Monday, April 13, 2009

Writing better reports

I've been writing reports that describe the state of affairs, explain the issues, and provide recommendations for about 17 years. Over that time, I've picked up a couple of bits that clearly make them more effective.

So, I thought I'd share.


Close the loop - Audit reports are, almost by definition, alarming things. However, highly effective reports ring the alarm bells, explain which barn is on fire, then talk about how the fire got put out.

They close the loop.

I know it sounds simple, but it is a commonly missed opportunity. In my experience, audit committees and senior executives appreciate being told about an issue and then being told how it was handled. It means they don't have to take action, beyond monitoring the situation and asking for updates. It also means that they will get alarmed and active, when you bring them something that truly warrants their involvement.

This is a matter both of process and of report writing.

It is a matter of process, because to be able to do this, you must have actually worked with your audit client to get him/her to pick up a bucket and fill it with water. I have known a number of audit units that create findings, shoot them at their audit clients, and sit down to write the report. Any audit client worth their salt will want their side of the story in the written record. Now you've got potential conflict and disagreement. No one is focusing on making things better. And, your Audit Committee is wondering why you can't handle these things yourself.

It is a matter of report writing, because all too often I see auditors simply leave closure out of the report. They worked very hard with the audit client to come to a workable solution and they forget to talk about it. Sometimes I've found this to be the result of auditors who have a "gotcha" approach. However, more often it is just poor story telling.


Anticipate Questions - This is not an easy thing to do, because it requires placing yourself in the shoes of your audit client's superior. However, it is a skill-worth-paying-for and good auditors, who want to become great auditors, will focus on this.

For example, you've written a report with a finding regarding unauthorized access. It seems that for a number of months the Security Unit has been granting access to an important system based on the user's supervisor's approval. Evidently, the system owner hasn't been getting notified or asked for their approval. Worse, "super user" access has been granted to a few individuals. The "risk" statement in your finding talks about the potential for data being viewed or changed by inappropriate users. And, you've followed the tip above and closed the loop by describing what was done.

Not quite finished yet, though.

A really effective finding would anticipate the next question, which I estimate would regard the scope of damage the unauthorized super users might have caused.

Perhaps you were able to find logs, which would have recorded any "super user" activity (and which couldn't be altered). In that case, you allow the senior IT executive to sleep at night by saying so, somewhat comfortable that you've determined that no inappropriate activity was likely to have taken place.

Conversely, you may have found that no logs exist that describe what the "super users" might have done. In that event, it is your obligation to anticipate the question and make a statement that it is impossible to know. Neither the IT executive nor the Finance executive is sleeping now, which is probably appropriate.

Either way, you've delivered a more effective finding, because it targets the energy of the leadership.


Compliment - Finally, I find including in a report a brief statement of appreciation and compliment about the cooperation of the team and their leadership to pay significant dividends. It seems minor, and often can feel forced, but it has always been worth doing for me.

Something along the lines of,

The Internal Audit team wishes to express their appreciation and thanks for the degree of openness and cooperation received during this review. We found the staff and leadership of the unit to be genuinely interested in improving controls and making the organization more effective.

Another example,

While this report could include lengthy descriptions of the many strengths we identified, its purpose is to convey ways in which the unit can improve its level of internal control. Therefore, by design, the report focuses on areas of potential improvement. This concentration on areas of improvement should in no way be construed as a diminution of the quality of the unit.

Strangely, while everyone knows this statement is somewhat perfunctory, it helps them save face. And as an auditor, when you help a manager save face you have the grounds for a relationship. Having an extraordinary network of relationships is how great auditors become amazingly effective auditors.



-- Prescott Coleman, CIA, CISA


Wednesday, April 8, 2009

Be Short

You want credibility? You want to be relevant? You want your audit function to be asked to the "Big Table"?

Be short.

And, by this I mean deliver audit reports that are brief. In my last post on audit report writing, I talked about being succinct. Brevity and succinctness are related, but are not the same thing.

The fact that I used to write 100+ page reports for colleges and universities notwithstanding, I believe an audit report should be no more than 10 pages.

That includes executive summary, grade (if you have one), and all major findings. It can't be done, you say. It must be done, I say.

And, here are three principles to help you.

Aggregate - Find ways to roll multiple findings into one. You do this based on identifying a common factor, usually the Cause statement. If you have more than one finding with the same root cause, they are candidates for aggregation. You can also aggregate based on Recommendation. If the thing you propose as a solution will fix several issues, roll them into one. It should come as no surprise that the two easiest aggregating factors are Cause and Reco. As I pointed out in my post "Cause and the Last Why" they are linked like tires and rims.


Seriousness Ratings - I've seen a number of approaches to this. For example, Material Weakness, Significant, Important. Also, Critical, Major, and Minor. These, and a hundred others, are ways of classifying issues so that senior folks can tell the wheat from the chaff. There are usually definitions of the level of risk of the issue, but in the end it is a pretty judgemental rating. If you make a policy decision to report only the most serious findings and provide separate documentation on the minor stuff, your reports will get shorter and become more impactful.

Of course, there is a risk. The minor stuff might still be important and the tendency is for bits not in the report to disappear from radar. To combat this, let the client know that you are tracking all issues in your tracking database, but only reporting the serious ones. Not foolproof, but it helps.


Write Fewer Words - Yes, I am as serious as an overturned Greek ferry. I know it sounds obvious and simple, but it usually isn't. This principle has a lot to do with being succinct, but I consider it a more direct prescription. But, how to accomplish this simple, yet monumental task?

In the first place, put a little angel or devil (you choose which) on your shoulder as you are writing. Their job is to gripe in your ear the whole time you are typing, saying mostly, "stop writing so much stuff." Then, when you are done writing, edit out 1/3 of what you wrote and revisit it. Try again until it hurts, then try one more time. Your reports will get shorter and, if you do it well, they will get more effective.

Of course, there is another way to drive fewer words. Turn your audit report into a table or PowerPoint, so you can't fit any more words in the boxes or slides. More on this in a later post.


-- Prescott Coleman, CIA, CISA


Thursday, April 2, 2009

Be Succinct

Audit report writing is one of the hardest things to teach new auditors. This can be particularly true when working with team members rotated in from the business (see my posts on Rockstars) or when you've got auditors fresh out of school.

It seems, therefore, worthwhile to spend some blog space talking about some "important safety tips" as they regard report writing. I'll probably do several posts on this in April.

Let's start with being succinct.

Why? After all, those pesky management types have to read our reports, right? We're internal audit, we've got that cool Audit Mandate from our Audit Committee. They'll be hanging on our every word, won't they?

Not in this universe or the next, I'm afraid.

Succinctness (if there is such a word) is the art of getting to the point and it shows intelligence, preparation, and respect. Even if we could force our audit clients to read every word, we need to demonstrate each of these points to build credibility. And, credibility is king.

There are a number of ways to be succinct.

Destroy Clutter. One of my favorite books on the subject, On Writing Well, The Classic Guide to Writing Non-fiction, by William Zinsser, puts it this way:

Fighting clutter is like fighting weeds, the writer is always behind. New varieties sprout overnight, and by noon they are part of American speech. Consider all the prepositions that are draped onto verbs that don't need any help. We no longer head committees. We head them up. Writing improves in direct ratio to the number of things we can keep out that shouldn't be there.


Organize your thoughts. It costs a lot of money to have senior people organize your thoughts for you. I've yet to meet an internal auditor whose time was more valuable than the people they were auditing.

I know, it hurts. Deal with it.

That means the company is, in fact, paying you to make things quick and easy for your audit client. If it means outlining, rewriting, reoutlining, and re-rewriting an audit finding to cause the reader to understand your point quickly - you should do so.

I find the Five Part Approach to audit findings (from IIA Practice Advisory on Standard 2410-1 - you know, condition, cause, criteria, effect/risk, and recommendation) a literal model for organization of a finding. Allow no more than one (maybe two) sentences for each. If you can be that structured, it helps the reader to look at multiple findings and know that the risk statement for the next finding will probably follow the criteria statement. If you can be that brief, your finding will probably get read.

Directness. Audit reports are clear and decisive statements. I can't even recall the number of audit findings I've reviewed that talk around the issue. Sometimes this happens because the auditor knows the subject so well that they don't remember to state it outright to the audit client. Other times, the issue feels scary and so the natural tendency is to "break the news" to the client. Both are a waste of precious attention span and, worse, can lead to misunderstandings.

Voice and Tone. A lot of report writers forget they need to pay any attention to voice and tone. For the uninitiated, these are the way the reader hears your words in their head. This blog has a particular voice and tone that is different than the one I would use in an audit report. It is significantly more energetic and informal.

Now, I went to a pretty uncompromising liberal arts college for my undergraduate degree. Austin College is the sort of place where every course (including accounting) includes a major paper or thesis. Yet, they spent little or no time discussing voice and tone. So, chances are your auditors are largely unfamiliar with this concept. If you introduce it to them, it can be an eye-opener. It can take their writing from sounding like Ben Stein to sounding, more appropriately, like Peter Jennings.

One is laborious to listen to, while the other can be a delight - even when he was delivering bad news.



More thoughts on report writing in coming posts.


-- Prescott Coleman, CIA, CISA