“People generally see what they are looking for and hear what they listen for.” – Harper Lee (To Kill a Mockingbird). This is also (or especially) true for the marketplace of audit reports.
One might think that, just as a successful physician is one who diagnoses patient problems accurately and early, a successful auditor might be one who finds client accounting and control deficiencies confidently and in a timely manner. Not quite so. Think about businesses that tend to avoid “health costs,” especially long-term ones, because what counts is next quarter’s profit and the reputation as an immaculate corporation. Unfortunately for these enterprises, the annual examination is required by law. So the strategy becomes to spend the audit fees on an external auditor who understands their need to be certified “healthy.”
An auditor can collaborate through practices that include failing to report all information, collecting additional supporting data if the first tests produced undesired results, and selectively reporting only results that align with the flattering outcomes management expects. That’s favorable for the client relationship. The freedom to frame reports in this way is labeled “professional judgment.” These practices can be quite subtle and even unconscious. By manipulating methodologies (for example, data sampling), testing, and how results are reported, auditors can present neat and clean results: results that conform to the stories they want to tell and that protect the responsible client managers from a flaw in a goal that matters for their bonus (i.e., having no audit findings). If Garrison Keillor’s Lake Wobegon is where all the women are strong, all the men are good-looking, and all the children are above average, questionable audit practices turn audits into reporting exercises in which all the evidence is strong, all the testing results are good-looking, and all the assurance and security levels are above average.
As I did before I had insight into the audit world, people may believe that a successful security audit would confirm the security of the system under review. Halt! If you read the fine print of such reports, it becomes clear that the audit attestation only means that the procedures didn’t find and interpret data in a way that would cause the auditor to draw a negative conclusion. Nothing more. Positive assurance would be too costly. But there is a lot of money involved already. At bigger clients, whole teams of the audit company depend financially on being chosen by the client over other audit firms. That’s why a lot of an auditor’s education is concerned with how to appear independent. So many think twice before reporting any “bad weather” condition and prefer to wrap themselves up well instead, in the interest of their monthly salary and audit career (if that’s what they want to continue to do under these circumstances).
All that said, it is still always an individual choice whether you align audit evidence and your conscience with economic interests or whether you are true to the data and to yourself, demonstrating your commitment to professional pride, societal welfare, and personal self-esteem.