Tools for the job – one-page wonders

Even before the Covid-19 pandemic changed working practices, many people were wondering how to streamline their daily tasks. Internal audit reports were
no exception.

Several teams have been experimenting with “one-pagers”, which summarise engagement results on a single sheet of paper. Unsurprisingly, many people like this notion. Long, verbose reports have been standard in corporate life for too long. Concise documents that recognise readers’ time constraints and attention span must be an improvement.

However, before we slash the wordcount, we must ensure that the information we put in our one-pagers is useful as well as being more accessible.

First, consider the one-pager’s purpose. Ask whether you even need to issue a report at all. After all, the International Standards and the Public Sector Internal Audit Standards don’t stipulate that you must communicate your findings in a report. They simply require you to communicate them. If you include the objective, scope and results (which can be summarised in a few sentences), you’re adhering to the Standards.

One chief audit executive (CAE) I know asks his team to email their final reports as attachments, with a two- or three-sentence summary in the body of the email. He points out that many senior managers receive emails on handheld devices. If they get the gist of the results without scrolling or opening attachments, it saves time: they know in seconds whether they should download the report or whether it can wait until later.

Once an auditor has summed up each audit in two to three sentences, the CAE asks them: “So why do I now need a longer executive summary?” He doesn’t – but this highlights how it’s easier to include unnecessary details in summaries than to work out what actually matters. Consequently, his team now produces executive summaries that are real summaries – not edited versions of the entire report.

The more internal auditors think about their readers and tailor communications accordingly, the more management time they will save. However, a one-page report may not always be the most efficient solution.

Situations to consider

1) The internal audit engagement has produced no material findings, and things seem to be going well in the area under review. Do you need to fill a whole page? Would an email suffice? You could tell the readers that, within the objectives and scope of the engagement, you discovered no material findings, but you’re happy to share details of testing and results if they want to know more. You could include links to relevant fieldwork documents in emails or one-pagers, or you could create a secure, read-only folder for readers outside internal audit to access details.

2) If, however, an engagement reveals a complicated or contradictory picture, you need to choose your language carefully. The aim is not to avoid giving offence, but to ensure every word conveys a precise meaning so you provide essential detail and context without wasting space or obscuring important messages with trivia or corporate waffle. You may need to exceed a page to do this well.

3) Lastly, a slavish adherence to the principle of one-page reports can cause internal auditors to replace complete sentences and coherent structure with array of pie charts, tables and graphs, all in six-point font. Their poor readers must infer the headline results for themselves. Graphics used judiciously are powerful; used exclusively, they are just exhausting.

Internal audit communications should always be “accurate, objective, clear, concise, constructive, complete and timely” (Standard 2420). If you keep your writing active, brief and precise (no vague or abstract buzzwords), then you can deliver even complex information in very little space.

Focus on this and, regardless of whether you produce a three-sentence email or a three-page document, your readers will get the best return on the time they invest – and you are more likely to elicit the response you require. And that, in the end, is what it’s all about. 

Sara I James, PhD, CIA, is the owner of Getting Words to Work (www.saraijames.com) and a member of the Chartered IIA. Her new book, Radical Reporting: Writing Better Audit, Risk, Compliance and Information Security Reports is published by Taylor & Francis/CRC Press.

This article was first published in July 2022.