
How to Build Compliance and Ethics Surveys That Protect Your Organization

A comprehensive guide to designing compliance and ethics surveys that measure code of conduct awareness, detect ethical risks, build whistleblower confidence, and satisfy regulatory requirements.

Every major corporate scandal of the past two decades -- Enron, Wells Fargo, Wirecard, FTX -- shares a common thread: employees knew something was wrong long before the public did. In every post-mortem, investigators found that warning signs existed, that people had concerns, and that the organization either lacked the mechanisms to surface those concerns or had mechanisms so distrusted that employees stayed silent.

Compliance and ethics surveys are not bureaucratic exercises. They are early warning systems. Done well, they surface risks before they become crises, build a culture where ethical behavior is the norm rather than the exception, and provide documented evidence of organizational diligence that protects against regulatory penalties and litigation.

This guide covers how to design compliance and ethics surveys that actually work -- that employees trust enough to be honest, that measure what matters, and that give compliance teams actionable intelligence rather than false reassurance.


Why Compliance and Ethics Surveys Are Essential

The Regulatory Landscape

Regulators worldwide increasingly expect organizations to demonstrate proactive compliance cultures, not just reactive rule-following:

  • US Department of Justice (DOJ) guidance on corporate compliance programs explicitly evaluates whether organizations measure compliance culture through surveys and act on findings
  • Sarbanes-Oxley (SOX) requires internal controls that include mechanisms for employees to report concerns about financial reporting
  • EU Whistleblower Directive mandates confidential reporting channels for organizations with 50+ employees
  • UK Bribery Act requires organizations to demonstrate "adequate procedures" to prevent bribery, which courts interpret as including cultural measurement
  • FCPA (Foreign Corrupt Practices Act) enforcement considers the effectiveness of compliance training and culture in determining penalties

The Cost of Getting It Wrong

| Risk | Typical Cost |
| --- | --- |
| Regulatory fines (major violation) | $100M - $3B+ |
| Class action litigation | $50M - $500M+ |
| Executive criminal liability | Personal liability, imprisonment |
| Reputational damage | 20-40% market cap decline |
| Talent attrition | 15-30% increase in turnover |
| Customer defection | 10-25% revenue impact |

A $50,000 investment in comprehensive compliance surveying is trivial insurance against these outcomes.


Core Measurement Domains

1. Code of Conduct Awareness and Understanding

It is not enough that employees received the code of conduct during onboarding. You need to know whether they understand it, remember it, and know how to apply it.

Awareness questions:

Yes/No:

  • "Have you read your organization's Code of Conduct in the past 12 months?"
  • "Do you know where to find the Code of Conduct if you needed to reference it?"

Single choice:

  • "How well do you understand the Code of Conduct?" (Very well -- I could explain it to a colleague / Generally -- I know the main principles / Somewhat -- I remember some parts / Not well -- I would need to re-read it / I have not read it)

Application questions (scenario-based):

Single choice:

  • "A vendor offers you tickets to a sporting event worth $500. According to your organization's policy, what should you do?" (Accept -- it's a normal business courtesy / Decline -- it exceeds the gift threshold / Accept but report it to compliance / Check the gift policy before deciding)

Yes/No:

  • "If you witnessed a colleague submitting false expense reports, would you know exactly how to report it?"

Training effectiveness:

Scale (1-5 agreement):

  • "The compliance training I received was relevant to my actual work"
  • "I learned something new in my most recent compliance training"
  • "The training used realistic scenarios I might actually encounter"

2. Ethical Culture and "Tone at the Top"

Ethical culture is the single strongest predictor of whether employees will report misconduct. Measure it directly:

Leadership modeling:

Scale (1-5 agreement):

  • "Senior leaders in my organization model ethical behavior"
  • "My direct manager would support me if I raised an ethical concern"
  • "Leaders are held to the same ethical standards as everyone else"

Speak-up culture:

Scale (1-5 agreement):

  • "I feel comfortable raising ethical concerns without fear of retaliation"
  • "I have seen people speak up about ethics issues and be treated fairly"
  • "Ethical concerns are taken seriously when raised"

Yes/No:

  • "In the past 12 months, have you observed behavior that you believed violated the Code of Conduct or company policy?"
  • "If yes, did you report it?"
  • "If you did not report it, was fear of retaliation a factor?"

Pressure and rationalization:

Scale (1-5 frequency):

  • "I feel pressure to compromise ethical standards to meet business goals"
  • "I have heard colleagues justify questionable behavior with phrases like 'everyone does it' or 'it's not a big deal'"

3. Whistleblower Confidence and Reporting Mechanisms

The effectiveness of reporting channels depends entirely on whether employees trust them:

Channel awareness:

Multiple choice (select all known):

  • "Which reporting channels are you aware of?" (Ethics hotline / Online reporting portal / Direct manager / Compliance department / HR / Legal department / Board audit committee / External ombudsman / None of these)

Channel trust:

Scale (1-5 confidence):

  • "If I reported a concern through the ethics hotline, I am confident it would be investigated fairly"
  • "If I reported a concern, I am confident my identity would be protected"
  • "If I reported a concern, I am confident I would not face retaliation"

Single choice:

  • "Which reporting channel would you most trust for a serious ethical concern?" (Anonymous hotline / External ombudsman / Direct to senior leadership / Compliance department / HR / I would not report internally -- I would go to a regulator)

Retaliation perception:

Yes/No:

  • "Have you personally experienced or witnessed retaliation against someone who reported an ethical concern?"

Single choice:

  • "If you have not reported a concern you observed, what was the primary reason?" (Fear of retaliation / Believed nothing would be done / Did not know how to report / Did not think it was serious enough / Someone else reported it / Concern about being identified / Other)

4. Conflict of Interest Management

Yes/No:

  • "Do you have any personal, financial, or family relationships that could create a conflict of interest with your work responsibilities?"
  • "Have you disclosed all potential conflicts of interest as required by policy?"
  • "Do you understand what constitutes a conflict of interest at this organization?"

Single choice:

  • "If you discovered a conflict of interest in your role, what would you do?" (Disclose it immediately to my manager / Report it to compliance / Try to manage it myself / I'm not sure what I would do)

5. Anti-Bribery and Corruption

Particularly critical for organizations with international operations:

Scale (1-5 agreement):

  • "I understand what constitutes bribery under our policies and applicable law"
  • "I know how to handle requests for facilitation payments"
  • "Third-party due diligence processes are adequate at this organization"

Yes/No:

  • "Have you been asked to approve or facilitate a payment you were uncomfortable with in the past 12 months?"
  • "Do you know what a facilitation payment is and whether it is permitted under our policy?"

Single choice:

  • "When working with third-party agents or distributors, how confident are you in the anti-corruption due diligence process?" (Very confident / Somewhat confident / Not confident / I'm not involved with third parties / I don't know what this process involves)

SOX Compliance Considerations

For publicly traded companies, Sarbanes-Oxley imposes specific requirements that compliance surveys can support:

Section 301: Audit Committee Reporting

SOX requires that audit committees establish procedures for receiving complaints about accounting, internal controls, or auditing matters -- including anonymous submission. Your survey should measure:

  • Employee awareness of these specific reporting channels
  • Trust in the audit committee's independence
  • Understanding of what constitutes a reportable accounting concern

Section 404: Internal Controls Assessment

While SOX Section 404 focuses on financial controls, the culture surrounding those controls matters. Survey questions about pressure to meet financial targets, understanding of revenue recognition rules, and willingness to report irregular transactions support the internal control environment assessment.

Section 806: Whistleblower Protection

SOX provides anti-retaliation protections for whistleblowers at public companies. Your survey should measure whether employees know these protections exist and whether they believe they are enforced in practice.


The Critical Trust Problem (And How AI Solves It)

Here is the fundamental paradox of compliance surveying: the people with the most important information to share are the ones least likely to share it through traditional channels. An employee who has witnessed their VP accepting bribes is not going to click "Yes" on a SurveyMonkey form that they suspect IT can trace back to their workstation.

Why Traditional Compliance Surveys Fail

  1. Identifiability fears. Even "anonymous" web surveys generate metadata (IP address, browser fingerprint, submission time relative to email delivery). Sophisticated employees know this.
  2. Social desirability bias. Employees give the answers they think compliance wants to hear, not their honest assessment.
  3. Binary limitations. "Have you witnessed misconduct? Yes/No" captures nothing about the nature, severity, frequency, or context of what was observed.
  4. Compliance theater. When surveys are visibly just checking a box, employees respond in kind -- quickly, superficially, dishonestly.

How Koji Transforms Compliance Research

Koji's AI-native approach addresses each of these failures:

  • Architectural anonymity. Koji conversations cannot be traced to individual employees. There is no IP logging, no browser fingerprinting, no timing correlation. The compliance team receives aggregated insights, not identifiable transcripts.
  • Conversational depth. When the AI interviewer asks "Have you observed behavior that concerned you from an ethics perspective?" and the employee says yes, it follows up naturally: "Can you tell me more about what you observed, without naming specific individuals?" This elicits 10-50x more actionable detail than a checkbox.
  • Reduced social desirability bias. Research consistently shows people are more honest with AI interviewers than human ones, especially on sensitive topics. There is no fear of judgment, no relationship consequences, and no unconscious signaling from the interviewer.
  • Psychological safety through technology. The AI interviewer creates a space that feels genuinely safe -- conversational but not casual, thorough but not interrogatory, empathetic but not performative.
  • Voice mode for accessibility. Employees in manufacturing, logistics, or field operations who rarely sit at computers can participate via voice conversation on their phones.

Survey Design Best Practices for Compliance Topics

Mandatory vs. Voluntary Participation

This is a genuine tension. Compliance surveys often need high response rates to satisfy regulators, but mandatory participation can reduce honesty. The best approach:

  • Make the structured/quantitative section mandatory (awareness, understanding, training effectiveness)
  • Make the qualitative/sensitive section voluntary (witnessed misconduct, retaliation experiences, specific concerns)
  • Use Koji's conversational approach to make voluntary sections feel inviting rather than burdensome

Frequency

  • Annual comprehensive survey: Full measurement across all domains
  • Post-training assessments: Immediately after compliance training (knowledge check, not opinion)
  • Targeted pulse surveys: After high-profile ethical incidents in your industry or organization
  • Always-on reporting option: A permanent Koji interview link for employees to share concerns at any time

Segmentation

  • Report by business unit/region (critical for identifying localized compliance risks)
  • Report by tenure (new employees vs. long-tenured -- different risk profiles)
  • Report by management level (front-line vs. middle management vs. senior leadership)
  • Never cross-tabulate in ways that could identify individuals

Analyzing and Acting on Compliance Survey Data

Red Flag Patterns

Watch for these signals in your data:

| Signal | What It May Indicate |
| --- | --- |
| High awareness but low confidence in reporting channels | Systemic distrust -- channels exist but are not trusted |
| Pressure scores increasing in specific business units | Revenue or performance pressure overriding ethical standards |
| Low retaliation reporting but also low speak-up scores | Retaliation may be happening but not being reported |
| High "witnessed misconduct" but low "reported it" | Critical gap between observation and action |
| Senior leadership modeled ethics scores significantly higher than middle management | Ethics erosion at the management level closest to daily decisions |
| Scenario-based questions answered incorrectly despite high self-reported awareness | Training is not translating to practical understanding |

The Investigation Decision Framework

When survey data surfaces potential issues:

  1. Pattern vs. outlier? A single concerning data point might be noise. A pattern across multiple questions or survey cycles demands investigation.
  2. Corroborated by other signals? Cross-reference with hotline reports, audit findings, and operational data.
  3. Severity assessment. Legal/financial exposure, reputational risk, regulatory implications.
  4. Response proportionality. Not every finding requires a formal investigation. Some require training, some require policy clarification, some require immediate escalation.

Sample Compliance Survey Structure Using Koji

Structured Questions (10-12 minutes, mandatory):

  1. Code of Conduct awareness (3 yes/no questions)
  2. Training effectiveness (3 scale questions, 1-5)
  3. Ethical culture and tone at top (4 scale questions, 1-5)
  4. Speak-up confidence (3 scale questions, 1-5)
  5. Reporting channel awareness (multiple choice)
  6. Most trusted reporting channel (single choice)
  7. Observed potential misconduct in past 12 months? (yes/no)
  8. Anti-bribery understanding (2 scale questions, 1-5)
  9. Conflict of interest status (yes/no with disclosure prompt)
  10. Scenario-based knowledge check (2 single choice questions)

AI Conversational Exploration (5-15 minutes, voluntary):

  • For those who observed potential misconduct: explores what was observed (without identifying individuals), whether they reported it, what the experience was like
  • For all participants: explores what would make them more confident in speaking up, what compliance training would actually be useful, what ethical challenges they face in their specific role
  • Captures suggestions for improving the compliance program
  • Surfaces organizational pressure points that quantitative questions miss

Reporting to Leadership and the Board

What the Board Needs to See

  • Trend data on key culture metrics (speak-up confidence, retaliation perception, leadership modeling)
  • Comparison to industry benchmarks where available
  • Red flag analysis with recommended actions
  • Training effectiveness evidence
  • Response rate and participation quality metrics

What Compliance Teams Need

  • Granular breakdowns by business unit, region, and management level
  • Qualitative theme analysis from AI conversations
  • Specific policy areas where understanding is weak
  • Reporting channel utilization and trust data
  • Year-over-year trend analysis for every measured dimension

Getting Started

  1. Map your regulatory requirements. Know exactly what SOX, DOJ guidance, or industry-specific regulations require from your compliance measurement program.
  2. Baseline your current state. Run a comprehensive compliance culture survey to establish benchmarks before introducing changes.
  3. Set up Koji for anonymous conversations. The AI interviewer is particularly valuable for the sensitive topics that traditional surveys cannot explore honestly.
  4. Design scenario-based questions. Abstract ethics questions yield abstract answers. Concrete scenarios reveal actual understanding.
  5. Build the reporting infrastructure. Decide in advance what gets reported to the board, what stays with the compliance team, and what triggers investigation protocols.
  6. Communicate the purpose clearly. Employees should understand that this survey protects them as much as it protects the organization.

Compliance and ethics surveys are the canary in the coal mine. The organizations that avoid scandals are not the ones with the thickest policy manuals -- they are the ones that have built genuine mechanisms for hearing what their people know. Koji's conversational AI makes those mechanisms trustworthy, thorough, and scalable.
