The right stuff
by Richard Young, 06 Aug 2008. Topic: Audit
Most of us like to think we do business by a reasonable code of ethics. But how can you be sure everyone shares the company line on ethical behaviour? Richard Young delves into the world of the ethics audit.

In April, Lord Woolf published the findings of his review of BAE's ethical procedures in the wake of the Serious Fraud Office's abandoned corruption probe into a multi-billion arms deal with Saudi Arabia. The report said that BAE lacked an identifiable set of ethical standards and that the company's reputation had been damaged as a result of corruption allegations. Lord Woolf has recommended that BAE should develop, publish and implement a global code of ethical business conduct; put a team in charge of an annual internal ethical audit; and publish an external audit of ethical business conduct.

But what might that look like? How should companies such as BAE go about compiling an ethics audit? And is there any reason for organisations not currently concerned about their conduct to engage in a formal ethics evaluation?

The answer to the last question is perhaps most important. 'Ethics is just good business practice,' says Mike Barber, partner and leader of the corporate responsibility practice at Deloitte. 'And good business practice is the best way to deliver good performance.'

More importantly, any business might be subject to the reputational fallout that BAE has suffered. The whole point about unethical behaviour is that it's not an explicit part of the business plan - which means unless you actively look for it, you're unlikely to find out about it until it's too late. 'A board should know whether and how it's exposed to reputational risk, especially if it has operations around the world and can't make its own first-hand judgments,' says Leo Martin, co-founder and director of GoodCorporation, an ethics consultancy.

So what is 'ethical'?

But there's a problem. What exactly is 'ethical conduct'?
Superficially, the answer is simple: obeying the laws of the jurisdiction in which your business is operating. Yet Lord Woolf, perhaps mindful that the subject of his report had been cleared of criminal charges, said 'unethical behaviour' went beyond strict criminal liability and included the sort of thing that might land you in the pages of satirical magazine Private Eye - a much broader definition than merely 'illegal', and much harder to check up on or audit.

'The areas an organisation chooses to report on will usually depend on what they do,' says Barber. 'A high-impact business - like mining - would naturally focus on environmental effects and the health and safety of its workers. But in financial services, there would be much more input around consumers - how they're affected by the structure of products and the way they're marketed, for instance.'

More broadly, many - perhaps most - organisations now publish mission statements and lists of their 'core values'. Some of these truly reflect the attitude within an organisation. Others are compiled to create what the board thinks is a positive image for their company. Either way, however, they need to be made real if ethics are to mean anything in practice.

'We take an organisation's code of conduct or core principles and translate the high-level statements into language that everyone - employees, suppliers and other stakeholders - can understand,' says Martin. 'That means things such as clear terms of employment or disciplinary rules; for customer relations, it's about having clear guidance on gifts, or clarity in contracts.'

Or as Dan Swanson, an internal audit veteran and expert on ethical auditing, summarises: 'It's all about management having a focus on governance practices, strong risk management and ethics - all of which serve the strategic efforts of the organisation. Good governance is also about setting the right tone from the top.'
Ethical audits

'The fact is that people do what you review,' says Barber. So having some kind of framework around ethical compliance is important. And complacent management teams might find that failing to conduct a structured audit costs them more in the long term. 'It's much better to do the right things first time - become proactive, rather than constantly reacting to scandals either within your own company or more generally,' says Swanson.

There are several ways to go about the audit. GoodCorporation uses its own checklist of 55 areas to evaluate client organisations. 'We create a list of business practices that they can assess,' says Martin. 'Then we look at records to see whether the company is living by its own code of ethics. But we also interview staff, customers, suppliers, regulators - even NGOs - to generate a complete picture. The resulting report is then sent to the board with recommendations for any corrective action.'

Deloitte takes a slightly different approach. 'We break it down into four dimensions: workplace, marketplace, environment and community,' says Barber. 'Organisations need to conduct an assessment in each of these areas, asking who are the stakeholders and how the company touches people within each dimension.' It also tests the relationships with these constituencies to come up with an evaluation of ethical performance.

Who's responsible for ethics?

Compliance? Evaluation? This is clearly accountant territory. 'Apart from anything else, poor ethical behaviour often has a financial dimension - whether that's bribery or fraud - so accountants are well-placed to evaluate it and report back on its bottom-line impact,' says Martin.
And according to the Open Compliance & Ethics Group (OCEG) - a US-based non-profit organisation supported by global entities such as Microsoft, Unilever, Wal-Mart and Aon - the finance function is well-placed to lead the ethics charge: 'The objectivity, skills and knowledge of competent internal auditors can contribute to the effectiveness of an organisation's governance processes,' says the foreword to its 2007 guide on GRC (that's 'governance, compliance, risk management, and ethics' in the jargon). Swanson, who wrote the guide, argues that without the discipline to monitor and report on conduct, ethical concerns become mere hand-wringing.

So how should internal auditors handle the process? 'First, you have to establish management accountability within a formal compliance programme,' he says. 'That's extremely beneficial: it gives the management team a point-person for the efforts around ethical compliance and it forces discussion around the intentions for the ethical audit. It also helps embed ethics within strategy. Secondly, you need a strong internal audit function that can offer concrete assurances to the board - and identify opportunities for improvements.'

Deloitte's Barber adds that external agencies can make a major contribution. 'You need to marry up the innate skills of accountants with specific knowledge in the areas you're looking at,' he says. 'Identify the areas where you need to bring in experts.' In the supply chain field, for example, organisations such as Sedex and the Ethical Trading Initiative have databases and tools to help companies comply with their own best intentions - not some arbitrary third-party standards - on product sourcing.

And according to Martin, when it comes to ethics, using an external agency can help you get closer to the truth. 'Sometimes it's hard for people to take the internal audit team at face value,' he says.
'Because we're a specialist firm, people take the process more seriously when we interview them, and we're able to get people to be much more frank. They're less likely to gloss over any problems.'

The attestation problem

Even if the ethical audit works internally, there's still little appetite for a regulated, mandatory ethical audit. A spokesperson for the Financial Reporting Council told accounting & business that it monitors the ethical behaviour of auditors and it's also responsible for the Combined Code on Corporate Governance. But there are no plans to put an 'official framework' on auditing ethical behaviour.

The sub-text? This could be a minefield for regulators and external auditors more suited to being watchdogs than bloodhounds. It also waters down Lord Woolf's call for BAE to publish the independently verified findings of its ethical audits. 'Reporting without attestation could be seen as fundamentally flawed,' says Tim Copnell, head of KPMG's Audit Committee Institute in the UK. 'And if you did have some kind of verification system in place - whether it was voluntary or mandatory - who would do it? And under what rules, set with reference to whose expertise?'

In fact, suggest the experts, the key to ethical audit seems to be… not to focus on ethics at all. 'It's really about internal audit focused on governance, risk and compliance activities,' says Swanson. The problem with creating a box labelled 'ethics' as part of the internal audit is that there's simply too much overlap with other areas. Is pollution an ethical issue? Or a regulatory one? Perhaps environment needs its own box? (Half of audit committees surveyed by KPMG already consider it explicitly on their agenda.)

'A board must identify all the risks it faces,' says Copnell. 'It needs to identify what assurances it needs that they're being managed; and make sure processes are in place to avoid anything falling through the gaps.'
So in the same way that ethical practice really needs to be embedded in an organisation's DNA, so the auditing of ethical compliance should simply drop out of the routine processes for managing risk. 'Organisations do see value in this,' concludes Barber. 'Ethical business might have started as corporate philanthropy or an exercise in being seen to do the right thing. But there's now acceptance that there's real shareholder value in being an ethical organisation.'

Ethical due diligence

British legislation outlaws the paying of inducements to customers, wherever the deal takes place; companies will also find themselves in dangerous territory if they breach clauses in the Anti-terrorism, Crime and Security Act 2001. The Foreign Corrupt Practices Act (FCPA) empowers the US Government to levy fines and other penalties on companies for unethical conduct. Indeed, most jurisdictions now have laws covering some ethical aspects of business behaviour. Compliance with these regulations - checked via some kind of audit - is just good risk management.

For many companies it’s not just how they monitor their own activities, but whether they may be taking on ethical problems when they make an acquisition. A high-profile example was the proposed buy-out of US defence company Titan by aerospace giant Lockheed Martin. The deal was announced in 2003, but by 2005 pre-acquisition due diligence had uncovered several instances in which Titan would fall foul of the FCPA, meaning Lockheed would have become liable for its previous transgressions. Lockheed eventually walked away from the deal; an SEC investigation ended up costing Titan $28m in fines.

'Too many businesses remain unaware of what constitutes a transgression under a law such as the FCPA,' says Jennifer Hammond, a director in KPMG’s Forensic practice. 'How can you flag up a potential problem when you’re not sure what you’re looking for?' That's one reason consultancies such as GoodCorporation are doing due diligence work.
'We provide guidance for companies that are buying, or have bought, a business and want to understand how well it's run,' says Martin. 'Sometimes a new MD will come into a business and wants to know whether it's a clean ship - or whether there might be problems he or she needs to address.'

What does an ethical audit look like?

Canadian corporate ethics consultancy EthicScan has produced a handy guide to the production of a social audit - which encompasses ethical compliance.
Richard Young is a freelance writer and was founding editor of Real Finance magazine.


