I have long believed that internal auditors have a tougher challenge than many others in an organization. It's difficult to sustain a reputation for objectivity when we live and work in the same environment where we perform our audit responsibilities — sometimes for a few years, sometimes over an entire career. Everyone is watching internal audit to see if we are walking the talk. I have heard of us referred to as "example setters for an organization," and that we are "constantly assessed by those we audit." I call it having a target on our back. If internal audit is not following organizational policies, or even appears to not be following policies, the fallout will affect trust in the department and every internal auditor in it.
No one expects internal auditors to be flawless. We are human, after all. However, if the flaws cause others to question our ethics, we will lose a significant advantage that will likely undermine our ability to be perceived as trusted advisors. If management is aware of even minor ethical transgressions, their response when we offer advice or recommendations at the conclusion of our engagements is likely to be, "Why should I listen to him? He takes vacation days without charging them." Or, "She filed a faulty expense report and had to reimburse the company."
Internal auditors cannot afford the luxury of being vulnerable. Our behavior must be above reproach, if we are to provide counsel to others. And don't be surprised if, the first time you call out a senior manager for a serious ethical infraction, suddenly every minor infraction you ever committed is thrown back at you.
Neither can internal audit afford to fail living up to its commitments. A highly respected chief audit executive recently pointed out to me that internal auditors have to understand that they have a commitment both to the organization where they work and to a broad, diverse group of stakeholders. "We have to walk a fine line, understanding the firm's needs, the board's needs, management's needs, and investors' needs," he explained. "If we're not trustworthy, and if the people we work with aren't trustworthy, we leave the door open to fraud."
I believe most internal auditors do consistently act ethically. But occasional lapses happen, and when they do, they often make the news. Many of us recall all too well certain high-profile cases. For every highly publicized case of an internal auditor who gets in trouble for ethical transgressions, there are likely scores more whose transgressions were dealt with outside of public view. The actions of unethical internal auditors constitute a massive betrayal, not only of their employers and former colleagues, but also of their profession. Internal audit has many responsibilities, one of which is as ethical overseer. In that capacity, like Caesar's wife, it must be above suspicion.
To look at it another way, we have all heard the common wisdom that those who live in glass houses should not throw stones. But sometimes, as internal auditors, our job is to toss a rock or two. So, if we're going to throw stones — and, of course, we are — we'd better make sure our own house is shatterproof. A steadfast commitment to ethical behavior, coupled with a strong and effective quality assurance and improvement program, will help ensure that we avoid injury from flying glass.
One way to shatterproof the internal audit function is to make sure the right people are in it. We must carefully vet those who are brought on board to ensure there are no skeletons that could signal a moral compass that does not point true north. We should all hold each other accountable to live up to the highest levels of ethical conduct.
The IIA recognizes that ethical behavior is crucial to the fabric of our profession. Every IIA member around the world, along with those who hold an IIA certification, must conform to The IIA's Code of Ethics. In promulgating its code, The IIA states, "The purpose of the Institute's Code of Ethics is to promote an ethical culture in the profession of internal auditing." Recently, The IIA went a step further by specifying that "certified individuals are required to complete two CPE hours (each year) focused on the subject of ethics."
As I noted earlier, I do not believe that the internal audit profession has an "ethics problem." Let's all work hard to make sure it stays that way.