Sunday, October 16, 2011

Why do Auditors Write Like Idiots?


Here is an interesting audit by the City Auditor of Palo Alto, California.


It’s a detailed audit on an important topic, but unfortunately, most people are not going to read it.

If they do read it, most people won’t understand it.

And that’s too bad.

The report is 80 pages long and the conclusion is on the 59th page. Here’s the conclusion from the audit report:

“The City’s SAP Enterprise Resource Planning system supports its core business functions and management of information. An unsecured system-provided SAP user account with unrestricted access resulted in a significant security vulnerability, and ASD violated two critical security principles by not properly restricting access for all user accounts. Moreover, ASD has not formally adopted and implemented all controls needed to effectively manage SAP user accounts to ensure system security. The Auditor’s Office recommends formal adoption of the PCI DSS and NIST SP 800-53 security control frameworks and further security assessments of the City’s information systems using a risk-based approach.”


First, this jargon just has to go (PCI DSS, NIST SP 800-53). We need to write in plain English. I was responsible for managing a group of computer auditors and they kept telling me, “You just didn’t understand – this is how we talk.”

They’ve got to get a grip and write so the City Manager and his or her staff can understand what is happening.

Second, the writers of this report need to be sure they are saying what really is going on. “An unsecured system-provided SAP user account with unrestricted access resulted in a significant security vulnerability.”

While that is hard to understand as written – I’ll bet the writer meant to say the opposite of what was written. The security vulnerability resulted in access to a SAP user account.

Third, ASD (whatever that is) doesn’t do anything. People do.

So, who specifically violated two critical security principles and why are they not held accountable for their actions in this audit report? Too often, auditors are cowards and are unwilling to point to the real cause of the problems in an organization.

Writing is a difficult task. Unfortunately, the most critical part of an audit – communicating the results, is often left to people who have not studied the craft of writing.

Too many auditors approach the task of writing without tools – such as a book on grammar or a book on style. They don’t even have a dictionary, thesaurus or a book of synonyms.

There are many good books on writing. But one of the best is short and to the point - The Plain English Approach to Business Writing by Edward P. Bailey Jr. It’s an investment worth making if you write audit reports.

And if that book doesn’t help you, buy, Why Business People Speak Like Idiots: A Bullfighter's Guide.

If you want to be an amateur you don’t have to study the craft of writing. If you want to be a real professional though – you've got to be on your game and be a good writer.

This was a good audit and the auditors deserve credit for raising an important issue. They just need to improve the approach to presenting the information to management and to the public.




2 comments:

  1. I hope things are going well and it's good to see you started a blog. I found blogging to be a rewarding experience. Now onto your post ...

    I agree with your point about the conclusion as written needing some work. However, I don't agree with your comment

    "While that is hard to understand as written – I’ll bet the writer meant to say the opposite of what was written. The security vulnerability resulted in access to a SAP user account."

    I only read your post and not the audit report but the writer didn't mean the opposite. The user account was not protected and this was the weakness in the system/application. Think about it this way. If my front door is unlocked then the weakness to my house's security is the lock. The weakness didn't already exist resulting in the unlocked door. I think the writer didn't take into account his target audience which resulted in some people guessing as to what was meant.

    If you do check out my blog I’m writing for a specific target audience who understands my terminology. ;)

    ReplyDelete
  2. Even better - and more concise - is The Elements of Style, by Strunk and White.

    ReplyDelete