Naturally biased – Why internal auditors cannot adhere to their own Code of Ethics

Independence and Objectivity

The hallmarks of the Internal Audit profession are Independence and Objectivity. Without independence and objectivity there can be no truly effective auditing, because conclusions snd expressed opinions could be unfairly biased.

“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. … Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. …

Objectivity is an unbiased mental attitude … Threats to objectivity must be managed at the individual auditor, … level[s].” [1]

“Internal auditors must have an impartial, unbiased attitude … .” [2]

“Internal auditors are not to be placed in situations that could impair their ability to make objective professional judgments.” [3]

The question if Internal Audit as a function or Internal Auditors individually can be independent from the audited organization has received a lot of discussion. It is currently the accepted stance of the IIA that a dual reporting relationship resolves the independence issue [4], although, speaking from personal experience, this may in actual practice not be effective.

The objectivity has been mostly discussed from the point of view of potential conflicts of interest of an Internal Auditor who may be auditing an area she has previously been responsible for or she has been engaged in consulting engagements for. [5]

For the individual auditor, the IIA Code of Ethics describes the minimum requirements for conduct, and expected behaviors. IIA members and recipients of or candidates for IIA professional certifications need to regularly certify that they abide by the Code of Ethics and breaches of the same may be sanctioned with revocation of the professional certification.

An unbiased mental attitude

When I recently read the books “Thinking, Fast and Slow” by Nobel laureate Daniel Kahneman and “Before you know it” by John Bargh, a nagging thought began forming in my mind: what about cognitive biases [6] and their impact on internal auditors? What about the requirement to be objective, meaning maintaining an unbiased mental attitude?

The IIA Code of Ethics states:

“1. Integrity

Internal auditors:

1.1. Shall perform their work with honesty, diligence, and responsibility.

2. Objectivity

Internal auditors:

2.1. Shall not participate in any activity or relationship that may impair or be presumed to impair their unbiased assessment.” [7]

Enter cognitive biases

Cognitive biases are systematic mental shortcuts in which the mind deviates from rational, objectively expected judgments and decisions. [8] They affect our way if perceiving reality without our being consciously aware of it. Many biases have been described and demonstrated in numerous psychological experiments.

Kahneman stresses in particular, how bad the human mind is at statistics, in judging probabilities and risks, replacing the solution to the actual problem with an easier heuristic. E.g.

  • probability is replaced with representativeness;
  • frequency is misjudged due to the ease with which examples can be retrieved from memory (availability heuristic);
  • small risks are either ignored or extremely overweighted (availability cascade);
  • risk events with which we have close personal experience are overrated (affect heuristic);
  • observations fitting to previously formed opinions are preferred and overweighted vs. new findings in conflict with previous opinions (confirmation bias);
  • Judgments are subject to the context in which they are made and can be biased because of recent, even completely unrelated information (anchoring bias).

There are many more cognitive biases, a very nice visual representation in one infographics can be found here [9].

Here’s an example of a way I successfully tried the anchoring bias on my wife. When I took her recently to a nice restaurant for dinner, I first asked her if the speed limit on the highways here in Turkey was 110 or 120 km/h. I “primed” this value range in her unconscious mind. Then I asked her to estimate what the price of the set menu was for on person. Her immediate estimate was 110 TL, one of the two values I had “anchored” in her mind.

A fundamentally biased mental approach

Looking back at my own professional career of more than 10 years in internal auditing in several organizations, and my studies for the Certified Internal Auditor (CIA) designation (the same goes for the CISA by ISACA), I cannot recall any word of caution on cognitive biases in the trainings I took, neither on the job nor off the job; nor in the study materials. On the contrary, as part of a thorough preparation for an audit project, we reviewed sources on fraud and corruption in the respective country, previous audit report of the same unit, external assurance reports, background information on local culture…

From my own personal experience both as an Internal Auditor and as sitting on the other side of the table in internal audits or 2nd line of defence control reviews, I clearly observed biased behavior of auditors and reviewers all the time:

  • Fixating on issues primed through audit pre-work (anchoring, priming effect, confirmation bias); e.g. jumping to conclusions on issues that may be related to bribery in Turkey due to the relatively low Corruption Perception Index (CPI).
  • Overstating risks related to such issues expected from pre-analysis or similar recent audits (confirmation bias, availability heuristic … or even prejudice: “I don’t see a documented rationale why this vendor was chosen. Have you checked if there is a personal relationship to an employee? After all we’re in Turkey where nepotism is a normal part of culture.”)
  • Overstating risks related to issues the auditor has found in previous audits (affect bias). “We have seen similar activities in other countries and didn’t like them there. Here’s our recommendation.”
  • Overestimating likelihood of identified risks in worst-case scenarios (availability cascade, representativeness bias). “Bribery is a huge risk in Turkey. Just look at yesterday’s headline from the government corruption case on Greece.”
  • Overestimating probabilities based on small, arbitrary samples. (“Already the first two documents we tested had small errors. How bad must the overall quality be!”)

These are just some examples that come readily to mind using my own availability heuristic. Many more could be found by more systematic analysis with a list of cognitive biases at hand.

Conclusion

Following the IPPF guidance and usual practices for audit fieldwork preparation, internal auditors systematically prime themselves with negative risk information and cannot approach the encountered conditions with the necessary unbiased attitude required to make truly objective assessments. As a result, risks – both impact and likelihood- are regularly overrated and exaggerated in audit reports. This widens the gap of trust between auditors and audited unit management.

The Code of Ethics and the IIA Standards should be revised to recognize the effect of cognitive biases. All internal auditors should receive training in cognitive biases and statistics. And even this will not help de-bias them. Actually, to be truly objective and the unbiased, auditors should do no research whatsoever before a project and start each audit with a clearly “clean sheet”.

Or give up the notion of independence and objectivity and acknowledge the limitations of human beings.

Before you go:

If you liked this post, you might want to read “How can Internal Audit really add value” and “Integrated Assurance – assured integrity?”

References

[1] IIA Standard 1100, Interpretation

[2] IIA Standard 1120

[3] IIA Practice Advisory PA 1120-1 (IIA members only, PDF also available here)

[4] IIARF, Internal Audit Reporting Relationships: Serving Two Masters

[5] IIA Standard 1130, 1130.A1-2, 1130.C1-2

[6] Wikipedia

[7] IIA Code of Ethics

[8] Wikipedia

[9] visualcapitalist

3 thoughts on “Naturally biased – Why internal auditors cannot adhere to their own Code of Ethics

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s