Ethics training 1825
terranaut last edited by
Another policy that our company is saying is due to SARBOX is annual ethics training for all employees. Does SARBOX have anything to do with the actions of employees other than executives? I didn’t think so.
Also, I don’t see how making every employee watch the same little web video EVERY YEAR helps with SARBOX compliance. It also seems unlikely that SARBOX has specific requirements on training as it doesn’t really mandate anything at the process level.
harrywaldron last edited by
Hi and welcome … While it’s not an absolute requirement, you’re going to hopefully benefit from a good ethics curriculum in your organization. It’s also something Audit will like as well.
This thread should help:
EMM last edited by
Training employees in ethics and having a documented code of conduct is generally considered a good control to have in place as it shows that the Organisation takes ethical behaviour seriously.
It will often cover corporate confidentiality, theft of assets, conflicts of interest, and encourages employees to report any suspicion of Fraud.
It is probably best applied within induction courses when new employees join and implementing an ethical and conduct questionnaire electronically on an annual basis.
SOX does require that a framework for evaluating and documenting internal controls over financial reporting be used for the 404 assessment. Most companies (in the US) base their evaluation of the effectiveness of internal control over financial reporting on the COSO framework, which incorporates the assessment of ‘tone at the top’ and whether or not employees, at all levels, are operating in an environment that is conducive to adhering to policies and procedures that are designed to potentially deter fraud. This being said, an argument could possibly be made that the ethics training you described is helping to satisfy this component of the COSO framework.
It is also called out under Pervasive (GCC) Governance area which goes along with the above statement previously posted. The pervasive areas are assessed and roles and responsibilities, communication and Corp guidance are part of them…
The Tone at the Top will be assessed under Governance and the communication of that tone.
terranaut last edited by
I guess I should say that I don’t have a problem with the Ethics training, but with the frequency of it occurring every year. This seems to be overkill that is reasoned through SARBOX. The employees keep getting SARBOX thrown at them as reasoning because not many can argue back against that reasoning.
What I can figure is that SARBOX mandates that management take ethics seriously and that it gets communicated to the employees. The company puts in place a policy of yearly ethics training and then defends it by saying SARBOX told them so.
milan last edited by
The previous postings provide the direct linkage of an employee ethics training program and complying with SOX requirements.
As to your concern about the annual ethics training requirement, a company that is covered by SOX must assess and meet the requirements annually. Thus, your company is simply complying with the recurring aspect of the Act by implementing annual ethics training to company employees.
Hopefully, the incremental cost to administer the ethics training program decreases with each year since the ethics training video will not need to be developed after the first year.
Hope this further helps,
Thus, your company is simply complying with the recurring aspect of the Act by implementing annual ethics training to company employees.
I don’t believe the Act specifically requires a company to administer the aforementioned ethics training. The control environment needs to be assessed and reported on, but the method by which a company achieves this will vary based on the characteristics of that company. If this is incorrect, please let me know. I work for a company that falls into the non-accelerated category and am preparing for compliance by year end 2007.
kymike last edited by
IGOR13 - I believe that you are correct. Even though management needs to make an annual assessment of ICOFR, part of which should be the general control environment, how management gets there will vary from company to company.
I do not believe that ethics training (or sexual harassment training or any other behavioral training) needs to occur every year. There should, however, be a scheduled cycle for this training to show that management is serious about it. If the scheduled cycle is followed, then that helps to support that portion of the entity-level controls.
harrywaldron last edited by
I particularly liked plaire1’s comments related to the ‘Tone at the Top’. If senior management sets a good example when it comes to ethics or any behaviors they want the staff to model it will make a difference. Half-hearted attempts at ethics training won’t be remembered or make the needed impact it should.
A formal annual 1-2 hour training session is probably the best recommendation (esp. if it hasn’t been done before). However, it would incur expenses (e.g., instructor, time, materials, etc). Formal training is the best approach, but there might be other ways to communicate ethics, including:
- Adding pages on the corporate Intranet devoted to ethics (although this may not be effective in reaching everyone)
- A very brief and easy to understand email sent by senior management to all employees can help promote ethics (esp. when linking with the Intranet site as noted above).
P.S. Here’s a good example my sister recently shared regarding ethical dilemmas folks sometimes get themselves into
Correct, compliance annually is due to evidence/history, in that the auditors, external or internal, have to pull tests and can only go back a maximum of 12 months, thus annual training.
Governance area of compliance specifically states the objective
PO 6 - 6.6 (now 6.5 CoBIT 2005) Compliance with Policies, Procedures and Standards
‘Management should ensure that appropriate procedures are in place to determine whether personnel understand the implemented policies and procedures, and whether the policies and procedures are being followed. Compliance procedures for ethical, security and internal control standards should be set by top management and promoted by example’
If there are existing best practices in play a good governance ‘tone’ should not be hard to comply with.
WrightLot last edited by
Cannot disagree with anything that has been discussed. One question though, why not just have a code of conduct for staff, promoted upon induction to the organisation and followed up as part of the appraisal process? Clearly would not work if there is no such framework within the organisation but it would mean minimal impact wrt annual training and instead become integrated into an already accepted part of the organisation’s governance process.
A code of conduct is a good start to compliance. To augment that I am considering administering a survey/questionnaire to management level personnel, which I will use in part to satisfy the control environment component of COSO. How I am going to assess the results to gauge the control environment is a bridge I haven’t crossed yet.
Surveys can be used if they follow random selection criteria and are not yes/no answers.
Description - Surveys gauge opinions or collect factual information, and permit respondents to complete independently. Surveys may ask open or closed ended questions, or a combination of both. Closed ended questions will have mutually independent possible responses, ranging from two options, i.e. Yes/No, to multiple options, i.e. Agree/Strongly Agree and Disagree/Strongly Disagree. Survey items may be either phrased as a question, i.e. Yes/No, or phrased as a statement of fact, i.e. Agree/Disagree.
When to use - To obtain feedback from a larger group of recipients without requiring a significant time investment in interviewing. It may be used to evaluate awareness and compliance with procedural manuals or code of conduct policies. It is most effective when there is a likelihood of candid and timely participation by the recipients, there is sufficient confidentiality when necessary, and when the nature of information to be collected permits limited interaction with the respondents. Survey content and distribution should be approved by client management.
There are of course advantages and disadvantages, but it can help assess a larger pervasive area such as Governance or Change Management/SDLC.
EMM last edited by
Many organisations assess the code of Conduct by ensuring that all employees sign an acknowledgement form to state that they have read it and understand. This is often performed when they first join.
Our HR department have suggested that an electronic questionnaire be submitted to all staff to ensure that they understand the code, but I prefer the idea that an anonymous questionnaire is filled out which covers their ethical behaviour and awareness of any fraud within the organisation, together with knowledge of who to contact as a whistleblower (if the org. is large enough, an ethics hotline is ideal). I feel that such a questionnaire reinforces the importance of why there is a code rather than just having someone sit vacantly in training etc.