CIA 1.6: Internal Audit Ethics - Confidentiality Flashcards
Internal auditors shall:
- Shall be prudent in the use and protection of information acquired in the course of their duties.
- Shall not use information for any personal gain or in any manner that would be contrary to the law or detrimental to the legitimate and ethical objectives of the organization.
“To protect proprietary information, policies and procedures may require internal auditors to take the following precautions, even when handling information internally:
- Collect only the data required to perform the assigned engagement and use this information only for the engagement’s intended purposes.
- Protect information from intentional or unintentional disclosure through the use of controls such as data encryption, email distribution restrictions, and restriction of physical access to the information.
- Eliminate copies of or access to such data when it is no longer needed.”
“Organizations usually issue what to protect the data they acquire, use, and produce and to ensure compliance with the laws and regulations that pertain to the industry and jurisdiction within which they operate.” ?
Information security policies
“To better understand the impact of legal and regulatory requirements and protections (e.g., legal privilege or attorney-client privilege), the chief audit executive (CAE) should consult with who? The organization’s policies and procedures may require that specific authorities review and approve business information before external release.” [emphasis added]
Legal counsel
What does rule of conduct 3.2 emphasize?
“Rule of Conduct 3.2 emphasizes that internal auditors must not use any information for personal gain. For example, internal auditors should not use insider financial, strategic, or operational knowledge of an organization to bring about personal financial gain by purchasing or selling shares in the organization. Another example is releasing insider knowledge to journalists or via other media without proper authorization. Using insider information to develop a competitive product or selling proprietary information to a competitor also violates this confidentiality rule. Furthermore, internal auditors should not abuse their privilege to access information, such as using access to customer records to look up a neighbor’s recent purchases or to view the health records of a celebrity.”
Conformance with confidentiality is demonstrated how?
“The CAE may demonstrate support of internal audit confidentiality through evidence of policies, processes, procedures, and training materials implemented to cover confidentiality as it applies to the internal audit activity and the organization.”
“Regarding the release of engagement results, reports, or related information, the CAE demonstrates conformance with the confidentiality principle and rules of conduct by documenting and retaining records of disclosures approved by legal counsel, if applicable, and by senior management and the board.”
“Internal auditors demonstrate conformance with engagement record confidentiality by documenting distribution restrictions in engagement workpapers and reports and by retaining authorizations of all disclosures and approved distribution lists.”
“If there are no reports or investigations of individual auditors violating policies, procedures, and rules related to confidentiality, then it is likely that the internal audit activity as a whole is in conformance with the principle.”
