How to Conduct an Ethics Audit
When it comes to corporate ethics, bad news is good news. According to the Ethics Resource Center’s 2009 National Business Ethics Survey, on-the-job misconduct is down, whistle-blowing is up, and ethical organizational cultures are stronger. Despite these trends, there may be no better time for human resource managers to conduct or participate in ethics-related audits.
Setting the Tone
Several legal developments in recent years have placed newfound focus on how companies behave. An example is the Sarbanes-Oxley Act, with its emphasis on "tone at the top" and its requirement that publicly traded companies disclose whether they have a code of ethics to deter wrongdoing. The Federal Acquisition Regulation and the Federal Sentencing Guidelines also have a significant impact on organizations’ ethics policies and practices by requiring or providing incentives to encourage businesses of all kinds and sizes to adopt codes of conduct, train their employees on these codes, and create effective audit and reporting mechanisms.
HR professionals play a crucial role in shaping corporate ethical codes, policies and procedures and then communicating and teaching that information to the workforce. In many companies, the top HR manager either serves as the de facto chief ethics and compliance officer or works with the person in that role to manage ethics and compliance programs. Apart from the chief executive officer, there may be no more important ethical role model in the organization than an HR manager.
"Employees watch HR like hawks, and they should," says Phillip Daniels, SPHR, HR manager for Montgomery College in Rockville, Md. "If HR managers mess up, how can we expect employees to adhere to the ethical standards that we’re promoting? As HR managers, we essentially need to serve as the poster children for ethical behavior."
HR managers who thrive as ethical role models almost always play central roles in conducting ethics-related audits, notes Marjorie Doyle, principal of ethics consulting firm Marjorie Doyle & Associates in Landenberg, Pa., and a member of the Advisory Board of Directors for the Society of Corporate Compliance and Ethics. As a former chief corporate ethics and compliance officer, "I spent a lot of time with HR," she says.
HR managers are "trying to get people to do the right thing. They also tend to manage the annual performance review process and operate the communications network within the company, both of which are crucial to ethics audits," Doyle says. "They have a feel for whether certain behaviors are as ethical as they need to be."
Daniels agrees. "As an HR manager, you have to be out there listening and identifying potential problems," he says. "Not every unethical behavior or practice exerts a direct financial impact, but we should be looking for those issues because doing so can help improve the organization."
Six Steps to Highly Effective Ethics Audits
These tips can help companies conduct effective ethics audits:
Start with a detailed foundation. An ethics audit is a comparison between actual employee behavior and the guidance for employee behavior provided in policies and procedures. The more descriptive and specific ethics-related policies and procedures are, the easier it is to make these comparisons.
Develop metrics. Ethics audits may not be as black-and-white as financial or operational audits, but they run more smoothly when tangible ethics measures are in place. Consider adding ethics goals to annual performance reviews and, where possible, tying compensation to ethical behavior.
Create a cross-functional team. Include an HR professional familiar with people in the business unit being audited. Most ethics audit teams include an ethics and compliance manager where possible as well as an internal auditor and legal managers.
Audit efficiently. Audits frequently disrupt normal operations in business areas subjected to review. Before scheduling an audit, find out if internal auditors or the finance team may be conducting reviews of the same area. If so, combine these efforts to limit disruptions. Once the audit has been scheduled, create a plan that spells out employees to be interviewed, information that requires review and any processes that require observation.
Look for other issues. Keep an eye out for other improvement opportunities, and share those with relevant colleagues. For example, ethics issues in a sales area may have revenue-recognition implications from a financial reporting perspective.
Respond consistently and communicate. Discipline ethics violations in complete accord with policies and procedures and the code of conduct every time. Also, use ethics issues, when possible, as grist for "lessons learned" in ethics-related communications and training.
Laying the Groundwork
Ethics audits ensure that behaviors an organization espouses in its code of conduct and policies and procedures exist in practice and that behavior forbidden in these documents does not occur.
The risk of neglecting ethics audits can be severe. After its ethics-related implosion, Enron became well-known for the fact that the framed values statements in conference rooms were at odds with employees’ behavior on trading floors. And, more-immediate problems potentially exist for companies that do not conduct ethics audits: "Employees’ faith in the organization can deteriorate," says Art Crane, SPHR, president of HR advisory firm Capstone Services in Sherman, Conn. "Morale can decline. A company sets a dangerous precedent by letting something that violates its ethics policy slide."
The danger can spread to other stakeholders, including customers, suppliers and community members. "If word gets out that you are not an ethical organization, you run the risk of losing business," Crane notes.
Conducting an ethics audit requires a team effort as well as a clear definition of ethical behavior. While many larger companies staff a chief ethics and compliance officer position, that individual is not solely responsible for each employee’s behavior.
For this reason, Conway, Ark.-based Nabholz Construction Co. has an ethics committee consisting of top legal, finance, HR and operational executives. "We want to have diverse skills on the committee and to make sure all of our geographies are represented," says Andrea Woods, SPHR, vice president and corporate counsel for the private company with about 850 employees.
Nabholz Construction’s ethics committee takes responsibility for monitoring and investigating ethics hotline calls and e-mails. The hotline system is managed by a third-party provider, an arrangement that Woods says strengthens objectivity and independence. The committee conducts ethics audits as part of an annual internal audit process. In addition, a divisional controller, an HR employee and Woods conduct spot ethics audits on the recommendation of the committee.
The frequency Woods describes—annual audits on all ethics-related areas and spot ethics audits on an as-needed basis in response to risk assessments—jibes with what ethics consultants recommend. Depending on company size and auditing resources, Crane notes, some companies may audit their entire ethics programs only once every two years. However, the occurrence of a major organizational realignment may necessitate more frequent ethics audits in its wake.
Whether or not corporate leaders seek outside help on ethics audits depends on the nature and magnitude of the issues. "If the issue involves something very important to the company, it helps to get an outside perspective and the impartial judgment that a third party provides," Crane says. "If the company conducts the audit internally and outside stakeholders are paying close attention to the issue, it can be more difficult to say, ‘Yes, we audited our ethics internally and everything is just fine.’ That may be received as a matter of the fox guarding the henhouse."
Making It Tangible
Regardless of whether ethics audits are woven into internal audit processes, performed internally in response to changing risk profiles or conducted by an external auditor, the question is "What are you auditing against?" says Mark Snyderman, senior knowledge leader at LRN, a company that helps businesses develop ethical corporate cultures.
The answer requires a distinction between two disciplines frequently lumped together in corporate America: ethics and compliance.
Ethics refers to the amorphous area of behavior. Compliance refers to adherence to legal regulations. A company may be fully compliant yet still engage in unethical practices. While that may seem like a clear distinction on paper, it becomes muddled in a global business environment.
"There are many countries around the world that don’t have antitrust laws," says Snyderman, who previously served as chief ethics and compliance officer and assistant general counsel for Coca-Cola. "A company could in theory engage in price fixing in those countries. From an ethical standpoint, however, I would recommend that every company take the position, ‘We are not going to do that.’ "
Compliance audits compare internal behaviors to external regulations. Ethics audits compare internal behaviors to internal guidelines on behavior—guidelines that exist in corporate codes of conduct and ethics-related policies and procedures. Of course, some compliance problems may stem from ethical lapses; others may arise from process or operational bugs. That’s why many business leaders conduct ethical audits in tandem with financial or operational audits.
"Your code of conduct—some companies call it a code of ethics—represents your central document," Snyderman says. "This document should be generated from the company’s values."
The code should be translated into specific guidance within policies and procedures. "You don’t need to start out with the 10 commandments and 500 related rules, but you do need to have something specific to audit against," Doyle says. For example, what does an ethical violation related to bribery or conflict of interest look like? "Be very descriptive in your policies and procedures about what these things mean," she recommends. Also, have managers and employees establish performance goals related to ethics and compliance so employees can be evaluated against those objectives.
Doyle says greater specificity in ethics-related policies and procedures paves the way for ethics-related performance objectives and metrics. These metrics help enable more-tangible ethics audits. "One of the most difficult challenges is making this highfalutin-sounding concept of ethics actually become very granular," she adds.
Filling the HR Role
An ethics audit resembles a financial or operational audit. It involves interviews with employees and managers, reviews of records and other information, and, sometimes, observations of processes and practices.
The most common ethics audits, Snyderman and Crane report, examine conflicts of interest, access to company information, bidding and award practices, giving and receiving gifts, and employee discrimination issues.
Snyderman describes the actual audits as time-consuming and based on checklists. They involve a team that typically consists of an HR professional, an internal auditor, legal managers, and an ethics and compliance manager. The team visits an area of the organization to conduct research in response to a specific incident or as part of an ongoing auditing cycle.
The primary mission is to compare ethics guidelines with actual behaviors, but team members also look for other issues that may need to be addressed through communications, training or subsequent audits.
The team clearly identifies who will be interviewed and what information and observations are required. "Generally, the HR person on the team knows people in the department and will introduce the team," Doyle says.
HR professionals also play a pivotal role in responding to ethical or legal issues or violations that the audit identifies, whether the response takes the form of disciplining an employee, conveying educational material about the topic to a larger audience or integrating the topic into training. If the ethics audit concerns employment issues, HR typically takes a lead role in conducting the audit, Snyderman reports.
During her previous work as a chief ethics and compliance officer for DuPont and VetcoGray, Doyle says, HR managers were her "main partners," ones she worked with to incorporate ethics-related measures into annual performance reviews. At VetcoGray, now a General Electric oil and gas business, for example, she teamed with HR managers to tie 20 percent of employees’ base salaries and 20 percent of bonus compensation to specific ethics performance measures.
"If there is an ethics and compliance officer in the company and they have not contacted the HR manager, the HR manager should knock on that person’s door, sit down and talk about how your jobs are very much intertwined," Doyle advises.
The author is a freelance writer based in Austin, Texas.