Many times, we internal auditors come across a “Not a Biggie” reaction even to findings that represent ethical violations. Not that this reaction is anything new to us: managements can be expected to react to every internal audit output, since it offers a review of the management’s stewardship. Nor does it bother us more than it should, and does, bother the entity itself.
What is mind-boggling is the amazing diversity of hues and colors in which we experience both the issue and the management’s reaction to it, and it makes a good case for internal auditors to always look out for these as well when gathering evidence in reviewing the control environment!
So, let’s first examine management reactions to issues pertaining to ethics and why managements are unable to distinguish between a regular internal audit finding and a finding on ethical misconduct or, more appropriately, why ethical conduct only deserves a mention in the service rulebook or codes of conduct rather than being an indispensable action.
The significance belief
Managements believe each finding must be significant to merit inclusion in the auditor’s report and to be worthy of consideration by the management. From this perspective, the issue ought to be severe in its impact, when in fact ethical misconduct is regularly perceived to be an isolated act of error or omission.
The risk rating hunt
Internal audit findings ought to be rated in accordance with the approved risk-based rating criteria. Ethical misconduct of employees doesn’t even get a place in risk registers, so how could it be a high-rated or even a moderately rated risk?
The external audit-based approach
External audits have, over the years, developed within managements a standard way of approaching all audit findings: the concept of materiality! Any finding that hasn’t resulted in a significant loss of value / financial loss is not worth anything. It seems they are at a loss to understand how to attribute a value to findings related to ethical misconduct.
Nothing has happened
Findings on process deficiencies are usually well understood and accepted, as these are interpreted in terms of improvements that could be brought into the processes. But ethical misconduct on the part of people only becomes a problem when a violation or a fraud of significant proportion has occurred. It’s hard to act against people for violations not leading to losses because of fear of reprisals and other exposures. But, more to the point, action against ethical misconduct might be an admission of a failed recruitment process. So, “nothing has happened” is the best recourse available to managements.
Taken together, these reactions exhibit a clear lack of understanding of what a control environment is, what it embodies, and the meaning of its hierarchical level in the overall system of internal controls. Since the control environment comprises principles, rules, governance philosophy, values, ethics, codes of conduct, and the attitude and approach of those charged with governance and those with management, most of the control environment only manages to secure a place in the entity’s literature, exhibited conspicuously but never really understood.
Seldom is the talk on the control environment walked; it’s only used for sloganeering and making arguments, hardly ever practiced even by the leadership who tout it as something invaluable. And when that’s the case, people never really understand why it sits at the top of the overall control system and thus, when it fails, not a single component it covers would function the way it should.
Process controls would just be performed as a written procedure, not actually controlling anything; risks would not be fully identified, assessed, managed and evaluated; causes of failures won’t be known, as the focus would be on getting symptomatic fixes; reporting would be irrelevant, if done at all; and it won’t be known what should be monitored.
Let’s now delve into how diversely ethical misconduct manifests itself.
| Ethical Misconduct Types | Telltale Signs (examples) |
| --- | --- |
| Hypocrisy | Pleading for policy exceptions for oneself while denying the same for others. Talking about how the entity needs to manage finances and cut corners while seeking generosity when personal benefits get involved. Market-competitive compensation for others but many times more for oneself. |
| Lack of Meritocracy | Developing a people-preference-based scheme for promotions and bonuses. Violating a merit-based system to allow rewards. Disregarding process re-engineering and performance management when downsizing, and selecting people on personal choices. |
| Disloyalty & Conflicts of Interest | Preferring personal benefit at the expense of the Entity. Pursuing personal interests rather than the interests of the Entity. Not fulfilling responsibilities and tasks assigned. Consuming official time on personal commitments. |
| Delaying Action | Not acting on reported ethical offences. Forming fact-finding committees / teams on clear violations. |
| Hardcore Violations | Frauds against systems (financial, non-financial). Records tampering. Forgery. Policy & procedural violations. |
| Taking undue advantage of business relationships | Obtaining financial, professional, personal benefits in exchange for continued business relationships. |
| Buying / Selling Conscience | Begging for promotions, pay raises. Blackmailing for favors. |
| Lack of Accountability | No one is accountable for actions / inaction. |
| Lying / Blabbering | Talking nonsense all the time! |
Certainly, the listing is not exhaustive, and auditors can always experience many more signs, although all those experiences would continue to fall within the broader classifications / types listed above.
As for the auditor’s assurance, even a single sign matching any of the ones listed above would mean that the entity’s tone at the top, its control environment, is rotten, because it just doesn’t stop at that one sign; it becomes pervasive such that the decay gets to the pulp!
But you can have an added assurance too. Such an entity is not steered by Leadership, but only by Management, because Leadership is all about values. And yes, sure enough, the entity will veer off course no matter how good the risk management system is on paper!