A kinder, gentler audit: successful audit reports don't pull any punches, or blindside recipients.

A tactful approach can lead to a satisfying, constructive outcome for all parties involved
By Lawrence De Berry

IN 1513, NICCOLO MACHIAVELLI WROTE in The Prince, "There is nothing more difficult to plan, more doubtful of success, nor more dangerous to manage than the creation of a new system. For the initiator has the enmity of all who would profit by the preservation of the old institution and merely lukewarm defenders in those who would gain by the new one." In a very real sense, changes proposed by an internal auditor are viewed in the same way as a new system. Most organizations are not staffed and managed by Machiavellian conspirators. Instead, they are typically composed of intelligent, well-intentioned individuals who are committed to seeing the organization succeed. So how do internal auditors get these good people to embrace changes recommended in the audit report? Suppose you've put some effort into landscaping your front yard and take pride in its appearance. Your neighbor, a representative from the homeowners association, comes to your door and says the yard falls below neighborhood standards. He also says he has put together a fertilizing, watering, and maintenance schedule that, along with other suggested modifications, will bring the yard up to standard. Like most people in this situation, you would likely resist the recommendations or perhaps implement them grudgingly and do the bare minimum required to meet association guidelines. By contrast, suppose this neighbor never knocks on your door to discuss the landscaping but instead invites you to his house for a barbecue one weekend. While at the event, you compliment the neighbor on his yard and say you wish yours were as lush as his. He tells you that his lawn grass variety is the same as yours; the secret is in the fertilizer and watering schedule, which he happily shares with you. In this scenario, would you be more inclined to follow his suggestions? The success of audit reporting is determined largely by the attitude and specific approach with which internal auditors carry out their duties. When handled appropriately, and with sufficient tact, the reporting process can proceed as smoothly as a backyard barbecue. Five rules, in particular, can help auditors not only achieve greater reporting effectiveness, but also bring about positive organizational change.

Auditors need to maintain humility. Moreover. RULE 2: GIVE CLIENTS THE BENEFIT OF THE DOUBT When auditors disagree with clients' work processes. Thus. noting issues along the way. they should never assume the clients arrived at their approach out of ignorance or incompetence. They discuss items that might represent control concerns or efficiency issues directly with those responsible for the areas involved. Staff and management perform their jobs day in and day out. The auditors can then say something like. "I understand your approach. Auditors who follow this first rule ensure their clients are well-prepared for the audit report. these practitioners already know if the client will agree with the findings. suspected fraudsters may still have extensive social networks in the organization. "We'd like to share with you some new . Internal auditors should give clients credit for doing what they believe is right. Even people who knowingly and deliberately commit wrongdoing deserve to be treated respectfully. while client methods may seem unusual or wrong at first glance. For example.RULE 1: TREAT CLIENTS WITH RESPECT During a recent fraud investigation I conducted. Before issuing their report. He was extremely grateful. and it makes sense in the context of what you've learned or what you've previously been trained to do on this job. even if their actions eventually prove wrong or misguided. the perpetrator thanked me at the final interrogation for the respect with which I treated him. They share results with clients as the engagement progresses. and give clients the benefit of the doubt. they will have the necessary facts to conduct their work--there is no need to denigrate anyone in the process. valid reasons may exist for their decisions. and internal auditors should look upon them with no less humanity than they would anyone else. auditors can remove significant barriers to change by saying. and the limited time allotted to individual assignments may preclude them from correctly placing all pieces of the puzzle. and the way auditors treat them could impact morale as well as the auditor's ability to function effectively even on routine assignments. it is their life." This type of acknowledgement can help disarm clients and make them more receptive to constructive feedback. and they've provided their thoughts for mitigating control risks or crafting more effective processes. recognize their own fallibility. These individuals may be fighting personal demons. If the auditors have done their job well. Auditors look at client processes as outsiders. even though the company had just terminated him and subjected him to fairly draconian restitution obligations.

Each of these categories generally breaks into two subcategories: minor or serious. in determining how reporting issues are framed. they must obtain agreement and buy-in from the individuals who would implement recommended changes. they are forced to butt heads with personnel who are intimately involved with the processes in question. Pursuing effectiveness and efficiency issues aggressively with upper management typically results in one of two possible outcomes. the auditor accomplishes nothing because the personnel doing the job every day possess more credibility on judgment calls than the auditor. they must report it and ensure the client understands that internal auditing has no choice but to do so. and counterproductive. From then on. Audit comments usually fall into two broad categories: control-related comments and those related to effectiveness or efficiency. the auditor wins the battle but loses the war. the clients forced to implement this change may become hostile toward members of the audit department. Internal auditors need to recognize these important distinctions. At my organization. unworkable. In . Although the auditor may be able to convince management that a change is necessary for the good of the company. Effective auditors know when to persist with their findings and when to back away. Clients have a greater tendency to buy into the process and take ownership of the recommendations when their input is solicited. RULE 3: PICK YOUR BATTLES CAREFULLY Not all audit issues are worth pursuing. In the first scenario. When auditors find a significant effectiveness or efficiency issue.information that has bearing on this issue. If the auditors find a serious control weakness without any mitigation in place. clients will likely be discouraged from cooperating with the internal auditors-a side effect that may well spread to other areas of the organization." When auditors later follow up by seeking client input on practical solutions. however. In the second scenario. clients often implement changes well before the audit report is issued because they want to move forward with identified processes or control improvements as quickly as possible. If the auditors do not reach an agreement with the client but still want to make a recommendation. They pit the auditor's opinion of effectiveness against that of the client who does the job day in and day out. the client will be more inclined to feel part of the solution and more likely to implement recommended changes. Clients will likely seek ways to prove the system change is unnecessary. Effectiveness issues are not black or white. Auditors do have a choice.

When auditors report a control weakness without reaching agreement with the client. and the problems represent a serious control issue. Controls cost money. there is no need to say something like. professional audit report. RULE 4: ACCENTUATE THE POSITIVE Although following the first three rules should result in a constructive. They must try to convince clients to recognize the wisdom of fixing problems identified during the engagement. If the issue is not control related." . auditors must always be able to communicate results and recommendations without using negative or accusatory language. the auditors need to apologize for the stalemate and explain that they are obliged to report the problem and the risk associated with it. If these efforts fail. but this discussion should not be placed in the report. relationship-damaging conflict. auditors can use a more constructive approach: "This department has significant challenges. there is a strong likelihood they will return to their old methods and procedures. internal auditors must still be mindful of the overall need to maintain a positive approach to the reporting process. and explain both the severity and likelihood of the risk as clearly as possible." Instead. and management must decide if it wants to spend that money or simply treat the risk as a cost of doing business. If managers see value in the idea. To avoid unnecessary.the end. Internal auditing can still mention the issue informally to management and discuss the benefits of making a change. "Department personnel are not doing what they are being paid for. The auditor's job is to ensure that management is aware of the deficiency and the risk associated with it. resource constraints prevent clients from responding to control needs. Even in areas where significant deficiencies exist. and they need to start pulling their weight. Regardless of the assignment. they will address it on their own. We have agreed with department management on appropriate changes to address the concerns identified. the auditors should let it go--there is no point in creating ill will when little upside potential exists. and we have identified several areas where improvements can be made. internal auditors need to choose their battles carefully. In many instances. They need to explain why the control is not in place and why those running the process believe they should not implement the control. they must handle the report with care.

The most effective. "So what?" That is. without judgmental language. the auditor has not established that a problem exists and does not have a valid audit comment. * The recommendation describes the actions for management to consider. but it is ultimately counterproductive.e. focusing only on the facts. Reportable issues need to be developed fully and presented in a cogent manner. a negative approach usually results in walls erected to keep auditors and their new ideas at a distance. The internal auditors' job is not just to "throw rocks" but to help find solutions. such as during a fraud investigation. subjective language can be tempting to use when the auditor feels strongly about a situation. The description should be communicated clearly. 5th Edition. * The condition explains what's being done (i. * The effect answers the question. Moreover. The old homespun expression many of us learned from our mothers remains valid: "You catch more flies with honey than with vinegar. auditors can get their message across by simply stating the facts and avoiding editorial comments. * The cause helps explain any deviations from the criteria and account for why these deviations exist. best-crafted audit reports are based on well-developed. Moreover. principles. the client's process). especially to readers who have not received any prior exposure to the audit. they must be sure to give clients credit for their positive achievements. Auditors must have a clear understanding of criteria to articulate them to others. internal auditors can follow the development criteria found in Sawyer's Internal Auditing. To ensure comments are informative and useful. RULE 5: BE INFORMATIVE To ensure clients read and clearly understand report content. audit reports need to be persuasive. which cites five audit-comment elements: * The criteria are the rules. internal auditors must pay close attention to the document's substantive content and structure. or guides that lead the auditor to believe a problem may exist. They . Auditors need to avoid this temptation by remaining objective and keeping their work on a professional plane. detailed comments. Emotionally charged. rather than only discussing problems or weaknesses." A positive approach and positive language draw people into dialogue..When significant findings must be reported. what are the potential consequences of the condition? Without a cogent effect.

internal audit work essentially boils down to walking into employees' personal workspace. "It's a good thing we're not on that end of the boat. . Management needs to be comfortable with not only the ideas discussed but also with how those ideas have been presented in the report. looking over their shoulder. my boss often uses a cartoon to illustrate a point about teamwork. that feedback helps auditors gauge the effectiveness of their work. The summary should contain the auditor's conclusions and opinion and convey the essence of the detailed comments. not problems. Moreover. Detailed comments are the foundation for the summary report to senior management and the audit committee. Responses give management an opportunity to provide feedback on the report findings. and internal auditors must keep this audience in mind when drafting them. auditing can be seen as an intrusive. Practitioners should approach each engagement with a cooperative mindset and continually seek ways to help other employees and make their jobs easier. auditors must conduct themselves in a way that encourages clients to see them as a trusted counselor. The image shows a rowboat with a small group at each end of the craft--one end is in the air and the other is resting deep in the water." When conducting their work. disruptive process. To obtain optimal results. or an approach to finding a solution. and focus on presenting solutions. The group on the high end. Auditors should keep the summary brief. AGENTS OF POSITIVE CHANGE During his presentations to company employees. Auditors should also consider a sixth element not covered in the Sawyer text--the response. and making value judgments on their performance. After all. As agents of positive change in the organization. safe for the time being. auditors need to become valued insiders--not outsiders who cause others to put up their guard and resist constructive change. Any engagement can be an intimating proposition for the audited group. says something like. for many clients. The partially submerged group is shown bailing out water.must find an agreeable solution to the condition. internal auditors need to remember that they are part of the organizational team. and the power wielded by internal auditors should be handled responsibly. They should remember that. Each of these elements is essential to effective detailed audit comments-neglecting to incorporate any one of them will leave readers wondering why reported issues require change or whether the changes suggested would lead to improvement. to which all are parties are willing to commit and follow. ensure the content is accurate.