Several months ago, I was a part of a brainstorming session with some of my local colleagues that were assisting me with identifying good topics for the 2007 ALGA conference. I wanted to get a feel for what areas of internal audit interested them the most. So, I specifically asked each colleague to share with me the topics that they felt would be of greatest benefit to their organization.

Fraud was a common topic among them. I was excited to present my findings to the ALGA Conference Planning Committee, only to learn that the fraud session was being challenged by an ethics session at the conference. “Well,” I began to think “why?” Are Memphians just overly concerned about fraud occurring in their organizations? Haven’t government auditors been viewed as the watchdogs against fraud? Don’t the government auditing standards state that auditors should conduct a performance audit to provide reasonable assurance that they will detect illegal acts or fraud related to the audit objective? So the obvious question to me was “why would fraud and ethics be such pressing issues for auditors?”

According to the 2006 Association of Certified Fraud Examiners Report to the Nation on Occupational Fraud & Abuse, the typical organization loses 5 percent of its annual revenue to some type of occupational fraud. The true measurement of fraud occurring in companies will never be known because fraud is normally undetected or unreported. Most executives that commit fraud are either trying to meet short-term earnings expectations or to satisfy excessive greed. The June 2006 Internal Auditor featured an article titled “Will History Repeat Itself,” by Joseph Wells. Mr. Wells writes that “many observers argue that fraud is not committed so much due to a lack of internal controls, but rather because of greed at the executive level.” Cynthia Cooper, team leader that identified the WorldCom fraud, stated in this article that, “The pressure and incentive to commit fraud still exists. Although Sarbanes-Oxley may reduce the likelihood, the market pressures of the past…will continue to influence executive behavior.” The executives that committed the frauds at Enron and WorldCom changed the public perception on executives as a whole. Public trust for executives was lost. Internal auditors and management have implemented hotlines, provided fraud training to management, and purchased fraud software to detect and prevent certain types of fraud. These measures can assist in the detection of fraud in the organization, but they do not change the mind-set or attitudes of some individuals that want to make a quick buck due to a perceived low ethical environment.

The American Heritage Dictionary defines ethics as “the rules or standards governing the conduct of the members of a profession.” Ethical values and integrity are two of the control environment factors that set the tone for an organization, according to the Committee of Sponsoring Organizations of the Treadway Commission (COSO). The Sarbanes-Oxley Act of 2002 has addressed the conceptual issues of the standards of ethical corporate behavior, tone at the top and the appropriate actions of employees.

Many companies established formal ethics programs as a result of the Sarbanes-Oxley legislation. The National Business Ethics Survey released by the Ethics Resource Center in October 2005 noted that formal ethics program initiatives increased dramatically. The survey noted the following:

• Eighty-six percent of employees were aware that their companies had written standards of conduct – an increase of 19 percent over the 1994 report.
• Sixty-nine percent indicated training on ethics had occurred in their organization – an increase of 32 percent over the 1994 report.
• Employees indicated that mechanisms available for providing ethics advice increased 15 percent from the year 2000.
• Installation of hotlines increased 7 percent over 2004.
• Discipline of employees who violated ethical standards rose 4 percent over 2003.

In his article, “Keeping the Company Clean,” (Internal Auditor, December 2006), Russell Jackson states that internal auditors have a responsibility not only to audit for fraud but also ethics. Many auditors say they review ethics every time they perform an audit. In Mr. Jackson’s article, Brenda Cowell, Senior Integrity Coordinator at Nexen Inc., in Calgary, Alberta agrees “There’s an ethics component to every audit” She also stated that there is an “ethics audit” that would allow for the review of the company’s whole ethics program, instead of just the portion addressed during the routine examination. As reported in a survey by the IIA’s Global Audit Information Network, almost 15 percent of internal auditors said they don’t perform ethics audits because they’re “too hard.” According to the survey, another 39 percent said that ethics audits are not part of their mandate or that they are simply not the internal auditor’s job. Russell Jackson maintains that ethics is a part of the internal auditor’s job. According to IIA International Standards for the Professional Practice of Internal Auditing (Standards), “The internal audit activity should evaluate the design, implementation, and effectiveness of the organization’s ethics-related objectives, programs, and activities”.

How do you audit for ethics? Greg Hollyman, a member of the IIA’s Ethics Committee states that “An audit is an audit. An ethics audit uses the exact same processes, interviews, and documents as a standard business audit.” A company’s ethics program can be as complex as a program that includes policy reviews with signoffs, training for employees, communication notifications, committee involvement and investigations; or it can be as simple as employees signing off on the company’s code of conduct. Therefore, internal auditors must have a clear understanding of what they are trying to accomplish and have adequate expertise in-house. Management support for an ethics audit is a key component for the success of the audit. One way to obtain this support is to communicate to management that in order to be in compliance with one component of Sarbanes-Oxley, an assessment of the organization’s tone at the top should be conducted.

Russell Jackson believes that internal auditors need to explain to executives that an ethics audit is really a reputation audit; then the possible consequences of not doing the audit becomes clearer. Executives realize that a good reputation is one step forward in maintaining or regaining trust from a company’s stakeholders. Mr. Russell states that the IIA Practice Advisory 2130-1 requires that a firm’s internal audit activity should, at a minimum, periodically assess the state of the company’s ethical climate and “the effectiveness of its strategies, tactics, communications, and other processes in achieving the desired level of legal and ethical compliance.” According to the IIA, the following areas of the company’s ethical culture should be evaluated:

• A “clear and understandable” formal code of conduct.
• Communications and demonstrations of expected ethical attitudes and behavior by the leaders of the organization.
• Strategies the firm uses to enhance its ethical culture.
• Confidentially reporting misconduct.
• Regular declarations by employees, suppliers, and customers that they understand the requirements for ethical behavior in conducting the organization’s business
• Personnel practices that encourage employees to be ethical.
• Regular use of surveys to determine the organizations’ ethical climate.
• Reference and background checks as part of the hiring process.
• Review of processes that might undermine the organization’s ethical culture.

Although internal auditors may have the competence to appeal to executives and other employees to comply with the legal and ethical responsibilities of the company, it may be beneficial to hire an outside firm to work with the internal audit staff to conduct the first “ethics audit.” Hal Garyn, Director of Internal Audit at PEMCO Mutual Insurance Company in Seattle, Washington states that informing management that the actions of some of their top executives are not consistent with the messages (regarding ethics) they think they are sending to employees may be more acceptable from an unaffiliated outsider.

Now I understand why fraud and ethics are pressing issues for internal audits. Every company is vulnerable to some type of fraudulent activity. The losses associated with fraud and/or unethical conduct can be devastating. I have to agree with my Memphis colleagues and ALGA committee members that fraud and ethics are pressing issues. We cannot audit for one without auditing the other. I have no doubt that hotlines, fraud training, and fraud software can help to detect fraud within an organization. However, having a well-communicated ethics program combined with the aforementioned activities can be a more significant fraud deterrent. The National Business Ethics Survey noted that creating awareness of workplace ethics diminishes fraudulent activity. During initial conversations with my Memphis colleagues, there had been fraudulent activities and ethics breaches reported in the state of Tennessee. Therefore, fraud training was at the forefront. However, during the investigations and discussion of these fraudulent activities, ethics became the topic of discussion. The questions arose as to whether or not there were ethics policies and, more importantly, a low ethics climate. A recent state law mandated that all Tennessee municipalities adopt some sort of ethics guidelines, primarily to heighten the ethics climate.

In conclusion, there is a need for both fraud and ethics training. Not only do auditors need training on auditing ethics for their organization but auditing ethics for themselves. We, as auditors, must continue to be the model for high integrity and the owners of public trust for our organizations.

Elizabeth C. Moore, CFE, CGFM, CBM is the City Auditor for the City of Memphis. A native Memphian, Elizabeth Moore has been employed with the City of Memphis for 28 years; nineteen years in Internal Audit. She was appointed City Auditor in 1999. She received a Bachelor’s Degree in Business Administration from LeMoyne-Owen and a Master’s Degree in Operations Management from the University of Arkansas. Her professional memberships include the Association of Local Government Auditors (ALGA), Institute of Internal Auditors, Association of Certified Fraud Examiners and the Association of Government Accountants. Mrs. Moore has served on the ALGA education committee, membership committee, Board Member at Large (2003) and is currently the Chair of the Education Committee. Mrs. Moore is married with four children.

Average user rating