In classes I teach, we frequently discuss the best level for auditors to write to—most say the junior high grades. What level should auditors speak to? The answer is the same. I am not saying talk down to anyone; I am saying be comprehendible to everyone.
Auditors tend to use industry-speak or, what I call, safe words. They make us feel like we are auditing. In reality, we can lose our audience (e.g., clients) quickly using industry-speak. In fact, some words do not fit the scope of internal auditing; they have seeped into our subconscious from too many years of external auditing.
We should speak in layman’s terms to facilitate change and assist organizations in achieving their objectives. I have compiled a list of “watch out words” auditors should eliminate from their vocabularies or use appropriately. These include:
Mysterious Action Words
These words—including discovered, appeared, revealed and captured—come mostly from our schooling. Auditors overthink everything (we ARE auditors, after all) and try to make the audit process sound more exciting than it actually is. Instead of action words, be more specific, straightforward and comprehendible. Technical writing suggests varying words to maintain reader attention, but for audit reports word consistency is best.
Emotional Triggers
Auditors often throw around words like adequate, inadequate, fail, opinion and fraud without understanding how emotionally driven they can be to clients. I am not saying never use them—if they are bad, they need to be called out as bad—but use these words appropriately.
The terms adequate and inadequate are very emotional and hurtful. Being a failure is actually better than being inadequate; the latter sounds like “I am so awful I could not meet the minimal standards to fail.”
The term fraud is obviously well-known and understood but when some clients see this, they might shut down and even stop reading. Suggested replacements include the words misappropriation and inconsistencies.
There are a number of phrases that, when used to begin a statement, the conversation goes downhill quickly. One is “In my opinion.” In an audit report, I try not to use the term opinion. We definitely give opinions in reports but I try to stick to facts and circumstances.
Definitive Terms
I am working to curb the use of definitive terms—such as absolutely, never, always, must—with my eight-year-old, Caleb. He loves to generalize and include everything. “Always” might be his most frequently used word. These words do not apply in audit; there are usually exceptions to any rule.
Ambiguous Terms
Here is an example of why you should not use ambiguous terms like reasonable and should:
When my son asks me if his homework is correct, I would not answer “It appears reasonable.” I understand why we use the word, but we can communicate much more clearly without it. Instead of saying “The control structure appears reasonable,” why not say “Based on Internal Audit’s testing of XYZ, the risk is mitigated to an acceptable level.” This may be wordy, but it is much clearer.
I believe that independence is a thick gray line; as auditors, we must be able to operate in the gray. Regarding “should,” I believe by using it we do not sound independent. When I tell someone they “should” do something, it can be interpreted that I am telling them what to do. The best—yes, using an absolute here—replacement word is recommend. It shows independence and leaves to management how to address the issue. Now we can “strongly recommend” (verbally, not written—strongly is unnecessary) and make sure they understand the ramifications of inaction while we still adhere to our independence standards.
First/Third Person (We/I)
I do not see the first/third person used in audit reports as often as I did 5-10 years ago, but it is important to depersonalize the message.
Danny Goldberg, CISA, CGEIT, CRISC, is founder of GoldSRD, a provider of high-quality, interactive internal audit training. He will present two sessions (PC Skills: Communication, and Open Debate: Is IA the 3rd Line of Defense?) at the NACACS in New Orleans, Louisiana, 2-4 May 2016. Learn the latest in information systems audit, control and security at the CACS Conference. Knowledge, tools and strategies will be shared at all levels of expertise.
Danny Goldberg, CISA, CGEIT, CRISC, founder of GoldSRD
[ISACA Now Blog]
