Compliance | July 23, 2025

Ethics from a financial services auditor’s lens

The evolution of ethics in business

As businesses have developed over time, new ethical challenges continue to materialize, including workers’ rights, working conditions, wages, and product safety. Professional codes of ethics and corporate social responsibility have also emerged as fundamental business principles. The modern-day standards set by the Institute of Internal Auditors (IIA) have been developed to navigate ethical gray areas in internal audit ethics, manage conflicts of interest, and maintain alignment with both personal and professional values in high-pressure environments.

What are the fundamentals of ethics?

Ethics is the study and practice of determining what is right and wrong in human behavior. It guides individuals and organizations in making decisions, taking actions, and interacting with others. Ethical behavior includes transparency, accountability, fairness, respect for people and communities, integrity in decision making, and commitment to fostering long-term trust.

Doing the right thing can carry real risks, whether personal retaliation or career setbacks, financial consequences for the organization, or isolation from peers or leadership. Addressing ethical concerns requires courage, not just knowledge. The right choice may not feel easy, safe, or immediately rewarding, but true ethical leadership means choosing integrity even when it may lead to personal or professional risk.

Defining the relationship between ethics and risk management

Ethics are essential to protecting people, communities, and trust. The 2008 global financial crisis is an example of aggressive lending practices that prioritized profit over prudence. Borrower incentives such as subprime mortgages, adjustable-rate mortgages, flexible appraisal practices, and creative loan products led to widespread unethical conduct. The inflated housing prices combined with risky lending practices created a perfect storm that harmed customers, leaving them with unsustainable debt, plummeting home values, and foreclosures.

Leaders must exercise a duty of care. This is an ethical obligation to foresee and mitigate risks that could harm consumers, employees, shareholders, or the public. Ignoring risks or failing to establish proper controls can lead to ethical issues, especially when it involves negligence, willful ignorance, or failure to act in the best interest of stakeholders. As internal auditors, it’s important to understand the relationship between ethics and risk management and how they intersect. While not all risk management oversights are unethical, when poor risk practices stem from or lead to irresponsible or harmful behavior, they become ethical concerns.

Real-life business ethical dilemmas

Ethical leadership today is built on thousands of years of human wisdom and still demands personal courage every day. Real-life examples of ethical business dilemmas serve as examples of how breakdowns can occur even in well-functioning organizations.

One such example involves a senior leader who was discovered, during a routine audit, to be embezzling customer and company assets. An internal auditor made the discovery after finding a suspicious document buried in a file that hinted at unethical practices. Despite the leader’s attempts to downplay the situation, the evidence of multiple internal control violations was enough to warrant further investigation. The full ethics audit and investigation uncovered a long-standing pattern of misconduct. It also found that many employees were aware of the misconduct but stayed silent out of fear of retribution.

This story highlights the importance of fostering an ethical culture and creating supportive environments where employees feel safe to speak up. You can do this in the following ways:

  • Providing trusted, anonymous channels for employees to report concerns
  • Requiring regular independent audits
  • Cultivating a “speak-up” culture where reporting ethical concerns is encouraged by leadership
  • Investigating early red flags to ensure ethical practices are upheld

Communicating ethical concerns for a win-win

Leaders must foster a culture where employees can safely raise ethical concerns. Reporting ethical issues in auditing doesn’t have to be a “win-lose” scenario. Constructive communication can turn potential conflicts into win-win scenarios. For example, if you disagree with your audit manager’s findings, you can use a variety of communication tactics for a more successful outcome, such as:

  • Start with curiosity, not certainty
  • Listen before reacting
  • Acknowledge complexity – no situation is black or white
  • Focus on shared values and the overall mission
  • Offer options, not ultimatums
  • Stay calm, fact-based, and respectful
  • Emphasize positive intent and solutions, and avoid blame

There will likely be times in your internal audit career where you find yourself at an ethical crossroads, where organizational ethics and personal values are at odds. These moments will test your leadership and integrity and may even require you to walk away from situations that conflict with your ethical standards. Remember, your integrity must always come first and is worth more than compromising your ethics.


Putting the Global Internal Audit Standards into practice: The 5 basic principles

In internal auditing, specific ethical standards have been established by the IIA, providing internal auditors with a framework to guide decision-making that aligns with accepted professional standards.

Domain II: Ethics and Professionalism replaces the former IIA Code of Ethics and clearly outlines what ethical behavior is expected of internal audit practitioners.

Principle 1: Demonstrate Integrity

Principle 1: Demonstrate Integrity outlines expectations that internal auditors tell the truth and do the right thing, even when it is uncomfortable or difficult. It is the foundation of ethical principles.

  • Standard 1.1 Honesty and Courage emphasizes exercising professional courage as part of internal auditing. As internal auditors, it is critical to create a truthful, accurate, and clear assessment of your organization and maintain a professional rapport.
  • Standard 1.2 Organization’s Ethical Expectations requires internal auditors to understand, respect, meet, and contribute to the legitimate and ethical expectations of the organization, and to be able to recognize conduct that is contrary to those expectations.
  • Standard 1.3 Legal and Ethical Behavior describes expectations around professional behavior, including not engaging in behavior that is illegal or otherwise harmful to the organization or the internal audit profession.

Principle 2: Maintain Objectivity

Principle 2: Maintain Objectivity addresses the importance of demonstrating an impartial and unbiased attitude when performing internal audit services and making decisions.

  • Standard 2.1 Individual Objectivity requires an impartial and unbiased mindset and encourages internal auditors to make judgments based on balanced assessments when performing all aspects of internal audit services.
  • Standard 2.2 Safeguarding Objectivity states that internal auditors must recognize, avoid, or mitigate potential and perceived impairments to objectivity.
  • Standard 2.3 Disclosing Impairments to Objectivity describes the requirements for internal auditors to disclose objectivity impairments. 

Principle 3: Demonstrate Competency

Principle 3: Demonstrate Competency focuses on the knowledge, skills, and abilities that internal auditors must apply to fulfil their roles and responsibilities.

  • Standard 3.1 Competency outlines the competencies that internal auditors must possess or obtain to perform their responsibilities successfully.
  • Standard 3.2 Continuing Professional Development requires internal auditors to continually develop their competencies and pursue professional development opportunities.

Principle 4: Exercise Due Professional Care

Principle 4: Exercise Due Professional Care states that internal auditors must apply due professional care in planning and performing internal audit services.

  • Standard 4.1 Conformance requires internal auditors to perform services in conformance with the Global Internal Audit Standards.
  • Standard 4.2 Due Professional Care describes what internal auditors must assess when providing services.
  • Standard 4.3 Professional Skepticism states that internal auditors will apply professional skepticism by critically assessing and working to enhance the reliability of information. In other words, trust but verify.

Principle 5: Maintaining Confidentiality

Principle 5: Maintaining Confidentiality outlines the responsibility and care internal auditors must take to protect the confidential information they access in their daily work.

  • Standard 5.1 Use of Information describes the relevant policies, procedures, laws, and regulations internal auditors must follow when using information. Information may not be used for personal gain or in any manner contrary to or detrimental to the organization.
  • Standard 5.2 Protection of Information outlines how internal auditors should manage confidential information. 

The IIA also provides guidance on other discreditable behaviors that might not be illegal but are concerning. This includes:

  • Bullying, harassing, or discriminatory behavior
  • Failing to accept responsibility for mistakes
  • Issuing false reports or permitting others to do so
  • Lying
  • Making deceptive, false, or misleading claims about someone’s competency
  • Making disparaging comments about the organization, employees, or stakeholders, either in person or via media

A case study of misconduct and consequences

Between 2002 and 2016, employees from a large, diversified financial services company faced immense pressure to meet unrealistic sales goals, leading to unethical practices, including millions of unauthorized account openings, falsified records, and the misuse of customer identities. These actions resulted in millions of unearned fees and significant harm to customers’ credit scores. The fallout resulted in a $3 billion settlement with the Department of Justice and the Securities and Exchange Commission (SEC) and long-term damage to the organization’s reputation.

An unethical leadership culture also played a role in this fraud. Senior leaders knew about the misconduct as early as 2002 but minimized and rationalized it. Although internal investigators flagged the misconduct, management ignored internal warnings and refused to adjust their sales strategy, accepting fraud as a cost of doing business.

This case is particularly notable because it marked the first time internal audit executives, who were not directly involved in the fraud, were personally fined for failing to act. The chief audit executive from 2012 to 2018, and another audit executive, were aware of the severity of the sales misconduct but failed to escalate the issue or reassess their audit approach. The fines imposed on them underscore the importance of extending your personal accountability beyond the organization. Protecting your integrity will help protect your career.

Conclusion

As internal auditors, you can help set the ethical tone for your organization. Your role allows you to have an impact on the ethical state of your organization based on your words and your actions. If you’re unsure where to start, the IIA provides valuable resources and guidelines for maintaining professionalism and ethics in audit practices.


Dana Lawrence (CIA, CRMA, CFSA, CAMS, CRVPM, CCA) is the Sr. Director of Fintech Compliance at Pacific West Bank and Venture Partner at Purpose Built.