■ The amount of tangible evidence.
■ The degree of detail and specificity contained in the allegation.
■ The seriousness of charges.
■ Related complaints.
Best practice is for the assessment to be made by a committee rather than by the CCO or the CAE acting alone. Many organizations use committees composed of a representative from the compliance, human resources, internal audit, and legal functions. It is important to include human resources personnel on the committee because allegations of misconduct often involve issues such as disgruntlement with supervisors, perceived unfair treatment, or other personnel matters. Only about 13 percent ultimately pertain to corruption or fraud, while another 38 percent relate to company or professional code violations, employment law violations, or environment, health, or safety.¹⁰
Performance incentives and disciplinary actions. Organizations must not only “talk the talk” of compliance and ethics, but “walk the walk” by actually enforcing their policies and procedures through disciplinary actions and by providing incentives to act ethically. The organization should take a “zero tolerance” position by removing personnel who commit fraud and demonstrate serious misconduct from the organization and prosecuting them as appropriate. As is the case with all disciplinary actions, dismissal from the organization should be consistently applied to all personnel regardless of position. While compliance and ethics programs in most organizations tend to focus on negative incentives, positive incentives are also important. Most importantly, the organization’s compensation and incentive structure should be designed to support the compliance and ethics program.
Response to criminal conduct and remediation. Appropriate steps should be taken when an organization discovers an incidence of potential misconduct. Best practice suggests that, at least in large organizations, a formal response plan should be developed. The response plan should define the specific actions to be taken when a potential case of serious misconduct is uncovered. The plan should outline the steps to be taken and articulate specific remediation roles and responsibilities. The plan should address, for example, who is responsible for investigating the potential misconduct, when and how the board should be notified, who will inform outside parties, and who will determine and implement remedial action. It is particularly important that organizations develop a process for recording responses to both actual and potential misconduct. This record allows the organization to demonstrate to regulators, prosecutors, and the courts that it is committed to compliance and to maintaining a strong ethical culture.

CASE STUDIES
Case Study 2: Auditing the Compliance and Ethics Program
Internal Auditing: Assurance & Advisory Services, 4th Edition © 2017 by the Internal Audit Foundation, 1035 Greenwood Blvd., Suite 401, Lake Mary, FL 32746, USA
