The foundation of effective and efficient internal controls is an ethical culture within the organization. Internal controls are the bedrock of remaining compliant with laws and regulations. Audit is in place to help ensure that there are checks and balances within the system to detect inappropriate and unethical behavior.
Without internal audit establishing a clear culture of ethics in the organization, those within the organization will always find new ways to bypass internal controls or organizational procedures for their own benefit. Audit can help guide the organization and its employees to stay within the company’s values by embedding those values within internal controls and organizational policies, practices, and procedures.
In order to establish an ethical culture, the organization must begin a process for creating and maintaining it. These steps include but are not limited to:
· Establishing company values – An organization needs a clearly established code of ethics and conduct created by the values that shape the organization. Internal audit needs to ensure that this code of conduct and ethics is effective in maintaining company values and helping employees fully understand the requirements.
· Auditing training – Enacting policies within the organization is not sufficient on its own. The organization must establish a program that trains employees to become aware of and familiar with relevant compliance issues throughout the organization.
· Assessing risks – Every organization needs to understand not only its compliance and regulatory risks, but also risks that could be brought about as a result of its own policies, such as anti-bribery, harassment, or protecting the organization's assets.
· Reporting – Every ethics and compliance program needs to give employees and third parties the ability to report any concerns over possible violations of laws and/or company policies.
· Evaluating your ethics and compliance program – Internal audit needs to maintain continuous monitoring of the organization's compliance and ethics programs and systems. There should be regular audits of your compliance programs and continuous tests of internal controls.
Every ethical culture is top down. It starts with the board and executives and filters down to the operational directors and supervisors who directly manage the organization's day-to-day activities.
An ethical culture cannot simply be delegated to compliance functions and systems; it must be an initiative shared by the organization as a whole and its employees. A strong ethical culture that permeates the organization is the best tool to ensure that internal controls are working and are effective – not being circumvented or bypassed. Internal audit needs to monitor and implement this ethical culture to ensure that the company values are embedded deep within the company's work practices, procedures, policies, and systems.