Are internal auditors really independent and objective? Insights from a case study

As the former CAE of AstraZeneca (AZ) and now a consultant and trainer on internal audit matters for the past 12 years, I've been happy to work on a range of interesting topic areas. Recently, I have been helping clients with issues around auditor mindsets, influencing, stakeholder management, and political savvy. 

Having written articles on the typical personality type of auditors and preferred influencing styles, I now want to turn to the question of internal auditor (IA) mindsets and the question of independence and objectivity. 

My interest in this topic goes back to 2005 when I was CAE of AZ, and we found some of our new audit recruits sometimes struggled "to see the wood for the trees.” We decided that the recruitment process could be more rigorous. So we worked on a case study (around 14 pages long) that prospective auditors needed to complete to supplement more conventional recruitment processes. The case study's results helped us better understand how auditors analyzed, prioritized, and synthesized data and information. It also helped us see how auditors approached the task of engaging stakeholders with appropriate questions. Since 2010 various clients have asked me to help up-grade their internal audit recruitment processes using a similar (but shorter) case study. 

More recently, I have been using the case study to help CAEs and IA teams understand how internal auditors prioritize information and decide things as a team. The case study in question concerns: 

1)    A business-as-usual activity, where a range of 10 risks and issues are described and 

2)    A project to implement a new system (that impacts the business-as-usual activity) also with ten risks and issues. 

Those reading the case study get half a page of extra information and are then told to: 

A)   Rank the top 3-4 issues/risks from their perspective and 

B)   Consider the key questions to ask 

Responses are collected in advance and in confidence and then shared in workshops or webinars anonymously. These results help internal auditors explore how they and others think about problems. The aim is to come to a common understanding of the most critical risks and issues, and what the appropriate and insightful questions might be. It also helps IA teams better understand how they make decisions about priorities during assignments. 

Insights from individual workshops/webinars

Readers might want to pause for a minute and imagine what responses they might expect? For example, would everyone from the most junior to the most senior member of an IA team see the case study similarly? Would someone with expertise in IS/IT or projects process the information the same way as someone with a finance, accounting, or procurement perspective? 

Here is an example of the priority areas from a group of around ten internal auditors:

The specific risks and issues chosen are beyond this article's scope. Still, you can see: 

i)               Not everyone chooses the same issues, and 

ii)             Some risks and issues are much more popular than others.

One of the questions we explore is why these differences exist and – in general terms – how one might prioritize the risks and issues in a way everyone can support. After all, if internal auditors need to be "independent and objective," there is a good argument that there will be better and less good ways of digesting the information presented. 

Here is another example of the results from the case study from another IA team:

The risks and issues are in the same format as before. Hopefully, you can see two things compared to the earlier photograph: 

1.    What might be the most common risks and issues in one audit team (or sub-team) may not be the same as another, and 

2.    Some auditors don’t always choose issues and risks from the list of 20 provided; they "think out of the box."

Workshops and webinars with internal auditors examine questions such as: 

I)              Why have some auditors chosen risks/issues as stated, while others have raised risks/issues "out of the box”?" 

II)             To what extent would a majority of opinions determine what we should conclude are the key risks and issues? 

III)           Would the views of subject matter experts carry more weight around what was really critical in some situations?

IV)          Should decisions about priorities be made by the most experienced auditor or team leader? 

V)            Is there another basis for prioritizing risks/issues? 

The cumulative case study results over the past few years (with thanks to my PA, Sarah) are interesting:

Looking at the cumulative position, we can see one risk area got over 150 votes to be in the top 3-4. Then, more than ten different risk areas got between 100 and 150 votes. In other words, even with the same case study, with precisely the same words, there is an enormous diversity in what auditors think the key risks and issues are. We say that internal auditors have an "independent and objective mindset." However, the evidence from the case study shows a considerable amount of diversity around how auditors analyse and prioritise the same information, even auditors in the same team! 

  Some observations about priority areas chosen for questions   

When compiling the priority questions from auditors (which would be asked of a key stakeholder), the workshops show:  

i)               The key questions an internal auditor wants to ask are often linked to the key risks and issues they have identified and

ii)             there is an even greater diversity of question topic areas, focus points, and styles of questioning than risks/issues (the IA workshops present back different ways of seeing these differences.) 

Workshops and webinars explore some of the reasons why there is such a great diversity around key questions to ask. One consideration is that when you are asking questions you are considering both tangible factors as well as "soft skill" dimensions. By the end of most workshops and webinars we develop a clearer understanding of how to think about the options we have when questioning, and what might be more and less effective approaches.

Outcomes/benefits

It’s impossible to summarise all of the ways these workshops unfold (which can depend on the specifics of each IA team.) However, overarching messages and learnings are: 

1.    Despite IA training and qualification programmes, internal auditors do not approach the same information in an identical way, as if they were machines, or robots;  

2.    These differences in approach link to different mindsets between auditors and can have advantages; for example, team members may see the same facts from different angles, offering new insights; but 

3.    The risk of biases and blind spots is present in even the most experienced internal audit team, and IA team members may not realize this; 

4.    Prioritization and decision-making in audit teams is not always as explicit and consistent a process as many might think;

5.    Using a case study is a powerful way of bringing home these and many other lessons in a relatively short time. It can also help IA teams develop more insightful points, transparent and consistent priorities and more effective questioning techniques;

6.    Other lessons about how to approach assignments can also arise: 

a.    how to think about the scope and objectives of an assignment and the many choices that are possible,  

b.    how to question effectively in "high stakes" meetings (sometimes using a role-play) 

c.     how to see the underlying root causes of problems.

In conclusion, the evidence of this case study suggests we need to be more wary of assertions that internal auditors have an independent and objective frame of mind due to their training and experience. In practical terms, most of the time, internal audit methodologies, work programmes, and review processes can help to ensure assignments are objective, and stay "on track." However, without these safeguards, it is plain to see from the case study that internal auditors view the same information each "wearing a different set of glasses," meaning differences and biases are very present.

Furthermore, this IA mindset question has become of great interest to the CAEs and IA teams I work with because it imposes an additional burden on the IA team when you are relying on management reviews, QC and QA processes to maintain levels of insight and consistency between assignments. 

Instead, by working on auditor mindsets and decision-making processes, you can help IA teams get things done, more often consistently and “right first time,” which is increasingly valuable when lean and agile work methods are adopted. 

I would be delighted to get your comments/posts on LinkedIn. But if you want to learn more about the specifics of the case study or to explore using this with your team, please get in touch with me via: jcp@RiskAI.co.uk

 James C Paterson, Director, Risk & Assurance Insights, www.RiskAI.co.uk