This article explores how to assess the strength of an organization’s integrity capabilities and operationalize integrity processes with contributions from Professor Eugene Soltes, Ph.D., of Harvard Business School, plus Jon Feig, CPA, and Andrew Reisman, J.D., of Ernst & Young LLP’s Forensic & Integrity Services practice.
You’ve been promoted to be the internal audit lead for your organization’s recent overseas acquisition. Management, of course, has high expectations for its new subsidiary, including continued growth and margin improvement driven by a successful sales model and a strong global brand. But as an anti-fraud professional, you know that you’ll need extra time to discover more about the acquisition’s operations.
You begin where pre-deal due diligence left off. You learn that sales are based on local relationships, and, unfortunately, gifts and entertainment cement those relationships. You know that some customers are owned by the government, but you don’t know the extent of the government connections en route to market. Sales and inventory records show odd transaction patterns at the end of financial quarters. You’re concerned that competitors know each other socially, and you haven’t seen aggressive price shifts in the market.
The acquired company does have a code of conduct and supporting policies and procedures, but local management is adamant that what they describe as an “entrepreneurial culture” drives sales, and changes to the company’s sales culture or compliance policies would likely negatively affect financial results.
You report this ethical dilemma to your management, which asks for an integration plan with the objective of implementing the parent company’s operating, financial and code-of-conduct standards. What framework can you use to meet those goals? How will you measure your progress? What changes do you recommend that the subsidiary can enact so it doesn’t lower the parent company’s integrity level?
Determining your integrity agenda
“Integrity is conforming reality to our words – in other words, keeping promises and fulfilling expectations,” wrote educator and author Stephen Covey in his book, “The 7 Habits of Highly Effective People.” Integrity is at the core of every organization’s risk, compliance and anti-fraud program. A successful organization stays true to its mission, keeps its promises and respects laws while understanding ethical norms.
An organization’s announced intentions might be clear: Policies and codes of conduct are in place, and senior leaders demonstrate commitment via formal and informal communications. Yet, recent high-profile scandals at major corporations show that executives’ unethical conduct has persisted. When the misconduct finally surfaces publicly in these cases, expensive investigations ensue, senior executives lose their jobs, fines mount and individuals are prosecuted, while market capitalizations decline.
EY’s recently published 15th Global Fraud Survey shows that 52 percent of respondents in emerging markets believe that bribery and corrupt practices happen widely in their countries, and 19 percent of the respondents say they can justify cash payments to win or retain business when helping a business survive an economic downturn.
Yet many organizations don’t confront integrity risks directly. “More than ever, we see companies react to the increased cost of compliance programs. They look at the effectiveness of their programs through a lens of cost/benefit and risk tolerance,” says Jon Feig, partner with EY’s Forensic & Integrity Services practice.
Of course, organizations must consider cost efficiency in a challenging, competitive environment. However, the question is whether they balance cost considerations with adequate prevention, detection and response capabilities for risks that can cause the most impact.
Organizations must maintain a focus on their integrity initiatives and related communications, especially when they enter emerging markets. Those that emphasize integrity and transparency in their relationships with their business partners and other stakeholders can more confidently operate in high-risk countries, navigate new markets and potential acquisitions, and integrate innovative solutions and processes to increase business transparency.
Perhaps, more to the point, doing wrong things means lost opportunities to do right things:
- What more could an organization have accomplished if it had focused on innovation instead of covering up frauds?
- How would an organization have improved if its leaders prioritized integrity and quality over setting unrealistic revenue targets?
Can organizations do better? Of course. We know that leaders set the tone at the top and define standards of behavior. Integrity or compliance functions — along with human resources, finance, security (physical and data), legal and internal audit — provide programmatic support by infusing process discipline, governance and focus based on cultures of trust. Regulatory and legal standards of compliance and personal and professional ethics also guide these programs.
The point of tension is the gap between an organization’s intentions and its actual performance.
Reduce gap between intentions and actual behavior with an integrity agenda
EY’s Feig states that his firm developed a structured approach for an integrity agenda to address that point of tension “in order to close the gap between intent and performance. Organizations should focus their efforts on improving the effectiveness of their compliance programs. They should assess corporate culture, controls, governance from an integrity perspective, while leveraging new technologies to provide better data insights.”
Feig suggests an organization can best operationalize an integrity agenda by evaluating four foundational elements that align actions with organizational objectives:
- Governance: The structure of integrity management, which encompasses board, line management and corporate functions, and the policies that guide organizational behavior.
- Culture: The commitment to integrity that guides decisions across the extended enterprise. A culture of trust is vital for success, which we see in changed employee behavior.
- Controls and procedures: These embed integrity into daily operations to deter and detect violations of laws and policies.
- Data-based insights: These insights about emerging risks and integrity performance drive measurable program effectiveness and enrich employee knowledge and awareness.
The science of compliance — fulfilling established regulatory and legal standards within organizational programs — and the art of using innovative techniques to bridge the gap between organizational intentions and actions guide these foundational elements. The imperative of measuring outcomes to validate effectiveness also guides the elements and helps organizations decide what actions actually help minimize the gap.
How can organizations improve their integrity?
Professor Eugene Soltes, Ph.D., of Harvard Business School, observes that many companies start with codes of conduct to explain their expectations and guide employees on how to deal with difficult issues. A code is a good starting point for employees, but they also need specific policy guidance, education and compliance advice as practical issues arise. For example:
- An employee is faced with a situation where providing a gift to a government inspector could save a plant from a temporary shutdown.
- Getting a client to complete an order with a deferred payment to the next quarter can help an employee meet sales goals.
- Contributions to a politician’s favored charity could help influence legislation that might be favorable or unfavorable to the company.
- Or, using our opening case, an employee needs to know the tipping point between generous entertainment and bribery when trying to obtain contracts in private or government sectors.
(Soltes was a keynote speaker at the 28th Annual ACFE Global Fraud Conference. See the article, “Why do they do it? Inside the mind of the white-collar criminal,” Fraud Magazine, July/August 2017. — ed.)
A code of conduct is a valuable resource but only if people use it and believe that its statements reflect their beliefs. To communicate a meaningful code, Feig suggests that organizations build them from the ground up by asking managers and employees how they’d resolve hypothetical integrity issues and define the values that led to their decisions. This includes protecting the company and the employee.
While a code is the starting point, business leaders must support the right path. Do employees feel that using the internal hotline helps to protect the organization? Do they feel that the organization will reward them for choosing the right paths or will regard them as troublemakers? Can employees easily access the code of conduct and in their local language?
Elements come to life
Let’s quickly put the model to work in a business context. In the following examples, the four elements — governance, culture, controls and procedures, and data-based insights — come to life. (Many of these examples, which use bribery and corruption risk, are commonplace.)
Governance
Does the organization have an established governance structure that provides decision-making and support for the capital needed to support the integrity programs? Are functional and business leaders included in this program? How does the board oversee these structures? Are the governance structures designed for diversified and decentralized operations? Do business units and local leaders have the resources and information they need to stand accountable for integrity and compliance outcomes?
In our opening case, the organization’s chief compliance officer and the VP of internal audit jointly sponsor a quarterly risk and compliance update with the CEO and her direct reports. They discuss the acquisition and how the integration could affect results. They also clearly describe the risks inherent in the target company’s current operating model.
Good governance would help to make sure that leadership is behind the proposed changes and will support the integration team during a potentially turbulent time. Good governance also puts other functions in a position to assist with HR issues and financial approvals, among others.
Organizational activities around governance:
- Organizational vision and mission, and the ethical obligations they influence
- Integrity function design and controls
- Inclusive teams with diversity of skills
- Resource allocation
- Code of conduct and organizational values
Culture
Does the organization’s culture focus on transparency? Does it perceive individuals who raise concerns as troublemakers? Employees work for a company for numerous reasons, but is their main reason to earn income or prestige? Do employees know that the organization encourages them to speak up and that it’ll protect them when they do? Put differently, has management created a culture where that employee will risk putting food on the table to protect the company? How does the organization incentivize and reward employees?
For example, in the implementation plan described in the opening case, the internal audit leader launched an employee survey to better understand the culture of the company as a way to measure progress in the areas of culture, ethics and awareness of key anti-fraud policies.
In a “what would you do?” case study scenario, some survey questions ask respondents to choose among several possible responses to an ethical dilemma. Management can then evaluate certain trends, anomalies or training opportunities across the business. The company further strengthens the culture with code of ethics messaging campaigns — electronic (email and mobile applications) and printed across the offices — to drive home the message.
Organizational activities around culture:
- Tone at the top and leadership commitment
- Training and education
- Open and transparent communication, confidential reporting lines
- Risks, pressures and beliefs that influence employee decisions
- Behavioral patterns — positive and negative
- Employee selection and separation
- Third-party due diligence and management
Controls and procedures
Has the organization thought through where the main risks lie and invested in controls and procedures to protect the company and its employees?
Controls provide prevention, detection and response. Compliance controls should be as robust as controls for revenue-producing activities; indeed, organizations should embed compliance requirements in daily operational steps, for example, to protect sensitive customer data, supervise sales agents or confirm export arrangements.
The more automated the business processes, the firmer the compliance controls and the greater the data to measure processes and effectiveness. For example, in the opening case, the new audit leader in the implementation plan uses an existing financial control for the “procure-to-pay” process (covering, for example, hiring consultants to obtain business permits) — the vendor master file. He revises it to mark third parties as high risk based on such attributes as interactions with government employees or results from the third-party due diligence findings.
Organizational activities around controls:
- Technology-enhanced procedures, which provide data about performance and impact to management and employees in the field
- Assessments, including fraud risk program assessments, cyber risk assessments and investigations
- Continuous improvement of controls, e.g., reduced high-risk transactions, improved employee survey feedback, improved employee decisions based on scenario training, and increased sales or success stories based on ethical decision-making, etc.
Insights
The last section of our integrity agenda includes the importance of measuring effectiveness. How do we know that all the efforts are really working to improve culture, and identify and manage risks?
Organizations have made substantial progress in increasing business transparency using data analytics. The key is to focus on primary sources of information, such as the whistleblower hotline where key insights could include spotting trends in data.
Other insights might include assessing how consistently the organization has disciplined wrongdoers, and whether it has spared senior executives or shown gender bias. Conducting transactional analysis, such as review and risk scoring of payments, can also provide key insights into high-risk third parties or employees.
In our case, the internal audit leader, during the course of implementation planning, worked with the IT implementation team to understand the data system integration plan and designed analytics around key risk areas including procure-to-pay and expense reimbursements. The company tailored these analytics to be simpler during the course of the implementation but more complex as data availability increased.
Expense reporting highlighted key risks including fraud, bribery, corruption and competition law risks. Procure-to-pay utilizes a risk-based approach to identify trends and red flags inherent in the data. (See the “Innovation Update” column, “You can’t monitor what you can’t measure,” Fraud Magazine, March/April 2018, for a specific example of gaining insights from data analytics in this context.)
Organizational activities around insights:
- Risk and controls monitoring
- Analytics into the matters reported through employees via the hotline or through other communications
- Forensic data analysis, e.g., transaction or communications monitoring
- Investigations and root-cause analysis
- Board and management reports of system performance
- Sharing insights with an organization’s people to enrich their knowledge, facilitate good decisions and strengthen culture, e.g., mobile apps, email communications, video clips, newsletters, etc.
Measuring effectiveness
The above four elements help embed integrity in an organization, but the key to making progress on reducing the gap between organizational intent and actual behaviors is to know if management action has produced measurable improvements. Focusing on outcomes is vital to guide future actions and investments of scarce resources.
“Leading companies are beginning to be more aware of the value of measuring the impact of their compliance initiatives,” says Soltes. “This starts by moving beyond overly simple statistics like percent completion and amount of time or effort spent on training exercises. Instead, anti-fraud and compliance leaders should consider what they want to achieve with a particular initiative and then design measures that more precisely capture that output. For example, did recent code-of-conduct training impact certain behaviors we see among our sales force? Or, is the total dollar amount of suspicious transactions flagged in our monitoring system going down over time as a result of recent monitoring enhancements?”
Soltes’ research explores how organizations that focus on measurement drive greater compliance innovation. “A company might begin with an effective governance structure and system of controls, but then recognize that there are additional opportunities for improvement,” he says. “This is where leading organizations are becoming proactive with data analytics.”
What can anti-fraud professionals do to bridge the integrity gap?
Soltes suggests that organizations should move beyond the silos of traditional reputational, regulatory and compliance risks. That is, most companies have accountability and metrics for different risks within different parts of their organizations — such as compliance, HR, internal audit, security — but not holistically across their businesses.
This causes deep problems if departments don’t coordinate functions because the responsibility to fully understand integrated sets of risks and opportunities is spread across different parts of an organization. For example, while the compliance department might report information to the audit committee, compliance has to hurdle the obstacle of not having accountability or authority over, say, HR, related to their specific compliance risks.
Consequently, one of the best ways to improve is to introduce an integrity agenda at the senior executive and board level where multiple aspects of the organization are represented. In these higher-level discussions, the word “integrity” applies to everyone and suggests more of a cultural responsibility — not just a compliance or an anti-fraud policy.
Anti-fraud professionals’ call to action
Anti-fraud professionals can help bridge the risk of employee integrity gaps by bringing together their legal, compliance, internal audit and other risk function colleagues, and making holistic assessments of their organizations’ integrity agendas.
If you use the levers of governance, culture, controls and insights to increase the discussion around your organization’s integrity agenda, you’ll help provide measurable improvements and increased business transparency to your organization and, once again, help keep it out of trouble.
Vincent M. Walden, CFE, CPA, is a partner with Ernst & Young LLP’s Forensic & Integrity Services practice. Contact him at vincent.walden@ey.com. He edits the “Innovation Update” column in Fraud Magazine. Contact Jonathan C. Feig, CPA, partner at Ernst & Young LLP’s Forensic & Integrity Services practice at jonathan.feig@ey.com, Professor Eugene Soltes, Ph.D., of Harvard Business School, at esoltes@hbs.edu, or Andrew E. Reisman, J.D., a senior manager at Ernst & Young LLP’s Forensic & Integrity Services practice at andrew.reisman@ey.com.