In my last blog, I observed that internal auditors are expected to demonstrate a number of core attributes. I went on to explore the concept of "professional proficiency" and what that means for internal auditors.
Another attribute that often receives light treatment in internal audit manuals and textbooks is "due professional care." It goes without saying that internal auditors should exercise due professional care in undertaking their work, but what does that really mean?
The IIA's Standard 1220: Due Professional Care states: "Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor."
So what is reasonable and competent? The International Professional Practices Framework (IPPF) makes it clear that we're not looking for perfection. In fact, it clearly states that, "Due professional care does not imply infallibility."
So, what does due professional care imply?
According to the interpretation, an internal auditor exercises due professional care by considering the:
- Extent of work needed to achieve the engagement objectives;
- Complexity, materiality, or significance of matters to which assurance procedures are applied;
- Adequacy and effectiveness of governance, risk management, and control processes;
- Probability of significant errors, fraud, or noncompliance; and
- Cost of assurance relative to potential benefits.
That's what it looks like on paper. But what does all that really mean?
It means that while no one expects us to be perfect, our stakeholders should be able to rely on us to demonstrate competence and use the most up-to-date knowledge, technology, and techniques in exercising our responsibilities.
During my career, I have seen more than a few internal audit engagements that were not well planned, not well conducted, or where the results were communicated via poorly written, untimely, or inaccurate engagement reports. If the engagement team was working for me, I never hesitated to call out instances where due professional care had not been exercised. If necessary, I sent the team back to undertake more field work that would serve as an adequate basis for conclusions.
I think a lot of us still pat ourselves on the back when we learn a new technique or leverage new technology. It's not wrong to take pride in your work. But false pride can lead to complacency. Due professional care requires a mindset of continuous improvement that recognizes mastery of tools as just the price of admission, not an end in itself. Last year's leading practice can quickly become this year's fundamental practice. We owe it to our stakeholders and others who rely on the results of our engagement reports to enhance our proficiency continuously.
Hindsight being 20/20, there will be people who will ask: "Where were the auditors?" when things go wrong. And maybe sometimes we should have identified key risks that were not mitigated, or key controls that were not properly designed and implemented. While we are not infallible, I am convinced that by exercising due professional care in everything we do, there will be fewer people asking where we were.
It is better to look forward, make sure you enter each engagement well-prepared, and exercise due professional care.
What is your definition of "due professional care"? Feel free to comment.