Internal auditors can draw on several aspects when designing a plan for auditing this common risk. Modern organizations generally recognize the risk of employees having interests that conflict with the interests of the organization itself.
These conflicts not only affect internal auditors – who are expected to follow The IIA’s Code of Ethics and uphold the principles of integrity, objectivity, confidentiality, and competency – but all employees of the organization.
The challenge is that conflicts of interest can be difficult to identify, manage, and audit.
Furthermore, there are various types of actual, potential, and perceived conflicts of interest. Some conflicts may involve an outside job or serving in another organization. Others may result from having personal and other types of relations with different stakeholders, which could influence decision-making.
In the course of business, conflicts of interest are likely to arise. This does not automatically mean that the organization and its employees are doing something wrong. The issues are whether the organization is mature enough to recognize these situations and has developed mechanisms to address them.
Internal auditors should consider several aspects when designing their approach to conflict-of-interest audits.
Clear Guidance
Organizations need to define what constitutes a conflict of interest and communicate that such conflicts are not allowed. Organizations can do this by adopting an ethics policy, defining organizational values, establishing behavioural principles, or simply notifying employees.
Although such actions might appear trivial, organizations are expected to inform their employees about what is appropriate behavior.
Providing guidance on conflicts of interest and how to adequately communicate expectations to employees can be a good starting place for internal auditors to build their audit approach.
Organizational Setup
Businesses can organize duties related to managing conflicts of interest in different ways, as they can take various forms.
In some organizations, the human resources (HR) department will take the lead. However, additional departments, such as the ethics, compliance, or legal functions, are commonly involved in managing conflicts of interest.
This approach creates complexity, because it requires the organization to clearly define roles and responsibilities, maintain adequate segregation of duties, exchange relevant data and information, and collaborate across functions.
It is important for internal auditors to identify which controls exist around conflicts of interest. Some generally applicable controls include:
Processes for obtaining information from potential new employees and business partners. Organizations often ask new employees and business partners to provide information on any existing relationships with current employees. Such requests provide information before any relationship is established.
“Know Your Business Partner” procedures. Checking on business partners, including their business, organizational, and ownership structure, can help identify conflict-of-interest risks.
Conflict-of-interest clauses in employment agreements. Such clauses require employees to disclose their side activities with other companies.
Non-compete clauses. These clauses in agreements and contracts should apply to employees, customers, business partners, and other stakeholders during the time they are associated with the organization or a specified time beyond that.
Conflict-of-interest management. This process should include mechanisms, roles, and responsibilities for addressing reported or identified conflicts.
Prescribed response measures. The organization would take these actions in case of a breach of conflict of interest-related agreements and clauses.
Gift register and policy. A gift register should include both gifts given and received by employees. The gift policy should include an approval process for gifts of high value.
Conflict-of-interest reporting. This process encourages employees to report conflict-of-interest relationships that may develop over time, including employees’ relationships with other employees, managers, business partners, and stakeholders.
Outside employment approval. Such a process requires employees to report and receive approval to have second jobs or freelance work.
Documentation. The organization should have confidential, complete, and documented records on conflicts of interest.
Training. The organization should train employees on conflicts of interest and how to deal with them.
Past lessons. The organization should communicate and promote the lessons learned from past events.
Risk Acceptance
Organizations also should consider establishing a risk acceptance process to determine whether some conflicts of interest are acceptable. Some conflicts may be acceptable because of lack of other alternatives, organizational issues, resource availability, and evolving relationships.
In each case, the organization needs to assess if the risk is acceptable from a risk appetite point of view. Highly sensitive and confidential risk acceptance topics could be dealt with by an organizational body.
For example, the organization could establish a committee comprising experts from HR, ethics, compliance, legal, risk management, and internal audit, with other participants invited, when necessary.
This committee’s work should be communicated and applied throughout the organization, as well as documented.
Post-transaction Controls
Certain conflict-of-interest controls could be exercised to trace issues after business transactions have taken place.
Such controls include:
Tools and records for obtaining information on how the reported conflicts of interest were addressed.
Documented background checks on employees.
Documentation of design changes from previous controls.
Effectiveness assessment of new, additional, changed, and compensating controls to mitigate conflict-of-interest risks.
Documented follow-up of any compensating measures taken for cases of risk acceptance.
These controls could provide auditors insights on how conflicts of interest were identified, as well as the recognition and management process steps taken, outcomes achieved, and follow-up results.
A Corporate Culture Matter
Managing conflict-of-interest situations is not just a formal question, but rather an integral part of the much broader concept of corporate culture. An important aspect of auditing conflicts of interest will be the willingness of the organization’s employees to recognize them and their ability to report them.
This awareness requires an open, transparent, and trustworthy work environment. Internal auditors can contribute with the results of their audits. Corporate behaviour and decision-making related to conflict-of-interest issues send a strong message to employees about what is acceptable.
Those messages are built into employees’ perceptions and their execution of everyday business activities, which can result in significant consequences for organizations.