Five Words to Banish From the Internal Audit Dictionary

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 


I recently spoke at a conference where one of the sessions was called “Four Most Dangerous Words in Finance.” It reminded me of a blog I wrote a few years ago called “Ten Things Not to Say in an Audit Report.” In that blog I wrote about types of things not to say. Beyond the categories of phrases or messages that I explored in that blog, however, lie a handful of words that are so useless or polarizing that they should be banished from the internal audit dictionary. 

Words have power. A well-written audit report is a call to action. A poorly written report can result in inappropriate action, or no action at all. On the one hand, you don’t want to be too vague, but on the other you don’t want to be perceived as too opinionated or antagonistic. Little things can make a big difference in how our recommendations are received. 

I’ve always been an advocate of straight talk. I also have coached scores of internal auditors on the dangers of populating an internal audit report with adjectives and other subjective terminology that often incite management to vehemently disagree with our conclusions. Here are the five words I’d like to banish from the internal audit vocabulary.

Failed – as in “management failed to adequately assess and mitigate risks.” Simply stating the condition without assigning blame is much more likely to result in corrective action and preserve our relationship with management the next time we audit their area.

Inadequate – “Management designed and implemented inadequate internal controls.” Inadequate is one of those adjectives that can elicit a strong disagreement from management officials if the word is used to describe their actions. I prefer to describe the condition and contrast the observation with appropriate criteria without attaching the adjective to individuals. If I do use the word “inadequate,” I use it to describe the controls and not the actions of management.  

Ineffective – “Management actions were ineffective.” Ineffective is another adjective that should be used sparingly. The word will often elicit a defensive response on the part of management. Rather than encourage swift concurrence with the audit report and implementation of corrective actions, words such as “ineffective” will result in prolonged negotiations over the final wording of the report. The result can be a deterioration of relationships with management and additional exposure or losses accruing from the delays in implementing corrective measures. 

Found – “We found…” This is grandstanding. We find things because they are there. To say that we found something shifts the emphasis to us. Just as “failed” alienates and belittles, “found” carries a superior “gotcha” tone that draws attention to the auditor and not the problem at hand or the corrective action required.

Appears – “It appears that…” In internal audit, things are or they aren’t. Weasel words can make solid recommendations sound like hunches. It may feel safer to avoid specifics, but too many qualifiers suggest you can’t back up your facts. I’d put “seems” in this same category. A few commenters on my earlier blog took exception with my classification of “appears” as a weasel word. However, I stand by my contention that “appears” should be banished from our reports.

As is always true in my blog, these are my personal views, and should not be construed as views or guidance from The IIA. This is just a conversation starter. I know some people have an aversion to “should,” “would,” “could,” and other auxiliary verbs. You no doubt have words you’d like to add to these five, and you may take issue with the words I’ve chosen. This is an open discussion. What words would you banish?

Posted on Jun 10, 2013 by rchambers

Share This Article:    

  1. I have often despised the word "adequate" when report writing. A favorite phrase of mine has been, "The control structure is adequate to obtain the objective." However, the more I thought about "adequate" the more I have come to the conclusion that it should be omitted from reporting. I rationalize this by thinking about my yearly reviews. It would not make me feel very good to see in print "Your work has been adequate this year."
  1. semantics dialectology etymology phonology morphology grammar syntax
  1.  Two comments

    1 - a long with "appears" and "seems", I suggest avoiding non accurate termos such as many, some, most, few and so on. Imeddiate question from management is "how much is...(whatever was written)

    2 - I understood for the first three words that it is not so much a matter of completely avoiding them, but avoid using them to judge management actions and use only to describe internal controls (in particular, inadequate). But being management responsible for implementing the internal control systems, won't that result in the same (even if indirectly)? If a say to a cook "this dish is awful", I am passing judgement on the dish, not on the cook. But who disagrees that the cook will fell offended?

  1.  How about also banning "auditee".

  1.  Let's banish the golden oldie 'revealed'. Using this word implies / implies something was being hidden. 

    Language  and the words we use are like swords!Use them carefully :)

  1. Thanks Richard

    Sometimes things are hidden until the IA brings them to light. You've spent so much effort data mining or just doing a diligent detailed check, and If words such as "revealed" or "found" are banished what's the next in line? Internal Audit "noted"?  i believe its the context of how the word is used. I don't mind using all three words in the report, explaining the "revealed" and "found" is an art! ". 


  1. Thanks for very useful suggestions.

    As far as  "client", I am against using this word for auditee in internal auditting.

    Internal auditor's client is not an audited section but is the board and president, though the same for the audit corporation might be the audited company, I believe.

  1. Thanks to you Sir Richard for bringing out the right topic at right time for deliberation and recording in your skillful site.

    As is rightly pointed out by you, words have power in built in them. There is a saying that, if you get injured by a burn from fire, it can be healed.;if you get injured by a hit, you can recover; but if you get injured by some words not acceptable to your mind and heart, the wound caused by such words can never be healed till death. That is when such unacceptable words are just told only. But , when such unacceptable words are put in writing, it will never be forgotten even after death also as it is carried over to next generation. Such is the power of words. But, to circumvent this scenario in our profession, a technique can be followed if all things remain the same. That is to say, as auditors we need to agree in advance with the Management as to what type of words they prefer us to avoid in the reporting and also agree with them what type of words are acceptable to them for minor, major and significant findings for enabling them for implementation of recommendations and in that way we can win the trust and confidence of all users of the report. Internal audit report is not developed with the sole intention of injuring and down sizing the management and the users. It is the reflection of what has gone before and that cannot be changed by them. So, Management might also be aware of their bad choice mostly, adding fuel to fire, we should not use any un-agreed words to express our observations and make them unco-operative. Any words not agreeable to Management are those which need to be banished form the lexicon of that internal audit department of that organisation. Different Management prefers different words for audit report for their action. Dev

  1. I am with Richard on this - the objective of reports in my mind is to inform the audit committee and to encourage management to take corrective action.   This means that reports should be based on facts not supposition and at least in the first instance (while forming a view on the subject matter) should not be judgmental of management.

    I can envisage a situation where persistent failure to implement important recommendations could lead to more direct criticism of management.  However I would say that scenario could mean that IA has failed to obtain "buy in" from management to recommendations and potentially there could be deeper issues around lack of  board support.  



  1. Richard: Thanks for raising this important topic. On a technical level I don't believe Internal Auditors can/should decide whether a particular status/situation is "inadequate" or "ineffective" or "failed" in the absence of real clarity on the organization's risk appetite and tolerance for that issue. Few organizations have articulated and agreed this with their boards for the full range of objectives necessary for long term success. My basis for these conclusions are laid out in a presentation on "wrong turns" made in Dubai last month that will form a core for a pre-conference workshop I will be presenting in October at the IIA All Stars Conference in New Orleans. For those interested, a link to a presentation outlining what's wrong with the status quo, including the wide spread practice of internal auditors concluding on "adequacy" and "effectiveness" is below:
  1. There is a big gap here about internal audit expectation. Audit Committee Charter is one document that clarifies many of the things mentioned here by various individuals on "words" and sentences in English language audit report delivery system in an organization. Internal Audit cannot implement audit recommendation. Internal Audit cannot take ownership on audit recommendation implementation for management. Therefore, it does not make sense about "management buying into audit recommendation" issue here when the process is followed between audit kick off, field work, audit testing, report writing, draft report discussed items and final audit report submission for management's agreed time line on the implementation for recommended corrective action based audit findings at the first place. Obviously, auditor who made the recommendation cannot accomplish audit objective if auditor takes ownership for the recommendation auditor himself or herself suggested based on control weakness in the control process/control objective.
  1. Dear Mr. Richard,

    I strongly recommend that you give a sample for those statements being banished so it is more clear to understand your thoughts. Explanation only is not enough.

    Thank you.


  1.  Hi Richard,

    I enjoy your work and appreciate the conversation starter.

    I agree that the first three and other "hot button" words are best avoided in almost all circumstances. However, I think you also need the intestinal fortitude to use them in the right circumstances when you really are trying to draw attention to actions that are unacceptable. It all depends on the context and what sort of reaction you are hoping for.

    I have no problem with the word "found" because your findings are what you are being paid for. "Revealed" or "uncovered" are in a different league, however, and are best avoided.

    Couldn't agree more with "appears" and other weasel words. Either you have the evidence to back up your conclusions or you don't. If you have to use the weasel word it is an indicator that you need to either do more work or adjust your conclusion.

    Thanks again, Scott

  1. Most of these words I agree with, but the term 'we found' doesnt necessarily constitute negativity or 'grandstanding' to me, unless of course everything contained in the audit report is generally negative!.  It is a simple word really, the past-participle of 'find' and its use in an audit report is as a verb rather than as an adjective. 

  1. A good part of my career has been focused on communicating risk and control vocabulary to Management. As I have studied leading strategy, management oversight and operations development I think there are many words that Internal auditors need to add to their vocabulary: 1. Strategy; the desired destination and the thing At Risk 2. Business or Functional Objective; the propose of a function within an organization that helps the organization delivery value and accommodate a variety of strategies. Also a the main thing At Risk 3. Management Oversight; what management does to implement and oversee progress towards objectives, mitigating risk 4. Operations Alignment; the combination of people, process and technology at the right level for the right challenge to efficiently and effectively move towards the current goals - impacts efficiency and effectiveness 5. Maturity and Vulnerability; the concept that management oversight, operations alignment and its related components are organic and grow with time, meaning that the level of internal maturity or vulnerability could be the greatest risk of all.
  1.  I read this and thought of a good natured way. How are you doing

  1. I think it would also help seeing that from the following perspective, I believe the usage of those words and any other words need to be in line with like what for is the engagement being carried on or to conduct that specific internal audit engagement, that is the objective for the engagement. Then if the objective is clearly and correctly stated the reporting words are usually linked to them. I thing it is also a good thing to provide what other words and how they could be used instead of those to be banished Thank you Sir
  1. Brilliant, I couldn't agree more with 'Appears'; precision is needed, no time for being vague!
  1. Words are carrier of message, whatever it may be. Let us just make sure that that your message use the appropriate words for your targeted audience. If you know your audience, then no need for word censorship. Facts need exact words while unfactual, hazy conditions but relevant to mention need some word qualifiers such as it appears or seems. Anyway, there is such a thing as preliminary conference, progress reporting, and closing or exit conference wherein issues such as word usage that could trigger hostility can be maturedly and intelligently discussed and if necessarily taken out or retained in the report as long as it is taken in proper context and explained and accepted. In my opinion, there should  be not much argument about it than what must be done to help parties make their working life better as that what really counts at the end of the day. Don't you think?

  1. My pet hate is inappropriate use of the word "ensure".  So many times we use the word when it is impractical.  Management should perform a reasonableness review of the payment proposal to ensure that no invalid payments are made.  Such a review may well help to reduce the risk that an invalid payment is made but it is asking too much to expect the review to guarantee that no invalid payments are made.  In this sense the use of the word is misleading and auditors are not in the business of misleading our audit clients.  I can live with ensure if it is prefixed with the word "help"  as in help ensure that .........

Leave a Reply