CEB Blogs


Risk & Audit

5 Ways for Auditors to Create a Culture of Integrity

Creating and maintaing an ethical culture is one of the most critical components of corporate success misconduct continues to plague organizations around the globe in both the private and public sectors. Any given month will see numerous news stories about misconduct that results in significant damage to a company’s product quality, to its market capitalization, to its reputation or, worse, to the wellbeing of its employees.

Take for example the recent issues plaguing BNP Paribas – or those faced by American Apparel. CEB data show how widespread employee misconduct is:

  • 13% of employees observed harassment.
  • 11%+ of employees observed misconduct in the workplace.
  • 10% observed a conflict of interest.
  • 7% observed fraud.

No matter the type of misconduct, every incident is a direct risk to a company and will corrode any attempts to introduce the right culture, ethics and behaviour. CEB research shows clearly that incidents that are observed and not reported (around 60%) or are reported but result in no action from managers, seriously damage corporate culture. This damage inevitably leads to an increase in misconduct and lower reporting rates. A classic vicious cycle.

More on controlling miscount at work with Risk Clarity

Why Integrity is So Important

It is incumbent on senior managers, then, to instil a “culture of integrity.” This is a corporate culture where all employees are comfortable speaking up when they witness potential misconduct and, crucially, expect wrongdoers to be punished (i.e., they have faith in the organization’s sense of justice). As a piece in Forbes recently pointed out, “a culture of integrity functions as a potent risk management tool.”

In fact, CEB data show that organizations with this kind of transparency and strong, open communication deliver shareholder returns an average of 5% higher than their peers. And, a high-integrity culture decreases the most significant forms of misconduct by 41%. In short, integrity may be one of, if not the, most critical components of corporate risk management success today.

The Role of Internal Audit (and Middle Managers)

While misconduct and reporting rates will vary by region, the type of incident and the grade of employee, it is critical that every head of audit and their team understand the health of their firm’s corporate culture and include considerations of culture and employee behavior into the audit plan and methodology.

In terms of culture, investing in the right “tone at the top” (something American Apparel clearly failed to do) has been and always will be important but it isn’t enough to correct the culture itself.

Any expected trickle down effect through employees observing their managers’ behavior is incredibly limited. “Tone in the middle” must be taken as seriously as tone at the top; senior managers should ask themselves, “How do our middle managers demonstrate correct behavior? How do they respond to a member of staff discussing an ethical dilemma in the workplace?”

It is without question that middle management needs to know the policies and undergo the proper training, but unless their behaviour is actually changed no benefit will have been gained.

Getting Ahead of the Curve

Some heads of audit are hesitant to take on the idea of employee misconduct and corporate integrity. These are not risks are either clear cut or quantifiable. Moreover, heads of audit worry that their teams don’t have the right skills to audit something as intangible as “corporate culture.” But the best audit teams do measure misconduct, and have put procedures in place to get on top of corporate risk management and do their part to create a corporate culture based on integrity.

CEB’s work with some of these teams shows that the best teams do five things in particular.

  1. Review past issues reported by audit and identify the common root causes.

  2. Review employee surveys to extract relevant intelligence about how culture is perceived across the organization.

  3. Use existing metrics as a proxy to identify potential hot spots of concern, such as:

    Details of accidents, insurance claims, litigation, employee tribunals, exit interviews.

    Analysis of management success in implementing timely action plans that resolve issues reported by audit, regulators, and other assurance teams.

  4. Introduce a second conclusion as part of every audit to report upon management awareness of control.

  5. Develop an audit methodology to either build a work-program for a standalone audit of culture, or to embed human capital risks into every audit.


A version of this post originally appeared on the Huffington Post.

More On…

Leave a Reply



Recommended For You

Why Learning Italian Will Make You a Risk Leader

The firms that are best at risk management, see every decision as a risk decision,...