Ethical Conduct and Code of Ethics Compliance Among Maltese Internal Auditors: An Analytical Perspective

Along the years, poor ethical practices have resulted in many corporate scandals and failures, which have uncovered the insufficiency and inadequacy of control mechanisms and a lack of accountability on the part of certain organizations. Often, such scandals could have been prevented if the organization had been vigilant about detecting unethical behavior rather than solely focusing on achieving strategic objectives. As a result, there is a growing emphasis on business ethics and codes of conduct, with the IAor playing a key role in bringing out this increased importance.

The Internal Audit Function (IAF) has evolved from being solely focused on fraud detection and compliance to becoming a dynamic function that encompasses all aspects of organizational processes (G​r​i​m​a​,​ ​2​0​2​2). The IAF plays a crucial role in the overall “governance mosaic” by providing assurance on internal controls, risk management, and compliance (S​o​h​ ​&​ ​M​a​r​t​i​n​o​v​‐​B​e​n​n​i​e​,​ ​2​0​1​1).

Ethical pressures from management or one’s self-interest may result in conflicts (S​i​e​g​e​l​ ​e​t​ ​a​l​.​,​ ​1​9​9​5), and since IAors are expected to work in collaboration with management, they encounter various ethical dilemmas and threats in their pursuit of performing their job with professional integrity. Nonetheless, IAors are able to influence the ethical reasoning process of companies as they play a crucial role in integrity, honesty, and business ethics (B​r​i​n​c​a​u​,​ ​2​0​1​0).

The Board of Directors (BOD), management, the Audit Committee (AC), external auditors (EAors), and other stakeholders are increasingly relying on IAors to offer assurance and advice (P​r​i​v​i​t​e​l​l​i​,​ ​2​0​0​7). The IAors’ reliability and credibility are strengthened when they are ethical (B​r​i​n​c​a​u​,​ ​2​0​1​0), and the IAors can maintain their credibility by abiding by a relevant Code, especially when solving ethical dilemmas (S​i​e​g​e​l​ ​e​t​ ​a​l​.​,​ ​1​9​9​5). Despite this increased importance, Maltese IAors still lack an adequate code and regulatory framework to abide by.

In fact, while there is a wealth of literature that delves into the relevance of the IA function, little exists on the relevance of the Code and its impact on the IAors’ ethical behavior. B​r​i​n​c​a​u​ ​(​2​0​1​0​) addressed the aspect of ethical decision-making in IAUs with only a brief reference to the relevance of the Code. Additionally, the study did not explore the distinct attitudes of in-house versus outsourced IAUs when it comes to the Code.

The current code and guidelines for internal auditors in Malta display notable insufficiencies, lacking specificity for contemporary ethical challenges, clarity in application to Malta's unique context, and responsiveness to emerging issues. Apart from distinguishing between ethical dilemmas and threats faced by in-house and outsourced IAors, this study also aims to address these gaps by proposing enhancements, ensuring a more robust and contextually relevant ethical framework specific to Malta's dynamic business environment.

In this regard, the objectives of this study are to: (i) examine the potential factors that influence the ethical conduct of IAors; (ii) determine the level of IAor awareness regarding ethical dilemmas and threats, as well as their ethical obligations in following the Code; and (iii) evaluate the circumstances and degree to which IAors refer to the Code, if at all. This involves comparing the distinct perspectives taken by internal and external information assurance officers.

This study is conducted in Malta, a small island state in the European Union. It recommends and raises awareness about the need for enhancing ethical practices among Maltese IAors so that they are provided with the necessary guidance, oversight, and support. This includes making audit committees with code-related expertise mandatory for all entities, adopting the IIA Code of Ethics for all Maltese IAUs with additional local requirements, establishing an official institute and regulatory framework for Maltese IAors, and implementing increased communication and training initiatives focused on the Code.

Belonging to a profession with a Code of Ethics and performance standards helps in resolving ethical dilemmas by offering direction and guidance on the proper path of conduct. The Institute of Internal Auditors (IIA) provides a regulatory framework for IAors to follow. In 2013, the IIA’s Board of Directors decided to improve the relevance of the International Professional Practice Framework (IPPF). Consequently, the C​h​a​r​t​e​r​e​d​ ​I​n​s​t​i​t​u​t​e​ ​o​f​ ​I​n​t​e​r​n​a​l​ ​A​u​d​i​t​o​r​s​ ​(​2​0​1​6​) (CIIA) launched the New IPPF in 2016.

The Code cultivates a culture of ethics in IA. It outlines the fundamental principles and expected conduct for IAors. However, it does not provide specific activities but merely outlines the minimum requirements (I​I​A​,​ ​2​0​2​1). In line with Immanuel Kant’s deontological theory of ethics, L​a​r​r​y​ ​&​ ​M​o​o​r​e​ ​(​2​0​0​8​) argue that this theory of ethics emphasizes the significance of formal rules and standards in defining acceptable or desired behavior. This approach makes abstract moral requirements more specific and enables them to effectively guide and coordinate conduct.

Nonetheless, despite the IIA providing such direction in the field of IA, individual judgment is still required to apply the Code successfully (Z​i​e​g​e​n​f​u​s​s​ ​&​ ​S​i​n​g​h​a​p​a​k​d​i​,​ ​1​9​9​4). This is because interpretation is necessary to apply rules to particular circumstances, and it is during this process that ethical principles play a role in guiding what actions a "reasonable" individual would take in a given scenario, as well as how an unbiased observer would perceive those actions (C​h​e​f​f​e​r​s​ ​&​ ​P​a​k​a​l​u​k​,​ ​2​0​0​7).

When considering ethics in auditing, it is insufficient to focus exclusively on the auditing process or standards. Instead, the ethical character of the auditor should also be taken into consideration (E​v​e​r​e​t​t​ ​&​ ​T​r​e​m​b​l​a​y​,​ ​2​0​1​4). B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s study concluded that IAors conduct themselves ethically because it is right and not just to comply with the Code. It was also noted that ethical behavior must stem from within rather than being imposed externally.

Previous research has suggested that auditors with greater moral development rely more on their judgment and less on specific standards when resolving ethical dilemmas (P​o​n​e​m​o​n​ ​&​ ​G​a​b​h​a​r​t​,​ ​1​9​9​4). Furthermore, auditors with strong moral values are better equipped to resist client pressure compared to those with weaker moral values, who may prioritize economic factors and self-interest (B​e​r​n​a​r​d​i​,​ ​1​9​9​4). IAors must not only be competent but also possess the will to make the correct decision, even in the face of potential retribution from top management (S​c​h​w​a​r​t​z​ ​&​ ​S​h​a​r​p​e​,​ ​2​0​0​6). Nonetheless, knowledge of ethical regulations remains important (T​r​e​v​i​n​o​ ​&​ ​N​e​l​s​o​n​,​ ​2​0​0​4).

It was also noted that ethical behavior must stem from within rather than being imposed externally. This can be seen in line with K​o​h​l​b​e​r​g​ ​(​1​9​7​1​)’s theory of moral development. As outlined in Figure 1, Kohlberg categorized moral reasoning into three hierarchical levels: pre-conventional, conventional, and post-conventional, each consisting of two sub-stages. Every individual passes through this sequence of stages in the order listed below, but not all individuals reach proficiency in all three stages (M​c​L​e​o​d​,​ ​2​0​2​3).

For a person who falls under the pre-conventional stage, an ethical dilemma is resolved by considering the cost and benefits of the ethical actions. In the second stage, resolution of the dilemma is based on preventing harm to other members of the organization. Lastly, a person in the post-conventional stage will form his ethical judgment based on internally self-chosen values and principles (K​o​h​l​b​e​r​g​,​ ​1​9​7​1).

Even though unprofessional behavior is a direct result of the auditors’ poor ethical reasoning and values, the organizational environment also influences unprofessional behavior (J​o​n​e​s​ ​e​t​ ​a​l​.​,​ ​2​0​0​3). Therefore, the IAors’ compliance with ethical standards and requirements is influenced by the organizational culture and ethical climate, and the IAors can only conduct their work effectively if their respective organization’s culture supports their role (P​r​i​v​i​t​e​l​l​i​,​ ​2​0​0​7). Similarly, F​r​e​d​e​r​i​c​k​ ​&​ ​P​r​e​s​t​o​n​ ​(​1​9​9​0​) contend that the Code alone is insufficient to ensure compliance and must be complemented by a strong corporate and ethical culture that upholds it and addresses any non-compliance issues.

A close and direct collaboration between the Audit Committee (AC) and the Internal Audit Unit (IAU) can reduce information gaps between shareholders and executive boards, resulting in an overall improvement in the governance structure (Z​a​m​a​n​ ​&​ ​S​a​r​e​n​s​,​ ​2​0​1​3).

The AC plays a vital role in promoting the IAors’ role and is responsible for evaluating whether the IAU adheres to the Code and IIA Standards (I​I​A​,​ ​2​0​1​3), among other duties. In fact, according to J​a​m​e​s​o​n​ ​(​2​0​1​1​), for the IAor to work freely and without any fear of retribution due to presenting critical findings, support from the AC is essential, and this cooperation improves the overall IAU effectiveness (G​r​i​m​a​ ​e​t​ ​a​l​.​,​ ​2​0​2​3). Additionally, an effective AC allows for a more unbiased evaluation of how closely IAors follow the International Professional Practices Framework (IPPF). Therefore, the existence of an effective AC is linked to the adoption of the International Standards for the Professional Practice of Internal Auditing (ISPPIA) (A​l​z​e​b​a​n​,​ ​2​0​1​5; I​I​A​,​ ​2​0​0​8).

IAors are consistently faced with conflicts and ethical issues, and a lack of knowledge and experience can hinder their ability to report unethical conduct, exacerbating the challenges in resolving ethical dilemmas (B​r​i​n​c​a​u​,​ ​2​0​1​0). Similarly, F​r​a​s​e​r​ ​&​ ​L​i​n​d​s​a​y​ ​(​2​0​0​7​) contend that the IAU requires personnel who possess experience in the categories of risks they audit. On the other hand, according to B​r​i​f​f​a​ ​(​2​0​1​6​)'s research, although experience aids IAors in knowing how to be independent, it can also compromise independence if the IAor has been serving the organization for an extended period.

The IAors’ competence is crucial for an effective IAU (T​ü​r​e​t​k​e​n​ ​e​t​ ​a​l​.​,​ ​2​0​1​9) and is another factor that can impinge on the IAors’ ethical judgment (B​r​i​n​c​a​u​,​ ​2​0​1​0). IAors must only perform those services for which they have the knowledge and skills required; otherwise, they will be unethical (V​a​n​a​s​c​o​,​ ​1​9​9​4).

Apart from formal education, specialized training is also necessary for auditors (F​i​r​t​h​,​ ​1​9​9​0). Training plays a crucial role in helping IAors recognize and steer clear of potential threats to independence (P​e​r​e​z​-​L​ó​p​e​z​,​ ​2​0​1​3). In fact, the I​I​A​ ​(​2​0​1​9​) encourages ongoing professional development to enhance the auditors’ abilities and prepare them to handle increasingly complicated audit activities. However, participants in B​e​z​z​i​n​a​ ​(​2​0​1​1​)’s research asserted that the training in internal auditing offered by professional bodies in Malta was insufficient.

Being morally and ethically competent should be viewed as one important attribute that accounting and auditing professionals need to possess, and this can be attained through increased ethics education (J​a​c​k​l​i​n​g​ ​e​t​ ​a​l​.​,​ ​2​0​0​7). Indeed,

“Ethical behavior does not come by chance but by ensuring that all the factors influencing the IAors ethical behavior, no matter how small or insignificant, are in place and effective” (B​r​i​n​c​a​u​,​ ​2​0​1​0).

Due to their embeddedness within organizations, IAors are particularly vulnerable to being influenced by more influential and powerful managers within the organization (E​v​e​r​e​t​t​ ​&​ ​T​r​e​m​b​l​a​y​,​ ​2​0​1​4). IAors’ responsibilities extend beyond being a mere "watchdog" for the board and now encompass serving shareholders and other external stakeholders (A​b​b​o​t​t​ ​e​t​ ​a​l​.​,​ ​2​0​1​0; A​b​b​o​t​t​ ​&​ ​P​a​r​k​e​r​,​ ​2​0​0​0). Because of this, IAors may frequently encounter conflicts of interest when management conduct or objectives are inconsistent with those set by the profession.

The following are some of the ethical dilemmas and threats that may pose challenges for IAors in adhering to the Code.

When IAors uncover misconduct, they confront the dilemma of whether to disclose it to the appropriate authorities within or outside the company (B​r​i​n​c​a​u​,​ ​2​0​1​0). This can be a difficult decision, especially if they are under pressure to misrepresent the truth (A​c​c​o​u​n​t​a​n​c​y​ ​B​o​a​r​d​,​ ​2​0​0​9). Additionally, auditors may experience pressure from managers to modify conclusions to accommodate client preferences (E​s​p​i​n​o​s​a​-​P​i​k​e​ ​&​ ​B​a​r​r​a​i​n​k​u​a​,​ ​2​0​1​6).

According to Z​i​e​g​e​n​f​u​s​s​ ​&​ ​S​i​n​g​h​a​p​a​k​d​i​ ​(​1​9​9​4​), Eaors (external auditors) are more likely to act when they identify wrongdoings when compared to IAors. Although it may not be easy to blow the whistle, if a crime is not reported, the individual becomes an accomplice (C​u​t​a​j​a​r​ ​G​h​i​g​o​,​ ​2​0​0​8).

One of the most important duties of an IAor is to perform an independent and objective assurance activity to provide value to those charged with governance (E​u​l​e​r​i​c​h​ ​e​t​ ​a​l​.​,​ ​2​0​1​7). Since they form part of the organization, the issue of being able to work independently has been a persistent obstacle for IAors and their field (A​h​m​a​d​ ​&​ ​T​a​y​l​o​r​,​ ​2​0​0​9). In-house IAors frequently establish personal relationships with their colleagues as a result of working closely on a daily basis (V​a​n​a​s​c​o​,​ ​1​9​9​4). According to B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s findings, these dilemmas give rise to familiarity threats, as it may be challenging for IAors to keep their distance from colleagues. In this respect, outsourced IAors tend to be more impartial owing to less familiarity with the client (D​e​l​l​a​i​ ​&​ ​O​m​r​i​,​ ​2​0​1​6).

In order to properly conduct their work, IAors require unrestricted access to information, but in turn, they are bound by the principle of confidentiality. This principle contradicts the concept of a collective culture that encourages individuals to alert their relatives and acquaintances to any pertinent matter (B​r​i​n​c​a​u​,​ ​2​0​1​0). As per the I​I​A​ ​(​2​0​2​1​), business data is confidential and must not be shared or utilized by external parties, except when there is a legal or professional obligation to do so.

Based on research by B​a​r​a​c​ ​&​ ​M​o​t​u​b​a​t​s​e​ ​(​2​0​0​9​) and B​r​i​f​f​a​ ​(​2​0​1​6​), outsourcing the IAU can increase the risk of confidentiality breaches, which is a potential disadvantage despite the numerous benefits of outsourcing. Similarly, B​r​i​n​c​a​u​ ​(​2​0​1​0​)'s study found that respondents were opposed to outsourcing due to concerns about maintaining confidentiality.

The IAor's scope of responsibilities has been broadened to encompass consulting services (R​a​m​a​m​o​o​r​t​i​,​ ​2​0​0​3). In fact, according to the I​I​A​ ​(​2​0​2​2​), the IA is “an independent, objective assurance and consulting activity.”

As the demand for consulting services provided by IAors is on the rise, there is a risk that their independence could be compromised unless appropriate measures are implemented (B​r​i​f​f​a​,​ ​2​0​1​6). The I​I​A​ ​(​2​0​2​3​) simply states that for the provision of consulting services, it is essential for the IAor to uphold objectivity and avoid assuming management responsibility. Additionally, Standard 1000.C1 mandates that the IA charter must outline the consulting services that IAors can offer and the situations in which they can provide them.

To maintain the trust of management, the AC, and other stakeholders, IAors must behave and be perceived to behave in an independent and impartial manner. Accepting gifts or hospitality can create the perception of impropriety, compromise an IAor’s integrity (I​I​A​,​ ​2​0​2​3), and impair their professional judgement (V​a​n​a​s​c​o​,​ ​1​9​9​4). According to B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s research and the I​I​A​ ​(​2​0​2​3​), minor gifts without any malicious intent can generally be accepted, but anything exceeding a certain threshold should either be declined or approved by the AC.

IAors may encounter the following threats, which can compromise their objectivity and independence (A​c​c​o​u​n​t​a​n​c​y​ ​B​o​a​r​d​,​ ​2​0​0​9).

This occurs when the IAor develops a close relationship with the auditee, leading to a lack of impartiality in their work. In-house IAors are particularly vulnerable to this risk, as it can be difficult to separate the IAor from their co-workers (B​r​i​n​c​a​u​,​ ​2​0​1​0). To address this issue, it is recommended to rotate IAors periodically across different assignments (V​a​n​a​s​c​o​,​ ​1​9​9​4), thereby helping to preserve their professional skepticism and objectivity.

This includes real or perceived risks to the IAor's career that might potentially result in termination. Recent findings by I​l​e​m​o​n​a​ ​&​ ​N​w​i​t​e​ ​(​2​0​2​1​) reveal that intimidation threats are the most severe of all threats to auditors' adherence to ethical standards. Similarly, in B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s study, intimidation was also deemed significant by IAors in Malta.

This arises when the IAor has a personal interest in the area being audited. This can be significant for IAors since their job security and remuneration depend on their employer (B​r​i​n​c​a​u​,​ ​2​0​1​0).

This threat emerges when the IAor supports his or her employer in situations like legal proceedings or while promoting business stock.

This threat arises when the IAor is hired from another function within the company. According to IIA Implementation Standard 1130, IAors cannot perform IA work on areas on which they had provided consultancy or occupied an operational role within the previous year (I​I​A​,​ ​2​0​1​6).

Due to the multiple conflicts of interest faced by IAors, the IIA established its Code and Standards, which IAors are expected to uphold in their work, to assist them in identifying and managing ethical issues (D​i​c​k​i​n​s​ ​&​ ​C​h​r​i​s​t​i​a​n​,​ ​2​0​1​1). Given that the IA profession relies on the public's trust in its unbiased assurance of governance, risk management, and control, a code is both required and suitable in the profession of IA (I​I​A​,​ ​2​0​2​2). The Code has four important principles, which are: integrity, objectivity, confidentiality and competence.

The trustworthiness of IAors is established through their integrity, which forms the foundation for relying on their judgment (I​I​A​,​ ​2​0​1​9). Therefore, integrity is a fundamental trait that IAors should embody, as it results in the fulfillment of other principles in the Code (B​r​i​n​c​a​u​,​ ​2​0​1​0).

The Code stipulates that IAors must approach their tasks with honesty, diligence, responsibility, and a commitment to ethical conduct, even when it is uncomfortable or demanding to do so (I​I​A​,​ ​2​0​1​9). They must also make the required disclosures under both the law and their profession and refrain from participating in activities that are unlawful or bring discredit to the profession or the organization (D​i​c​k​i​n​s​ ​&​ ​C​h​r​i​s​t​i​a​n​,​ ​2​0​1​1). Nonetheless, integrity is primarily a personal characteristic that can be challenging to enforce or assess (I​I​A​,​ ​2​0​1​9). Just because certain behaviors are not explicitly prohibited by law does not make them acceptable (T​r​e​v​i​n​o​ ​&​ ​N​e​l​s​o​n​,​ ​2​0​0​4).

IAors must provide the greatest degree of objectivity and independence to management and the authorities (R​o​u​s​s​y​ ​&​ ​R​o​d​r​i​g​u​e​,​ ​2​0​1​6), and they must never consider their own interests while obtaining, analyzing, and communicating information about the activity or process being evaluated. This involves avoiding involvement in any activity that could compromise or appear to compromise their objectivity or lead to a conflict with the interests of the IAor or the organization. The Code further states that in the event of any impairment to objectivity or independence, the IAor must reveal all relevant information they are aware of that, if withheld, could skew the reporting of the activities under evaluation (I​I​A​,​ ​2​0​1​9).

IAors are required to respect the ownership and value of the information they receive during their work, and unless there is a legal or professional responsibility, they are not permitted to reveal any information or knowledge without proper authorization. Additionally, they must exercise caution in handling and safeguarding information gathered during the course of their responsibilities and refrain from exploiting information for personal benefit or in a manner that violates the law or undermines the legitimate and ethical objectives of the organization (I​I​A​,​ ​2​0​1​9).

IAors are obliged to use the knowledge, skills, and competencies necessary to carry out their IA duties and must execute their responsibilities in accordance with the ISPPIA. To maintain their ethical standards, IAors must also restrict their involvement to services for which they possess the necessary qualifications and expertise (I​I​A​,​ ​2​0​1​9). Additionally, expertise is crucial, as it enables IAors to confidently engage in discussions with management and other knowledgeable individuals without feeling intimidated (B​r​i​f​f​a​,​ ​2​0​1​6). In fact, the effectiveness of the AC is also contingent upon the presence of a competent IAF (F​e​n​e​c​h​,​ ​2​0​1​4).

Adhering to the principles of the Code would be the best approach to dealing with conflicts of interest. This is because failure to uphold objectivity and independence are the major concerns that have the most influence on ethical behavior at the workplace (J​a​c​k​l​i​n​g​ ​e​t​ ​a​l​.​,​ ​2​0​0​7).

On a small island like Malta, remaining objective can be challenging for IAors due to familiarity. Such challenges can be minimized through the rotation of duties; however, this may not always be possible due to a lack of personnel or the preference for specialization to achieve greater efficiency (B​r​i​n​c​a​u​,​ ​2​0​1​0). Similarly, A​t​t​a​r​d​ ​(​2​0​1​4​) contends that Maltese IAUs are not always adequately staffed, and this makes it challenging for IAFs to remain in line with IIA requirements.

According to the I​I​A​ ​(​2​0​1​9​), the IAU needs capable and well-informed personnel to guarantee that their advisory and assurance tasks are carried out according to the organization's expectations and in adherence with recognized principles and standards. This entails carefully assessing whether outsourcing is necessary (I​I​A​,​ ​2​0​1​9). According to V​a​l​e​n​t​i​n​o​ ​(​2​0​0​2​), the IAU often has very few human resources, and to maintain independence, this may prove to limit the IAors’ capabilities and intended audit coverage. Additionally, Performance Standard 2230 stipulates that for the IAU to function effectively, it must be equipped with sufficient and professional personnel (I​I​A​,​ ​2​0​1​9). Therefore, the AC should review the staffing and budgeting for the IAF (A​b​b​o​t​t​ ​e​t​ ​a​l​.​,​ ​2​0​1​0), as this will have an overall positive impact on audit quality and ethical behavior. Employees that are exhausted, stressed out, and overworked might not be adequately attentive to identify wrongdoings or have enough time to perform their duties effectively (B​r​i​n​c​a​u​,​ ​2​0​1​0).

A well-defined and official Code of Ethics serves as a clear indication that unethical behavior will not be accepted and can encourage individuals to act ethically, particularly if they already have a predisposition in that direction (A​d​a​m​s​ ​e​t​ ​a​l​.​,​ ​2​0​0​1). The same study by A​d​a​m​s​ ​e​t​ ​a​l​.​ ​(​2​0​0​1​) revealed that companies with a code in place were better equipped to handle ethical dilemmas and received greater support for ethical conduct.

In Maltese IAUs, the Code is mainly consulted when the IAors face a dilemma and when they need a reminder of the rules and principles. However, IAors do not perceive the Code as a ‘Bible’ but rather as a set of common-sense principles (B​r​i​n​c​a​u​,​ ​2​0​1​0). Similarly, E​v​e​r​e​t​t​ ​&​ ​T​r​e​m​b​l​a​y​ ​(​2​0​1​4​) contend that the Code simply provides a list of virtues that the IAor needs to possess. Typically, MLEs, who are subject to stricter rules, place more weight on the Code than government entities, which tend to react after a significant issue has been exposed (B​r​i​n​c​a​u​,​ ​2​0​1​0). Nevertheless, the existence of codes in public organizations has the potential to enhance public confidence in their operations (A​d​a​m​s​ ​e​t​ ​a​l​.​,​ ​2​0​0​1).

In a previous study by S​i​e​g​e​l​ ​e​t​ ​a​l​.​ ​(​1​9​9​3​), it was discovered that IAors were more inclined to view the profession's code as an ethical compass as they gained more experience. This finding was corroborated by a more recent study conducted by L​a​m​b​e​r​t​o​n​ ​e​t​ ​a​l​.​ ​(​2​0​0​5​), which revealed that 90% of the US managers surveyed believed that the Code plays a critical role in preventing unethical behavior. Contrastingly, P​a​t​e​r​ ​&​ ​v​a​n​ ​G​i​l​s​ ​(​2​0​0​3​)’s research found no relationship between the Code and ethical behavior.

B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s research suggests that one-person IAUs utilized the Code and standards when they were unable to confer with other IAors. When organizations were part of a group, they opted to seek guidance from foreign IAors rather than consulting with the Code.

For IIA members, breaches of the Code are evaluated and administered according to the IIA’s bylaws and processes of violation (I​I​A​,​ ​2​0​2​3). Nonetheless, enforcement of ethical behavior may be in contradiction with the values of professionalism, which hold that ethics are rooted in an individual’s character (B​a​r​r​a​i​n​k​u​a​ ​&​ ​E​s​p​i​n​o​s​a​-​P​i​k​e​,​ ​2​0​1​8). In fact, according to G​e​n​d​r​o​n​ ​e​t​ ​a​l​.​ ​(​2​0​0​6​), an auditor’s independence is primarily a moral-ethical position and not an object that can be controlled by codes and reviewed by inspections. Having said this, according to B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s research, Maltese IAors voluntarily seek guidance from the Code, but the fact that IA is not regulated in Malta can pose challenges in applying the respective principles in the Code.

The Code can result in less ethical ambiguity, but auditors themselves know that no code can be a “silver bullet” (P​r​e​s​t​o​n​ ​e​t​ ​a​l​.​,​ ​1​9​9​5) and that professional judgement is still required (P​o​n​e​m​o​n​ ​&​ ​G​a​b​h​a​r​t​,​ ​1​9​9​4). Similarly, B​r​i​n​c​a​u​ ​(​2​0​1​0​) states that merely having an IA Code is insufficient to guarantee ethical conduct.

The study employs a mixed research design, leveraging the strengths of both qualitative and quantitative approaches (S​a​u​n​d​e​r​s​ ​&​ ​L​e​w​i​s​,​ ​2​0​1​8). This approach was deemed optimal for the study's objectives. Specifically, the chosen research tool, a semi-structured interview, incorporates a combination of open-ended and closed-ended questions to comprehensively address the research aims.

The interview schedule is made up of a pre-established set of questions, but probing was used where necessary to ensure adequate coverage of the material in accordance with the research objectives (H​a​r​r​e​l​l​ ​&​ ​B​r​a​d​l​e​y​,​ ​2​0​0​9). Additionally, when the interviewer felt that a topic or question was not applicable to certain participants, they left it out or asked additional questions (S​a​u​n​d​e​r​s​ ​&​ ​L​e​w​i​s​,​ ​2​0​1​8). Consequently, discussion was encouraged, allowing the researcher to gather information on certain sensitive issues. Additionally, since all representatives were questioned in the same way, the information collected could be compared and statistically evaluated (M​c​I​n​t​o​s​h​ ​&​ ​M​o​r​s​e​,​ ​2​0​1​5). Secondary data in line with the research objectives was collected from numerous sources, such as peer-reviewed journals, books, and articles. This same information helped with developing the interview schedule, on which a pilot test was performed to determine the viability of the schedule. This helped in identifying any potential practical challenges and amending the questions as necessary.

The interview agenda for this research was developed specifically for this study and for Maltese IAors (representatives) of MLEs (MLEreps), government entities (Govtreps), and Maltese entities providing IA services to other organizations (Outreps). The interview schedule was divided into three main sections, with each section covering one of the study’s research objectives, and was made up of both open-ended and closed-ended questions.

We used a five-point Likert scale for the close-ended questions, with ‘1’ being strongly disagree/very rarely and ‘5’ being strongly agree/very often.

Section A of the questionnaire related to possible factors impacting the internal auditors’ ethical behavior, to which the respondents had to answer three questions and the possible answers using a five-point Likert scale, with ‘1’ being strongly disagree and ‘5’ being strongly agree. The first question related to the reasons why internal auditors behaved ethically, and the respondents had to rate their level of agreement with four possible answers: (a) it is the right thing; (b) it is required by the organization; (c) it is required by the Code of Ethics and standards; and (d) they will be sanctioned. The second question related to how the internal auditors’ ethical behavior is influenced. The respondents had to rate their level of agreement with six possible answers: (a) personality and character; (b) organizational culture; (c) audit committee effectiveness; (d) experience; (e) education and qualifications; and (f) ethical training provided by the organization. The third question related to how the Code of Ethics helps in shaping the character of the internal auditor to behave ethically. To do this, the respondents had to rate their level of agreement.

Section B of the questionnaire related to the internal auditors’ awareness of ethical dilemmas and threats and their ethical requirements in adhering to the Code of Ethics. To do this, the respondents had to answer five questions and the possible answers using a five-point Likert scale, with ‘1’ being very rare and ‘5’ being very often. The first question related to whether the Code of Ethics helps in shaping the character of the internal auditor to behave ethically. The second question related to how often they encounter ethical issues at their place of work. The third question is related to the types of ethical dilemmas you encounter. For the latter, the respondents had to rate their level of agreement with seven possible answers, namely: (a) Reporting ethical issues (b) Auditing departments or organizations in which the internal auditor was involved; (c) Auditing own colleagues; (d) Confidentiality of Information; (e) Involvement in Consultancy; (f) Possible conflict of interest; and (g) Accepting gifts. The fourth question related to the five major threats that may compromise an internal auditor’s independence. To this end, the respondents had to rate their level of agreement on five possible answers: (a) familiarity threat, (b) intimidation threat, (c) self-interest threat, (d) advocacy threat, and (e) self-review threat. The fifth question related to whether the Code of Ethics serves as a guide for knowing what to do in specific ethical dilemmas. The sixth question related to whether the principles guide you the most in your work. To do this, the respondents had to rate their level of agreement on four possible answers: (a) integrity, (b) objectivity, (c) confidentiality, and (d) competency. The seventh question dealt with conflict of interest. We asked whether the internal auditor is allowed to audit a department where there is a conflict of interest. We also asked whether the internal audit team performed any type of rotation and whether there was a time barrier for an internal auditor to carry out an audit somewhere where he or she had once been employed. These were open-ended questions.

Section C of the questionnaire related to the internal auditors’ consultation with the Code of Ethics. The first question related to the main purpose of the Code of Ethics. To this end, the respondents had to answer five questions and the possible answers using a five-point Likert scale, with ‘1’ being to provide guidance in circumstances requiring judgment and ‘2’ being to enhance the public’s perceptions of the internal auditor.

‘3’ being to serve as a reminder of the ideal ethical behavior and ‘4’ Other. The second and third questions relate to whether they follow the IIA Code of Ethics and whether they refer to the IIA Code of Ethics in your reports, respectively. To this, respondents had to answer ‘yes’ or ‘no’. They were also asked whether they followed any other code.

In the last section, we asked eight open-ended questions: (a) How often do you find yourself consulting with the Code of Ethics? (b) Have you ever been specifically trained on tackling ethical issues? (c) Does the training refer to the Code of Ethics? (d) Do you think that the Code of Ethics gives clear guidelines? (e) Is there a way to sanction employees for not abiding by the Code of Ethics? (f) Which ethical standards in the IIA Code of Ethics are most challenging to implement in Malta? (g) Is it beneficial to modify and adopt Malta's version of the Institute of Internal Auditor Code of Ethics? (h) Should internal auditors in Malta agree to a basic code?

A significant step in the study is to identify the appropriate sample from the target population. The target population, in accordance with the objectives of this research study, were Maltese IAors working either in MLEs, government entities, or in a Maltese entity providing IA services. The Official List of MLEs was obtained from the Malta Stock Exchange (MSE) website as of October 30, 2022, in order to determine all the MLEs listed on the M​S​E​ ​(​2​0​2​2​). For government entities, a list was obtained from the government website as of the same date. For outsourced IAors, an online search was conducted on company websites. However, it was noted that many MLEs and government entities did not have their own IAU.

In total, 22 interviews were conducted. Nine interviews were conducted with their respective MLEreps; a further five interviews were conducted with their respective Govtreps; and a further eight interviews were conducted with Outreps. Research participants were determined to be chief or senior IAors in the respective entities. All entities were of different sizes, and many of them operate in diverse sectors of the economy.

For optimal data utilization, transcripts were prepared after each interview, capturing key points for streamlined evaluation and interpretation.

Open-ended questions were the primary means of collecting qualitative data, which also included follow-up questions and other respondent comments on their response to the Likert scale and dichotomous questions. In order to facilitate spotting similarities and disparities in their answers, the transcripts of respondent replies and comments were summarized using the thematic approach (B​r​a​u​n​ ​&​ ​C​l​a​r​k​e​,​ ​2​0​0​6). Additionally, the analysis of the interviewees’ additional remarks, following the responses to the Likert scale questions, was mainly focused on the most significant aspects.

Close-ended questions served as the basis for the quantitative data. The Friedman Test was used to compare the mean rating scores to the Likert scale questions and to determine whether these scores differ significantly or not. The Kruskal-Wallis test was used to compare the mean rating scores among the groups of respondents clustered by entity and to determine whether such mean rating scores differ significantly or otherwise among the groups. The Chi-Squared Test was utilized to investigate the association between two categorical variables, the first being the condition and the other being the entity group.

The study was limited by the fact that many MLEs and government entities did not have their own in-house IAU. Another limitation was that social desirability bias in the responses was inevitable. Additionally, slight discrepancies were noted between the ratings given to some of the Likert scale questions and the corresponding comments.

IAors engage in ethical behavior primarily because it is the right thing to do (x̅=4.95). Few respondents (5/22) emphasized that IAors being and doing what was “morally correct” came primarily from within the IAors themselves. However, as stated by one respondent, a Code and standards in place must be given importance because,

“Unless an organization requires such a framework, it is very telling on what type of organization you are working for.”

Sanctioning was the least agreed-upon reason among IAors. It was noted that sanctioning in this industry was not harsh enough for certain scandals and misconduct that occurred, and the law must be tightened in this regard. Nonetheless, most respondents (12/22) stated that even if there were proper sanctions, it would still not be the reason why they behaved ethically.

The second question asked respondents to indicate their agreement with five possible influences on the IAors’ ethical behavior. The Friedman test indicates that the distribution of scores differed significantly from each other (p<0.001).

Personality and character: Ethical behavior was perceived as being mostly influenced by personality and character (x̅=4.95). Specifically, a few respondents (2/5 Govtreps, 2/8 Outreps) added that this influence would remain the main determinant of ethical behavior even if IAors were provided with equivalent levels of education and training. The argument put forth was that individuals’ personal values cannot be disregarded in this line of work.

Experience: Experience was an influence to which respondents gave second preference (x̅=4.45). In line with B​r​i​n​c​a​u​ ​(​2​0​1​0​), two respondents (1/5 Govtreps, 1/8 Outreps) added that experience was indeed influential, particularly in cases of conflict of interest and dilemmas.

Organizational culture: As regards this influence (x̅=4.14), a few respondents (1/9 MLEreps, 3/8 Outreps) added that the organizational culture must be similar to and in line with the IAors’ own beliefs and values. In line with J​o​n​e​s​ ​e​t​ ​a​l​.​ ​(​2​0​0​3​), it was noted that if the organization was not ethically cautious, it could easily erode and influence the decisions of an ethically correct IAor. Contrastingly, few respondents (3/8 outreps) added that their character and actions would remain unchanged even if the tone at the top was not right.

AC effectiveness: AC effectiveness was another influence that IAors perceived as having an impact on their ethical behavior (x̅=4.05). In line with Z​a​m​a​n​ ​&​ ​S​a​r​e​n​s​ ​(​2​0​1​3​), some respondents (3/9 MLEreps, 1/5 Govtrep) added that the AC is the primary independent body that can assist and support the IAor, thereby impacting the level of effectiveness of the IAor himself. However, as noted by two respondents (2/5 Govtreps), the AC was sometimes unavailable or not knowledgeable enough on the Code and ISPPIA.

Education and qualifications: Some respondents (1/9 MLEreps, 2/5 Govtreps) added that IAors could still provide a significant contribution to the IAF without having professional qualifications. Therefore, education and qualifications (x̅=3.77) were perceived as a supplement and an extension to the IAors’ experience and not the main deciding factor over ethical behavior. Nonetheless, one Outrep added that membership in professional institutions such as the MIA and IIA provided certain guidelines on how individuals should act as part of an organization, as well as improved their ability to review and ask pertinent questions.

Ethical training: Some representatives (3/9 MLEreps, 2/5 Govtreps) emphasized that ethical training was almost never provided to IAors and, in contrast to P​e​r​e​z​-​L​ó​p​e​z​ ​(​2​0​1​3​), held that it was not considered crucial towards preserving ethical behavior (x̅=3.59). Another two representatives (2/8 Outreps) stated that many times, training was “nothing new” and was merely provided as part of a list that needed to be completed. Only two respondents (1/5 Govtrep and 1/9 MLErep) asserted that they frequently attended ethical training provided by professional bodies like the MIA and IIA, stating that more emphasis has been placed on ethical matters in recent years.

When asked whether the Code helped shape the character of the IAor to behave ethically, MLEreps and Outreps were neutral, whereas Govtreps marginally agreed to the question. Yet, no significant differences were revealed between the three groups (χ2(4)=0.120, p=0.942).

Some respondents (4/9 MLEreps, 5/8 Outreps) added that the character had to do with personal upbringing, and therefore, it was shaped long before they encountered the Code. One MLErep added that the IAors character cannot be changed by the Code as “the core of being ethical at work and in your personal life is based on personal values." Therefore, if the IAors themselves were not intrinsically guided by proper values, this would pose challenges in applying the principles in the Code on a daily basis.

Other respondents (3/5 Govtreps) added that the Code plays an important role in ethical behavior as it establishes what is expected from the IAor and individuals who do not possess such principles as their character traits should not be part of the IA profession. This outlines the importance of IAors not solely relying on a deontological interpretation of the Code, which prioritizes formal rules to guide behavior. Instead, in line with Aristotle’s virtue ethics theory, the Code should be viewed as a means for IAors to become more virtuous.

With respect to the frequency with which they encountered ethical issues at work, a statistically significant difference was found between the type of entity (χ2(2)=10.531, p=0.005) and the frequency of ethical issues encountered.

Few Govtreps (3/5 Govtreps) added that despite IAors being independent of management, in a government entity, it all depended on the type of people forming part of management. It was noted that Govtreps frequently encountered limitations of scope and contended that certain business areas had the tendency to use the IAor to advance their own agenda by maintaining a good rapport as long as the IAor reported only what they preferred to be disclosed. Managers frequently blamed their poor decision-making on a lack of people and resources. When this issue occurred, the IAors’ counterargument was that such an issue should have been raised prior to the commencement of the audit.

Contrastingly, most Outreps (6/8) added that working outside of the clients’ organization created fewer dilemmas. Additionally, before the commencement of any audit, risk management and independence checks were performed to lower the probability of encountering ethical issues. Clients were unlikely to approach the IAor for involvement in unethical matters, as they were aware that the organization was guided by strong ethical values. However, two Outreps (2/8) added that there were times when IAors faced pressure to withhold certain information or “turn a blind eye.”

Most MLEreps (6/9) agreed that they rarely encountered ethical dilemmas, even though they worked within the organization. This was due to abiding by listing rules, supplementing policies and procedures, and having safeguards in place.

Some respondents (2/9 MLEreps, 2/5 Govtreps, 2/8 Outreps) emphasized that the outcome of a dilemma depended on the IAor himself. However, experience, organizational culture, policies in place, and the level of support from the AC all played an important role in handling dilemmas effectively.

Respondents experience ethical dilemmas

The biggest dilemma for MLEreps (x̅=4.22) and for Govtreps (x̅=4.20) was that of auditing their own colleagues, whereas confidentiality of information was the biggest dilemma for Outreps (x̅=3.88).

(i) Confidentiality of information - With respect to this dilemma, the highest mean score was that for Outreps (x̅=3.88), followed by Govtreps (x̅=3.80) and MLEreps (x̅=3.78).

It was contended (5/8 outreps) that having unrestricted access to information was part of the job of the IAor, but in turn, this created potential divulgence of sensitive information without consent. Another Outrep added that sometimes certain junior members “disclose certain information unintentionally, without knowing that they are in breach of the Code.”

It was also contended (2/5 Govtreps) that individuals with the tendency to disclose confidential information were unsuitable for the position of an IAor. Nevertheless, IAors were required to report information to the AC. If an employee reported unethical behavior and this proved to be true, the IAor still had to inform the AC and, if need be, the authorities. This created a dilemma for IAors as it was usually challenging to strike a balance between maintaining confidentiality and disclosing information to the relevant parties.

(ii) Involvement in consultancy - MLEreps (x̅=3.89) and Govtreps (x̅=3.60) agreed to encountering this dilemma whereas Outreps (x̅=3.38) were neutral.

The small difference in the mean scores was due to the fact that Outreps were commonly part of larger IAUs, which facilitated having two distinct groups for IA and consultancy services. Additionally, one Outrep stated that to avoid self-reviewing, IAors reported to different partners depending on whether the work was of an IA nature or advisory.

Two Govtreps, stated that this dilemma should be looked at from a different perspective, as traditional auditing and consulting were part and parcel. This was because, in both cases, the IAor provided a recommendation and followed up on it. The difference was that consulting tended to be more value-adding as it was proactive rather than reactive. Therefore, in line with the I​I​A​ ​(​2​0​2​3​), IAors could take on a consulting role, provided that they did not assume a managerial position.

Most MLEreps (6/9) also contended that consulting was part of the IAors’ role in providing value and assisting others. Nonetheless, a few MLEreps (3/9) also added that, in order to remain independent, they made a disclaimer that any recommendations were part of consultancy projects and that the IAors reserved the right to audit. Therefore, there was a limit on the extent of their involvement in new processes and systems, as the line between consultancy and IA work was hard to establish.

(iii) Auditing own colleagues - Outreps disagreed with encountering such a dilemma. However, the mean rating scores for both MLEreps (x̅=4.22) and Govtreps (x̅=4.20) were high, implying that both types of entities agreed to encounter such a dilemma. The distribution of scores was statistically significantly different between the three groups (χ2(2)=15.437, p<0.001).

Some representatives (4/9 MLEreps, 1/5 Govtreps) added that this is the greatest dilemma faced by in-house IAors, stating that it was uncomfortable to report on the employees they worked with on a daily basis. In line with A​h​m​a​d​ ​&​ ​T​a​y​l​o​r​ ​(​2​0​0​9​), one Govtrep added that when auditing familiar people, independence was hard to establish. IAors tended to be more lenient as,

“On one hand, the IAor must conduct his work professionally, and on the other hand, the IAor would not like to be isolated from colleagues.”

Another Govtrep stated that the IAF worked closely with the legal function for the provision of consultancy services. This tended to put the IAor in an ambiguous position when auditing the provision of legal advice. In such cases, certain employees were scoped out of the engagement, and criticisms were addressed towards the entity’s processes and systems and not towards specific employees.

(iv) Reporting ethical issues - Outreps were neutral on this issue (x̅=2.75) when compared to MLEreps (x̅=3.78) and Govtreps (x̅=3.60), who tended to agree.

A few Outreps added that they felt comfortable reporting as they found the required support within the organization. Contrastingly, similar to E​s​p​i​n​o​s​a​-​P​i​k​e​ ​&​ ​B​a​r​r​a​i​n​k​u​a​ ​(​2​0​1​6​), a few respondents (3/9 MLEreps, 2/5 Govtreps, and 1/8 Outreps) stated that when they pointed out red flags, managers often required changes in certain wording in the report to protect their own interests. This was even more so during governance audits, where IAors found it harder to report at that level.

Some respondents (4/22) contended that when discovering misconduct, such as a person going against the Code, or an illegality, they had the option to report through the Whistleblower Act. A few MLEreps (3/9) added that since last December, the new EU directive mandated all organizations with over 250 employees to implement a whistleblowing policy. This resulted in employees being more comfortable reporting, knowing that their interests would be safeguarded.

Two representatives (1/9 MLEreps, 1/5 Govt. Entity reps) added that once the IAor flagged any misconduct, the AC must use its powers to get the shareholders and managers in line. If the AC changed its course of action or did not enforce certain values and rules, simply because of the person being impacted by the truthful reporting, all the effort of the IAor would be worthless.

(v) Accepting a gift - MLEreps disagreed (x̅=2.33) with this dilemma, whereas Govtreps (x̅=2.80) and Outreps (x̅=2.75) were neutral.

This dilemma was one of the least encountered by IAors. However, in line with B​r​i​n​c​a​u​ ​(​2​0​1​0​) and the I​I​A​ ​(​2​0​2​3​), respondents added that this depended on the amount of the gift, its significance, and whether it was provided to just one person or to a group of people. Nonetheless, similar to V​a​n​a​s​c​o​ ​(​1​9​9​4​), a few respondents (2/22) added that gifts should be refused no matter how insignificant, as they could easily be perceived to impair objectivity and independence in appearance. One Govtrep added that if this was a frequently encountered dilemma, the IAU would need to establish a policy stating that all gifts must be sent to charity.

Respondents experience ethical threats

In line with B​r​i​n​c​a​u​ ​(​2​0​1​0​), familiarity was the biggest threat for MLEreps (x̅=3.89), Govtreps (x̅=3.80), and Outreps (x̅=3.88). Additionally, in line with I​l​e​m​o​n​a​ ​&​ ​N​w​i​t​e​ ​(​2​0​2​1​), Govtreps also highly agreed to encountering intimidation threats (x̅=3.80).

(i) Familiarity threat - All three groups mostly agreed to encountering a familiarity threat. Many respondents (9/22) noted that familiarity was a general problem for Malta due to the country’s relatively small size. Consequently, IAors, especially those working in-house, had to keep their distance even more so because the auditees were their own colleagues. Some Outreps (3/8) added that outsourcing still resulted in a familiarity threat when an organization remained a client for a consecutive number of years. Nonetheless, it was stated (4/22) that provided the IAF had enough skills and resources, such a threat could be mitigated by scoping out those individuals creating the threat and delegating the work to other competent individuals.

Few MLEreps (3/9) also added that employees within the organization knew the IAor as their own colleague, but this did not stop them from conducting their job professionally. As long as IAors’ kept themselves at arm’s length and focused on the transactions, processes, systems, and policies in place rather than people, independence issues due to familiarity were mitigated.

(ii) Self-review threat - MLEreps (x̅=3.56) were more likely to agree that self-review threats were encountered during their work when compared to their counterparts, who tended to be neutral.

Some MLEreps (3/9) added that their organization did not have a fully-fledged IAU. Additionally, some members were employed by other departments within the organization, resulting in greater self-review threats. It was stated that if IAFs were better equipped with skills and resources, it would facilitate observing the 4-eyes principle. One MLErep contended that due to huge revenue losses suffered during COVID-19, the aim of having an independent, fully-functioning IAU had to be postponed. Some Outreps (2/8) added that an element of self-review threat still existed when the IAF reviewed the work performed by other departments within the organization for the same client.

(iii) Intimidation threat - Govtreps (x̅=3.80) agreed that intimidation was a threat faced during their work. Outreps (x̅=2.50) were more likely to disagree, while MLEreps were neutral (x̅=3.11).

Some Govtreps (3/5) added that when misconduct was encountered, some managers deflected the argument by provoking the IAor and stating that to take such an issue further, the IAors would need to go to court. One MLErep added that she had no problem doing so, but this showcased a proper instance where the IAors were restricted from professionally conducting their work. Another limitation was that managers argued that presenting the IAor with certain detailed information resulted in a waste of time.

MLEreps (4/9) added that they mainly encountered indirect intimidation. For example, if the report being written had implications for higher authorities within the organization, the IAor would face pressure to choose less sensitive wording and not draw attention to bigger powers.

One Outrep added that fear was not always conducive to intimidation, as sometimes it was due to employees having a misguided perception of IAors, causing them to become defensive. In fact, some respondents (2/9 MLEreps, 2/5 Govtreps, and 2/8 Outreps) emphasized the importance of creating greater awareness of the IAor’s value-adding role, as due to this lack of knowledge, IAors might be seen as a threat.

“IAors must use their social skills to break these barriers for employees to be more cooperative.”

(iv) Self-interest threat - MLEreps (x̅=2.78) and Govtreps (x̅=2.60) were neutral, while Outreps (x̅=2.25) disagreed with self-interest threats.

As opposed to the findings of B​r​i​n​c​a​u​ ​(​2​0​1​0​), the self-interest threat was one of the least agreed to by IAors. A few respondents (3/9 MLEreps, 1/5 Govtreps) added that IAors must be careful not to be blinded by their own progression when making judgments, as this would threaten the important principles of objectivity and independence.

(v) Advocacy Threat - MLEreps were neutral (x̅=2.89), whereas Govtreps (x̅=2.20) and Outreps (x̅=2.25) disagreed with encountering such a threat.

One Outrep mentioned that risk management training helped in addressing this threat and prevented IAors from coming across as advocates for the client. Additionally, respondents (6/22) noted that while the IAF had opinions on certain matters, they were formed collectively by the IAU as a whole, preventing subjectivity and ensuring that no individual's perspective was prioritized over that of the majority.

MLEreps were neutral (x̅=3.44), Govtreps agreed (x̅=4.20), whereas Outreps marginally agreed (x̅=3.63) that the Code serves as a guide to know what to do in specific ethical dilemmas.

Some MLEreps (4/9) added that the Code was not specific and would never give an answer to practical life situations such as ‘IAors cannot audit someone they spent time with during the weekend’. Such issues were based on the IAors’ judgment and what they felt was right, which “comes from within” and not from any Code.

It was noted that for cases of dilemmas or misconduct that were not straightforward, consultation with the AC was the IAors’ immediate course of action and not reference to the Code. Few Outreps (3/8) added that despite knowing the impracticality of having a Code specifying exactly how to deal with every dilemma, they still believed that the Code could be enhanced to lower the possibility of IAors interpreting situations differently. In fact, one MLErep added that had the IIA Code been more in line with the Code for Warrant Holders, greater and better guidance would be given to IAors.

In line with B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s findings, the three entity groups strongly agreed that the principle of integrity guided them the most in their work (x̅ = 5.00). Govtreps and Outreps also strongly agreed to the principle of objectivity, while MLEreps tended to agree. All three entity groups also agreed to the principles of confidentiality and competency, with both principles having the lowest mean scores.

The general view was that integrity and objectivity provided the greatest guidance to IAors. These two principles served as a solid starting point, and if they were in place, IAors were less likely to act unethically. Few respondents (3/22) also added that ethical issues and temptations would always impinge on these two important principles, as they were the most volatile.

It was noted that integrity, objectivity, and confidentiality tend to be associated with one’s character, whereas competency could easily be learned with time and developed with experience. This is in line with the findings of B​r​i​n​c​a​u​ ​(​2​0​1​0​), where it was stated that personality must be present upon recruitment as competence, unlike an ethical character, could be developed over the years. Nonetheless, some representatives (3/22) added that the company’s whole policy manual should be based on these five ethical pillars, as failure in any one would result in huge repercussions.

Most respondents (7/9 MLEreps, 4/5 Govtreps, and 5/8 Outreps) stated they would still audit a department where there was a conflict of interest, provided that safeguards were in place. The most common safeguards were those of extensive reviewing, signing of conflict of interest declarations, and cooling-off periods, which ranged from a minimum of 12 months, as stipulated by the IIA requirements, to a maximum of three years, depending on the circumstances. This ensured that the IAor was not auditing the review period in which s/he worked for the client or department. However, a few respondents (3/22) still stated that if any risk of conflict of interest remained, the IAor should still not be involved in the engagement.

Nonetheless, such safeguards were not present in every IAF. A few MLEreps (3/9) stated that there are no provisions in the audit charter excluding the above scenarios from taking place, especially for a one-man IAU. It was stated that IAors would not feel comfortable reporting to a department where the IAor’s objectivity may be questioned, but very often they had no one to assign the job to internally, and outsourcing was not possible due to budget constraints. Therefore, they had to proceed with the engagement while being as strict as possible. Additionally, in line with V​a​l​e​n​t​i​n​o​ ​(​2​0​0​2​), some Govtreps contended that if the department was doing well, the IAor would end up limiting their audit coverage and refraining from auditing when there was a conflict of interest.

Only two respondents (2/9 MLEreps) stated that the safeguard depended on whether the relative or employee working within the other department occupied a decision-making role that was audit-sensitive. In such cases, the IAors would be completely scoped out of that engagement so as not to compromise their independence in mind and appearance.

Most respondents (6/9 MLEreps, 4/5 Govtreps, and 4/8 Outreps) contended that the IAFs did not perform rotation of duties. This was mainly because five IAUs were one-man IAUs, whereas further respondents stated that their IAU lacked skills and expertise. One Govtrep added that this resulted in the senior IAor performing the whole audit and doing follow-ups with no segregation of duties. Some respondents (5/9 MLEreps, 2/5 Govtreps) expressed the need for a well-established team of skilled IAors, allowing for improved quality of the deliverables as people came up with innovative and different ideas.

Contrastingly, less than half of the respondents (3/9 MLEreps, 1/5 Govtreps, and 4/8 Outreps) stated that they performed a rotation of duties. In line with V​a​n​a​s​c​o​ ​(​1​9​9​4​), some Outreps (4/8) stated that rotation of duties was an important safeguard to combat conflict of interest and familiarity, and it provided the added benefit of pooling the skills of the whole IAU, resulting in greater flexibility and opportunities to learn. Additionally, a few respondents (2/9 MLEreps, 1/5 Govtreps) expressed that although they performed rotation, specialization was preferred due to greater efficiency. It was noted that since this process resulted in greater familiarity threats, once in a while another IAor who was foreign to that area was sent to ask the “stupid questions” and to shake the status quo.

All Govtreps considered that the primary purpose of the Code was to provide guidance in circumstances requiring judgment. This same reason was provided by 66.7% MLEreps and 87.5% Outreps. The remaining MLEreps considered that the primary purpose was to enhance the public’s perception of the IAor whereas the remaining Outreps considered the Code to serve as a reminder of ideal ethical behavior.

One MLErep stated that:

“The Code and standards give the character to the IA profession. If they are treated simply as requirements and clauses, they will be considered as being strict and rigid. However, if the Code is incorporated into day-to-day activities, then it will start forming the character of the department and how it moves forward.”

Some Outreps (3/8) added that less experienced personnel might not always know how to handle a dilemma, and therefore, guidance from the Code becomes very important. As opposed to B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s findings, one Outrep also contended that the Code should not merely serve as a reminder of ethical behavior, as no IAor should need a reminder to behave ethically. It was stated that the Code elevated the IAors’ role by setting a higher standard of ethics for all IAors to follow.

The IIA Code, was voluntarily followed by the majority of respondents. Nonetheless, only a few (10/22) agreed to refer to the Code in their written reports. Govtreps (60.0%) and Outreps (50.0%) were more likely to refer to the Code than MLEreps (33.3%).

The respondents who referred to the Code mentioned that the Code and the International Standards for the Professional Practice of Internal Auditing (ISPPIA) must be referred to as they are the governing standards of the IA profession. The counterargument of those not referring to the Code was that the Code needed to be applied in the IAors’ work and not simply stated in the report. Additionally, there was never a requirement for IAors to refer to the Code, thereby assuming that it was not an essential feature of the report. One MLErep mentioned how she once made reference to the Code and was questioned on why the statement was included as part of the report.

Various respondents (11/22) added that the Code of Ethics for Warrant Holders as issued by the Accountancy Board provided greater detail, thereby being more useful in their work. It was stated that this Code, which is based on the International Ethics Standards Board for Accountants (IESBA), takes into consideration EU directives and regulations. One MLErep highlighted the significance of having a comprehensive code, particularly for MLEs that were subject to intense regulation, as “importance must always be given to the governance aspect.”

Other respondents (7/22) contended that their organization has its own code, which internalizes the principles and rules in the Code for Warrant Holders and the IIA. Nonetheless, such codes were not exclusive to the IAF. Only one MLErep added that the company code covered issues such as discrimination, bribery, corruption, and acceptance of gifts, which should be included in any Code. Several respondents (12/22) noted that all codes shared the same purpose of providing guidance, with one Govtrep adding that:

“What matters the most is the practical application of the fundamental principles in the Code.”

The three entity groups rarely, or very rarely, consult the Code. The main reason for this was that the IAors already knew the principles by heart and conducted themselves accordingly, especially those with lots of experience. One Govtrep added that “you don’t have to open the Bible regularly to know how to live properly," implying that the principles in the Code were automatically ingrained in the IAor and adhered to without needing to refer directly to the Code. Despite this, in line with A​d​a​m​s​ ​e​t​ ​a​l​.​ ​(​2​0​0​1​) and L​a​r​r​y​ ​&​ ​M​o​o​r​e​ ​(​2​0​0​8​), respondents (8/22) added that the Bible, i.e., the Code, must be present and documented for reference in cases of dilemmas and to clarify what is acceptable and what is not.

Govtreps (80.0%) and Outreps (87.5%) were more likely to be trained on tackling ethical issues than MLEreps (55.6%). Additionally, most respondents that were trained on tackling ethical issues (11/16) also contended that the training referred to the Code of Ethics. Nonetheless, respondents (5/22) added that the training did not involve any case studies and was usually not specifically targeted to IAors as it referred to the Code for Warrant Holders and not the IIA Code. Few Outreps (3/8) added that, in line with the recent IIA requirement, IAors were expected to conduct two of their Continuing Professional Education (CPE) credits in ethics. However, IAors had to attend such sessions independently, as such training was not required or provided by the organization.

Most respondents (19/22) stated that the principles in the Code were quite clear. However, some of them (10/22) added that the Code should be less generic by including more real-life scenarios, practical examples, and case studies, thereby providing more practical guidance on how to deal with particular challenges faced by IAors. One Outrep suggested that there should be Q&As where IAors would submit questions about specific situations and the institute would issue an official answer that could be referred to by anyone encountering similar dilemmas.

Contrastingly, some respondents (9/18) added that by looking at the Code, it was crystal clear that any unethical behavior should be reported and not supported. It was noted that codes were in themselves generic enough to apply to different industries and scenarios, and it was impossible to incorporate and provide an answer to every situation. One MLErep added that “integrity is integrity; no one can say otherwise.”

Few respondents (3/22) stated that the Code did not provide adequate guidelines as it was too short and to the point. Similar to B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s findings, respondents noted that the Code simply includes definitions, which respondents considered to be “common sense.” Moreover, the Code lacked detail as to what constitutes a compromise to these principles, and IAors had to keep abreast of additional papers issued by the IIA as the Code does not suffice.

A few respondents (5/22) added that the IAor himself must develop a level of discipline and maturity not to fall into traps. If a person had malicious intent, they would always find ways to bend the rules, no matter how detailed and relevant the Code is. One MLErep added that:

“For every scandal that happens, there is always someone who was unethical in their decisions, even though there were codes in place.”

The general view of most respondents (13/22) was that objectivity and independence remained challenging in Malta, even in Outreps, due to familiarity and living in a closed-knit community. This challenge was aggravated for MLEreps, where independence was harder to establish, fewer safeguards were in place, and IAors did not always have the option to withdraw from the engagement due to a lack of personnel. Some respondents (2/9 MLEreps, 2/5 Govtreps) added that IAors could easily be seen as acting against the company’s interests or trying to put someone in a bad light; however, “facts are facts” and the IAor’s work would be of no value if s/he lacked objectivity.

Few Outreps (3/8) also added that having multiple clients at once posed certain challenges to the principle of confidentiality. Additionally, a few MLEreps (2/9) expressed concerns about the principle of competency, citing the lack of certified IAors in Malta as a major challenge. This often led to the hiring of less competent individuals, resulting in lower-quality work. It was stated that:

“This heightened talent risk and lack of resources, results in the principle of competency being under threat and challenged.”

Few Govtreps (2/5) contended that integrity was also under threat for government institutions. It was noted that certain employees were given all the power and responsibility for all projects without any segregation of duties, thereby allowing for further mistakes and unethical behavior.

Only a few respondents contended that even with no code in place, the IAor would not feel comfortable with certain situations, such as auditing one’s spouse. Therefore, although the standards provided requirements, it felt logical for these standards to be present for the IAors to work comfortably.

Provided that there is currently no IIA requirement in Malta, all respondents agreed that Maltese IAUs should adopt the Code, which should become part of a Maltese regulatory framework. Most respondents (18/22) added that despite Maltese IAors facing greater threats and dilemmas due to Malta’s size and culture, the principles should be standardized across the globe, and any additional local requirements addressing local challenges should be further mandated on Maltese IAUs.

Two MLEreps added that, in their view, having a requirement for minimum personnel forming part of the IAU could reduce certain dilemmas, but this depended on the level of financing available. Contrastingly, another MLErep added that the issue is not about coming up with specific requirements but rather how IAors should train their mindset to remain objective:

“One million codes can be written but it will still remain difficult to remove certain threats like familiarity in Malta.”

In line with T​r​e​v​i​n​o​ ​&​ ​N​e​l​s​o​n​ ​(​2​0​0​4​), the study ascertains that despite the Code and other ethical standards being in place, the IAors’ own character, resilience, and values are the most potent weapons against unethical conduct. In fact, IAors claimed that ethical behavior is primarily about doing the right thing because it is morally correct and not simply because it is required by the Code. Furthermore, in line with B​r​i​n​c​a​u​ ​(​2​0​1​0​), IAors rated integrity as the foremost guiding principle in their profession, as it cultivates honesty, fairness, and objectivity. This in turn ensures the fulfillment of the other principles in the Code. The findings indicate that MLEreps, unlike their counterparts, do not agree that the Code serves as a valuable foundation for addressing ethical dilemmas. Nonetheless, as per P​o​n​e​m​o​n​ ​&​ ​G​a​b​h​a​r​t​ ​(​1​9​9​4​)'s perspective, it ultimately depends on the IAors' discretion and judgement rather than specific regulations.

Apart from the IAors’ own character and the Code, other factors such as organizational culture and AC effectiveness serve to protect and promote appropriate judgment, leading to ethical conduct. As argued by S​t​e​w​a​r​t​ ​&​ ​O​’​L​e​a​r​y​ ​(​2​0​0​7​), the findings similarly indicate that if management exhibits a negative attitude and mindset, maintaining ethical behavior will be exceedingly difficult for IAors. Nonetheless, a few Outreps added that the tone at the top is less influential on their ethical behavior, thereby implying that they find it less challenging to go against the organizational culture. Perhaps, as D​e​l​l​a​i​ ​&​ ​O​m​r​i​ ​(​2​0​1​6​) point out, this could be due to Outreps not being informed about the culture of the client organization.

Similarly, IAors stated that when dealing with complex ethical matters, it is necessary to seek guidance from the AC, along with referring to the Code. Therefore, in line with A​l​z​e​b​a​n​ ​(​2​0​1​5​), the presence of an effective and independent AC to which IAors can report will lead to greater adherence to the IA standards. Additionally, the findings of G​r​i​m​a​ ​e​t​ ​a​l​.​ ​(​2​0​2​3​) also indicate that cooperation on the part of the AC has a positive influence over IAU effectiveness. This suggests that it may be necessary for an AC with expertise in the Code and ISPPIA to be mandatory for all types of entities, not just MLEs. This will ensure greater assistance and support for IAors in addressing ethical dilemmas.

Should education and ethical training be a requirement for ethical behavior?

As opposed to F​i​r​t​h​ ​(​1​9​9​0​) and J​a​c​k​l​i​n​g​ ​e​t​ ​a​l​.​ ​(​2​0​0​7​), IAors agreed that qualifications and training in ethics are not so influential on ethical behavior. In fact, some respondents seem to imply that experience is preferred over qualifications and training. This aligns with Aristotle's concept of practical wisdom in his Nicomachean Ethics, where, in line with K​r​a​u​t​ ​(​2​0​2​2​), he asserts that practical wisdom, as opposed to theoretical reasoning, is gained through a culmination of experiences over time and leads one to adopt the right dispositions to act virtuously in any given situation rather than the mere application of rules.

The I​I​A​ ​(​2​0​1​9​), specifically Attribute Standard 1210, requires “IAors to possess the knowledge, skills, and other competencies” to effectively carry out their duties. Additionally, they are required to demonstrate a reasonable level of care and skill that is typical of a competent and prudent IAor. Nonetheless, the IIA merely encourages IAors to obtain certifications and qualifications and does not provide an explanation of what constitutes competence.

The fact that some IAors lack specific qualifications and the absence of legal requirements for such qualifications suggest that neither qualifications nor statutory provisions are essential to the IAors’ work. This goes against T​ü​r​e​t​k​e​n​ ​e​t​ ​a​l​.​ ​(​2​0​1​9​), who state that competency is crucial for an effective IAU. Furthermore, even though IAors claim that they have received ethical training, such training is not tailored exclusively for IAors. Instead, they primarily rely on the Code for warrant holders instead of referring to the IIA Code. This emphasizes the necessity of better communication and more targeted training that pertains specifically to IAors.

This raises the question of why Maltese IAors are not obliged to possess both formal qualifications and practical experience, which would likely promote their critical thinking and equip them better to effectively navigate ethical dilemmas. Additionally, if IAors lack experience, this could instead be compensated with more highly focused ethical training. Probably this would be the optimal way of ensuring that Maltese IAors are in line with the I​I​A​ ​(​2​0​1​9​), which advocates for continual professional development to strengthen the auditors’ abilities and equip them to tackle increasingly complex issues.

In line with E​v​e​r​e​t​t​ ​&​ ​T​r​e​m​b​l​a​y​ ​(​2​0​1​4​), the findings indicate that, owing to their integration within their organizations, in-house IAors are particularly vulnerable to authoritative and dominant managers therein. This appears to be particularly so in government entities, owing to political influence resulting in direct pressure on IAors. These threats have the potential to weaken adherence to core ethical values and undermine commitment to good governance. With regards to MLEreps, despite also being in-house IAors, the Listing Rules exercise greater pressure to avoid certain deficiencies, whereas Outreps face fewer conflicts owing to fewer independence issues.

Do in-house IAors face greater difficulties in maintaining their independence?

According to the ISPPIA, the IAors’ independence is a crucial criterion for an effective IAU. Nonetheless, in line with V​a​n​a​s​c​o​ ​(​1​9​9​4​), the findings indicate that in-house IAors often form personal connections with colleagues as a consequence of their working closely together on a daily basis, thereby increasing their risk of leniency when conducting internal reviews. For this reason, as argued by D​e​l​l​a​i​ ​&​ ​O​m​r​i​ ​(​2​0​1​6​), outsourced IAFs are typically more objective because they are not as acquainted with and familiar with the client.

Additionally, A​h​m​a​d​ ​&​ ​T​a​y​l​o​r​ ​(​2​0​0​9​) stated that IAors are required to uphold their independence from management and refrain from compromising their judgment in audit-related matters. Nevertheless, their consulting role necessitates working in partnership with management and providing support while also acknowledging the AC’s feedback. In fact, the findings indicate that for in-house IAors, the line between consultancy and IA work can be hard to establish. As argued by B​r​i​f​f​a​ ​(​2​0​1​6​), outsourced IAors may face fewer of these conflicts of interest. Therefore, it appears that outsourcing the IAF may provide an advantage in upholding the fundamental principle of independence.

Linked to this, the findings indicate that, both being in-house IAors, MLEreps and Govtreps face greater difficulties than Outreps in reporting ethical issues. This finding indicates that for in-house IAors, it may not be easy to follow Attribute Standard 1110, which mandates that IAors should be able to report without fear of retribution. However, under the new EU directive, IAors now have the option to report through the Whistleblower Act, which provides them with a more streamlined reporting option. Nevertheless, as per the I​I​A​ ​(​2​0​2​3​), it is crucial for IAors not to compromise their ability to perform other assurance functions while being involved in whistleblowing.

In line with the findings of B​a​r​a​c​ ​&​ ​M​o​t​u​b​a​t​s​e​ ​(​2​0​0​9​) and B​r​i​f​f​a​ ​(​2​0​1​6​), despite outsourcing offering many benefits, especially for companies with limited resources, it can result in the potential loss of confidential knowledge. In fact, the findings indicate that Outreps encounter mostly the dilemma of confidentiality of information, which is one of the principles found in the Code. Furthermore, it is common for outsourced IAUs to comprise a larger workforce, which consequently amplifies the risk of unauthorized disclosure of information. This risk is particularly elevated among junior staff members who may be unaware of breaching the Code. This can have serious implications for the organization’s reputation, competitive advantage, and legal compliance. This emphasizes the significance of implementing adequate policies and procedures, including contractual provisions, to minimize potential confidentiality risks. Nonetheless, even in-house IAors encounter this challenge as they are obliged to strike a delicate balance between preserving the confidentiality of information and disclosing it to the relevant parties within their own organization.

In line with B​r​i​n​c​a​u​ ​(​2​0​1​0​), the findings indicate that in IAUs composed of only one or a few IAors, it may become impossible to manage conflict of interest effectively and adhere to the principles outlined in the Code. This is due to the unavailability of proper cooling-off periods and challenges in implementing rotation of duties, thus resulting in an increased risk of self-review threats. It appears that certain in-house IAUs are merely established for the sake of stating that an IAor is present, when in reality, the IAU is not supplied with adequate financial resources to facilitate its effective functioning. This confirms A​t​t​a​r​d​ ​(​2​0​1​4​)’s statement that Maltese IAUs are still not adequately staffed. The situation reflects non-compliance with Performance Standard 2030, which stipulates that the CAE must ensure that the IAU has appropriate and sufficient resources.

A possible issue resulting from this is that the Code does not specify a minimum number of IAors that should be part of the IAU. To address this, it might be beneficial for the Code to suggest a suitable team of IAors rather than providing a fixed number. This would ensure that companies can determine their optimal number of IAors within the recommended range based on their size, complexity, and combination of knowledge, skills, and competences possessed by the IAU.

The findings indicate that Govtreps encounter greater dilemmas in their work due to certain pressures and insufficient resources. Yet, despite agreeing that the Code helps in managing ethical issues and referring to the Code more frequently in their reports, Govtreps still rarely consult with the Code. Moreover, MLEreps, who face greater dilemmas than Outreps, still refer to and consult with the Code less often than their counterparts. This contrasts with B​r​i​n​c​a​u​ ​(​2​0​1​0​)’s research, which indicates that MLEs, who are bound by more stringent regulations, give greater importance to the Code. Perhaps this shows the need for a proper regulatory framework where IAors are legally bound to follow the Code and the ISPPIA.

Interestingly, one questions how IAors, especially those who are company employees and face more significant ethical implications than EAors, do not have a proper framework to follow. This shows that IA in Malta has some progress to make before achieving recognition as a profession, particularly when compared to Certified Public Accountants (CPA). Currently, the Malta Forum of Internal Auditors (MFIA) is making progress in this direction, which may be considered a significant milestone. However, the absence of a legally recognized framework means that there is no uniform standard followed across companies. Furthermore, there is no regulatory body or established system for handling disciplinary matters.

While most Maltese IAors voluntarily comply with the Code, it has been observed that they often require additional guidance from the Code of Ethics for Warrant Holders. It is possible that the Code could benefit from incorporating certain elements of the Code for Warrant Holders, but any changes would need to be carefully considered and evaluated to ensure that they are appropriate and applicable to the IA profession. In fact, IAors emphasizes the significance of enhancing the Code to offer additional guidance, such as case studies and practical examples showing how the principles would be applied in specific circumstances.

There seems to be a growing sense of urgency to address certain ethical aspects specific to Malta. Rather than reinventing the whole Code, Malta could establish additional requirements and safeguards to reduce the familiarity threat prevalent in such a small country. Such requirements may include stipulating the minimum number of IAors making up an IAU, which in turn would allow for proper cooling-off periods, rotation of duties, and better ways of identifying and managing conflicts of interest, as well as outlining the consequences for failing to do so.

Perhaps if Maltese IAors were to officially form part of an institution, a collaborative approach could be taken to develop an IA Code that would be applied uniformly across all Maltese IAUs. Similar to the approach taken by Malta in the implementation of GAPSME, developing such a Code would provide a behavioral benchmark for IAors.

Additionally, similar to what the IIA implements, the regulatory body would be able to issue official sanctions for violating the ethical Code, such as fines and suspensions. This would ensure that “ethics is given due importance” while aligning Malta with its international counterparts. It is probable that the adverse impact on IAUs operating without a shared benchmark surpasses the costs of its implementation.

The study concludes that, regardless of the Code's depth, the primary defense against unethical behavior lies in internal auditors' character and values. Their moral judgment, not just regulations, is pivotal. Moreover, the study ascertains that a virtuous circle exists where the organization’s commitment to ethical conduct re-enforces the IAor's integrity, and the IAor, in turn, plays a pivotal role in promoting and enhancing business ethics. Similarly, the IAor requires a competent AC that is well versed in the Code and the ISPPIA, which will provide assistance and support in addressing ethical dilemmas. A potential research area could focus on the impact of ACs on IAors ethical behavior. This study may explore the ethical implications of effective ACs, especially in resolving ethical dilemmas, and could include an analysis of the relevance of the Code of Principles of Good Corporate Governance. Moreover, the prevailing opinion is that experience holds greater value than qualifications and training in ethics when it comes to managing ethical dilemmas. A study could be carried out to evaluate the significance of IAors’ experiences and qualifications, particularly but not exclusively, for tackling ethical issues in different industries.

Furthermore, the study concludes that Govtreps face more frequent dilemmas due to their heightened susceptibility to pressure from managers and politicians. In-house IAors, embedded in the organization, often form personal connections, creating conflicts of interest and leniency. Independence issues make it challenging to report ethical concerns and delineate between consulting and IA work. Conversely, outsourced IAors face fewer conflicts and independence issues, but they face substantial confidentiality threats. Local literature addressing ethics within outsourced IAUs is scarce. A promising avenue for future research could involve an exploration of potential confidentiality threats encountered by outsourced Maltese IAUs. On its part, the size limitation of Maltese IAUs also impinges on independence. While most Maltese IAors understand their ethical obligations, for the smaller IAUs, additional resources are often necessary to support their effective functioning.

IAor professionalism goes beyond mere technical competence and must incorporate taking on ethical responsibilities towards a variety of stakeholders, including the wider community. However, as indicated by this study, it is not enough for IAUs to conduct themselves through self-regulation at present. In particular, there is a need for an official body to enforce the appropriate regulatory provisions and to seek to improve the quality of the output of IAors. After all, even though the exercise of optimal ethical behavior may need to go beyond any regulatory requirements, such regulatory provisions will go a long way towards improving and developing the local IA profession. In the words of one of the study’s respondents, “regulatory provisions and their enforcement are normally the quickest way to progress in Malta.”

It is therefore recommended that ACs with sufficient Code-related expertise become mandatory for all types of entities having an IAU, not just MLEs. This would ensure a direct reporting channel for IAors and facilitate the timely identification of weaknesses within the IAU and the provision of prompt and suitable guidance to IAors as needed. Moreover, there is a need for the adoption of the IIA Code of Ethics for all Maltese IAUs, with additional locally relevant requirements. The Code should be enforced in Malta with a number of additional local requirements and safeguards, as indicated in Table 1.

Maltese law should additionally enforce the ISPPIA and IA regulations. Moreover, an official institute should be established, or, at the very least, the MFIA should be legally recognized as a regulatory body for Maltese IAors. In this manner, IAors would have a recognized structure, which, in addition to establishing official sanctions, would be a focal point from which IAors may obtain advice and support.

Moreover, the Code must be clearly communicated and explained through ethical training pertaining exclusively to IAors. During such training, case studies, including real-life scenarios and dilemmas, should be referred to so that the IAors’ ethical skills may be enhanced.

IAor professionalism goes beyond mere technical competence and must incorporate taking on ethical responsibilities towards a variety of stakeholders, including the wider community. However, as indicated by this study, it is not enough for IAUs to conduct themselves through self-regulation at present. In particular, there is a need for an official body to enforce the appropriate regulatory provisions and to seek to improve the quality of the output of IAors. After all, even though the exercise of optimal ethical behavior may need to go beyond any regulatory requirements, such regulatory provisions will definitely go a long way towards improving and developing the local IA profession. In the words of one of the study’s respondents, “regulatory provisions and their enforcement are normally the quickest way to progress in Malta.”