Due Professional Care: What Is Reasonable and Competent?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


In my last blog, I observed that internal auditors are expected to demonstrate a number of core attributes. I went on to explore the concept of “professional proficiency” and what that means for internal auditors.

Another attribute that often receives light treatment in internal audit manuals and textbooks is “due professional care.” It goes without saying that internal auditors should exercise due professional care in undertaking their work, but what does that really mean?

The IIA’s Standard 1220: Due Professional Care states: “Internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor.”

So what is reasonable and competent? The International Professional Practices Framework (IPPF) makes it clear that we’re not looking for perfection. In fact, it clearly states that, “Due professional care does not imply infallibility.”

So, what does due professional care imply?

According to the interpretation, an internal auditor exercises due professional care by considering the:

  • Extent of work needed to achieve the engagement objectives;
  • Complexity, materiality, or significance of matters to which assurance procedures are applied;
  • Adequacy and effectiveness of governance, risk management, and control processes;
  • Probability of significant errors, fraud, or noncompliance; and
  • Cost of assurance relative to potential benefits.

That’s what it looks like on paper. But what does all that really mean?

It means that while no one expects us to be perfect, our stakeholders should be able to rely on us to demonstrate competence and use the most up-to-date knowledge, technology, and techniques in exercising our responsibilities.

During my career, I have seen more than a few internal audit engagements that were not well planned, not well conducted, or where the results were communicated via poorly written, untimely, or inaccurate engagement reports. If the engagement team was working for me, I never hesitated to call out instances where due professional care had not been exercised. If necessary, I sent the team back to undertake more field work that would serve as an adequate basis for conclusions.

I think a lot of us still pat ourselves on the back when we learn a new technique or leverage new technology. It’s not wrong to take pride in your work. But false pride can lead to complacency. Due professional care requires a mindset of continuous improvement that recognizes mastery of tools as just the price of admission, not an end in itself. Last year’s leading practice can quickly become this year’s fundamental practice. We owe it to our stakeholders and others who rely on the results of our engagement reports to enhance our proficiency continuously.

Hindsight being 20/20, there will be people who will ask: “Where were the auditors?” when things go wrong. And maybe sometimes we should have identified key risks that were not mitigated, or key controls that were not properly designed and implemented. While we are not infallible, I am convinced that by exercising due professional care in everything we do, there will be fewer people asking where we were.

It is better to look forward, make sure you enter each engagement well-prepared, and exercise due professional care.

What is your definition of “due professional care”? Feel free to comment.

Posted on Oct 15, 2013 by Richard Chambers


  1.  I will not define it, because we can define it, using different approaches in defining it. The problem is implementing Due Professional Care. I think that is a very serious issue at the moment, and planning as auditors should be on point, as we want to save on the resources utilised by us. If we put a lot of effort into planning, I don't see why we would fail in performing our duties.

    Internal Auditing Student from South Africa at Cape Peninsula University of Technology.

  1.  I am disappointed more with the response to the ill-informed question "Where were the auditors?", because it is so defensive.

    The responsibility for implementing adequate and effective governance, risk management and control processes rests squarely with management and I can't see why when things go wrong it should suddenly become the internal auditors'.

    If internal auditors concentrated on adding value, in the technical sense as defined in the Glossary, by conducting the appropriate engagements for prevailing circumstances all the time, they would have done their job.

    Internal audit plans take away from internal auditors their duty to exercise due professional care and implement the standards by making the decision for internal auditors as to what engagement to conduct. The internal auditor is then forced to subjugate his/her professional judgement to the internal audit plan.

    To make matters worse, the focus on "high risks" is at odds with the definition of significant risks. Many significant risks are sacrificed at the altar of the high-risk populism.

    Things go wrong when objectives are not being achieved, when only certain high risks are addressed instead of all identified significant risks being addressed - not by internal auditors, but by management.

    Things go wrong when internal auditors start focusing on individual risks rather than on organisational objectives and governance, risk management and control PROCESSES.

    That is the message we should be getting through to them through mainly consulting engagements (so that the engagement clients can incorporate it in their ongoing monitoring and periodic assessments) and reinforcing through the assurance engagements.

    Instead we convey a message to them that if they address only the highest risks, miraculously organisational objectives will be achieved, even though other risks assessed to be significant are not addressed.

  1. While the administrative and clerical parts of auditing are an important indicator of due professional care, the strategic part requires competence in understanding the objectives of the area under review. Auditors can be taught and can implement a risk management approach even if such an approach doesn't readily exist within the organization more broadly. It's this approach that will allow the auditor to have a discussion that helps them understand the area's operating and control objectives, and the relative importance of each. This prioritized understanding allows the auditor to consider each operating and control objective in determining his/her audit objectives. When you have this solid foundation, the remainder of the due professional care becomes much easier.

  1. The key words in Standard 1220 in my opinion are "reasonably prudent and competent".

    Analyzing the three words, the truth might be enlightened. Reasonableness, in my opinion, has to do with average human thinking; Prudent encircles the human values of honesty, trust and feeling the responsibility; and Competency covers knowledge and proficiency.

    If the I.A. work discovers not the extraordinary deviations, but those that a reasonably competent Internal Auditor could discover and, being prudent, will not hide, that for me is Reasonable Due Care.

    The reasonably competent Internal Auditor returns again in my statement and that shall be investigated further and linked to prudence.

    How may an Internal Auditor support that he/she is reasonably competent?

    In my opinion an Internal Auditor must feel the responsibility, continuously seek training, practically exercise the continued professional development spirit and implement all that is learned in his/her work, with responsibility and a non-stop investigating spirit. Only then might an Internal Auditor claim to exercise Due Professional Care during her/his work.

