Better Never Than Late

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession.

The iconic Larry Sawyer once observed that “few sources of friction within the audit department exceed that caused by the process of report writing.” Sawyer went on to correctly observe, “The most brilliant of analyses and the most productive of audit findings seem to be forgotten during the trauma of report writing.” In my view, these are some of the wisest comments Sawyer (or any other practitioner or academic) ever uttered about internal auditing.

After almost 36 years as an internal auditor, I am not sure that as a profession we are any more proficient in publishing timely and well-written audit reports than we were the day I first “donned my internal audit spurs.” As Sawyer noted, the reasons for committing “reportable offenses” are many:

  • Internal auditors often lack fundamental writing and “storytelling” skills.
  • Draft reports often portray internal auditors as the heroes and management as the villains.
  • Supervisors (in large audit departments with multiple levels of supervisors) often rewrite or heavily edit the initial draft audit reports.
  • The emphasis on accuracy dwarfs the emphasis on timeliness.
  • Lack of coordination with management and a negative tone in the draft report creates friction that causes major push-back against the draft report.

If we are to successfully navigate the current environment in which stakeholders expect more of us despite our reduced resources, then we must tackle our inefficient processes. None are more obvious targets than report writing, where many audit departments spend more time finalizing a report than the audit took to complete. I have been evangelizing on this topic for the past 15 years. Among the effective strategies to reducing report “cycle time” that I have observed, include:

  • Sharing audit results with clients “as the audit unfolds.”
  • Eliminating or minimizing levels of draft report reviews.
  • Deploying an editor to review draft reports early in the reporting process (for larger departments).
  • Using team writing or team editing processes (a strategy I used extensively as the Deputy Inspector General of the U.S. Postal Service).
  • Using “report conferencing” during the editing process, which involves management in the editing process.
  • Using extract features from automated workpapers to craft the initial draft audit report.
  • Streamlining the report format to eliminate extraneous or redundant information.

Granted, these “sound bite” solutions are easier said than done. However, report writing is a core internal audit process in dire need of reengineering. We cannot maintain the hard-won stature of the past decade if we ignore opportunities to deliver timely and relevant information to key stakeholders. Failure to deliver timely audit results is not an option.

As the great playwright George Bernard Shaw once observed, “Better never than late.”

Posted on Apr 18, 2011 by Richard Chambers

Share This Article:    

  1. Richard:

    This is a very important topic.  My observations of thousands of audit reports from scores of audit departments around the world mirror your observations and concerns noted above.  

    My personal view is that audit reports should not be a collection of areas where internal audit thinks controls are "deficient" or "need improvement" or even provide an opinion whether Internal audit thinks controls are "effective" or "adequate".  This is the primary friction point that produces the problems you note.   I believe the report should describe the current residual risk status in the areas reviewed and hi-lite areas where the level of residual risk, after considering risk treatments that the client agrees to implement, is still at a level that Internal Audit believes senior management and the board should be aware of. 

    I have worked from a simple premise over the years that has served me well.  Work units can accept any level of residual risk that they are prepared to share with those above them, up to and including the board of directors for serious issues.  This often produces friction free agreements to introduce new risk treatments. Audit's primary purpose in life should be to to ensure senior management and board of directors are aware of the company's current residual risk status.  In companies where work units self-assess and share results upwards the role of IA is solely to ensure the process is producing  materially reliable information on the company's residual risk status. 


  1. The highlight for me is Richard's suggestion of storytelling and a shared narrative. If you look at any major change project - ranging from internal company projects through to political reform, then a shared narrative is everything. It's what determines success or failure. It's the reason why most big consulting projects have a dedicated change manager and great comms people on every project. We often forget that internal audit is in the change business. In terms of innovative practice, a client of mine once did an audit report on a wiki. The auditor wrote the report and the client responded, fact checked and even edited what the auditors had written IN REAL TIME! If I recall rightly, the report went from draft to signoff in 8 working days, instead of the usual 4-6 weeks. That's innovative! Picking up on Tim's point, some of us pushed the idea that the internal auditor's primary job is to give a second opinion on residual risk and improve the integrity, veracity and use of the organisation's risk system. Everything else is noise. Alas this is still taking time to catch on, but if you dig through the global internal audit manuals from at least one of the big 4 internal audit manuals from circa 2000/2001 you'll find that in there clear as day. (It may or may not be written in an Australian accent. ;) ) Thanks for raising all of this, a timely reminder for us all.
  1. Richard / Tim / Todd,

    So that one day a search engine can find it and accurately date when it was first said ... :) ... I am hereby calling out that the days of audit reports is coming to an end.  

    By the end of this decade, I predict that we will look back on audit reporting as we now know it in the same way that we look back at the early cell phones. 

    Yes the first generation of cell phones perform the same telephony functions as their current era cousins but it would be a brave person to argue that the circa 1973 Motorola is the same tool as the iPhone.

    As to what we will have - I have absolutely no idea but the process will be more about the engagement than the outcome.

    To borrow from perhaps the greatest American woman ever to have lived, Eleanor Roosevelt, and to name the moment that we let go of audit reports - forever now know as the Roosevelt Moment - may the future belong to those who believe in the beauty of their dreams!

    We as a profession just need to be brave enough to dream.

  1. For me, in report writing, accuracy trumps everything else.  We may disagree on what the facts mean, but there should never be any question about what the facts are.

    Once you have the facts, how you report it goes a long way on getting acceptance of the report.  The tone has to be non-adversarial and the facts presented in a balanced and objective way.

    Another key for me is knowing my audience.  I try to tailor the report to the reader and how they plan to use it.  This helps me determine the level of detail I need to include to gain the results I want to get.

    There are other things that may play into the audit report like correct grammar, style, corporate culture, etc.  But ultimately, the report is written to provoke someone to do something that you recommended.  Presenting the facts in a way that the reader can use the information can help that cause.

  1. Often times, the audit report is issued after the war is over and the issues resolved.  Not much value to the engagement client but a tribute to internal audit that they were there.  Prefer a string of management letters throughout the field work allowing audit to collaborate with the engagement client and resolve issues as they come up.

  1. I wholeheartedly concur with Jonnie Keith. 

  1. Dear don Mario:

    I'm sending this article because you have knowlege and you can tell me your opinion.



  1. Thanks, Richard for again raising this issue. As I teach and consult on audit reports, I've found the key is to understand report writing as a process and treat it accordingly. Here are strategies my clients tell me enable timely, impactful reports: (1) Set and track timeliness expectations. (1) Assess how readers use the report. Eliminate what they don't need and want or what obscures rather than clarifies. (2) Align the report design with the organization. The old paragraph-by-paragraph report is a dinosaur. Focus on navigation enabling readers to find what they need. Is the organization hard-edged and technically focused? The report will be a quick read with an edge. It likely will be an interactive, online interface. Is the organization softer and people-focused? The report will have "layers" and feel more approachable. It likely will be a PDF. (3) Define each report section contains and in what sequence. (4) If there's an Opinion, elevate it beyond a summary. Deliver the 15-second elevator speech. Replace audit-speak with messages about risks and actions. (5) Have auditors write workpaper text that can be lifted into the report. (6) Share Observations early with the audit customer; share the actual words and graphs you'll use in the report. Negotiate agreement on issues and wording as early as possible. (7) Ensure the staff understands what's expected. Train them. Develop models. Develop specifications for section content, sequence, and length. Specify metrics for sentence length and clarity. (8) Perform two-level reviews: substance first, then writing quality. If the substance is off target, there's no point in editing. If the substance is on target, only minor changes should be necessary. (9) Provide review comments; edit only in exceptional circumstances. (9) Don't let compulsive editors--be they audit managers or CAEs--derail the process.
  1. Agree with verything sais by all!


    Additional food for thought; I know a CAE who has decided to stop including audit recommendations to the auditees in his reports. His logic is that there are usually no major problem in convincing the auditees that an observation is relevant; however, it is sometimes (often) more difficult to come-up with an apporpriate and practical recommendation. This is why this CAE makes sure that the auditees agree with the observations andd the relevant related risks, and then requires from the auditee to come-up with their own action plans for adressing the risks at stake.

    If the CAE believes the action plans do not address properly the risks being raised by the internal auditors, then he adds a statement to this effect into the audit report (with explanatory reasons).


  1. Very nice and important topic. I beleive that in most idustries writing audit reports in a table shape (rather than the old paragraph style) is easier and more readable by the clients. A template table may be designed such that each cell hold certain element of audit finding: Observation, business impact, recommendation, management comments etc.

Leave a Reply