Why internal audit should lead with words, not numbers.

The title sounds like something you’d expect a communication expert to say, right? Truth be told, I love numbers and data. I love analyzing statistics and processes. And I love looking at a sexy chart as much as the next data geek (did someone say pie?). However, numbers and fancy charts are only able to tell part of the story. If you want your reports and your data to come alive for your clients, you need to make your words matter. Words, when it comes to driving action, are your most valuable currency.

Let’s take a look at some examples where Internal Audit often allows numbers to do the talking, and discuss how, with the right words, the resulting actions can be much more definitive.

Scenario 1: The Mind-Blowing Data Figure

You’ve conducted your audit. You’re writing up the report. And you’ve found something startling. In your organization, you’ve implemented three levels of security to protect your internal and consumer data. All of the computers (100 percent) met the first level, but only 33 percent met the second level, and only 10 percent the third level.

Holy cow! That’s no bueno.

There are tons of problems that can come from this, including an onslaught of nightmare public relations disasters and loss of customers should this information get out. To you, the IT Auditor, these are obvious.

You make the report, give the presentation, report the data, and talk about the next steps that need to be done. You agree on an implementation strategy and schedule and make a clear plan to remediate the issue.

You pat yourself on the back for a job well-done.

But then that implementation schedule gets pushed back and pushed back again. The urgency of this issue isn’t being respected.

Why?

Because you relied on data and numbers as your motivating factors, without adding words to drive action. Although we’d like to think they do, numbers, in fact, do not speak for themselves.

Scenario 2: The Not-So-Illustrative PowerPoint Chart

You’ve learned that visuals can help people conceptualize data, so you were sure to include a chart illustrating the three levels of security and the computers that passed or failed the tests. Surely this would be enough to drive action?

Not necessarily.

Having a chart is a step in the right direction towards more clarity. It also helps those who are visual learners more readily grasp the data and the concept. However, it still falls a step short in connecting the WHY behind the data. Why these numbers matter is not evident by reporting the figures. Why these numbers matter is not clear in a nicely-designed chart.

Why these numbers matter can only be explained by words.

Let’s have a look at how this chart could be better designed to have the visual and action-producing impact that you desire.

Below you have a nicely-designed slide. It’s pretty clean. The colors match the company branding, and we can tell what the data represents.

But we don’t know why it’s important.

Jill1

How can we make this data come alive with more than just a chart?

By adding relevant information, risks, outcomes, and bottom-line details to the data to make it come alive. Use words to further explain the data and what it means to that those looking at the presentation—whether or not they were in the room—are able to clearly understand what each number means, and the risks associated with non-compliance.

Here’s one way you could do this with the same slide design and chart.

Jill2

Scenario 3: The Accountability Dilemma

Let’s take this one step further. I’m going to assume that you’ve given your presentation deck to either upstream management or the auditee (if not, you can accomplish the same thing with a worksheet or handout).

You’ve presented and reported. The data is known. The repercussions of not acting on the level two and three security measures are clear. A plan is in place to remediate the issue. The plan is communicated. But a key piece is left out—who is specifically accountable for each step of the implementation process?

This is something that should be communicated in meetings.

Here is a way to visually present this, while also holding people accountable. If these fields are not already known, this is a great chance to get buy-in from relevant parties and increase the rate and likelihood of compliance.

Jill3

The last step in the process is to communicate this plan to everyone involved via a post-meeting email. This ensures that there’s a “paper” trail of everything reported, and specific follow-up instructions.

By doing these things you’ve essentially followed a classic framework (origins debatable) for any action to take place:

  • Tell them what you’re going to tell them: You did this in the report.

  • Tell them: You do this in the presentation.

  • Tell them what you told them: You will do this in the email.

Numbers don’t talk. But with the right words explaining the WHYs and the WHATs behind them, they can not only speak volumes, but they can drive change.

Looking to learn more about this topic and others? Join MISTI and Jill at the SuperStrategies Conference & Expo where the communication expert will be conducting a workshop and hosting a session.

 rawpixel