I recently shared a blog that proved very popular with the profession. Internal Auditors Must Remember: Good People Can Do Bad Things resonated with readers around the world who are constantly seeking to reconcile a person’s character with potential misdeeds. While it is true that good people can do bad things, it is likewise true that smart/capable people can do dumb things.
We don’t have to look far to identify instances in which decisions destroyed shareholder value in a company or the hard-earned reputation of a government agency. Such blunders are often made by incredibly seasoned professionals who get careless or exercise poor judgement.
It’s also easy to be intimidated when auditing an area led or filled with intelligent, seasoned professionals. They dazzle you with their deep understanding of operations; their knowledge can appear unassailable. Yet, I have found that some very bright folks can do some pretty dumb things. For example, I have uncovered deliberate violations of internal controls where individuals believed such controls were unnecessary for them
In government, I was called upon by legislators and others to audit or investigate allegations of waste and mismanagement. Our efforts often confirmed that capable executives had made bad decisions, costing taxpayers millions of dollars. The root cause was usually that egos had blinded people to their own fallibility. They weren’t nearly as smart as they thought they were.
So, how do internal auditors effectively audit areas led by highly capable and expert executives? It takes a lot of courage, a lot of self-confidence – and a healthy dose of skepticism. Objectivity demands that we remain skeptical – no matter how impressive someone’s resume or track record might be. For internal auditors, being skeptical is a never-ending chore.
New internal auditors tend to see the world in black-and-white: “Should we do an audit?” “Should we issue a finding?” “Am I maintaining a healthy degree of professional skepticism?” For many, such questions point to a single yes-or-no answer. But with experience, an internal auditor comes to realize that the answers to those kinds of questions are nuanced. The issue is not merely whether we should perform an audit, but whether risks in the program, function, or activity warrant an audit compared with other areas where the risk may be greater; whether sufficient resources are available; and how soon the audit is needed. And it’s not just reporting a finding, but reporting the finding’s significance relative to other areas in the audit, and how strongly to frame it.
The same thing applies when we attempt to draw a line between a healthy amount of professional skepticism and unwarranted suspicions about the people and areas we audit. Professional skepticism means taking nothing for granted: We continuously assess audit evidence and other information, and we question what we see and hear. We take pride in never missing a clue or warning sign, remaining alert for hidden messages. It is a quality that is essential to our work as auditors.
The flip side is that too much skepticism can hamper an internal audit’s effectiveness. I once had a hyper-suspicious auditor on my team who always assumed his clients were guilty of something and that his primary job was to blow the whistle on them. Not surprisingly, his working relationship with management and even with me deteriorated. Managers became less than forthcoming during risk assessments and audit engagements, leading to a breakdown in communication and weaker audits.
An internal auditor’s performance goals may include initiatives to build working relationships with key stakeholders and foster business partnerships with management. Unfortunately, the need for professional skepticism means we can never completely trust the very people in our organization who want us to be their partner. And that means management is less likely to think of internal auditors as trusted advisors, especially when compared with their “partners” in other departments.
Finding an appropriate level of professional skepticism and knowing how to express it are critical to an internal auditor’s long-term success. One size does not fit all: Some internal auditors rely on building relationships, while others are inclined to dig out the truth in the form of hard facts. The trick is balance, and to exhibit just the right degree of skepticism in any given situation.
If only we had a standardized rating system for determining our level of skepticism! Unfortunately, accurate and flexible ratings are not likely anytime soon. Imagine a checklist with statements such as: “The client seemed nervous and was sweating profusely. Add three skepticism points.” Or, “The sample size was statistically significant. Deduct one skepticism point.”
For me, the secret is to approach each situation with an open mind and to communicate in a way that demonstrates underlying trust and confidence in management. I still need to ask tough questions, but I will use tact in deciding when and how to ask them.
“Trust but verify” was a signature phrase of U.S. President Ronald Reagan when discussing superpower relations with the former Soviet Union. For internal auditors, “trust but verify” should be words to live by. We need to demonstrate trust in others (no matter how smart they seem), and continually verify that our trust is well-placed.