Audit Reports Post–Sarbanes-Oxley: A Guide to Process-Driven
Susan M. Switzer
by John Wiley & Sons, Inc.; 2007; ISBN: 978-0-470-05084-2;
256 pages (hardcover); $50.00
by Anthony S. Chan
- To appreciate the essential value of Susan Switzer’s work,
it is important to first understand where the Sarbanes-Oxley Act
(SOX) has taken us and how the risk-management landscape has changed
since 2002. As companies take positive steps to strengthen their
internal controls, management is leveraging SOX compliance to mitigate
fraud and financial reporting risks. Specifically, management is
taking action to—
the control environment and close the control gaps;
duties and incompatible functions to deter fraud;
policies and procedures to provide better guidance and directives;
proper monitoring and oversight to deter anomalies; and
training programs to enhance employees’ technical competence.
To make SOX
compliance more cost-effective, management has continued to involve
the internal audit function in its controls-assessment process.
Over the past few years, internal audits have proved to be a valuable
resource in the testing of key controls and have been instrumental
in delivering objective work products that independent auditors
can rely on to reduce their own testing.
In the area
of SOX compliance, Switzer has correctly pointed out that internal
auditors serve not only as frontline reporters for what went wrong,
but also as advisors on how to address control weaknesses. By
providing a systematic, process-driven approach to report writing,
Switzer has succeeded in putting together a useful handbook that
benefits all who desire to strengthen their writing skills.
is written in plain English and is well organized and easy to
read. Switzer describes how report writing, much like auditing
and computer programming, is a systematic process. She advises
readers to start by “deciding what to say” using the
following seven-step audit reporting process:
on audit components
and synthesis thinking
and when to quit
looking for advice on effective report-writing should find this
approach useful in guiding their thought process. Notwithstanding,
auditors must be directed to focus their findings on “issues
that really matter” and are advised to adopt a risk-based,
top-down approach in addressing the key concerns identified in
what to say, Switzer should remind auditors to look at the big
picture and to write their report from the perspective of a member
of the audit committee. To do that, auditors should prioritize
the control issues identified and risk-rank them based on their
potential financial and reputation impact on the organization.
In my opinion, process-driven reporting could be effective only
if it is risk-based in nature.
want to incorporate such discussion in her future edition.
Switzer’s book does an excellent job of breaking down the
essence of effective writing in the following 12-step process,
which has practical applications for all forms of writing:
- Be clear
about the message.
your audience and analyze their needs.
and outline the material.
precise, direct words.\
- Use simple
sentences to one main idea.
- Keep paragraphs
short and related to the topic sentence.
sentences to improve understanding.
- Use graphics
everything at least once.
my experience, effective report-writing, much like oral communication,
is a skill that improves with practice. Auditors seeking to enhance
their writing techniques should find the above process very useful.
made this book a practical reference guide, packing it with relevant
examples and sample templates that will prove useful for first-time
auditors. Chapter 4 contains examples of audit reports; chapter
5 provides useful tips and techniques on telephone and e-mail
Here is the
bottom line: SOX is here to stay and so is the dependence on internal
audit to help identify and detect risks and to recommend practical,
alternative risk-management solutions. More than ever, auditors
are expected to add value to the risk-management process by bringing
best practices into the equation and performing the necessary
the nature and root cause of the control issues identified;
the pervasiveness of the issues;
- size the
risks and quantify the related financial statement impact; and
changes to current practice.
the approach described and using the examples provided, first-time
auditors should find this book useful in refining their writing
skills to more succinctly and effectively communicate their messages.
That said, effective report-writing is an art, not a science.
An audit finding, when characterized properly from a risk-management
perspective, can help identify control gaps and drive positive
changes to existing controls or operating procedures. Internal
audit reporting can be an effective means of risk management,
as long as it is risk-based in nature, focusing on matters that
pose the greatest risk and exposure to the organization.
S. Chan, CPA, is a partner of Berdon LLP in New York, N.Y.,
and a leader of its Sarbanes-Oxley compliance and corporate governance
practice. He is a member of the NYSSCPA’s SEC Practice Committee.