Professional Ethics, Code of Conduct, and Integrity of IT Auditors

Ethics and a code of conduct are both intended to control behavior, but they are different. Ethics are value statements that help an auditor make decisions. A code of conduct outlines expected behaviors and mandated actions for a specific situation. For example, an ethical value statement may say that auditors must maintain their independence. The code of conduct may say that auditors may not accept gifts. In this way, ethics and a code of conduct complement each other. In this example, by not allowing gifts that may influence an auditor’s opinion, auditors can maintain their independence.

In addition to having the required knowledge base, being ethical is essential to the auditing profession since organizations must place a high level of dependability and reliance on an IT auditor’s work. At its core, ethics is about having an independent, unbiased, fair, and balanced opinion.

Professional organizations for IT auditors, such as ISACA and the IIA, also have codes of ethics that promote an ethical culture in the profession of IT auditing and that are adopted by organizations that provide auditing services. The IIA, for example, has four key principles within its code of conduct that auditors are expected to uphold:

  • Integrity—The integrity of IT auditors establishes trust and thus provides the basis for reliance on their judgment. Auditors with integrity shall

    • Perform their work with honesty, diligence, and responsibility;

    • Observe the law and make disclosures expected by the law and the profession;

    • Not knowingly be a party to any illegal activity or engage in acts that are discreditable to the profession of internal auditing or the organization; and

    • Respect and contribute to the legitimate and ethical objectives of the organization.

  • Objectivity—IT auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments.

    • Objective auditors shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment. This participation includes those activities or relationships that may conflict with the interests of the organization.

    • Objective auditors shall not accept anything that may impair or be presumed to impair their professional judgment.

    • Objective auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under review.

  • Confidentiality—IT auditors respect the value, sensitivity, and ownership of information they receive and do not disclose information without appropriate authority. Auditors upholding confidentiality shall

    • Be prudent in the request, use, and protection of information acquired in the course of their duties; and

    • Not use the information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.

  • Competency—IT auditors apply the knowledge, skills, and experience needed in the performance of internal audit services. Competent auditors shall

    • Engage only in those services for which they have the necessary knowledge, skills, and experience;

    • Perform internal audit services per the International Standards for the Professional Practice of Internal Auditing; and

    • Continually improve their proficiency and the effectiveness and quality of their services.

IT auditing must provide independent and objective assurance by following these principles. Auditors are not there to criticize the organization, but to add value by improving operations so that the organization can be successful moving forward. Therefore, it is vital that they do not approach the work with an agenda but retain a fair and balanced position. A properly executed audit will ultimately help an organization achieve its goals by establishing a methodical approach to assess the efficacy of an organization’s risk management, control, and governance processes.

Ethical Independence

Understanding the importance of independence is still crucial in obtaining accurate results as well as instilling confidence in the results. Independent auditors should not have a vested interest in the outcome of the audit, such as the auditor being a direct report to those being audited.

Prior to executing an audit, IT auditors should identify possible impacts to independence, address any potential hindrances to independence compliance, and then convey the potential effect of residual hindrances to the appropriate parties.

In the audit world, the term “independence” means autonomy from situations that can hinder the auditor from performing risk assessment and other auditing tasks without bias. In simple terms, it means being fair-minded. To accurately perform the requirements of the IT audit, the auditor must have a certain level of independence from higher-ups. A system of checks and balances is a great way to achieve this. For example, a system of dual reporting on both ends can be developed. Risks must be managed at all access levels.

A conflict of interest may occur if a member performs a professional service for a client or employer and the member or his or her firm has a relationship. If the member believes that the professional service can be performed with objectivity, and the relationship is disclosed to and consent is obtained from such client, employer, or other appropriate parties, the rule shall not operate to prohibit the performance of the professional service.
