Home / Blog / Internal Audit

Ethics Audit: 9 Steps to Audit and Monitor an Ethical Culture

Jamal Ahmed
September 11, 2019

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our
DECLINE ALL
×
ACCEPT ALL
Cookie Policy. Read more

D
oes your organization have a fully developed culture of ethics and compliance — and do you
know how to audit and monitor it? In this article, Jamal Ahmed, Vice President of Internal
Audit at Day & Zimmermann, breaks down the nine steps that led his organization to
receive a consecutive A ranking from Transparency International.1 Read on to learn how to implement,
audit, and monitor a culture of ethics and compliance, and download a list of key questions to ask
employees when conducting ethics audits.

What Is an Ethics Audit?

An ethical culture is the foundation of effective internal controls. Every auditor knows that internal
controls are best practice and necessary to ensure compliance with applicable laws and regulations and
to ensure that there is a system of checks and balances to detect inappropriate transactions. Yet,
without a culture of ethics and compliance, people will find ways to circumvent internal controls,
policies, and procedures.

While there is no set ethics audit definition, an ethics audit can include reviewing the code of ethics,
reviewing past incidents and the response by the individual and the organization, and interviewing
employees to understand their perspective on the organization’s ethics. Some choose to utilize
different ethics audit types. The ethics audit types vary from assessing individual employee awareness
to understanding the overall ethical culture. In the end, ethics auditing is similar to any other audit. We
approach the audit by defining an organizational objective, risks, and controls. The objective is to build
a strong ethical culture and the risks include lack of awareness, weak incident reporting, and poor
commitment from management. When considering the repercussions of a weak ethical culture, why
ethics is important in auditing.

What Is the Purpose of an Ethics Audit and Building an Ethical Culture? 

The purpose of an ethical culture is to help steer employees to choose to do the right thing by ensuring
that company values are embedded in everyday work practices. This raises the question: how does an
organization create an ethical culture?

How Does an Organization Create an Ethical Culture?

Whether your company is looking for effective ways to audit and monitor an ethics program or is just
getting started building out an ethical controls program, this article will walk you through a process for
creating and maintaining an ethical culture. We will dive into the nine steps Day & Zimmermann has
adopted from the Defense Industry Initiative (DII) to implement and monitor an ethical culture
program, and share a downloadable list of questions to ask employees during a range of ethics audits to
ensure that all components are working as intended. 

Key Interview Questions for Ethics Audits

Step 1. Company Values

An organization should have clearly stated values to establish its culture of ethics and compliance.
Values that shape a company’s ethical culture through daily work practice could include: integrity,
respect, diversity, safety, conscientiousness, creativity, and more. For instance, safety is our company’s
number one value — it might not seem an obvious choice, but our people work in nuclear plants,
manufacturing, and construction worksites that may contain dangerous hazards. Thus, we’ve made
safety a top value that is fundamental to our ethics programs and prioritized in our peoples’ everyday
work practices. 

Step 2. Code of Ethics and Code of Conduct

The values chosen in Step 1 should be incorporated into the organization’s code of ethics — our
guidelines about behavior and principles to govern decision-making — and the code of conduct, which
applies the code of ethics to a range of situations and actions. Both documents should also include
high-level guidelines regarding ethics and compliance risk areas. For the code of conduct to be
effective at guiding everyday work practices, it should give direction to employees on applying the code
of ethics to specific issues that are important to the company. For example, if an employee is working
in a foreign country, the code of conduct should provide guidance on complying with the Foreign
Corrupt Practices Act rules regarding gifts, gratuities, and entertainment.

Of course, having a formal code of conduct doesn’t guarantee real-world compliance. A code of conduct
audit will assess whether the code of ethics and code of conduct that exists in paper form is understood
and internalized by employees in their lived experience. Internal audit should: 

Ensure the code of conduct is provided to all employees, directors, and agents.

Assess what is done to ensure that employees understand the code of conduct and are familiar
with its requirements.

Internal audit should also assess whether the employee code of conduct training is effective in
ensuring employees understand its requirements.

Download Key Interview Questions for Ethics Audits for a list of questions to help assess the
effectiveness of the code of conduct training program in your company.

Step 3. Risk Assessment

Once your company has a code of ethics that employees understand and believe in, the next step is to
understand compliance risks as well as risks in the code of conduct guidelines that you provided. To
accomplish this, perform a risk assessment to ascertain whether your company is focusing on current
business risks as a result of changes in organizations, business practices, and laws and regulations.
When preparing each business unit risk assessment for compliance with applicable laws and
regulations, be sure to include issues that stem from the code of conduct guidelines such as anti-
kickback, anti-bribery, protection of company assets, or harassment issues.

Step 4. Ethics and Business Conduct Policies

An effective ethics and compliance program should include policies and procedures addressing the
particular risks facing a company. For example, policies and procedures relevant to international trade
should address risks related to import and export controls, anti-boycott measures, and money
laundering, among others. 

An ethics and business conduct policies audit will assess whether employees are aware of, understand,
and are following these policies. Internal audit should examine the list of policies to see if high risk
areas from the risk assessment and the code of conduct are addressed. For current policies, conduct
employee interviews to assess awareness of relevant policies. Ask employees how well they understand
their responsibilities in connection with ethics and business conduct policies, naming each policy
individually.

If an employee says they are not aware of the company’s guidelines on a listed policy, refer them
to the relevant section of the code of conduct and the applicable policy.

Identify policies with which the majority of the employees were not familiar so that additional
training can be provided in these areas.

Step 5. Awareness Training Audit

It is not sufficient for a company simply to have policies in place — there must be a program that trains
employees to be aware of relevant ethics and compliance issues. When developing or evaluating a
training program, you will want to consider:

How is this training delivered to employees? Is it an online program or live sessions? Is the
delivery method adequate to reach all employees who must take the ethics and compliance
courses? 

How is one considered to have completed a course? Is there a quiz after a training course with a
minimum score requirement?

If a tracking mechanism is used to see the completion status of required courses, what percent of
the employees have completed their required courses? What recourse is taken to follow up with
employees who have not completed or passed training? 

Step 6. Inquiry and Reporting Mechanisms

It’s important that your ethics and compliance program includes a process for employees, suppliers,
customers and others who do business with your company to ask questions or report concerns about
ethics or violations of laws, regulations, and company policies. To assess the process for investigating
concerns reported through mechanisms, such as the company hotline, internal audit should consider
the following:

Is there a prioritization of concerns received based on the severity of the issues raised? 

Is there a formal protocol for deciding who investigates what? 

Is there a formal protocol to ensure that all investigations are done using certain guidelines and
consistent standards for thoroughness?  

Were investigations documented in formal reports?

Were investigations completed in accordance within the established timeline?

Were the investigations thorough enough to reach a conclusion regarding the validity of the
concerns?

Was there any explanation for actions taken, or not taken, as a result of the concerns received
and investigations done?

Was ensuing actions taken with appropriate management approvals  and consultation with
functional experts (e.g. Law, HR)?

Were the callers made aware of the results of the investigations?

Download Key Interview Questions for Ethics Audits for a list of questions to help assess the
effectiveness of a Hotline reporting mechanism. 

Step 7. Communication Program

Develop a communication plan to increase ethics awareness and remind employees that ethics and
compliance are important to the company. The most effective communication programs should engage
all audiences with specific messages about ethics using a variety of media.  Effective communication
program components include: 

Separate pages on ethics and compliance in the company’s internal and external websites.

Internal ethics blogs from senior executives to help set the tone from the top.

Incorporate a variety of messages, short videos, and Q&A about ethics issues in the company’s
newsletter.

Ethics posters with the toll-free hotline number and ethics officer contact information should be
displayed prominently at locations where employees gather frequently. Posters should clearly
state that concerns can be reported anonymously, and that there will be no retaliation for
reporting a concern even if it turns out to be unsubstantiated. 

Ensure that the code of ethics, code of conduct, and ethics messages are distributed in all native
languages of employees.

A strong communication program will keep ethics and compliance top of mind for all employees!

Step 8. Ethics and Compliance Program Assessment and Evaluation

At all points in the process of implementing an ethics and compliance culture, it is important to
maintain continuous program evaluation. There should be regular internal and external audits of your
ethics program, and an assessment of how often internal controls are tested. Conduct employee
surveys and focus groups to assess employee impressions of the ethics and compliance culture. A
constant vigilance and program evaluation is necessary to maintain a strong culture of ethics. 

Step 9. Leadership Commitment

To achieve and maintain an ethical company culture, there must be strong commitment from the top
to create the perception that ethics and compliance is important to the company. Leadership
commitment may be the final step in this list, but it is fundamental throughout the previous eight
steps that management take responsibility for demonstrating through their actions the importance of
ethics and compliance. There are many ways that organizational structure and activities can
demonstrate leadership commitment: 

Have the CEO make a statement to formalize your company’s commitment to the highest ethical
conduct in all aspects of your business. 

The leader of the Ethics organization can report directly to the Board of Directors or Chief
Executive Officer.

An Ethics and Compliance Committee with a senior executive as Committee Chairman can
provide leadership and oversight to the ethics program and review the status of ethics program-
related activities. The committee itself might consist of senior leaders from Legal, Human
Resources, Internal Audit, Operations, Communications, Security, IT and other departments. 

How to Start an Ethics and Compliance Culture

A culture of ethics and compliance starts at the top, but most employees at a company will never meet
the CEO — for them, ethical culture is what they see up front every day. The message of ethical
behavior should flow from the top leadership down to the lower-level supervisors who directly manage
the company’s business on a day-to-day basis, and from them to all employees.

Download Key Interview Questions for Ethics Audits for a list of questions to ask managers to assess
the effectiveness of leadership commitment to ethics and compliance. 

Develop a Strong Culture of Ethics

To be effective, ethics can’t just be a program administered by the Ethics and Compliance function —
an ethical culture must be a process and a responsibility shared by all employees. Developing a strong
culture of ethics that employees believe in will help to ensure that internal controls are not being
circumvented due to lax ethical standards on the ground. Following these nine steps will help enable
internal audit to implement, audit, and monitor an ethical culture where the organization’s values are
embodied in its people’s everyday work practices.

1. Transparency International is an independent, UK-based, non-profit organization known for

assessing ethics and compliance and anti-corruption in governments around the world ↩

Jamal Ahmed is the Vice President of Internal Audit at Day & Zimmermann, Inc. (D&Z)
in Philadelphia, PA. The D&Z Ethics Program, under Jamal’s leadership, received an A
ranking from Transparency International (TI) in its 2015 Defense Companies Anti-
Corruption Index.

Related Articles

INTERNAL AUDIT INTERNAL AUDIT INTERNAL AUDIT

How GoHealth Streamlined IT Dependency (ITD) Al Mawji Shares IA’s

Communication During Validation Process Best Powerful Enterprise-Level
Their First... Practices... View...

Schedule a Demo
Fill out the form below to schedule a live, personalized demonstration of the AuditBoard platform.

First Name: * Last Name: *

Email Address: * Job Title: *

Company Name: * Phone Number: *

Country: *

Schedule a Demo

About AuditBoard PLATFORM RESOURCES COMPANY

AuditBoard is the leading cloud-based platform transforming how enterprises

RiskOversight Blog About Us
manage risk. Its integrated suite of easy-to-use audit, risk, and compliance solutions
streamlines internal audit, SOX compliance, controls management, risk management, SOXHUB Resource Library Leadership
and security compliance.
CrossComply Ebooks Customers

OpsAudit AuditBoard TV Partners

Events & Webinars Investors

On-Demand Webinars News

Careers

Technology & Security

Contact Us

1 (877) 769-5444

Copyright © 2022 AuditBoard Inc. Privacy Policy