I often wonder whether internal auditors have an element of psychopathy. I don’t mean that internal auditors are likely to murder their management colleagues and friends in their beds or that they are mentally ill. By this I wonder if being professionally trained to be objective and independent can make you almost emotionally detached from the world, and in particular the clients you work with. I can even review my own feelings and behaviours and objectively analyse them and consider the counter viewpoint. So does this mean I don’t empathise? No, not a bit of it, I think good internal audit demands it.
Many of the auditors I have worked with have been very passionate about their clients, about the moral and ethical basis and professional standards to which they work. For my own part I genuinely believe things should be ethical, done for the greater good and in a manner that is professional and appropriate. I have also been lucky to chose organisations that I work for, and have and would always, choose organisations that genuinely add value to society and the world. Is there then a moral component to internal audit – I think there must be, for we are required under auditing standards to have a view over what is ‘good’ governance. ‘Good’ is itself a moral judgement, for something to be good, there must equally be something ‘bad’.
So if auditors can be passionate, should they be compassionate? I have also in my career had the chance to work in, and lead, counter fraud and fraud investigation functions. In this role you get to see the other side of humans, society and organisational life. Sometimes it is depressing and upsetting to see individuals’ actions and the things they do; fraudulent behaviour never ceases to surprise. This, I admit, has made it more difficult for me to be compassionate – I am critical, but I hope not yet cynical.
Yet whether in an audit or fraud investigation capacity I do like to empathise with my clients. The head of department that perhaps struggles to deliver because of people, resource, policy and other pressures or the individual that does not check something once whilst under personal or professional pressure, or the leadership decision that proves to be wrong. Things go wrong. Humans make mistakes. Decisions and actions are taken at a point in time without full information. We cannot predict the future, we cannot get all things, objectively, ‘right’. That is the reason why I believe human and cultural controls make such a difference in the control environment; not low level preventative, systemic controls.
Fraud, mistakes, errors, problems, risks and issues; they all arise from humans and their behaviour. So it is important for an auditor to be both psychopathic (unemotional, detached, in many ways inhuman) yet also be ultimately understanding and human. For unless you understand people, you don’t really understand control and risk mitigation. For risks arise with humans and they are ultimately mitigated and controlled by them. Decisions that seem so incomprehensible and egregiously wrong are often made by people, not processes or governance meetings.
As much as computers, systematisation, segregation of duties, preventative approvals etc do make a difference to the control environment they are not, and cannot be, in my view, all of it. They are a necessary, but not sufficient, element of the control environment. So when you are next giving your closeout meeting preliminary findings results, or discussing a risk assessment with a client, remind yourself that they are human, that they will have a context within which they operate.
So do I recommend all heads of audit do a cultural audit? Yes, perhaps on a standalone basis, or perhaps as part of your testing and review during each assurance review. In my clients I have always majored on these ‘soft’ controls because they make such a difference. I love to sit within a department or visit an office, because you get a real sense of the control environment. Much like reality shows, if you sit there long enough, they participants will revert to their actual behaviours, not the ones put on for the visitor. That is when you learn the most. I think it is an audit thing, to be able to appear, in full view, to a client and yet not be noticed (or is it perhaps ignored?!).
So are auditors psychopathic? Yes, a little. Are they empathetic (yes, I hope so, a lot). Just remember when you work with another auditor, their greatest critic and analyser of behaviour will often be themselves. So yes we should use our judgement and objective psychopathic sides, but always temper and challenge it with our human empathetic side.
Do you get this balance right in your work?