Mind of Jacka: Use Your Head

The need for internal auditors to understand and apply critical thinking seems self-evident, especially with research showing the importance chief audit executives (CAEs) place on this skill. It’s also made an outstanding showing in The IIA’s annual Pulse of Internal Audit survey over the years. In 2018, 95% considered critical-thinking skills essential to their function’s ability to perform its responsibilities.

Unfortunately, while everyone agrees that critical thinking is important, they find it hard to define exactly what it is. If you ask 10 CAEs, you are likely to get 10 different answers. And at the core, those answers boil down to nothing more than internal auditors using their brains.

Fortunately, The Foundation for Critical Thinking provides a more practical definition: “The intellectually disciplined process of actively and skillfully conceptualizing, applying, analyzing, synthesizing, and/or evaluating information gathered from, or generated by, observation, experience, reflection, reasoning, or communication, as a guide to belief and action.”

Using this definition, the Foundation for Critical Thinking developed an outline for critical thinking based on eight elements, described in the book, The Thinker’s Guide to Analytic Thinking, by Linda Elder and Richard Paul. Following is a framework for internal auditors’ use of critical thinking based on these elements.

Thinking Critically 

Critical thinking requires understanding the purpose of the individual task toward determining the question to be answered. It also involves recognizing the various points of view brought to the task, as well as the assumptions, concepts, and theories upon which the work will be based. Information is gathered, leading to inferences or preliminary conclusions, which come together to provide final conclusions and consequences.

Thinking critically about the audit process means thinking critically about audit engagement tasks. This requires evaluating the tasks, such as interviews, functional tests, and risk assessments to better understand not only how they are completed, but also how critical thinking was used and how it can be used more effectively in the future. Some people consider critical thinking to be “thinking about how you think.” 

Understand the Purpose Identifying the objective of an audit engagement is fundamental. But the first step in critical thinking applies this concept to each activity conducted within the audit, providing guidance for the critical thinking that follows. The objective of an interview might be to learn the interviewee’s understanding of the process, the purpose of a test might be to ensure the organization is compliant with a specific regulation, and the goal of a meeting might be to confirm all parties understand the audit process. These objectives are often assumed, but critical thinking requires the auditor to be able to articulate them.

Determine the Question The point of critical thinking is to come to a conclusion regarding a question or problem. Therefore, to think critically, internal auditors need to determine, based on the previously defined purpose, what question the individual task (test, interview, process documentation, etc.) will answer. Does this person understand his or her role in the accounts payable process? Is there a more efficient way to ensure new hires are appropriately vetted? Does the data support the effectiveness of controls? The question can be specific or broad, based on the detail of the work being done and the individuals involved. But it should align with the task’s purpose, as well as the overall purpose of the engagement.

Understand Your Points of View Everyone approaches a situation with points of view, both positive and negative. Effective critical thinking requires understanding how they impact the ensuing analysis. Internal audit’s point of view might be that the department helps the organization achieve its objectives. However, because of internal audit’s focus on risks and controls, it also may approach engagements with a point of view that is skewed toward risk aversion or ignores missed opportunities as part of an assessment. For this reason, it is important to also consider other points of view and, as appropriate, include them in the analysis. 

Determine Assumptions Effective critical thinkers step back to determine the assumptions — beliefs we take for granted at subconscious or unconscious levels — being made to adjust for them. These can be positive (everyone in the organization is working toward success, or the client sees internal audit as a partner) or negative (the department being reviewed has never run well and will continue to run poorly, or no one in the organization sees the value of internal audit). Any of these could be true, but they should be evaluated to determine if they are accurate and what impact they will have on the analysis. 

Identify Concepts and Theories Concepts, theories, and principles help make sense of things. They are different than assumptions, which are ideas and beliefs brought to a project. Concepts and theories are the additional information and ideas that may be needed to conduct the analysis. Some of this information may already be known, such as control frameworks or standards for internal auditing. Others may require additional research, such as applicable laws and regulations or best practices in the industry. Ultimately, the internal auditor should confirm that, in every audit task, he or she understands the concepts and theories needed to answer the question being asked.

Gather Information At the core of critical thinking is information, which is the lifeblood of internal audit work. Without it — data, evidence, and facts — there is nothing on which to base inferences and conclusions. Information should be applicable to the purpose and the question being asked, and the points of view, assumptions, concepts, and theories can result in the need for additional information. Many audit processes — interviewing, testing, process analysis, etc. — also are methods for gathering information.

Recognize Inferences Analysis should begin when the audit engagement starts, with the auditor immediately drawing inferences and preliminary conclusions. This involves constructing hypotheses regarding what is occurring, then subjecting them to further analysis. For example, an initial interview may infer that a process is well-understood and controls are effective. Subsequent testing proves that controls are not working as designed and significant delays and errors are occurring. It is not that the initial inference was incorrect. Rather, the initial inference provided a base to identify the need for additional information. 

Provide Final Conclusions and Consequences This is the final step in the critical-thinking process. The testing, interviewing, reviewing, and analyzing lead to conclusions that answer the question and satisfy the purpose of the audit task. The conclusions also should provide direction on how to proceed — more testing, more interviews, additional data gathering, or completing the audit engagement. 

The Audit Process

The preceding descriptions show how every stage of an audit engagement can be evaluated with an eye toward using effective critical thinking. However, specific issues related to the elements of critical thinking should be considered within every audit task. 

Risk Assessment One cause of the Great Recession was the subprime mortgage crisis. Analysts believe the complicated nature of these securities resulted in few people understanding how they actually worked or the impact of the associated risks. The lesson is that sufficient information should be gathered in the risk assessment process to ensure the intricacies of the process, as well as the associated risks, are understood. If the auditor does not feel comfortable with his or her understanding of how things work and how they might go wrong, then the audit task should not proceed until more information is obtained.

The subprime mortgage crisis also points to another important part of critical thinking in the risk assessment process: One reason the crisis was allowed to escalate was that everyone was benefiting. And people seldom question success. When a process or product is succeeding, the unconscious assumption is that risks are well-controlled. This leads to the inference that risks are mitigated and no further reviews are needed. Stated this way, we can see the fallacy. But it only becomes obvious when viewed through the lens of the critical-thinking framework.

Interviewing A good interviewer confirms the answers given answer the questions asked and support the overall purpose of the interview. In addition, because people, even internal auditors, have personal agendas, the interviewer should safeguard that no assumptions about the validity of answers intrude on inferences being drawn. 

Inferences will be made during the interview regarding how new information may have changed the structure of the interview, the subsequent information gathering, the purpose of the interview, and, in rare cases, the purpose of the engagement. Navigational change can come from any task within the audit process.

Process Documentation As with interviewing, information gathered during process documentation may result in navigational changes. And it is important that the internal auditor not look only at what is presented. Taking off the blinders — watching what else is occurring — may result in inferences and preliminary conclusions that change the focus of the audit. For example, if the auditor is working in a warehouse and notices an unmarked van occasionally picking up a box or two, it may represent a significant issue requiring follow-up. Even something as simple as a large pile of papers on a desk may indicate an issue that needs to be addressed. 

Testing Entrepreneur and author Seth Godin notes, “Connecting the dots … is more essential than ever before. Why, then, do we spend so much time collecting dots instead? [A] big bag of dots isn’t worth nearly as much as [a] handful of insight.” The volume and accessibility of data has resulted in including as much data as possible in every test. Critical thinking requires understanding why specific data is needed — how it supports the purpose of the test, itself, and of the audit engagement. A 100% sample may not be required, no matter how easy it is to retrieve. Being awash in data can actually inhibit the critical-thinking process. Never gather data just because you can; gather data because it supports what you are trying to achieve.

Report Writing

Much of internal audit’s focus on critical thinking centers on report writing, when all the inferences and conclusions come together for presentation to the client. But everything that goes into the report — the data gathering, the process descriptions, the conclusions — should have occurred long before the report is drafted. If critical thinking is applied throughout the internal audit process, one of the biggest struggles in report writing can be eliminated.

The overall purpose of report writing needs to be understood and some additional questions need to be addressed, such as what is the purpose of the report, who is the report for, what does the reader care about, and what is internal audit trying to say? Answering these questions — reviewing the assumptions that are being made about reports — will give the internal auditor a better grasp of the content to include.

Thinking About How You Think

Thinking about how you think is the first step every internal auditor should take. A good exercise is to take a specific task — an upcoming interview, functional test, or walk-through — and work through the critical-thinking framework. This will help auditors see the good and bad habits they use in the thinking process and allow them to build on their strengths and work on their weaknesses. Continue this exercise and, eventually, an increased awareness of how critical thinking is used in all situations will develop. And it will make auditors, audit departments, and the profession better.