Training insights: Ethics

Warning: Your data is under threat and things may not be what they seem to be. Question everything; exercise professional scepticism at all times; resist external pressure. These are the key messages of the Chartered IIA’s timely new course on internal audit ethics. It may sound dramatic, but homeworking, remote audits and the business threats caused by the pandemic all could affect the integrity of the information provided to internal audit.

What’s more, just at the time when it’s hardest to see what’s really going on, internal auditors may find themselves under more overt and covert pressure to be empathetic to the circumstances and to “support the business” rather than to be rigorous. This is a dangerous double whammy, but there are actions you can take to preserve audit integrity. The first imperative is to be aware of the dangers.

Some of the risks stem from the fact that systems and processes are new and, often, implemented in haste. Managers and internal auditors need to get used to them and learn to use them effectively with adequate care and scepticism. For example, in time, people will become better at reading body language and communicating over video, and organisations will adopt more comprehensive and secure digital documentation processes.

However, in the meantime, many internal auditors are still grappling with data that may look fine, but in fact could be subject to alterations or omissions, or just be incomplete or biased. If in doubt, there are some simple questions to ask: Do you select the data files from a complete set, or are they extracted by management and sent to you? How is the data collected and by whom? Can it be tampered with (for example, if you rely on a paper document that is physically scanned in, it may be harder to spot an amendment than if you view the original version)?

Some audits are particularly challenging to do remotely. Physical security and health and safety checks, for example, may be limited. Internal auditors are more likely to spot problems walking around a building and seeing people at work than watching a video selected by a manager. Fire doors that are blocked or held open with sacks of paper, dangerous extension leads, or missing extinguishers may not be obvious from a video, but would be evident to an internal auditor in the building.

If data is coming from insecure or incomplete sources, internal auditors have to be aware of this and be able to raise concerns openly. However, they are more likely than usual to come under pressure to be “understanding” about shortcomings or to avoid putting managers under additional pressure at a difficult time. They must be aware of the danger of being too sympathetic or of “taking the line of least resistance”.

It is essential to recognise that these are not short-term issues. Things are not going back to the way they were before, and pressures to do more audits remotely and faster will continue. Ethics are always an essential and complex part of internal audit – which is why the Chartered IIA has a Code of Ethics and why all members have to complete continuing professional education (CPE) on ethics each year, in addition to other CPE requirements. However, current challenges mean that all internal auditors could benefit from dedicating time to focus on new and emerging threats to the integrity of their data and their duty to provide sufficient challenge to management.

Delegates to this course will consider all these issues and many more – and will also consider how they can use the lessons learned in the pandemic to improve the long-term value of the assurance that they offer. n

“IA ethics – maintaining assurance quality during Covid-19” covers the CPE competency areas of professional ethics and the international professional practices framework. Attendees will gain seven CPE points (including three for ethics).

This article was first published in March 2021.