From the early days of my career, I was told that internal auditors should not simply accept what we are told, that we should always take the extra steps to double-check the information. En route to the answers, it was important to build reliable sources by creating open, productive working relationships. In this way, we could establish trust. But we also should ensure that trust was earned.
Trust but verify.
The Anti-Fraud Collaboration, of which The IIA is one of four sponsoring organizations, is releasing new thought leadership that cuts to the core of the notion “trust but verify.” In examining methods for detecting and deterring financial statement fraud — or, for that matter, any type of fraud — the paper focuses on the importance of practicing skepticism, or refusing to accept information and practices we observe with blind faith.
Certainly, we shouldn’t automatically assume the worst and distrust others. That can lead to suspicion, which can be destructive. Distrust fosters distrust: Auditors who seem suspicious soon find that they have clients who don’t trust them. Any hint of distrust can lead to the perception that we only want to use evidence against others, especially those we are auditing. And while it may not seem logical, when we treat others as if we suspect fraud, they are less likely to be candid and forthcoming about problems that have nothing to do with fraud. Worse, when we act as if we suspect a cover-up, our clients actually can become more likely to conceal information we need.
We may disagree about the appropriateness of trusting audit clients. But one thing is clear: Automatic distrust doesn’t work. Suspicion is the silent killer of client relationships.
Ironically, one problem with “trust but verify” is that, while we shouldn’t automatically distrust our clients, many of us are biased toward trusting them too much. Even the most objective of us have built-in biases, based on personal and professional life experiences. But trusting relationships can create subconscious biases that impede our ability to perform our work objectively.
There are several reasons that auditors might be biased toward over-trust. We want to be collegial and, as I mentioned, we want to build and maintain productive working relationships. And, honestly, the more skeptical we are, the more time it can take to complete an audit. There is an inevitable tug of war between professional skepticism and audit efficiency. There also is an inherent conflict between fostering good relationships and asking challenging questions. And, subconsciously, all this also can lead to a negative auditor bias.
Maybe it is time to be more skeptical about our own professional skepticism.
All audits have deadlines, so we must maintain a balance between too much skepticism and too little. Audits must be efficient as well as effective, so we can’t continue to ask questions and evaluate evidence ad infinitum. But there is art as well as science in knowing how to ask the right questions, when to follow up on the answers, and when to move on. The cold logic of a well-constructed audit test can help to strike the right balance between blind faith and needless suspicion. But even the best audit tests are open to interpretation.
Maintaining an appropriate level of professional skepticism isn’t easy. We can’t do it simply by following a checklist. Instead, it is a mindset that must be applied pervasively, from designing the audit program to gathering and evaluating the evidence. Throughout every audit, we must maintain an attitude that says, I may like these people and I may understand what they are telling me, but I must verify the facts independently and objectively. I neither believe nor disbelieve until that verification is complete. I neither trust nor distrust.
Needless to say, some of our clients would prefer that we put complete trust in them. And it may not always be clear to our clients whether our views are suspicious or merely skeptical. There’s a fine line between maintaining a healthy degree of professional skepticism and having an inherently suspicious attitude.
In the eyes of a nervous client, a simple audit interview may feel like an interrogation — or even a witch hunt. We need to be sensitive to those concerns. But all of our stakeholders need to know that, when internal audit comes in, there is no free pass. Auditors will independently evaluate the evidence with a very objective mindset. We cannot be satisfied with less than persuasive evidence because of an instinct that management is honest. We must conduct every engagement with a mindset that recognizes the risk of fraud — regardless of any past experience or belief about management’s honesty and integrity. We owe that to the organizations we serve.
I encourage you to take a look at the new Anti-Fraud Collaboration paper “Skepticism in Practice,” which probes how to use skepticism to fight fraud, how biases threaten skepticism, managing risks of emerging technologies, dealing with crises, and actionable steps for enhancing skepticism. The collaboration also has an informative video on the subject, in which I discuss these issues with Margot Cella, vice president of Research and Anti-Fraud Initiatives at partner Center for Audit Quality. And, finally, there’s plenty more on skepticism on the Anti-Fraud Collaboration’s website.