Writing is a decision-making process. Just as audit report content decisions are based on legal requirements (e.g., Sarbanes-Oxley, the SEC), professional standards (e.g., the IIA, AICPA), and business needs (the company being audited, the audit committee, the stakeholders), writing decisions should be based on specific criteria.


Deciding how to say what you have decided to say should be based on:

  1. The most effective way to communicate with the individuals who will read and attest to the report—what will satisfy the CEO and audit committee
  2. Generally accepted usage, formats, and style conventions in the corporate culture being audited—what the CAE and audit manager look for
  3. The rules of punctuation and grammar—what maximizes credibility and makes for faster comprehension

Taking Account of the Audience

Since SOX, audit committees, audit executives, and internal auditors are finding themselves in closer contact. That heightened level of communication will make it easier to determine precisely what levels of risk, internal controls, and operational and technical information should be included in any particular report. In addition, identifying specific writing criteria that are most likely to succeed should be easier. Are the members of the audit committee detail-oriented (not “orientated”)? Does the CAE insist on using (not “utilizing”) certain phrases—and excluding others? Are the managers sticklers for particular punctuation conventions ...

Get Internal Audit Reports Post Sarbanes-Oxley: A Guide to Process-Driven Reporting now with O’Reilly online learning.