Implementation Guide

Code of Ethics: Integrity

IIA Code of Ethics Principle 1: Integrity

The integrity of internal auditors establishes trust and thus provides the basis for reliance on
their judgment.

Rules of Conduct
Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

1.2. Shall observe the law and make disclosures expected by the law and the profession.

1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are
discreditable to the profession of internal auditing or to the organization.

1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

Getting Started
The International Standards for the Professional Practice of Internal Auditing require conformance with
the Code of Ethics, comprising four principles. Each principle is accompanied by rules of conduct that
internal auditors must implement to properly demonstrate the principle. This implementation guide is
intended to demonstrate how to achieve conformance with the principle of integrity.

Integrity is the foundation of the other three principles in The IIA’s Code of Ethics; objectivity,
confidentiality, and competency all depend on integrity. Integrity also underpins the Standards. The
rules of conduct related to each Code of Ethics principle help internal auditors translate the principle
into practical behavioral norms.

1
 Implementation Guide: Code of Ethics | Integrity

Internal auditors including the chief audit executive (CAE) may find it helpful to regularly review the
IPPF to understand the expectations related to “diligence” and “responsibility” as described in Rule 1.1.
Several standards and implementation guides describe the concepts and related requirements.

To implement Rules 1.2 and 1.3, internal auditors must become familiar with the laws and regulations
relevant to the industry and jurisdictions within which the organization operates. To implement Rule 1.4,
internal auditors start by identifying the organization’s mission, objectives, and ethical values, usually
found in annual strategic plans, employee handbooks, and/or policy manuals.

Considerations for Implementation

Chief Audit Executive
According to Standard 2000 – Managing the Internal Audit Activity, the CAE must ensure that the
internal audit activity achieves the purpose and fulfills the responsibility included in the internal audit
charter and that its individual members conform with the Code of Ethics and the Standards. As the
leader of the internal audit activity, the CAE should cultivate a culture of integrity by acting with integrity
and adhering to the Code of Ethics.

The CAE also establishes policies and procedures to guide the internal audit activity, according to
Standard 2040. When these are implemented, the internal audit activity is able to show diligence and
responsibility. The CAE may bring about awareness and accountability by requiring internal auditors to
acknowledge in writing that they have reviewed and understood such policies and procedures.
Typically, the organization collects signed acknowledgements of its code of conduct and ethics policy
from all employees, and the CAE may require internal auditors to acknowledge in writing their
agreement to follow The IIA’s Code of Ethics and any additional ethics-related policies specific to the
internal audit activity, such as disclosures of conflicts of interest. The organization and the CAE may
also emphasize the importance of integrity by providing training that demonstrates integrity and other
ethical principles in action; for example, discussing situations that require making ethical choices.

Effectively managing the internal audit activity includes proper engagement supervision and periodic
reviews of internal auditors’ performance, which provide opportunities to discuss how integrity may be
challenged and applied in real situations. For example, supervision includes the approval of work
programs before fieldwork begins and a review of the engagement workpapers and results. These are
chances for supervisors to discuss any situations that may call integrity into question and to guide
internal auditors. In addition, the CAE should maintain a working environment in which internal auditors
feel supported when expressing legitimate, evidence-based observations, conclusions, and opinions,
even if they are not favorable.

2
 Implementation Guide: Code of Ethics | Integrity

Individual Internal Auditors

Integrity may be considered primarily a personal attribute of individual internal auditors, making it
difficult to measure, enforce, or guarantee. In simple terms, internal auditors are expected to tell the
truth and do the right thing, even when it is uncomfortable or difficult to do so and avoiding taking
appropriate actions might seem easier (e.g., concealing or omitting observations from an engagement
report). The best attempts to identify and measure integrity likely involve astute awareness and
understanding of the Code of Ethics’ rules of conduct for integrity, the IPPF’s Mandatory Guidance, and
supporting practices.

With regard to Rule 1.1, internal auditors should pay particular attention to information about diligence
and responsibility, as described in Standard 1200 – Proficiency and Due Professional Care, Standard
1220 – Due Professional Care, and the associated implementation standards and implementation
guides. Rule 1.2 requires internal auditors to observe the law and to make disclosures expected by the
law and the profession. Rule 1.3 explicitly calls for internal auditors to never knowingly be a party to any
illegal activity. The rule extends beyond simply illegal acts to include “acts that would be considered
discreditable to the profession of internal auditing or to the organization.”

For internal auditors, behaviors that may not be illegal but may be discreditable include:

• Behavior that may be considered bullying, harassing, or discriminatory.

• Failing to accept responsibility for making mistakes.
• Issuing false reports or permitting others to do so.
• Lying.
• Making claims about one’s competency in a manner that is deceptive, false, or misleading.
• Making disparaging comments about the organization, fellow employees, or its stakeholders,
either in person or via media (e.g., in publications or social media posts).
• Minimizing, concealing, or omitting observations or unsatisfactory conclusions and ratings
from engagement reports or overall assessments.
• Noncompliance with the Standards and other IPPF Mandatory Guidance.
o Performing internal audit services for which one is not competent.
o Performing internal audit services with undeclared impairments to independence and
objectivity.
o Soliciting or disclosing confidential information without proper authorization.

3
 Implementation Guide: Code of Ethics | Integrity

o Stating that the internal audit activity is operating in conformance with the Standards
when the assertion is not supported by the results of the quality assurance and
improvement program. 1
• Overlooking illegal activities that the organization may tolerate or condone.
• Using the CIA designation or other credentials after they have expired or been revoked.

Some behavioral expectations may be codified in the policies of the internal audit activity and/or the
organization (i.e., human resources and legal policies). In addition to conforming with The IIA’s Code of
Ethics and other IPPF Mandatory Guidance, internal auditors should adhere to the ethics policy, code
of conduct, values statement, and other policies and procedures established by the internal audit
activity and the organization. Additionally, internal auditors must abide by the laws and regulations
relevant to the industry and jurisdictions within which the organization operates. The CAE and internal
auditors should strive to behave in a manner that is above reproach.

Internal auditors are expected to add value to the organization, and this expectation is codified in Code
of Ethics Rule 1.4, which says that internal auditors shall respect and contribute to the legitimate and
ethical objectives of the organization. This aspect of integrity is emphasized in the Mission of Internal
Audit and throughout the IPPF. For example, internal auditors should consider how strategies and
objectives align with the organization’s mission and values and should identify opportunities to make
significant improvements to its governance, risk management, and control processes.

Internal auditors may support their understanding of the Code of Ethics and their ability to conform with
its tenets by participating in ethics-focused continuing professional education/development (CPE/CPD).
The IIA requires holders of its certifications and qualifications to complete ethics training and attest to
conformance with The IIA’s Code of Ethics each reporting period. Professionals should maintain up-to-
date awareness about the requirements relevant to their credentials because failing to fulfill them may
jeopardize their permission to use the credentials until the deficiency is corrected.

Considerations for Demonstrating Conformance

Chief Audit Executive
As part of sustaining integrity, the CAE should maintain a quality assurance and improvement program
and should report on the results of the program, including instances of nonconformance, to senior
management and the board, in accordance with the 1300 series of standards. This evidence, along with
internal audit policies and procedures, also demonstrate that the CAE’s management of the internal

1 For more information, see Implementation Guide 1321 – Use of “Conforms with the International Standards for
the Professional Practice of Internal Auditing.”

4
 Implementation Guide: Code of Ethics | Integrity

audit activity supports its integrity. Through a quality assurance and improvement program, the CAE’s
conformance with the integrity principle and rules of conduct may be independently validated.

Individual Internal Auditors

Internal auditors and the internal audit activity demonstrate integrity through adherence to the
processes that support conformance with the integrity principle and its rules of conduct and through
conformance with the Standards, especially the specific standards mentioned in this guide.
Nonconformance may indicate that integrity is lacking.

Forms of acknowledgment, signed by individual internal auditors, demonstrate that internal auditors
have committed to follow the organization’s ethics policy or code of conduct, relevant laws and
regulations, and The IIA’s Code of Ethics and other IPPF Mandatory Guidance. In addition, the CAE
may have records of internal auditors’ participation in workshops, webinars, or meetings where ethical
issues were discussed. CPE/CPD credits also provide evidence supporting an individual’s commitment
to maintaining and improving ethical awareness.

The internal audit activity as a whole demonstrates integrity through diligent supervision of
engagements and performance of the self-assessments required by the Standards. Documented
engagement plans, workpapers, and the results of post-engagement surveys that solicit the opinions of
management and the board may indicate whether the information provided by internal auditors is useful
and helps the organization reach its goals and whether communications are constructive. Additional
performance metrics may indicate that work has been performed with diligence and responsibility.

Applicability and Enforcement of the Code of Ethics

This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code
of Ethics will be evaluated and administered according to The IIA’s Bylaws and the Process for
Disposition of Code of Ethics Violation and Process for Disposition of Certification Violation. The fact that
a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being unacceptable
or discreditable, and therefore, the member, certification holder, or candidate can be liable for disciplinary
action.

5
Implementation Guide: Code of Ethics | Integrity

About The IIA

The Institute of Internal Auditors (The IIA) is the internal audit profession’s most widely recognized advocate,
educator, and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more
than 190,000 members from 170 countries and territories. The association’s global headquarters is in Lake Mary,
Fla., USA. For more information, visit www.globaliia.org.

About Implementation Guidance

Implementation Guidance, as part of The IIA’s International Professional Practices Framework® (IPPF®), provides
Recommended Guidance (nonmandatory) for the internal audit profession. It is designed to assist both internal
auditors and internal audit activities to enhance their ability to achieve conformance with the International Standards
for the Professional Practice of Internal Auditing.

Implementation Guides describe considerations that may be applied and actions that may be taken to implement
The IIA’s Mandatory Guidance. Implementation Guides do not detail programs, processes, procedures, or tools.

For other authoritative guidance materials provided by The IIA, please visit our website at
https://globaliia.org/standards-guidance.

About The IIA’s Code of Ethics

The IIA’s Code of Ethics comprises two essential components:

• Four principles relevant to the profession and practice of internal auditing.

• Rules of conduct for each principle that describe behavioral norms expected of internal auditors.

The purpose of The IIA’s Code of Ethics is to promote an ethical culture in the profession of internal auditing.

The complete Code of Ethics may be found at https://globaliia.org/standards-guidance/mandatory-

guidance/Pages/Code-of-Ethics.aspx.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended
to provide definitive answers to specific individual circumstances. The IIA recommends seeking independent expert
advice related to specific situations. The IIA accepts no responsibility for anyone placing sole reliance on this
guidance.

Copyright
Copyright© 2019 by The Institute of Internal Auditors, Inc. All rights reserved. For permission to reproduce, please
contact [email protected].

February 2019