Confidentiality and the proper use of information are fundamental principles within the IIA Code of Ethics, directly supporting the CIA Part 1 focus on Ethics and Professionalism. Internal auditors routinely access sensitive, proprietary, and privileged information during engagements, and they bear…Confidentiality and the proper use of information are fundamental principles within the IIA Code of Ethics, directly supporting the CIA Part 1 focus on Ethics and Professionalism. Internal auditors routinely access sensitive, proprietary, and privileged information during engagements, and they bear a professional duty to protect this data. The Confidentiality principle of the IIA Code of Ethics establishes that internal auditors respect the value and ownership of information they receive and do not disclose it without appropriate authority, unless there is a legal or professional obligation to do so. This builds trust between auditors and the organization, ensuring stakeholders feel secure sharing information. Two key rules of conduct reinforce this principle. First, internal auditors shall be prudent in the use and protection of information acquired in the course of their duties. This means safeguarding data through secure storage, controlled access, and careful communication, preventing accidental or intentional leaks. Second, internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization. This prohibits activities such as insider trading, misusing confidential findings, or leveraging privileged knowledge for private benefit. The improper use of information can severely damage the auditor's credibility, the internal audit function's reputation, and the organization itself, potentially resulting in legal liability. Auditors must balance confidentiality obligations against legitimate disclosure requirements, such as reporting fraud, complying with regulatory demands, or responding to court subpoenas. Even when disclosure is required, auditors should follow proper channels and seek legal or professional guidance when uncertain. Ultimately, maintaining confidentiality and using information ethically demonstrates integrity, objectivity, and professional competence. These behaviors uphold public and organizational trust in the internal audit profession, aligning individual conduct with the broader ethical framework that governs certified internal auditors worldwide throughout their careers.
Confidentiality and Use of Information
Confidentiality and Use of Information is a core principle of the internal audit profession, forming part of the IIA's Code of Ethics. It governs how internal auditors handle the sensitive information they acquire during their engagements.
Why It Is Important Internal auditors are granted broad access to an organization's records, systems, and people. This access places them in a position of significant trust. If auditors misuse or improperly disclose the information they obtain, they can cause serious harm to the organization, its employees, and its stakeholders. Confidentiality protects the organization's competitive position, preserves the integrity of the audit process, and maintains the credibility of the internal audit function. Without strict confidentiality, individuals would be reluctant to share information openly with auditors, undermining the effectiveness of every engagement.
What It Is The confidentiality principle in the IIA Code of Ethics states that internal auditors respect the value and ownership of information they receive and do not disclose information without appropriate authority unless there is a legal or professional obligation to do so.
Two key rules of conduct support this principle: 1. Internal auditors shall be prudent in the use and protection of information acquired in the course of their duties. 2. Internal auditors shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
How It Works In practice, confidentiality applies throughout and beyond the audit engagement:
1. Safeguarding information: Auditors must protect working papers, reports, and data from unauthorized access, ensuring secure storage and controlled distribution.
2. Restricting disclosure: Information gathered may only be shared with those who have proper authority or a legitimate need to know. External disclosure typically requires appropriate authorization.
3. Legal or professional obligations: There are exceptions. If a law requires disclosure (e.g., a subpoena) or a professional standard mandates it, the auditor may be obligated to reveal information.
4. No personal use: Auditors must never exploit information for personal advantage — for example, trading on inside knowledge or leveraging data for personal or third-party benefit.
5. Continuing duty: The obligation of confidentiality continues even after an auditor leaves an engagement or the organization.
How to Answer Questions in an Exam Exam questions on confidentiality often present a scenario and ask what the auditor should do. Focus on identifying whether information is being used or disclosed appropriately. Ask yourself: • Does the auditor have proper authority to disclose? • Is there a legal or professional obligation that overrides confidentiality? • Is the information being used for personal gain or against the organization's interests? • Is the auditor being prudent in protecting the information?
The correct answer usually emphasizes protecting information, obtaining proper authorization before disclosure, and refraining from personal use.
Exam Tips: Answering Questions on Confidentiality and Use of Information • Remember the two rules of conduct: prudence in protection, and prohibition of personal or detrimental use. • Watch for the exceptions: legal or professional obligations can require disclosure — these are legitimate, authorized exceptions. • Personal gain is always wrong: any answer suggesting the auditor benefits personally from information is incorrect. • Look for 'appropriate authority': disclosure without proper authorization violates the principle. • Distinguish confidentiality from other principles (integrity, objectivity, competency) — confidentiality is specifically about handling and protecting information. • Confidentiality survives the engagement: the duty does not end when the audit or employment ends. • Choose the most cautious, ethical option when unsure; the IIA expects auditors to err on the side of protecting information. • Read scenarios carefully to determine whether a disclosure is authorized, legally mandated, or an improper breach.