Following another spate of corporate governance and audit failures both locally and internationally, lack of professional scepticism is a phrase frequently quoted in the media. This article attempts to clarify the concept of professional scepticism and how auditors can practically apply this.
The media seems to use the blanket statement ‘lack of professional scepticism’ as the root cause for most audit failures. There are, however, many factors that can contribute to audit failures. The risk with this is that we diagnose something based on a root cause that isn’t deep enough and then come up with prescriptions that most probably won’t solve the underlying problem.
Professional scepticism is a multifaceted issue and the label of ‘lack of professional scepticism’ should be the beginning of inquiry and not the end.
Unpacking professional scepticism
Professional scepticism is a very complex area. This is not something that practitioners can read in a standard and apply.
In a presentation, Jeanette Franzel, a former member of the Public Company Accounting Oversight Board, described professional scepticism using the three As, namely attributes, attitude and action. This was depicted as follows:
These three elements are not unique to professional scepticism and can be found throughout the International Standards on Auditing (ISAs). In the context of professional scepticism, these can be interpreted and practically applied as explained below.
Attributes (‘professional knowledge and skill’)
This refers to the overall ability of the auditor, who must possess the knowledge, skills and other required competencies to perform their responsibilities. Relevant and regular training is therefore crucial.
The IIA’s Global Internal Audit Competency Framework,1 which is a tool that defines the competencies needed to meet the requirements of the International Professional Practices Framework (IPPF) for the success of the internal audit profession, contains a framework that outlines the ten core competencies recommended for each broad job level of internal audit staff, management and the chief audit executive. Each core competency is supported by a list of more detailed competencies that further define the core competency statement.
The ten competencies, which are all interdependent, are similar to what the external auditing standards call for, such as professional ethics and technical expertise but, from my experience, the three ‘personal skills’ (or soft skills) are the key to achieving on-going professional development by teams and individuals.
The three core competencies that make up personal skills are communication, persuasion and collaboration, and critical thinking. We therefore started including some of the sub-competency topics in our training courses and these are the sections we get the most positive response to from the attendees, as they can see how these skills will benefit them, both at work and at home, especially the lie detection / body language topic.
These key sub-competency sections are:
- ‘Interprets and uses body language to reinforce communication’ (communication)
- ‘Maintains curiosity and exercises professional scepticism’ and ‘Uses critical thinking to identify and propose tactics for business process improvement’ (critical thinking)
- ‘Manages conflict by negotiating and resolving disagreements’ and ‘Uses a range of strategies to build active consensus and support’ (persuasion)
In addition to the above, we suggest ‘observation skills’ training as many auditors ‘see, but do not observe’, to use Sherlock Holmes’ famous statement.
Think how much more effective auditors would be if they used body language to detect deception when interviewing clients, used critical thinking and observation skills to identify problems and then possessed good persuasion skills so they could convince their clients to do what is right.
Attitude (‘… an attitude that includes a questioning mind, being alert to conditions that may indicate possible misstatement due to fraud or error’)
Attitude relates to the integrity and good faith of the auditor who must be neutral, neither assuming honesty nor dishonesty on the part of the audit client but recognising the possibility of fraud and misrepresentation of critical facts.
In 2017, The Money Show’s Bruce Whitfield interviewed Independent Regulatory Board For Auditors CEO Bernard Agulhas. One of the questions was: ‘Does auditing need a revamp; do we need to rethink how audits are done?’ The answer was:
We believe that auditors need to spend more time asking questions of their clients, when they take on their clients, during the audit, after the audit, before they issue their audit opinion … Yes, auditors need to be more sceptical.
That’s the kind of change we’ll need, and it’s not just the change in standards … it’s a change in mindset of auditors, in their attitude towards an audit and the fact that they need to report on company’s financial statements in a way that restores the confidence, creates confidence, by the stakeholders and investors.2
Action (‘… and a critical assessment of audit evidence’)
The action element refers to the importance of executing a robust risk assessment, planning the engagement based on the discovered risks, ensuring strong engagement supervision, and the diligent gathering and evaluation of audit evidence, both internal and external.
Applying professional scepticism: a continuum
Because of the lack of clear application guidance in relation to professional scepticism, Steve Glover and Doug Prawitt, professors at Brigham Young University, published a paper ‘Enhancing auditor professional skepticism: the professional skepticism continuum’3 in which they focus on a more comprehensive view of professional scepticism to fill in the void of practical application guidance.
In the paper, they look at professional scepticism as a continuum related to the risk of material misstatement and other factors.
The application of audit procedures and documentation after an appropriate initial risk assessment across a scepticism continuum is illustrated in the paper as follows:
It must be noted that while the illustration includes a complete behavioural range from complete trust to complete doubt, the image highlights that the application of professional scepticism does not include the area denoted as complete trust.
The use of the scepticism continuum makes clear that the appropriate level of scepticism varies depending on the situation. While the image illustrates different levels of professional scepticism, the continuum represents a gradation of more or less doubt within and across the categories and not necessarily completely different mindsets at distinct stages of the continuum.
Some of the factors leading to a neutral or more doubting attitude, and thus the need for more or less audit evidence, are listed at the bottom of the image. These factors are primarily based on risk and susceptibility of material misstatement and on indications provided by audit evidence.
Auditors applying a questioning mind
Some people say that society cannot afford a fraud examiner on every audit – yet it seems that society can afford an army of forensic accountants to investigate financial statement frauds once they have occurred. Surely prevention is better and more cost-effective than cure?
I don’t know if we’ll ever see fraud examiners on audits proactively looking for fraud. It is therefore crucial for auditors to apply the appropriate level of professional scepticism and actively look for red flags of fraud and be proactive in responding appropriately to any alarm bells identified. An appropriate response may well be engaging with a fraud examiner on these suspicions.
Glover and Prawitt ended their paper by stating: ‘We suggest that the consistent application of an appropriate level of professional skepticism could be enhanced if audit firms, standard setters, regulators, and inspectors were to explicitly integrate a scepticism continuum conceptually similar to the one illustrated above, in policies and standards, and then work to provide relevant practical implementation guidance.’
Proper care is always required and neither time, cost constraints, nor familiarity with the client, should reduce the degree of scepticism applied. As the US Securities Exchange Commission (SEC) stated at the Phar-mor trial: ‘At the end of the day the auditors have no room to compromise − they have a responsibility to dig deeper, to be skeptical, to ask questions and to impose a discipline on management and on the financial reporting process that might otherwise not be there.’4
The focus is on auditors as they are the ‘watchdogs’, but professional scepticism should also be applied by management, the board and others within organisations, as fighting fraud should be seen as a shared responsibility.
Many criminals collude when committing fraud, as collusion allows for a greater success rate in terms of amounts stolen and length of time to detection. It is therefore important that honest role-players also work together to prevent and detect fraud. Professional scepticism is a key element in achieving this success.
1 The IIA Global Internal Audit Competency Framework, https://na.theiia.org/about-us/Public%20Documents/The-IIA-Global-Internal-Audit-Competency-Framework.pdf.
2 ‘Auditors are watchdogs, not bloodhounds’ – 702’s the Money Show interview with the IRBA’s CEO Bernard Agulhas, 11 September 2017, http://www.702.co.za/articles/272101/auditors-are-watchdogs-not-bloodhounds.
3 Steve Glover and Doug Prawitt, Enhancing auditor professional skepticism: the professional skepticism continuum, Current Issues in Auditing, 8(2), 2014:1−10, https://www.iaasb.org/system/files/meetings/files/20150615-iaasb-agenda_item_10-b-gloverprawitt_enhancing_auditor_professional_skepticism-final.pdf.
4 The Phar-Mor fraud case was featured in an episode of the PBS show Frontline titled ‘How to steal $500 million’.
AUTHOR | Mario Fazekas, CFE (Certified Fraud Examiner), Director at Exactech Forensics