To celebrate Internal Audit Awareness Month in May, this article highlights the role of ethics in internal auditing. In January 2024, the Institute of Internal Auditors (IIA) issued the new Global Internal Audit Standards (GIAS). The GIAS consists of five domains, 15 principles and 52 standards that internal auditors must adhere to when providing assurance and advisory services to their clients.

 

Domain II is titled “Ethics and Professionalism” and replaces the previous IIA Code of Ethics. It outlines the behavioural expectations for professional internal auditors. The five principles are integrity, objectivity, competence, due professional care and confidentiality.

 

Acting with integrity implies that internal auditors are honest and perform their work with professional courage. This entails taking appropriate action, even when confronted by dilemmas and difficult situations.

Maintaining objectivity implies having an impartial and unbiased attitude when performing internal audit services and making decisions. Internal auditors must avoid conflicts of interest and must not be unduly influenced by their own interests or the interests of others. Furthermore, internal auditors must recognise and avoid any impairments to objectivity.

 

Internal auditors also need to demonstrate competency which requires developing and applying the knowledge, skills and abilities to provide internal audit services. To improve the effectiveness and quality of internal audit services, internal auditors must participate annually in continuing professional development (CPD) initiatives such as obtaining relevant certifications and completing relevant education and training programmes.

 

Internal auditors must also apply due professional care in planning and performing internal audit services. This includes the application of professional scepticism to critically assess and evaluate the reliability of information. It further entails that internal auditors must maintain an attitude that includes inquisitiveness, being straightforward and honest when raising concerns and asking questions about inconsistent information.

 

Finally, internal auditors need to maintain confidentiality. Due to the fact that internal auditors have access to client information, they need to be prudent in the use of such information and only make disclosures if there is a legal obligation to do so.

 

Apart from taking cognisance of the ethics of internal auditors as described above, the internal audit function (IAF) also needs to audit the ethics of an organisation. The GIAS state that internal auditors must evaluate the adequacy and effectiveness of an organisation’s governance processes. These processes include building an ethical organisational culture in line with the recommendations of the fourth King Report on Corporate Governance issued by the Institute of Directors in South Africa.

 

It is management’s responsibility to implement a sound ethical organisational culture. This can be done by implementing, amongst others, a formal ethics management framework. Such a framework consists of key components that are needed within an organisation to build an ethical organisational culture.

 

The first component is leadership commitment. Without the necessary buy-in from top management, organisations will not succeed in building an ethical culture. Second, governance structures are needed at multiple levels within the organisation. For example, at the strategic level, a social and ethics committee can provide oversight for the effective implementation of the ethics management framework. At a systems level, an ethics officer or ethics office can take responsibility for managing ethics within the organisation. At operational level, various ethics champions can “walk the ethics talk”. Third, a formal ethics management process forms part of the ethics management framework. The ethics management process consists of the following steps:

 

The fourth and final component of the ethics management framework is the independent assessment of ethics performance in the organisation. This is where the IAF can add value by assessing the adequacy and effectiveness of the organisation’s ethics management framework. In an assurance capacity, the IAF can provide assurance on whether the ethics management framework is effective in building an ethical organisational culture. In an advisory capacity, the IAF can provide advice and assistance to an organisation that has not yet implemented a formal ethics management framework.

 

When performing an internal audit of ethics, the IAF can, for example, consider the following:

 

In conclusion, the ethics of internal auditors and the internal audit of ethics are two distinct dimensions of ethics that need to be considered by internal auditors. On the one hand, one has the professional ethical principles and values that internal auditors must possess to guide their ethical behaviour, and on the other hand, the role of the IAF in providing assurance on the organisational ethics of their clients. Considering these two dimensions will, to a large extent, address ethical dilemmas that may arise in the internal audit domain of any organisation.