Risk assessment is an activity that internal auditors frequently engage in, whether seeking the most effective deployment of scarce resources to audit engagements or identifying the specific risks applicable to the organization relative to engagements. How individual organizations go about risk assessments is left to the discretion of their internal audit leaders. The mechanics of this exercise are as diverse as the internal audit functions executing them, but there is one constant. Cognitive bias is a phenomenon every auditor is susceptible to, regardless of how risk assessments are conducted.
Internal auditors cherish their objectivity when carrying out their professional duties and do not intentionally let personal beliefs and experiences influence their judgments in a biased way. However, cognitive bias is a different animal that may lead even the most guarded internal auditors to the wrong conclusions.
What Is Cognitive Bias?
Cognitive bias is a shortcut the brain uses to make decisions more efficiently. The problem is this mental shortcut tends to rely on incomplete or convenient information in the interest of time but at the expense of accuracy. To make matters worse, people generally are not aware of their cognitive biases until someone brings them to their attention.
By its very nature, risk assessment for internal audit planning is a subjective exercise that depends on many judgments. It already is susceptible to inaccurate presumptions. When cognitive bias enters the equation, that process can become even more imprecise, putting risk assessment outcomes at risk. Internal audit leaders can minimize the influence of cognitive biases through awareness and exercising a few best practices.
Many Types of Bias
The first step in addressing any problem is recognition. A quick internet search reveals numerous cognitive biases. Although there is no definitive list of cognitive biases, more than 100 have been identified by various scholars and psychologists.
Regardless of the number, some biases are more relevant to risk assessment than others. Internal auditors should become familiar with some of the biases most likely to negatively influence risk assessment outcomes.
Recency Bias: The phenomenon of a person most easily remembering something that happened recently, compared with something that occurred a while back. For example, a major supply chain failure that victimized a competitor within the past month may catapult supply chain risks to the top of the risk assessment list. This may occur despite no other change in risk conditions or any consideration of the circumstances around the competitor's situation.
Decline Bias: Favoring the past over "how things are going." An example is disproportionately weighting risk associated with pandemic concerns despite evidence that suggests successful mitigation from vaccinations and other risk responses.
Forer Effect: This bias is commonly observed in personality tests, but it also relates to how people intuitively fill gaps in their understanding with something that makes sense to them. This is a dangerous bias for internal auditors when assessing risk in areas that are new or where they have limited knowledge. An example is assuming cybersecurity threats are inconsequential because the business does not process credit card payments or store the personally identifiable information of individuals, when the auditors do not fully understand other types of threats such as ransomware.
Personal Validation Effect: The tendency for people to consider something accurate if it has personal meaning to them. For example, the auditor accepts as true a negative assertion, made by an interviewee, about an audit client who has been difficult to deal with in the past.
In-group Bias: Unfairly favoring someone from one's own group. This bias can be relevant when assessing risk in an area led by a former internal audit colleague.
Halo Effect: The tendency for positive impressions to influence a person's judgment. An example is giving more weight to how a person makes the auditor feel during a risk assessment exercise than to what the evidence may suggest. This bias can occur when someone is well-spoken, friendly, and appears to have more expertise in an area than the auditor.
Dunning-Kruger Effect: Having a low level of knowledge in a particular subject and mistakenly assessing one's knowledge or ability as greater than it is. Like the Forer Effect, this is the classic case of overconfidence in one's own intellect.
A good practice to enhance awareness of these and other cognitive biases is for internal audit teams to study them together as a learning activity. For example, have each member of the team identify a cognitive bias and facilitate a discussion among the group as a lunch-and-learn activity each month.
Identify Potential Bias
Risk assessment methods and processes should be hardened to identify and mitigate potential cognitive bias influence. Here are some guardrails that can help internal auditors ensure risk assessment decisions remain as objective as possible:
- Stress testing. Identify common cognitive biases auditors may be susceptible to and have a third party facilitate discussions about whether risk assessment outcomes have been influenced by these biases.
- Don't make decisions in a vacuum. Leverage multiple data points and evidence sources. Also, incorporate the efforts of others in risk assessment processes, but be aware of biases that may present themselves in group settings.
- Leverage objective data sources. Because cognitive biases by definition tend to ignore or overlook empirical data, the natural hedge against this risk is for auditors to incorporate data elements to validate risk assessment outcomes, when possible.
- Use strategic plans and objectives as a north star. Audit plans should reflect the strategic intent and business objectives of the organization. If risk assessment outcomes do not appear aligned with strategies and objectives, internal auditors should question whether cognitive bias influence exists.
Facilitate Objective Decisions
Regarding risk assessment methods, internal audit must structure its process to address bias in decision-making. Many internal audit functions use common measures such as impact and likelihood to help rate individual audit areas during the risk assessment process. They often use rating scales to assign a value to impact and likelihood so a numeric score can be calculated for ranking purposes.
To the extent possible, rating scales with quantitative guidelines can help ensure rating outcomes have a basis in determinable values rather than purely subjective intuition. Additionally, the use of formulas such as the Fibonacci sequence can help spread numerical results so that calculated risk scores are less likely to cluster within a very small range. For example, on a 1 to 5 rating scale, risk score values tend to cluster in tight bands around the value 3.
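As an added illustration that is not part of the original article, the following Python sketch scores a constructed set of audit areas on impact and likelihood with a plain 1 to 5 scale and with a Fibonacci-mapped scale, and reports how far the resulting scores spread; the area names, ratings and spread measures are all invented for the example.

```python
# Added example: impact x likelihood scoring with a linear vs. a Fibonacci-mapped
# rating scale. Audit areas and ratings below are constructed, not from the article.

def linear_scale(levels):
    """Rating 1..levels maps to itself (the plain 1 to 5 scale)."""
    return {level: level for level in range(1, levels + 1)}

def fibonacci_scale(levels):
    """Rating 1..levels maps to consecutive Fibonacci numbers 1, 2, 3, 5, 8, ..."""
    scale, a, b = {}, 1, 2
    for level in range(1, levels + 1):
        scale[level] = a
        a, b = b, a + b
    return scale

def risk_score(impact, likelihood, scale):
    """Ranking score: mapped impact times mapped likelihood."""
    return scale[impact] * scale[likelihood]

def rank_areas(areas, scale):
    """(area, score) pairs, highest score first; ties keep input order."""
    scored = [(name, risk_score(imp, lik, scale)) for name, imp, lik in areas]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

def score_spread(areas, scale):
    """How spread out the scores are: overall span, gap between the top two,
    and the number of distinct values (fewer distinct values means more ties)."""
    scores = [score for _, score in rank_areas(areas, scale)]
    return {
        "span": max(scores) - min(scores),
        "top_gap": scores[0] - scores[1],
        "distinct": len(set(scores)),
    }

# Constructed audit universe: (area, impact, likelihood); ratings cluster around 3.
AUDIT_AREAS = [
    ("Privileged access", 4, 4),
    ("Ransomware readiness", 4, 3),
    ("Supply chain", 3, 4),
    ("Payroll", 3, 3),
    ("Travel expenses", 2, 4),
    ("Vendor onboarding", 4, 2),
    ("Physical security", 2, 3),
    ("Tax compliance", 3, 2),
]

if __name__ == "__main__":
    for label, scale in (("linear", linear_scale(5)), ("fibonacci", fibonacci_scale(5))):
        print(label, score_spread(AUDIT_AREAS, scale), rank_areas(AUDIT_AREAS, scale)[:3])
```

Note that the Fibonacci mapping also reorders some areas (a 2/4 pair now outranks a 3/3 pair), so the choice of scale is itself a judgment worth documenting rather than a neutral spreading step.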
Judgment Is Still Important
Cognitive bias is a condition internal auditors should be aware of and mitigate so its influence on risk assessment outcomes is minimized, but they shouldn't overthink it. Judgment will always be a factor in risk assessment outcomes, and auditors' professional judgments have value. Sometimes the auditor's gut and instinct are valid, and practitioners should leverage their experiences when appropriate.