One of the most tragic figures of English literature is Catherine. She is the one true love of Heathcliff’s life and he is her love as well. In the 1939 film version, the scenes of these two across the moors are some of the most romantic I have seen on the big screen. Yet it is a decision to marry another suitor and then a statement by Catherine which turns the novel from a romance into a very dark gothic tragedy. This intemperate statement drives Heathcliff away for a dozen years. When he returns, Catherine realizes Heathcliff is the true love of her life and to punish herself, she stops eating, slowly starving herself to death.

This part of the tragedy could have been prevented and that leads up to Part II of this three-part exploration of an ACFE’s Fraud Magazine article, entitled “What’s Your Integrity Agenda”, edited by Vince Walden, partner at Ernest and Young LLP (EY), with contributions from Professor Eugene Soltes, Ph.D., of Harvard Business School, Jon Feig, CPA, and Andrew Reisman, J.D., of EY’s Forensic & Integrity Services practice. As Catherine helped to bring the story and tension of Wuthering Heights to life, today we consider the four elements of an integrity agenda and how they may be brought to life. The four elements are (1) Governance; (2) Culture; (3) Controls and Procedures; and (4) Insights. (As usual with a great article, I got carried away and my two-part blog post has now become a three-part series.) 


How does your organization support its ethics and corporate values required to support an integrity program? This is more than creating institutional justice and institutional fairness. This is supporting an integrity agenda through mandating involvement in all levels of your organization, starting with the Board of Directors and senior management. The authors suggested asking some of these basic questions: “Are functional and business leaders included in this program? How does the board oversee these structures? Are the governance structures designed for diversified and decentralized operations? Do business units and local leaders have the resources and information they need to stand accountable for integrity and compliance outcomes?”

Good governance under this model requires support to the front-line decision makers but it also means empowering the functional groups in your organization to support these initiatives. Obviously, this means the compliance function but it also includes Human Resources (HR), internal audit, internal controls and other corporate disciplines. It begins with an “Organizational vision and mission, and the ethical obligations they influence” then moves through your Code of Conduct and the values of your company. It also means embedding integrity into your internal controls, together with the “Inclusive teams with diversity of skills”. Finally, as mandated by the Department of Justice (DOJ) in the new Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy there must be sufficient resource allocation, in both salaries and head count.


What is the culture of your organization? Does it promote institutional fairness and justice or is it simply my way or the highway? The authors posit these basic questions to help you make this initial assessment: “Does the organization’s culture focus on transparency? Does it perceive individuals who raise concerns as troublemakers? Employees work for a company for numerous reasons, but is their main reason to earn income or prestige? Do employees know that the organization encourages them to speak up and that it’ll protect them when they do? Put differently, has management created a culture where that employee will risk putting food on the table to protect the company? How does the organization incentivize and reward employees?”

You must understand your culture to assess where you are on integrity. Key areas are in culture, ethics and awareness of anti-corruption/anti-fraud policies. Some of the areas you can focus on in culture include not only tone but conduct at the top, with open and transparent lines for reporting both direct and anonymously. There must be training, education and ongoing communications regarding the company’s commitment to an integrity agenda. Moreover, and tied to conduct at the top, does senior management really mean what they say; that is, does their conduct really back what they may espouse on values, ethics and integrity? Or if you miss your numbers for two quarters are you fired?

Culture extends to the types of individuals your company hires and those who are promoted. Do only those who ‘make their numbers’ succeed or is there an integrity evaluation for those promoted to management positions? Does your organization consider behavioral factors such as red flags around fraud and corruption? Finally, does your company engage in a robust five-step third party risk management program?

Controls and Procedures

Many still consider controls as detect only but a more holistic approach sees controls and procedures as a key part of the tripartite prevent, detect and remediatestructure. The authors advocate embedding controls in business process and operation steps just as you would for financial activities. One of the key concepts from the COSO 2013 Internal Controls Framework is that integrity controls are largely financial controls. The authors posit the following question: “Has the organization thought through where the main risks lie and invested in controls and procedures to protect the company and its employees?”

Controls and procedures lend themselves to a technological solution. They go on to suggest that “Technology-enhanced procedures, which provide data about performance and impact to management and employees in the field and assessments, including fraud risk program assessments, cyber risk assessments and investigations” are key starting points but they are only that, the human element then needs to analyze and interpret the results. This leads to “continuous improvement of controls, e.g., reduced high-risk transactions, improved employee survey feedback, improved employee decisions based on scenario training, and increased sales or success stories based on ethical decision-making”. 


As noted with controls, it is the information you assess and garner which allows you to continue to grow and refine your integrity agenda. The authors start with the question of how do you know your efforts are succeeding to “improve culture, and identify and manage risks?” They go on to suggest a focus on “primary sources of information” such as hotline and other internal reporting. Other insights can be gleaned from “assessing how consistently the organization has disciplined wrongdoers, spared senior executives or was gender-biased. Conducting transactional analysis, such as review and risk scoring of payments, can also provide key insights into high-risk third parties or employees.”

How can you go about implementing such ongoing monitoring to garner the insights needed for continuous improvement? An obvious starting point is risk and controls monitoring. If there is a failure, are investigations conducted and is there a root cause analysis performed? The analytics from hotlines or other forms of reporting, tied with forensic data analysis, can provide valuable information. But it must come with sharing the insights with your employees so they can learn from both the good and the bad.

Tomorrow we tie it all together and bring it all home with Heathcliff.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2018