Conducting a meaningful ethics audit

Look beyond the ethics policy in an ethical audit

Most auditors start an ethics audit by reviewing the organization's ethics policy and confirming that new hires have all signed off on it. While confirming the existence of such a policy is a good first step, the policy has little to do with an organization's daily actions and decisions. The example companies mentioned earlier had good ethics policies in place and likely required all employees to sign the policy in acknowledgment. A better first step in an ethics audit would be to survey the employees about areas that point to a weakening ethical culture, paying special attention to factors that point to a tone at the top that prioritizes profits at all costs. For example, the factors of pressure, opportunity, and rationalization can lead an employee to fraudulent behavior. In the survey, consider directly asking if the employee feels pressure to act in a way that compromises their ethical standing. 

Here are some other potential questions you might use in an ethics audit survey:

• Are you aware of the ethics misconduct reporting hotline/website?
• If you were aware of misconduct, would you be willing to report the behavior anonymously?
• Have you observed any misconduct in the last 12 months?
• Have you avoided reporting any misconduct due to fear of retaliation?
• Do you feel pressure to achieve company goals no matter the cost?
• Have you felt pressure to act in a way that made you uncomfortable about achieving a goal?
• Has this pressure come from your manager, coworkers, vendors, or senior leadership, or is it a general feeling throughout the organization?
• Do you feel like those who act unethically are held accountable or rewarded for getting the job done?
• Do you believe the organization holds everyone accountable to the same ethical standard?
• Do you believe your manager would support your decision to act ethically, even if it means missing a goal?
• Do you believe your coworkers act ethically?
• Do you believe senior leadership acts ethically in all decisions?
• Do you think senior leaders say you should act ethically, but they really want you to do whatever it takes to get the job done?

Each of the questions above will help you gauge the current ethical culture of the organization. To make the best use of a survey like this one, the audit team should consider gathering this information in a way that allows them to get a sense of the organization as a whole, but also to narrow the responses down to an area within the organization, like the finance team or human resources team, while still maintaining anonymity for the responders. 

Test for fraud red flags in ethics audit

The next step in conducting a meaningful ethics audit can include tests that indicate the potential for fraud. Fraud red flags can indicate a weak internal controls environment and highlight the potential for unethical practices. We can group the most common fraud red flag testing into two types: control testing and transactional testing. Auditors are familiar with testing controls and transactions in financial, technical, and operational audits, but the concepts apply equally in an ethical audit.

Control testing

Controls must be properly designed to be effective. In an ethical audit, control design focuses on whether the controls apply to all cases or if the controls are created with intentional overrides and loopholes. The audit team can test for areas where controls are designed with a way for management to override or bypass them and for times when controls are ignored completely. For example, purchasing is an area where unethical acts can occur. In a control design review, auditors should look for controls around gathering bids, making selections, conducting IT security assessments, and negotiating contracts. If the policies allow for deviation from the policy, the team should consider these as a possible way to override the control. Consider this example. A purchasing control states, “All software purchases over $250,000 require the purchasing team to issue a request for proposals (RFPs). At least three RFPs should be considered. The RFP process is not required if the team believes only one provider can meet their needs.”

Testing the control with an ethical audit perspective shows the control is designed with several loopholes:

• The materiality threshold is high, as many purchases will be below $250,000.
• The dollar amount does not consider whether this is a one-time purchase or the total contractual agreement from a recurring charge tied to a subscription.
• The amount does not specify if this includes only the software or if services are included.
• The control provides an override for skipping the RFP if the team thinks only one vendor meets their needs without requiring any due diligence.

The control is poorly designed, as it allows the organization to choose vendors without considering alternatives. Unethical managers could award contracts to friends disguised as the only choice available. They could also commit the organization to contracts well above the intended material threshold and still meet the criteria design of the control as written.

The next step in testing the control, the team could then gather an inventory of critical applications currently in use and tie these back to contracts. As a test procedure, they can test the following attributes:

• What was the total cost for the software, including all services and consulting, for the first year and the total cost of the contract?
• How many of these purchased systems have a total cost within the contract period above the threshold?
• Were any systems purchased without an RFP? What was the rationale?
• Is due diligence required by an independent team when claiming the sole source exemption?
• Are purchases that bypass the intent of the control coming from the same department or individuals?

These types of exceptions can point to a culture willing to make unethical choices. Controls like this one are designed to allow people to intentionally bypass the point of the control. Often, the reason given for controls like this is to allow the organization some flexibility, to make decisions quickly, and to allow managers to get business done. In reality, this allows for bad practices and sends the message that the organization will allow managers to bend the rules if it serves their needs.

Transactional testing

In an ethical audit, we can test for fraud red flags to indicate that unethical practices may be present. Common fraud red flags also appear in transactional testing, and this level of detailed testing can expose larger issues. Audit teams can quickly test large data populations using data analytics to look for red flags. However, the existence of a red flag is only an indicator of the potential for fraud.

Using the purchasing example, we could test for payments made to software companies. Certain payments made for software can be classified as either an operating expense or a capital expense, depending on the nature of the software and expense type. Suppose we notice that all software expenses are capitalized. In that case, this is a red flag since many software providers offer software as a service (SaaS), and SaaS subscription payments are an operating expense. Some companies attempt to capitalize all software expenses to inflate assets and overstate profitability.

Performing a meaningful ethics audit

With so much focus on financial and compliance audits, ethical audits may slip to a lower priority. Still, an ethics audit can highlight culture and tone at the top issues that impact the team's other audit work. With the steps outlined above, your team can perform a stand-alone ethical audit or add ethical audit test procedures to other audits and produce more meaningful results. Ethical survey results can gauge the organization's culture and help target areas that may already experience an eroded ethical culture. Using surveys and analyzing the results, can prepare the audit team for possible resistance if there was an indicator of an unethical tone at the top. If you add survey questions to other audits, this approach should be consistent and done as a first step to allow time to gather and review results.

Control testing may uncover red flags that warrant additional investigation. If the controls are poorly designed or allow overrides and loopholes, the team can look for patterns in those who take advantage of the weakness. Likewise, transactional testing can point to ineffective controls and potential red flags that require further investigation. Many auditors are probably including control testing already, so an ethics evaluation of the control design and testing for fraud red flags can be included as an expanded procedure in existing audits.

A culture that prioritizes ethical behavior starts at the top and influences the actions of everyone in the organization. Internal auditors must understand the organization's culture through ethical auditing and call out instances when that culture drifts away from ethical practices.