Print


Internal Audit Reports Post–Sarbanes-Oxley: A Guide to Process-Driven Reporting

By Susan M. Switzer

Published by John Wiley & Sons, Inc.; 2007; ISBN: 978-0-470-05084-2; 256 pages (hardcover); $50.00

Reviewed by Anthony S. Chan

OCTOBER 2007 - To appreciate the essential value of Susan Switzer’s work, it is important to first understand where the Sarbanes-Oxley Act (SOX) has taken us and how the risk-management landscape has changed since 2002. As companies take positive steps to strengthen their internal controls, management is leveraging SOX compliance to mitigate fraud and financial reporting risks. Specifically, management is taking action to—

  • strengthen the control environment and close the control gaps;
  • segregate duties and incompatible functions to deter fraud;
  • formalize policies and procedures to provide better guidance and directives;
  • establish proper monitoring and oversight to deter anomalies; and
  • develop training programs to enhance employees’ technical competence.

To make SOX compliance more cost-effective, management has continued to involve the internal audit function in its controls-assessment process. Over the past few years, internal audits have proved to be a valuable resource in the testing of key controls and have been instrumental in delivering objective work products that independent auditors can rely on to reduce their own testing.

In the area of SOX compliance, Switzer has correctly pointed out that internal auditors serve not only as frontline reporters for what went wrong, but also as advisors on how to address control weaknesses. By providing a systematic, process-driven approach to report writing, Switzer has succeeded in putting together a useful handbook that benefits all who desire to strengthen their writing skills.

The book is written in plain English and is well organized and easy to read. Switzer describes how report writing, much like auditing and computer programming, is a systematic process. She advises readers to start by “deciding what to say” using the following seven-step audit reporting process:

  • Listening and interpreting
  • Collaborating on audit components
  • Deciding core issues
  • Essentials versus nonessentials
  • Linking and synthesis thinking
  • Rewriting and when to quit
  • Executive summaries.

Auditors looking for advice on effective report-writing should find this approach useful in guiding their thought process. Notwithstanding, auditors must be directed to focus their findings on “issues that really matter” and are advised to adopt a risk-based, top-down approach in addressing the key concerns identified in their audits.

In deciding what to say, Switzer should remind auditors to look at the big picture and to write their report from the perspective of a member of the audit committee. To do that, auditors should prioritize the control issues identified and risk-rank them based on their potential financial and reputation impact on the organization. In my opinion, process-driven reporting could be effective only if it is risk-based in nature.

Switzer may want to incorporate such discussion in her future edition.
Switzer’s book does an excellent job of breaking down the essence of effective writing in the following 12-step process, which has practical applications for all forms of writing:

  • Be clear about the message.
  • Know your audience and analyze their needs.
  • Delete unnecessary ideas.
  • Organize and outline the material.
  • Choose precise, direct words.\
  • Use simple tenses.
  • Make sentences active.
  • Limit sentences to one main idea.
  • Keep paragraphs short and related to the topic sentence.
  • Punctuate sentences to improve understanding.
  • Use graphics where appropriate.
  • Proofread everything at least once.

Based on my experience, effective report-writing, much like oral communication, is a skill that improves with practice. Auditors seeking to enhance their writing techniques should find the above process very useful.

Switzer has made this book a practical reference guide, packing it with relevant examples and sample templates that will prove useful for first-time auditors. Chapter 4 contains examples of audit reports; chapter 5 provides useful tips and techniques on telephone and e-mail communication.

Here is the bottom line: SOX is here to stay and so is the dependence on internal audit to help identify and detect risks and to recommend practical, alternative risk-management solutions. More than ever, auditors are expected to add value to the risk-management process by bringing best practices into the equation and performing the necessary procedures to—

  • determine the nature and root cause of the control issues identified;
  • evaluate the pervasiveness of the issues;
  • size the risks and quantify the related financial statement impact; and
  • recommend changes to current practice.

Following the approach described and using the examples provided, first-time auditors should find this book useful in refining their writing skills to more succinctly and effectively communicate their messages. That said, effective report-writing is an art, not a science. An audit finding, when characterized properly from a risk-management perspective, can help identify control gaps and drive positive changes to existing controls or operating procedures. Internal audit reporting can be an effective means of risk management, as long as it is risk-based in nature, focusing on matters that pose the greatest risk and exposure to the organization.

Anthony S. Chan, CPA, is a partner of Berdon LLP in New York, N.Y., and a leader of its Sarbanes-Oxley compliance and corporate governance practice. He is a member of the NYSSCPA’s SEC Practice Committee.
 

 

Close