By their nature, roosters are self-confident, bold and vocal. That gives internal auditors reason to believe that more fraud will be exposed in Estonian companies than in years past. The starting gun went off last year – already then, we dealt with many times more fraud in Estonian companies than we had in the past. Was the reason the fact that company owners cracked down more actively, more cases were detected, or simply that more fraud was committed? It’s hard to evaluate.

Another interesting difference compared to years past is that whereas in some sectors such as retail, food service and production, employees have swindled and skimmed in years past as well, 2016 saw an increase in the number of proceedings due to “bloodsucker” companies and cases of fraud involving the purchasing process. Last year had a clear, common theme – all of the schemes had been in operation for several years.

The second half of the year brought yet another change – an unexpected number of companies expressed the desire to draft a code of ethics for their companies, along with a process for putting the code into action. Some cases involved just establishing and implementing the code of ethics and developing and introducing to employees the necessary processes for its functioning, while others went further – an assessment of the entire internal control system and increase in the effectiveness of verification.

Top management must lead the way

In public sector institutions, pressure for such activities comes from a National Audit Office guideline that requires certain public sector organisations to have their anti-corruption measures evaluated by a sworn auditor. Private sector companies that are engaged in a concerted effort to develop a code of ethics and internal control environment have a self-interest in doing so – no one is forcing the owner to deal with such a topic. The owner or CEO’s wisdom and ability to see the big picture is what leads the firm to address the topic. Even telling one’s employees, “We have a topic that we haven’t dealt with,” is a bold step. It requires excellent “sales” and leadership within the organisation, because no code of ethics can be put into action without top management taking the initiative and believing in it. Creating an ethical environment and working system is a multi-year process replete with setbacks and leaps forward. The role model and leadership provided by the executives and the role and commitment of the supervisory board are extremely important in this regard.

Reporting fraud is not ‘ratting’

We’ve dealt with a number of companies in Estonia who have drafted a code of ethics that includes, in the description of procedures, a requirement to report fraud. Employees are aware of this, yes, but the system still doesn’t work. Along with other reasons, often an important role is played by the fact that employees don’t dare give information to their colleagues for fear of persecution or loss of their job. The loser in such a situation is the company. For this reason, Grant Thornton Baltic is rolling out a unique service, first in Estonia and then the Baltics, to help companies set up a hotline in an efficient, trustworthy and systematic manner and keep it operational.

Requirements for establishing a code of conduct

The goal of a code of conduct is to establish a framework for the rules of acceptable conduct in an organisation and to set forth procedures for conducting proceedings on violations of the rules.

A code of conduct is not a sheet of paper employees are asked to sign. It’s a system that has to cover:

  • rules on what behaviour is allowed and what is not allowed in our organisation
  • notification process, including type of organisational culture and control environment – whom the employee must notify of possible fraud, and how
  • description of actions to be taken in handling cases – who will start conducting proceedings on information received, how the proceedings will be conducted, during what time, whether and how feedback will be given to the person who passed on the information etc.
  • description of sanctions – what are the punishments for the violations, who makes the decision and so on.

The entire process described is different in every company. It isn’t possible to generate a single document that is appropriate for every company, as the process depends on managerial policies, internal control environment, size of the organisation, area of activity and much else. While the state has developed various codes, trainings and guidelines, in the private sector companies have to establish the whole framework themselves. Only the general regulations and advisory guidelines can be used as a basis.

Employees have to see it the right way

Communication is also important – the message that is sent to employees when the process is started and implemented must be clear and communicated well. All parties must have assurance that the code of ethics is not intended for spying or checking up on anyone but rather for changing the company’s culture as a step in a more employee-friendly direction. Employees must under no circumstance be left with the impression that it’s a measure that can be used for indiscriminately and intentionally firing staff.

More precise information about establishing the internal control environment and Grant Thornton Baltic’s new hotline service is available from our internal audit service at 626 0500 and internalaudit@ee.gt.com.

Author: Siiri Antsmäe