With regulators getting tougher on business wrongdoing and a minority of employees tempted to cross ethical lines to meet targets in difficult economic circumstances, ethics and compliance programmes have become prominent on boardroom agendas.
How boards and audit committees should share the effort to review and improve standards on ethical behaviour and compliance remains open for debate. Some companies have put ethics and compliance on the main board agenda, which might be an effective way to keep senior executives engaged. Others have struck a new committee to deal specifically with ethics and compliance or have delegated the oversight to the audit committee.
The audit committee’s role
Even when the audit committee is not fully responsible for ethics and compliance oversight, its members need to understand how well the business manages risk in this area. The European Union’s eighth directive requires an audit committee to monitor the effectiveness of internal control. To do so, it needs to have a clear view of the ethical and compliance culture in the business.
Managers behaving unethically, or failing to comply with procedures and regulations, typically has a direct effect on the company’s underlying financial and accounting information – an issue at the heart of the audit committee’s traditional role.
Companies can use incentives to encourage ethical behaviour and reduce compliance risks, such as clear rewards or penalties for specific acts or failure to act. However, the company’s culture provides a more constant and equally powerful influence. In fact, how much a company spends on compliance is less important than how well its compliance programme nurtures an ethical culture. Successful programmes share four key elements:
• Leadership. The board and senior executives must set the right tone at the top. The compliance function itself needs a strong leader with authority and independence.
• A code of conduct, backed by training. Employees need to understand the rules. Case study and dilemma-based training can help make them real.
• Zero tolerance. Employees need to know they will be disciplined or fired if they break the rules. Zero tolerance can apply to markets too, with companies leaving countries where doing business ethically becomes too difficult.
• Monitoring. Good information identifies violations and highlights areas where training or guidance is needed. Internal audit can play a critical role here. Big data analysis and whistle-blower hotlines can also prove good sources of information.
A whistle-blower hotline, often an integral part of a company’s efforts to stop bad behaviour, gives people a confidential way of sharing their concerns – at a high level and outside of line management.
But hotlines are not always effective. EU laws, and some national laws, can limit a company’s ability to offer a hotline, including who can use it and the kinds of concerns employees are allowed to raise anonymously. Laws can also restrict a company from outsourcing its hotline to a specialist service provider.
Other challenges arise when companies fail to offer meaningful rewards or incentives to whistle-blowers, or when they don’t have people with the forensic skills or independence needed to properly follow up concerns. A whistle-blower system can generate such a large volume of alerts that taking stock of all of them can pose its own difficulties for the board or the audit committee. Should these alerts be filtered before they come to the board or audit committee? If so, by whom?
Despite the efforts involved, companies are putting ethics and compliance firmly on their boardroom agendas and are experimenting with and fine-tuning their approaches.
Whichever model the board uses, the audit committee has a clear role to play in helping to identify and manage the associated risks, shaping employees’ behaviour and monitoring compliance.
Christopher Balzan is director in assurance at EY Malta.