GUEST BLOG POST
Throughout my more than 20 years as an internal auditor, I’ve always been drawn to understanding the “why” behind every issue I uncover. When I work with clients now, I encourage them to keep digging until they reach the true root cause of a problem, because that is where meaningful, lasting change begins. Real improvement doesn’t come from fixing symptoms; it comes from understanding the decisions and behaviors that cause them.
Over the years, I’ve shared this philosophy in training sessions, helping other internal auditors look beyond checklists and think more critically about what drives the results they see. I’ve found that when we focus on root cause analysis, our findings lead to real progress instead of temporary fixes that don’t address the real issues. But until the release of the Institute of Internal Auditors’ 2024 Global Internal Audit Standards, I hadn’t realized that this curiosity—the drive to understand people and their decisions—is at the very heart of behavioral ethics.
From ‘Gotcha’ Auditing to Insight and Improvement
Earlier in my career, I observed many internal auditors who approached their work with a “gotcha” mindset, focused on catching errors or assigning blame. Yet that approach rarely led to lasting change. It may fix symptoms, but not causes.
That’s where the 2024 Global Internal Audit Standards come in. The Standards challenge us to think differently. They ask us to move beyond enforcing compliance and towards understanding conduct. They call on internal auditors to act ethically and to understand the behaviors that drive ethical and unethical decisions. This shift transforms our work from rule enforcement and policy policing to uncovering meaningful insight and ultimately becoming a change agent.
Behavioral ethics helps explain why this change matters. It studies how people make decisions in the real world where pressures, incentives, and habits often shape outcomes more than written policies do. Most control failures we uncover are not because a rule was unclear or missing, but because someone made a decision under pressure, without perspective, or in a culture that unintentionally rewarded the wrong behavior.
When internal auditors stop at identify the symptom, they leave the deeper issue untouched. But when we ask why and take the time to understand the motivations and pressures behind each choice, we can uncover the roots of risk itself. That is where our work begins to create real, lasting value.
How the Standards Have Evolved
When I first read the 2024 Standards, what struck me most was how much they build on and improve what came before. In the 2017 Standards, the IIA’s Code of Ethics and Core Principles was separate from the Standards themselves. This separation also caused a disconnect in my mind. I was required to agree to the code of ethics, but thinking about them and incorporating them into the Standards wasn’t on the top of my mind. Now, those pieces have been brought together into a single, cohesive framework.
By incorporating ethics into Domain II – Ethics and Professionalism, the IIA has uplifted ethics from the margins into the center of how we define and measure performance. It is front and center, shaping how internal auditors are expected to think and act.
The language also changed in a meaningful way. The old Standards used words like “shall” and “should,” while the new version often uses “must.” That may seem like a small edit to some, but as internal auditors, we know that word choice truly matters. Concepts that once sounded aspirational or even optional are now clearly stated as professional requirements.
The new Standards also unveil two additional ideas: professional courage and organizational ethical expectations. Together, they provide a more complete understanding of what it means to act ethically, not just as individuals, but also as members of a profession that influences our entire organization.
These revisions and additions are not limited to style or structure. They mark a shift in tone, from suggestion to accountability. Ethics is no longer something we talk about in the abstract. It is something we’re expected to demonstrate, measure, and strengthen every day.
Ethical Expectations and Cultural Signals
To gain an understanding of how culture drives behavior, Standard 1.2 – Organization’s Ethical Expectations, asks internal auditors to understand, respect, and contribute to their organization’s ethical expectations while recognizing behavior that conflicts with them.
It challenges internal auditors to look beyond policies and see how values are actually lived. An important distinction that pushes us to ask important questions. Are incentives aligned with ethics? Do employees feel safe speaking up? Does the tone at the top match what happens in the day-to-day operations of the organization?
By putting culture and ethical expectations at the center of our work, the Standards remind internal auditors that evaluating ethics is part of evaluating controls. A strong control environment can’t exist without an ethical one.
Legal and Ethical Behavior
While the 2017 Standards recognized the importance of legal and ethical behavior, the new Standard 1.3 acknowledges that legality and ethics are not always the same. It requires auditors to avoid any activity that is illegal or discreditable to the organization or the profession, of course, but it also goes further.
An action can meet regulatory requirements or even the letter of the law and still fall short of fairness or transparency. The 2024 Standards challenge internal auditors to think not only about compliance but also about whether decisions align with the organization’s principles and values. This is a broader view that strengthens our role. It reminds us that internal audit isn’t just about confirming what’s legal, it’s about promoting what’s right.
Individual Objectivity and Safeguarding Independence
Objectivity has always been central to internal auditing, but the new Standard 2.1 – Individual Objectivity and Standard 2.2 – Safeguarding Objectivity take it a step further. They recognize that bias is a part of human judgement and that true objectivity requires constant awareness and effort. Internal auditors are expected to stay impartial, identify actual or perceived impairments, and take deliberate steps to address them.
The emphasis on perception is especially important. Even when our conclusions are fair, the appearance of bias can dissolve trust. That’s why maintaining objectivity isn’t just about reporting lines or structures, it’s also about an ethical mindset and behavior. It means recognizing how relationships, obligation, or subtle pressure can shape our thinking, and having the humility and courage to question ourselves.
The 2024 Global Internal Audit Standards make it clear that ethics isn’t separate from performance. It is the foundation of it. The success of internal audit depends on our ability to dig deep by understanding people, their motivations, pressures, and rationalizations. When we take time to explore those human factors, we uncover the real reasons behind risk and create change that lasts.
Applying Behavioral Ethics in the Real World
Applying behavioral ethics in practice starts with awareness. During audit planning, think about how ethical pressures or incentives might shape behavior. During fieldwork, listen for rationalizations and pay attention to culture. In reporting, describe not just what happened, but why it happened.
The new Standards remind us that honesty, courage, and objectivity are not static traits, they are habits we develop through reflection and practice. Behavioral ethics gives us the lens to examine those habits and the courage to question them. When we embrace that mindset as internal auditors, our reports are enhanced by telling a story that includes the behaviors behind the numbers, the choices behind the controls, and the character that defines the organizations success. That is where the true value of internal audit shines. 
Editor‘s Note: The Audit Library has developed a behavioral ethics training course to help internal auditors translate the Standards into action through discussion and case studies. The course fulfills the IIA’s behavioral and ethics CPE requirement and gives participants practical tools to strengthen ethical judgment. Those interested in exploring this topic further can register here.
John Kaneklides is co-founder of The Audit Library, a digital collection of internal audit documents, templates, and tools. He is also an internal audit consultant specializing in the credit union industry.