Michael’s Critique of Pragmatical Reason VI: Risk exaggeration – a cognitive bias case study
Bribery and corruption are bad. Sectors dealing closely with the government have a propensity for bribery of public officials. Companies in these sectors particularly should implement sound Anti-Bribery Due Diligence (ABDD) policies and procedures.
In countries with a low score in Transparency International’s Corruption Perception Index (CPI) , the risk of bribery and corruption is elevated and having effective Anti-Bribery Due Diligence in place is even more important. Of course, the effectiveness of the ABDD is subject to assurance, be it control self-assessments or internal/external reviews and audits.
So far, I guess all will agree with me.
Recently I wrote a blogpost  about how the judgment of assurance professionals (be it internal auditors or control reviewers from the so-called “second line of defense”) is subject to cognitive biases , which make it difficult for them to develop an objective assessment of their observations and may lead to exaggerated risk assessments and biased, overly critical engagement reports.
Shortly after writing that piece, I learned about a prime example of cognitive biases in an internal audit context. I want to share the essence of the case here.
In an internal audit at a subsidiary company A of a multinational (mother company M) in medium-high bribery risk country T, the auditors encountered the following situation:
- When testing the effectiveness of controls over anti-bribery, an arbitrary sample of two recently conducted anti-bribery due diligences was selected.
- In one of the two due diligences, a “red flag” (a condition signifying elevated bribery risk) had been identified. Still, company A’s management had decided to engage the vendor. Because of the red flag, additional approvals had been obtained and monitoring measures for high risk third parties had been defined as per global procedure of mother company M.
Some background information on the environment:
- The CPI of Country T has been steadily decreasing over the last 3-4 years. Country T is also internationally criticized for a decrease in the rule of law and increasing autocratic tendencies of the government.
- Company M’s subsidiary in a close proximity, culturally similar country has recently received global media attention due to allegations of bribing government officials. Hence Company M’s corporate internal audit department has recently started to focus closely on anti bribery due diligence in their audits.
Additional background information on the decision was discussed with company A management;
- The company has worked with the vendor for the past years without any incidents and problems; the vendor is one of only three or four in the country matching the requirements; all other major competitors in the sector work with this vendor.
- The scrutinized third party due diligence had been identified as deficient during Company A’s control self-assessment in the year before: It had been noted that the red flag had not been properly included in the last due diligence. As a result, local management had recently renewed the due diligence.
- The red flag is a government bribery incident more than 10 years ago, in which the vendor had been allegedly involved – although there is not a final verdict finding the vendor guilty.
- For the approval of the renewed anti bribery due diligence, company A management had obtained current court records regarding the alleged bribery case from 10 years ago and concluded that business with the vendor could be continued.
The internal auditors included the following observation into their report: Although the red flag was identified and documented in the due diligence, they criticized that just two additional approvals, from Legal and Compliance, had been obtained on the due diligence form to authorize the vendor engagement.
The auditors concluded:
- The issue was a documentation deficiency: The management decision to engage the third party was not adequately documented. It would have been better to document an explicit justification for the risk acceptance in light of the red flag to justify the decision of Legal and Compliance to sign the due diligence form.
- The issue was rated as a “high risk” observation with a “potentially significant impact” on company financial profit and reputation.
- As a remediation action, it was recommended to include a detailed justification for the third party engagement in view of the identified red flags in the anti bribery documentation.
The risk scenario that could happen and cause damage to financials and/or reputation of the company was not characterized in more detail. The auditor mentioned in a discussion that she regarded it as a risk if the reasons for the management decision were not centrally documented because they could be unavailable when needed, e.g. in case of an internal audit, because all responsible persons could have left the company.
Beware of biases!
What do you think of this judgment and the reported observation?
In my view, the conclusion in the report is wrong, the risk assessment is incomplete and biased and the recommendation is ineffective to address the “identified” risk.
- The risk for the company could not be assessed as “high” without further information on base-rates of bribery incidents in the country, sector, similar vendors etc. If the auditors saw a risk in the fact that the third party has been engaged then they needed to challenge the management decision itself, not the sufficiency of its supporting documentation.
- The recommendation to improve the documentation of the decision does not change the bribery risk in the scenario. It is ineffective. Management’s decision would have been the same because it is based on the same information.
In my opinion, we can see the following cognitive biases are at work here:
- Confirmation bias and availability heuristic: By the CPI information, recent allegations of bribery in the same and a neighboring country, the auditors were primed to “jump” on what they see as a potential bribery issue.
- Halo effect: The fact that the topic was “bribery” in a medium to high risk country by Transparency International’s CPI was probably influencing the intuitively assigned “risk level”; this could have been further enhanced by the mention of an actual court case in the past. The auditors had the feeling that they needed to include this in their report and that it was important, even though they could not give explicit arguments for it.
- In-group / out-group bias: Local management’s arguments about the observation and its evaluation were perceived as an “us vs. them” situation.
- Substitution, Affect heuristic: More documentation of the decision was somehow assumed as increasing control and lowering the bribery risk.
- Self-serving bias: It was better for the reviewers to be more critical and inflate the issue, because it might have reflected badly on the auditors if they didn’t identify an issue and something “bad” would have happened later.
As I have written before, cognitive biases are at work in all of our minds, and assurance providers are no exception. The situation characterized above illustrates how such biases can contribute to exaggerated risk assessments and “window dressing” recommendations. Furthermore, as a result of such audit outcomes, the relationship between assurance professionals and audited units’ management can be strained and trust and cooperation can suffer. 
Assurance work will not be perceived as value-adding.  Neither if performed by internal auditors nor by second line functions. 
Please note that I am not arguing that the decision of management to accept the risk and work with the third part is the best decision. But in my view it was a well-founded and risk-informed decision.
In addition, I can fully understand the assurance professionals. I have worked in the same way and have written similar recommendations in my life as an internal auditor. But I would not do so anymore after having read Daniel Kahneman’s “Thinking. Fast & Slow”. 
Michael Kuckein, Sandoz TR, Ethics and Compliance Director, CIA, CISA, CCSA, CRISC, CRMA
The author contributed to this article in his personal capacity. The views expressed are his/her own and do not necessarily represent the views of TEİD.