Writing an audit report is serious business. But for auditors, it usually is one of the last things to do before closing the audit job and going to the next one. Not all auditors writing the audit report are necessarily familiar with the audience of their report. And that results in a failure to hit the right tone and language for the report. In my opinion,
the audience should determine both content and tone of the audit report
But why is that, and why is writing a good quality audit report so difficult?
On the one hand, your target audience is not necessarily as literate in organisational language and procedures as the internal auditors or the auditees are. After all, the members of the audit committee are selected on the competences and experience they can add to the organisation to strengthen its governance structures. They bring often very specific expertise, be it financial or subject matter. The in-depth understanding of the inner workings of the organisation are not necessarily present in an audit committee.
On the other hand, an internal audit report is often a technical assessment of an issue or a set of issues in an organisational process or a set of processes. Nuance can make all the difference between adapting the procedural framework to enhance existing controls or surpressing the activity all together because the exposure is deemed too important to patch.
A high quality audit report brings both clarity for the audit committee member and nuance for the auditee.
The internal audit report needs to be concise. It needs to be read and understood by each member of the audit committee in as little time as possible. It should also provide an adequate base for nuanced recommendations. Combining these challenges into one approach is not an easy task, but one a good auditor should master. I use a couple of guidelines which work for me.
Guideline 1 – Say what you have to say upfront
I’ve read quite a few audit reports which lose themselves and their readers in pages and pages of scope exceptions before coming to the point. While it is okay and even advisable to write a short introduction which describes the context and limitations of the audit, the formal scope limitations can be pushed towards the back of the report, even to the appendices.
Rather, as an auditor you need to get to the point as quickly as possible without losing your audience. By preference, state your conclusion in the very first page of the summary, then go about explaining how you got to that conclusion.
Guideline 2 – Speak clearly, concisely and understandably
If the subject matter is technical, auditors tend to adopt the organisational language. This may make us feel safe because we adopt the language of the auditee, but it is confusing to the audit committee members. They will get confused and before long abandon reading the report all together.
At best, you’ll get a lot of very critical questions from the highly irritated audit committee, at worst you’ll get nothing at all.
If you fail to convince your audit committee of the relevance of your audit and your findings, you will not only have invalidated the work on that specific report. You will have jeopardised your own continued relevance as internal auditor as well.
Guideline 3 – Conclude sensibly
Findings are one thing, but at the end of the day it’s not the finding that will make the difference. Your conclusion and the subsequent recommendations are what will assist the organisation in improving its internal controls, risk management and governance. Your recommendations need to be understandable, as per guideline 2, but they also need to be sensible.
A sensible recommendation is the best possible, realistic, implementable recommendation. But in order to develop those, you need to …
Guideline 4 – Involve your auditees in validation and recommendation
You need to involve your auditees, not only in developing the recommendations, but in the validation of the findings and conclusions as well. There is nothing more unnerving to an audit committee member than being faced with a technical disagreement between auditee and auditor during the presentation of a report to the audit committee. That simply shows the auditor did not adequately perform his work.
Confronted with that situation, audit committee members will drop out of the conversation, get confused and eventually become highly insecure as to the relevance of the findings, the conclusions and the audit report as a whole. They should and will send you back.
To avoid that, you need to make sure that most if not all potential points of friction have been adequately cleared before going into the audit committee meeting.
Guideline 5 – Drop information irrelevant to the audit committee
This one will hurt. I know that fear of lack of audit report volume is a known abberation of internal auditors. We fear the long days, nights, weeks and sometimes even months slaving on audit tests will never be properly represented by a mere 20 pages of audit report. But we fail to understand that fat reports indicate an inability to appropriately synthesize, a major deficiency for an internal auditor.
If technical information is essential, put it in an appendix, or even better, put it in a separate report for the auditee, provided it has been appropriately reconciled with the report to the audit committee. This will ensure completeness of both reports.
To recap
If you …
- say what you have to say,
- speak (or write) clearly, concisely and understandably,
- conclude sensibly,
- involve your auditees in validation and recommendation, and
- drop information irrelevant to the audit committee.
You may find your audit reports to be a lit shorter, lighter and significantly more appreciated by your audit committee members. And remember, all the details are in your working papers … or at least, that’s where they should be. Not in your audit report.
Exploring The Black Box 