consensus on how to deal with a situation? Does the chosen mechanism comply with the enterprise’s policies, or are workarounds implemented to circumvent them?

Tools that can be used to evaluate reactive habits include incident response resolution data, resolution time, response to information security breaches and handling of customer complaints.

Parity

Equality is one of the pillars of a strong workplace culture. All organizational policies should apply equally to staff at all levels, and noncompliance should be dealt with accordingly. Unfortunately, senior managers are sometimes lax in the event of noncompliance. Employees look up to their leaders and are likely to mimic their behavior. Thus, noncompliance with policy may be perceived as normal and replicated. This is how ethics are eroded over time. Therefore, unbiased application of organizational policies is of the utmost importance. It is also important that employees at all levels feel respected. If they do, they are more likely to act responsibly and with integrity.

Assessing parity is difficult, but there are several questions that can help auditors make accurate determinations, including:

  • How are fraud investigations (especially internal fraud) carried out? How well and how far do top managers support such investigations? Are proper disciplinary actions taken against offenders?
  • Have any members of senior management been found at fault? If so, what actions were taken against them?

Tools that can be used include fraud investigation reports, minutes of meetings, interviews with relevant staff and attrition rates at the senior management level. (High attrition could be a sign that something is wrong.)

Employee Appraisal and Feedback

An ethical workplace is one with a positive atmosphere. Patterns of ethical behavior lead to good work habits that become part of the organizational culture. These ethical behaviors should make employees feel empowered to conduct their daily activities, not burdened. Employees should feel valued, and their opinions should matter at all levels.

When ethics are treated as a valued asset in an enterprise, employees take pride in maintaining them.

When assessing this factor, the internal audit function should consider:

  • What is the enterprise’s employee appraisal process? Do employees have a say in the process? Are they given timely, constructive feedback from managers to encourage continual improvement? Does the process include an evaluation of intangible factors, such as whether the employee has maintained good work relationships or contributed innovative ideas?
  • Are there any “speak up” hotlines that allow employees to express their concerns without fear (preferably to an independent third party)?
  • What initiatives are taken to ensure a diverse workplace?
  • During interviews, are candidates given some specific scenarios in which ethics can be challenged and their answers recorded?

Tools that can be used include reports from hotlines, staff appraisals at multiple levels, reports from feedback systems and recognition modules (i.e., an online portal that lets employees thank their colleagues for their work; sometimes these thank-you messages generate points that can be accumulated over time and redeemed for gifts).

Risk Culture

Risk culture is the output of ethics and culture adopted by an enterprise while using the resources at hand to perform any task that can affect the enterprise in any way in the present or future. Enterprises with a strong risk culture consider what could go wrong and what might be the impact. This deters unacceptable behavior because employees know that bad acts will not go unnoticed and may be subject to punishment. At all functions and levels, risk factors are identified and analyzed, assessed and acted on, and monitored and mitigated. In this type of enterprise, a positive workplace culture is achieved with no special effort.

There are various indicators to assess risk culture, for example:

  • Check how different teams have responded to various incidents and crisis scenarios.
  • Check risk factors identified by the first line of defense. What controls have been implemented to address those risk factors?
  • Check the cases handled by the disciplinary committee and the actions taken.

Tools that can be used to assess risk culture include reports of risk assessments (specifically, people-related risk) and minutes of various risk committees (e.g., board level, operational, risk culture and conduct) and the disciplinary committee.

Culture Influencers

In addition to the discussed tools, culture influencers within an enterprise can be very helpful in assessing ethics and culture. Culture influencers can be from any department, but they typically have good relationships with individuals inside and outside their departments. For example, an operational risk person may touch base with all the departments in an organization due to various operational risk activities that are generally applicable. Hence, they may be aware of enterprise policies and procedures and their practical implementation at various levels. Any employee who maintains good working relationships with departments outside of their work area can be a culture influencer. To be on the safe side, auditors can cross-check the authenticity of information gathered from culture influencers.

Conclusion

Every enterprise has a unique culture. It defines the enterprise in terms of factors such as service quality, customer support, safety, integrity and reputation.

A strong workplace culture can manifest as little or no fraud, high-quality customer service, positive reviews and recognition in workplace surveys. When assessing a culture, it is important to know who owns it. Although the board may ultimately be responsible, managers are responsible for all actions through which culture is defined. Internal audit plays a vital role in providing reasonable assurance to management by making it aware of the strengths and weaknesses of the organizational culture so that management can foster the former and remedy the latter.

Endnotes

1 Anti-Fraud Collaboration, Assessing Corporate Culture: A Proactive Approach to Deter Misconduct, USA, March 2020, http://caqantifraprod.wpenginepowered.com/wp-content/uploads/2021/06/afc_assessing_corporate_culture_a_proactive_approach_to_deter_misconduct.pdf
2 Ibid.
3 McDonald, C.; “Does the Right Tone at the Top Guarantee Success?” Canadian Business, 19 April 2013, http://archive.canadianbusiness.com/blogs-and-comment/does-the-right-tone-at-the-top-guarantee-success/
4 Scivicque, C.; “What Does It Really Mean to Be Proactive at Work?” Eat Your Career, 26 August 2019, http://eatyourcareer.com/2019/08/what-does-it-really-mean-to-be-proactive-at-work/#:~:text=Being%20proactive%20at%20work%20means,preparing%20for%20what%20lies%20ahead.

SUMEDHA ADAVADE | CISA

Is assistant vice president of IT governance at First Abu Dhabi Bank. She has 15 years of experience providing risk-mitigating solutions and assurance to banks and other financial institutions in the areas of risk and compliance, audit, and information security.