Editorial
While I have challenged the IIA’s Standard requirement of two hours annual ethics training for every internal auditor, that doesn't mean I don't recommend training, provided its useful.
I challenged the Standard because training doesn’t necessarily increase the likelihood of ethical behavior. I have led or supervised many investigations where fraud or other unethical behavior was committed by people who had not only read the Ethics Policy and received related training, but had passed every test. Ethics training may increase an individual’s knowledge of the Ethics Policy, but it will not prevent someone with poor ethics from committing fraud.
The training is a necessary start, but it is insufficient to provide reasonable assurance of ethical behavior.
What Will Reading a Policy Accomplish?
Ethics training for internal auditors that simply regurgitates the Ethics Policy has even less value than for other employees, as it is hardly likely that any internal auditor is unaware of the policy and its expectations. It also doesn’t take two hours for them to read.
CAEs and other internal auditors who read this: do you need two hours of ethics training every year?
There’s a saying that 60% of employees will never commit fraud. Another 20% are always looking for the opportunity, while the other 20% will steal if they think they can get away with it or the temptation is too great.
A recent study by Verisk of insurance fraud came up with slightly different percentages, but confirmed the general idea (I have edited the formatting and added my [comments]:
At the macro level, a somewhat surprising 5.71% of all respondents to the study informed us what they had actually done on a claim which they personally submitted for payment. [In other words, they admitted committing insurance fraud. Who knows how many more inflated their claims but didn’t admit it!]
But wait, it appears they are just waiting for their chance to commit a similar fraud. Beginning at the baseline of those who admitted to committing such acts is the even more shocking 11.63% of all persons responding telling us given the opportunity to submit such a fraudulent claim they would “definitely do so.” [Again, how many feel the same way but wouldn’t admit it?]
Combined this represents 17.34% of all respondents.
But the lack of a moral high ground does not stop there. Rather than finding such actions to be unacceptable, the next group of 17.34% (… matching exactly the same number as the two prior respondent groups) …. Of all respondents simply said “I might” when asked about submitting such a claim.
Collectively then these responses represent the views of 34.68% of all U.S. citizens. [And how many more are not admitting it, perhaps even to themselves?]
Related Article: What to Do When Compliance Is Wrong
A More Effective Way to Train People in Ethics
There is a better way to train people in ethical behavior than testing their knowledge of the policy. Watch this video for experiences I had at Tosco and Maxtor.
Professor Barbara Ley Toffler (whom I met when I was CAE of Tosco Corporation, and who is now a good friend) showed me a great way to train any manager in what it means to be ethical, and how to approach difficult situations. While still a professor at Harvard Business School, she wrote “Managers Talk Ethics: Making Tough Choices in a Competitive World.” Now she's a consultant to major organizations, their top executives and their boards.
The kind of training she gave them is eminently suitable for today’s executives, including all internal auditors.
Instead of reading and being able to recite a policy, present a group (who could be at any level, in any department including internal audit) with a scenario. It might be hypothetical, or it might be based on a real-life situation.
Then have them discuss, with facilitation, the rights and wrongs and what each of them would do if in that situation.
For internal auditors, it might be:
You need to leave the office by 6pm at the latest if you are going to arrive on time for your youngest child’s birthday celebration. You and your partner’s family will all be there, and you can’t afford to be late.
One task is remaining in your audit, which your team leader is expecting you to complete before the end of the day. It is to select 20 paid invoices and confirm a) that they are supported by approved purchase orders (POs), and b) that the Accounts Payable (AP) clerk compared them. He or she initials a hard copy of the invoice before filing them away with the PO attached.
You have selected the 20 invoices from a report from the Accounts Payable (AP) system.
It is now 5:30pm and you think you can complete the test in the 30 minutes left before you must leave.
But first you have to find the 20 hard copy invoices in the AP files. Five are missing and the AP clerk has left for the day.
What should you do?
- Select five different invoices from the AP files and get home in time?
- Search for them, knowing that will take time and you will be late for the party?
- Leave a note for the AP clerk to find them in the morning and disappoint your manager?
This kind of training brings home to the internal auditor what is expected of them. It is meaningful, especially when the whole group can discuss and debate the situation.
But it doesn’t take two hours, and I am not persuaded that every auditor needs it every year.
Conference
Sep
16
HR Tech Conference Las Vegas 2025
Register
Conference
Oct
27
Gartner HR Symposium/Xpo Orlando 2025
Register
Let’s not do it just because the IIA says it must be done. Only do it if you feel it adds value and is worth taking every audit staff member’s time.
What do you think?
Learn how you can join our contributor community.
