D.7 Due Professional Care

All practice review and internal audit procedures are designed to ensure internal auditors exercise appropriate professional care performing practice reviews and internal audits

  1. Practice Review and Internal Audit (PRIA) will conduct its work with the care and skill of a prudent and competent internal auditor. Professional care is, therefore, appropriate to the complexities of the practice reviews or audits being performed. In exercising due professional care, internal auditors should be alert to the possibility of intentional wrongdoing, errors and omissions, inefficiency, waste, ineffectiveness, and conflicts of interest. They should also be alert to those conditions and activities where irregularities are most likely to occur. Possible errors are to be discussed with the Chief Audit Executive (CAE). PRIA reviews management systems in order to evaluate adequacy and effectiveness of controls and recommend improvements to promote compliance with acceptable procedures and practices. An appropriate degree of testing is to be performed as part of the audit program in order to validate and measure errors.

  2. The internal audit standard of due care calls for reasonable care and competence, not infallibility or extraordinary performance. Auditors are expected to conduct examinations and verifications to a reasonable extent, with an appropriate degree of testing transactions. Accordingly, the internal auditor cannot give absolute assurance of adequacy or effectiveness, or that noncompliance or irregularities do not exist. Nevertheless, the possibility of material irregularities or noncompliance should be considered whenever the internal auditor undertakes an assignment. Audit practices include a determination of the appropriate type and degree of interviewing, system review, and testing to provide proper due care.

  3. When an internal auditor suspects wrongdoing, the CAE is notified. The CAE will contact the Auditor General and General Counsel to help determine whether an audit or investigation in the suspected areas of wrongdoing is appropriate. The auditor may or may not be personally involved in the investigation and resolution of the suspected wrongdoing.

Exercising due professional care means using reasonable audit skill and judgment in performing the practice review and internal audit

  1. All work begins with steps leading to a clear understanding of the scope and objectives. This may require a review of risk analysis, management request background, etc. The audit scope and objective are documented in advance and approved by the CAE. The PRIA programs are planned and their implementation is supervised to ensure that the objectives will be met. Ongoing auditor/supervisor communication is conducted to ensure that actual fieldwork practices support the scope and objective.

  2. Audit practices involve consideration of the materiality, impact, cause, and effect of control concerns as they emerge as part of audit fieldwork. Audit testing and discussion with the area under audit will be necessary to determine these factors. Materiality is considered in developing all potential audit findings using the primary significance categories of REPORT/DISCUSSION items. The CAE reviews and approves the final materiality classification.

  3. System reviews are performed as the initial core activity of audits. System reviews are completed in a manner that evaluates the overall adequacy of internal controls within the audited system(s). Supplemental testing is performed as necessary after review with the appropriate supervisor.

  4. All planned review/audit steps are designed in a manner that includes cost/benefit consideration. It should be noted that sufficient data may not be available to make a prudent cost/benefit decision at the planning stage. Preliminary survey data is secured to provide additional sizing input. The work is planned with both conservatism and economy in mind. Ongoing communication with the appropriate supervisor is maintained throughout fieldwork in order to maintain focused, cost‑beneficial audit steps at all times.

  5. All internal auditors use established standards and policies as a basis for evaluating operating practices. Review/Audit criteria are selected to evaluate compliance with important standards. The Office’s policy and procedures may be compared for consistency. Procedures may be evaluated against prudent attributes such as frequency, approval, detail level, distribution, etc.

  6. Consideration of management concerns is important when auditing systems because management is familiar with system use and potential system problems. Auditors may solicit management for specific expected standards of performance. These standards could become the criteria for audit testing instead of procedural standards.

Last modified:
2018-03-01