Ten Things Not to Say in an Internal Audit Report

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession. 

I’ll never forget my seventh-grade English teacher telling us, “It’s not what you say but how you say it that counts.” Obviously she was exaggerating, but the point still stands: How we say things can make a difference. A well-written audit report should be a call to action, but a poorly written report can result in inappropriate action or in no action at all. In some cases, poor report writing can ruin working relationships or actively harm an auditor’s reputation. Little things can mean a lot, and at times, a minor change to how a recommendation is worded can make all the difference in how our suggestions are received.

Recently I started with my own list and then asked several groups of auditors what words or phrases should never be used in audit reports. I even asked my friend, Sally Cutler, the noted internal audit report writing consultant. All and all, I got an earful. Some of their suggestions were definitely worth repeating, so here’s my new “top 10” list of things not to say in an audit report.

1.     Don’t say, “Management should consider…”

Audit reports should offer solid recommendations for specific actions. When our recommendation is merely to “consider” something, even the most urgent call to action can become nebulous. No auditor wants a management response that says merely, “Okay, we’ll consider it.” 

2.     Don’t use “weasel words.”

It’s tempting to hedge our words with phrases such as "it seems that" or “our impression is” or "there appears to be." It may feel safer to avoid being specific, but when you have too many hedges, particularly in the same sentence, there’s a danger that you are not presenting well-supported facts. Report readers need to know they can rely on our facts, and over-use of weasel words can make solid recommendations sound a little too much like hunches.

3.     Use “intensifiers” sparingly.

Because they can add emphasis, words such as “clearly,” “special,” “well,” or “very” might seem to be the opposite of weasel words. In actuality, these intensifiers are so non-specific that they can be another type of “weaseling.” Intensifiers raise questions such as “Significant compared to what?" and “Clearly according to whose criteria?“ If you use intensifiers freely, two readers of the same report may be left with very different impressions: Numbers such as 23 percent or $3 billion tell a story, but just what does “very large” mean? 

4.     The problem is rarely universal.

It’s good to be specific, but there’s a danger in words such as “everything,” “nothing,” “never,” or “always.” “You always” and “you never” can be fighting words that can distract readers into looking for exceptions to the rule rather than examining the real issue. It’s safe to say you tested 10 transactions and none were approved — less safe to say transactions are never approved.

5.     Avoid the “blame game.”

The purpose of internal audit reports is to bring about positive change, not to assign blame. We’re more likely to achieve buy-in when our reports come across as neutral rather than confrontational. The goal is to get to the root cause rather than to call out the name of the guilty party. It’s fine for a report to identify the party responsible for taking action on a recommendation — not so fine to say, “It was Fred’s fault.”

6.     Don’t say “management failed.”

Making statements such as “Management failed to implement adequate controls” will invariably annoy those to whom we are looking to implement corrective actions. Simply stating the condition without assigning blame through words like “fail” is much more likely to result in the needed corrective actions and help preserve our relationship with management for the next time we conduct an audit of their area.

7.     “Auditee” is old-school.

A few years back, people undergoing an audit were most often referred to as “auditees.” Today, many experts believe that the phrase has negative connotations and that “auditee” implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as “audit client” and “audit customer” indicate that we are working with management, not working on them 

8.     Avoid unnecessary technical jargon.

Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear. If you use more than one phrase such as “transactional controls,” “stratified sampling methodology,” or “asynchronous transfer mode” on a single page of an audit report, don’t be surprised when some of your readers check out without reading to the end of the report.

9.     Avoid taking all the credit

It is tempting in audit reports to use phrases such as “internal audit found” or “we found.” Management will often bristle that you are taking credit for identifying something that wasn’t all that well concealed. It comes off like you threw them under the bus, and then backed over them. 

10. If it sounds impressive, you probably need a re-write.

Work to get readers to remember your recommendations and take action — not to impress with pompous words or bloated phrases. Avoiding jargon is only the beginning: Try substituting “by” for “by means of,” “now” for “at the present time,” and “so” for “so as to,” for example.

I like to use the fifth-grader test: If an intelligent middle-schooler couldn’t understand your report, it may be needlessly complicated. Take, for example, this sentence from an actual internal audit report that basically just says little things can add up:

“During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of individually immaterial items and in doing so relied on the assumption that it was appropriate to consider whether such impacts tended to offset one another or, conversely, to result in a combined cumulative effect in the same direction and hence to accumulate into a material amount.”

Enough said. And then some.

Lists like these are often very personal. I am sure my list will generate some controversy — both for the things I included and the things I didn’t. So, let’s get the dialogue started. What else is on your list of the top things never to say in an audit report?

Posted on Oct 21, 2011 by rchambers

Share This Article:    

  Comments (15) un-categorized
  1. Comment by: Harish Kumar   (10/24/11 06:51 PM)   

    Audit Report is the final product from the auditor. It has gone from draft to final report. Therefore, cosmetic changes to the report should not drive the attention of the auditees rather the audit findings, comments and agreed recommendation. Disagreed audit recommendation considered important by auditor and not by the senior management should state both auditor and senior management comments. Hence, the board can make the decision on management risk posed in the audit report. The auditing standards should be on the agenda here for compliance & standards.

  1. Comment by: Muhammad Arshad   (10/25/11 02:58 AM)   http://www.knowyourtax.com

    Well written article. Sir, one should try to:

    i.     Keep sentences short and terse;

    ii.    Firm in ones findings and say them clearly without mincing words;

    iii.   The wording should indicate that the audit is part of the organisation and not against the organisation.

    May contact at taxopinion@gmail.com

    Thank you.

  1. Comment by: Rose   (10/25/11 09:06 PM)   

    Words and phrases to avoid includes the following:

    "There is evidence of...." (If there was none, it would not have been raised correct?), "There are weaknesses in..." (Just explain the point and avoid that phrase), "At the time of the audit...." (It can't be from last year or next month!), etc.

    It takes a lot of practice to produce a good audit report. After more than 10 years in IA, I still am learning new things everytime. Good article Sir and keep them coming!!

  1. Comment by: Nemanja   (10/27/11 07:02 AM)   

    Names of employees/clients and similar should not be a part of audit finding, unless it cannot be avoided (in cases of Internal Fraud investigation it might be necessary to write full names of employees involved).

    Instead, unique identifying codes should be used (Social security code, company code, Tax code, or similar).

  1. Comment by: Pat   (10/27/11 04:29 PM)   

    Richard, I am sorry.  I have to disagree with the first two things on your list.

    1.  Don't say, "Management should consider....."   That statement by itself is ok.  However, you go on to say that audit reports should offer solid recommendations.  That could be a potential pitfall if you, the auditor, are not an expert in the subject matter in which you audited.  This is especially true (uh, oh, intensifier!) if you work at a small company or firm.  Raven Caitlin, who instructed an FMS I/A workshop in Nashville a couple of years ago, advised using agreed upon procedures with management as opposed to recommendations when addressing exceptions, reportable conditions or internal control weaknesses.  I took her advice.  Now, my audits are more effective than ever.

    2. Don't use "weasel words."  In my opinion, these are not "weasel words."  These are words that are meant to protect you as an auditor from management criticism.  I agree you should not overly use these words.  If you do, then it makes you "appear" as somewhat of a charlatan to your audience.  However, if you are presenting your report to your board or senior members of management, it is not a bad idea to use a few of these hedge words regardless how much research, time and work you have put in to your audit.

    I agree with the rest of your well-written article.

     

  1. Comment by: Don Sparks, CIA, CISA, ARM   (10/28/11 11:33 AM)   http://www.audimation.com

    If you can not get your point across in the first 25 words, you need to rethink what the point is in the first place.

  1. Comment by: CIM   (11/10/11 02:42 PM)   

    Hi All,

    Your comments are much appreciated, I am very new to the internal audit process and the guidance is very helpful.

    Thanks a Mill

     

  1. Comment by: Laurel   (11/12/11 09:30 PM)   

    Great points.  I am pleased to say we follow most of the points addressed in the article as we write our audit reports.  The one exception is that we will use "we recommend management consider" with best practices or modifications to policy or processes where we are not requiring implementation, but believe it would enhance management's current practice.   I'm interested in how others address these. 

     

  1. Comment by: Andrew   (11/17/11 03:09 AM)   http://y

    I agree strongly with Pat , the first two points raised by Richard are difficult not to do. First and foremost as auditors our job is to recommend and not to instruct managment on what to do , they may have a better way toaddress the recommendation and we are supposed to be independent so we are just selling an idea , it is thus difficult to avoid using "management should consider" , maybe Richard should also have told us the best phrase to use....

     

  1. Comment by: David   (11/17/11 05:45 AM)    I agreed with Pat. 1. Don't say, "Management should consider....." I think it's fine, particularly when there was an issue noted and the solution could be multiple. Internal auditor can just make recommendation but ultimate business decision is upon local management since they take the responsibility. I also disagree with Rose's comment regarding not using "at the time of the audit". You might be auditing a site of their last 12 months financials and the issue noted in the then financials might be changed now. So you need to provide a time frame or readers might get confused.
  1. Comment by: fahad   (11/20/11 03:37 AM)   

    hi,,,

    i am very happy to read all the points.

    it should b very helpful in my life & i hope u will also help me in this way.

    m very thankful to u for this great information.

    May God Bless u. 

  1. Comment by: Mark R. Simmons   (12/1/11 10:30 AM)   

    Spot on, Richard!

    To expand a bit on "Managment should consider...", I've wrestled with this more than once.

    "Managment should consider..." is too weak, as you suggest. 

    However, using "Management should..." to me makes the auditor sound arrogant (we know what has to be done, how come you don't?), and also, as mentioned in an earlier post, the auditor may not be a subject matter expert in the area under review. 

    Over time I've come to settle on "Management could..." whether there be multiple options available or an agreed upon action hasn't been identified. Use of the word "could" puts the focus on the "auditor as partner/problem solver", and eliminates the "arrogant auditor", "auditor as expert" connotation, and the "don't hold the manager accountable for outcomes" syndrome ("the auditor told me to do it"), all implied by use of the word "should".  

    Even in a circumstance where the issue is non-compliance with a law, regulation, or policy (where it might seem appropriate to say "Managment should comply..." stating the obvious doesn't cut it, the real issue being identification of the root cause and actionable options for correcting the situation (things that "could" help solve the problem).

  1. Comment by: Pat Hughes   (12/6/11 08:33 AM)   

    Here's a thought, instead of "management should consider" why not just write, Management has agreed to......   Bottom line, this report should not surpise the recipient... they should know what you found.  There should have been an agreement etween the audirot and the manager  as to how they will remediate the issue.  

  1. Comment by: Radhakrishnan S   (2/4/12 11:13 AM)   

    As Head of Internal Audit, I appreciate the points mentioned in the article . Very useful.

    Thanks and Regards

     

  1. Comment by: Ozizi Musa S   (2/17/12 01:23 PM)    Mr.Chambers, thanks for your beautiful article. It is quite enlightening and helpful to me as an Internal Auditor.On the issue of ..."management should or could consider..." the line to tow should depend on the attitude of the mgt. towards previous Audit recommendation and the expertise of the Auditor in a a particular audit area. however, to maintain peaceful working relationship,we should use word that unites such as mgt could consider. In addition,when the auditor discovers lapse(S),explanation should be obtained from the concerned audit client and same included in the report before recommendation to avoid one sided report that could be faulted during the discussion of observation

Leave a Reply