Internal Auditors Must Draw a Line Between Skepticism and Suspicion

I have always enjoyed working with new internal auditors, in part because they so often see the world in black and white. “Should we do an audit?” “Should we issue a finding?” “Am I maintaining a healthy degree of professional skepticism?” For many new internal auditors, each of those questions points unerringly to a single yes-or-no answer. 

With experience, internal auditors’ horizons expand, and they start to see repercussions of our actions. The issue is not merely whether we should perform an audit, but whether there is enough risk to warrant one, how extensive an audit is justified, and how soon it is needed. Likewise, the issue is not merely whether to report a finding, but how significant the finding is and how strongly to word the condition, cause and effect. 

Experience is valuable in appropriately drawing the line between providing adequate professional skepticism and harboring unwarranted suspicions. Issues regarding skepticism can be emotionally charged, because they lie at the core of how we see ourselves as auditors. Professional skepticism means we take nothing for granted — that we continuously assess audit evidence and other information, and that we question what we see and hear. We take pride in never missing a clue or warning sign, and being alert for the hidden messages that some other internal auditor might miss. We are all aware that, without professional skepticism, we might fail as auditors.

So, why shouldn’t auditors be obsessively skeptical? The flip side is that it can hamper audit effectiveness. Take, for example, the case of the hyper-suspicious auditor who once worked for me. He always assumed new clients were “guilty of something,” and his job was to blow the whistle. I would constantly remind him of the quote from Irish author Ian Gibson: “A suspicious mind will find poison everywhere it looks.”

Unsurprisingly, my colleague’s working relationship with management, as well as with me, deteriorated. Managers were less than forthcoming during risk assessments and the audit engagement. The auditor’s nature of being overly suspicious eventually led to communications breakdowns and weak audit results.​

​​​​​​For many internal auditors, our written goals might include partnership-with-management initiatives or other relationship-building practices. Unfortunately, maintaining professional skepticism means we can never turn a blind eye to the very leaders who would be our partners in these initiatives. In turn, management may become less likely to think of internal auditors as trusted advisors. It’s human nature to trust and confide in people who trust and confide in us — but also to distrust those whose (remarkably poor) judgment makes them suspicious of us. Is it any wonder, then, that taking a hard line on professional skepticism can potentially damage valuable working relationships?

Having a handle on an appropriate level of professional skepticism is critical to long-term internal audit success, but evaluating our own professional skepticism can be dismayingly subjective. One size does not fit all. Some auditors rely more on relationship building; others are more inclined to “dig out the truth” in hard facts. Every situation is unique, and the trick is not merely to decide how much skepticism is enough in general, but to draw the line so clearly that we exhibit just the right degree of professional skepticism in any given situation.

If only we could use a standardized rating system to assess our level of skepticism! Unfortunately, an accurate, flexible rating scale is not likely in the near future. Imagine a checklist with statements such as, “The interviewee seemed nervous and was sweating profusely. Deduct one skepticism point.” Or, “The sample size was statistically significant. Add three skepticism points.”

To me, the secret is simply to approach each situation with an open mind and to communicate in a way that demonstrates our underlying trust and confidence in management. We will always need to ask the hard questions, but we also need to use tact in deciding how and when to ask the questions.

Former U.S. President Ronald Reagan once said, “trust but verify.” At the time, Reagan was discussing ongoing relationships with a U.S. adversary. For auditors, “trust but verify” should be words to live by. We need to demonstrate trust in our co-workers, and we need to verify that our trust continues to be well-placed.​