Sie sind auf Seite 1von 12

CONSOLIDATED RESOURCES ON EFFECTIVE AUDITING AND REPORT

WRITING
RULE 1: TREAT AUDITEES WITH RESPECT
Even people who knowingly and deliberately commit wrongdoing deserve to be
treated respectfully. These individuals may be fighting personal demons, and internal
auditors should look upon them with no less humanity than they would anyone else.
Moreover, suspected fraudsters may still have extensive social networks in the
organization, and the way auditors treat them could impact morale as well as the
auditor's ability to function effectively even on routine assignments. If the auditors
have done their job well, they will have the necessary facts to conduct their work-there is no need to denigrate anyone in the process.
Auditors who follow this first rule ensure their auditees are well-prepared for the
audit report. They share results with auditees as the engagement progresses, noting
issues along the way. They discuss items that might represent control concerns or
efficiency issues directly with those responsible for the areas involved. Before issuing
their report, these practitioners already know if the auditee will agree with the
findings, and they've provided their thoughts for mitigating control risks or crafting
more effective processes.
RULE 2: GIVE AUDITEE THE BENEFIT OF THE DOUBT
When auditors disagree with auditee's work processes, they should never assume the
auditee arrived at their approach out of ignorance or incompetence. Staff and
management perform their jobs day in and day out; it is their life. Auditors look at
auditee processes as outsiders, and the limited time allotted to individual
assignments may preclude them from correctly placing all pieces of the puzzle. Thus,
while auditee methods may seem unusual or wrong at first glance, valid reasons may
exist for their decisions. Auditors need to maintain humility, recognize their own
fallibility, and give auditee the benefit of the doubt.
Internal auditors should give auditee credit for doing what they believe is right, even
if their actions eventually prove wrong or misguided. For example, auditors can
remove significant barriers to change by saying, "I understand your approach, and it
makes sense in the context of what you've learned or what you've previously been
trained to do on this job." This type of acknowledgement can help disarm auditee
and make them more receptive to constructive feedback. The auditors can then say
something like, "We'd like to share with you some new information that has bearing

on this issue." When auditors later follow up by seeking auditees input on practical
solutions, the auditees will be more inclined to feel part of the solution and more
likely to implement recommended changes. Auditees have a greater tendency to buy
into the process and take ownership of the recommendations when their input is
solicited. At my organization, auditees often implement changes well before the audit
report is issued because they want to move forward with identified processes or
control improvements as quickly as possible.
RULE 3: PICK YOUR BATTLES CAREFULLY
Not all audit issues are worth pursuing. Effective auditors know when to persist with
their findings and when to back away.
Audit comments usually fall into two broad categories: control-related comments
and those related to effectiveness or efficiency. Each of these categories generally
breaks into two subcategories: minor or serious. Internal auditors need to recognize
these important distinctions. If the auditors find a serious control weakness without
any mitigation in place, they must report it and ensure the auditee understands that
internal auditing has no choice but to do so. Auditors do have a choice, however, in
determining how reporting issues are framed.
1. Findings related to effectiveness or efficiency
When auditors find a significant effectiveness or efficiency issue, they must
obtain agreement and buy-in from the individuals who would implement
recommended changes. Effectiveness issues are not black or white. They pit the
auditor's opinion of effectiveness against that of the auditee who does the job
day in and day out. If the auditors do not reach an agreement with the auditees
but still want to make a recommendation, they are forced to butt heads with
personnel who are intimately involved with the processes in question.
Pursuing effectiveness and efficiency issues aggressively with upper management
typically results in one of two possible outcomes. In the first scenario, the auditor
accomplishes nothing because the personnel doing the job every day possess
more credibility on judgment calls than the auditor. From then on, auditees will
likely be discouraged from cooperating with the internal auditors--a side effect
that may well spread to other areas of the organization.
In the second scenario, the auditor wins the battle but loses the war. Although
the auditor may be able to convince management that a change is necessary for

the good of the company, the auditees forced to implement this change may
become hostile toward members of the audit department. Auditees will likely
seek ways to prove the system change is unnecessary, unworkable, and
counterproductive. In the end, there is a strong likelihood they will return to their
old methods and procedures.
To avoid unnecessary, relationship-damaging conflict, internal auditors need to
choose their battles carefully. They must try to convince auditees to recognize
the wisdom of fixing problems identified during the engagement. If these efforts
fail, and the problems represent a serious control issue, the auditors need to
apologize for the stalemate and explain that they are obliged to report the
problem and the risk associated with it. If the issue is not control related, the
auditors should let it go--there is no point in creating ill will when little upside
potential exists. Internal auditing can still mention the issue informally to
management and discuss the benefits of making a change, but this discussion
should not be placed in the report. If managers see value in the idea, they will
address it on their own.
2. Control-related Issues
When auditors report a control weakness without reaching agreement with the
auditee, they must handle the report with care. They need to explain why the
control is not in place and why those running the process believe they should not
implement the control. In many instances, resource constraints prevent auditees
from responding to control needs. The auditor's job is to ensure that
management is aware of the deficiency and the risk associated with it, and
explain both the severity and likelihood of the risk as clearly as possible. Controls
cost money, and management must decide if it wants to spend that money or
simply treat the risk as a cost of doing business.
LASTLY, be mindful of the impact or risk of the issue
Auditors must ask themselves the following questions before including an issue in
the audit report or before raising it as nonconformity.
What is the risk?
What mitigating controls are in place, and do they effectively reduce the risk?
What happened and what was supposed to happen?

Is the issue significant enough to be reported formally; are the amounts


relevant?
To gauge whether issue/findings is value-adding or not, the auditor must know
the potential risk that may result. The effect answers the question, "So what?"
That is, what are the potential consequences of the condition? Without a cogent
effect, the auditor has not established that a problem exists and does not have a
valid audit comment.
RULE 4: ACCENTUATE THE POSITIVE
Although following the first three rules should result in a constructive, professional
audit report, internal auditors must still be mindful of the overall need to maintain a
positive approach to the reporting process. Regardless of the assignment, auditors
must always be able to communicate results and recommendations without using
negative or accusatory language. Even in areas where significant deficiencies exist,
there is no need to say something like, "Department personnel are not doing what
they are being paid for, and they need to start pulling their weight." Instead, auditors
can use a more constructive approach: "This department has significant challenges,
and we have identified several areas where improvements can be made. We have
agreed with department management on appropriate changes to address the
concerns identified."
When significant findings must be reported, such as during a fraud investigation,
auditors can get their message across by simply stating the facts and avoiding
editorial comments. Emotionally charged, subjective language can be tempting to
use when the auditor feels strongly about a situation, but it is ultimately
counterproductive. Auditors need to avoid this temptation by remaining objective
and keeping their work on a professional plane. Moreover, they must be sure to give
auditees credit for their positive achievements, rather than only discussing problems
or weaknesses.
The old homespun expression many of us learned from our mothers remains valid:
"You catch more flies with honey than with vinegar." A positive approach and positive
language draw people into dialogue; a negative approach usually results in walls
erected to keep auditors and their new ideas at a distance.
RULE 5: BE INFORMATIVE

To ensure auditees read and clearly understand report content, internal auditors
must pay close attention to the document's substantive content and structure.
Reportable issues need to be developed fully and presented in a cogent manner.
Moreover, audit reports need to be persuasive, especially to readers who have not
received any prior exposure to the audit.
The most effective, best-crafted audit reports are based on well-developed, detailed
comments. To ensure comments are informative and useful, internal auditors can
follow the development criteria below:
Findings What happened, must be clear and concise
Location where the issue occurred, locatable by other auditors including the
evidences
Objective Evidence base on facts, explains what's being done (i.e., the auditee's
process), focusing only on the facts. The description should be communicated
clearly, without judgmental language.
Requirement/criteria - rules, principles, or guides that lead the auditor to believe
a problem may exist. Auditors must have a clear understanding of criteria to
articulate them to others.
Each of these elements is essential to effective detailed audit comments--neglecting
to incorporate any one of them will leave readers wondering why reported issues
require change or whether the changes suggested would lead to improvement.
Detailed comments are the foundation for the summary report to senior management
and the audit committee, and internal auditors must keep this audience in mind
when drafting them.
In Writing report

Quality professionals, while adept at finding areas for improvement, sometimes


struggle to communicate those suggestions.
By following 12 simple rules, youll be able to get your point across clearly and
turn a potentially confusing and frustrating situation into a successful project.

Words have incredible power. They can hurt, and they can help. They can build trust,
inspire and promote a sense of shared goals. They can steer attention to areas of
commonality or focus on divisive elements. Words can confuse or clarify.

A single word can trigger powerful emotions and turn a conversation or even an
entire business relationship in a different direction. Words should be carefully
selected and used deliberately. For these reasons and many more, quality
professionals need to be cognizant of the wording, substance and style of messages.
By using this practical guide, quality auditors, managers, engineers and other
professionals in the field will be able to clarify their written messages and inspire
their readers to constructive actions. The 12 tips are based on many years of
practical experience and analysis of what worked and what didnt in written
communication related to auditing, consulting and training in the area of
management systems.
1. Use words with positive connotations
Words can create an emotional response in readers minds. Certain words can
remind the reader about a situation or circumstances connected to positive or
negative emotions.
The goal in quality communication is to
work through cooperation and mutual
understanding. To achieve that end, you
want to make readers responses 100%
positive, which is why you should strive
to use words with positive connotations
that would be less likely to trigger a fight-or-flight response in readers minds.
2. Always look on the bright side
Faults and obstacles are not necessarily negative. Constraints spur creativity,
problems lead to new solutions, and faults are key components of learning and
making progress. For example, during previous recessions, several top companies
were created, such as FedEx, Microsoft, Apple, Genentech, Oracle and the SAS
Institute.
By their nature, quality departments
accumulate information about faults, defects
and problems. This information becomes
highly valuable to improvement, innovation
and getting ahead of the competition, but it

is effective only when the quality professionals language is focused on the bright
side of things.

3. Say what you want, not what you dont


It has been said that a goal properly set is halfway reached. That credo definitely
holds true in an auditing context. There is no better way to set a goal than to
describe it in detail.
A goal can be a picture of what you want or, conversely, what you dont want to
achieve as an outcome. Using an
example from risk management
practices, it is not as important to
describe what can possibly go wrong,
but rather what plan B is.
In other words, focus on solutions, not
problems. Focus on expectations, not
precautions.
4. Be brief and to the point
Value the readers time, and try to be as
concise as possible. Use descriptive
words instead of descriptive paragraphs.

5. Use consistent terms


One of the important stylistic rules of non-technical writing is to avoid repetition in
consecutive sentences if possible.
For example, if you talk about Marinas accomplishments in one sentence, it is better
to say "her achievements" in the second one. In technical correspondence, however,
that can lead to confusion because "accomplishments" and "achievements" may have
some differences in meaning.

Here is a real-world example from a quality audit report: "Process XYZ suggestions:
Process XYZ was very good, but the following issues were discussed afterward."
In this example, the quality auditor used
"suggestions" and "issues" interchangeably.
But try looking at it from the users
perspectives. In their minds, an issue must be
addressed, while a suggestion can be
considered. To add more confusion, the
process was deemed to be "very good."

6. Use consistent formats


A consistent format is important in all aspects of writing, but it is especially important
in lists. Quality professionals use lists in many situationswhether its to outline
audit issues, evaluation results,
supporting evidence, examples,
actionable items or follow-up comments.
A list that is easy to read and understand
includes sentences with the same
structure and approximate length. For
example, actions and names of functions
should not appear on the same list.

7. Use white space


White space is an area on a printed page with no graphics or type. White space helps
to focus the readers attention on the important information by providing more
meaning while using fewer words.
White space has proven to be more
effective in bringing attention to words
than capitalization, different fonts,
underlining or color-coding. To have
enough white space, widen the margins of
pages, separate paragraphs and use tables, bullet points and lists when possible.

8. Be specific

General words are minefields when it comes to writing in the quality management
arena. Examples of such words are: always, never, all, none, lack, almost and alike. If
you use the word "never" and a single occurrence negates its use, the reader will find
it difficult to trust the rest of the message.
Words that express opinions should be
used sparingly and carefully. Examples of
such words are: comprehensive, clear,
consistent and unambiguous. What
appears to be consistent to one person
may not be consistent from another point
of view. If we decide to use such words, we
need to first agree on their definitions.

9. Underpromise and overdeliver


It is always great to exceed expectations. On the opposite end of the spectrum, even
if you perform far above the original expectations of the customer but below the level
of your original promises, customer
dissatisfaction is inevitable.
The same is true for internal and external
customers, partners, suppliers and all
other communication agents. The golden
rule is to estimate your capabilities and set
expectations below the level of what you
are capable of doing. This approach should be clear in all of messages written by the
quality professional.

10. Dont use jargon or clichs


Quality professionals communicate primarily with people who are already familiar
with quality terminology. As a result, its rare that the use of quality or technical
terminology causes communication problems. Problems that happen more
frequently are related to attempts to
sound user-friendly and be better
understood by the client.
Some clients accept jargon and
clichs, but some dont. Generally, the

use of such language doesnt improve communication or rapport. To be on the safe


side, completely avoid jargon and clichs.

11. Use complete words and sentences


The technological advances of the past decade have been accompanied by a
growing trend to save time spent typing by abbreviating words. As a result, an entire
language of new computer abbreviations and acronyms has been developed.
The rule about jargon and clichs
applies to abbreviations: They are not
understood by everyone. Use complete
words and sentences, and explain all
abbreviations if you need to use them.

12. Use "I" to ask and "you" to give


Most companies avoid using "you" and "I" when theyre writing formal documents.
When it comes to informal professional writing, however, two rules apply.
Use the "I" approach when asking,
requesting or expressing dissatisfactions
and concerns: "I need to know," "I didnt
understand" or "I would appreciate." This
helps make the message less demanding
and destructive.
Use the "you" approach in situations in which you are offering, suggesting, informing
or inviting. That way, you will put the focus
on the readers interests and benefits.
Readers are the key people to think about
when you are writing, and they should be
respected at all times by following these 12 simple rules. Doing so will help you get
your point across quickly and clearly, and everyone will benefit as a result.

BUT FOR INTERNAL QUALITY AUDITING , USE PASSIVE


VOICE

AGENTS OF POSITIVE CHANGE

"It's a good thing we're not on


that end of the boat."

When conducting their work, internal auditors need to remember that they are part
of the organizational team. Practitioners should approach each engagement with a
cooperative mindset and continually seek ways to help other employees and make
their jobs easier. They should remember that, for many auditees, auditing can be
seen as an intrusive, disruptive process. After all, internal audit work essentially boils
down to walking into employees' personal workspace, looking over their shoulder,
and making value judgments on their performance. Any engagement can be an
intimating proposition for the audited group, and the power wielded by internal
auditors should be handled responsibly.
To obtain optimal results, auditors must conduct themselves in a way that
encourages auditees to see them as a trusted counselor. As agents of positive
change in the organization, auditors need to become valued insiders--not outsiders
who cause others to put up their guard and resist constructive change.