Pop quiz, audit report writers! What kind of risk writer are you? Mentally circle which statement below best describes you:

  A. Less is more. I don’t think risks need to be a full sentence. “Non-compliance with policies” is a perfectly solid risk statement.

  B. Vague is best. I like to use the same risk for multiple issues. Writing “Financial misstatement” is an all-encompassing risk and just feels right. Every. Single. Time.

  C. Already proved it. The risk is obvious to the issue, so why rewrite it? I’ll throw something in the risk section to fill the space. Who reads the risk anyway?

  D. I’m a risk-writing genius. I write full sentences that quantify what could happen if the issue goes unresolved. I cater my risk to speak to what the Executive would be concerned about. I kind of kill it in the risk area.

This quiz sums up some of the common pitfalls of risk statements: incomplete sentences, vague or broad risks, and general repeats of the issue itself without a furthering of what could happen if the issue goes unresolved.

If you answered D, then you can skip this week’s Audit Writer’s Hub article. But if you’ve ever read or written a sentence along the lines of “Financial misstatement could lead to financial loss,” or “Non-compliance with policies” (what does that even mean anyway?), then read on for some tips to improve the risk statement.

Familiar Risk Statements

To start, we need an example that covers snafus listed in A, B, and C. Below, the auditor has written a solid, succinct issue:

Issue: The home healthcare referral system is not properly configured. Data selection tables allow the use of “other” as an agency name. The “other” field results in home healthcare referrals being mapped to an “unknown” section in the referral system.

Then, the auditor lists the risk:

Risk: Reputational risk; financial loss

I’ve seen the above words (or something similar) used as the risk statement in many audit reports for many companies and for a variety of audit issues. Have you, too?

Stating just the risk category (common risk categories include financial, reputational, operational, compliance, and strategic risks) in an incomplete sentence is not enough. The risk above supplies an incomplete picture of what’s going on in the business. We don’t know how reputation and finance are at risk, just that they are. The risk is also broad enough that you could be talking about anything from online branding to account reconciliation.

Instead of broad risk statements, you have to quantify what you mean. How is the issue a reputational loss? What specifically makes this a financial issue? I wouldn’t know what to do with such a broad statement, and neither would executives.

Where do we go from here? We scrap the risk and try again, this time using a full sentence with informative words.

Formulate the Risk Statement

Writing is formulaic – that’s what I like about it. A risk statement is just as formulaic as any other writing:

Risk = [Subject noun] + could, might + [verb] + [object noun]

Risk = [Employees] could [damage] [sensitive data].

Maybe not all risks conform to this formula, but it’s good enough to get you through the majority of your risk statements.

Define the Subject

In the example above, the writer has already determined that the issue presents financial and reputational risks. Start by defining the subject of your risk. I’ll explain.

Risk can arise from mistakes by people (e.g., employees, customers, departments) or things (e.g., payroll expenses, customer statements, referrals). So, first determine whether you want to focus your risk statement on people or things. Since the audit issue example above discusses home healthcare referrals, it’s safe to focus on home healthcare referrals in the risk statement as well. So our risk sentence formula begins to build into the following:

Risk = Home healthcare referrals + could [verb] + [object noun]

Next, we need a good verb.

Use could or might

When you see the word could or might in a sentence, it’s a direct indicator that the sentence is about something that might happen in the future – a risk. If you see the word could or might elsewhere in an audit issue, it’s a grammatical tip that the sentence might be the risk or a repeat of the risk just listed elsewhere in the issue. A sentence that contains the word could or might anywhere else in an issue can be deleted, rewritten, or moved to the risk section.

Use a Vivid Verb

After the helping verb could, decide on the action that is at risk. And you can’t tap out of this. The verb is important! So instead of, “Home healthcare referrals could risk reputational loss,” try a vivid verb, an action verb that is more specific to the potential consequences. And remember how we’ve vowed to describe “reputational loss” instead of using the actual words “reputational loss”? That’s what we’re going to do.

Vivid verbs tell the reader what people could do or what things could go wrong. Using vivid verbs adds movement to the risk.

Vivid verbs are words like tamper with, damage, delay, misuse, or corrupt. All of these verbs describe a formidable action. Using the verb risk keeps the risk sedentary. Use a vivid verb instead. In this case, we’ll choose forfeit for our vivid verb. As our risk formula progresses, here’s what the statement looks like now:

Risk = Misplaced home healthcare referrals + could forfeit + [object noun]

Create an Impactful Ending

The object noun receives the action of the verb and refers to the subject noun. Solid nouns in the audit world include opportunity, statements, payments, employees, customers, and many more. In the risk that we’re building above, do you want to focus on a financial or reputational impact?

If you focus on a financial impact then the forfeited object would be something like, “opportunities to expand the market.” If you focus on reputational impact, then the forfeited object would be something like “the needs of customers.”

Once you fill in your final noun, the final risk statement looks like this:

Risk = Misplaced home healthcare referrals could forfeit opportunities to expand its market.

It’s not rocket science, but it does require some focus on determining what exactly you want to say. You might want to look through past risk statements and determine what made them so good. Perhaps you or others have followed this formula without even thinking about it.


No one is perfect at writing. We’re just sort of all in this together and we help each other out. And what I think sounds good as a sentence today might change tomorrow. That’s the nature of the beast we call being human: we change our minds a few times.

But, when in doubt, go back to the simple things that make your writing clear: a relevant subject noun, a vivid verb, and a specific object noun. And write risk statements that accurately describe potential risks.
