KnowledgeLeader provides best practice articles, tools, guides and other resources on ethics and corporate culture. This page contains some examples of the many resources and tools on ethics and corporate culture that are available for download on KnowledgeLeader. The tools are provided in downloadable versions, so they can be customized for use in your organization.
Academic Conflict of Financial Interest Certification Policy
This sample outlines a set of policies and procedures for avoiding any possible conflict of interest in the conduct of grant or contract activities for academic institutions, to prevent employees or consultants from using their positions for purposes that are, or give the appearance of being, motivated by a desire for private gain for themselves or others, such as those with whom they have family, business or other ties.
Acceptable Use Policy
The following sample outlines a set of policies and procedures governing the acceptable use of technology resources. Inappropriate use of technology resources can expose companies to risks including virus attacks, compromise of network systems and services, and legal issues.
AML Audit Checklist
The USA PATRIOT Act requires that all financial institutions maintain an anti-money laundering (AML) program that is tested by independent auditors. This audit checklist is intended to assist financial institutions in preparing for the independent tests of their AML programs. It identifies areas that are generally within the audit scope, and lists the types of information that the auditors will likely request.
AML Lookbacks: Top 10 Lessons Learned
If your institution is facing a lookback, consider the lessons in this perspective to maximize efficiency and value.
Anti-Bribery Compliance Program Policy
This sample outlines a set of policies and procedures to prevent violation of any and all national and international anti-bribery and anti-corruption laws and treaties. All employees, agents of the Company, joint-venture partners, or anyone else doing business in Company X’s name, are required to comply strictly with the FCPA, all other applicable anti-bribery and anti-corruption treaties, and all national laws.
Best Practices in Managing an Ethics and Compliance Hotline
An ethics and compliance hotline is an anonymous reporting mechanism that facilitates reporting of possible illegal, unethical, or improper conduct when the normal channels of communication have proven ineffective, or are impractical under the circumstances. This guide provides the best practices for managing an ethics and compliance hotline.
Beware of the Fake Presidents
What steps can be taken to reduce your organization’s susceptibility to fake president fraud? In this article, we will review this and other methods to protect your organization from fraud.
Beware of the Slippery Slope: When Gifts, Entertainment, Favors and Philanthropy Become Problematic
Protiviti's Scott Moritz discusses the various ways in which gifts, entertainment, favors and charitable giving can lead to some pretty negative outcomes.
Blog and Social Networking Policy
The purpose of this policy is to ensure that all employee blog and social networking activities incorporate consistent standards to maintain and reinforce the corporate image.
Bogus Vendors are the Single Most Common Way Companies are Defrauded
In this article, Scott Moritz, Protiviti Managing Director, says the most common fraud committed against a company relates to vendors that either don’t exist, are corrupt, or are secretly owned by a company insider who is directing business to them.
Business Ethics Questionnaire
This questionnaire is designed to help risk management professionals determine how well their companies are addressing risks in this area and to bring awareness to ethics programs. It also provides guidelines on how to measure the performance of business ethics processes.
Code of Business Conduct and Ethical Guidelines Policy
The purpose of this policy is to help employees understand the values and beliefs of an organization. Topics covered include: Foreign Corrupt Practices Act, employment practices, antitrust compliance, and ethics hotlines.
Code of Business Conduct Policy
This sample provides a wide range of business practices and basic principles to guide all employees and officers of a company.
Code of Conduct Questionnaire
If there is one constant for success in a rapidly changing global marketplace, it is the immutable bedrock of an unwavering commitment to ethical and responsible business behavior. This document discusses important questions for boards and management to consider when designing and implementing an effective code of ethics.
Complaint Handling Policy and Procedures (Non-U.S.)
This sample outlines a set of policies and procedures governing the handling of complaints regarding harassment, discrimination and bullying.
Compliance Issue Resolution: Responsible Business Conduct in Financial Services
This article discusses four expectations for “responsible business conduct” in a 2013 bulletin published by the Consumer Financial Protection Bureau (CFPB).
Conducting Whistleblower Investigations, Part 1: Preparation
Preparation, of course, is best done in advance, and not in the heat of battle. It’s a good idea to have an investigative plan and investigative protocols in place before they are needed.
Conducting Whistleblower Investigations, Part 2: Triage and Gathering of Evidence
Part of the investigative planning process includes breaking down the investigation into component parts and developing a list of investigative steps designed to gather information on each part in an effort to prove or disprove what has been alleged.
Conducting Whistleblower Investigations, Part 3: The Interview
This article focuses on the third and most crucial stage of investigations—confronting the subject in an investigative interview.
This policy outlines procedures concerning confidential company information. This applies to the public disclosure of confidential company information by any company employee, i.e., any information not publicly announced that could reasonably affect the market price of the company's stock if it were disclosed to the public. Examples of such information include: expected financial results, new product announcements of a significant nature, significant product defects or modifications, material pricing changes, stock splits, new equity or debt offerings, acquisitions, significant litigation exposure, and changes in dividend policy.
Confidentiality Policy: Sample 2
This policy defines the guidelines concerning confidential company information and applies to all company employees worldwide. In this sample, the company prohibits the public disclosure of confidential company information. Confidential information includes all information not publicly announced that could reasonably affect the market price of the company’s stock if it were disclosed to the public. It is defined as the type of information or technical data which would give the company a competitive edge in the marketplace and which, if released without authorization, could result in harmful consequences for the company. Confidential information is a valuable asset to the company and must be protected from unauthorized disclosure to ensure success.
Confidentiality Policy: Sample 3 (Healthcare)
This policy outlines a set of procedures to protect patients' right to privacy, to protect confidential information regarding the business, and to document that each person understands his/her role in protecting confidential information as well as the consequences for violating the policy. Employees should not discuss confidential information with employees who do not need the information to perform their job or with anyone outside of the company, except in the case of properly authorized communication with consultants or governmental agencies.
Conflict of Interest (Trust Company) Audit Work Program
This audit work program focuses on the conflict of interest between a trust company and its affiliates. It addresses factors such as employees' access to the company's code of ethics, authorization from the governing trust instrument, disclosure of terms, fees charges, fiduciary accounts, securities transaction agreement, monitoring of the soft dollar arrangement, compliance with the safe harbor provision, service agreement, and investments.
Conflict of Interest Policy
This sample outlines a set of policies and procedures to help a company and each of its direct and indirect subsidiaries and senior officers and directors identify and properly address potential conflicts of interest.
Corporate Responsibility Audit Work Program
The objectives of this audit program are to assess the effectiveness of a corporate responsibility program (CRP) and to ensure that the company is continuing to put into practice the seven elements of an effective compliance program. This audit program explains the scope of the audit and covers topics on integration of compliance into policies and/or procedures, education, environmental assessment, hotline/investigative reporting, and corporate integrity agreement/settlement agreement.
Corruption Risk Management Questionnaire
Anti-corruption has become a major global initiative. Still, it is naïve to expect that legislators, regulators, international trade organizations and other parties can eradicate customs and behaviors that have evolved over many centuries. This board of directors and management questionnaire focuses on corruption risk, the Foreign Corrupt Practices Act (FCPA) and other key considerations.
Customer Fraud Risk Key Performance Indicators (KPIs)
This tool template explains the business risks related to customer fraud and outlines best practices to counter credit card fraud, identity theft, theft of intellectual property and phony online auctions.
Developing an Effective Code of Conduct
Executing a successful code of conduct depends on three key elements: proper definition, effective communication and appropriate warning signals as monitoring tools. This guide describes the elements of a successful code and lists ethics warning signs to watch for.
Diversify Workforce Audit Work Program
This audit work program evaluates a company's diversity and inclusion compliance processes.
Diversify Workforce RCM
This document outlines risks and controls common to the diversify workforce process.
DOJ “Yates Memo” Reminds Us that People, Not Corporations, Commit Crimes
In this article, we detail the six steps that the Yates Memo says government attorneys should take to ensure individuals believed responsible for corporate crime are held accountable.
Electronic Discovery: An Academic Exercise or Your Next Crisis?
Electronic discovery (or e-discovery) refers to the process by which relevant electronically stored information (ESI) is produced when an organization faces legal or regulatory action. This process is important because parties in a lawsuit can now demand from each other word processing documents, e-mails, voice mail and instant messages, blogs, backup tapes and database files. Failure to comply with these electronic production obligations can lead to serious sanctions, sometimes to the tune of millions of dollars, and increased compliance costs. The harsh consequences of non-compliance are growing exponentially. This issue of The Bulletin provides ideas for companies to implement practical approaches in proportion to their litigation risk exposure and ongoing operations that will significantly reduce the cost, burden and time associated with records retention and e-discovery.
Employment of Related Persons Policy
This policy outlines a set of procedures for employment of related persons in order to maintain an atmosphere of fair and impartial treatment of employees.
Employment: Conflicts of Interest Policy
The purpose of this policy is to communicate a company’s position on what matters could constitute a conflict of interest to employees, and to establish a protocol for disclosing and dealing with such conflicts of interest. Many conflicts of interest may not be obvious to an employee. The policy clarifies the employer’s perspective on what constitutes a conflict of interest and what the consequences may be if the employee is found to be in a conflict of interest.
Entity-Level Controls Fraud Questionnaire
Fraud prevention is essential to set the right tone for an effective internal control framework. This Excel-based template links the COSO components to a number of control objectives for entity-level fraud controls. Within the questionnaire you can document items such as whether the control exists; whether it was designed properly; related test procedures; and the management action plan for deficiencies.
Entity-Level Controls Audit Work Program
This sample audit work program evaluates the entity-level controls in an organization, specifically focusing on the control environment, risk assessment, information and communication, control activities, and monitoring.
Entity-Level Controls Memo
This memo outlines a process for reviewing entity-level controls.
Entity-Level Fraud Risk Assessment Process Report
This sample report provides an overview of the process one company undertook to satisfy the requirements of evaluating fraud risks that pertain to internal control over financial reporting.
Environmental Protection Policy
This sample policy ensures that all controlled and identified materials used in operations are properly managed to comply with laws and regulations and to minimize harmful effects on the environment.
Equal Employment Opportunity Policy: Sample 2
The purpose of this policy is to affirm equal opportunity for all employees and applicants for employment in accordance with all applicable laws, directives and regulations of federal, state and local governing bodies or agencies. In this policy, the company is committed to a principle of providing equal opportunity for all, regardless of race, color, age, gender, religion, national origin, physical ability or veteran status. It is important to the company to encourage a culturally diverse workforce.
Establishing an Effective Complaint and Confidential, Anonymous Reporting Process – Questionnaire
This questionnaire focuses on issues that audit committees and management should consider as they collaborate to comply with the SEC’s rules pursuant to Section 301 of the Sarbanes-Oxley Act of 2002. Section 301 focuses on establishing an effective complaint and confidential, anonymous reporting process. These requirements are important because the SEC’s rules direct the national securities associations to prohibit the listing of any security of a company that is not compliant with them.
Ethical Business Conduct Guidelines Audit Work Program
The purpose of this work program is to provide the general steps used to perform an audit of ethical business conduct guidelines. This document provides guidance on obtaining a list of all executives and directors, determining who is required to sign an ethical business conduct form, obtaining access to employees’ human resource files, and other steps needed to complete this audit.
Ethics Audit Checklist
This checklist contains a set of questions that can be used when performing an ethics audit. Topics include: policies and procedures, communication, training, change management, violations, penalties and enforcement.
Ethics Program Guide
An effective ethics program serves as a basis for policy-making as well as providing guidance in daily decision-making. This guide describes steps that companies should consider when developing or strengthening their ethics programs.
Ethics Program Review Audit Work Program
An organization’s ethics program is increasingly important in the current regulatory environment and critical to minimizing reputation risk. Internal audit is responsible for evaluating the effectiveness of ethics programs that can significantly reduce reputation risk exposure; however, evaluating a relatively intangible area such as ethical behavior can be challenging. This work program can assist with developing a comprehensive review.
Executive Certifications: Same Responsibilities, Higher Stakes
Although there are several aspects to the executive certification, management is certifying the effectiveness of the internal management processes that underlie the required disclosures. Certifying officers should design the certification process so that their activities are coordinated with business unit managers, process owners, internal auditors, the external auditor, legal counsel and other key parties. In this issue of The Bulletin, we answer several important questions regarding these new requirements.
External Complaints Management and Dispute Resolution Policy
This policy is based on the ISO Standards for handling complaints, with some sections on negotiation, mediation and arbitration resolution techniques that are used before litigation. The author of this policy asserts that complaints management is an integral part of Enterprise Risk Management.
Finance Code of Conduct Policy
This sample policy serves as a code of conduct specific to senior financial officers of a company with the purpose of documenting a clear understanding of roles and responsibilities.
Focus on the “Tone of the Organization”
“Tone at the top” is a term often used to describe how an organization’s leadership creates an environment that fosters ethical and responsible business behavior. While leaders communicate the company’s vision, mission, core values and commitment to ethical behavior, what really drives the culture and resonates with employees is what they see and hear every day from their supervisors. While tone at the top is important and a vital foundation, is it enough? This issue of Board Perspectives: Risk Oversight explains why it is essential that the tone at the top be translated into an effective “tone in the middle” before it can reach the rest of the organization.
Foreign Corrupt Practices Act Policy
This policy outlines procedures for compliance with the Foreign Corrupt Practices Act.
Framework for Assessing a Process or Program
This framework offers guidance for evaluating the design effectiveness of a process or program and developing a subsequent test plan for evaluating its operating effectiveness. This guidance can be applied to the following types of processes or programs: code of conduct program, whistleblower process, self-assessment program, human resource program, or similar.
Fraud Detection - Guidelines and Techniques
This guide identifies ways that fraud can be committed from an accounting, operations, and IT internal controls perspective, and includes examples of fraud detection techniques using Data Analysis, Trend Analysis, and Proportional Analysis.
Fraud Indicators: Financial Performance
This guide identifies some of the red flags within an entity's financial performance that indicate the potential existence of embezzlement, financial statement fraud, and other illegal acts (e.g., bribery, kickbacks, price-fixing, bid-rigging and tax evasion).
This sample policy details the actions constituting fraud and non-fraud irregularities, investigation responsibilities, confidentiality statements, authorization for investigating suspected fraud, reporting procedures, and termination and administration procedures.
Fraud Prevention and Detection Audit Work Program
This audit program sample focuses on understanding current fraud prevention and detection program activities.
Fraud Response Policy
This sample policy outlines a company's principles with respect to maintaining a fraud-free environment.
Fraud Response Policy: Sample 2
This sample policy aims to reinforce the company’s fraud management plan and set the company’s response to allegations of suspected or actual fraud.
Fraud Schemes and Scenarios
Addressing fraud is one of the ways companies are working to restore investor confidence to the marketplace. This checklist provides a list of various different fraud scenarios to be considered by company management. The purpose of this document is to reach a common understanding of the potential fraud schemes and scenarios included in an entity-level fraud risk assessment.
Fraud/Integrity Risk Methodology
This methodology is a flexible framework upon which internal audit teams can build. It outlines an approach for addressing integrity risk within an organization, focusing exclusively on the Integrity Risk section of the Process Risk category of the Protiviti Risk Model. The methodology addresses key questions in this risk assessment process such as current management of and measurement of integrity risk.
Fraud: Internal Audit's Role in Detection and Prevention
This presentation discusses the fundamentals of fraud and the role of internal audit in detection and prevention of fraud.
This sample outlines a set of procedures to follow for employees to file grievances and the related resolution process.
Growing Pains: What Biotechnology Companies Transitioning to Commercialization Need to Know
To remain competitive, biotechnology companies are under increasing pressure to innovate, introduce new products quickly, clearly demonstrate the efficacy and safety of those products, and market them effectively. They must accomplish all of this in an intense regulatory environment and in a global economic climate that remains unpredictable.
Happy Cow vs. Hedgehog: Getting Straight on Principle 8
Many organizations are now well into the adoption of COSO 2013 as their integrated control framework in complying with Sarbanes-Oxley Section 404 and for other purposes, but are still struggling with Principle 8—a critical part of the Risk Assessment component of COSO 2013.
Insider Trading Policy
This policy outlines a set of procedures for insider trading. Transactions must comply with these procedures in order to comply with securities laws as defined by the Securities and Exchange Commission.
Internal Audit Department Charter
This charter establishes the policy, mission, organization structure, responsibilities, scope of work and code of ethics for an internal audit department.
Internal Audit Ratings Guide
This 19-page guide explains various audit report ratings systems and provides guidelines for assigning report ratings.
Internal Audit Strategic Focus Questionnaire
This questionnaire explores internal audit’s strategic contributions and what management and boards should expect from audit going forward.
Intersecting Risk Management and Crisis Management
Crisis management is an integral component of effective reputation management. A rapid and effective response to sudden, unexpected events can enhance reputation. As astute observers know, even the most respected organizations can be tested. We often think, “What happened to them can’t happen to us.” Well, it can. Because most organizations are unprepared for a crisis, it is a management imperative to build a rapid-response crisis management capability for sudden and unexpected high-impact, high-velocity and high-persistence events. This issue of Board Perspectives: Risk Oversight stresses the importance of being prepared early for a potential crisis, which can improve an organization’s ability to respond to a crisis, reduce damage to a company’s brand image and reputation, and minimize regulatory sanctions, penalties or fines.
Investment Management Firm Audit Work Program
The purpose of this work program is to provide the general steps used to perform an audit at an investment management firm.
Is Your Compliance Management Making a Difference? The Bulletin, Volume 4, Issue 10
Compliance management consists of the organization’s policies and processes for adhering to applicable laws and regulations. It requires metrics, measures and monitoring that provide assurance to management and the board that established policies and procedures for fostering compliance and responsible business behavior are performing as intended. Without effective management of the compliance risks that really matter, the organization is reactive, at best, and non-compliant, at worst. Companies should ensure that they are implementing a holistic, top-down and proactive approach to managing compliance. This issue of The Bulletin focuses on the issues that surround compliance, its current state, true cost and value proposition, as well as its organizational structure and offers suggestions on ways it can be improved.
Key Elements of an Effective Project Management Office
A project management office (PMO) is a centralized, coordinating body within an organization that provides a focal point for the field of project management. This 46-page guide provides an in-depth examination of the PMO's structure and responsibilities.
Manage Legal and Ethical Issues Key Performance Indicators (KPIs)
This tool shows key objectives for managing legal and ethical issues, the outcome measures associated with each objective, and the activity measures that drive each outcome measure.
Manage Legal and Ethical Issues Key Performance Indicators (KPIs): Sample 2
This benchmarking tool outlines key performance indicators for managing legal and ethical issues within organizations.
Managing Corruption Risk Involving Foreign Officials and Avoiding Its Impact on Reputation
Civil and criminal fines stemming from anti-corruption noncompliance can be costly. Firms that paid bribes to foreign officials have been subjected to criminal and civil enforcement actions, resulting in large fines, as well as suspension and debarment from federal procurement contracting. In addition, reputation damage due to negative media attention can devastate the bottom line and impair shareholder value. To avoid these consequences, many firms have implemented detailed compliance programs intended to prevent, deter and detect improper payments by employees and agents. It is critical for management to ensure that a robust anti-corruption compliance program, including anti-corruption controls, is in place. This issue of The Bulletin briefs on how to manage corruption risk and uses the FCPA as a framework for this discussion.
Managing Corruption Risk
Consequences of corruption violations include criminal and civil enforcement actions, profit disgorgements, mega fines, suspensions from government contracting, jail terms for employees and reputation-damaging headlines. To avoid these consequences, firms should consider an anti-corruption program intended to prevent, deter and detect improper payments by employees and agents. Companies should establish risk-based policies and procedures that provide reasonable assurance the organization and its agents are adhering to the provisions of applicable anti-corruption laws, and implementing adequate systems of internal controls. This issue of Board Perspectives: Risk Oversight shares how a robust anti-corruption program can save companies from the expensive consequences of corruption violations.
Managing Legal and Ethical Issues Guide
This guide highlights leading practices and performance measures organizations can use to manage ethical and legal issues.
“No Fraud Here?” Look Again, Says New Survey From Protiviti and Utica College
With regulators and prosecutors increasingly holding executives accountable for fraud prevention, there’s a strong incentive to replace the old refrain of “no fraud here” with the more proactive “not on my watch.”
Protecting Enterprise Value Through Your Anti-Fraud Program – Questionnaire
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. This document focuses on key questions for board members and management when evaluating the anti-fraud program.
Quarterly Compliance Assessment – Audit Report
The purpose of this report is to document internal audit’s quarterly assessment of compliance policies and procedures and the validation of the operational effectiveness of key activities and controls within those policies and procedures.
Social Responsibilities Programs Audit Work Program
This audit program helps internal audit functions identify social responsibility issues that an organization may not be adequately addressing and assess controls around those programs.
Standards of Conduct Policy
This policy includes standards for work performance, unauthorized possession or removal of property, and failure to safeguard confidential information.
System, Database and Application Administrator Policy
The purpose of this policy is to define the roles, activities, and responsibilities of administrators with regard to access rights to applications running on a company’s computer resources. The policy includes all system, database and application administrators (including third-party vendors) who have access to technology resources, either locally or remotely.
Taking the Best Route to Managing Fraud and Corruption Risks
Given the dynamic nature of white-collar crime and fraud, it isn’t surprising that the Yates Memo is only the latest in a series of catalysts that prompted Protiviti and the Economic Crime and Justice Studies Department at Utica College to conduct a comprehensive survey of white-collar crime and the fraud risk management frameworks used to combat them. In this report, we detail notable findings that emerged from our survey.
Ten Keys to Managing Reputation Risk
According to Warren Buffett, it takes 20 years to build a reputation and five minutes to ruin it. With today’s electronic media, the news cycle reporting on the downward spiral of a once-proud organization that has suffered severe reputation impairment is not a pleasant one to watch. Applied to a business, reputation represents an interpretation or perception of an organization’s trustworthiness or integrity. While the truth ultimately prevails long term, reputation can be based on false perceptions in the near term. In this issue of The Bulletin, we explore 10 essential keys for managing reputation risk. Through strategic and cultural alignment, a commitment to quality, a strong operational focus and increased resiliency, companies can lay the foundation for building and sustaining a strong reputation.
The Challenges of Managing a Global AML Program
This article discusses the number of nuances that exist in the way AML requirements apply across the United States, the United Kingdom and Hong Kong.
The Changing Corporate Governance Landscape and Its Implications
This issue of The Bulletin reviews examples of what the board of directors and management should do as they work to improve corporate governance.
The Company You Keep: A Case for Supplier Codes of Conduct
According to Protiviti and the Economic Crime and Justice Studies Department at Utica College, only a small fraction of companies conduct reasonable vendor due diligence.
The Importance of Tone at the Top to Risk Management
This issue of Board Perspectives: Risk Oversight reviews 10 key indicators that collectively provide red flags that potential issues may exist within an organization.
The Panama Papers Leak Helps Bring Third-Party Risk Into Focus
Lessons learned from the recent Panama Papers leak and guidelines for a robust third-party anti-corruption program are outlined in this article by Protiviti Managing Director Scott Moritz.
The Role of Personal Accountability in the New Environment
This issue of The Bulletin outlines seven key principles that provide a framework for establishing and reinforcing the personal accountability of management and the board of directors. Application of these principles will create a healthy tension within the organization and facilitate communication between management and the board.
Vendor Fraud: Scott Moritz Answers Your Questions
Scott Moritz answers some of the top questions submitted by participants during a recent Protiviti webinar focused on investigating vendor fraud.
Web Internet Use Policy
This sample policy outlines a set of policies and procedures governing the use of the Internet, Web browsers, and other applications with the ability to access or transfer data to or from servers connected to the Internet.
Whistleblower Policy and Procedures
This policy establishes standards and procedures to ensure that the accounting and audit-related complaint handling process complies with management’s and the audit committee’s objectives.
Who Are Your Customers, Business Partners and Employees? Information Drives an Effective Anti-Corruption Program
In this article, we outline the three most critical areas for which companies need to collect the right information, in order to deem their anti-corruption programs effective.