The impact of confirmation bias on internal audit

What It Is

Wikipedia defines confirmation bias as:

“”a tendency of people to favor information that confirms their beliefs or hypotheses.”

As an internal auditor, confirmation bias is a risk. We may be too focused on proving our positions or our hypotheses we miss key information which may disprove our position.

How It Influences Us

Imagine this scenario:

In the preparation phase of an audit on a process, you interview a collaborator who will be leaving the organization after many years of service. Although he will no longer be present when you conduct your audit, you want to make sure you capture as much information from him as you can. And you do. You tailor your work program to ensure your testing program covers as many of the issues he mentions.

This is a problem. Rather than analyzing a process and using the information from an interview as an additional source of information, you let the interviewee determine your audit approach.

What Drives Confirmation Bias?

There are many reasons this bias may occur. For internal auditors, I believe there is a strong tendency to start diving deep into findings and confirming them as best as possible. The real risk is ignoring alternative explanations for an issue occurring and ignoring data that may disprove a finding or the reason for a finding.

How to Avoid Confirmation Bias?

As internal auditors, we have some tools that allow us to deal with this confirmation bias. First, there is the work program. A work program needs to be developed in order to detail, prior to testing activities, the way in which testing should occur. A work program by itself will not make the difference if it is developed by one person.

Hence a second, highly relevant layer of defence: the peer review. It is essential that any work program is reviewed by a collaborator who is not afraid to be critical of your efforts of making an as objective as possible work program. This is one of the reasons why audit managers review work programs developed by audit seniors.

Thirdly, and as important as both points above, whenever you review your draft audit reports, be aware that there is a significant risk of confirmation bias occuring in your reporting as well. Review your findings, the data on which those findings are based and ensure that the data cannot be interpreted but in the way you’ve interpreted it.

An Illustration From My Early Career

As a young auditor, I made many mistakes. And falling for the confirmation bias was one of them. I remember an audit a long time ago, where we were to check the activities of a subsidiary of a large Belgian conglomerate. We interviewed a number of blue collar workers, who weren’t too kind about their employers. They told us about lack of maintenance and showed us maintenance logs which indeed proved that that specific year (we were there end of year) had not been done.

We had a finding, which we developed specific tests for to confirm that finding. Which is where we went wrong. Our tests did confirm that the information available to the machine operators pointed towards late maintenance. We failed to take it up a higher level.

Had we done so, we would have learned that the reason those machines had not yet been maintained is that some of them were slated to be replaced, while others were to be moved to another production facility. Neither fact was known to the blue collar workers, who just felt that that specific year, they needed to work more.

I learned a lot from that audit.

What Can We Learn?

While pressure on audit teams to deliver results as fast as possible is mounting, and rightfully so, it should never refrain us from making sure we have taken that one extra step to not fall for typical errors in internal auditing.

And while work programs are there to ensure we have done the work we are supposed to be doing, it makes sense to critically question that approach prescribed in those audit programs as well. A simple critical peer review of the audit approach may alieviate much of the future suffering from badly executed audits.

That is why I firmly believe that an audit team, while necessarily critical for its auditees, should first and foremost remain critical to itself. We are guardians, but we need to guard our auditees against errors we can make as well.