Ten Things Not to Say in an Internal Audit Report

Richard Chambers, CIA, CGAP, CCSA, shares his personal reflections and insights on the internal audit profession. 

I’ll never forget my seventh-grade English teacher telling us, “It’s not what you say but how you say it that counts.” Obviously she was exaggerating, but the point still stands: How we say things can make a difference. A well-written audit report should be a call to action, but a poorly written report can result in inappropriate action or in no action at all. In some cases, poor report writing can ruin working relationships or actively harm an auditor’s reputation. Little things can mean a lot, and at times, a minor change to how a recommendation is worded can make all the difference in how our suggestions are received.

Recently I started with my own list and then asked several groups of auditors what words or phrases should never be used in audit reports. I even asked my friend, Sally Cutler, the noted internal audit report writing consultant. All in all, I got an earful. Some of their suggestions were definitely worth repeating, so here’s my new “top 10” list of things not to say in an audit report.

1.     Don’t say, “Management should consider…”

Audit reports should offer solid recommendations for specific actions. When our recommendation is merely to “consider” something, even the most urgent call to action can become nebulous. No auditor wants a management response that says merely, “Okay, we’ll consider it.” 

2.     Don’t use “weasel words.”

It’s tempting to hedge our words with phrases such as "it seems that" or “our impression is” or "there appears to be." It may feel safer to avoid being specific, but when you have too many hedges, particularly in the same sentence, there’s a danger that you are not presenting well-supported facts. Report readers need to know they can rely on our facts, and over-use of weasel words can make solid recommendations sound a little too much like hunches.

3.     Use “intensifiers” sparingly.

Because they can add emphasis, words such as “clearly,” “special,” “well,” or “very” might seem to be the opposite of weasel words. In actuality, these intensifiers are so non-specific that they can be another type of “weaseling.” Intensifiers raise questions such as “Significant compared to what?” and “Clearly according to whose criteria?” If you use intensifiers freely, two readers of the same report may be left with very different impressions: Numbers such as 23 percent or $3 billion tell a story, but just what does “very large” mean?

4.     The problem is rarely universal.

It’s good to be specific, but there’s a danger in words such as “everything,” “nothing,” “never,” or “always.” “You always” and “you never” can be fighting words that can distract readers into looking for exceptions to the rule rather than examining the real issue. It’s safe to say you tested 10 transactions and none were approved — less safe to say transactions are never approved.

5.     Avoid the “blame game.”

The purpose of internal audit reports is to bring about positive change, not to assign blame. We’re more likely to achieve buy-in when our reports come across as neutral rather than confrontational. The goal is to get to the root cause rather than to call out the name of the guilty party. It’s fine for a report to identify the party responsible for taking action on a recommendation — not so fine to say, “It was Fred’s fault.”

6.     Don’t say “management failed.”

Making statements such as “Management failed to implement adequate controls” will invariably annoy those to whom we are looking to implement corrective actions. Simply stating the condition without assigning blame through words like “fail” is much more likely to result in the needed corrective actions and help preserve our relationship with management for the next time we conduct an audit of their area.

7.     “Auditee” is old-school.

A few years back, people undergoing an audit were most often referred to as “auditees.” Today, many experts believe that the phrase has negative connotations and that “auditee” implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as “audit client” and “audit customer” indicate that we are working with management, not working on them.

8.     Avoid unnecessary technical jargon.

Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear. If you use more than one phrase such as “transactional controls,” “stratified sampling methodology,” or “asynchronous transfer mode” on a single page of an audit report, don’t be surprised when some of your readers check out without reading to the end of the report.

9.     Avoid taking all the credit.

It is tempting in audit reports to use phrases such as “internal audit found” or “we found.” Management will often bristle that you are taking credit for identifying something that wasn’t all that well concealed. It comes off like you threw them under the bus, and then backed over them. 

10. If it sounds impressive, you probably need a re-write.

Work to get readers to remember your recommendations and take action — not to impress with pompous words or bloated phrases. Avoiding jargon is only the beginning: Try substituting “by” for “by means of,” “now” for “at the present time,” and “so” for “so as to,” for example.

I like to use the fifth-grader test: If an intelligent middle-schooler couldn’t understand your report, it may be needlessly complicated. Take, for example, this sentence from an actual internal audit report that basically just says little things can add up:

“During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of individually immaterial items and in doing so relied on the assumption that it was appropriate to consider whether such impacts tended to offset one another or, conversely, to result in a combined cumulative effect in the same direction and hence to accumulate into a material amount.”

Enough said. And then some.

Lists like these are often very personal. I am sure my list will generate some controversy — both for the things I included and the things I didn’t. So, let’s get the dialogue started. What else is on your list of the top things never to say in an audit report?

Posted on Oct 21, 2011 by rchambers


  1. Audit Report is the final product from the auditor. It has gone from draft to final report. Therefore, cosmetic changes to the report should not drive the attention of the auditees rather the audit findings, comments and agreed recommendation. Disagreed audit recommendation considered important by auditor and not by the senior management should state both auditor and senior management comments. Hence, the board can make the decision on management risk posed in the audit report. The auditing standards should be on the agenda here for compliance & standards.

  1. Well written article. Sir, one should try to:

    i.     Keep sentences short and terse;

    ii.    Be firm in one's findings and say them clearly without mincing words;

    iii.   The wording should indicate that the audit is part of the organisation and not against the organisation.

    May contact at taxopinion@gmail.com

    Thank you.

  1. Words and phrases to avoid include the following:

    "There is evidence of...." (If there was none, it would not have been raised correct?), "There are weaknesses in..." (Just explain the point and avoid that phrase), "At the time of the audit...." (It can't be from last year or next month!), etc.

    It takes a lot of practice to produce a good audit report. After more than 10 years in IA, I still am learning new things every time. Good article Sir and keep them coming!!

  1. Names of employees/clients and similar should not be a part of audit finding, unless it cannot be avoided (in cases of Internal Fraud investigation it might be necessary to write full names of employees involved).

    Instead, unique identifying codes should be used (Social security code, company code, Tax code, or similar).

  1. Richard, I am sorry.  I have to disagree with the first two things on your list.

    1.  Don't say, "Management should consider....."   That statement by itself is ok.  However, you go on to say that audit reports should offer solid recommendations.  That could be a potential pitfall if you, the auditor, are not an expert in the subject matter in which you audited.  This is especially true (uh, oh, intensifier!) if you work at a small company or firm.  Raven Caitlin, who instructed an FMS I/A workshop in Nashville a couple of years ago, advised using agreed upon procedures with management as opposed to recommendations when addressing exceptions, reportable conditions or internal control weaknesses.  I took her advice.  Now, my audits are more effective than ever.

    2. Don't use "weasel words."  In my opinion, these are not "weasel words."  These are words that are meant to protect you as an auditor from management criticism.  I agree you should not overly use these words.  If you do, then it makes you "appear" as somewhat of a charlatan to your audience.  However, if you are presenting your report to your board or senior members of management, it is not a bad idea to use a few of these hedge words regardless how much research, time and work you have put in to your audit.

    I agree with the rest of your well-written article.

     

  1. If you can not get your point across in the first 25 words, you need to rethink what the point is in the first place.

  1. Hi All,

    Your comments are much appreciated, I am very new to the internal audit process and the guidance is very helpful.

    Thanks a Mill

     

  1. Great points.  I am pleased to say we follow most of the points addressed in the article as we write our audit reports.  The one exception is that we will use "we recommend management consider" with best practices or modifications to policy or processes where we are not requiring implementation, but believe it would enhance management's current practice.   I'm interested in how others address these. 

     

  1. I agree strongly with Pat, the first two points raised by Richard are difficult not to do. First and foremost as auditors our job is to recommend and not to instruct management on what to do, they may have a better way to address the recommendation and we are supposed to be independent so we are just selling an idea, it is thus difficult to avoid using "management should consider", maybe Richard should also have told us the best phrase to use....

     

  1. I agreed with Pat. 1. Don't say, "Management should consider....." I think it's fine, particularly when there was an issue noted and the solution could be multiple. Internal auditor can just make recommendation but ultimate business decision is upon local management since they take the responsibility. I also disagree with Rose's comment regarding not using "at the time of the audit". You might be auditing a site of their last 12 months financials and the issue noted in the then financials might be changed now. So you need to provide a time frame or readers might get confused.
  1. hi,,,

    i am very happy to read all the points.

    it should b very helpful in my life & i hope u will also help me in this way.

    m very thankful to u for this great information.

    May God Bless u. 

  1. Spot on, Richard!

    To expand a bit on "Management should consider...", I've wrestled with this more than once.

    "Management should consider..." is too weak, as you suggest.

    However, using "Management should..." to me makes the auditor sound arrogant (we know what has to be done, how come you don't?), and also, as mentioned in an earlier post, the auditor may not be a subject matter expert in the area under review. 

    Over time I've come to settle on "Management could..." whether there be multiple options available or an agreed upon action hasn't been identified. Use of the word "could" puts the focus on the "auditor as partner/problem solver", and eliminates the "arrogant auditor", "auditor as expert" connotation, and the "don't hold the manager accountable for outcomes" syndrome ("the auditor told me to do it"), all implied by use of the word "should".  

    Even in a circumstance where the issue is non-compliance with a law, regulation, or policy (where it might seem appropriate to say "Management should comply..."), stating the obvious doesn't cut it, the real issue being identification of the root cause and actionable options for correcting the situation (things that "could" help solve the problem).

  1. Here's a thought, instead of "management should consider" why not just write, Management has agreed to...... Bottom line, this report should not surprise the recipient... they should know what you found. There should have been an agreement between the auditor and the manager as to how they will remediate the issue.

  1. As Head of Internal Audit, I appreciate the points mentioned in the article . Very useful.

    Thanks and Regards

     

  1. Mr. Chambers, thanks for your beautiful article. It is quite enlightening and helpful to me as an Internal Auditor. On the issue of ..."management should or could consider..." the line to toe should depend on the attitude of the mgt. towards previous Audit recommendation and the expertise of the Auditor in a particular audit area. However, to maintain peaceful working relationship, we should use word that unites such as mgt could consider. In addition, when the auditor discovers lapse(s), explanation should be obtained from the concerned audit client and same included in the report before recommendation to avoid one sided report that could be faulted during the discussion of observation

  1. Great article, Richard. No controversy for me. The audit report is invariably the most important product of any audit assignment. Without getting into semantics, my view is that it should also be balanced (complete and objective) reporting of the issues and recommendations that are practical. Not an easy feat but neither is it impossible as I am sure many internal auditors will have to contend with the 'political sensitivities' within their organisations.

  1. Great article, thanks Richard.

    If I may add to the thoughts on "management should...": It is our house style not to use that phrase at all, and to re-cast the sentence in the neutral voice.

    So for example instead of "Management should review all user accounts on a regular basis" we write "All user accounts should be reviewed on a regular basis". We also ensure that each recommendation in the report is associated with an owner, so it becomes clear who is responsible for carrying out any actions.

    I agree that asking management to consider things often results in no action! So an alternative phrasing might be "Consideration should be given to (doing X)... and should the decision be taken to not do this then (Y should be done instead) and the resultant risk appropriately accepted."

  1. A very useful information. I have been educated a lot through this article and the comments. Thanks
  1. Dear Richard,

    Congratulations on your article. Excellent.

    I understood your message about avoiding the famous recommendations that we here call "gaseous," as well as the use of adjectives or adverbs whose only function is to shift the reader's focus.

    Regards.

     

  1. My other pet peeve in audit reports is the use of the phrase "It should be noted that...".  Of course, you think it should be noted, that is why it is in the report in the first place!

  1. I love that this posting continues to get comments - it's timeless! One to add: "It's obvious that........" "Auditee" (#7): On this one I'm old school - maybe "retro." This term is descriptive and proper. Auditees are people who are subject to audit procedures, and they can be in many parts of the organization for the same audit. We are in the IIA, an organization composed of auditors. We get degrees, education, designations, and ongoing training. Who do we depend upon for successful audits? --> The auditees. Yet very little is done for them. People are subject to audits not just by Internal Audit, but also by others: customers; industry associations; ISO 9000 auditors; ISO 14000 auditors, etc. I think better to recognize the term "auditee" and give it the respect (and the resources & attention!) it deserves. People may regard "secretary" as an unworthy title, but I think that's more reflective of baggage we place (or we allow others to place!) on the term. There's no need to call someone an "administrative assistant" if being a "secretary" is held in its proper [high!] regard. Let's hear it for secretaries - and auditees!
  1. I was an internal auditor many years ago with a now defunct US Bank (no connection between my employment and their demise!!) and the report was the final product of our work, with all the points well discussed and agreed with the "management" before it hit print. My recollection was that the best received points and most effective reports came from those times when we had built some mutual respect in terms of subject knowledge during the process. This allowed for less forensic syllable by syllable examination of the final report.

    We also kept the less significant or less certain points for a more private side letter (a little like a yellow card). This was a powerful tool that was unfortunately phased out once the audit function started being measured by the number of points they made/raised. This drove more, contentious or less well researched points into the main report.

    I know the creed "we are only here to help you" is one most Internal auditors live by, it is not always seen that way from the other side. I think the issue is much more than the words used!!!

     

     

  1. I agree with IJS, in most cases it is not about the words, but the attitude of internal auditors and management and mutual respect and understanding of roles and responsibilities of each party. In my case, I faced a situation when we had numerous comments from the management about format, about recommendations, about ways of asking questions...and we considered all comments and further improved the report. But there were no such improvements from management's side: most of recommendations were not being considered for years...so, the question is raised, why does this company need internal audit with beautiful reports, which are liked by the management?!

     

  1. Very very true for every Internal Auditor..

    Thanks a lot for providing such simple things in big words...

  1. On the "Management should consider" point I agree with many of the responses that there are often multiple solutions to problems of any significance. Therefore it is hard to avoid the spirit of asking Management to consider..

    How we have dealt with that is to make the action for management to research the suggested solutions by a set date, and upon that formally accept the risk via a defined process, or propose their approach to manage the risk in consultation with internal audit which then spawns another action.

    To me this allows the cost/benefit angle to be considered, but does not let management simply "consider" and that is all.

    I think for advisory work, as opposed to assurance, it would be very acceptable to simply suggest advice.

  1. In the point "Management should consider ....". Use of management can be avoided but while giving recommendation use of word "should" should be very well accepted. This gives confidence to reader / stakeholders of the audit report. Use of word "Could", should be avoided. It indicates that the auditor is not sure of his recommendation. Auditors are professionals to find out any process / control gaps etc, and report the same to audit committee. They have to maintain their dignity as an auditor and also show their professionalism.

    Secondly, I have one more point to add that can be avoided in audit report. Using of words interchangeably. E.g. using of both the word auditee & management; using of word "material", "items", "inventory". Using all such words will confuse the reader. Throughout the Audit report, using of the word should be consistent.

    While using the acronym / abbreviation, ensure that the first time it is explained.

     

     

  1. Good article and highlighted the common audit report drafting mistake normally committed in initial years of IA profile by IA professionals.

    Giving precise time of your audit observation in the report is perfectly all right as you  same will give the exact information to auditee and if same is rectified after your observation and final report release your facts remain correct and you don't  certify and own the correctness before or after that. 

    I don't find any harm using word auditee although one can use business stakeholders or process owners. Quantifying your observation is 100% needed no names or blame game required.

    Language of the report should convey that you are integral part of the organization and you are there to support the business. Writing recommendations using should is acceptable because it is already agreed between auditor and business process owner.

    Wherever there is disagreement on recommendations or observation itself  audit report should include business process owner's point of view to give complete picture to decision makers and leave to their judgement.

    Now a days action plan and target date of agreed recommendations are part of final report.

    Even after fifteen years in IA and 12 years in same industry I am still learning how to draft effective audit report.

    We keep on learning for our whole life.

    Thanks for wonderful contents of IA report writing.

     

  1. Excellent points - I agree on all points made. I have extensive audit / consulting experience and over the years have either come across some of these words or phrases used in reports or have previously used them myself (early on).

    Over the years, it has become increasingly important to ensure you try to eliminate damaging the working relationship as most certainly it may backfire even with the greatest of intentions.  That said, it is also important to stay neutral and not downplay the significance of any of the findings - I have also seen a significant number of these instances as well - sugarcoating should not be an option as this only hurts the credibility of the profession in giving the appearance that opinions/results can be bought.

  1. Good, solid report-writing advice. When I joined IT audit in Citigroup we had a training class and, luckily, most of this was discussed.

    I'd like to note that the antidote to "weasel words": "It is what it is" ... facts, data, no drama, no judgement. If you have a compelling case then your reader will respond.  No amount of spin and tweaking is going to make a weak audit report into a strong call to action.

  1. I would suggest that one way around the "Management should" recommendation is to focus on the end result.  For instance, "management should find a way to streamline reporting", without specifically stating how they should go about it.  "When food cost percentage is examined on a regular basis, errors can be identified right away and eliminated as a possible cause of variances so management does not waste time speculating about said variances a year later" instead of "Management should investigate variances monthly."

  1. Thanks for this great article and the precious conversations, in my opinion just "management to" is more effective than should or could, and "management should consider" can be replaced by "Management to assess the feasibility of" accordingly your assessment for derivables will be based on a kind of feasibility study presented not just "will be considered in the future"

  1. Current article. Crux of the problem - the internal auditor cop or advisor?

    Thanks 

  1. Totally agreed. Don't use "management should consider..." in the report. We should write ..."management accepted the recommendation and agreed to implement..." or "management agreed ...".

    "management should consider.." is only used in the audit exception / observation report for the audit management's response during in the field work.

  1. This is spot on!!!  I love those weasel words............audit reports are full of them and they are used to "soften" things up.  Usually clients want them  included to avoid the potential "blame game".  Being positive about corrective action and giving clients credit for the things that are going well will help eliminate the need for the "weasel".

    I have worked in organizations where we have eliminated recommendations and gone straight to action plans.  We work with the client to find solutions as they understand aspects of the business way better than auditors do!  This really moves the reporting process along!!

     

  1. In my opinion the word " Management should consider" can be replaced by "Management may consider" it's quite.

  1. Excellent article, it really has helped me when putting together my audit report. Please keep the good suggestions coming, it will continue to help other auditors throughout the world.

  1. Auditor's reports play a vital role in estimating the performance of a business. So the auditor should note reliable and effective items while doing the internal audit report. This blog shares some of the tips, which gives valuable guidance to the auditor.
  1. I found this article useful. I confess that I am guilty of some of the things in there, particularly #1 and #2. I also found some of the comments here useful. It is difficult being a one-man IA Department. I am still learning.
  1. The above article remained very useful for me. I learned many things from this. Thanks
  1. On point #9 (avoid taking all the credit), what should we say instead? I am new to Internal Audit, fresh out of Big 4, and I can’t bear to read the Internal Audit Report. One of my biggest issues is saying “our review identified.” For example: “Our review of 20 employee files identified one missing I9” or “our review identified 2 bank accounts that were not properly reconciled.” My 9th grade grammar teacher would say, “your review does not walk, does not talk, does not wake up in the morning and go to the office and does not identify anything.” If I was to write those statements I would say, “During our review, WE identified…” But I guess that would be a violation of rule #9. What are some recommendations? Or should we just stick with “our review identified?”
  1. Can an auditor start his report with positive and improvement related words? He may then start his findings. Please let me know.

  1.  I take a look at your blog it's really great......Thanks for sharing such a valuable information with us...

     
