I’m taking a short break from my blog, so I’m reposting one of the more popular posts from previous years that remains relevant to today’s internal audit practitioners. This was originally published on Oct. 21, 2011. Enjoy.
I’ll never forget my seventh-grade English teacher telling us, “It’s not what you say, but how you say it that counts.” Obviously, she was exaggerating, but the point still stands: How we say things can make a difference. A well-written audit report should be a call to action, but a poorly written report can result in inappropriate action or in no action at all. In some cases, poor report writing can ruin working relationships or actively harm an auditor’s reputation. Little things can mean a lot, and at times, a minor change to how a recommendation is worded can make all the difference in how our suggestions are received.
Recently, I started with my own list and then asked several groups of auditors what words or phrases should never be used in audit reports. I even asked my friend, Sally Cutler, the noted internal audit report writing consultant. All and all, I got an earful. Some of their suggestions were definitely worth repeating, so here’s my new “Top 10” list of things not to say in an audit report.
Audit reports should offer solid recommendations for specific actions. When our recommendation is merely to consider something, even the most urgent call to action can become nebulous. No auditor wants a management response that says merely, “Okay, we’ll consider it.”
It’s tempting to hedge our words with phrases such as “it seems that” or “our impression is,” or “there appears to be.” It may feel safer to avoid being specific, but when you have too many hedges, particularly in the same sentence, there’s a danger that you are not presenting well-supported facts. Report readers need to know they can rely on our facts, and overuse of weasel words can make solid recommendations sound a little too much like hunches.
Because they can add emphasis, words such as “clearly,” “special,” “well,” or “very” might seem to be the opposite of weasel words. In actuality, these intensifiers are so nonspecific that they can be another type of “weaseling.” Intensifiers raise questions such as “significant compared with what?” and “clearly according to whose criteria?” If you use intensifiers freely, two readers of the same report may be left with very different impressions: Numbers such as 23 percent or $3 billion tell a story, but just what does “very large” mean?
It’s good to be specific, but there’s a danger in words such as “everything,” “nothing,” “never,” or “always.” “You always” and “you never” can be fighting words that can distract readers into looking for exceptions to the rule rather than examining the real issue. It’s safe to say you tested 10 transactions and none was approved — less safe to say transactions are never approved.
The purpose of internal audit reports is to bring about positive change, not to assign blame. We’re more likely to achieve buy-in when our reports come across as neutral rather than confrontational. The goal is to get to the root cause rather than to call out the name of the guilty party. It’s fine for a report to identify the party responsible for taking action on a recommendation — not so fine to say, “It was Fred’s fault.”
Making statements such as “management failed to implement adequate controls” will invariably annoy those to whom we are looking to implement corrective actions. Simply stating the condition without assigning blame through words like “fail” is much more likely to result in the needed corrective actions and help preserve our relationship with management for the next time we conduct an audit of their area.
A few years back, people undergoing an audit were most often referred to as “auditees.” Today, many experts believe that the phrase has negative connotations and that “auditee” implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as “audit client” and “audit customer” indicate that we are working with management, not working on them
Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear. If you use more than one phrase such as “transactional controls,” “stratified sampling methodology,” or “asynchronous transfer mode” on a single page of an audit report, don’t be surprised when some of your readers check out without reading to the end of the report.
It is tempting in audit reports to use phrases such as “internal audit found” or “we found.” Management will often bristle that you are taking credit for identifying something that wasn’t all that well-concealed. It comes off like you threw them under the bus, and then backed over them.
Work to get readers to remember your recommendations and take action — not to impress with pompous words or bloated phrases. Avoiding jargon is only the beginning: Try substituting “by” for “by means of,” “now” for “at the present time,” and “so” for “so as to,” for example.
I like to use the fifth-grader test: If an intelligent middle-schooler couldn’t understand your report, it may be needlessly complicated. Take, for example, this sentence from an actual internal audit report that basically says little things can add up:
“During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of individually immaterial items and in doing so relied on the assumption that it was appropriate to consider whether such impacts tended to offset one another or, conversely, to result in a combined cumulative effect in the same direction and hence to accumulate into a material amount.”
As always, I look forward to your comments.