Avoiding Bias in Your Internal Audit Program

Auditors of all stripes—internal and external—have long faced a bit of a catch 22: bring to light problems that cast management in a bad light and risk retaliation, or look the other way and suffer a loss of integrity and jeopardize the organization. Good auditors, of course, generally go the first route without consequences, but it doesn’t always work out that way.

Research, for example, has shown that the market for audit services penalizes auditors for disclosing information critical of management in their audit opinions. This disturbing finding undermines the value of direct-to-investor auditor communications.

In the research paper, Don’t Make Me Look Bad: How the Audit Market Penalizes Auditors for Doing Their Job, authors Stephen Rowe and Elizabeth Cowle of the University of Arkansas found that potential clients perceive auditors as less attractive in the marketplace when they report internal control material weaknesses. This, in turn, can lead to a loss of business and subsequent financial hardship for the audit firm, placing the auditors in the precarious position of balancing their duties against the security of their jobs. The negative perception, “disincentivizes auditors from disclosing internal-control information that could make their clients look bad,” the report’s authors write. It also opens the door for auditing bias.

While the study was done in the context of third-party or for-hire audit firms, internal auditors should nevertheless take note of the findings because the results speak to the challenge of remaining independent and objective when the auditee is also the one paying for the audit services.

Pulling Punches
For more than 12 years, Mauro Botta had worked in the audit department for PricewaterhouseCoopers with a focus on auditing technology companies in Silicon Valley. By November 2016, however, the senior manager decided he could no longer remain silent in the face of increasing evidence of wrongdoing against his employer.

So he became a whistleblower.

In his statement to the Security and Exchange Commission about PwC’s actions, Botta said that, “To keep corporate managers happy and to avoid losing their business, PwC was pulling its punches—trying not to flag too many problems with companies’ internal controls,” according to a 2018 article in POGO, a website created by watchdog group, The Project on Government Oversight.

In April, 2017, the SEC alerted PwC that it was opening an investigation related to a pair of audits conducted in 2013 and 2014. Botta was removed from the audit at the request of the chief financial officer of the company PwC was auditing, before Managing Partner of the Assurance Practice, Mark Simon, terminated Botta’s at-will employment. Simon stated that he wasn’t aware of the SEC complaint at the time of Botta’s firing. Botta filed a 2018 lawsuit in 2018, alleging that, “PwC fired him in retaliation for standing up to ‘fraudulent,’ ‘deceptive,’ and ‘negligent’ practices at the accounting firm and for reporting that conduct to the SEC,” the POGO article states. The case is still pending.

The Rowe and Cowle study suggests that PwC is not an isolated incident in the audit profession. Comprising 13 years of data from 885 local offices and 358 U.S. firms, their findings show that “companies reporting material weaknesses in internal controls over financial reporting for one or more clients in the course of a year saw their average fee total in the following year grow by about 8 percent less than would have been the case had they issued none,” according to an article on the study by Michael Cohn in Accounting Today.

Internal Audit Perspective
The Botta case and the Rowe and Cowle research offers good reason for internal auditors to take a step back and consider how bias could exist in their own environments and the importance of removing even the perception of it. According to Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA), it is a matter of protecting credibility. “Credibility emanates from objectivity [and] nothing is more critical to our reputation as internal audit professionals than credibility,” he wrote in a 2015 blog post. “Credibility cannot waver. Without it, the reputation of the entire internal audit function can be tarnished and even the best insight and recommendations may be ignored. And, once credibility is lost, it can be exceedingly difficult for an internal auditor to recover.”

In the typical internal audit department, it’s hopefully rare than an auditor would purposefully turn a blind eye toward material weaknesses. There are, however, other, more subtle, ways that bias can creep into the audit process. Some of those include:

• Consistently performing the same procedures, year after year, on areas known to be functioning well. Focusing on the same areas without changing tactics can result in a false sense of security and material weaknesses can be missed.
• Allowing the same auditors to audit the same functions each year. While this can be good for the auditor in terms of building understanding and expertise, auditing the same processes and areas too many times can potentially lead to the erosion of professional skepticism over time.
• Becoming overly involved in business processes. There is an ongoing shift in the internal audit industry toward being more integrated in business processes and providing advisory-type services that senior executives seek from internal audit. The idea is often that by getting involved in projects higher upstream, internal audit can advise management on internal controls and risks when they can be proactively addressed, instead of after the fact. This may, however, increase the risk of auditors becoming too integrated and involved in management-type roles, including implementing and designing controls, while sacrificing some of their independence and objectivity.

There are a number of ways internal audit departments can discourage auditor bias or the perception of auditor bias. One of the most important ways is through reporting lines. According to a 2011 position paper by the IIA, “Internal auditors are independent when they render impartial and unbiased judgment in the conduct of their engagement. To ensure this independence, best practices suggest the Chief Audit Executive should report directly to the audit committee or its equivalent.”

In addition to organizational independence, the audit charter should also be structured to establish the internal auditor’s role and responsibility to provide fair, unbiased information to the company’s leadership to serve as the basis of good decision making.

In addition to having proper reporting lines and a robust internal audit charter, the internal audit department should ensure the following:

• Auditors should promote and follow an attitude that reflects impartiality, while ensuring they avoid potential or real conflicts of interest.
• All findings should be reviewed prior to being released. This provides at least a reasonable assurance of objective performance.
• Under no circumstances should internal auditors accept operational responsibilities. Doing so could damage their objectivity on audit findings, since they would be reviewing activities over which they had authority or accountability within a timeframe significant enough to possibly influence their judgement.
• Internal auditor staff assignments should be rotated on a consistent basis.
• Decisions on what areas to audit or not to audit should be supported by a sound risk-assessment approach.
• Internal auditors should understand and adhere to the code of ethics for their company and their professional organization.

One root cause of auditor bias is the underlying belief that audit findings and recommendations are antithetical to business success, as the cliché “a clean audit” suggests. That’s why it is critical for business management to understand that internal audit does not define success in terms of the issues it discovers. In other words, a good audit doesn’t depend on “finding stuff,” but rather from providing useful information regarding controls and risks that help the business achieve its objectives.

Internal auditors should be proactive and repetitive in communicating that the entire company succeeds when internal audit is allowed to perform its duties with independence and objectivity. The more successful internal auditors are at communicating this, the less likely they will be faced with a choice between rendering an objective opinion and pleasing their clients. 

Kevin M. Alvero, CISA,CFE, is senior vice president of internal audit at Nielsen.