The Question
Can ethical culture be audited? That’s the question we recently received from the internal audit department of a Fortune 250 company. Their inquiry wasn’t so much about measuring ethical culture (the company had recently completed an ethical culture survey), but rather about actually auditing ethical culture, using standard auditing protocols and methodologies. The audit would provide an independent, risk-based assurance of the company’s control environment and processes for identifying, evaluating and managing ethical culture risk, including a definable and repeatable process for continuous improvement.
The Response
In developing our response, we reviewed some of the leading research into ethical culture[1] and drew upon our own experience managing ethics and compliance programs. We also looked at several white papers on auditing ethical culture from the Institute of Internal Auditors (IIA) [2].
While the IIA documents were helpful, we found that their focus was not on auditing ethical culture per se, but rather on auditing the traditional components of an ethics and compliance program (i.e., policies, training, hotline, investigations, third-party due diligence). In our view, these papers rely on a misleading assumption – that the presence of an ethics and compliance program is indicative of an ethical culture. It is not.
Certainly, an ethics and compliance program is a necessary condition for an ethical culture, but it is not necessarily a sufficient one. Rather, an ethical culture requires alignment between the formal (ethics and compliance program) and informal (cultural) systems within an organization. Therefore, an ethical culture audit needs to focus on the informal components of ethical culture, not just on the traditional components of an ethics and compliance program.
The Audit
In developing our ethical culture audit, we identified the following key auditing activities:
1. Define the informal indices of an ethical culture.
At a minimum, this would include the areas of ethical leadership, organizational justice, and speak up culture/fear of retaliation. There may be others, but we would start with these three as there is an abundance of behavioral science and research to support their understanding and evaluation.
2. Identify the internal control processes related to each of these indices.
Using ethical leadership as an example, we can explore the processes and controls related to ethical role modeling and ethical management in an organization. For example, do managers in the organization model expected behaviors and hold others accountable for their ethical behavior? Do performance reviews or job candidate interviews include aspects of ethical leadership?
3. Create meaningful data points and metrics for each of these indices.
With organizational justice, for example, we can look to internal investigations metrics for “procedural justice” outcomes (i.e. is the investigation process consistent and fair). We can also look at the resulting disciplinary measures for “distributive justice” metrics. For example, are employees held to the same disciplinary measures at different levels of the organization? Sadly, we often see that leaders are held to a lessor standard of discipline than line managers – a clear warning sign for ethical culture.
4. Look for evidence of continuous improvement across these cultural indices.
Does the organization identify opportunities to improve their culture, not just based on the outcome from an employee engagement or ethical culture survey, but based on actual data and process control failures related to ethical culture? Are employees incentivized to speak-up? What are the rates of retaliation and where does it occur? How many improvements to the compliance program are focused on ethical culture or originate from an employee that “spoke-up?”
We believe there are more areas of ethical culture that can be identified, measured and evaluated. Over time, we also expect more companies to adopt a greater focus on ethical culture and the informal systems within their organization.
The Conclusion
Ethical culture can be audited, not just measured. Using proven internal audit methodologies and processes, an ethical culture audit can provide an independent risk-based assurance of a company’s control environment and processes for managing ethical culture. An ethical culture audit can help transform a company’s ethics and compliance program by treating ethical culture as a core program element not just a by-product of the compliance program. To be sure, companies should be conducting regular audits and self-assessments of their formal ethics and compliance program. They should also be conducting regular ethical culture surveys (no longer an emerging best practice, but a standard program requirement). Overall, we believe that ethical culture audits are the next step in the evolution and maturity of effective ethics and compliance programs.
[1] Linda K. Trevino and Katherine A. Nelson, Managing Business Ethics, Straight Talk About How To Do It Right. Sixth Edition. Wiley (2016).
[2] “Evaluating Ethics-Related Programs and Activities.” Practice Guide (June 2012); “Sustaining and Ethical Culture.” Tone at the Top (June 2014); “A Hard Look at the Soft Stuff” Global Perspectives and Insights (June 2016)
