The International Professional Practices Framework does not require internal auditors to issue a written report. So auditors can, in theory, communicate engagement results through any medium that suits the function and the client. For most departments, though, this is done via a written report that documents the engagement and prompts senior managers to action.
A well-written internal audit report, which some may argue is a rare thing, should be easy to read and review and even easier to act on. Whether new or experienced, internal auditors can always benefit from a refresher on the basics of audit report writing.
WHAT GOES INTO A REPORT?
Implementation Standard 2410.A1: Criteria for Communicating, states: “Final communication of engagement results must include applicable conclusions, as well as applicable recommendations and/or action plans. Where appropriate, the internal auditors’ opinion should be provided.” What should internal auditors include to make sure their reports meet these criteria?
Findings Also called issues or observations, audit findings are the results of observation and testing during an engagement. They may be nonexistent or failed controls, but also can include instances of good practice that the auditor wants to share with the client. It’s crucial to communicate any issues clearly, so the client understands the problem and why he or she needs to act.
Many internal audit departments follow the five Cs model to structure their audit findings discussion for clients: criterion, condition, consequence, cause, and corrective action. However, the nonnegotiable elements are condition, cause, and consequence.
Another way to articulate condition, cause, and consequence is to ask three important questions:
- Who is not doing what, or what is not in place? The report should indicate what observation and testing produced — evidence of inadequate or ineffective controls. For example: “Senior managers in the facilities security team do not check applicants’ backgrounds for criminal or other relevant records.”
- So what? The answer to this question should be a real risk statement. In other words, auditors should state the real-world harm that has occurred, or could result from, the control weakness, rather than just another failed control. For example: “As a result, the organization may risk reputational damage and financial loss if it hires people who have a history of theft or other crimes.”
- Why? Internal auditors should not settle for a superficial reason or a repetition of condition as the answer to this question. Instead, they should channel their inner four-year-old and keep asking, “Why?” For example: “This has arisen because senior managers in the facilities security team have not updated hiring processes in line with group policy, which requires background checks.”
Executive Summary Once internal auditors have articulated the key findings, it’s time to write the executive summary. The IIA Practice Guide, “Audit Reports: Communicating Assurance Engagement Results,” says the executive summary should “provide a clear and concise overview of the engagement results and efficiently deliver critical information with a persuasive, well-substantiated key message to stakeholders.” However, the summary should not be a condensed recitation of the findings.
Many clients will only take the time to read the executive summary, so it needs to provide high-level headlines. Broader themes such as underlying cultural or behavioral problems, a lack of governance, or other big items must feature in the executive summary.
Internal auditors should try to limit the executive summary to a short paragraph. It’s harder than people think, but readers appreciate such concise communication.
HOW TO WRITE IT
Standard 2420: Quality of Communications says, “Communications must be accurate, objective, clear, concise, constructive, complete, and timely.” To communicate in this way, internal auditors should follow the ABCs to keep writing active, brief, and concrete.
Active The audit report should be written in the active rather than passive voice. Instead of saying, “The report was reviewed by the manager,” the report should say, “The manager reviewed the report.” The active version is shorter and clearer.
Often, report writers leave out the performer of the action altogether. For example, “The report was reviewed” is short, but it omits what could be useful information. A sentence such as, “The findings were discussed, rewritten, approved, and issued” contains four actions and no hint as to who performed any of them. One person? One team? Different people on different teams? The active voice helps avoid such confusion.
Because the active voice puts the responsible parties or area first, it may come across as blaming. However, overusing the passive voice produces writing full of vague, possibly misleading sentences. A good rule of thumb is to keep the use of passive voice in the report below 20%, which Microsoft Word readability statistics can calculate.
Brief Report readers are busy, so internal auditors should use simple words and keep sentence length to 20 words at most (in English). Why would anyone want to wade through 20 pages when they could grasp the message in fewer than 10 pages of plain language? Again, Microsoft Word’s readability statistics function will help, as it provides the average number of words per sentence in a document.
Concrete One way internal auditors can make their writing less abstract is to avoid nominalizations (also called verbal nouns). This happens when the writer takes a verb — analyze — and turns it into a noun — analysis. The result is a longer sentence. Instead of saying, “We performed an analysis of the data,” the writer should say, “We analyzed the data.”
Nominalizations make writing even harder to follow when people disappear completely from the sentence: “Analysis and further investigation led to discussions and decision-making.” The reader cannot determine who is analyzing, investigating, discussing, and deciding.
Some auditors may shy away from communicating so directly, especially in cultures that may see this as rude. However, if internal auditors have performed the engagement thoroughly and have material findings to report, the reader needs to know. Whether in reports, emails, or briefings, the ABCs will make it easier for readers to understand the message and act on it.
TRUSTED ADVISORS, TRUSTED REPORTS
When internal auditors understand their audience, keep communication factual, and focus on solutions, they create a professional and positive impression. They also avoid sending mixed messages and then wondering why no one has acted on the report recommendations.
Report writing — like all working practices — has changed greatly since the pandemic and will continue to evolve. Many internal audit departments are communicating more by phone and video, and producing more concise, targeted reports. With that goal in mind, internal auditors who can convey more with fewer words are of greater value to the organization.