Ten Things Not to Say in an Internal Audit Report

I’ll never forget my seventh-grade English teacher telling us, “It’s not what you say but how you say it that counts.” Obviously she was exaggerating, but the point still stands: How we say things can make a difference. A well-written audit report should be a call to action, but a poorly written report can result in inappropriate action or in no action at all. In some cases, poor report writing can ruin working relationships or actively harm an auditor’s reputation. Little things can mean a lot, and at times, a minor change to how a recommendation is worded can make all the difference in how our suggestions are received.

Recently I started with my own list and then asked several groups of auditors what words or phrases should never be used in audit reports. I even asked my friend, Sally Cutler, the noted internal audit report writing consultant. All and all, I got an earful. Some of their suggestions were definitely worth repeating, so here’s my new “top 10” list of things not to say in an audit report.

1. Don’t say, “Management should consider…”

Audit reports should offer solid recommendations for specific actions. When our recommendation is merely to “consider” something, even the most urgent call to action can become nebulous. No auditor wants a management response that says merely, “Okay, we’ll consider it.” 

2. Don’t use “weasel words.”

It’s tempting to hedge our words with phrases such as “it seems that” or “our impression is” or “there appears to be.” It may feel safer to avoid being specific, but when you have too many hedges, particularly in the same sentence, there’s a danger that you are not presenting well-supported facts. Report readers need to know they can rely on our facts, and over-use of weasel words can make solid recommendations sound a little too much like hunches.

3. Use “intensifiers” sparingly.

Because they can add emphasis, words such as “clearly,” “special,” “well,” or “very” might seem to be the opposite of weasel words. In actuality, these intensifiers are so non-specific that they can be another type of “weaseling.” Intensifiers raise questions such as “Significant compared to what?” and “Clearly according to whose criteria?” If you use intensifiers freely, two readers of the same report may be left with very different impressions: Numbers such as 23 percent or $3 billion tell a story, but just what does “very large” mean? 

4. The problem is rarely universal.

It’s good to be specific, but there’s a danger in words such as “everything,” “nothing,” “never,” or “always.” “You always” and “you never” can be fighting words that can distract readers into looking for exceptions to the rule rather than examining the real issue. It’s safe to say you tested 10 transactions and none were approved — less safe to say transactions are never approved.

5. Avoid the “blame game.”

The purpose of internal audit reports is to bring about positive change, not to assign blame. We’re more likely to achieve buy-in when our reports come across as neutral rather than confrontational. The goal is to get to the root cause rather than to call out the name of the guilty party. It’s fine for a report to identify the party responsible for taking action on a recommendation — not so fine to say, “It was Fred’s fault.”

6. Don’t say “management failed.”

Making statements such as “Management failed to implement adequate controls” will invariably annoy those to whom we are looking to implement corrective actions. Simply stating the condition without assigning blame through words like “fail” is much more likely to result in the needed corrective actions and help preserve our relationship with management for the next time we conduct an audit of their area.

7. “Auditee” is old-school.

A few years back, people undergoing an audit were most often referred to as “auditees.” Today, many experts believe that the phrase has negative connotations and that “auditee” implies someone who has something done to them by an auditor. Internal audit has become a collaborative process, and terms such as “audit client” and “audit customer” indicate that we are working with management, not workingon them 

8.     Avoid unnecessary technical jargon.

Every profession needs a certain amount of technical jargon, but the more we can avoid audit-speak, the more we can be sure that the message is clear. If you use more than one phrase such as “transactional controls,” “stratified sampling methodology,” or “asynchronous transfer mode” on a single page of an audit report, don’t be surprised when some of your readers check out without reading to the end of the report.

9. Avoid taking all the credit

It is tempting in audit reports to use phrases such as “internal audit found” or “we found.” Management will often bristle that you are taking credit for identifying something that wasn’t all that well concealed. It comes off like you threw them under the bus, and then backed over them.

10. If it sounds impressive, you probably need a re-write.

Work to get readers to remember your recommendations and take action — not to impress with pompous words or bloated phrases. Avoiding jargon is only the beginning: Try substituting “by” for “by means of,” “now” for “at the present time,” and “so” for “so as to,” for example.

I like to use the fifth-grader test: If an intelligent middle-schooler couldn’t understand your report, it may be needlessly complicated. Take, for example, this sentence from an actual internal audit report that basically just says little things can add up

“During the aforementioned examination of the accounts undertaken by the internal auditors, the team evaluated the cumulative impact of individually immaterial items and in doing so relied on the assumption that it was appropriate to consider whether such impacts tended to offset one another or, conversely, to result in a combined cumulative effect in the same direction and hence to accumulate into a material amount.”

Enough said. And then some.

Lists like these are often very personal. I am sure my list will generate some controversy — both for the things I included and the things I didn’t. So, let’s get the dialogue started. What else is on your list of the top things never to say in an audit report?