Internal Audit’s Role in Modeling and Promoting an Ethical Culture

As internal auditors, we have the privilege and responsibility of being among the guardians of trust within our organizations. While we should work tirelessly to identify and report ethical misconduct, we must also recognize that we are not immune to ethical breaches ourselves. 

In Blind Spots: Why We Fail to Do What’s Right and What to Do About It, authors Max Bazerman and Ann Tenbrunsel write: “Our minds are subject to bounded ethicality, or cognitive limitations that can make us unaware of the moral implications of our decisions.” This can even be true on the job as internal auditors when — in the heat of a high-stakes, emotionally charged situation — we might find ourselves motivated by loyalties that go beyond doing the right thing. 

The internal audit profession is built on a foundation of trust and integrity, but we must never take that trust for granted. As evidenced by Enron, WorldCom, and other 21st-century scandals that have rocked the corporate landscape, the bottom line is that bad ethical behavior can destroy a business’s share value, undermine credibility, and destroy public confidence as fast as anything else. This is why we must never take the chance of it happening on our watch. 

Internal Audit Awareness Month is an opportunity not only to celebrate audit’s role in promoting and supporting a healthy organizational culture, but also to shine a light on an unfortunate truth: in reality, our blind spots as auditors are exposed every day on the job, and these exposures can lead to ethical breaches. This May, I would encourage you to reflect on the importance of proactively creating an ethical culture within internal audit so that we may better serve as the moral compass for our organizations — and inspire others to do the same.

Guidance From the New IIA Code of Ethics 

An enhanced IIA code of ethics has been integrated into the proposed new Global Internal Audit Standards, with the intent of further instilling ethical behavior in the profession. Currently open for public comment until May 30, these new standards offer a detailed blueprint for ethical behavior for internal auditors. Below, I highlight a few of the particular standouts that make for excellent studying. 

1. Standard 1.1 Honesty and Courage. Honesty and courage go hand-in-hand when it comes to acting with integrity; you cannot have one without the other. Auditors must be willing to lean on courage, to refrain from — or challenge — any activity that is illegal or discreditable to the organization or the profession. 
2. Standard 2.3 Disclosing Impairments to Objectivity. As auditors, it is important that we maintain professional objectivity while performing any internal audit services by separating our personal biases from our work. However, if objectivity is impaired, internal auditors must be willing to disclose impairments to appropriate parties before the services are performed.
3. Standard 3.2 Continuing Professional Development. In addition to possessing or obtaining the knowledge, skills, and abilities needed to perform our services, auditors must also strive to maintain and develop their competencies by continuously improving our knowledge and skills. 
4. Standard 4.1 Conformance with Global Internal Audit Standards. In addition to exercising professional skepticism and considering the nature, circumstances, and requirements of the work, it is important that auditors also exercise care in planning and performing services by conforming with the IIA’s code of ethics. 
5. Standard 5.2 Protection of Information. There are situations where auditors may come into possession of information that is theoretically or actually proprietary, but would disclose the commission of a fraud or an illegal act. This standard emphasizes where there is a legal or professional responsibility to disclose such information, it is necessary to do so. 

Overall, the proposed standards have the potential to make significant strides in reinforcing ethical behavior for internal auditors, and will serve as valuable resources for those in the profession moving forward.

Recognizing and Addressing Our Blind Spots

No matter how good our intentions or how diligently we attempt to remain vigilant, internal auditors are still human. In a recent article, I examined common challenges that can arise from auditors’ ethical blind spots — which, more often than not, are everyday scenarios. They may have even happened to you or your team. Acknowledging our blind spots as a profession and as individuals can better help us prepare if and when they surface. The following are some ways to fortify our responsiveness to blind spots: 

• Recognize that we are prone to behave in ways that serve our own interests.
• Challenge your own thought/decision processes.
• Watch and challenge those around you.
• Slow down and deliberate (with yourself and others).
• Implement controls that force contemplation of ethical decisions.
• Disclose potential ethical conflicts.
• Remember: We are only as strong as our weakest link.

Proactively Creating an Ethical Culture

I believe that, in organizations where culture audits are not yet top priority, auditors can still put their energy and focus toward creating an ethical culture. This does not necessarily mean internal auditors have to start a movement. We can take actions in our everyday engagements to begin applying the lens of ethics to the organization in the spirit of improvement.  Below are some steps auditors can take:

1. Perform root cause analysis. Performing root cause analysis doubles as an opportunity for internal auditors to consider culture in every audit. More often than not, there are findings requiring an auditor to identify the root cause, but there is a tendency to gloss over this effort, with excuses like not enough training, resources, or staff. Yet, good internal auditors won’t rest until they have the root cause, which, in many cases, can partially be attributed to an organization’s culture. 
2. Perform a capstone report, with trending that allows you to project across the enterprise. If culture is a potential risk priority for the organization, not performing an assessment of culture risk and providing a formal report to the audit committee and executive management is a risk in itself. This is where a special audit project, in the form of a capstone report on culture, can come into handy as a segway to addressing culture risk in the organization. 
3. Apply a top-down, holistic approach. The most comprehensive action we can take is to perform a culture risk assessment or a cultural audit of the enterprise. While this is dependent on the appropriate talent and resources, it is critical to applying a top-down approach when embedding a culture of ethics in the organization. This assessment should address elements including: risk management, code of conduct, and important infrastructure, such as Chief Ethics Officer. 

Upholding Our Ethical Responsibility as Auditors

The work of internal auditors is essential to maintaining the trust and integrity of our organizations. By taking a proactive approach to ethics and setting high standards for ourselves, we can ensure that our work is respected and valued by our stakeholders. It’s up to each of us to set the bar high and hold ourselves accountable for upholding the ethical standards of our profession. Let’s rise to the challenge and be the guardians of trust that our organizations need.