There’s a notion in fraud auditing that the auditor should “think like a thief.” I am going to go out on a ledge and raise the question: Is the idea of thinking like a thief a silly suggestion? I ask you, were raised to think like a thief? Did your parents compliment you on your lying skills? Did your teachers praise you on your ability to cheat on a test? Do you and your associates discuss how to steal from your employer at the lunch table? Certainly, the answer is no!
So, the question we must consider: Is thinking like a thief a proper substitute for the professional standard of professional skepticism? As you may be aware, my last three blogs discussed professional skepticism. If you have not read the blogs, I would encourage you to add those blogs to your reading list.
Research on the Phrase
To learn more about the phrase, I simply googled “think like a thief.” I’ll admit that I was surprised what I found.
“It takes a thief to catch a thief” It is amazing how a phrase evolves over time. According to the Cambridge dictionary the original meaning was “one dishonest person can guess what another dishonest person might do.”
There is a comic book entitled Thief of Thieves. It’s about a highly successful thief who quits the business and begins a new life stealing from other thieves. I think this is more common than most people realize.
Alfred Hitchcock created a movie entitled To Catch a Thief (1955) about a retired cat burglar who uses his experience to catch an impostor.
The concept of “it takes a thief” or “to catch a thief” has spawned several television shows, some drama and some documentary.
Is This Thinking Like a Thief Truly a Good Idea?
So there seems to be some fascination with thinking like a thief. I get it. But the purpose of this blog is to discuss whether “thinking like a thief” will help the auditor better prepare their fraud risk assessment or integrate fraud into their audit program.
I will boldly say that I believe telling an auditor (an honest person) to think like a thief is not an acceptable substitute for fraud knowledge. Let me tell you why.
- 1.The original phrase suggested that a dishonest person could guess what another dishonest person might do. Are auditors honest people or dishonest people? (FYI that is a rhetorical question.) Note the common thread in all the examples above is that the person thinking like a thief actually was a thief.
- 2. Professional standards never mention, “think like a thief.” The professional standards say the attributes of professional skepticism are knowledge, skill, and ability.
- 3. The AFC Anti-Fraud Collaboration Study: Skepticism in Practice does not mention thinking like a thief.
- 4. Criminology includes the study of “the causation of crime and the personality of criminals.” Is criminology thinking like a thief or trying to understand why an “honest” person would commit a theft of assets scheme? Does this help the auditor conduct their audit? I know the professional standards require the auditor to consider the fraud triangle, but I would suggest that considering the fraud triangle makes the auditor aware of environmental factors associated with fraudulent activity rather than revealing how to identify fraud risk statements.
- 5. History teaches us valuable lessons. I found a paper, written by Jim Cali, CPA, that I would encourage you to read. It provides some historical references about forensic accounting. Mr. Cali states that Frank Wilson, a CPA working for IRS, was responsible for uncovering that Al Capone had unreported taxable income. It was a single document that allowed Wilson to prove Capone had earned “illegal income.” Mr. Wilson did not think like a criminal, he simply was thorough and complete in his work.
Why am I picking on a phrase “think like a thief” when so many people say to detect fraud you need to be able to think like a thief? First, I believe it is a misguided idea. Furthermore, it diminishes the need to emphasize strong fraud auditing skills. What is important about the phrase is to understand that people lie, cheat and steal. However, it is equally important to understand that people do not lie cheat and steal. Therein lies the conundrum for the questioning mind, some people lie and some people are honest. So, is professional skepticism a balance between trust and doubt? Or, is it the difference between knowledge and lack of knowledge?
How should an Auditor Think when it comes to Fraud?
Fraud needs to be viewed as a logic issue rather than a wild wonderment issue. The fraud risk universe helps us understand all the fraud risk statements facing an organization. The permutation logic of a fraud risk statement helps us create a comprehensive fraud risk assessment. We know that each fraud risk statement has an element of fraud concealment and that each concealment strategy has logical red flags. Yes, fraud knowledge or fraud logic is a critical aspect of professional skepticism.
Yet the duty of care standard expects the auditor to be able to apply the knowledge in the performance of their duties. So, auditors also must practice their trade. All the theory without real life experience is a recipe for audit failure. To be clear, I am not suggesting the auditor become a thief to be a good auditor. Just the opposite. To become a good auditor, the auditor must practice the science of fraud auditing.
Auditors must know how to evaluate fraud risk mitigation, quality of audit evidence and internal control reliability. They need to understand the difference between an internal control audit approach and a fraud audit approach. Lastly, and most importantly, they need to know when and how to use the right audit approach for the identified risk. There is an old saying, “Use the right tool for the right job!” I’ll add, “And in the right way!”
If you have read my previous blogs, you will understand the difference between a fraud scenario and a fraud risk statement. The purpose of the fraud scenario is to describe how a person would commit a fraud risk statement. How to commit a fraud scenario includes no internal control, natural control vulnerability and internal control inhibitors. I ask you, is using internal control theory to understand how to commit a fraud risk statement thinking like a thief or thinking like an auditor?
Auditors are always focused on risk mitigation. The ultimate goal is a risk with a low residual risk rating. We need to ask ourselves, does our desire to achieve a low residual risk rating bias our opinion? Has the auditor truly considered and understood how an internal control can fail? Remember, bias comes in many different forms.
Auditors are not intended to be lie detectors. This was addressed in a recent article by Richard Chambers, September 28, 2020 Internal Auditors: Trusting but Skeptical. To quote from the article: The cold logic of a well-constructed audit test can help strike the right balance between blind faith and needless suspicion. I encourage you read the entire article.
So! Think like a Thief? Does this really work?
Please, invest in knowledge rather than relying on cute phrases.