3. Due Professional Care
This value is a staple in most professional standards, including the IIA core principles. As Bill Belichick, coach of the New England Patriots football team, might interpret this principle, it means: “Do your job!” Every internal auditor must do the reasonable amount of work to ensure they are executing their responsibilities with care. Mistakes will happen and no one is perfect, but as long as internal auditors are acting with a reasonable amount of dedication, they are fulfilling their duties.
“The Internal Auditor shall pay particular attention to certain key audit activities, such as establishing the scope of the engagement to prevent the omission of important aspects, recognizing the risks and materiality of the areas, having required skills to review complex matters, establishing the extent of testing required to achieve the objectives within specified deadlines, etc.,” the ICAI states.
We could expand this principle beyond our jobs into everything we do. My father would often say: “Anything worth doing is worth doing right.”
4. Confidentiality
Confidentiality is one of the ICAI principles that is not included in the IIA principles. I think it makes sense to include it. Internal auditors are privy to lots of sensitive information that shouldn’t always be shared beyond those who need to know it to carry out their responsibilities. Information gained through activities such as investigations and probes should be withheld from those who don’t need to be involved, or from third parties who could unfairly or improperly gain from getting access to the information.
“The Internal Auditor shall keep confidential information secure from others. Under no circumstance any confidential information shall be shared with third parties outside the company without the specific approval of the management or client or unless there is a legal or a professional responsibility to do so,” the ICAI states.
5. Skills and Competence
Skills and competence relate to principle three, due professional care. It includes maintaining a sharp set of audit skills that could require continuing education and other professional development. It could also include declining assignments for which the internal auditor knows he or she is not qualified to conduct, or seeking outside expertise, as appropriate, to complete audits for which the internal audit team does not have the necessary skills in house.
According to the ICAI: “Where the internal auditor lacks certain expertise, he [or she] shall procure the required skills either though in-house experts or through the services of an outside expert, provided independence is not compromised. The objective is to ensure that the audit team as a whole has all the expertise and knowledge required for the area under review.”
6. Risk-Based Audit
Conducting a risk-based audit is another principle that aligns directly with an IIA principle. Since we all know that audits should be risk-based and that the audit plan should be based on an extensive and robust risk assessment, I won’t spend too much time here.
As the ICAI put it: “The internal auditor shall identify the important audit areas through a risk assessment exercise and tailor the audit activities such that the detailed audit procedures are prioritized and conducted over high-risk areas and issues, while less time is devoted to low-risk areas through curtailed audit procedures. Additionally, this approach shall ensure that risks under consideration are more aligned to the overall strategic and company objectives rather than narrowly focused on process objectives.”
7. System and Process Focus
The ICAI emphasizes a focus on systems and processes, as opposed to transactions and balances, to make the important point that internal audit should be looking to prevent problems, errors, and fraud, not just detect them. That requires conducting root cause analysis as well.
“An Internal Auditor shall adopt a system and process focused methodology in conducting audit procedures. This methodology is more sustainable than the one adopted to test transactions and balances as it goes beyond ‘error detection’ to include ‘error prevention.’ It requires a root cause analysis to be conducted on deviations to identify opportunities for system improvement or automation, to strengthen the process, and to prevent a repetition of such errors.”
8. Avoiding Participation in Operational Decision-Making
This is another principle that ties in directly to independence and objectivity. As the ICAI put it: “As part of his [or her] advisory role, the internal auditor shall avoid participation in operational decision-making, which may be subject of a subsequent audit.
The focus of the Internal Auditor shall remain with the quality and operating effectiveness of the decision-making process and how best to strengthen it, such that the chance of flawed or erroneous decisions is minimized. However, the internal auditor is at full liberty to present the lessons, which can be learned from such past decisions.”
9. Sensitivity to Multiple Stakeholder Interests
Internal auditors have many masters to serve and they need to consider all stakeholder concerns. They must also take care to understand where their allegiance should lie when those interests conflict.
“The internal auditor shall evaluate the implications of his [or her] observations and recommendations on multiple stakeholders, especially where diverse interests maybe conflicting in nature. In such situations, the internal auditor shall remain objective and present a balanced view. This would permit senior management to make a decision using all the information and balance the strategy and objectives of the company with the expectations and interests of its multiple stakeholders.”
10. Quality and continuous improvement
Along with continued professional development (covered in principle 5. Skills and Competence), internal auditors should seek outside quality assessments. And since no process or function is ever perfect, internal audit should constantly be looking for ways to improve its game.
“The internal auditor shall ensure that a self-assessment mechanism is in place to monitor his [or her] own performance and also that of his [or her] subordinates and external experts on whom he [or she] is relying to complete some part of the audit work. A peer review mechanism for quality control shall be followed to adhere to all aspects of the pronouncements issued by the ICAI.”
————
No internal auditor will ever find that a list of guiding principles has all the answers. They aren’t intended to take the place of personal judgment and the auditor’s own well-considered values. Generally, if an internal auditor does what he or she thinks is right, they will be in good shape. Still, the core principles (both the ICAI’s and the IIA’s) are worth reading and reflecting on and should be revisited on a regular basis.
And here is one bonus principle that should work for all professions and in your professional and personal life: Be Kind, from the Latin, Este Benevoli.
Joseph McCafferty is Editor & Publisher of Internal Audit 360°.