Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | albashatariq@outlook.

com

CIA Part 1 - Section I - Foundations of Internal Auditing

The IIA Code of Ethics
Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE
[email protected]
19-Aug-22

Section # Section Title # of Q

Section 1 The Code of Ethics Overview 6.00
Section 2 The four principles in the Code of Ethics 8.00
Section 3 The IIA Code of Ethics 12.00
Section 4 The IIA Code of Ethics Components 3.00
Section 5 Rules of Conduct - [1] Integrity 8.00
Section 6 Rules of Conduct - [2] Objectivity 28.00
Section 7 Rules of Conduct - [3] Confidentiality 10.00
Section 8 Rules of Conduct - [4] Competency 13.00
Section 9 Violation of Rules of Conduct 1.00
Section 10 Applicability and Enforcement of the Code of Ethics 2.00
Section 11 No violation of either the Code of Ethics or the Standards 19.00
Total 110.00

Section #1: The Code of Ethics Overview

The Code of Ethics applies to both individuals and entities that perform internal audit services.
The Code of Ethics is an ethical guide for internal auditors and does not provide specific guidance nor does it
The Code of Ethics prescribe defined actions because an auditor faces many different types of ethical situations.
However, the rules of conduct related to each principle in the Code of Ethics help internal auditors translate the
principle into practical behavioral norms that can be used on a day-to-day basis.

Test Bank

Q1
To those who perform internal audit services, the Code of Ethics applies
A Only individuals.
B Only entities.
C Only tax authorities.
D Both individuals and entities.

Q2
Which of the following statements is true about the Code of Ethics?
A The Code of Ethics is an ethical guide for internal auditors.
B The Code of Ethics provides specific guidance.
C The Code of Ethics prescribes defined actions.
D All of the choices are correct.

Q3
Which of the following statements is true about the Code of Ethics?
A The Code of Ethics is not an ethical guide for internal auditors.
B The Code of Ethics does not provide specific guidance.
C The Code of Ethics prescribes defined actions.
D All of the choices are correct.

Q4
Which of the following statements is true about the Code of Ethics?
A The Code of Ethics is not an ethical guide for internal auditors.

Page 1 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

B The Code of Ethics provides specific guidance.

C The Code of Ethics does not prescribe defined actions.
D All of the choices are correct.

Q5
Which of the following statements is true about the Code of Ethics?
A The Code of Ethics is an ethical guide for internal auditors.
B The Code of Ethics does not provide specific guidance.
C The Code of Ethics does not prescribe defined actions.
D All of the choices are correct.

Q6
The Code of Ethics is an ethical guide for internal auditors and does not provide specific guidance nor does it
prescribe defined actions because
A An auditor faces many different types of ethical situations.
B An auditor does not face many different types of ethical situations.
C An auditor will not face many different types of ethical situations.
D An auditor might not face many different types of ethical situations.

Answers

Q1 Both individuals and entities. D

Q2 The Code of Ethics is an ethical guide for internal auditors. A
Q3 The Code of Ethics does not provide specific guidance. B
Q4 The Code of Ethics does not prescribe defined actions. C
Q5 All of the choices are correct. D
Q6 An auditor faces many different types of ethical situations. A

Section #2: The four principles in the Code of Ethics

1) Integrity.
The four principles 2) Objectivity.
in the Code are: 3) Confidentiality.
4) Competency.

The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

Integrity Auditors should behave in a way that reflects positively on the auditor individually, the IAA, and the profession.

As per the IG, integrity is the foundation of the other three principles, and integrity also underpins the
Standards.
Auditors should make decisions based on facts and information and not on their personal preferences or
Objectivity feelings.
Objectivity should be used in gathering, evaluating, and communicating information.
Auditors will learn many things that should be kept confidential.
When in doubt, auditors should err on the side of not sharing information, rather than incorrectly sharing
Confidentiality information that should not be shared.
Internal auditors respect the value and ownership of information they receive and do not disclose information
without appropriate authority unless there is a legal or professional obligation to do so.
Competency Internal auditors should have the necessary skills, knowledge, and experience to perform their work.

The four principles in the Code of Ethics

Page 2 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Q1
According to the IIA Code of Ethics, which of the following are four principles relevant to the professional care
that internal auditors should apply in their practice of internal auditing?
A Integrity, objectivity, confidentiality, and competency.
B Judgment, interest, authority, and experience.
C Reliance, evaluation, information, and service.
D Trust, communication, value, and performance.

Q2
In complying with The IIA Code of Ethics, an internal auditor should
A Go beyond the limitation of personal technical skills to advance the interest of the organization.
B Use individual judgment in the application of the principles set forth in the Code.
C Respect and contribute to the objectives of the organization even if it is engaged in illegal activities.
D Primarily apply the competency principle in establishing trust.

Q3

According to The IIA’s Code of Ethics, which of the following principles is relevant to the establishment of trust?

A Confidentiality.
B Competency.
C Integrity.
D Objectivity.

Q4
As per the implementation guide (IG), which of the following principles is the foundation of the other three
principles, and it also underpins the Standards?
A Confidentiality.
B Competency.
C Integrity.
D Objectivity.

Q5
According to The IIA’s Code of Ethics, which of the following principles is be used in gathering, evaluating, and
communicating information?
A Confidentiality.
B Competency.
C Integrity.
D Objectivity.

Q6

According to The IIA’s Code of Ethics, which of the following principles is relevant to that internal auditors
should make decisions based on facts and information and not on their personal preferences or feelings?

A Confidentiality.
B Competency.
C Integrity.
D Objectivity.

Q7
According to The IIA’s Code of Ethics, which of the following principles is relevant to that internal auditors
respect the value and ownership of information they receive and do not disclose information without
appropriate authority unless there is a legal or professional obligation to do so?
A Confidentiality.

Page 3 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

B Competency.
C Integrity.
D Objectivity.

Q8
According to The IIA’s Code of Ethics, which of the following principles is relevant to that internal auditors
should have the necessary skills, knowledge, and experience to perform their work?
A Confidentiality.
B Competency.
C Integrity.
D Objectivity.

Answers

Q1 Integrity, objectivity, confidentiality, and competency. A

Q2 Use individual judgment in the application of the principles set forth in the Code. B
Q3 Integrity. C
Q4 Integrity. C
Q5 Objectivity. D
Q6 Objectivity. D
Q7 Confidentiality. A
Q8 Competency. B

Section #3: The IIA Code of Ethics

The Code of Ethics states the principles and expectations governing the behavior of individuals and
organizations in the conduct of internal auditing.
Paragraph #1

It describes the minimum requirements for conduct, and behavioral expectations rather than specific activities.

Introduction to the Code of Ethics

The purpose of The Institute’s Code of Ethics is to promote an ethical culture in the profession of internal
Paragraph #2
auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and
improve an organization’s operations.
Paragraph #3
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and
improve the effectiveness of risk management, control, and governance processes.
A code of ethics is necessary and appropriate for the profession of internal auditing, founded as it is on the trust
Paragraph #4
placed in its objective assurance about governance, risk management, and control.
The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:
1) Principles that are relevant to the profession and practice of internal auditing.
Paragraph #5
2) Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal
auditors.
“Internal auditors” refers to Institute members, recipients of or candidates for IIA professional certifications,
Paragraph #6
and those who perform internal audit services within the Definition of Internal Auditing.

Applicability and Enforcement of the Code of Ethics

Paragraph #7 This Code of Ethics applies to both entities and individuals that perform internal audit services.

Page 4 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics
will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives.
Paragraph #8
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for
disciplinary action.

Principles

Paragraph #9 Internal auditors are expected to apply and uphold the following principles:

1. Integrity

Paragraph #10 The integrity of internal auditors establishes trust and thus provides the basis for reliance on their judgment.

2. Objectivity

Internal auditors exhibit the highest level of professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined.
Paragraph #11
Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by
their own interests or by others in forming judgments.

3. Confidentiality

Internal auditors respect the value and ownership of information they receive and do not disclose information
Paragraph #12
without appropriate authority unless there is a legal or professional obligation to do so.

4. Competency

Internal auditors apply the knowledge, skills, and experience needed in the performance of internal auditing
Paragraph #13
services.

Test Bank

Q1
The code of ethics of a professional organization sets forth
A The organizational details of the profession's governing body.
B A list of illegal activities that are proscribed to the members of the profession.
C A basis for the measurement of internal audit performance.
D Broad standards of conduct for the members of the organization

Q2
The Rules of Conduct set forth in The IIA Code of Ethics:
A Describe behavior norms expected of internal auditors.
B Are interpreted by the Principles.
C Are guidelines to assist internal auditors in dealing with engagement clients.
D Apply only to particular conduct specifically mentioned.

Q3
In analyzing the differences between two recently merged businesses, the chief audit executive (CAE) of
Organization A notes that it has a formal code of ethics and Organization B does not.

Page 5 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

The code of ethics covers such things as purchase agreements, relationships with vendors, and other issues.

Its purpose is to guide individual behavior within the firm.

Which of the following statements regarding the existence of the code of ethics in A can be logically inferred?

I. A exhibits a higher standard of ethical behavior than does B.

II. A has established objective criteria by which an individual’s actions can be evaluated.
III. The absence of a formal code of ethics in B would prevent a successful review of ethical behavior in that
organization.
A II and III.
B II only.
C I and II.
D III only.

Q4
An internal auditor who encounters an ethical dilemma not explicitly addressed by the IIA’s Code of Ethics
should always:

A Seek counsel from an independent attorney to determine the personal consequences of potential actions.

B Take action consistent with the principles embodied in The IIA’s Code of Ethics.
C Seek the counsel of the audit committee before deciding on an action.
Act consistently with the employing organization’s code of ethics, even if such action would not be consistent with
D
The IIA’s Code of Ethics.

Q5
Today’s internal auditor will often encounter a wide range of potential ethical dilemmas, not all of which are
explicitly addressed by The IIA’s Code of Ethics.
If the internal auditor encounters such a dilemma, the internal auditor should always
A Apply and uphold the principles embodied in The IIA Code of Ethics.
Act consistently with the code of ethics adopted by the organization even if such action is not consistent with The
B
IIA's Code of Ethics.
C Seek the counsel of the board before deciding on an action.
D Seek counsel from an independent attorney to determine the personal consequences of potential actions.

Q6
An accounting association established a code of ethics for all members.
What is one of the association's primary purposes for establishing the code of ethics?

A To provide a framework within which accounting policies could be effectively developed and executed.

B To establish standards to follow for effective accounting practice.

C To outline criteria that can be used in conducting interviews of potential new accountants.
D To outline criteria for professional behavior to maintain standards of integrity and objectivity.

Q7
The degree of voluntary compliance with an organization’s adopted code of ethics is a measure of the
A Organization’s ethical culture.
B Integrity of the organization’s professionals.
C Standards of competence of all members.
D Cohesion and professionalism of an organization.

Q8
The best reason for establishing a code of conduct within an organization is that such codes

Page 6 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

A Provide a quantifiable basis for personnel evaluations.

B Are typically required by governments.
C Express standards of individual behavior for members of the organization.
D Have tremendous public relations potential.

Q9
A formal code of ethics should do all of the following except
A Communicate the organization’s value system to outsiders.
B Provide a method of policing and disciplining members of the organization for violations.
C Reflect only legal standards of conduct for individuals and the organization.
D Effectively communicate acceptable values to all members.

Q10
A typical code of ethical conduct for financial managers or management accountants in an organization
requires all of the following except
A Independence from conflicts of professional interest.
B Subjectivity in presenting information, preparing reports, and making analyses.
C Integrity and a refusal to compromise professional values for the sake of personal goals.
D Independence from conflicts of economic interest

Q11
The Rules of Conduct in The IIA’s Code of Ethics are
A Organized based on the principles of integrity, authority, capability, and objectivity.
B Intended to guide the ethical conduct of internal auditors.
C Used to measure compliance with The IIA’s Core Principles.
D Used to approve decisions regarding the appointment and removal of the chief audit executive (CAE).

Q12
What do internal auditors mean in the IIA Code of Ethics?
They refer to Institute members, recipients of or candidates for IIA professional certifications, and those who
A
perform internal audit services within the Definition of Internal Auditing.
B They only refer to institue members.
C They only refer to recipients of IIA professional certifications.
D They only refer to candidates for IIA professional certifications.

Answers

Q1 Broad standards of conduct for the members of the organization D

Q2 Describe behavior norms expected of internal auditors. A
Q3 II only. B
Q4 Take action consistent with the principles embodied in The IIA’s Code of Ethics. B
Q5 Apply and uphold the principles embodied in The IIA Code of Ethics. A
To outline criteria for professional behavior to maintain standards of integrity and
Q6 D
objectivity.
Q7 Cohesion and professionalism of an organization. D
Q8 Express standards of individual behavior for members of the organization. C
Q9 Reflect only legal standards of conduct for individuals and the organization. C
Q10 Subjectivity in presenting information, preparing reports, and making analyses. B
Q11 Intended to guide the ethical conduct of internal auditors. B
They refer to Institute members, recipients of or candidates for IIA professional
Q12 certifications, and those who perform internal audit services within the Definition of A
Internal Auditing.

Section #4: The IIA Code of Ethics Components

Page 7 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

The Institute’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components:
The IIA Code of 1) Principles that are relevant to the profession and practice of internal auditing.
Ethics Components 2) Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal
auditors.

Test Bank

Q1
The IIA’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components.
Which item below is one of these components?
A Principles that are relevant to the profession and practice of internal auditing.
B Activities that provide the organization with assurance and consulting services.
C Provision of quality criteria for evaluating the internal audit function’s performance
D Government of the responsibilities, attitudes, and actions of the organization’s internal audit activity.

Q2
The IIA’s Code of Ethics extends beyond the Definition of Internal Auditing to include two essential
components.
Which item below is one of these components?
A Rules of Conduct that describe behavior norms expected of internal auditors.
B Activities that provide the organization with assurance and consulting services.
C Provision of quality criteria for evaluating the internal audit function’s performance
D Government of the responsibilities, attitudes, and actions of the organization’s internal audit activity.

Q3
Which of the following statements is true about the two essential components of the Institute’s Code of Ethics?

I. Principles that are relevant to the profession and practice of internal auditing.
II. Rules of Conduct that describe behavior norms expected of internal auditors. These rules are an aid to
interpreting the Principles into practical applications and are intended to guide the ethical conduct of internal
auditors.
A I only.
B II only.
C Both I and II.
D Neither I nor II.

Answers

Q1 Principles that are relevant to the profession and practice of internal auditing. A
Q2 Rules of Conduct that describe behavior norms expected of internal auditors. A
Q3 Both I and II. C

Rules of Conduct [summary from The IIA’s Implementation Guides]

Section #5: Rules of Conduct - [1] Integrity

1.1. Shall perform their work with honesty, diligence, and responsibility.
1.2. Shall observe the law and make disclosures expected by the law and the profession.
Internal auditors:

Page 8 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Internal auditors: 1.3. Shall not knowingly be a party to any illegal activity, or engage in acts that are discreditable to the profession
of internal auditing or to the organization.
1.4. Shall respect and contribute to the legitimate and ethical objectives of the organization.

Internal auditors including the chief audit executive (CAE) may find it helpful to regularly review the IPPF to
1.1 Explanation
understand the expectations related to “diligence” and “responsibility” as described in Rule 1.1.

1.2 & 1.3 To implement Rules 1.2 and 1.3, internal auditors must become familiar with the laws and regulations relevant to
Explanation the industry and jurisdictions within which the organization operates.

To implement Rule 1.4, internal auditors start by identifying the organization’s mission, objectives, and ethical
1.4 Explanation
values, usually found in annual strategic plans, employee handbooks, and/or policy manuals.

Test Bank

The IIA Code of Ethics - Rules of Conduct - [1] Integrity - 1.1

Q1
An internal auditor has discovered mathematical errors in their workpapers.
Reporting the error would require an extensive amount of rework.
The internal auditor decides to not say anything and leaves the errors.
The internal auditor’s actions are in violation of The IIA’s Code of Ethics.
What did the internal auditor fail to do?
A Engage in services for which they have sufficient knowledge and experience.
B Observe the law and report the disclosures expected by the law and the profession.
C Protect the information acquired in the course of their duties.
D Perform the work with honesty, diligence, and responsibility.

Q2
The Rule of Conduct requirement for internal auditors to “perform their work with honesty, diligence, and
responsibility” falls under which core principle of The IIA’s Code of Ethics?
A Competency.
B Confidentiality.
C Integrity.
D Objectivity.

Q3
The IIA’s Code of Ethics requires internal auditors to perform their work with
A Knowledge, skills, and competencies.
B Timeliness, sobriety, and clarity.
C Punctuality, objectivity, and responsibility.
D Honesty, diligence, and responsibility.

Q4
Every day, acts of integrity are seen in the workplace.
Which workplace situation presented below most likely violates The IIA’s Code of Ethics core principle of
integrity?
An employee, hired to work full-time, has had to reduce work hours to help care for her elderly mother. The
A employee has kept her supervisor and human resources informed, is productive when in the office, and always
punches out when not at work.
The director of internal auditing is quick to take responsibility for the department when his team fails to perform.
B
The director also is quick to recognize and praise his team when the job is done well.

Page 9 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

A first-year internal auditor was having difficulty completing assignments on time. The employee’s supervisor
C arranged for the employee to have more training. Additionally, the supervisor developed a more structured work
schedule with intermediary deadlines for the employee.
The internal audit manager is required to file work performance reports every morning. The manager continually
D comes in late and leaves work early. One of the manager’s direct reports stays late every night to complete the
performance reports on behalf of the manager.

Q5
A newly hired CAE discovered the CFO is paying personal expenses through the organization.
Upon further investigation, the CAE found that the CFO is submitting these expenses as research and
development.
The CFO has worked for the organization for 15 years.
The CAE immediately notified the audit committee.
The CAE
A Violated the Code of Ethics principle of objectivity.
B Upheld the Code of Ethics principle of integrity.
C Violated the Code of Ethics principle of integrity.
D Violated the Code of Ethics principle of confidentiality.

The IIA Code of Ethics - Rules of Conduct - [1] Integrity - 1.2

Q6
An auditor who shall observe the law and make disclosures expected by the law is following the IIA’s Code of
Ethics Core Principle of
A Competency.
B Objectivity.
C Integrity.
D Responsibility.

The IIA Code of Ethics - Rules of Conduct - [1] Integrity - 1.3

Q7
The Rule of Conduct requirement for internal auditors to “shall not knowingly be a party to any illegal activity,
or engage in acts that are discreditable to the profession of internal auditing or to the organization” falls under
which core principle of The IIA’s Code of Ethics?
A Competency.
B Confidentiality.
C Integrity.
D Objectivity.

The IIA Code of Ethics - Rules of Conduct - [1] Integrity - 1.4

Q8
According to the IIA Code of Ethics, the principle of integrity requires internal auditors to do which of the
following?
A Be prudent in the use and protection of the information acquired in the course of their duties.
B Not accept anything that may impair or be presumed to impair their professional judgment.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Continually improve their proficiency, effectiveness, and quality of services.

Answers

Q1 Perform the work with honesty, diligence, and responsibility. D

Page 10 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Q2 Integrity. C
Q3 Honesty, diligence, and responsibility. D
The internal audit manager is required to file work performance reports every morning.
The manager continually comes in late and leaves work early. One of the manager’s direct
Q4 D
reports stays late every night to complete the performance reports on behalf of the
manager.
Q5 Upheld the Code of Ethics principle of integrity. B
Q6 Integrity. C
Q7 Integrity. C

Q8 Respect and contribute to the legitimate and ethical objectives of the organization. C

Section #6: Rules of Conduct - [2] Objectivity

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
assessment. This participation includes those activities or relationships that may be in conflict with the interests of
the organization.
Internal auditors:
2.2. Shall not accept anything that may impair or be presumed to impair their professional judgment.
2.3. Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities
under review.
Objectivity is so essential in the internal audit profession that it is specifically mentioned within each element of
the Mandatory Guidance and in the Mission of Internal Audit.
Explanation
The Rules of Conduct and the Standards related to objectivity describe specific actions internal auditors must take
to implement this principle.

Test Bank

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.1

Q1
Which of the following concurrent occupations could appear to subvert the ethical behavior of an internal
auditor?

A Internal auditor and adjunct faculty member of a local business college that educates potential employees.

B Internal auditor and a well-known charitable organization’s local in-house chairperson.

C Internal auditor and part-time business insurance broker.
Internal auditor and landlord of multiple housing that publicly advertises for tenants in a local community
D
newspaper listing monthly rental fees.

Q2

Objectivity is an ethical requirement for all persons engaged in the professional practice of internal auditing.

One aspect of objectivity requires

A Refraining from using confidential information for unethical or illegal advantage.
B Performance of professional duties in accordance with relevant laws.
C Avoidance of conflict of interest.
D Maintenance of an appropriate level of professional expertise.

Q3

Which of the following actions by an internal auditor is most likely a violation of The IIA Code of Ethics?

A Accepting a small gift of insignificant value from a customer of his/her organization.

B Accepting payment for teaching auditing at a local university.

Page 11 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

C Allowing use of the Certified Internal Auditor designation in a context not involving his/her employment.

D Having a material ownership interest in a competitor.

Q4
A staff auditor has been assigned to the Treasury audit for the second consecutive year.

The auditor confirmed investment securities held by a brokerage house and realized that several large
securities were improperly used as collateral for personal loans a few years ago by the current Treasurer.

Last year the staff auditor had mistak-enly signed off on the audit steps involving the confirmations and
verification of the securities without completing all of the steps.
The audit manager also mistakenly signed off on the review last year.

When the error was detected this year, the audit manager commented that "it was an error, but the loan has
been repaid, and the securities returned. We have corrected the control weakness, and I'm positive it will not
happen again. Pursuit of this issue will be an embarrass-ment to everyone involved. Leave it like it is. "

As a staff auditor, which of the following actions would be considered a violation of the Standards or Code of
Ethics?
A Discuss the matter with the audit director without further discussion with the audit manager.

B Inform the audit manager that you will be including the information in your working papers as an audit finding.

C Resign from the audit department and company if further action is not taken on the matter.
D Disclose the matter to the external auditor without further discussion.

Q5

An internal auditor for a large regional bank was asked to serve on the board of directors of a local bank.

The bank competes in many of the same markets as the regional bank but focuses more on consumer financing
than on business financing.
In accepting this position, the internal auditor:
I. Violates The IIA Code of Ethics because serving on the board may be in conflict with the best interests of the
internal auditor's employer.
II. Violates The IIA Code of Ethics because the information gained while serving on the board of directors of the
local bank may influence recommendations regarding potential acquisitions.
A II only.
B I only.
C I and II.
D Neither I nor II.

Q6
According to the IIA Code of Ethics, the principle of Objectivity requires internal auditors to do which of the
following?
Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
A assessment. This participation includes those activities or relationships that may be in conflict with the interests of
the organization.
B Shall be prudent in the use and protection of information acquired in the course of their duties.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Continually improve their proficiency, effectiveness, and quality of services.

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.2

Q7

Page 12 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

An internal auditor engages in the preparation of income tax forms during the tax season.
For which of the following activities will the internal auditor most likely be in violation of The IIA’s Code of
Ethics?
A Teaching an evening tax seminar, for a fee, at a local university.
B Preparing tax returns for elderly citizens, regardless of their associations, as a public service.
C Preparing the personal tax return, for a fee, for one of the organization’s division managers.
D Writing a tax guide intended for publication and sale to the general public.

Q8
A CIA is working in a noninternal-auditing position as the director of purchasing.
The CIA signed a contract to procure a large order from the supplier with the best price, quality, and
performance.

Shortly after signing the contract, the supplier presented the CIA with a gift of significant monetary value.

Which of the following statements regarding the acceptance of the gift is true?
Because the contract was signed before the gift was offered, acceptance of the gift does not violateeither The
A
IIA’s Code of Ethics or the organization’s code of conduct.
B Acceptance of the gift is prohibited only if it is not customary.
Because the CIA is no longer acting as an internal auditor, acceptance of the gift is governed only by the
C
organization’s code of conduct.
D Acceptance of the gift violates The IIA’s Code of Ethics and is prohibited for a CIA.

Q9
An internal auditor has been assigned to an engagement at a foreign subsidiary.
The internal auditor is aware that the social climate of the country is such that “facilitating payments” (bribes)
are an accepted part of doing business.
The internal auditor has completed the engagement and has found significant weaknesses relating to important
controls.
The subsidiary’s manager offers the internal auditor a substantial “facilitating payment” to omit the
observations from the final engagement communication with a provision that the internal auditor could revisit
the subsidiary in 6 months to verify that the problem areas have been properly addressed.
The internal auditor should
A Not accept the payment because such acceptance is in conflict with the Code of Ethics.
Accept the offer because it is consistent with the ethical concepts of the country in which the subsidiary is doing
B
business.
Accept the payment because it has the effect of doing the greatest good for the greatest number; the internal
C auditor is better off, the subsidiary is better off, and the organization is better off because there is strong
motivation to correct the deficiencies.
D Not accept the payment, but omit the observations as long as a verification visit is made in 6 months.

Q10
An internal auditing team has made observations and recommendations that should significantly improve a
division’s operating efficiency.
Out of appreciation of this work, and because it is the holiday season, the division manager presents the in-
charge internal auditor with a gift of moderate value.
Which of the following best describes the action prescribed by The IIA Code of Ethics?
A Not accept it, regardless of other circumstances, because its value is significant.
B Not accept it prior to submission of the final engagement communication.
C Accept it, regardless of other circumstances, because its value is insignificant.
D Not accept it if the gift is presumed to impair the internal auditor's judgment.

Q11

Page 13 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

According to the IIA Code of Ethics, the principle of Objectivity requires internal auditors to do which of the
following?
A Shall not accept anything that may impair or be presumed to impair their professional judgment.
B Shall be prudent in the use and protection of information acquired in the course of their duties.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Continually improve their proficiency, effectiveness, and quality of services.

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.3

Q12
An internal auditor discovered some material inefficiencies in a purchasing function.
The purchasing manager is the internal auditor’s next-door neighbor and best friend.
In accordance with The IIA’s Code of Ethics, the internal auditor should
A Not report the incident because of loyalty to the friend.
B Include the facts of the case in a special communication submitted only to the friend.
C Objectively include the facts of the case in the engagement communications.
D Not report the friend unless the activity is illegal.

Q13
In their communication of results, internal auditors are required by The IIA’s Code of Ethics to
A Obtain factual information within the established time and budget parameters.
B Disclose all material information obtained as of the date of the final engagement communication.
C Reveal material facts that could distort communications if not revealed.
Present sufficient factual information without revealing confidential information that could be detrimental to the
D
organization.

Q14
During an engagement, an employee with whom you have developed a good working relationship informs you
that she has some information about senior management that is damaging to the organization and may
concern illegal activities.
The employee does not want her name associated with the release of the information.
Which of the following actions is considered to be unethical?
A Inform the employee of other methods of communicating this type of information.
B Suggest that the employee consider talking to legal counsel.
Inform the employee that you will attempt to keep the source of the information confidential and will look into
C
the matter further.
D Assure the employee that you can maintain her anonymity and listen to the information.

Q15
An internal auditor has uncovered facts that could be interpreted as indicating unlawful activity on the part of
an engagement client.
The internal auditor decides not to inform senior management and the board of these facts because of lack of
proof.
The internal auditor, however, decides that, if questions are raised regarding the omitted facts, they will be
answered fully and truthfully.
In taking this action, the internal auditor
Has violated The IIA’s Code of Ethics because unlawful acts should have been reported to the appropriate
A
regulatory agency to avoid potential “aiding and abetting” by the internal auditor.
Has not violated The IIA’s Code of Ethics or the Standards because the internal auditor is committed to answering
B
all questions fully and truthfully.

Page 14 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Has violated the Standards because the internal auditor should inform the appropriate authorities in the
C
organization if fraud may be indicated.
Has not violated The IIA’s Code of Ethics or the Standards because confidentiality takes precedence over all other
D
standards.

Q16
Fact Pattern: The chief audit executive (CAE) of a mid-sized internal audit activity was concerned that
management might outsource the internal auditing function.

Thus, the CAE adopted a very aggressive program to promote the internal audit activity within the organization.

The CAE planned to present the results to senior management and the board and recommend modification of
the internal audit activity’s charter after using the new program.
The following lists six actions the CAE took to promote a positive image within the organization:

[1] Engagement assignments concentrated on efficiency. The engagements focused solely on cost savings, and
each engagement communication highlighted potential costs to be saved. Negative observations were omitted.
The focus on efficiency was new, but the engagement clients seemed very happy.

[2] Drafts of all engagement communications were carefully reviewed with the engagement clients to get their
input. Their comments were carefully considered when developing the final engagement communication.

[3] The information technology internal auditor participated as part of a development team to review the
control procedures to be incorporated into a major computer application under development.
[4] Given limited resources, the engagement manager performed a risk assessment to establish engagement
work schedule priorities. This was a marked departure from the previous approach of ensuring that all
operations are evaluated on at least a 3-year interval.
[5] To save time, the CAE no longer required that a standard internal control questionnaire be completed for
each engagement.
[6] When the internal auditors found that the engagement client had not developed specific criteria or data to
evaluate operations, the internal auditors were instructed to perform research, develop specific criteria, review
the criteria with the engagement client, and, if acceptable, use them to evaluate the engagement client’s
operations. If the engagement client disagreed with the criteria, a negotiation took place until acceptable
criteria could be agreed upon. The engagement communication commented on the engagement client’s
operations in conjunction with the agreed-upon criteria.
Which of the following elements of Action 1 taken by the CAE would be considered inappropriate?
[1] The type of engagements was changed before modifying the internal audit activity’s charter and going to
the audit committee.
[2] Negative observations were omitted from the engagement communications.
[3] Cost savings and recommendations were highlighted in the engagement communication.
A 1 and 3.
B 1 and 2.
C 1 only.
D 2 and 3.

Q17
In their reporting, internal auditors are required by The IIA’s Code of Ethics to
Disclose material facts known to the internal auditor that could distort the final engagement communication if not
A
revealed.

B Disclose all material information obtained by the auditor as of the date of the final engagement communication.

C Obtain factual information within the established time and budget parameters.

Page 15 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Present sufficient factual information without revealing confidential matters that could be detrimental to the
D
organization.

Q18
An engagement at a foreign subsidiary disclosed payments by the sales department to local government
officials in return for orders.
What action does The IIA’s Code of Ethics suggest for an internal auditor in such a case?
A Report the incident to appropriate regulatory authorities.
B Report the practice to the board of The Institute of Internal Auditors.
C Refrain from any action that might be detrimental to the organization.
D Inform appropriate organizational officials.

Q19
Which of the following situations is a violation of The IIA’s Code of Ethics?
Knowing that management was aware of the situation, an internal auditor purposely left a description of an
A
unlawful practice out of the final engagement communication.
An internal auditor, with the knowledge and consent of management, accepted a token gift from a customer of
B
the organization that was not presumed to impair and did not impair judgment.
C An internal auditor shared techniques with internal auditors from another organization.
Based upon knowledge of the probable success of the employer’s business, an internal auditor invested in a
D
mutual fund that specialized in the same industry.

Q20
Which of the following actions could be construed as a violation of The IIA’s Code of Ethics?
Including an internal control problem in a final engagement communication when it has been corrected prior to
A
completion of the engagement.

B Turning a case over to the security department when an internal auditor suspects fraud but has no proof.
C Expressing an opinion on internal financial statements.
D Failing to report to management information that would be material to management’s judgment.

Q21
Which of the following items is a violation by an internal auditor of The IIA Code of Ethics?

Certain facts recorded in the internal auditor's working papers that helped to support the basic allegations made
A
by the internal auditor regarding a case of fraud were not included in the final engagement communication.

Information in the internal auditor's working papers that proved a criminal act was included in the internal
B
auditor's draft communication. The comments were later removed by internal audit management.

A control system that had been recommended by the internal audit staff during the previous engagement was
C
found to be defective. The internal auditor reported the defective function as an engagement client failure.

To keep the engagement effort within the budgeted time, the internal auditor was directed to and did curtail
D
testing in an area that looked suspicious and later was proved to contain massive irregularities.

Q22
During an examination of grants awarded by a not-for-profit organization, an internal auditor discovered a
number of grants made without the approval of the grant authorization committee (which includes outside
representatives), as required by the organization’s charter.
All the grants, however, were approved and documented by the president.

The chair of the grant authorization committee, who is also a member of the board of directors, proposes that
the committee meet and retroactively approve all the grants before the engagement communication is issued.

Page 16 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

If the committee meets and approves the grants before such issuance, the internal auditor should
Include the items in the communication as an override of the organization’s controls. Details about each grant
A
should be reported, and the internal auditor should investigate further for fraud.
B Report the override of control to the board.
Discuss the matter with the chair of the grant committee to determine the rationale for not approving the grants
C earlier. If the grants are routine, discussion of the grant committee’s inaction should be omitted from the
engagement communication.
Not report the grants in question because they were approved before the issuance of the engagement
D
communication.

Q23
In a review of travel and entertainment expenses, a certified internal auditor questioned the business purposes
of an officer’s reimbursed travel expenses.
The officer promised to compensate for the questioned amounts by not claiming legitimate expenses in the
future.
If the officer makes good on the promise, the internal auditor
A Should inform the tax authorities in any event.
B Can ignore the original charging of the nonbusiness expenses.
C Should still include the finding in the final engagement communication.

D Should recommend that the officer forfeit any frequent flyer miles received as part of the questionable travel.

Q24
According to the IIA Code of Ethics, the principle of Objectivity requires internal auditors to do which of the
following?
Shall disclose all material facts known to them that, if not disclosed, may distort the reporting of activities under
A
review.
B Shall be prudent in the use and protection of information acquired in the course of their duties.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Continually improve their proficiency, effectiveness, and quality of services.

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.1, 2.2 & 2.3

Q25
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:

1) The auditor received royalties from a publisher for authoring a professional book on internal auditing.

2) The auditor has a part-time job as a real estate broker, and his real estate firm recently received a
commission from the employer company.

3) The auditor received an item of value from a fellow employee in the same company whose department has
never been audited and whose department is not scheduled to be audited in the foreseeable future.
4) The auditor did not include in an audit report that the bottlenecks in a shipping department were caused by
the absence of the supervisor. The supervisor was the auditor's friend and neighbor who had a hospitalized
child requiring him to miss work off and on for several weeks.
How many of the allegations about the auditor represent violations of the IIA Code of Ethics?
A Four.
B Two.
C Three.

Page 17 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

D One.

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.1 & 2.2

Q26
Which core principle of The IIA’s Code of Ethics do the following actions violate?
[1] The internal auditor assumes operational duties on a temporary basis.
[2] The internal auditor performs an audit in a department managed by the auditor’s father.
[3] The internal auditor managed the department being audited 6 months prior to the audit.
[4] The internal auditor receives a bonus based on the number of observations generated during an audit.

A Integrity.
B Competency.
C Independence.
D Objectivity.

Q27
The chief audit executive (CAE) has been appointed to a committee to evaluate the appointment of the external
auditors.
The engagement partner for the external accounting firm wants the CAE to join her for a week of hunting at her
private lodge.
The CAE should
A Refuse on the grounds of conflict of interest.
B Accept, assuming both their schedules allow it.
C Ask the comptroller whether accepting the invitation is a violation of the organization’s code of ethics.
D Accept as long as it is not charged to employer time.

The IIA Code of Ethics - Rules of Conduct - [1] Objectivity - 2.2 & 2.3

Q28
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:
1) The auditor received an item of value from a local nonprofit organization of purchasing agents for whom he
gave a speech.
2) The auditor received an item of value from a customer of the employer.
3) The auditor has a part-time job as president of a local charitable organization.
4) The auditor shared audit techniques with auditors from another company while attending a professional
meeting.
5) A buyer accepted a kickback of $500 to give bid amounts to a supplier to enable that supplier to bid the
contract. The auditor omitted this information from the audit report since the contract amount was not
material to the financial statements.
How many of the allegations about the auditor represent violations of the IIA Code of Ethics?
A Four.
B Two.
C One.
D Three.

Answers

Q1 Internal auditor and part-time business insurance broker. C

Q2 Avoidance of conflict of interest. C
Q3 Having a material ownership interest in a competitor. D

Page 18 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Q4 Disclose the matter to the external auditor without further discussion. D

Q5 I and II. C
Shall not participate in any activity or relationship that may impair or be presumed to
Q6 impair their unbiased assessment. This participation includes those activities or A
relationships that may be in conflict with the interests of the organization.
Preparing the personal tax return, for a fee, for one of the organization’s division
Q7 C
managers.
Q8 Acceptance of the gift violates The IIA’s Code of Ethics and is prohibited for a CIA. D

Q9 Not accept the payment because such acceptance is in conflict with the Code of Ethics. A

Q10 Not accept it if the gift is presumed to impair the internal auditor's judgment. D
Shall not accept anything that may impair or be presumed to impair their professional
Q11 A
judgment.
Q12 Objectively include the facts of the case in the engagement communications. C
Q13 Reveal material facts that could distort communications if not revealed. C

Q14 Assure the employee that you can maintain her anonymity and listen to the information. D

Has violated the Standards because the internal auditor should inform the appropriate
Q15 C
authorities in the organization if fraud may be indicated.
Q16 1 and 2. B
Disclose material facts known to the internal auditor that could distort the final
Q17 A
engagement communication if not revealed.
Q18 Inform appropriate organizational officials. D
Knowing that management was aware of the situation, an internal auditor purposely left a
Q19 A
description of an unlawful practice out of the final engagement communication.

Failing to report to management information that would be material to management’s

Q20 D
judgment.
A control system that had been recommended by the internal audit staff during the
Q21 previous engagement was found to be defective. The internal auditor reported the C
defective function as an engagement client failure.
Q22 Report the override of control to the board. B
Q23 Should still include the finding in the final engagement communication. C
Shall disclose all material facts known to them that, if not disclosed, may distort the
Q24 A
reporting of activities under review.
Q25 Three. C
Q26 Objectivity. D
Q27 Refuse on the grounds of conflict of interest. A
Q28 Two. B

Section #7: Rules of Conduct - [3] Confidentiality

3.1. Shall be prudent in the use and protection of information acquired in the course of their duties.
Internal auditors: 3.2. Shall not use information for any personal gain or in any manner that would be contrary to the law or
detrimental to the legitimate and ethical objectives of the organization.
Confidentiality is not explicitly referenced in the Standards, however, requirements related to limiting the
Explanation #1
dissemination of engagement results are discussed in the implementation standards.
Organizations usually issue information security policies to protect the data they acquire, use, and produce in
order to ensure compliance with the laws and regulations that pertain to the industry and jurisdiction within
which they operate (e.g., the European Union’s General Data Protection Regulation or the EU-U.S. Privacy Shield
Framework).
Explanation #2

Page 19 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Explanation #2
These policies typically cover data privacy, record retention, and physical and digital security of information.

Also, membership in professional organizations may help internal auditors stay current with relevant professional
obligations.
The term “information” includes data in physical form, such as printed documents, and in electronic form, such as
audio, video, and encoded data.
Explanation #3
Confidentiality involves protecting information from being disclosed to unauthorized individuals and entities, both
within and outside the organization.

The IIA Code of Ethics - Rules of Conduct - [3] Confidentiality - 3.1

Q1
An internal auditor was reviewing filed payroll tax reports with payroll records.

Two months later, the auditor shared salaries of certain employees with the organization’s Logistics Manager.

Which core principle of The IIA’s Code of Ethics was violated?

A Confidentiality.
B Competency.
C Objectivity.
D Authority.

Q2
Which of the following actions taken by a chief audit executive (CAE) could be considered professionally ethical
under the IIA Code of Ethics?
A The CAE refuses to provide information about organizational operations to his father, who is a part owner.
To save organizational resources, the CAE limits procedures at foreign branches to confirmations from branch
B
managers that no major personnel changes have occurred.
To save organizational resources, the CAE cancels all staff training for the next 2 years on the basis that all staff
C
are too new to benefit from training.
The CAE decides to delay an engagement at a branch so that his nephew, the branch manager, will have time to
D
"clean things up."

Q3
“Internal auditors shall be prudent in the use and protection of information acquired in the course of their
duties” is a Rule of Conduct under which core principle of The IIA’s Code of Ethics?
A Risk-based assurance.
B Competency.
C Disclosure.
D Confidentiality.

The IIA Code of Ethics - Rules of Conduct - [3] Confidentiality - 3.2

Q4
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:

1) The auditor has a part-time job outside of office hours as a visiting professor at a local community college.

2) The auditor owns stock in the employer company.

Page 20 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

3) The auditor told his next-door neighbor to start looking for a new job because an audit of the executive
office indicated that the neighbor's division was going to be closed down in about six months.

How many of the allegations about the internal auditor represent violations of the IIA Code of Ethics?
A None.
B Two.
C Three.
D One.

Q5
Which of the following violates The IIA’s Code of Ethics core principle of confidentiality?
The company’s internal audit charter states, “If independence is impaired in fact or appearance, the details of the
A
impairment must be disclosed to appropriate parties.”

B The internal auditor purchased stock in the company after seeing a draft of the quarterly financial statements.

A first-year internal auditor sought help preparing workpapers from a third-year internal auditor on the same
C
engagement.
The CAE began an investigation on submitted travel expense reports after hearing sales personnel were inflating
D
their travel expenses.

Q6
A chief audit executive (CAE) learned that a staff internal auditor provided confidential information to a
relative.
Both the CAE and staff internal auditor are CIAs.
Although the internal auditor did not benefit from the transaction, the relative used the information to make a
significant profit.
The most appropriate way for the CAE to deal with this problem is to
A Take no action because the internal auditor did not benefit from the transaction.
B Summarily discharge the internal auditor and notify The IIA.
C Verbally reprimand the internal auditor.
D Inform The IIA’s Board of Directors and take the personnel action required by organizational policy.

Q7
Which of the following situations is a violation of The IIA’s Code of Ethics?

During an engagement, an internal auditor learned that the organization was about to introduce a new product
A that would revolutionize the industry. Because of the probable success of the new product, the product manager
suggested that the internal auditor buy an additional interest in the organization, which the internal auditor did.

An internal auditor gave a speech at a local IIA chapter meeting outlining the contents of a program the internal
B auditor had developed for engagements relating to electronic data interchange (EDI) connections. Several internal
auditors from major competitors were in the audience.
An internal auditor for a manufacturer of office products recently completed an engagement to evaluate the
marketing function. Based on this experience, the internal auditor spent several hours one Saturday working as a
C
paid consultant to a hospital in the local area that intended to conduct an engagement to evaluate its marketing
function.
An internal auditor was ordered to testify in a court case in which a merger partner claimed to have been
D defrauded by the internal auditor’s organization. The internal auditor divulged confidential information to the
court.

Q8
According to the IIA Code of Ethics, the principle of Confidentiality requires internal auditors to do which of the
following?

Page 21 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
A assessment. This participation includes those activities or relationships that may be in conflict with the interests of
the organization.
Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental
B
to the legitimate and ethical objectives of the organization.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Continually improve their proficiency, effectiveness, and quality of services.

The IIA Code of Ethics - Rules of Conduct - [3] Confidentiality - 3.1 & 3.2

Q9
Which of the following is a violation of The IIA’s Code of Ethics core principle of confidentiality?
Confidential information of the organization was released in response to a court order received by the
A
organization.
Disclosure of the organization’s trade secrets to a family member. The disclosure of the information resulted in no
B
personal gain to the internal auditor or the family member.
During an engagement, the audit supervisor found that a control deficiency caused by management override
C
created exposure to material risks. He reported the matter to the audit committee.
A loan officer at the local bank requested financial statements for the past two years. The CFO approved the
D
request.

Q10
An internal auditor is performing services in a division in which the chief financial officer is a close personal
friend, and the internal auditor learns that the friend is to be replaced after a series of critical labor
negotiations.
The internal auditor relays this information to the friend.
Has a violation of The IIA’s Code of Ethics occurred?
A No. The use of the confidential information resulted in no personal gain to the internal auditor.

B Yes. The internal auditor was not prudent in the use of information acquired in the course of his or her duties.

C No. The internal auditor was just being honest with his or her friend.
D Yes. The internal auditor had a conflict of interest with the organization.

Answers

Q1 Confidentiality. A
The CAE refuses to provide information about organizational operations to his father, who
Q2 A
is a part owner.
Q3 Confidentiality. D
Q4 One. D
The internal auditor purchased stock in the company after seeing a draft of the quarterly
Q5 B
financial statements.
Inform The IIA’s Board of Directors and take the personnel action required by
Q6 D
organizational policy.

During an engagement, an internal auditor learned that the organization was about to
introduce a new product that would revolutionize the industry. Because of the probable
Q7 A
success of the new product, the product manager suggested that the internal auditor buy
an additional interest in the organization, which the internal auditor did.

Shall not use information for any personal gain or in any manner that would be contrary to
Q8 B
the law or detrimental to the legitimate and ethical objectives of the organization.

Page 22 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Disclosure of the organization’s trade secrets to a family member. The disclosure of the
Q9 B
information resulted in no personal gain to the internal auditor or the family member.

Yes. The internal auditor was not prudent in the use of information acquired in the course
Q10 B
of his or her duties.

Section #8: Rules of Conduct - [4] Competency

4.1. Shall engage only in those services for which they have the necessary knowledge, skills, and experience.
Internal auditors: 4.2. Shall perform internal auditing services in accordance with the International Standards for the Professional
Practice of Internal Auditing.
4.3. Shall continually improve their proficiency and the effectiveness and quality of their services.
The importance of the competency principle is evidenced by its inclusion in the Core Principles for the
Explanation
Professional Practice of Internal Auditing and throughout the Standards.

The IIA Code of Ethics - Rules of Conduct - [4] Competency - 4.1

Q1
Company A recently acquired Company B.
Company B is in a very different industry from Company A.
Ten internal auditors have been assigned to review key areas of Company B’s operations.
The CAE has arranged for the auditors to receive industry training prior to the commencement of work.
How should the CAE explain to the board why the industry training is needed?
Internal auditors will not know how to be prudent in the use and protection of the information acquired in the
A
course of their duties.

B Internal auditors will be unable to contribute to the legitimate and ethical objectives of the organization.

C Internal auditors do not have the necessary knowledge, skills, or experience to complete the work.
D Internal auditors may distort the reporting of activities if all material facts are not known to them.

Q2
Which of the following statements is part of The IIA Rules of Conduct for competency?
Internal auditors shall disclose all material facts known to them that, if not disclosed, may distort the reporting of
A
activities under review.

B Internal auditors shall respect and contribute to the legitimate and ethical objectives of the organization.
Internal auditors shall engage only in those services for which they have the necessary knowledge, skills, and
C
experience.
D Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties.

Q3
During the course of an engagement, an internal auditor discovers that a clerk is embezzling funds from the
organization.
Although this is the first embezzlement ever encountered and the organization has a security department, the
internal auditor decides to interrogate the suspect.
If the internal auditor is violating The IIA’s Code of Ethics, the rule violated is most likely
A Failing to comply with the law.
B Lack of loyalty to the organization.
C Lack of competence in this area.
D Failing to exercise due diligence.

Page 23 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Q4
Which of the following violates The IIA’s Code of Ethics core principle of competency?
A The internal auditor directed his brother to sell company stock during the company’s blackout period.
The internal auditor failed to complete the required continuing education needed to obtain the skills necessary for
B
the engagement.
C The manager failed to disclose all revenues and sales taxes collected to the state’s taxation department.
D The internal auditor accepted gifts of material value from the engagement client.

The IIA Code of Ethics - Rules of Conduct - [4] Competency - 4.2

Q5
In some countries, governmental units have established audit standards.
For example, in the United States, the General Accounting Office has developed standards for the conduct of
governmental audits, particularly those that relate to compliance with government grants.
In performing governmental grant compliance audits, the auditor should
A Be guided by the more general standards that have been issued by the public accounting profession.
B Follow both The IIA Standards and any additional governmental standards.
C Be guided only by the governmental standards.
D Be guided only by The IIA Standards because they are more encompassing.

Q6
A new staff internal auditor was told to perform an engagement in an area with which the internal auditor was
not familiar.
Because of time constraints, no supervision was provided.
The assignment represented a good learning experience, but the area was clearly beyond the internal auditor’s
competence.
Nonetheless, the internal auditor prepared comprehensive working papers and communicated the results to
management.
In this situation,

A The internal audit activity violated the Standards by hiring an internal auditor without proficiency in the area.

B The internal audit activity violated the Standards by not providing adequate supervision.
C The Standards and The IIA’s Code of Ethics were followed by the internal audit activity.

D The chief audit executive has not violated The IIA’s Code of Ethics because it does not address supervision.

Q7
An organization has recently placed a former operating manager in the position of chief audit executive (CAE).
The new CAE is not a member of The IIA and is not a CIA.
Henceforth, the internal audit activity will be run strictly by the CAE’s standards, not The IIA’s.
All four staff internal auditors are members of The IIA, but they are not CIAs.
According to The IIA’s Code of Ethics, what is the best course of action for the staff internal auditors?
A They must respect the legitimate and ethical objectives of the organization and ignore the Standards.
B They must resign their jobs to avoid improper activities.
C They should comply with the International Standards for the Professional Practice of Internal Auditing.
D The Code does not apply because they are not CIAs.

Q8
Under The IIA’s Code of Ethics, an entity that provides internal auditing services is specifically required to

A Maintain certain predetermined staffing requirements for engagements.

B Participate in a formal continuing education program.
C Comply with the International Standards for the Professional Practice of Internal Auditing.

Page 24 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

D Comply with organizational policy.

Q9
According to the IIA Code of Ethics, the principle of Competency requires internal auditors to do which of the
following?
Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
A assessment. This participation includes those activities or relationships that may be in conflict with the interests of
the organization.
Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental
B
to the legitimate and ethical objectives of the organization.
C Respect and contribute to the legitimate and ethical objectives of the organization.
Shall perform internal auditing services in accordance with the International Standards for the Professional
D
Practice of Internal Auditing.

The IIA Code of Ethics - Rules of Conduct - [4] Competency - 4.3

Q10
Which of the following would violate The IIA’s Code of Ethics core principle of competency?
The organization has downsized and has a very lean staff. The board has recently approved the deferral of all
A
continuing education for the next 12 months due to the staff’s workload.
Bob recently completed continuing education courses in restaurant accounting and has been assigned to audit
B
one of the organization’s steakhouses next month.

The audit committee hired a new CAE to perform financial due diligence on a chain of hotels that the company is
C
considering purchasing. The new CAE has extensive knowledge and years of experience in the hotel industry.
Carrie was recently promoted to supervise the audit of food and beverage accounting for the organization’s
D banquet facilities. Carrie has audited several areas of the organization, including 6 months of shadowing audit
supervisors in the hospitality area.

Q11
Which of the following most likely constitutes a violation of The IIA’s Code of Ethics?
Auditor C is content as an internal auditor and has come to look at it as a regular 9-to-5 job. Auditor C has not
A engaged in continuing professional education or other activities to improve effectiveness during the last 3 years.
However, Auditor C feels performance of quality work is the same as before.

Auditor A has accepted an assignment to perform an engagement at the electronics manufacturing division.
B Auditor A has recently joined the internal audit activity. But Auditor A was senior auditor for the external audit of
that division and has audited many electronics organizations during the past 2 years.

Auditor B has been assigned to perform an engagement at the warehousing function 6 months from now. Auditor
C B has no expertise in that area but accepted the assignment anyway. Auditor B has signed up for continuing
professional education courses in warehousing that will be completed before the assignment begins.

Auditor D discovered an internal financial fraud during the year. The books were adjusted to properly reflect the
D loss associated with the fraud. Auditor D discussed the fraud with the external auditor when the external auditor
reviewed working papers detailing the incident.

Q12

A manufacturing organization often hires recent college graduates to fill entry-level internal auditor positions.

Which of the following would not support the organization’s commitment to the Rule of Conduct for
competency?

Page 25 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Annually, the organization holds a seminar and provides the professional employees with updates on changes to
A
IIA standards and guidance.
B The organization routinely brings in motivational speakers to inspire the employees.
C The organization pays for and requires all professional employees to take continuing education classes.
D The organization requires a training program for entry level auditors.

Q13
According to the IIA Code of Ethics, the principle of Competency requires internal auditors to do which of the
following?
Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased
A assessment. This participation includes those activities or relationships that may be in conflict with the interests of
the organization.
Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental
B
to the legitimate and ethical objectives of the organization.
C Respect and contribute to the legitimate and ethical objectives of the organization.
D Shall continually improve their proficiency and the effectiveness and quality of their services.

Answers

Internal auditors do not have the necessary knowledge, skills, or experience to complete
Q1 C
the work.
Internal auditors shall engage only in those services for which they have the necessary
Q2 C
knowledge, skills, and experience.
Q3 Lack of competence in this area. C
The internal auditor failed to complete the required continuing education needed to obtain
Q4 B
the skills necessary for the engagement.
Q5 Follow both The IIA Standards and any additional governmental standards. B
Q6 The internal audit activity violated the Standards by not providing adequate supervision. B
They should comply with the International Standards for the Professional Practice of
Q7 C
Internal Auditing.

Q8 Comply with the International Standards for the Professional Practice of Internal Auditing. C

Shall perform internal auditing services in accordance with the International Standards for
Q9 D
the Professional Practice of Internal Auditing.

The organization has downsized and has a very lean staff. The board has recently approved
Q10 A
the deferral of all continuing education for the next 12 months due to the staff’s workload.

Auditor C is content as an internal auditor and has come to look at it as a regular 9-to-5 job.
Auditor C has not engaged in continuing professional education or other activities to
Q11 A
improve effectiveness during the last 3 years. However, Auditor C feels performance of
quality work is the same as before.

Q12 The organization routinely brings in motivational speakers to inspire the employees. B

Shall continually improve their proficiency and the effectiveness and quality of their
Q13 D
services.

Section #9: Violation of Rules of Conduct

Considerations for Implementation of Rules of Conduct for the CAE

Considerations for CAE - [1] Integrity

Page 26 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

[1] The CAE must ensure that the internal audit activity achieves its purpose, fulfills the responsibilities included
in the internal audit charter, and that its individual members conform with the Code of Ethics and the Standards.

[2] The CAE should cultivate a culture of integrity by acting with integrity and adhering to the Code of Ethics.

[3] The CAE may bring about awareness and accountability by requiring internal auditors to acknowledge in
writing that they have reviewed and understood policies and procedures of the IAA. If this is implemented, the
Integrity IAA can show diligence and responsibility.
[4] The CAE may require internal auditors to acknowledge in writing their agreement to follow The IIA’s Code of
Ethics, and any additional ethics-related policies specific to the IAA.
[5] The CAE may emphasize the importance of integrity by providing training that demonstrates integrity and
other ethical principles in action.

[6] The CAE should maintain a working environment in which internal auditors feel supported when expressing
legitimate, evidence-based observations, conclusions, and opinions, even if they are not favorable.

[1] The CAE must ensure that the IAA

individual members conform with the Code &

achieves its purpose fulfills the responsibilities included in the Charter
Standards

[2] The CAE should cultivate a culture of integrity by

acting with integrity adhering to the Code

[3 - A] The CAE may bring about awareness and accountability by

requiring internal auditors to acknowledge in writing that they have reviewed and understood policies and procedures of the IAA

[3 - B] If this is implemented

the IAA can show diligence and responsibility

[4] The CAE may require internal auditors to

acknowledge in writing their agreement to follow The IIA’s Code acknowledge in writing any additional ethics-related policies specific to the IAA

[5] The CAE may emphasize the importance of integrity by

providing training that demonstrates integrity other ethical principles in action

[6] The CAE should maintain a working environment in which internal auditors feel supported when expressing (even if they are not favorable)

legitimate evidence-based observations conclusions opinions

The IAA’s supervision includes the approval of work programs before fieldwork begins and a review of the
engagement workpapers and results.
These are chances for supervisors to discuss any situations that may call integrity into question, and to guide
Example internal auditors.

Page 27 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]
Example

Also, an effective management of the internal audit activity includes proper engagement supervision and periodic
reviews of internal auditors’ performance, which provide opportunities to discuss how integrity may be
challenged and applied in real situations.

Considerations for CAE - [2] Objectivity

[1] The CAE may create relevant policies and procedures, such as a policy about internal auditors receiving gifts,
favors, and rewards.
[2] The CAE may require internal auditors to complete an acknowledgement form disclosing potential conflicts of
interest and impairments to objectivity, and the CAE should consider these disclosures when assigning internal
auditors to engagements.
Objectivity [3] The CAE should carefully consider how performance measures and the system of compensation may
influence internal auditors’ objectivity, when developing policies and procedures.

[4] The CAE is to enforce objectivity and require that potential impairments be declared, even If the work is
outsourced or co-sourced. The CAE may include such requirements in third-party provider contracts and should
research the providers’ relationship to determine whether conflicts of interest exist.

[1] The CAE may create relevant

policies & procedures
[4 - B] The CAE may include such [4 - C] The CAE should research the
• Example: a policy about internal auditors
receiving gifts, favors, & rewards.
requirements in third-party providers’ relationship to
provider contracts. determine whether conflicts of
interest exist.

[2 - A] The CAE may require internal [4 - A] The CAE is to enforce

auditors to complete an objectivity & require that potential
acknowledgement form disclosing impairments be declared, even If
potential conflicts of interest & the work is outsourced or co-
impairments to objectivity. sourced.

[3] The CAE should carefully

consider how performance
[2 - B] The CAE should consider measures and the system of
these disclosures when assigning compensation may influence
internal auditors to engagements. internal auditors’ objectivity, when
developing policies and
procedures.

Considerations for CAE - [3] Confidentiality

[1] The CAE should consult with legal counsel to better understand the impact of legal and regulatory
requirements, and protections of information. The organization’s policies and procedures may require that
specific positions in the company review and approve business information before external release of that
information.
[2] The CAE may implement additional policies, processes, and/or procedures that the internal audit activity and
external consultants must follow. Typically, these are closely aligned with the Mandatory Guidance.

[3] The CAE should periodically assess and confirm internal auditors’ need for access to areas and databanks
containing confidential information. The CAE should confirm that access controls are working effectively.
Confidentiality
[4] The CAE is to control access to the engagement records, in part by developing requirements for retaining the
records, regardless of the medium in which each record is stored.

Page 28 of 41
Confidentiality
Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

[5] The CAE and internal auditors need to be able to comply with requests by regulators and with transparency
laws in public sector organizations.
[6] The CAE may discuss the principles, rules, policies, and expectations related to confidentiality during meetings
or trainings of the IAA, also may use the opportunity to brainstorm and discuss the potential impact of sharing
various types of confidential organizational information.
[7] The CAE may require internal auditors to sign a form acknowledging that they attended such sessions and
understand relevant policies, procedures, and expectations.

[1] The CAE should consult with [6 - A] The CAE may discuss the
legal counsel to better understand [3 - B] The CAE should confirm that principles, rules, policies, and
the impact of legal and regulatory access controls are working expectations related to
requirements, and protections of effectively. confidentiality during meetings or
information. trainings of the IAA.

[4] The CAE is to control access to [6 - B] The CAE may also use the
[2] The CAE may implement
the engagement records, in part by opportunity to brainstorm and
additional policies, processes,
developing requirements for discuss the potential impact of
and/or procedures that the
retaining the records, regardless of sharing various types of
internal audit activity and external
the medium in which each record is confidential organizational
consultants must follow.
stored. information.

[7] The CAE may require internal

[3 - A] The CAE should periodically [5] The CAE and internal auditors
auditors to sign a form
assess and confirm internal need to be able to comply with
acknowledging that they attended
auditors’ need for access to areas requests by regulators and with
such sessions and understand
and databanks containing transparency laws in public sector
relevant policies, procedures, and
confidential information. organizations.
expectations.

Considerations for CAE - [4] Competency

[1] The CAE is responsible for ensuring the competency of the internal audit activity as a whole.

[2] The CAE should develop a staffing strategy to regularly assess the competencies of individual internal auditors,
the internal audit activity as a whole, and any service providers upon which the internal audit activity relies.

[3] The CAE should inventory the skills and experience of individual auditors, align them with the competencies
needed to fulfill the internal audit plan, and identify any gaps in coverage.
[4] The CAE may address deficiencies by providing training and mentorship, rotating internal audit staff, bringing
Competency
in guest auditors, and/or hiring external service providers. Also, the CAE should encourage educational and
training opportunities when possible.
[5] The CAE should develop policies and procedures that include regularly reviewing individual performance,
which may involve benchmarking and/or reviewing key performance indicators.
[6] The CAE should implement a quality assurance and improvement program to promote the continual
improvement of the internal audit activity as a whole. The CAE may use The IIA’s Competency Framework to
benchmark the maturity of the IAA and work toward its progress.

[5] The CAE should develop policies

[6 - A] The CAE should implement a
and procedures that include
[1] The CAE is responsible for quality assurance and
regularly reviewing individual
ensuring the competency of the improvement program to promote
performance, which may involve
IAA as a whole. the continual improvement of the
benchmarking and/or reviewing
internal audit activity as a whole.

Page 29 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]
performance, which may involve
IAA as a whole. the continual improvement of the
benchmarking and/or reviewing
internal audit activity as a whole.
key performance indicators.

[2] The CAE should develop a

staffing strategy to regularly assess
the competencies of [6 - B] The CAE may use The IIA’s
[4 - B] The CAE should encourage
Competency Framework to
•individual internal auditors, educational and training
benchmark the maturity of the IAA
•the IAA as a whole, and opportunities when possible.
•any service providers upon which the and work toward its progress.
internal audit activity relies.

[3] The CAE should inventory the [4 - A] The CAE may address
skills and experience of individual deficiencies by providing training
auditors, align them with the and mentorship, rotating internal
competencies needed to fulfill the audit staff, bringing in guest
internal audit plan, and identify any auditors, and/or hiring external
gaps in coverage. service providers.

Considerations for Implementation of Rules of Conduct for Individual Internal Auditors

Considerations for Individual Internal Auditors - [1] Integrity

[1] For internal auditors, integrity may be considered primarily a personal attribute, which makes it difficult to
measure, enforce, or guarantee.
[2] For individual internal auditors, the best attempts to identify and measure integrity likely involve astute
awareness and understanding of the Code of Ethics’ rules of conduct for integrity, the Mandatory Guidance, and
supporting practices.
[3] For internal auditors, some behaviors may not be illegal but may be discreditable.

[4] Internal auditors should adhere to the ethics policy, code of conduct, values statement, and other policies and
procedures established by the IAA and the organization (i.e., human resources and legal policies).
Integrity

[5] Internal auditors must abide by the laws and regulations relevant to the industry and jurisdictions within
which the organization operates.
[6] Internal auditors should consider how strategies and objectives align with the organization’s mission and
values and should identify opportunities to make significant improvements to its governance, risk management,
and control processes.

[7] Internal auditors may support their understanding of the Code of Ethics and their ability to conform with its
tenets by participating in ethics-focused continuing professional education/development (CPE/CPD).

Internal auditors are expected to tell the truth and do the right thing, even when it is uncomfortable or difficult to
Example do so and avoiding taking appropriate actions might seem easier.
(e.g., concealing or omitting observations from an engagement report).

Considerations for Individual Internal Auditors - [2] Objectivity

[1] Internal auditors are to perform engagements in a manner that results in a balanced assessment of all the
relevant circumstances, and the engagement workpapers that have been approved by the CAE or a designated
engagement supervisor should evidence that balanced assessment.
[2] Internal auditors are to review relevant resources as this may help to better recognize, understand, and
overcome innate biases and subjectivity.
[3] Internal auditors should not be unduly influenced by others or subordinate their judgment on audit matters to
others.

Page 30 of 41
Objectivity
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

[4] Internal auditors should avoid conflicts of interest, which include excessive individual fraternizing outside of
work with the organization’s employees, management, third-party suppliers, and vendors. Close relationships or
Objectivity
financial ties, such as investments, could represent conflicts of interest, whether in fact or perception. If
unavoidable, such objectivity impairments should be disclosed.
[5] Internal auditors shall not accept anything that may impair or be presumed to impair their professional
judgment. Examples include accepting gifts, meals, trips, and special treatment that exceed policy limits, or are
not disclosed and approved.

[6] Internal auditors are to disclose any “material” facts about the activities under review. Internal auditors must
not hold back from reporting all the known facts pertinent to the engagement results and conclusions, even if
those facts, results, or conclusions may be displeasing to senior management and the board.

[7] Internal audit communications should be clear, factual, and objective, avoiding language that could minimize,
hide, or exaggerate findings.

IIA’s standards describe the requirements for internal auditors to gather, analyze, evaluate, and document
information that is sufficient, reliable, relevant, and useful and that will support the engagement results and
conclusions, while the respective implementation guides detail specific ways to carry out the audit objectives.
Example - Point #1
This information should enable an engagement supervisor, CAE, external auditor, or a similarly informed
individual (i.e., with sufficient information and appropriate knowledge and qualifications) to reach the same
conclusions reached by the internal auditors, which is a validation that a balanced, objective review of all the
relevant circumstances has been conducted.
If the controls in accounts payable were unsatisfactory when last assessed, stating that the controls are just as
effective as when last assessed (or that there has been no change in the control effectiveness) would be
inadequate.
Example - Point #7
Instead, internal auditors should mention whether recommendations and improvements have been implemented
since the last assessment and whether those changes have brought the unsatisfactory condition into a
satisfactory status.

Considerations for Individual Internal Auditors - [3] Confidentiality

[1] Internal auditors should understand the laws and regulations related to confidentiality and information
security for the jurisdictions in which their organization operates, as well as knowing any policies specific to their
organization and internal audit activity. Such policies may identify, for example, the type of information that may
be disclosed, the parties that must authorize the disclosure, and the procedures to be followed.

[2] Internal auditors should follow the policies and procedures set by the organization and the CAE, as well as
comply with any relevant laws and regulations.
[3] Internal auditors collect only the data required to perform the assigned engagement and use this information
only for the engagement’s intended purposes.

[4] Internal auditors protect information from intentional or unintentional disclosure through the use of controls
such as data encryption, email distribution restrictions, and restriction of physical access to the information.

Confidentiality [5] Internal auditors eliminate copies of or access to data when it is no longer needed.
[6] Internal auditors should consider confidentiality when documenting internal audit work and observations.
Work program or engagement workpaper templates may include reminders about confidentiality; electronic
formats may contain automated controls that require internal auditors to acknowledge such reminders before
auditors are able to access and complete documentation.
[7] Internal auditors are required to establish a written understanding of the restrictions related to the
distribution of engagement results and the access to engagement records, specifically when they are planning an
assurance engagement that involves third parties, as they might need to release the results of an assurance
engagement to parties outside the organization.

Page 31 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

[8] Internal auditors must stipulate limitations regarding how the results may be distributed and used. They must
follow established procedures for disclosure, including contacting the correct authority in the organization for
written permission before disclosing any information, and retaining the authorization in workpapers.

[9] Internal auditors must not use any information for personal gain.
One example of information typically protected from internal disclosure is personally identifiable human resource
information.
For instance, individual salaries and records of reprimands or personal problems discussed with supervisors and
Example - Point #1 HR personnel.

Access to this information might be restricted or monitored through physical controls, such as locked filing
cabinets, and through information system controls, including password protection and encryption of data.
Internal auditors should not:
[1] Use insider financial, strategic, or operational knowledge of an organization to bring about personal financial
gain by purchasing or selling shares in the organization.
[2] Release insider knowledge to journalists or via other media without proper authorization.
Example - Point #9

[3] Use insider information to develop a competitive product or selling proprietary information to a competitor.

[4] Abuse their privilege to access information, such as using access to customer records to look up a neighbor’s
recent purchases or to view the health records of a celebrity.

Considerations for Individual Internal Auditors - [4] Competency

[1] Internal auditors should regularly assess themselves to gain insight into their level of competency, proficiency,
and effectiveness, and to find areas for potential growth. The IIA’s Competency Framework may be a useful
benchmarking tool for this purpose.

[2] Internal auditors should seek constructive formal/informal feedback from peers, supervisors, and the CAE.
Feedback may be given throughout engagements, during supervisory reviews, and/or after closing engagements.

[3] Internal auditors assigned to plan an engagement must determine the competencies needed to achieve the
engagement objectives. In engagement workpapers, internal auditors conducting an engagement may document
their rationale for the resource allocation used.
[4] When resources appear to be insufficient, internal auditors should consult with the CAE and document the
Competency results of the discussion. If appropriate and sufficient resources are not available, it may be necessary to seek
additional resources outside the internal audit activity.
[5] Internal auditors may build their competencies by pursuing education, mentorship, and supervised work
experiences. Properly supervised internal audit engagements play a large role in facilitating the development of
internal auditors because most internal audit activities have limited resources.
[6] Internal auditors are responsible for taking the necessary actions to obtain any continuing professional
education and development (CPE/CPD) hours they may need.
[7] Internal auditors are responsible for their own conformance with the Code of Ethics, and relevant standards
and for obtaining the knowledge, skills, and experience needed to perform their responsibilities, and to
continually improve their proficiency and quality of service.
[8] Internal auditors may create and maintain plans for their professional development.
An internal auditor has a thorough understanding of risks, risk assessments, controls, and internal audit
methodologies but lacks subject matter expertise in specialty areas or processes to be assessed.
In this case, the internal auditor may work with an appropriate subject matter expert to better understand the
area or process and build relevant business acumen.
Example - Point #5
On the other hand, special personnel hired for their deep subject matter expertise in certain areas or processes
may lack proficient internal audit skills.
An experienced internal auditor (e.g., engagement supervisor) should work closely with the special personnel to
ensure the engagement is performed with sufficient internal audit competency.

Page 32 of 41
Example - Point #5

Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Both approaches will help increase business and organizational knowledge among internal auditors and contribute
to broadening the business acumen and strategic insights of The IIA.

Conformance with The IIA Code of Ethics

The International Standards for the Professional Practice of Internal Auditing require conformance with the Code
of Ethics, which is comprised of the four principles.
Each principle is accompanied by rules of conduct that internal auditors must implement to properly
demonstrate the principle.
However, the internal audit activity as a whole demonstrates integrity through diligent supervision and self-
assessments as per the Standards, along with any additional performance metrics that may indicate work has
Overview
been performed with diligence and responsibility.

If there are no reports or investigations of individual auditors violating policies, procedures, and rules of conduct,
then it is likely that the internal audit activity as a whole is in conformance with the principles.

The implementation guide is intended to demonstrate how to achieve conformance with the Code of
Ethics.

Considerations for Demonstrating Conformance for the CAE

[1] The CAE should maintain a quality assurance and improvement program and should report on the results of
the program, including instances of nonconformance, to senior management and the board. This as part of
sustaining integrity.
[2] The CAE’s management of the internal audit activity supports its integrity, objectivity, confidentiality, and
competency, which need to be demonstrated, documented, communicated and evident by the quality
assurance and improvement program results as well as the IAA policies, procedures, plan, processes, training
materials and minutes of meetings.
[3] The CAE’s conformance with the Rules of Conduct may be independently validated, through a quality
assurance and improvement program.
[4] The CAE, as the leader of the internal audit activity, is to uphold the Code of Ethics principles and rules of
conduct, thereby setting the tone for the value of ethics among the team.

Considerations for [5] The CAE typically retains forms signed by internal auditors and outsourced and co-sourced providers to
Demonstrating document their consideration and disclosure of any potential conflicts of interest or impairments to objectivity.
Conformance for
the CAE
[6] The CAE demonstrates conformance with the Confidentiality Principle and Rules of Conduct by documenting
and retaining records of disclosures approved by legal counsel, if applicable, and by senior management and the
board.
[7] The CAE provides evidence of control of access to records by implementing mechanisms that restrict access
and mitigate the risk of circumventing or otherwise violating these controls.
[8] The CAE may demonstrate a culture supportive of competency and the continual improvement of proficiency,
effectiveness, and quality through evidence that:
[A] Engagements have been properly resourced and supervised.
[B] Feedback has been solicited from internal audit stakeholders and sufficiently considered.
[C] Performance reviews of internal auditors have been conducted regularly.
[D] Opportunities for training, mentoring, and professional education have been provided.
[E] A quality assurance and improvement program is active.
[F] Internal audit services are performed in conformance with the Mandatory Guidance.

Considerations for Demonstrating Conformance for Individual Internal Auditors

Page 33 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

[1] Internal auditors’ participation/attendance in training, workshops, webinars, or meetings where ethical issues
were discussed, provides evidence supporting an individual’s commitment to maintaining and improving ethical
awareness. Also, CPE/CPD credits, of which the CAE may retain records.

[2] Internal auditors’ signatures acknowledging their understanding of the code of ethics and relevant policies,
procedures, laws, and regulations.

[3] Internal auditor’s feedback from post-engagement surveys and supervisory reviews of engagements may
provide additional evidence that the internal auditors’ work appeared to be performed ethically.

[4] Internal auditors demonstrate conformance with engagement record confidentiality by documenting
Considerations for
Demonstrating
distribution restrictions in engagement workpapers and reports and by retaining authorizations of all disclosures
Conformance for and approved distribution lists.
Individual Internal [5] Internal auditors may retain within the work program a signed acknowledgment attesting that engagement-
Auditors
related information has been kept confidential.
[6] Internal auditors may evidence their knowledge, skills, and experience, in part, through credentialed
qualifications, such as university/professional certifications, relevant work history as detailed on their resume,
which should be on file.

[7] Internal auditors may maintain documentation of a skills self-assessment, a plan for professional development,
and the completion of continuing professional education/development courses or trainings.

[8] Internal auditors may provide evidence of experiences undertaken — such as specific work assignments (i.e.,
on-the-job training) or volunteering in professional organizations — to expand their competencies.

Test Bank

Q1
Which situation is most likely a violation of The IIA’s Code of Ethics?
A Immediately reporting a violent crime observed at work to local law enforcement agencies.
B Reporting apparent violations of antitrust statutes by officers to government regulators.
C Reporting apparent violations of antitrust statutes by officers to the board of directors.
D Cooperating with the government’s criminal investigation of the organization.

Answers

Q1 Reporting apparent violations of antitrust statutes by officers to government regulators. B

Section #10: Applicability and Enforcement of the Code of Ethics

Paragraph #7 This Code of Ethics applies to both entities and individuals that perform internal audit services.

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics
will be evaluated and administered according to The Institute’s Bylaws and Administrative Directives.
Paragraph #8
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for
disciplinary action.

Implementation Guide: Applicability and Enforcement of the Code of Ethics

IIA’s Code of Ethics applies to both entities and individuals that perform internal audit services.

Applicability and
Enforcement of
the Code of Ethics

Page 34 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

For IIA members and recipients of or candidates for IIA professional certifications, breaches of the Code of Ethics
Applicability and will be evaluated and administered according to The IIA’s Bylaws, the Process for Disposition of Code of Ethics
Enforcement of Violation, and the Process for Disposition of Certification Violation.
the Code of Ethics
The fact that a particular conduct is not mentioned in the Rules of Conduct does not prevent it from being
unacceptable or discreditable, and therefore, the member, certification holder, or candidate can be liable for
disciplinary action.

Test Bank

Q1
The board of directors of The Institute of Internal Auditors (IIA) has been informed that a CIA was tried and
convicted of tax evasion.
The probable consequences for this person are
A Nothing; the act was performed outside of the normal line of work.
B Censure by the director of professional practices of the institute.
C Immediate revocation of the CIA designation by the Internal Auditing Standards Board.
D Review by the board of directors and forfeiture of the CIA designation.

Q2
A review of an organization’s code of conduct revealed that it contained comprehensive guidelines designed to
inspire high levels of ethical behavior.
The review also revealed that employees were knowledgeable of its provisions.
However, some employees still did not comply with the code.
What element should a code of conduct contain to enhance its effectiveness?
A Periodic review and acknowledgment by all employees.
B Employee involvement in its development.
C Provisions for disciplinary action in the event of violations.
D Public knowledge of its contents and purpose.

Answers

Q1 Review by the board of directors and forfeiture of the CIA designation. D

Q2 Provisions for disciplinary action in the event of violations. C

Section #11: No violation of either the Code of Ethics or the Standards

Test Bank

Q1

An auditor, nearly finished with an engagement, discovers that the director of marketing has a gambling habit.

The gambling issue is not directly related to the existing engagement and there is pressure to complete the
current engagement.

The auditor notes the problem and forwards the information to the CAE but performs no further follow-up.
The auditor’s actions would:
Be in violation of the Standards because the auditor did not properly follow up on a red flag that might indicate
A
the existence of fraud.
B Be in violation of The IIA’s Code of Ethics for withholding meaningful information.

Be in violation of both The IIA’s Code of Ethics for withholding meaningful information and Be in violation of the
C
Standards because the auditor did not properly follow up on a red flag that might indicate the existence of fraud.

D Not be in violation of either The IIA’s Code of Ethics or Standards.

Page 35 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

Q2
Which of the following would be permissible under The IIA’s Code of Ethics?
An auditor did not report significant observations about illegal activity to the board because management
A
indicated that it would resolve the issue.

B An auditor used audit-related information in a decision to buy stock issued by the employer corporation.

After praising an employee in a recent audit engagement communication, an auditor accepted a gift from the
C
employee.
In response to a subpoena, an auditor appeared in a court of law and disclosed confidential, audit-related
D
information that could potentially damage the auditor’s organization.

Q3
Internal auditors should be prudent in their relationships with persons and organizations external to their
employers.

Which of the following activities will most likely not adversely affect internal auditors’ ethical behavior?

A Serving as consultants to suppliers.

B Discussing engagement plans or results with external parties.
C Accepting compensation from professional organizations for consulting work.
D Serving as consultants to competitor organizations.

Q4
An internal auditor may receive which of the following without violating The IIA Code of Ethics?
A dinner and baseball tickets from the manager of a department being reviewed. The tickets are usually made
A
available to employees of that department.
A dinner and baseball tickets from the manager of a department that has never been reviewed and for which
B there are no plans for a future engagement. The tickets are usually made available to employees of that
department.
A pen received from the sales manager of a subsidiary with the imprinted name of the organization's product and
C
a phone number.
D A bottle of whiskey from the organization's treasurer.

Q5
Which of the following activities of an internal auditor is most likely to be acceptable under The IIA’s Code of
Ethics?
A Acceptance of a material gift from a supplier.
Frequent luncheons and other socializing with major suppliers of the organization without the consent of senior
B
management.
C Conducting an unrelated business outside of office hours.
D Late arrivals and early departures from work because this practice is common in the organization.

Q6
During an engagement performed at a manufacturing division of a defense contractor, the internal auditor
discovered that the organization apparently was inappropriately adding costs to a cost-plus governmental
contract.
The internal auditor discussed the matter with senior management, who suggested that the internal auditor
seek an opinion from legal counsel.
Upon review, legal counsel indicated that the practice was questionable but was not technically in violation of
the government contract.
Based on legal counsel’s decision, the internal auditor decided to omit any discussion of the practice in the final
engagement communication sent to senior management and the board.

Page 36 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

However, the internal auditor did informally communicate legal counsel’s decision to senior management.

Did the internal auditor violate The IIA’s Code of Ethics?

No. The internal auditor followed up the matter with appropriate personnel within the organization and reached a
A
conclusion that no fraud was involved.
Yes. Internal legal counsel’s opinion is not sufficient. The internal auditor should have sought advice from outside
B
legal counsel.
C No. If a fraud is suspected, it should be resolved at the divisional level where it is taking place.

D Yes. It is a violation because all important information, even if resolved, should be reported to the board.

Q7
Which of the following statements is not appropriate to include in a manufacturer’s conflict ofinterest policy?

An employee shall not

A Use organizational information for private purposes.
B Participate (directly or indirectly) in the management of a public agency.
C Borrow from or lend money to vendors.
D Accept money, gifts, or services from a customer.

Q8
An internal auditor, recently terminated by an organization due to downsizing, has found a job with another
organization in the same industry.
Which of the following disclosures made by the internal auditor to the new organization would constitute a
violation of The IIA’s Code of Ethics?

The new internal audit activity does not use PPS sampling, and the internal auditor believes PPS sampling has
A advantages for many of the engagements conducted by the new employer. The internal auditor conducts training
sessions and develops forms to implement sampling in the same manner as the previous employer.
While at the previous firm, the internal auditor conducted a great deal of research to identify “best practices” for
the management of the treasury function. Because most of the research was done at home and during non-office
B
hours, the internal auditor retained much of the research and plans to use it in conducting a review of the
treasury function at the new employer.
The internal auditor used the risk assessment approach that was used by the internal auditor’s former employer in
C
determining priorities in the new job.
D None of the answers represent a violation of the Code.

Q9
Which of the following actions by an internal auditor is not a violation of The IIA Code of Ethics?
I. Accepting a small gift of insignificant value from a customer of his/her organization.
II. Accepting payment for teaching auditing at a local university.

III. Allowing use of the Certified Internal Auditor designation in a context not involving his/her employment.

IV. Having a material ownership interest in a competitor.

A I and II.
B II and III.
C I, II, and III.
D I, II, and IV.

Q10
A staff auditor has been assigned to the Treasury audit for the second consecutive year.

Page 37 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

The auditor confirmed investment securities held by a brokerage house and realized that several large
securities were improperly used as collateral for personal loans a few years ago by the current Treasurer.

Last year the staff auditor had mistak-enly signed off on the audit steps involving the confirmations and
verification of the securities without completing all of the steps.
The audit manager also mistakenly signed off on the review last year.

When the error was detected this year, the audit manager commented that "it was an error, but the loan has
been repaid, and the securities returned. We have corrected the control weakness, and I'm positive it will not
happen again. Pursuit of this issue will be an embarrass-ment to everyone involved. Leave it like it is. "

As a staff auditor, which of the following actions would not be considered a violation of the Standards or Code
of Ethics?
I. Discuss the matter with the audit director without further discussion with the audit manager.

II. Inform the audit manager that you will be including the information in your working papers as an audit finding.

III. Resign from the audit department and company if further action is not taken on the matter.
IV. Disclose the matter to the external auditor without further discussion.
A I and II.
B II and III.
C I, II, and III.
D I, II, and IV.

Q11

An internal auditor for a large regional bank was asked to serve on the board of directors of a local bank.

The bank competes in many of the same markets as the regional bank but focuses more on consumer financing
than on business financing.
Which of the following actions would not be considered a violation of the Standards or Code of Ethics in
accepting this position by the internal auditor?
I. Violates The IIA Code of Ethics because serving on the board may be in conflict with the best interests of the
internal auditor's employer.
II. Violates The IIA Code of Ethics because the information gained while serving on the board of directors of the
local bank may influence recommendations regarding potential acquisitions.
A II only.
B I only.
C I and II.
D Neither I nor II.

Q12
An internal auditor engages in the preparation of income tax forms during the tax season.
For which of the following activities will the internal auditor most likely not be in violation of The IIA’s Code of
Ethics?
I. Teaching an evening tax seminar, for a fee, at a local university.
II. Preparing tax returns for elderly citizens, regardless of their associations, as a public service.
III. Preparing the personal tax return, for a fee, for one of the organization’s division managers.
IV. Writing a tax guide intended for publication and sale to the general public.
A I and II.
B II and III.
C I, II, and III.
D I, II, and IV.

Q13
Which of the following situations is not a violation of The IIA’s Code of Ethics?

Page 38 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

I. Knowing that management was aware of the situation, an internal auditor purposely left a description of an
unlawful practice out of the final engagement communication.
II. An internal auditor, with the knowledge and consent of management, accepted a token gift from a customer of
the organization that was not presumed to impair and did not impair judgment.
III. An internal auditor shared techniques with internal auditors from another organization.
IV. Based upon knowledge of the probable success of the employer’s business, an internal auditor invested in a
mutual fund that specialized in the same industry.
A I and II.
B II, III and IV.
C I, II, and III.
D I, II, and IV.

Q14
Which of the following actions could not be construed as a violation of The IIA’s Code of Ethics?
I. Including an internal control problem in a final engagement communication when it has been corrected prior to
completion of the engagement.

II. Turning a case over to the security department when an internal auditor suspects fraud but has no proof.
III. Expressing an opinion on internal financial statements.
IV. Failing to report to management information that would be material to management’s judgment.
A I and II.
B II, III and IV.
C I, II, and III.
D I, II, and IV.

Q15
Which of the following items is not a violation by an internal auditor of The IIA Code of Ethics?

I. Certain facts recorded in the internal auditor's working papers that helped to support the basic allegations made
by the internal auditor regarding a case of fraud were not included in the final engagement communication.

II. Information in the internal auditor's working papers that proved a criminal act was included in the internal
auditor's draft communication. The comments were later removed by internal audit management.

III. A control system that had been recommended by the internal audit staff during the previous engagement was
found to be defective. The internal auditor reported the defective function as an engagement client failure.

IV. To keep the engagement effort within the budgeted time, the internal auditor was directed to and did curtail
testing in an area that looked suspicious and later was proved to contain massive irregularities.

A I and II.
B II, III and IV.
C I, II, and III.
D I, II, and IV.

Q16
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:

1) The auditor received royalties from a publisher for authoring a professional book on internal auditing.

2) The auditor has a part-time job as a real estate broker, and his real estate firm recently received a
commission from the employer company.

Page 39 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

3) The auditor received an item of value from a fellow employee in the same company whose department has
never been audited and whose department is not scheduled to be audited in the foreseeable future.
4) The auditor did not include in an audit report that the bottlenecks in a shipping department were caused by
the absence of the supervisor. The supervisor was the auditor's friend and neighbor who had a hospitalized
child requiring him to miss work off and on for several weeks.
How many of the allegations about the auditor does not represent violations of the IIA Code of Ethics?
A One.
B Two.
C Three.
D Four.

Q17
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:
1) The auditor received an item of value from a local nonprofit organization of purchasing agents for whom he
gave a speech.
2) The auditor received an item of value from a customer of the employer.
3) The auditor has a part-time job as president of a local charitable organization.
4) The auditor shared audit techniques with auditors from another company while attending a professional
meeting.
5) A buyer accepted a kickback of $500 to give bid amounts to a supplier to enable that supplier to bid the
contract. The auditor omitted this information from the audit report since the contract amount was not
material to the financial statements.
How many of the allegations about the auditor do not represent violations of the IIA Code of Ethics?
A One.
B Two.
C Three.
D Four.

Q18
A company with a whistleblowing hotline has received an anonymous tip that a senior internal auditor is in
violation of the IIA Code of Ethics.
The company has adopted the IIA Code as a part of the corporate ethical code.
Among the allegations against the auditor were the following:

1) The auditor has a part-time job outside of office hours as a visiting professor at a local community college.

2) The auditor owns stock in the employer company.

3) The auditor told his next-door neighbor to start looking for a new job because an audit of the executive
office indicated that the neighbor's division was going to be closed down in about six months.

How many of the allegations about the internal auditor do not represent violations of the IIA Code of Ethics?

A None.
B One.
C Two.
D Three.

Q19
Which of the following situations is not a violation of The IIA’s Code of Ethics?

Page 40 of 41
 Tariq Al-Basha, MSc, CMA®, FMVA®, CMSA®, CBCA™, BIDA™, CRE | [email protected]

I. During an engagement, an internal auditor learned that the organization was about to introduce a new product
that would revolutionize the industry. Because of the probable success of the new product, the product manager
suggested that the internal auditor buy an additional interest in the organization, which the internal auditor did.

II. An internal auditor gave a speech at a local IIA chapter meeting outlining the contents of a program the internal
auditor had developed for engagements relating to electronic data interchange (EDI) connections. Several internal
auditors from major competitors were in the audience.
III. An internal auditor for a manufacturer of office products recently completed an engagement to evaluate the
marketing function. Based on this experience, the internal auditor spent several hours one Saturday working as a
paid consultant to a hospital in the local area that intended to conduct an engagement to evaluate its marketing
function.
IV. An internal auditor was ordered to testify in a court case in which a merger partner claimed to have been
defrauded by the internal auditor’s organization. The internal auditor divulged confidential information to the
court.
A I and II.
B II, III and IV.
C I, II, and III.
D I, II, and IV.

Answers

Q1 Not be in violation of either The IIA’s Code of Ethics or Standards. D

In response to a subpoena, an auditor appeared in a court of law and disclosed
Q2 confidential, audit-related information that could potentially damage the auditor’s D
organization.
Q3 Accepting compensation from professional organizations for consulting work. C
A pen received from the sales manager of a subsidiary with the imprinted name of the
Q4 C
organization's product and a phone number.
Q5 Conducting an unrelated business outside of office hours. C
Q6 No. The internal auditor followed up the matter with appropriate personnel within the A
Q7 Participate (directly or indirectly) in the management of a public agency. B
Q8 None of the answers represent a violation of the Code. D
Q9 I, II, and III. C
Q10 I, II, and III. C
Q11 Neither I nor II. D
Q12 I, II, and IV. D
Q13 II, III and IV. B
Q14 I, II, and III. C
Q15 I, II, and IV. D
Q16 One A
Q17 Three. C
Q18 Two C
Q19 II, III and IV. B

Page 41 of 41