Speaker 1: Hello, welcome to Getting Started With, where our job is to make your job easier. On this episode, we are getting started with writing an audit finding. In this video, you'll get tips and answers on how you should go about writing an audit finding, including what goes into the audit finding, the five C's, and tips on communicating issues. So, let's get started. So you found an issue, and now you need to communicate exactly what has gone wrong. How do you do that? Be sure to use objective language. This means writing that avoids emotion, exaggeration, and bias. Internal audit is an independent function that provides objective assurance, and this must be reflected in the audit finding. The audit finding should be concise and clear, using plain language and avoiding technical jargon. Make sure to define all acronyms to avoid any confusion among your readers. Start with the most important information. Don't make your audience wait. Also, writing in an active versus passive voice will make your writing livelier and easier to read. Here's a pro tip for collaboration and communication. Before you begin to write your finding, ask yourself, does the audit client need to know about this issue? Proceed if the answer to that is, yes they do. Communicate verbally to the client what you have seen, and don't assume your conclusion is correct. Try to work through the issue before you start writing a finding. Collaborating with your stakeholders will ultimately result in a better outcome, as you can each bring your expertise to solve the issue at hand. In getting started with reporting, we told you about the five C's. Let's explore them a bit more, including why they are an important part of an audit finding. The first two C's typically go together when you're writing up an issue. You want to explain the condition, which is, in simple terms, what happened. An example could be that system changes were not approved by management. The second C, criteria, will tell us why this is a finding. For example, the why could be that it is a part of company policy that all system changes must be approved. This could be tied back to a larger framework the company has agreed to follow. Be concise with these statements, get to the point, and avoid filler phrases like, during our review, internal audit noted that… The third C is consequence. You must describe why your audience should care. In our example, maybe that system change issue will now be documented on a system and organization controls report, also called a SOC report, going out to customers. That could potentially cause some reputational damage, which could lead to reduced sales. The fourth C, cause, should explain why the condition occurred in the first place. In our example, maybe the manager role was vacant or the manager was out of office and a backup wasn't identified. The last C, corrective action, is typically written up by management, sometimes using recommendations suggested by the auditors. Here's a bright idea. Work with stakeholders on identifying root causes and develop a rapport with them. The better you know them, the better the work output will be. Internal audit's role is not to be the decision maker on what the final plan is, but internal audit can make recommendations based on previous experience and industry best practices. This can make management's job a little easier with regard to making decisions. An auditor with experience on management actions can be a great resource by pointing out ways they've seen the issue successfully remediated in the past. Here's a useful tool, risk ratings. Audit findings typically include risk ratings, such as high, medium, or low. These ratings relate to risk associated with the issue addressed in the finding. Findings can also include rating terms, such as satisfactory, ineffective, or needs improvement. It is important to define rating terms so all of your stakeholders have clarity. Don't assume everyone knows what you mean when you say something is a medium risk, for example. Your finding will likely go through a drafting process that will vary by organization and even individual reviewers, depending on your manager's preferences. Make sure to keep all relevant stakeholders in the loop during any rewrites or reconsiderations. Congratulations on completing Getting Started with Writing and Audit Finding. Thank you for watching. There's so much more to learn. On the following screen, you'll see links to suggested videos to view next.