Presenting Compliance Recommendations

Audit reports should be persuasive arguments for management to take action to reduce risks. When presenting audit reports and recommendations, it’s an opportunity to put a voice and answer questions that management may have. Over 2,000 years ago, Aristotle identified three methods to master the art of persuasion, which still apply today:

• Ethos—Establishing credibility, character, and show you are committed to the welfare of others, and you will gain trust.

• Logos—Use data, evidence, and facts to support your point of view.

• Pathos—Wrap your big idea in a story that will elicit an emotional reaction.

These methods work well for auditors. Present your findings in an (ethos) way that builds on the successes already established within IT such as reference well established industry standards. Present your findings based on (logos) data and clear and convincing evidence such as the use of data analytics. Finally, present your findings through a risk (pathos) story that management can easily relate to and instinctively want to take action to correct to correct such as the impact if action is not taken.

Additionally, compare your idea to something familiar and used for example. It will help you clarify your argument on the business impact making the abstract risk more concrete. Be brief and allow the audit report to speak for itself. Do not read but summarize the report. Keep the big ideas and explain them in as few words as possible. People have a limited attention span, so talk about your strongest points first.

Audits sometimes reveal major risks or compliance gaps. In those cases, the final reports may include recommendations supported by the audit findings. The recommended actions should be logically tied to a finding for which the problem has also been identified. A recommendation is more valuable to the organization when it is specific, sensible, cost-effective, and actionable.