Why Tone Is So Important for Internal Auditors

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


You’ve heard: “It’s not what you say, it’s how you say it.” Well, in internal auditing, I’d say it’s a combination of both. What we say in our audit reports most certainly matters. The reports must be clear, concise, and accurate. But it’s the way we communicate that will determine how our findings and recommendations are received — I call it “tone.”

Have you ever sent an email that others misread as harsh or curt? Early in my internal audit career, I actually had someone tell me, after reading a draft of an audit: “I agree with the recommendations, but I disagree with all of the findings.” In other words, he agreed that there were issues that needed to be addressed, and he was willing to fix the problems, but it was the critical nature, or tone, of my report that caused him to push back.

Most people have a difficult time conveying empathy and warmth in writing, and this is especially true in audit reports. It is fascinating to me how often, even when we keep audited activity officials informed of results throughout the course of an audit, the same officials will read the written draft report and react as if they’ve been ambushed.

What we perceive as objective recommendations for improvement may evoke fear and anger among those being audited, who may feel as if their successes and good works are being neglected by a process designed to highlight flaws and vulnerabilities. Sometimes it’s just their own personal pride and integrity they feel is being attacked, but usually they are reading through a filter of, “How will the boss, or board, react when they read how my organization or operations are being described?”

It goes back to what I said in an earlier blog about human nature: People like to be recognized for their accomplishments. As internal auditors, if we’re not careful, we can fall into the trap of measuring our success quantitatively by the number of findings or recommendations we are able to generate. But how much more effective could we be if we focused instead on motivating those we audit to act on our findings to the betterment of the organization?

Put yourself in the shoes of those we audit and you begin to understand what I’m talking about. We may think we have treated a person fairly, but we’re talking about emotions here. Emotion and perception are not things we talk about very often, but they can have a significant effect on how an audit report is received.

As you look over your audit report, ask yourself how you would feel if those things were being said about your organization or your work. How are your written words going to be perceived? Is your report simply an accounting of everything wrong in the organization, or did you make an effort to recognize things you observed that were done well? Does the overall tone convey the true quality of the organization in a fair and balanced way?

Instead of obsessing about outputs (quantity of findings and recommendations) we need to monitor outcomes (the short-term and long-term impact of our work). If you change the way you measure the success of an audit from outputs to outcomes, you’re likely to find that it will influence the way you write. A good audit executive is a change agent, not the chief of police. At the end of the day, I think we will be judged by our ability to improve the organization, and to do that, we can’t afford to be “tone” deaf.

Posted on Mar 11, 2013 by Richard Chambers


  1. Richard: The problem you raise is an important one but one that I think warrants further analysis. 

    Over my 30+ years in the profession I have seen thousands of well-intending internal audit departments struggle with how to deliver the news that they have decided that "controls" are "ineffective" or "inadequate" or "in need of improvement" but not create what you reference above as "push back". This traditional IA paradigm has the unintended consequence that internal auditors, in reality, are making decisions that are, or should be, management's responsibility. A primary role of audit should be to ensure that senior management and the board are aware of the significant residual risk status areas, including the potential consequences if one or more key strategic or potentially value eroding objectives is not achieved and options available to reduce the residual/retained risk position.

    Relations with auditees improve enormously in my experience when internal audit quit giving subjective opinions on what they think constitutes "effective" or "adequate" and focus on ensuring there is awareness and conscious acceptance of residual risk status up to and including the board.

    The business case for the need for this paradigm shift will be laid out in an IIA Canada webinar on Board Oversight of Management's Risk Appetite and Tolerance on March 27th. It's free to all IIA members.  Details can be found at:



  1.  Dear Richard,


    There are two issues that have been raised here:

    1. Tone, language, communication from report.

    2. Criteria used by Internal Audit to judge effectiveness, competency, ability.


    1. Tone, language, communication from report: I totally agree that the language plays a great role. All reports issued from my desk are cleaned for negativity and rephrased with positive language. E.g., if there is a need for a process manual, IA never says "Department does not have process manual". The observation states "Need to have a process manual", then provides reasons with an example of why there is a need for having a process manual.

    Unfortunately, some internal auditors think that IA's job is to show errors. Sometimes they are also misguided by clients into using harsh language.

    2. Criteria used by Internal Audit to judge effectiveness, competency, ability: The criteria used for judging the effectiveness of Internal audit plays a spoilsport. It's difficult to measure quality but easy to measure quantity. If IA has been given a target to generate cost saving of xxx million, or they are going to be judged based on number of high risk issues raised, or they are informed that they are replacement of someone who has not generated cost savings or not raised high risk issues (in the opinion of recruiter / hirer), IA is inclined to substitute quantity for quality as quantity can be measured.


    I'm in absolute agreement with Richard and Tim.

    As one of my efforts to convey the proper tone in audit reports, I've waged an uphill battle to eliminate the words "management should" from the auditor's lexicon. The auditor's job is to evaluate conditions and report on the options available to management. The IPPF makes it abundantly clear that internal auditors have no business assuming a management role, which is exactly what happens when an auditor's report tells management what "should" be done. Rather, the most appropriate language for the report, in my opinion, would be to suggest that "management could reduce the risk by...."; or "management could share the risk by...."; or "management could avoid the risk by...."; or "management has accepted the risk because....". Substitute "should" for "could" in that context and it becomes obvious that "should" is completely inappropriate language because it is directive. It becomes even more obvious if substituting the root of "should", which is "shall". Internal auditors have an obligation to be completely objective. That means, as Tim pointed out above, internal auditors have to refrain from placing in reports their subjective opinions on how issues are to be remedied by management.

  1. I completely agree with Richard.

    Management's expectation from IA Department  is improvements in their processes with focus on risk management and not just fault findings.



    You bring up interesting points, but my first thought was how your ideas meshed with the standards for follow up. Since I’m a government auditor as well, I started with the yellow book. Section 7.05 states that "The purpose of audit reports are to...(4) facilitate follow-up to determine whether appropriate corrective actions have been taken." If I say "could" in a report, aren't we defining what an "appropriate corrective action" is? And then at that point, follow up determines that appropriate action hasn't been taken and we're back at square one. Granted there could be an alternate alternative solution that everyone (the audit team and management) overlooked, but hopefully that doesn't happen too frequently.

    Same goes for the red book. 2500.A1 says that "The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented." One could take a very narrow approach and say that if management decides not to act on your “could” recommendation then they have effectively implemented an action by not doing anything. However, the definition of internal auditing says that “internal auditing is…designed to add value and improve an organization’s operations.” I don’t think that accepting such an action plan from management qualifies as adding value or improving operations.

    So I don’t think it makes much difference whether we use “should” or “could.” Unless you’re thinking about changing the standards. ;)


  1. Great commentary Richard! This speaks to a bigger issue - the building of solid relationships within the organizations. It goes beyond the writing of reports - the "tone" starts with how we present ourselves to others in our words, actions, facial expressions, etc. Our ability to build and maintain strong interpersonal relationships with others sets the stage for the positive receipt of our written audit reports. In 20 years as a CAE, I have focused more on interpersonal skills as a hiring criteria than audit skills. As Richard points out, the technical audit skills are relatively easy to teach and learn. It is the soft skills that are tough. Further to "human nature", my observation is that most people are more willing to listen to and trust people they know. If you already have a great working relationship with someone, they are far more likely to believe your findings and trust your recommendations. They may even cut you some slack on a poorly written audit report (or maybe give you some gentle coaching).

    So, yes, focus on tone and quality of reporting.

    But focus on the strong business relationships from the time you join the organization, are appointed to the internal audit position, and from the time you begin an engagement....and your reports will go so much more smoothly.


  1. @Andrew
    Even though I'm in government, I do internal auditing (IPPF), not government auditing (GAGAS). My argument in essence is that internal auditors who follow the IPPF can make suggestions, provide alternatives, or report management's solutions, but not tell management how to fix the problem. It's through the reporting on mission-critical issues that IA adds value. The purpose of the report is to inform the senior leadership/BoD on the actions management has taken or will take to address issues raised. It's up to the senior leadership/BoD (not internal audit) to determine whether those actions are appropriate within the context of their risk appetite and risk tolerance. Follow up serves to inform senior leadership/BoD on the outcome of the actions management has taken to address the issue.

  1.  @Andrew, consider Std 2600: "When the chief audit executive concludes that management has accepted a level of risk that may be unacceptable to the organization, the chief audit executive must discuss the matter with senior management. If the chief audit executive determines that the matter has not been resolved, the chief audit executive must communicate the matter to the board."

    Interpretation: "...It is not the responsibility of the chief audit executive to resolve the risk."

    And Practice Advisory 2060-1: Reporting to Senior Management and the Board
    "...4. Senior management and the board make decisions on the appropriate action to be taken regarding significant issues. They may decide to assume the risk of not correcting the reported condition because of cost or other considerations...
    5. When the CAE believes that senior management has accepted a level of risk that the organization considers unacceptable, the CAE must discuss the matter with senior management as stated in Standard 2600. The CAE should understand management's basis for the decision, identify the cause of any disagreement, and determine whether management has the authority to accept the risk...Preferably, the CAE should resolve the disagreement with senior management.
    6. If the CAE and senior management cannot reach an agreement, Standard 2600 directs the CAE to inform the board. If possible, the CAE and management should make a joint presentation about the conflicting positions..."
  1.  ^^^^

    Sorry for the weird formatting. It wasn't my intention to enlarge and bold the text.

  1.  @Andrew, follow-up involves monitoring and reporting on management's actions. "Ensure" is in the context of the CAE reporting the outcome of management's actions to the senior leadership and BoD.

    2500 – Monitoring Progress
    "The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management."
    2500.A1 – "The chief audit executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that senior management has accepted the risk of not taking action."
    Practice Advisory 2050-3:
    "12. Follow-up is a process by which internal auditors evaluate the adequacy, effectiveness, and timeliness of actions taken by management on reported observations and recommendations"

  1.  @ Mark

    I understand your point that it is not up to Internal Audit to tell mgmt what to do, because that effectively puts IA in a mgmt role. My point though had nothing to do with reporting. I think that because of follow-up requirements, whether you say "mgmt should do this" vs. "mgmt could do this" is moot.

    Let's say you make a recommendation in a report. Mgmt comes back and says "great suggestion, we'll get started right away!" So you wait a bit and do your follow up to see if they followed through. If they did, great. If they didn't, you need to make another recommendation, or elevate it to the board. Or they could have originally said, "nah, we're good." If you (as CAE) don't think that's appropriate (which you probably won't since you made the recommendation in the first place) you'll elevate it to the board.

    My point is that whether you say "mgmt could do this" or "mgmt should do this" doesn't really matter, because either way, mgmt acts on your recommendation, or you elevate the matter to the board. 

    Although I don't think that it really matters which word is used, the original point of this blog post was on the importance of tone. "Should" and "could" do have different meanings, and different tones. So whether I think there is an actual difference in the end doesn't really matter, since I'm not the intended audience for my reports. 

    And for the record, since I do follow GAGAS, I think that my point is stronger ;)

  1. Richard, I very much enjoyed reading this blog.  Please keep up the stimulating insights on the profession!

    Our approach to auditing was recently described as "refreshing" by one of the execs at our company, and it was due to our focus on tone, fairness and recognizing management's accomplishments, while identifying key gaps that are being closed.  The previous auditor did a great job, but there were one or two gotchas and management's memory of those is far too long.
