Explain ethics auditing and explain the different steps in the ethics auditing process

Ethics Auditing
An ethical culture is the foundation of effective internal controls. Every auditor knows that
internal controls are best practice and necessary to ensure compliance with applicable laws and
regulations and to ensure that there is a system of checks and balances to detect inappropriate
transactions. Yet, without a culture of ethics and compliance, people will find ways to
circumvent internal controls, policies, and procedures.
While there is no set ethics audit definition, an ethics audit can include reviewing the code of
ethics, reviewing past incidents and the response by the individual and the organization, and
interviewing employees to understand their perspective on the organization’s ethics. Some
choose to utilize different ethics audit types. The ethics audit types vary from assessing
individual employee awareness to understanding the overall ethical culture. In the end, ethics
auditing is similar to any other audit. We approach the audit by defining an organizational
objective, risks, and controls. The objective is to build a strong ethical culture and the risks
include lack of awareness, weak incident reporting, and poor commitment from management.
When considering the repercussions of a weak ethical culture, why ethics is important in
auditing.
Step 1. Company Values
An organization should have clearly stated values to establish its culture of ethics and
compliance. Values that shape a company’s ethical culture through daily work practice could
include: integrity, respect, diversity, safety, conscientiousness, creativity, and more. For instance,
safety is our company’s number one value — it might not seem an obvious choice, but our
people work in nuclear plants, manufacturing, and construction worksites that may contain
dangerous hazards. Thus, we’ve made safety a top value that is fundamental to our ethics
programs and prioritized in our peoples’ everyday work practices.

Step 2. Code of Ethics and Code of Conduct

The values chosen in Step 1 should be incorporated into the organization’s code of ethics — our
guidelines about behavior and principles to govern decision-making — and the code of conduct,
which applies the code of ethics to a range of situations and actions. Both documents should also
include high-level guidelines regarding ethics and compliance risk areas. For the code of conduct
to be effective at guiding everyday work practices, it should give direction to employees on
applying the code of ethics to specific issues that are important to the company. For example, if
an employee is working in a foreign country, the code of conduct should provide guidance on
complying with the Foreign Corrupt Practices Act rules regarding gifts, gratuities, and
entertainment.
Step 3. Risk Assessment
Once your company has a code of ethics that employees understand and believe in, the next step
is to understand compliance risks as well as risks in the code of conduct guidelines that you
provided. To accomplish this, perform a risk assessment to ascertain whether your company is
focusing on current business risks as a result of changes in organizations, business practices, and
laws and regulations. When preparing each business unit risk assessment for compliance with
applicable laws and regulations, be sure to include issues that stem from the code of conduct
guidelines such as anti-kickback, anti-bribery, protection of company assets, or harassment
issues.
Step 4. Ethics and Business Conduct Policies
An effective ethics and compliance program should include policies and procedures addressing
the particular risks facing a company. For example, policies and procedures relevant to
international trade should address risks related to import and export controls, anti-boycott
measures, and money laundering, among others.
An ethics and business conduct policies audit will assess whether employees are aware of,
understand, and are following these policies. Internal audit should examine the list of policies to
see if high risk areas from the risk assessment and the code of conduct are addressed. For current
policies, conduct employee interviews to assess awareness of relevant policies. Ask employees
how well they understand their responsibilities in connection with ethics and business conduct
policies, naming each policy individually.

Step 5. Awareness Training Audit

It is not sufficient for a company simply to have policies in place — there must be a program that
trains employees to be aware of relevant ethics and compliance issues. When developing or
evaluating a training program, you will want to consider: How is this training delivered to
employees? Is it an online program or live sessions? Is the delivery method adequate to reach all
employees who must take the ethics and compliance courses?
Step 6. Inquiry and Reporting Mechanisms
It’s important that your ethics and compliance program includes a process for employees,
suppliers, customers and others who do business with your company to ask questions or report
concerns about ethics or violations of laws, regulations, and company policies.
Step 7. Communication Program
Develop a communication plan to increase ethics awareness and remind employees that ethics
and compliance are important to the company. The most effective communication programs
should engage all audiences with specific messages about ethics using a variety of media.
Step 8. Ethics and Compliance Program Assessment and Evaluation
At all points in the process of implementing an ethics and compliance culture, it is important to
maintain continuous program evaluation. There should be regular internal and external audits of
your ethics program, and an assessment of how often internal controls are tested. Conduct
employee surveys and focus groups to assess employee impressions of the ethics and compliance
culture. A constant vigilance and program evaluation is necessary to maintain a strong culture of
ethics.
Step 9. Leadership Commitment
To achieve and maintain an ethical company culture, there must be strong commitment from the
top to create the perception that ethics and compliance is important to the company. Leadership
commitment may be the final step in this list, but it is fundamental throughout the previous eight
steps that management take responsibility for demonstrating through their actions the importance
of ethics and compliance. There are many ways that organizational structure and activities can
demonstrate leadership commitment:
The leader of the Ethics organization can report directly to the Board of Directors or Chief
Executive Officer. An Ethics and Compliance Committee with a senior executive as Committee
Chairman can provide leadership and oversight to the ethics program and review the status of
ethics program-related activities. The committee itself might consist of senior leaders from
Legal, Human Resources, Internal Audit, Operations, Communications, Security, IT and other
departments.