Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Eight Words Internal Audit Should Kick Out - The Middle Three​

Comments Views

Yesterday, I started sharing a list of words I think internal auditors should kick out of their vocabulary. Those first two were a bit obvious and I don't think anyone found either of them overly controversial. So, let's move on and talk about three more words internal audit should kick out. At first glance they may seem unrelated. But they do have something in common. (No prize if you figure out how they are connected, just the satisfaction of a job well done.)

Utilize: I've ranted about this one before. And if you've heard me speak – on just about anything – you've probably seen me sneak this in. But it bears repeating again and again and again until the whole world is bludgeoned into submission, accepting the profound truth of what I have to say. Okay, maybe that's a bit heavy handed (you think?), but this is a point worth repeating. And here is why.

"Utilize" is the symptom of our inability (of many professionals' inability) to speak succinctly, write precisely, and communicate simply.

Let's put it another way. Why use "utilize" when you can utilize "use"?

I've always preached that the best way to improve your writing is to start by writing the way you talk. Generally, you will find yourself better able to actually express what you need to say. But that isn't always the case.

I had an auditor who talked a whole lot worser than most everybody. He recognized the problem and, when preparing reports, would compensate by writing as if he were putting together the final paper for his doctoral thesis titled "On Controls, Control Breakdowns, and Why Your Inability to Understand and Comprehend the Connection Between These Two Items May Result in the Eventual Downfall of the Organization." Put more succinctly, he used a lot of big words and long, convoluted phrases. Editing his work was a process of unending strike-throughs and the repetitious admonishment "Simplify, simplify, simplify!"

Why do people use "utilize"? I believe that, just like that auditor, we are all still trying our best to sound like grownups. We are business people, after all, and we must be taken seriously. To accomplish this Herculean task, we work really, really, really, really hard at sounding very, very, very, very important and utilize all the multi-syllable words we have at our disposal.

And the meaning and importance of what we have to say dies of verbiage strangulation.

Watch the way you speak. Watch the way you write. Make it more succinct, make it more precise, and make it simple. And start with something as simple as the word "utilize".

Kick it out!


Mitigate: This is a perfect transition word between the one we just talked about ("utilize") and the one to come (no spoilers, you'll just have to keep reading to find out what that one is.) Here's a little test I like to give. It works for any word or phrase, but let's try it with "mitigate". Provide a definition of the word that a fourth-grader can understand and (perhaps more importantly) is short enough that it doesn't challenge their attention span.

I'll give you a couple of minutes.

I got the edits back from my most recent Internal Auditor column a couple of days ago. I had used the phrase "ensure risks are properly mitigated," a somewhat overused but perfectly wonderful piece of internal audit verbiage. In the editing process, the editors (a group far more skilled, practiced, and intelligent than I, proven every time they edit one of my pieces for the magazine – note, they do not edit these blog posts) had changed the phrase to "ensure risks are managed appropriately."

I had a eureka moment (without the attendant towel and running through the st​reets). Of course! The perfect word! Mitigate means nothing and says very little; manage expresses exactly what we all mean.

Now, you might argue that mitigate carries with it the connotation of reducing or making less. And you'd be right. However, our use of the word (in fact, the mere fact that it is internal audit using the word) seems to carry with it the idea that risks will be significantly reduced. And sometimes we seem to think that it means eliminating risks. Neither is true. And most of us (I hope most of us), understand that our role is much more. Our purpose is to help management manage those risks – review them, reduce them if necessary, go ahead and accept greater if necessary.

Not eliminate them. Not "mitigate" as the word is often interpreted. But manage them.

Look back at the fourth-grader definition you developed. What was implied in it? What was actually stated? Did you get across the idea that it is actually working with the risks, not against them?

Okay, I'm not for complete elimination of the word (well, actually I am, but you may say I'm a dreamer, and I may be the only one), but if we are going to use the darned thing, we better full well understand what it means. Until then…

Kick it out!

Which leads to …


Risk: I can already hear​ the wailing and gnashing of teeth, the outpouring of virulent outrage, the beating of breasts at the mere thought that risk should be removed from our vernacular.

Horrors! What travesty is being proposed?! An understanding of risk is fundamental to the success of internal audit as a department and a profession. Risk-based audit approaches are a necessity, risk-based planning is a necessity, and evaluating organizational risk assessment is a core objective for the profession (and required by the standards.) How can I say to remove it?!

Let me quickly pour oil on your troubled waters. What I want is elimination of the word until such time as the person using it actually understands what he or she is talking about. Ask a group of auditors if a risk to the achievement of an objective is that the objective is not achieved, and half of them will say, "Yes, that is a risk." I know. I've asked. It always goes 50/50.

And that is wrong. A risk is not the opposite of an objective. (If I am preaching to the choir, I ask your forgiveness. But I have seen far too much evidence that a significant portion of the choir didn't show for Wednesday's rehearsal.) A risk is the possibility of an event occurring that will impact the achievement of an objective. (That's directly from the Professional Practices Framework.) As a profession, half of us don't even understand the word we use so blithely. And we use it with our customers under the assumption that, just like us, they understand it perfectly.

Well, we don't. Which means they don't. And if we are going to use the word, then we better understand what it means, and make sure they understand what it means.

Until such time as auditing and its customers have a firm understanding and agreement on that definition…

Kick it out!

Okay, I went on a little long today (not like that ever happens). But, as noted, I wanted to cover these three because of the interesting way they are connected. Tomorrow, let's take on a few sacred cows. (Yes, even more sacred than "mitigate" and "risk".)

And, as with last time, let me know any words you'd like to see kicked out. And be sure to let us know why.​

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
  • SCCE 2018 June 19-30_Blog 1
  • IIA_Symposium_June2018_Blog 2
  • IIA_QAL_June 2018_Blog 3