Risk exaggeration – a cognitive bias case study

Bribery and corruption are bad. Sectors dealing closely with the government have a propensity for bribery of public officials. Companies in these sectors particularly should implement sound Anti-Bribery Due Diligence (ABDD) policies and procedures. In countries with a low score in Transparency International’s Corruption Perception Index (CPI) [1], the risk of bribery and corruption is elevated and having effective Anti-Bribery Due Diligence in place is even more important. Of course, the effectiveness of the ABDD is subject to assurance, be it control self-assessments or internal/external reviews and audits. So far, I guess all will agree with me.

Recently I wrote a post [2] about how the judgment of assurance professionals (be it internal auditors or control reviewers from the so-called “second line of defense”) is subject to cognitive biases [3], which make it difficult for them to develop an objective assessment of their observations and may lead to exaggerated risk assessments and biased, overly critical engagement reports.

Shortly after writing that piece, I learned about a prime example of cognitive biases in an assurance context. I want to share the essence of the case here.


In an internal controls review at a subsidiary of a multinational (Company A) in medium-high bribery risk Country B, the reviewers encountered the following situation:

  • When testing the effectiveness of controls over anti-bribery, an arbitrary sample of two recently conducted anti-bribery due diligences was selected.
  • In one of the two DDs, a “red flag” (a condition signifying elevated bribery risk) had been identified. Company A’s management had finally decided to engage the vendor; because of the red flag, additional approvals had been obtained and monitoring measures for high risk third parties had been defined as per global procedure.

Additional background information discussed with Company A management:

  • The CPI score of Country B has been steadily decreasing over the last 3-4 years. Country B has also been criticized internationally for a decline in the rule of law and increasingly autocratic tendencies of the government.
  • A major company in the same sector had faced allegations of having bribed public officials two years before, but the allegations had not been substantiated.
  • Company B’s subsidiary in a nearby, culturally similar country has recently received global media attention due to allegations of bribing government officials.
  • Company B’s internal audit department has recently started to focus on ABDD in their audits. Company A in Country B is expected to be audited soon.
  • The scrutinized third party DD had been identified as deficient during Company A’s control self-assessment in the year before: it had been noted that the red flag had not been properly included in the last DD. As a result, local management had recently renewed the DD.
  • The red flag is the alleged involvement of the vendor in a government bribery incident some 15 years ago, although there is no final verdict finding the vendor guilty.
  • In the approval of the renewed ABDD, Company B management had obtained current court records regarding the alleged bribery case from 15 years ago and concluded that business with the vendor could be continued: the company has worked with the vendor over the past years without any incidents or problems; the vendor is one of only three or four in the country matching the requirements; all other major competitors in the sector work with this vendor.


The reviewers decided to include the following observation into their report:

Although the red flag had been identified and documented in the ABDD, the reviewers criticized that only two additional signatures had been obtained on the DD form to authorize the vendor engagement.

The reviewers concluded in their report:

  • The issue was a documentation deficiency of the management decision to engage the third party. It would have been better to document an explicit justification for the risk acceptance in light of the red flag.
  • The issue was rated as a “high risk” observation with a “potentially significant impact” on company financial result and reputation.
  • As a remediation action, it was recommended to include a detailed justification for the third party engagement in view of the identified red flags in the ABDD documentation.

The risk scenario that could occur and cause damage to the financials and/or reputation of the company was not characterized in more detail. In a discussion, the reviewer mentioned that she regarded it as a risk if the reasons for the management decision were not centrally documented, because they could be unavailable when needed, e.g. in case of an internal audit, since all responsible persons could have left the company. (All involved persons could readily give the required information and provide supporting documentation upon request.)

Beware of biases!

In my view, the conclusion in the report is wrong, the risk assessment is incomplete and biased, and the recommendation is ineffective at addressing the “identified” risk.

  • The risk for the company could not be assessed as “high” without further information on base rates of bribery incidents in the country, the sector, similar vendors etc. If the reviewers saw a risk in the fact that the third party had been engaged, they should have challenged the management decision itself, not the sufficiency of its supporting documentation.
  • The recommendation to improve the documentation of the decision did not change the bribery risk in the scenario. It was ineffective: management’s decision would have been the same because it was based on the same information.
  • If an improvement potential in documentation is seen, it should have been addressed to the global policy owner, not local Company A management in Country B.

In my opinion, the following cognitive biases are at work here:

  • Confirmation bias and availability heuristic: Primed by the CPI information and the recent allegations of bribery in the same and a neighboring country, the reviewers were inclined to “jump” on what they saw as a potential bribery issue.
  • Halo effect: The fact that the topic was “bribery” in a medium-to-high risk country according to Transparency International’s CPI probably influenced the intuitively assigned “risk level”; this could have been further enhanced by the mention of an actual court case in the past. The reviewers had the feeling that they needed to include this in their report and that it was important, even though they could not give explicit arguments for it.
  • In-group / out-group bias: Local management’s arguments about the observation and its evaluation were perceived as an “us vs. them” situation.
  • Substitution / affect heuristic: More documentation of the decision was somehow assumed to increase control and lower the bribery risk.
  • Self-serving bias: It was better for the reviewers to be more critical and inflate the issue, because of an expected internal audit later in the year. It might have reflected badly on the reviewers if they didn’t identify an issue that internal audit later would.


As I have written before, cognitive biases are at work in all of our minds, and assurance providers are no exception. The situation characterized above illustrates how such biases can contribute to exaggerated risk assessments and “window dressing” recommendations. Furthermore, as a result of such review outcomes, the relationship between assurance professionals and the management of reviewed units can be strained, and trust and cooperation can suffer. [4] Assurance work will then not be perceived as value-adding, [5] whether performed by internal auditors or by second line functions. [6]

Please note that I am not arguing that management’s decision to accept the risk and work with the third party is the best decision. But in my view it is a risk-informed decision.

In addition, I can fully understand the assurance professionals. I have worked in the same way and have written similar recommendations in my life as an internal auditor. But I would not do so anymore after having read Daniel Kahneman’s “Thinking. Fast & Slow”. [7]


[1] Transparency International

[2] Naturally biased – why internal auditors cannot adhere to their own code of ethics

[3] Wikipedia: “Cognitive bias”

[4] The limits of our language…

[5] How can internal audit really add value?

[6] Integrated assurance – assured integrity?

[7] Kahneman, Daniel: Thinking. Fast & Slow
