Internal audit: The need to exceed the code of ethics
By Jesse Laseman
In 2009, the Institute of Internal Auditors (IIA) established a code of ethics for internal auditors. The IIA is the profession’s global voice, chief advocate, principal educator, and recognized leader and authority. Its code of ethics describes minimum requirements for conduct and lays out behavioral expectations rather than specific activities.
Why is a code of ethics necessary? Because organizations place their trust in internal auditors’ objective assurance about risk management, control and governance. That’s why the IIA code of ethics consists of these four main principles:
- Integrity
- Objectivity
- Confidentiality
- Competency
But while internal audit ethics form a strong base for any internal auditor’s conduct, exceeding these standards helps ensure internal auditors better serve their organization.
Here are four ways internal auditors can exceed the code of ethics.
1. Understand your organization’s code of ethics/conduct
It’s not just professions that have codes of ethics/conduct. Companies often have them, too. Ford Motor Company, U.S. Bank and Nike all provide good examples.
A code of ethics has value as both an internal guideline and an external statement of corporate values and commitments. Whether the internal auditor is an employee or consultant, they are an extension of the organization and should meet the standards set forth for all employees.
Plus, the organization’s code of ethics/conduct will help the internal auditor understand the following:
- The general tone at the top of the organization
- The expectation of how employees should carry themselves
- Risks identified by management
2. Understand the business objective
Internal auditors should understand management’s goals and objectives. You don’t want IA focused on the wrong areas and unimportant details.
Internal audit failures often stem from misalignment with company strategies. For example, Cambridge Analytica likely improperly gained access to the data of millions of Facebook users because there was misalignment between Facebook management’s goal of maximizing revenue and Facebook IA’s duty to protect the organization and ensure the organization is upholding customer trust.
If you understand the key performance indicators (KPIs) that your organization uses to determine how well it’s meeting its goals, this can help you align your audit with management.
Business goals change, so your annual internal audit should change, too. It might be tempting to re-use a previous audit program that found several insignificant errors, but re-performing last year's audit is not necessarily the best way to add value. Plus, internal audit reports that contain inconsequential findings or recommendations that are not cost-effective will earn you a reputation as a "bean counter," or worse.
3. Always seek to add value
The goal of internal audit is to help management accomplish their objectives. Adding value means more than just pointing out what’s wrong. It means showing them what’s right.
IA should strive to be a consultant providing a treasure chest of insight, rather than someone who simply supplies findings with no accompanying analysis. You want to always understand the true underlying problem of an issue. Talk through these issues with management, explain IA’s perspective and share additional resources. Don’t get stuck on the execution issues and lose sight of the greater opportunity. Make sure the time internal audit spends is truly adding value to the organization.
4. Grow with the organization
Internal audit must understand where the organization is in its risk-mitigation journey. IA can add value by helping management prioritize findings. The issues they should tackle first are those that are high-risk and crucial to financial reporting.
Follow-up is critical. Put a plan in place to follow up on issues to ensure they’re being tackled and the risk is being mitigated to the extent possible.
Also, consider a cost-benefit analysis for all internal control findings. Sometimes IA tends to make recommendations that the organization is unable to implement. For example, if an organization lacks segregation of duties, is it actually able to hire more people to realign those duties?
Finally, walk the fine line between consulting and assurance. While an effective internal audit function often provides advice and consultancy services for key stakeholders, internal audit will often struggle to address an organization’s critical risks if little or no assurance is provided to management and the board on the overall effectiveness of mitigating controls.
For example, Toshiba’s governance structure relied too heavily on internal audit as a consulting service rather than as an assurance provider. The audit department focused primarily on providing consulting services to Toshiba's various companies as part of operational audits, without assessing the appropriateness of accounting processes — leading to an accounting scandal where $1.2 billion in operating profits were overstated.
Wipfli can help you exceed the code of internal audit ethics
Need assistance with adding value to your internal audit? You can co-source your audit with Wipfli.
If you have one or more internal audit team members who are inexperienced, overwhelmed, going on leave, or not independent in certain areas, our co-sourcing solution is a great option. From mentoring and guiding inexperienced team members to helping your team perform the risk assessment and develop the internal audit plan, we can be as little or as much involved as you need us.