Spotting and mitigating misinformation: insights from the internal audit conference 

How can internal audit help businesses to spot and mitigate potential harms caused by misinformation and disinformation? Speakers at the Internal Audit Conference in the session on “Misinformation, fake news and the impact on business reputation” offered thoughts and advice. 

Boards and internal auditors should be taking misinformation and disinformation far more seriously as a threat to their corporate reputation, according to speakers at the Chartered IIA’s Internal Audit Conference in October. While many organisations have cyber security and fraud high on their risk radars, far fewer look explicitly at the risks posed by fake news and misinformation.  

This could be a mistake, according to David Fineberg, Chief Internal Auditor at asset management servicing organisation Alter Domus. He admitted that he increased his own focus on the risks created by misinformation after being invited to speak at the conference. 
 

While many of the processes that combat cybercrime and fraud also help to protect against harms from misinformation, they may not do enough to counter and respond to the reputational damage caused by a false or misleading story that spreads rapidly. Fineberg advised internal auditors to consider the topic independently of other cyber threats and to raise their concerns with their audit committees and boards.    

 

Spot the difference 

There is an important distinction between false news and misleading information, explained Sander van der Linden, Professor of Social Psychology at the University of Cambridge. His department has developed a free “Bad News Game” that the session host, Elizabeth Honer, former CEO of the Government Internal Audit Agency, urged people to try – “It’s utterly terrifying.”  

Whereas false news stories promote ideas that are completely fake – for example, that the Earth is flat – the misleading category is more dangerous, van der Linden warned, because it contains a nugget of truth that is positioned to create a false conclusion. The original may be deliberately misleading, but many people will promote the story believing it to be true. It may appear on trusted news sources or be repeated by trusted contacts, which makes it more convincing. 

An example of this type of misinformation was a headline in the respected newspaper the Chicago Tribune during the pandemic that said a healthy doctor died two weeks after receiving the Covid vaccine. The statement was correct, but it misleadingly implied causation when all that was known was a correlation of dates. 

The dangers of this kind of story are serious. At national level, there are concerns about deliberate election interference by foreign powers spreading misinformation. Jessica Zucker, Director of Online Safety Policy at regulator Ofcom, explained what her team is doing to research the impact of misinformation and implement the government’s laws against foreign manipulation and illegal hate speech.  

However, there are legal grey areas. Many people were shocked when people who posted or re-posted false stories about asylum seekers during riots across the UK over the summer were prosecuted alongside those who directly caused criminal damage. Inciting violence and “hate speech” is a crime in the UK, but there are questions about free speech and when a social media post is an opinion or intended as satire. 

 

Internal audit’s role 

For organisations, it is often irrelevant whether posts are legal. Lawyers will not stop a story spreading globally and can do little to repair reputational damage once it’s spreading fast. Fineberg said there is “absolutely a role for internal audit here”. He pointed to two main areas of focus – the validation and verification of data coming into the organisation’s systems, and the accuracy of the information being generated and disseminated to stakeholders. 

Furthermore, he argued that internal auditors should consider misinformation and fake imagery when auditing fraud and cybercrime. He pointed to the Hong Kong finance officer who was tricked into transferring $25m of his organisation’s money to fraudsters after attending a video meeting with, he thought, two senior financial officers, who were really the creations of deep fake scammers. 

 

The psychology of deception 

One important way to stay ahead of the misinformation promoters is to heighten awareness of the techniques they use and why they work. Educating internal auditors and employees about red flags puts people on their guard. Van der Linden pointed out that much damaging false news is misinformation not disinformation – ie, promoted by people who believe the story is true. 

He compared this to the way viruses spread. Social media algorithms will target people with fake news on certain subjects if they show an interest in it. People may be sceptical at first, but tend to believe things if they are frequently repeated and if they come from known contacts, he said. There is also a widespread distrust of fact-checkers, as well as legitimate questions about whether they are reliable.

“There is evidence of companies using misinformation to undermine critical reports by auditors,” he said.  

Van der Linden warned that most organisations underestimate the potential harm that misinformation could do. He advised “pre-bunking”. “It’s easier to prevent stories spreading in the first place, than to deal with them once it’s happened.” He suggested undergoing a process of “inoculation”. If you educate people by exposing them to limited misinformation and where it leads, you improve their defences, he said. 

 

Advice for internal audit teams: 

  • Educate staff to recognise fake news and understand manipulation tactics. 

  • Evaluate and establish trusted news sources – while bearing in mind that they may make mistakes. 

  • Raise the topic up the agenda to board level. 

  • Make reputational damage caused by misinformation a specific topic in business continuity planning. 

  • Establish policies and processes to enhance transparency and mitigate harm from misinformation and disinformation – for example, regular web scans for stories about your organisation and introducing ways for employees and customers to highlight suspicious information. 

  • Enhance policies over information generated by your organisation to ensure that it does not repeat or draw on misinformation, and cannot be misinterpreted. 

 
