​​​What I Saw at the International Conference - Part 3 - Trust But Verify

Comments Views

I know there are many of you who, after reading my blog yesterday about my missing notebook, share in the sadness of my loss. But there are others who feel this is the opportunity for laughter at my expense. You know who you are and your lack of sympathy says much about your character. As an example, someone came up to me today and asked if I had found my notebook. Choking back the tears, I told her I had not. She then said, "What would you say if I told you I might or might not have your notebook?"

 My heart leapt within my chest. Oh frabjous day! Calloh! Callay. She then drove a chill through my newly dancing heart. "What is it worth to you?" How cruel – holding my thoughts and dear possessions for ransom. But I had only begun to get a glimmer of the cruelness that lay within.

 I begged. I pleaded. And then she finally offered that, no, she did not have the notebook. "I said I might or might not have it."

 That was one cruel woman.

 But I heard what I wanted to hear. In spite of the actual words used, I heard that she did, indeed, have my precious notebook. And an analysis of the actual words being spoken would show that such a conclusion was all kinds of wrong. 

 And it all points to that old bugaboo – critical thinking. (Or maybe better yet, critical listening.)

 Any auditor who has been around for any length of time believes he or she understands the basics – the tools of the trade that are at the core of being a successful auditor. Accordingly, we think we listen objectively and attentively. And I would put forward the hypothesis that it is not always the case – that far too often we come in with our preconceived notions and understandings and then hear what we want to hear.

 What really drove this home was listening to a presentation by Nejolla Korris on social engineering. One of the keys she presented was that people inherently want to trust – they want to believe what they are told. For the general public, this is exemplified by the none-too-subtle ways people are absorbed into internet, email, and social media scams.

 And auditors fall into that trap just as readily as others. (It was interesting watching the faces of the people in that presentation where you could clearly see two thoughts cross their minds: 1) It is amazing what is happening out there and 2) Have I even thought about such security for myself?)

 But there is probably a bigger trap out there; putting too much faith in the people we are auditing. I am one of the worst about this.  I learned very quickly that, when I was doing fraud investigations, I would believe anything anyone would tell me. "I didn't steal the money." "My dog ate the receipts." "Aliens took over my body and I have no idea what happened to the documents." And, while I was talking to them, I would believe anything. (After all, part of our audit area was Roswell, New Mexico.)

 And I quickly (with the help of those who were training me) learned the lesson "go ahead and believe anyone, but only trust the documents." So, after every conversation, I would then have to go back to the documents and see how much of what I currently "believed" actually matched what had happened.

 And then I would have to go back and say "Okay, let's try this again...This time with more truthiness."

 And so, with a history of inability to believe that someone would lie to my face, I was convinced my notebook had been found. And my trust led to fallen hopes. But, in spite of an utter and complete faith I put in that person, I did hold out for the documentation (in this case to actually see the object.) Not that I really believe she would hold it for ransom. But then, one never knows.

 And, with all that being said, I would not change my approach in dealing with people, and I would argue that the best information comes from such faith. If you talk to people with the voice of suspicion, they will be similarly suspicious. And from that arises a dam which plugs your ability to learn anything of real value.​​

​The opinions expressed by Internal Auditor's bloggers may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers' employers or the editors of Internal Auditor. The magazine is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this article

comments powered by Disqus
  • IIA Quality_July 2020_Blog 1
  • IIA Online Testing_July 2020_Blog 2
  • IIA Training_July 2020_Blog 3