Internal Audit Ratings Guide

8/11/2019 Internal Audit Ratings Guide

Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com

Table of Contents

Audit Ratings Definitions
Audit Report Ratings Matrix
Audit Report Ratings Guidelines
XYZ Audit Ratings
Internal Control Option Criteria
Audit Ratings Example
Appendix
A: Definition of Internal Audit Ratings and Rankings
B: Rating of Audit Findings


Audit Report Ratings Matrix

Rating: Effective (scale 1-2)

Overall risk program is reliable and requires negligible improvements.

The risk management procedures are formalized and documented and clearly communicated and understood throughout the business. The risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks.

Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to undue risk. The risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit recommendations are generally housekeeping in nature.

Rating: Monitor (scale 3-4)

Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring.

The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be clearly communicated and the business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks.

Risk controls adequately manage, mitigate and transfer existing risks, but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.

Rating: Needs Improvement (scale 5-6)

Overall risk program is not adequate.

The risk management procedures are partially formalized and documented, and not clearly communicated. Risk procedures require improvement to assure that risk processes are fully documented, and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood.

The risk management system requires improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require improvement to ensure the ability of mechanisms to manage, mitigate and transfer existing and emerging risks, as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Rating: Impaired (scale 7-8)

Overall risk program is impaired.

The risk management procedures are for the most part informal and undocumented, and not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented, and must be communicated to and understood by the business.

Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require extensive improvements to secure the ability to manage, mitigate and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. The risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.

Rating: Unsatisfactory (scale 9-10)

Overall risk program is not acceptable.

The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and clearly communicated.

Risk management systems must be implemented immediately to accurately and in a timely manner identify, document and assess existing and new risks.

Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and to possess the flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of the improvements to be implemented.

Audit Report Ratings Guidelines

Rating: Effective

Scale 1: No high-risk issues; no medium-risk issues; no more than three low-risk issues.

Scale 2: No high-risk issues; no more than one medium-risk issue; no more than six low-risk issues.

Rating: Monitor

Scale 3: No high-risk issues; no more than three medium-risk issues; no more than four low-risk issues. OR: no high- or medium-risk issues and more than six low-risk issues.

Scale 4: No high-risk issues; no more than four medium-risk issues; no more than six low-risk issues.

Rating: Needs Improvement

Scale 5: No more than one high-risk issue; no more than four medium-risk issues. OR: no high-risk issues and no more than six medium-risk issues.

Scale 6: No more than two high-risk issues; no more than six medium-risk issues. OR: no more than one high-risk issue and more than six medium-risk issues.

Rating: Impaired

Scale 7: No more than three high-risk issues; no more than four medium-risk issues.

Scale 8: No more than three high-risk issues; no more than six medium-risk issues.

Rating: Unsatisfactory

Scale 9: More than four high-risk issues; no more than six medium-risk issues. OR: no more than two high-risk issues and more than six medium-risk issues.

Scale 10: More than four high-risk issues; more than six medium-risk issues.
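The 1-10 scale above is a threshold table, so it can be encoded and checked mechanically. The following Python is an added example, not part of the Protiviti guide: it transcribes the guideline thresholds as rules and then enumerates issue counts to find combinations that no rule covers. The evaluation order (try scale 1 first and stop at the first rule the counts satisfy, so an area gets the best rating it qualifies for) is an assumption, since the guide does not say how overlapping ranges are resolved; the sample finding counts are constructed.

```python
"""Added example: the 1-10 Audit Report Ratings Guidelines as a rule table,
plus a coverage check that hunts for issue-count combinations the table
never rates.  Not part of the Protiviti guide.

Assumption (not stated in the guide): rules are tried from scale 1 upward
and the first rule the counts satisfy is the rating, i.e. an area receives
the best rating it qualifies for.
"""
from itertools import product
from typing import Callable, Optional

Rule = Callable[[int, int, int], bool]   # predicate over (high, medium, low)

# Thresholds transcribed from the guideline table.  Scales 1-4 also bound
# the number of low-risk issues; scales 5-10 only look at high and medium.
RULES: list[tuple[int, str, Rule]] = [
    (1, "Effective", lambda h, m, l: h == 0 and m == 0 and l <= 3),
    (2, "Effective", lambda h, m, l: h == 0 and m <= 1 and l <= 6),
    (3, "Monitor", lambda h, m, l: (h == 0 and m <= 3 and l <= 4)
                                or (h == 0 and m == 0 and l > 6)),
    (4, "Monitor", lambda h, m, l: h == 0 and m <= 4 and l <= 6),
    (5, "Needs Improvement", lambda h, m, l: (h <= 1 and m <= 4)
                                          or (h == 0 and m <= 6)),
    (6, "Needs Improvement", lambda h, m, l: (h <= 2 and m <= 6)
                                          or (h <= 1 and m > 6)),
    (7, "Impaired", lambda h, m, l: h <= 3 and m <= 4),
    (8, "Impaired", lambda h, m, l: h <= 3 and m <= 6),
    (9, "Unsatisfactory", lambda h, m, l: (h > 4 and m <= 6)
                                       or (h <= 2 and m > 6)),
    (10, "Unsatisfactory", lambda h, m, l: h > 4 and m > 6),
]


def rate(high: int, medium: int, low: int) -> Optional[tuple[int, str]]:
    """Return (scale, rating) for the given counts, or None if no rule in
    the guideline covers that combination."""
    for scale, label, rule in RULES:
        if rule(high, medium, low):
            return scale, label
    return None


def uncovered(max_high: int = 6, max_medium: int = 8,
              max_low: int = 8) -> list[tuple[int, int]]:
    """Enumerate every (high, medium, low) combination up to the given maxima
    and return the sorted (high, medium) pairs for which at least one
    low-risk count receives no rating.  Maxima past the largest threshold in
    any rule (4 high, 6 medium, 6 low) suffice, because above those values
    every predicate is constant in that count."""
    combos = product(range(max_high + 1), range(max_medium + 1),
                     range(max_low + 1))
    gaps = {(h, m) for h, m, l in combos if rate(h, m, l) is None}
    return sorted(gaps)


if __name__ == "__main__":
    # Constructed sample: a report with 2 high, 7 medium and 3 low findings.
    print(rate(2, 7, 3))   # (9, 'Unsatisfactory')
    print(uncovered())     # (high, medium) pairs the scale is silent on
```

Running the coverage check shows that exactly four high-risk issues (with any number of medium-risk issues), and three high-risk issues combined with more than six medium-risk issues, receive no rating at all: scales 7 and 8 stop at "no more than three" high-risk issues while scales 9 and 10 start at "more than four". Anyone automating the scale should close those gaps, or record how the auditor resolves them, before relying on it, and should note that the low-risk count only influences scales 1 to 4.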

XYZ Audit Ratings

ST Strong: Audited area meets or exceeds XYZ Company standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two Low observations were noted.

SA Satisfactory: Audited area meets XYZ Company standards overall. Generally, no more than two Important observations may exist, which are being promptly addressed by management. A few Notable observations may also exist.

N Needs Improvement: Audited area does not meet XYZ Company standards overall. Generally, there is either at least one High observation and/or at least three Important observations, which if uncorrected could expose XYZ Company to an unacceptable risk.

U Unsatisfactory: Audited area contains unacceptable gaps in the overall control structure and/or controls are not working as intended. Generally, there is at least one High observation and/or five Important observations. The area requires immediate attention with oversight by senior management.

Business Importance Codes

H High: Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company's reputation. High likelihood and high impact.

I Important: Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation. Moderate likelihood and moderate to high impact, or high likelihood and moderate impact.

N Notable: Risk involves an important but indirect and limited exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation, which is outside of XYZ Company's risk appetite. Low likelihood and moderate to high impact, or moderate likelihood and moderate to low impact. This also includes low impact/high likelihood observations.

L Low: Generally, issues classified in this category are brought to management's attention as an efficiency improvement. Low likelihood and low to moderate impact, or low to moderate likelihood and low impact.

Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and the XYZ Company management responsible for the process being audited.

XYZ Audit Ratings: Overall Classifications (COSO)

F Financial Reporting: Reliability of the financial reporting process

O Operational: Operational effectiveness and efficiency

C Compliance: Compliance with applicable laws and regulations

S Strategic: High-level goals, aligned with and supporting the mission of XYZ Company

Internal Control Option Criteria

Based on the results of the audit, the system of internal controls will be rated as Strong, Satisfactory, Unsatisfactory, or Critical based on the following criteria:

Rating Definition

Strong: No issues.

Satisfactory: Issues are not likely to impair business operations or jeopardize financial integrity.

Unsatisfactory: Significant issues exist. Corrections are required to avoid or contain exposure. Prompt action is required.

Critical: Significant issues found indicate that processes/results are unreliable. Impact of weaknesses is likely widespread/compounding. Immediate attention required.

Attributes of Control Environment

Strong: Control processes/monitoring are effective.
Satisfactory: Control processes/monitoring are effective for key cycles/functions.
Unsatisfactory: Control processes/monitoring have weaknesses/are not effective.
Critical: Control monitoring is not in place or is extremely unreliable.

Strong: Low potential for undetected errors and omissions.
Satisfactory: Major issues would likely be detected.
Unsatisfactory: Major issues may not be detected and corrected.
Critical: Very high potential for losses/undetected errors and omissions.

Strong: Compliance with company policy, GAAP.
Satisfactory: Policy and GAAP compliance issues have no material impact on operations or financial statements.
Unsatisfactory: Policy or GAAP non-compliance could have (or does have) a material impact on operations/financials.
Critical: Policy or GAAP non-compliance issues are severe, pervasive, and material to operations/financials.

Strong: Financials/results are reliable; adjustments not necessary.
Satisfactory: Financial adjustments, if any, are minor.
Unsatisfactory: Material financial adjustments may be required.
Critical: Financials/results are likely unreliable. Major problems exist.

Strong: No regulatory compliance issues.
Satisfactory: Regulatory compliance issues, if any, are minor and isolated.
Unsatisfactory: Regulatory compliance issues may show signs of being systemic.
Critical: Compliance issues are significant and carry severe consequences (fines, sanctions, etc.).

Strong: No risk to CBI image.
Satisfactory: Issues carry a low level of (or no) risk to CBI image.
Unsatisfactory: Issues may carry potential for damage to CBI image.
Critical: Issues may carry severe risk of damage to CBI image.

Strong: No ethics issues.
Satisfactory: Ethics issues, if any, are minor and management takes timely, appropriate corrective actions.
Unsatisfactory: Ethics issues not addressed appropriately and/or management does not set the appropriate tone.
Critical: Ethics issues not addressed appropriately and/or management does not set the appropriate tone.

Audit Ratings Example

Audit ratings are assigned based on the following definitions:

Satisfactory: The audited area has effectively assessed its risks, implemented control processes, and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory: The audited area has adequately assessed its risks and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations.

Marginal: The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory: The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action.

Unrated: This rating is generally reserved for first-time audits, limited scope audits and special projects.


Appendix A: Definition of Internal Audit Ratings and Rankings

Definition of Review Ratings

Adequate

There are no identified issues that have either a Medium or High ranking. There may be a limited number of issues with a Low ranking and/or other observations for potential improvement.

Needs Improvement

There are one or more identified issues with either a Medium or High ranking.

A deficiency or combination of deficiencies impacts the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.

The deficiency or combination of deficiencies impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.

The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Inadequate

There are one or more identified issues with either a Medium or High ranking.

A deficiency or combination of deficiencies significantly impairs the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.

The deficiency or combination of deficiencies significantly impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.

The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Definition of Issue Rankings

HIGH

The issue is a control deficiency which represents a significant gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.

The issue requires an immediate, comprehensive corrective action plan, with progress to be monitored by an appropriate level of management.

MEDIUM

The issue is a control deficiency which represents a gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.

The issue requires prompt attention to ensure internal control is designed and/or operating effectively.

LOW

The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.

The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report to individual findings and recommendations and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently, and this should be borne in mind when considering this report.

Appendix B: Rating of Audit Findings

Each rating category is described by its risk/impact explanation, the need for action and the responsible function, and the reporting obligations.

Particularly Severe (A)

Risk/impact: Risks threatening the existence of the organization, e.g.: fatal material losses; image loss/public impact (massive loss of customers); violation of regulatory requirements (and possible revoking of the operating license).

Need for action and responsible function: Urgent remediation by the management board required, with immediate involvement of the supervisory body. Monitoring of timely remediation by internal audit ("follow-up").

Reporting obligations: Refer to the reporting obligations for Major (C) and Severe (B) findings, and: immediate notification of the supervisory body by the management board.

Severe (B)

Risk/impact: Critical risks for business continuity, e.g.: very high material losses (losses are not detected in a timely manner); image loss/public impact (adversely affects the image on the market); violation of regulatory requirements (and possible criminal liability, etc.).

Need for action and responsible function: Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members). Monitoring of timely remediation by internal audit ("follow-up").

Reporting obligations: Refer to the reporting obligations for Major (C) findings, and: immediate submission of the internal audit report to the management board; immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members; at least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation status).

Major (C)

Risk/impact: High risks for business continuity, e.g.: high material losses (if weaknesses are not remedied in a timely manner); image loss (many internal and external parties are affected); violation of regulatory requirements (and possible fines, etc.).

Need for action and responsible function: Remediation required, with close supervision by the responsible member of the management board. Monitoring of timely remediation by internal audit ("follow-up").

Reporting obligations: Highlighted in the internal audit report. Included in the (annual) overall internal audit report to the management board (including remedy measures taken). Reported to the supervisory body by the management board at least annually, if not remedied. If not remedied within an appropriate period, the responsible member of the management board has to be informed in writing; if the findings remain unresolved during the financial year, the management board has to be informed in writing in the next (annual) overall internal audit report at the latest.

Improvement Opportunity (D)

Risk/impact: Medium risks for business continuity, e.g.: medium material losses; image loss (internal, and some external parties affected, if applicable); non-compliance with, or non-implementation of, certain regulatory requirements.

Need for action and responsible function: Implementation of certain improvement measures recommended. Monitoring by the head of the audited organizational unit; immediate involvement of the management board is not required. Monitoring of timely remediation by internal audit ("follow-up").

Reporting obligations: Included in the internal audit report. Not included in the (annual) overall internal audit report.

Comment (E)

Risk/impact: Low or no risks. "Food for thought" for improvement/further development.

Need for action and responsible function: Decision on prioritization and implementation of measures remains with the audited organizational unit. Monitoring by the head of the audited organizational unit; involvement of the management board is not required. Not included in the follow-up by internal audit.

Reporting obligations: Summarized in the internal audit report or in a separate management summary/memo. Not included in the (annual) overall internal audit report.