The Purpose of an Executive Summary
An executive summary is not a table of contents. Its purpose is to give a senior reader who will not read the full report — and this describes most board members and many senior executives — the information they need to exercise informed oversight over the subject area audited. That is a different job from summarising what is in the document.
A well-written executive summary answers four questions in sequence: What did we look at and why? What is the overall control environment assessment? What are the one or two most important things that need to change? What is the expected outcome if these changes are made?
If the executive summary answers these four questions in plain language, a CFO who reads only that section will have what they need to brief the audit committee, respond to the CEO, and ensure the right people are accountable for corrective action. If it does not, the audit report has failed at its most important communication task.
What Most Executive Summaries Get Wrong
The most common failure is the recap structure — a summary that mirrors the report structure by listing each finding in the same order they appear in the report body. This approach is logical but unhelpful. Senior readers do not need a compressed version of the findings list; they need the synthesised message that the findings, taken together, convey about the control environment and what management needs to prioritise.
The second most common failure is burying the overall assessment. If the audit found that the subject area has a weak control environment with significant control deficiencies, that message should appear in the first or second sentence of the executive summary — not at the end of the third paragraph after the reader has worked through background context and scope qualifications.
The third failure is using jargon and audit terminology that is transparent to audit professionals but opaque to business readers. Phrases like "control design adequacy," "operating effectiveness testing," and "attribute sampling methodology" are appropriate in the body of the report. They have no place in the executive summary.
A Better Structure
Consider this structure for an audit executive summary:
Sentence 1-2 (Context): One sentence on what was audited and why it was prioritised. One sentence on the scope period and main business units or systems covered.
Sentence 3-4 (Overall Assessment): A clear overall assessment of the control environment — what is working well and what is not. This should be a synthesised judgement, not a list.
Paragraph 2 (Key Issues): The one, two, or at most three most significant issues identified, written in business language. Not the finding titles from the body of the report — the actual business risk that each issue represents.
Paragraph 3 (Management Commitment): A brief summary of management's response and the expected timeline for resolution.
An executive summary written at this level of clarity is also a more honest document than most — because it forces the audit team to articulate what they actually found, rather than presenting findings in a way that distributes responsibility and avoids the discomfort of a clear overall verdict.
Calibrating to Your Audience
The audience for an executive summary determines the level at which it should be written. A summary designed for the operating business unit's senior leadership can use more technical and process-specific language than one designed for the board audit committee. The key discipline is deciding upfront who the primary reader is and writing consistently for that reader — not trying to satisfy everyone in a single section that ends up satisfying no one.