Internal Audit Ratings Guide
8/11/2019 Internal Audit Ratings Guide
Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com
Table of Contents
Audit Ratings Definitions 3
Audit Report Ratings Matrix 4
Audit Report Ratings Guidelines 7
XYZ Audit Ratings 9
Internal Control Option Criteria 12
Audit Ratings Example 13
Appendix 14
A: Definition of Internal Audit Ratings and Rankings 15
B: Rating of Audit Findings 17
Audit Report Ratings Matrix

Effective (rating scale 1-2)
Overall risk program is reliable and requires negligible improvements.
The risk management procedures are formalized and documented and clearly communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks.
Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit recommendations are generally housekeeping in nature.

Monitor (rating scale 3-4)
Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring.
The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be clearly communicated and business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks.
Risk controls adequately manage, mitigate and transfer existing risks but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. Risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.
Needs Improvement (rating scale 5-6)
Overall risk program is not adequate.
The risk management procedures are partially formalized and documented, and not clearly communicated. Risk procedures require improvement to assure that risk processes are fully documented, and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood.
Risk management system requires improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require improvement to ensure ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Impaired (rating scale 7-8)
Overall risk program is impaired.
The risk management procedures are for the most part informal and undocumented, and not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented, and must be communicated and understood by the business.
Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require extensive improvements to secure ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.
Unsatisfactory (rating scale 9-10)
Overall risk program is not acceptable.
The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and clearly communicated.
Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks.
Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of improvements to be implemented.
Audit Report Ratings Guidelines

Effective
Scale 1: No high-risk issues; no medium-risk issues; no more than three low-risk issues.
Scale 2: No high-risk issues; no more than one medium-risk issue; no more than six low-risk issues.

Monitor
Scale 3: No high-risk issues; no more than three medium-risk issues; no more than four low-risk issues. OR: No high or medium-risk issues and more than six low-risk issues.
Scale 4: No high-risk issues; no more than four medium-risk issues; no more than six low-risk issues.
Needs Improvement
Scale 5: No more than one high-risk issue; no more than four medium-risk issues. OR: No high-risk issues and no more than six medium-risk issues.
Scale 6: No more than two high-risk issues; no more than six medium-risk issues. OR: No more than one high-risk issue and more than six medium-risk issues.

Impaired
Scale 7: No more than three high-risk issues; no more than four medium-risk issues.
Scale 8: No more than three high-risk issues; no more than six medium-risk issues.
Unsatisfactory
Scale 9: More than four high-risk issues; no more than six medium-risk issues. OR: No more than two high-risk issues and more than six medium-risk issues.
Scale 10: More than four high-risk issues; more than six medium-risk issues.
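As an added illustration that is not part of the Protiviti guide, the Python below encodes the threshold rows of the Audit Report Ratings Guidelines as a rating function: the rows are nested, so the best (lowest-numbered) scale whose limits are met is assigned, and a count combination that no row covers (for example exactly four high-risk issues, which sits between "no more than three" and "more than four") is returned as None so it can be flagged for professional judgment rather than silently rated. The function and helper names are mine, not the guide's.

```python
from typing import Callable, Optional

Counts = Callable[[int, int, int], bool]  # predicate over (high, medium, low)

# Threshold rows of the Audit Report Ratings Guidelines, in scale order.
# Rows marked "OR" in the guide become two alternatives in one predicate.
# Low-risk counts only matter for scales 1-4, as in the guide.
RULES: list[tuple[int, str, Counts]] = [
    (1, "Effective", lambda h, m, lo: h == 0 and m == 0 and lo <= 3),
    (2, "Effective", lambda h, m, lo: h == 0 and m <= 1 and lo <= 6),
    (3, "Monitor", lambda h, m, lo: (h == 0 and m <= 3 and lo <= 4)
                                    or (h == 0 and m == 0 and lo > 6)),
    (4, "Monitor", lambda h, m, lo: h == 0 and m <= 4 and lo <= 6),
    (5, "Needs Improvement", lambda h, m, lo: (h <= 1 and m <= 4)
                                              or (h == 0 and m <= 6)),
    (6, "Needs Improvement", lambda h, m, lo: (h <= 2 and m <= 6)
                                              or (h <= 1 and m > 6)),
    (7, "Impaired", lambda h, m, lo: h <= 3 and m <= 4),
    (8, "Impaired", lambda h, m, lo: h <= 3 and m <= 6),
    (9, "Unsatisfactory", lambda h, m, lo: (h > 4 and m <= 6)
                                           or (h <= 2 and m > 6)),
    (10, "Unsatisfactory", lambda h, m, lo: h > 4 and m > 6),
]


def rate_report(high: int, medium: int, low: int) -> Optional[tuple[int, str]]:
    """Return (scale, rating) for the issue counts, or None if no row matches.

    The rows are nested (a report meeting scale 1 also meets scales 2 to 4),
    so the first satisfied row, i.e. the best rating available, is assigned.
    """
    if min(high, medium, low) < 0:
        raise ValueError("issue counts must be non-negative")
    for scale, rating, matches in RULES:
        if matches(high, medium, low):
            return scale, rating
    return None  # no row covers this combination: leave unrated and escalate


def uncovered_combinations(max_high: int = 6, max_medium: int = 8) -> list[tuple[int, int]]:
    """(high, medium) pairs up to the given bounds that no row covers (low = 0).

    A check worth running before adopting the thresholds: exactly four
    high-risk issues, or three high-risk with more than six medium-risk,
    matches no row as the guide is written.
    """
    return [(h, m) for h in range(max_high + 1) for m in range(max_medium + 1)
            if rate_report(h, m, 0) is None]


if __name__ == "__main__":
    # Constructed sample report: 2 high, 7 medium, 3 low -> scale 9, Unsatisfactory
    print(rate_report(2, 7, 3))
    print(uncovered_combinations())
```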
XYZ Audit Ratings

ST  Strong
Audited area meets or exceeds XYZ Company standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two Low observations were noted.

SA  Satisfactory
Audited area meets XYZ Company standards overall. Generally, no more than two Important observations may exist which are being promptly addressed by management. A few Notable observations may also exist.

N  Needs Improvement
Audited area does not meet XYZ Company standards overall. Generally, there is either at least one High observation and/or at least three Important observations, which if uncorrected could expose XYZ Company to an unacceptable risk.

U  Unsatisfactory
Audited area contains unacceptable gaps in overall control structure and/or controls are not working as intended. Generally, there are at least one High observation and/or five Important observations. The area requires immediate attention with oversight by senior management.

Business Importance Codes

H  High
Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company's reputation. High likelihood and high impact.

I  Important
Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation. Moderate likelihood and moderate to high impact or high likelihood and moderate impact.

N  Notable
Risk involves an important but indirect and limited level exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation, which is outside of XYZ Company risk appetite. Low likelihood and moderate to high impact or moderate likelihood and moderate to low impact. This also includes low impact/high likelihood observations.

L  Low
Generally, issues classified in this category are brought to management's attention as an efficiency improvement. Low likelihood and low to moderate impact or low to moderate likelihood and low impact.

Note:
Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and XYZ Company management responsible for the process being audited.
XYZ Audit Ratings: Overall Classifications (COSO)

F  Financial Reporting: Reliability of the financial reporting process
O  Operational: Operational effectiveness and efficiency
C  Compliance: Compliance with applicable laws and regulations
S  Strategic: High level goals, aligned with and supporting the mission of XYZ Company
Internal Control Option Criteria

Based on the results of the audit, the system of internal controls will be rated as Strong, Satisfactory, Unsatisfactory, or Critical based on the following criteria:

Rating Definition
Strong: No issues.
Satisfactory: Issues are not likely to impair business operations or jeopardize financial integrity.
Unsatisfactory: Significant issues exist. Corrections required to avoid or contain exposure. Prompt action is required.
Critical: Significant issues find/indicate processes/results are unreliable. Impact of weaknesses is likely widespread/compounding. Immediate attention required.

Attributes of Control Environment

Strong: Control processes/monitoring are effective.
Satisfactory: Control processes/monitoring are effective for key cycles/functions.
Unsatisfactory: Control processes/monitoring have weaknesses/are not effective.
Critical: Control monitoring is not in place or is extremely unreliable.

Strong: Low potential for undetected errors and omissions.
Satisfactory: Major issues would likely be detected.
Unsatisfactory: Major issues may not be detected and corrected.
Critical: Very high potential for losses/undetected errors and omissions.

Strong: Compliance with company policy, GAAP.
Satisfactory: Policy and GAAP compliance issues have no material impact on operations or financial statements.
Unsatisfactory: Policy or GAAP non-compliance could (or do) have material impact on operations/financials.
Critical: Policy or GAAP non-compliance issues are severe, pervasive, and material to operations/financials.

Strong: Financials/results are reliable; adjustments not necessary.
Satisfactory: Financial adjustments, if any, are minor.
Unsatisfactory: Material financial adjustments may be required.
Critical: Financials/results are likely unreliable. Major problems exist.

Strong: No regulatory compliance issues.
Satisfactory: Regulatory compliance issues, if any, are minor and isolated.
Unsatisfactory: Regulatory compliance issues may show signs of being systemic.
Critical: Compliance issues are significant and carry severe consequences (fines, sanctions, etc.)

Strong: No risk to CBI image.
Satisfactory: Issues carry low level of (or no) risk to CBI image.
Unsatisfactory: Issues may carry potential for damage to CBI image.
Critical: Issues may carry severe risk of damage to CBI image.

Strong: No ethics issues.
Satisfactory: Ethics issues, if any, are minor and management takes timely, appropriate corrective actions.
Unsatisfactory: Ethics issues not addressed appropriately and/or management does not set the appropriate tone.
Critical: Ethics issues not addressed appropriately and/or management does not set the appropriate tone.
Audit Ratings Example

Audit ratings are assigned based on the following definitions:

Satisfactory
The audited area has effectively assessed its risks, implemented control processes, and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory
The audited area has adequately assessed its risks, and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations.

Marginal
The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory
The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action.

Unrated
This rating is generally reserved for first time audits, limited scope audits and special projects.
APPENDIX
Appendix A: Definition of Internal Audit Ratings and Rankings

Definition of Review Ratings

Adequate
There are no identified issues that have either a Medium or High ranking.
There may be a limited number of issues with a Low ranking and/or other observations for potential improvement.

Needs Improvement
There are one or more identified issues with either a Medium or High ranking.
A deficiency or combination of deficiencies impact the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
The deficiency or combination of deficiencies impact the company's ability to provide reasonable assurance over the effective design and/or operation of control thus affecting the company's risk exposure within the area being reviewed.
The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Inadequate
There are one or more identified issues with either a Medium or High ranking.
A deficiency or combination of deficiencies significantly impair the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
The deficiency or combination of deficiencies significantly impact the company's ability to provide reasonable assurance over the effective design and/or operation of control thus affecting the company's risk exposure within the area being reviewed.
The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.
Definition of Issue Rankings

HIGH
The issue is a control deficiency which represents a significant gap in the design and/or operating effectiveness of control affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management.

MEDIUM
The issue is a control deficiency which represents a gap in the design and/or operating effectiveness of control affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
The issue requires prompt attention to ensure internal control is designed and/or operating effectively.

LOW
The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report regarding individual findings, recommendations and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently and this should be borne in mind when considering this report.
Appendix B: Rating of Audit Findings

Each rating category is described by its Risk/Impact Explanation, the Need for Action and Responsible Function, and the Reporting Obligations.

Particularly Severe (A)
Risk/Impact Explanation: Risks threatening the existence of the organization, e.g.:
- Fatal material losses
- Image loss/publicly effective impact (massive loss of customers)
- Violation of regulatory requirements (and possible revoking of the operating license)
Need for Action and Responsible Function:
- Urgent remediation by the management board required, immediate involvement of the supervisory body
- Monitoring of timely remediation by internal audit ("follow-up")
Reporting Obligations:
- Refer to reporting obligations for Major (C) and Severe (B) findings, and:
- Immediate notification of the supervisory body by the management board

Severe (B)
Risk/Impact Explanation: Critical risks for business continuity, e.g.:
- Very high material losses (losses are not detected timely)
- Image loss/publicly effective impact (adversely affects the image on the market)
- Violation of regulatory requirements (and possible criminal liability, etc.)
Need for Action and Responsible Function:
- Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members)
- Monitoring of timely remediation by internal audit ("follow-up")
Reporting Obligations:
- Refer to reporting obligations for Major findings (C) and:
- Immediate submission of the internal audit report to the management board
- Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members
- At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)
Major (C)
Risk/Impact Explanation: High risks for business continuity, e.g.:
- High material losses (if weaknesses are not remedied timely)
- Image loss (many internal and external parties are affected)
- Violation of regulatory requirements (and possible fines, etc.)
Need for Action and Responsible Function:
- Remediation required, close supervision by the responsible member of the management board
- Monitoring of timely remediation by internal audit ("follow-up")
Reporting Obligations:
- Highlighted in the internal audit report
- Included in the (annual) overall internal audit report to the management board (including remedy measures taken)
- Reported to the supervisory body by the management board at least annually, if not remedied
- If not remedied within an appropriate period, the responsible member of the management board has to be informed in writing. If the findings remain unresolved during the financial year, the management board has to be informed in writing in the next (annual) overall internal audit report, at latest.

Improvement Opportunity (D)
Risk/Impact Explanation: Medium risks for business continuity, e.g.:
- Medium material losses
- Image loss (internal, some external parties are affected, if applicable)
- Non-compliance with/implementation of certain regulatory requirements
Need for Action and Responsible Function:
- Implementation of certain improvement measures recommended
- Monitoring by the head of the audited organization unit; immediate involvement of the management board is not required
- Monitoring of timely remediation by internal audit ("follow-up")
Reporting Obligations:
- Included in the internal audit report
- Not included in the (annual) overall internal audit report
Comment (E)
Risk/Impact Explanation: Low or no risks; "food for thought" for improvement/further development
Need for Action and Responsible Function:
- Decision on prioritization and implementation of measures remains in the audited organizational unit
- Monitoring by the head of the audited organization unit; involvement of the management board is not required
- Not included in the follow-up by internal audit
Reporting Obligations:
- Summarized in the internal audit report or in a separate management summary/memo
- Not included in the (annual) overall internal audit report