The importance of ethics: At a time when companies are conducting business at the speed of thought, it is prudent for internal auditors to keep risk management in their thought process – Risk Watch

Larry D. Hubbard

THE COMMITTEE OF Sponsoring Organizations of the Treadway Commission’s (COSO) Internal Control — Integrated Framework provides a framework, or model, for meeting business objectives. According to the private-sector group, internal control systems help achieve business objectives and consist of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. Auditors can use this framework as an “agreement” with management about what to review in their audits.

The base of this agreement is the control environment, or corporate culture. Ethics and integrity are essential to the structure of corporate culture and are examples of what have come to be called “soft controls” — intangible, difficult-to-verify, essential controls necessary to run any organization.

Lack of soft controls, such as management philosophy, integrity, and ethics, increases the possibility that other, more traditional controls, such as approvals and reconciliations, may be overridden. Soft controls are the primary focus of many newspaper articles we’re seeing now on the unfolding bankruptcy of Enron Corporation.


Auditors can begin to evaluate soft controls by answering the following:

1. Regarding the organization’s core beliefs, my supervisors and associates:

* Don’t know what they are.

* Think they are just words people use.

* Strive to achieve them.

2. The culture and level of integrity of people in my workplace are:

* Going downhill.

* About the same.

* Getting better.

3. Our organization’s reputation in my community is:

* Getting worse.

* Remaining steady.

* Getting better.

4. Our organization’s business ethics policies:

* Are unknown to me.

* Are for appearances only.

* Are known and followed.

5. Our organization’s policies and procedures:

* Are in shambles.

* Are sometimes useful.

* Help me do my job.

Auditors who predominantly choose the last answer probably work for an organization that has ethics and integrity — two soft controls that help in achieving business objectives. Auditors who choose mostly the first and second answers are with companies that can still meet business objectives, be profitable, increase shareholder value, and strive to achieve stakeholders’ aspirations. However, the risk formula changes if ethics and integrity are not considered important in meeting business objectives.

Ethical risks increase and business objectives may fail, not because of specific internal or external threats, but because management’s philosophy or operating policy is wrong for the circumstances, there is a low level of commitment to competence, or even because Wall Street doesn’t trust management’s ability to report financial results.


To ensure that internal controls are effective, auditors need to gather audit evidence and information about ethical risks in their organizations. Normally, auditors use one of three methods to gather soft-control information: structured interviews, self-assessment workshops, and self-assessment questionnaires.

In a structured interview, auditors ask the same questions of many people (20, 30, or more employees) at different levels of the organization. If they get substantially the same answers, the consistency of the answers constitutes audit evidence — as auditors, we believe it to be true. For example, auditors could use the five statements above to provide audit evidence of the ethical climate of the organization if almost everyone interviewed gave the same answers. The answers are less persuasive as audit evidence if they differ, because differing answers show that not everyone views those items the same way.

Auditors also use self-assessment workshops, where a facilitator asks soft-control questions, to gather audit evidence. Facilitators often use anonymous voting technology to ensure accurate results and eliminate the fear of reprisal.

Finally, many auditors also use self-assessment questionnaires to ask soft-control questions. Many audit groups follow the questionnaires with group meetings, or workshops, to discuss the results.


Management doesn’t always see the merits of gathering information about ethical risks in their organizations or the value of the COSO approach to internal controls. Auditors have a responsibility to reach an agreement with management on what internal controls mean in the organization and the level to which management will buy in to the COSO definition.

If an organization’s internal control definition focuses on meeting business objectives and the importance of soft controls, as COSO’s does, auditors must be sure management understands that this is the case. There could even be a training curriculum that teaches managers how to meet business objectives. Internal auditors would be wise to align the COSO concepts with those training curriculum concepts so that both are consistent when talking about the role of internal controls in meeting business objectives.

Before concluding that the COSO model is the right path for their organization and beginning to provide management with soft-control information, auditors might first want to consider several questions:

1. Does management want to hear about soft controls?

2. Does management think soft controls are controls?

3. Does management have a published ethics policy or standards of business conduct on which to base soft-control information?

4. Does management think that auditors are the right group to look at soft controls?

If the answers to questions one and two are no, it might be because the concepts are unfamiliar to management. It is the audit group’s job to educate the executive arm of the company and win them over. In an organization that values authoritative statements, the best starting point might be a brief presentation on COSO — or a similar document more relevant in the particular country. Be sure to include the audit committee. In an organization that perceives COSO as red tape, auditors might start by translating the COSO concepts into the organization’s common language and talking about them informally. During this education period, auditors can begin to move into soft-control areas little by little in their audit work.

If the answers to questions one and two are yes, but the answer to three is no, auditors should agree with management on what ethics and conduct issues are important to the organization. If the first three answers are yes, but the answer to four is no, there could be another group in the organization, such as organizational development or human resources, that is well-trained to gather this type of information.

COSO doesn’t say the auditors have to be the ones to gather soft-control information — just that for internal controls to be effective, management must get the information in some effective way. In this case, auditors can fulfill their mandate to evaluate soft controls by evaluating the process in place. Is the group charged with this responsibility asking the right questions? Will their process produce sufficient, relevant, competent, and useful information? Is it consistently applied? If the answers to all four questions are yes, then auditors can begin effectively gathering audit evidence about soft controls, or ethical risks.

On the other hand, management may never fully accept the concept of soft controls. In that case, auditors have to accept management’s understanding of internal control, but they must also recognize that to the extent they do not evaluate soft controls, they are not in compliance with The IIA’s Standards for the Professional Practice of Internal Auditing, which require that auditors evaluate risk management and governance. Consequently, they will not be able to say in their reports that the audit was conducted in accordance with the Standards. They might want to discuss this with senior management and the audit committee to confirm that these groups do not want a fully compliant internal audit department.

Ethical risks affect everything an organization does. Managing these risks is essential to internal control under the COSO framework, but internal auditors cannot effectively evaluate ethical risks without management’s buy-in.

LARRY D. HUBBARD, CIA, CCSA, CPA, is principal of Larry Hubbard & Associates in Bethesda, Md. He can be reached at

COPYRIGHT 2002 Institute of Internal Auditors, Inc.

COPYRIGHT 2002 Gale Group