Internal Audit Reports Post–Sarbanes-Oxley: A Guide to Process-Driven Reporting
By Susan M. Switzer
Published by John Wiley & Sons, Inc.; 2007; ISBN: 978-0-470-05084-2; 256 pages (hardcover); $50.00
Reviewed by Anthony S. Chan
OCTOBER 2007

To appreciate the essential value of Susan Switzer’s work, it is important to first understand where the Sarbanes-Oxley Act (SOX) has taken us and how the risk-management landscape has changed since 2002. As companies take positive steps to strengthen their internal controls, management is leveraging SOX compliance to mitigate fraud and financial reporting risks. Specifically, management is taking action to—
- strengthen the control environment and close the control gaps;
- segregate duties and incompatible functions to deter fraud;
- formalize policies and procedures to provide better guidance and directives;
- establish proper monitoring and oversight to deter anomalies; and
- develop training programs to enhance employees’ technical competence.

To make SOX compliance more cost-effective, management has continued to involve the internal audit function in its controls-assessment process. Over the past few years, internal audits have proved to be a valuable resource in the testing of key controls and have been instrumental in delivering objective work products that independent auditors can rely on to reduce their own testing.

In the area of SOX compliance, Switzer has correctly pointed out that internal auditors serve not only as frontline reporters for what went wrong, but also as advisors on how to address control weaknesses. By providing a systematic, process-driven approach to report writing, Switzer has succeeded in putting together a useful handbook that benefits all who desire to strengthen their writing skills.

The book is written in plain English and is well organized and easy to read. Switzer describes how report writing, much like auditing and computer programming, is a systematic process. She advises readers to start by “deciding what to say” using the following seven-step audit reporting process:
- Listening and interpreting
- Collaborating on audit components
- Deciding core issues
- Essentials versus nonessentials
- Linking and synthesis thinking
- Rewriting and when to quit
- Executive summaries.

Auditors looking for advice on effective report-writing should find this approach useful in guiding their thought process. Notwithstanding, auditors must be directed to focus their findings on “issues that really matter” and are advised to adopt a risk-based, top-down approach in addressing the key concerns identified in their audits.

In deciding what to say, Switzer should remind auditors to look at the big picture and to write their report from the perspective of a member of the audit committee. To do that, auditors should prioritize the control issues identified and risk-rank them based on their potential financial and reputation impact on the organization. In my opinion, process-driven reporting could be effective only if it is risk-based in nature. Switzer may want to incorporate such discussion in her future edition.

Switzer’s book does an excellent job of breaking down the essence of effective writing in the following 12-step process, which has practical applications for all forms of writing:
- Be clear about the message.
- Know your audience and analyze their needs.
- Delete unnecessary ideas.
- Organize and outline the material.
- Choose precise, direct words.
- Use simple tenses.
- Make sentences active.
- Limit sentences to one main idea.
- Keep paragraphs short and related to the topic sentence.
- Punctuate sentences to improve understanding.
- Use graphics where appropriate.
- Proofread everything at least once.

Based on my experience, effective report-writing, much like oral communication, is a skill that improves with practice. Auditors seeking to enhance their writing techniques should find the above process very useful.

Switzer has made this book a practical reference guide, packing it with relevant examples and sample templates that will prove useful for first-time auditors. Chapter 4 contains examples of audit reports; chapter 5 provides useful tips and techniques on telephone and e-mail communication.

Here is the bottom line: SOX is here to stay and so is the dependence on internal audit to help identify and detect risks and to recommend practical, alternative risk-management solutions. More than ever, auditors are expected to add value to the risk-management process by bringing best practices into the equation and performing the necessary procedures to—
- determine the nature and root cause of the control issues identified;
- evaluate the pervasiveness of the issues;
- size the risks and quantify the related financial statement impact; and
- recommend changes to current practice.

Following the approach described and using the examples provided, first-time auditors should find this book useful in refining their writing skills to more succinctly and effectively communicate their messages. That said, effective report-writing is an art, not a science. An audit finding, when characterized properly from a risk-management perspective, can help identify control gaps and drive positive changes to existing controls or operating procedures. Internal audit reporting can be an effective means of risk management, as long as it is risk-based in nature, focusing on matters that pose the greatest risk and exposure to the organization.

Anthony S. Chan, CPA, is a partner of Berdon LLP in New York, N.Y., and a leader of its Sarbanes-Oxley compliance and corporate governance practice. He is a member of the NYSSCPA’s SEC Practice Committee.