The importance of integrity to the internal audit function.
Aziz Fataliyev argues that while all of the principles in The IIA's Code of Ethics are important, integrity rules them all.
Blogs Aziz Fataliyev, CIA Dec 07, 2021
As many of us know, the purpose of The IIA's Code of Ethics is to promote an ethical culture in the profession of internal auditing. Principles within the Code include integrity, objectivity, confidentiality, and competency.
It could also be argued that all four principles defined in the Code are equal in importance. There is truth to this; internal auditors must comply with each of them equally. We cannot pay more attention to objectivity than confidentiality or focus on integrity while ignoring competency, and so forth.
However, the significance of the integrity principle, in my humble opinion, cannot be overstated. It is the foundation of all possible ethical values. As I stated in my previous blog post, "From Staff Auditor to CAE," without honesty, you will not be able to be objective or stay confidential. You will not even improve your competency appropriately, although you may (and there is a big chance that you will) pretend that you do.
Let us go a little bit deeper by considering possible risk scenarios triggered by a lack of integrity, as well as recommendations intended to mitigate these risks.
It is unlikely that a dishonest person would assess information objectively. Objectivity is a hard task even for a diligent person (considering all relevant circumstances is not an easy duty). So what would a dishonest auditor do? There could be many factors motivating him or her to behave in a biased manner.
In pursuit of posing as a value-adding auditor, our integrity-deficient auditor might overstate the significance of issues observed or report nonexistent findings (for example, by interpreting current issues as not compliant with respective guidance). A dishonest internal auditor might also conceal the existence of a conflict of interest if they are understating the deficiencies observed (resulting from a too-friendly relationship with an audit client) or overstating deficiencies (in the case of hostile relationship with an audit client).
To avoid overstatement, there should be a clearly-defined model for risk assessment and day-to-day control over audit assignments, such as through proper supervision. The negative scenario of nonexistent findings may also be detected by supervising audit engagements. And a preventive control for preventing a conflict of interest is an effective conflict of interest policy — which could include negative reinforcement for noncompliance.
Unfortunately, the ability to keep things secret is not always characteristic of humans. It is equally uncharacteristic of a dishonest person to respect the privacy of information. It could be rather tempting to use valuable information for personal gain.
Just imagine how attractive the desire to benefit from confidential information is — how hard it would be not to withdraw money from a financial institution in the case of an increased liquidity risk or buy stocks knowing that there is high probability that share value will increase.
The first step in managing the confidentiality of an organization is classifying information by its secrecy level (stakeholders must understand which information is confidential). Further steps include offering internal guidance on the disseminating of information and conducting periodic monitoring on compliance with the rules. For instance, in a liquidity risk scenario, it would not be so time-consuming to monitor whether internal auditors used confidential information for personal gain.
Even the competency principle would inevitably be impaired by dishonesty. It is hard to believe that a dishonest person would improve his or her skills in a disciplined manner. However, our integrity-lacking internal auditor would likely improve on their "cheating" competencies.
In the desire to be evaluated as a competent auditor, internal auditors might overstate the knowledge and skills they possess and engage in audit assignments not familiar to them. Alternatively, in an attempt to comply with the requirement to continuously improve on proficiency, an internal auditor might take ineffective courses in order only to check the box within an individual development program.
The best way to keep auditors aligned with the competency principle is a quality assurance and improvement program (QAIP), ensuring that all components stated by the respective standards are in place. For competency frameworks establishing requirements for each position within the internal audit function and respective evaluation practices, these must be designed and implemented. In the presence of approved individual development plans, also a feature of QAIPs, opportunities to select ineffective trainings will be definitely reduced.
It would be impossible to summarize all risks related to a lack of integrity and possible measures intended to manage them. The simplest way to avoid risks related to the integrity principle is to maintain an ethical climate within the organization as a whole, and specifically within the internal audit function. We must promote the integrity principle every single minute of our lives.