Significance of Skepticism in Internal Audit
The International Professional Practices Framework (IPPF) includes the Mission Statement, which in turn indicates the role of the internal audit in “enhancing and protecting the corporate value by means of providing assurance, advice and skepticism while taking risks into consideration”.
The risk-based skepticism depends on an important principle entitled the Professional Skepticism.
Definition of the Professional Skepticism
According to the International Standards on Auditing (ISA), “Professional Skepticism is an attitude that includes a questioning mind and a critical assessment of audit evidence, and requires ongoing inquiry whether or not the obtained audit information and evidences purport that there are critical observations arising from fraud.” In other terms, it means that the auditor should undertake a professional assessment, with a skeptical mind, of efficiency and suitability of the evidences obtained throughout the term of the audit task. Indeed, the concept of the “Professional Skepticism” enhances the concept of the “Professional Due Diligence” set forth in the International Standards on Auditing (ISA).
Professional Skepticism is necessary for the skeptical assessment of evidences. It includes the skeptical and in-depth scrutinizing of the contradicting and inconsistent evidences, the credibility of documents and the responses to their inquiries. It includes also the consideration of efficiency and appropriateness of evidences obtained in light of the common conditions. As such, the Professional Skepticism explores certain ways through which internal auditors can be more skeptical.
Relationship between the Professional Skepticism and the International Standards
Professional Skepticism is one of the main requirements for conducting audit works. Many international standards have covered it, including for example:
- The International Standard on Auditing (ISA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing) emphasized the necessity of planning for and conducting the audit on the basis of the Professional Skepticism throughout the entire phases of the audit process, which include the following:
- The phase of assessing engagement acceptance;
- The phase of performing risk assessment procedures;
- The phase of obtaining the audit evidence; and
- The phase of evaluating the audit related evidences and work papers.
- The International Standard (IASE3000) regarding the tasks related to the non-financial information, issued by The International Federation of Accountants (IFAC). It is applied to the audit of the internal control, sustainability and compliance with the laws and regulations. The Professional Skepticism requires the auditor to be alert to the following:
- The audit evidences in contradiction with other obtained evidences.
- The information that leads to inquiring about the authenticity of documents and the procedures of response to inquiries, which will be used as audit evidence.
- The cases that could indicate a potential fraud.
Elements of the Professional Skepticism
The Professional Skepticism comprises three main elements as depicted below:
- The attributes: the qualifications of the auditor, i.e., knowledge, skills, and capabilities.
- The actions: the tools and methodologies adopted by the auditor to undertake the Professional Skepticism; including risk assessment methodology, quality of audit evidences, methodology of analyses and evaluation of information and document, etc.
- The mindset: the auditor’s psychological features which require neutralism, credibility, and independency in the course on undertaking the Professional Skepticism.
Application of the Professional Skepticism
The below exhibit depicts the application levels of the Professional Skepticism and its influence on the quality of audit evidences:
How can the internal auditor be more skeptical?
To be an efficient and skeptical internal auditor is not a coincidence. The internal auditor should consider certain features and habits that should be demonstrated by the internal auditors, and consider also anything that could help him attain success.
Furthermore, the internal auditor should consider the application of all or some of the following suggestions:
Develop your knowledge of the business entity and sector where you operateGet to know more people from inside and outside the business entity
The internal auditor should begin with the issues that are most required by the management, and define the positive issues. Audit reports should indicate the successes and the things that go smoothly so that such things can be recognized and recommended to other divisions within the business entity.
They should get better understanding of the risks faced by the executive managers through the internal networks and regular meetings. This should be done in an informal way, especially in terms of the fields and topics that are indicated regularly in the internal audit plan. They should also consider the other formal opportunities like attending the meeting of work teams and training activities, and taking part in change programs. They should work in cooperation with the other assurance parties or seek support or advice from experts from within the business entity.
Be familiar with the new developments in the audit field
The should be aware of the new developments in the audit field not only through the International Professional Practices Framework (IPPF), but also through the guidelines, practical guidance, learning activities, seminars and conferences. The internal auditor should join an audit team that is responsible for certain sector, and keep in touch with other auditors working in the sector. Given the increasingly limited resources, the internal auditor should think in a more critical way of how to get the best results from the assessment process and the continuous professional development with a view to bridge their own gaps in terms of knowledge and development of specialized skills.
Identify a senior manager who is willing to be a mentor and sponsor
The mentor is a person who provides ongoing support, is willing to face the challenges and with whom the internal auditor can share the problems and ideas. It is preferable that such person should have experience in training and guidance, and it is not necessary to be a senior auditor or to be in regular contact with a senior manager. It is preferable to be a person that does not work with the auditor or being audited by them.
Look at situations from a different point of view
The internal auditor should look at situations from a different point of view. They should put themselves in the place of the customer, vendor or regulatory body, think of the expected way of performing the procedures as well as the types of behaviors they are expected to come across. Does the business entity abide by and respect their values?
Find parallel sources
The internal auditor should find a link between what they see and hear during the audit process and compare the same with similar situations. For example, the internal auditor should consider the pros and cons of the methodology followed by the business entity in dealing with the customer complaints, and compare the same with the other business entities they have dealt with (Benchmarking). Professional Skepticism can be obtained from other more irrelevant parallel sources.
Ask more questions
This attitude will help develop a comprehensive understanding of the way and reasons of performing tasks in a certain way. The internal auditor should ask easy and simple (content-free) questions to encourage the individuals to express their view in general and not to compel them to accept his own views. It is very important to literally listen to other individuals. Noteworthy is that the word Audit is derived from the Latin word that means “a person who eavesdrop”.
For the purpose of in-depth survey and research on specific issues, the internal auditor should apply a simple way that he feels satisfied with and that fulfills the requirement. The internal auditor should consider using the method of six useful questions; i.e., what, why, when, how, where and who, or the method of five questions beginning with the word “why” that will assist him in identifying the causes and effects, some of which will be linked to the attitudes and behaviors that form the common culture of that field.
Do not consider things as intuitive or taken for granted
The discussion of the way procedures are performed, and speaking about the risks and problems that face individuals are a good way to get a variety of opinions, but do not accept everything without scrutinization. The internal auditor should concentrate the audit testing to establish an evidence on what happens in reality and in particular with regard to managing the key risks or in case of divergence of views on what is happening and why. Evidences and results of interviews and discussion should be documented to support the recommendations of the audit.
Identify the attitudes and relationships
The internal auditor should use audit software and reporting tools that enable them to undertake the statistical analysis in order to detect the problems that individuals may not be aware of.
This is usually used to identify the gaps or recurrence in records. However, the current availability of huge data and powerful analytics tools provide the ability to explore data and evaluate the results from different points of view to develop new relationships, patterns and links. This area is very technical, but the emergence of huge data enables the internal auditors to develop certain skills and/or work in cooperation with information technology experts to attain the level of skepticism.
Change the way of reporting the message
The internal auditor should critically examine the internal audit reports to ensure that the structure of reports and the used language help convey the message and key opinions.
Are the reports concise, clear and focused on topic? The internal auditor should think of what the readers of the internal audit reports want to know or be familiar with, and what they should do to mitigate the risks.