On the Frontlines: Compliance With a Side of Fraud
Blogs Maja Milosavljevic, CIA, CRMA, CCSA, CFE Nov 13, 2023
Have you ever wondered about the difference between ethics and compliance? In certain cases, one can be compliant with all the rules and regulations, but still behaving in an unethical way. This is where ethics differs from compliance.
Auditors typically review if employees are compliant with the relevant rules and regulations. However, this approach can be very limited if we think of possibilities to commit fraud while being compliant. If you wonder how this could be possible, just imagine the following situations:
- Employees traveling excessively for work, as the daily allowances are an additional source of income.
- Employees traveling excessively for work, as they like to travel and would like to see the world at the expense of the company.
- Hourly employees spending too much time on private matters, including too many private phone calls, too many coffee breaks, or overly long lunch breaks, while they are clocked-in at work.
- Hourly employees leaving without clocking-out and making manual entries later.
- Hourly employees often forgetting their badges and making manual entries for clock-in and clock-out.
- Supervisors reporting that their employees completed additional working hours that never happened.
In all the cases above, the employees are complaint with the established rules and ways of working. However, they are not being ethical.
What can internal audit do?
Without going into labor law, internal audit can do a lot to influence the ethical culture of the company.
Advocating for a code of ethics. If not already in place, internal audit can advocate for a code of ethics to be established by the company. The code of ethics should be understandable to everyone in the company and as general as possible to be applicable in any situation. Integrating a decision tree into the code of ethics helps people decide if something is ethical or not, and could be an easy, visual way for the employees to embed ethics in everyday activities.
Making ethics a permanent part of every audit engagement. Integrating ethics into every internal audit engagement is a way to continuously promote the awareness of ethics. Regardless of the audit topic, internal auditors could pay attention to any unethical behavior and find improvement opportunities.
Facilitating ethics trainings. Internal auditors can support ethical awareness in the company by facilitating ethics trainings, organizing workshops, and even providing some examples of ethical and unethical behavior. Using different training methods when considering ethics-related topics could make the training interesting to a broad audience.
Being a role model. Internal auditors need to “walk the talk” if they want to be a positive influence. Following the rules, demonstrating ethical behavior, and not making compromises help internal auditors to be seen as good role models.
Being an ethics ambassador. Internal auditors can serve as ethics ambassadors in their organization. This role would imply that anyone in the company is free to approach any member of the internal audit team to talk about ethics topics and get advice about the specific situation and the possible way forward.
Facilitating an ethics committee. Because deciding on what is ethical or unethical is not always easy or straightforward, internal audit could facilitate an ethics committee that would make decisions on ethical issues and situations. Ensuring a diverse ethics committee should be a top priority, as that would allow the committee to consider topics from different angles, cultures, age groups, etc.
Spreading the awareness of fraud. Internal auditors can use different ways to spread the awareness of fraud and support ethical behavior in the company. Some practical examples include supporting International Fraud Awareness Week — using printouts, reports, posters, and videos on typical red flags — discussing weaknesses that contribute to fraud, or detailing the attributes of fraudsters, etc.
Ethical behavior is a state of mind. Robust processes, strong key controls, and consequence management are necessary for every company. However, continuous work on ethics awareness and the prevention of wrongdoing could potentially have an even bigger influence on employees than the formal procedures that are in place in the organization. By helping to raise the awareness on ethics, internal auditors can play a significant role in preventing legitimate fraud.