The auditor, the door and the fabric thread, a reflection!

Today I was finishing the slides for a new basic level internal audit course and I came across a very relevant topic for the quality of any assessment work carried out by internal auditors, but, left over.

I am talking about due professional care, an attribute that must be present in the list of necessary competencies of a high performance internal auditor.

The IIA through its international standards for professional practice, in its 1220 attribute norm, establishes that internal auditors must apply the care and skill expected of a reasonably prudent and competent internal auditor. Due professional care does not imply infallibility.

In according to this standard, internal auditors must exercise due professional care by considering the: 

• Extent of work needed to achieve the engagement’s objectives. 
• Relative complexity, materiality, or significance of matters to which assurance procedures are applied. 
• Adequacy and effectiveness of governance, risk management, and control processes. 
• Probability of significant errors, fraud, or noncompliance. 
• Cost of assurance in relation to potential benefits.directs that internal auditors should exercise the due professional care to:

In orde to provide better understand about the relevance of this topic, when I am in class, I always like to illustrate my explanation with a short story, which I will share with you bellow:

Let's imagine that you are the auditor in an organization where every day, to go to your office, you have to go through a corridor with several closed rooms on both sides. 

One day, when you are walking in this hallway, you notice that there is a small fabric thread on the floor, near one of the doors. You observe, but since it is a simple fabric thread, you evaluate that it is immaterial or irrelevant and move on without care about that. 

But, let's now include due professional care in this example. 

You are walking down the hallway and look at the fabric thread on the floor, next to a door, you understand that despite its immateriality, it is out of context. This fabric thread should be on the spool of thread or in a fabric, but not on that place. 

Thus, because of the due professional care, you need to check, get down to pick up the thread to analyze it, however, when you try to do tha, you realize that this thread is trapped under the door. Now, you will need to deepen your analysis action and you will need to open the door to see where the thread is stuck to release it for analysis. 

When you open the door, comes the surprise, this thread is not a normal fabric thread, in fact it is a hair tail of the little elephant that is quietly behind the door. 

One day, sooner or later, this door would be opened and the little elephant would be discovered. 

The manager would then ask the auditor, who spends every day in walking in this hallway, how and for what reason the auditor had not detected the elephant behind the door, and the auditor would not have, technically speaking, how to explain, other than his has used wrong professional judgment, due the lack professional care.

Unfortunately, by the excuse of materiality or lack of time, this type of occurrence is very present in corporations. I believe that this is partly due to the lack of knowledge of the auditors of the audit standards and also because of the lack of knowledge of the basic attributes for an audit work.

I observe many repetitive or standardized jobs being performed, without the necessary due care, resulting at least in low perfomance audit results.

Especially today where, through applied technology, the audit has been working hard on obtaining data, but very little in the evaluation of them. In this case the due professional care in applying the basic audit principles becomes even more relevant.

The due professional care helps the auditor to observe and evaluate everything that is out of context, regardless of its materiality. 

To finish, and looking for help, always keep in mind that:

Everything that is out of context must be analyzed, without exception!

Be happy!

Is Corporate Governance an outdated process?

The corporate world has been constantly shaken by events of fraud, disaster, corruption, wrong decisions, out-of-mission strategies, and others. These events put the governance structure in doubt, because with few exceptions, these companies that are or have been in the media counted on or rely on robust governance structures.

Then comes the question whether the governance structure or principles are outdated and should be changed as they are no longer effective.

In this article I would like to demonstrate that the problem is not the structure, but the attitude and awareness of governance existing in organizations.

We know that governance is historically a response to agency conflict, and in a simple way governance is the process by which organizations are managed and monitored in pursuit of the decision-making balance between shareholder, board and executive. Its principles are: transparency, fairness, accountability and corporate or social responsibility.

In order for governance to exist, it is necessary for the organization to have a robust and integrated risk management process, which, in its turn, needs to be supported by an effective system of internal controls, including in this point, the existence of a proactive audit activity aligned to the business.

A strong integrity program based on ethical value and principles ​​is imperative for the composition of the corporate governance structure.

Well, this whole structure becomes a great fiction if there is no real commitment, attitude and awareness of governance by the part of the decision makers, especially those who are in the highest positions of the company structure, like C-level and Board.

Before to have a governance structure, there must be the governance attitude and consciousness in the corporation, because without it the whole governance process loses its effectiveness. There must be an unrestricted commitment to good management practices, ethical values ​​and respect for all related parties.

The board should be active and independent, but it should also encourage and provide a conducive internal environment for risk awareness to be at all decision-making levels within the organization.

The Board must provide support to the second line of defense, which aims to support management in fulfilling its responsibility to improve the performance of its activity through the management of risks and internal controls, providing effectiveness and operational economics; to also support internal auditing, which as a third line of defense aims to add value to the corporation through the independent assessment of risk management, control and governance.

In turn, the leaders, in conjunction with the board, should clearly and transparently define the company's risk appetite in order that risk responses should be in line with this. Remembering that risk appetite for legal non-compliance, acts out of ethical values, and when there is risk of accident that could lead to death, should be zero.

Different from structure, governance consciousness must reach all organizational levels and need to be developed through organizational culture, which means long process with long maturation, needing to be constantly worked and evaluated.

This process should encourage and develop the managerial attitude guided by the best practices of risk management, compliance and internal controls, and in this regard the attitude of the top management, especially the C-Level is the extreme importance, as it should be the example of behavior and desired attitude.

Everyone who is part of an organization, who is governed by corporate governance, must be fully aware of the importance of their attitudes towards the organization's success and sustainability, and that they must comply with the legal, ethical and practice.

Be happy!