Ethics Codes Help Audit Committees Monitor Behavior.
January 23, 2006
If a positive “tone at the top” is essential for establishing ethical behavior within a company, then a corporate code of conduct helps management communicate that tone firm wide while helping audit committees monitor management behavior.
“The tone at the top is set by what you do when you actually conduct business and convey yourself to the public,” says Gary Haroian, audit committee chair for five technology firms, including Phase Forward, Aspen Technology, Network Engines, Embarcadero Technologies and Lightbridge.
Codes of conduct can help guide management and employees identify ethics risks, recognize and deal with ethical issues, report questionable conduct and create a culture of honesty and accountability.
“[The code of conduct] plays an important role in preventing fraud and management override of internal controls,” says Haroian, a retired technology executive. “That extra step that every employee takes makes them aware [of the code] and acts as a deterrent against fraud.”
Both the Sarbanes-Oxley Act (S-O) of 2002 and the revised New York Stock Exchange (NYSE) listing standards require disclosure of codes of conduct. S-O requires a company to say whether it has a code of ethics for senior financial officers, and if it has granted waivers to these officers.
The NYSE rules go further, requiring that a company actually adopt and disclose such a code, as well as disclosing any waivers.
KPMG Forensic’s Integrity Survey 2005-2006 concluded that employees in companies with ethics and compliance programs reported fewer instances of misconduct than those companies without such programs, although the difference was small.
The survey of 4,056 employees revealed that 65 percent of those workers without ethics programs observed misconduct while 59 percent of those with such programs observed misconduct.
Overall, 74 percent of employees nationwide had observed misconduct, which was defined as deceptive sales or anti-competitive practices; submitting false invoices to customers; breaching computer network controls; accepting kickbacks from suppliers; or doing business with third parties involved in money laundering.
Kenneth Daly, executive director of KPMG’s Audit Committee Institute (ACI), notes the importance of the code of conduct in creating and maintaining a culture of ethical behavior and responsible business conduct throughout the entire organization.
“In several of the Fall 2005 Audit Committee Roundtables, a number of participants emphasized that while the tone at the top is critical, it’s not enough,” Daly says. “The tone at the top must be communicated and become the tone throughout the entire organization.”
Amid the largest accounting fraud ever, former telecommunications giant WorldCom did not have a formal code of conduct or ethics when the fraud perpetrated by its management was discovered in June 2002.
In 2003, following a report by former SEC Chair Richard Breeden for the federal bankruptcy court, the newly re-formed MCI hired a new board of directors and required top company officials to abide by a new code of ethics and business conduct.
But even a company with a code of conduct can veer off course if the code isn’t integrated with business processes, and corporate managers are not committed to ethical business practices.
Former Enron chairman Kenneth Lay, whose federal fraud and conspiracy trial is scheduled to begin soon, presented a 65-page code of ethics to employees in July 2000. Only a year later, the energy trader was accused of illegally manipulating the energy market and causing an energy crisis in California.
No matter what’s in the code of conduct, if management can’t demonstrate its belief in its professed ethics, the company is bound to have problems. KPMG Forensic’s survey showed that 52 percent of employees reported that one of the root causes of employee misconduct was that employees thought upper management did not take the code of conduct seriously.
The Antifraud Programs and Controls Task Force of the American Institute of Certified Public Accountants (AICPA) also emphasized the importance of management?s commitment to the code of conduct.
In “Management Override of Internal Control: The Achilles’ Heel of Fraud Prevention,” released last year, the Task Force said that “the extent to which management is perceived to be committed to conduct sanctioned by the code will influence the audit committee’s ability to deter, prevent or detect management override of internal controls.”
“The code of conduct can help set the corporation’s expectations for business conduct and compliance,” KPMG’s Daly says. “But for the code of conduct to be taken seriously, management must integrate it into the company’s business practices and procedures.
“Management also must establish mechanisms to report violations, and resolve alleged violations of the code promptly, thoroughly and fairly,” Daly says.
While a code of conduct is considered essential, it’s not clear just what that code should entail. Industry observers recommend that to be effective, the code of conduct should reflect a company’s commitment to industry and regulatory standards, as well as to the company’s culture.
For one of the nation’s largest companies by market capitalization, the code of conduct is extensive and thorough, and was developed with employee input from all levels of the corporation.
“One of your most important internal controls are your employees,” Kate Oberlies O’Leary, senior counsel of litigation and legal policy for General Electric Co. (GE), said at a recent conference on internal investigations.
GE, a multinational conglomerate with more than 300,000 employees worldwide, calls its code of conduct “The Spirit & Letter,” which is given to employees via video and print. Every employee has to sign off on the code after a training session.
The code tackles such issues as improper payments, international trade controls, money laundering, supplier relationships and conflicts of interest. Written in 31 languages, the printed version of the GE code is meant to identify potential risks and develop action plans to manage them.
O’Leary, speaking at a conference sponsored by KPMG and Cadwalader, Wickersham & Taft in New York City last November, said GE has found that classroom instruction is the best way to teach new employees about the code of conduct.
In addition to classroom instruction, the code of conduct provides for periodic meetings with managers to identify possible compliance risks.
“We have a regular meeting we call a ‘Session D’ compliance review,” she said. “The CFO and other types of executives go to different managers to see what their risks are. They do a bottom-up process before management comes in to talk.”
Industry groups also have weighed in on corporate codes of conduct and the role of the audit committee. For instance, in its guidance on internal controls, the Committee of Sponsoring Organizations (COSO) of the Treadway Commission says that “the audit committee should be routinely furnished with the results of any surveys of employees regarding corporate behavior.”
Such surveys can be part of management’s efforts to communicate the importance of the code of conduct to employees and give them some ownership in the process.
“The code of conduct is an important element in driving the appropriate tone throughout the entire organization,” says Holly Gregory, a partner with the New York law firm of Weil, Gotshal & Manges LLP.
“It is important that the code of conduct be tailored to the specific issues that arise for a company,” she says. “They should not be boilerplate.”
By Gary Larkin, Managing Editor, Audit Committee Insights
Courtesy of http://www.kpmginsiders.com
