Your year to be a better writer: Adding value to your reporting
RISK BULLETIN
Many internal auditors struggle to present the results of an audit in an effective manner and best represent findings. IIA Standard 2420 states that communications must be accurate, clear, concise, constructive, complete and timely. All of these are critical when communicating an opinion on the strength of internal controls, and several guidelines can be followed to increase the quality and clarity of reports.
An optimal report should anticipate readers' questions, effectively communicate findings and prioritize what audit committees should focus on. When developing a report, avoid subjective or emotive writing that can be vague or misconstrued. Strive for objective, unbiased language that is direct and fact-based, and for writing that is specific, concise and clear.
When detailing observations and recommendations, present a fact-based outline followed by an interpretation of what you found. Provide enough analysis of your findings to support your conclusions and recommendations. Do more than just describe the situation; make clear the significance of your findings and how they relate to your recommendations. Recommendations should cover:
- What needs to be done
- Who is responsible
- How, when and where it needs to be done
Your observations and recommendations must be written persuasively, always with the question, "why should they care?" in mind. A helpful three-step program to develop compelling observations and recommendations consists of:
- State the facts
- Describe the risks
- Recommend a solution to reduce or mitigate the risk
Several common pitfalls often arise that can lessen the impact of your internal audit observations and recommendations. These common missteps include:
- Not describing the issue
- Not describing the risk
- Information overload (data dumping)
- Implying you tested or found items you didn't
- Exaggerating the importance of a fact or finding
- Downplaying the importance of a fact or finding
Below is an example of a poorly written observation and recommendation. Neither addresses why the reader should care, and neither describes the risks that are associated with the issue at hand.
Observation: During our review of monetary instruments at the Main Street branch, we located a supply of loan checks that are no longer used by the branch and should no longer be in their inventory.
Recommendation: For more accurate inventory and to reduce the risk of inappropriate or unauthorized use of loan checks, we recommend the bank properly dispose of any unused monetary items from branch locations.
The recommendation is not a good, actionable item that will solve future problems (how do we prevent unused and stale instruments at branch locations in the future?). In addition, the observation and recommendation are not consistent, as the observation never stated the inventory was inaccurate, but the recommendation implies that it was.
On the other hand, the following is an example of a well-written observation and recommendation for a financial institution. Note that it is direct and concise while effectively communicating the risks and a solution.
Observation: Commission calculations are completed by manually entering figures into Excel. A second review of the Excel calculations is not completed and spreadsheet security controls are not used.
Recommendation: To ensure that commission calculations are correct, we recommend that the figures entered and formulas used be reviewed by a second person. Management may also consider using spreadsheet security controls such as locking down cells with formulas in them.
In addition to providing internal audit findings and recommendations, our reports will often include management's responses to them. Management's written responses can sometimes present additional facts or uncover mitigating controls that were not disclosed during the actual internal audit procedures. Therefore, while in draft, report observations and recommendations should be updated if further discussion yields new information. After conversations with process owners have taken place and it is agreed that risks have been accurately identified, it is important for management to acknowledge that an error or fraud (by process owners or others, depending on the situation) is possible. In this case, management must present an agreeable solution to the audit committee.
Communications and reports should be thorough and accurate for management to evaluate potential control concerns in the proper context and perspective. Your observations and recommendations should be relevant, value-added, professional, understandable and action-oriented, keeping your three-step program in mind by focusing on facts, risks and solutions. Paying close attention to how you write reports and knowing your audience are significant factors in helping management understand issues and take steps toward remediating them.