SlideShare a Scribd company logo

Audit ratings guide

C
CenapSerdarolu

The document provides guidelines and examples for rating audits. It includes five rating levels - Good, Satisfactory, Requires Improvement, Unsatisfactory, and Concurrence/Nonconcurrence. Sample 1 provides detailed descriptions of each rating level and examples of how to rate audits of internal controls, operations, and accounting records based on an audit rating grid. Sample 2 defines five audit report ratings on a scale from Strong to Unsatisfactory based on the effectiveness of risk management practices.

Economy & Finance
1 of 19
Downloaded 48 times
1
2
3
4
Most read
5
6
7
8
Most read
9
10
11
Most read
12
13
14
15
16
17
18
19
Audit ratings guide
2
3 Table of Contents AUDIT RATINGS GUIDE: SAMPLE 1........................................................................................................................4 AUDIT RATINGS GUIDE: SAMPLE 2........................................................................................................................8
4 AUDIT RATINGS GUIDE: SAMPLE 1 (Insert Year) Remote Access Audit Month XX, (Insert Year) (Audit Name) (Insert Date) Instructions: Circle the audit rating determined through the completion of the audit rating grid on Page 4. GOOD Areas given a “Good” rating are well-controlled in every respect and demonstrate quality performance in almost every aspect. Performance is above average and adequately provides for the safe and sound operation of the area audited. Findings noted are minor; are not indicative of any significant weaknesses in policies, practices or procedures; and are generally corrected in the normal course of business. SATISFACTORY Areas given a “Satisfactory” opinion have acceptable internal controls and demonstrate adequate performance in most respects. Policies, practices and procedures are generally effective but may reflect modest weaknesses that are readily correctable in the normal course of business. Commitment to internal control and operating efficiency are acceptable. Some problems of relative significance may exist, but none are considered material. REQUIRES IMPROVEMENT Areas given a “Requires Improvement” opinion exhibit weaknesses within the internal control systems or the absence of internal control surrounding significant activities. Additionally, these areas demonstrate performance that is not adequately monitored and/or supervised by management, nor are policies and procedures always effective to promote a climate where internal control concepts may be realized. Commitment to internal control and/or operating efficiency needs enhancement. UNSATISFACTORY Areas given an “Unsatisfactory” opinion display performance or conditions that exhibit significant control weaknesses throughout the areas included in the audit scope. In these areas, many basic internal control concepts are not in effect and internal control systems are weak to the extent that significant financial losses or violations of law or regulation could occur or may have occurred. The lack of policies and procedures or adherence to them will prevent the accomplishment of a substantial part of the area’s objectives. Corrective action must be immediately implemented with periodic (e.g., monthly) status reports routed to the area’s executive management. CONCURRENCE/NONCONCURRENCE This rating applies to systems development and business or control projects in the process. It conveys agreement/disagreement with a course of action or documents an opposing point of view. In each case, the report will state whether audit believes the project should be aborted, or what actions should be taken prior to commencing the next phase. NOT RATED The conditions or purposes of the audit do not require a rating to be assigned. AUDIT RATING STANDARDS
5 Instructions: Circle the point value assigned to each area. Multiply the point value by the factor for the applicable area and write the value in the applicable column under “Score” and by the letter for the particular column. Add the total points for each area across to obtain the overall point value. Use the overall point value to assign the rating. Internal Controls Operations Accounting Records Factor Five (From Page Three) Factor Three (From Page Four) Factor Two (From Page Five) Points Score Points Score Points Score 5 5 5 4 4 4 3 3 3 2 2 2 1 1 1 Total A20 Total B12 Total C Total Score: XX Check the appropriate rating based on the total score. Good 50-39 points Satisfactory 38-25 points Requires Improvement 24-15 points Unsatisfactory 14 and below Additional rating factors for audits to be rated “Good” include: • Major system changes or upgrades during the audit period • Significant changes in personnel during the audit period • Significant new products or services introduced during the audit period • Uncorrected internal/external audit or examination findings • Unaccepted internal audit recommendations AUDIT RATING GRID RATING SCALE
6 INTERNAL CONTROLS Rating summary of internal control structure: • 5: Virtually all desired controls are in place and operating. Only very minor exceptions were noted, and backup controls exist for all weaknesses noted. • 4: Most material controls are in operation and the exposures found are minor in extent and nature. They are usually backed up by other controls. • 3: Attention should be given to some exposures in protective and detective controls. Reasonable assurance exists that current controls afford the bank adequate protection. • 2: Early attention should be given to exposures in protective and detective controls. Deterioration in current controls can lead to serious exposures. • 1: Immediate attention to serious exposures in protective and detective controls is required. Exposures exist that could make the bank vulnerable to significant losses. Support for rating of internal control structure: (List) All of management’s controls were sufficiently designed to mitigate risks and achieve control objectives related to remote access. Additionally, all of management’s controls were tested for operating effectively to mitigate the intended risks and achieve the intended control objectives. OPERATIONS Prepare the following rating based on audit evidence. Rating Summary of Operations 5 Performance is significantly higher than average. 4 Performance is above average. 3 Performance is average. 2 Performance is below average. 1 Performance is unacceptable. Support for rating of operations: (List) Internal audit’s testing revealed that management possessed documented policies and procedures in all relevant and significant areas related to remote access (specifically the remote administration of IT systems, encryption and passwords). Through discussions with IT management and a walk-through of the controls, internal audit also determined that IT management personnel responsible for performing or monitoring the controls were knowledgeable of the controls and had many years of experience in working in their related fields. Internal audit identified the following opportunities to further enhance and improve existing controls, but these improvements did not constitute control failures because of numerous compensating controls that adequately reduce risk to the bank. • IT management should reassess the need for the modem remote access system. COMPOSITE RATING AREAS
7 • Management should update its remote administration of IT’s systems policy and annual privileged account review procedure to require the annual review of all accounts with access to perform remote administration of IT systems. See VIII. Remote Access Recommendation Memo.doc for additional information regarding these recommendations. ACCOUNTING RECORDS Rating Summary of Operations 5 The books and records more than adequately and accurately reflect transactions. 4 The books and records adequately and accurately reflect transactions. 3 The books and records, in reasonable detail, accurately reflect transactions. 2 The books and records less than adequately reflect transactions. 1 The books and records do not accurately reflect transactions. Support for the rating of accounting records: (List) There are no financial books or records applicable to the remote access audit. There are some IT records applicable to the audit and they include remote access activity reports and IT service requests. Remote access activity reports are used by management to monitor who is using the remote access system and to detect any inappropriate use of the remote access system. IT service requests record the approval and testing of any changes to remote access systems (including system and access changes). Internal audit noted that these IT records adequately and accurately reflect system and access changes related to remote access.
8 AUDIT RATINGS GUIDE: SAMPLE 2 AUDIT RATING DEFINITIONS Rating Definition Strong Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified. Satisfactory While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. Needs Improvement Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken. Needs Significant Improvement Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact on the organization. Unsatisfactory Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention. AUDIT REPORT RATING MATRIX Rating Scale Definition Effective 1 • Overall risk program is reliable and requires negligible improvements. • The risk management procedures are formalized and documented and communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks. • Risk controls effectively manage, mitigate, and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory noncompliance. Audit recommendations are generally housekeeping in nature. 2
9 Rating Scale Definition Monitor 3 • Overall risk program is adequate for the current level of risk within the business but requires ongoing monitoring. • The risk management procedures are formalized and documented but not communicated. Risk procedures need to be communicated and business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks. • Risk controls adequately manage, mitigate, and transfer existing risks but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days. 4 Needs Improvement 5 • Overall risk program is not adequate. • The risk management procedures are partially formalized and documented and not communicated. Risk procedures require improvement to assure that risk processes are fully documented and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood. • Risk management systems require improvement to ensure reliability of procedures to accurately, and in a timely manner, identify, document, and assess existing and new risks. Controls require improvement to ensure the ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days. 6 Impaired 7 • Overall risk program is impaired. • The risk management procedures are informal and undocumented and not communicated for the most part. Risk procedures require improvement to assure that risk processes are fully and accurately documented and must be communicated and understood by the business. • Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document, and assess existing and new risks. Controls require extensive improvements to secure the ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days. 8
10 Rating Scale Definition Unsatisfactory 9 • Overall risk program is not acceptable. • The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and communicated. • Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks. • Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of improvements to be implemented. 10 AUDIT REPORT RATING GUIDELINES Rating Scale Definition Effective 1 • No high-risk issues • No medium-risk issues • No more than three low-risk issues 2 • No high-risk issues • No more than one medium-risk issue • No more than six low-risk issues Monitor 3 • No high-risk issues • No more than three medium-risk issues • No more than four low-risk issues or • No high or medium-risk issues and more than six low-risk issues 4 • No high-risk issues • No more than four medium-risk issues • No more than six low-risk issues Needs Improvement 5 • No more than one high-risk issue • No more than four medium-risk issues or • No high-risk issues and no more than six medium-risk issues 6 • No more than two high-risk issue • No more than six medium-risk issues or
11 Rating Scale Definition • No more than one high-risk issue and more than six medium-risk issues Impaired 7 • No more than three high-risk issues • No more than four medium-risk issues 8 • No more than three high-risk issues • No more than six medium-risk issues Unsatisfactory 9 • More than four high-risk issues • More than six medium-risk issues or • No more than two high-risk issues and more than six medium-risk issues 10 • No more than four high-risk issues • No more than six medium-risk issues XYZ AUDIT RATINGS ST Strong The audited area meets or exceeds Company X standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two “Low” observations were noted. SA Satisfactory The audited area meets the overall Company X standards. Generally, no more than two “Important” observations may exist that are being promptly addressed by management. A few “Notable” observations may also exist. N Needs improvement The audited area does not meet Company X standards overall. Generally, there is either at least one “High” observation and/or at least three “Important” observations, which if uncorrected could expose Company X to an unacceptable risk. U Unsatisfactory The audited area contains unacceptable gaps in the overall control structure and/or controls are not working as intended. Generally, there are at least one “High” observation and/or five “Important” observations. The area requires immediate attention with oversight by senior management. Business Importance Codes H High Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company’s reputation. High likelihood and high impact may occur. I Important Risk involves an unacceptable and direct exposure to loss of assets and or misstatement of financial information and/or loss of revenue and/or negative impact on operating
12 effectiveness and/or the company’s reputation. Moderate likelihood and moderate to high impact or high likelihood and moderate impact may occur. N Notable Risk involves an important but indirect and limited level exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company’s reputation, which is outside of Company X’s risk appetite. Low likelihood and moderate to high impact or moderate likelihood and moderate to low impact may occur. This also includes low-impact/high-likelihood observations. L Low Generally, issues classified in this category are brought to management’s attention as an efficiency improvement. Low likelihood and low to moderate impact or low to moderate likelihood and low impact may occur. Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and XYZ Company management responsible for the process being audited. Overall Classifications: COSO F Financial Reporting Reliability of the financial reporting process O Operational Operational effectiveness and efficiency C Compliance Compliance with applicable laws and regulations S Strategic High-level goals aligned with and supporting the mission of XYZ Company INTERNAL CONTROL OPTION CRITERIA Based on the results of the audit, the system of internal controls will be rated as “Strong,” “Satisfactory,” “Unsatisfactory” or “Critical” based on the following criteria: Rating Definition Strong Satisfactory Unsatisfactory Critical • Issues do not exist. • Issues are not likely to impair business operations or jeopardize financial integrity. • Significant issues exist. • Corrections are required to avoid or contain exposure. • Prompt action is required. • Significant issues find/indicate processes/results are unreliable. • Impact of weaknesses is likely widespread/ compounding. • Immediate attention is required.
13 Attributes of Control Environment Strong Satisfactory Unsatisfactory Critical • Control processes/monitoring are effective. • Control processes/monitoring are effective for key cycles/functions. • Control processes/monitoring weaknesses/are not effective. • Control monitoring is not in place or is extremely unreliable. • Low potential for undetected errors and omissions exists. • Major issues would likely be detected. • Major issues may not be detected and corrected. • Losses/undetected errors and omissions are likely. • Company policy and GAAP are adhered to. • Policy and GAAP compliance issues have no material impact on operations or financial statements. • Policy or GAAP noncompliance could (or does) have a material impact on operations/financials. • Policy or GAAP noncompliance issues are severe, pervasive and material to operations/financials. • Financials/results are reliable; therefore, adjustments are not necessary. • Financial adjustments, if any, are minor. • Material financial adjustments may be required. • Financials/results are likely unreliable. Major problems exist. • Regulatory compliance issues do not exist. • Regulatory compliance issues, if any, are minor and isolated. • Regulatory compliance issues may show signs of being systemic. • Compliance issues are significant and carry severe consequences (fines, sanctions, etc.). • Risk to the CBI image is nonexistent. • Issues carry low-level (or no) risk to the CBI image. • Issues may carry potential for damage to the CBI image. • Issues may carry severe risk of damage to the CBI image. • Ethics issues do not exist. • Ethics issues, if any, are minor and management takes timely, appropriate corrective actions. • Ethics issues are not appropriately addressed and/or management does not set the appropriate tone. • Ethics issues are not addressed appropriately and/or management does not set the appropriate tone. AUDIT RATING EXAMPLE Audit Ratings Are Assigned Based on the Following Definitions Rating Definition Satisfactory The audited area has effectively assessed its risks; implemented control processes; and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss. Generally Satisfactory The audited area has adequately assessed its risks and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to the risk of loss. Such audited areas are in
14 Rating Definition general compliance with applicable policies, procedures, and appropriate laws and regulations. Marginal The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms. Unsatisfactory The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action. Unrated This rating is generally reserved for first-time audits, limited scope audits and special projects.
15 APPENDIX A: DEFINITION OF INTERNAL AUDIT RATINGS AND RANKINGS Definition of Issue Rankings Adequate Needs Improvement Inadequate • There are no identified issues that have either a “Medium” or “High” ranking. • There may be a limited number of issues with a “Low” ranking and/or other observations for potential improvement. • There are one or more identified issues with either a “Medium” or “High” ranking. • A deficiency or combination of deficiencies impact the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. • The deficiency or combination of deficiencies impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed. • The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives. • There are one or more identified issues with either a “Medium” or “High” ranking. • A deficiency or combination of deficiencies significantly impair the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. • The deficiency or combination of deficiencies significantly impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed. • The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives. High • The issue is a control deficiency, which represents a significant gap in the design and/or operating effectiveness of the control affecting the company’s ability to address relevant risks and to provide reasonable assurance regarding the achievement of desired outcomes. • The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management. Medium • The issue is a control deficiency, which represents a gap in the design and/or operating effectiveness of the control affecting the company’s ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes. • The issue requires prompt attention to ensure that internal controls are designed and/or operating effectively. Low • The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
16 • The issue should be addressed promptly, as time and resources permit. Considerable professional judgment is required in applying the ratings defined and used in this report regarding individual findings, recommendations, and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently and this should be born in mind when considering this report.
17 APPENDIX B: RATING OF AUDIT FINDINGS Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations Particularly Severe (A) Risks threatening the existence of the organization include: • Fatal material losses • Image loss/publicly effective impact (massive loss of customers) • Violation of regulatory requirements (and possible revoking of the operating license) • Urgent remediation by the management board required immediate involvement of the supervisory body • Monitoring of timely remediation by internal audit (follow-up) Refer to reporting obligations for Major (C) and Severe (B) findings, and: • Immediate notification of the supervisory body by the management board Severe (B) Critical risks for business continuity include: • Very high material losses (losses are not detected timely) • Image loss/publicly effective impact (adversely affects the image on the market) • Violation of regulatory requirements (and possible criminal liability, etc.) • Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members). • Monitoring of timely remediation by internal audit (follow-up). Refer to reporting obligations for major findings (C) and: • Immediate submission of the internal audit report to the management board • Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members • At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)
18 Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations Major (C) High risks for business continuity include: • High material losses (if weaknesses are not remedied timely) • Image loss (many internal and external parties are affected) • Violation of regulatory requirements (and possible fines, etc.) • Remediation required close supervision by the responsible member of the management board • Monitoring of timely remediation by internal audit (follow-up) • Highlighted in the internal audit report • Included in the (annual) overall internal audit report to the management board (including remedy measures taken) • Reported to the supervisory body by the management board at least annually, if not remedied • If not remedied within an appropriate period, the responsible member of the management board must be informed in writing (If the findings remain unresolved during the financial year, the management board must be informed in writing in the next (annual) overall internal audit report, at the latest.) Improvement Opportunity (D) Medium risks for business continuity include: • Medium material losses • Image loss (internal, some external parties are affected, if applicable) • Noncompliance with/implementation of certain regulatory requirements • Implementation of certain improvement measures recommended • Monitoring by the head of the audited organization unit (Immediate involvement of the management board is not required.) • Monitoring of timely remediation by internal audit (follow-up) • Included in the internal audit report • Not included in the (annual) overall internal audit report Comment (E) • Low or no risks • "Food for thought" for improvement/further development • Decision on the prioritization and implementation of measures remains in the audited organizational unit. • Monitoring by the head of the audited organization • Summarized in the internal audit report or a separate management summary/memo • Not included in the (annual) overall internal audit report
19 Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations unit (Involvement of the management board is not required.) • Not included in the follow- up by internal audit

More Related Content

What's hot (20)

PPTX
The Internal Audit Framework
Ahmad Tariq Bhatti
 
PPTX
Internal Audit
Jami Martin
 
PPTX
Practical approach to Risk Based Internal Audit
Manoj Agarwal
 
PPTX
Standards of Internal Audit
Karan Puri
 
PPTX
Internal audit ppt
Ibrahim Jimalle
 
PPT
Management Audit &Report
vishakeb
 
PPTX
Audit Report Writing
Mira Anuar
 
PPTX
Common internal audit findings & how to avoid them
Surajit Datta
 
PPTX
Internal Auditor Roles
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
PPTX
Presentation on Audit Findings
Deshapriya Senanayake
 
PDF
Internal audit ppt
Letzconsult.com
 
PDF
Internal audit report writing
Neha Kothari
 
PPTX
Internal Audit Methodology
Manoj Agarwal
 
DOCX
Internal audit manual final project
AndreaAdanza107
 
PDF
Presentation on Internal Audit Standards
NahidHasan617654
 
PPTX
An introduction to internal auditing
grifff
 
PDF
Internal audit-checklist-example
Hoang Nguyen
 
PDF
Audit Report Model and Sample
Flevy.com Best Practices
 
PDF
Compiling an internal audit universe
David Griffiths
 
PPTX
Internal audit department
Popun
 
The Internal Audit Framework
Ahmad Tariq Bhatti
 
Internal Audit
Jami Martin
 
Practical approach to Risk Based Internal Audit
Manoj Agarwal
 
Standards of Internal Audit
Karan Puri
 
Internal audit ppt
Ibrahim Jimalle
 
Management Audit &Report
vishakeb
 
Audit Report Writing
Mira Anuar
 
Common internal audit findings & how to avoid them
Surajit Datta
 
Internal Auditor Roles
Iyad Mourtada, CMA, CIA, CFE, CCSA, CRMA, CPLP
 
Presentation on Audit Findings
Deshapriya Senanayake
 
Internal audit ppt
Letzconsult.com
 
Internal audit report writing
Neha Kothari
 
Internal Audit Methodology
Manoj Agarwal
 
Internal audit manual final project
AndreaAdanza107
 
Presentation on Internal Audit Standards
NahidHasan617654
 
An introduction to internal auditing
grifff
 
Internal audit-checklist-example
Hoang Nguyen
 
Audit Report Model and Sample
Flevy.com Best Practices
 
Compiling an internal audit universe
David Griffiths
 
Internal audit department
Popun
 

Similar to Audit ratings guide (20)

DOCX
Internal Audit Rating System Internal Audit Rating System
edwardnjorogesic
 
PPT
SEATA by TOMMY SEAH
Tommy Seah
 
PPTX
8. internal control new
Syed Osama Rizvi
 
PDF
2018 ValAct - Session 22 - Material Weakness
MarkSpong1
 
PPTX
AUDIT - AUDITING STRATEGIES.pptx
Mohamed Fazil M
 
PDF
Value-added it auditing
Marc Vael
 
PPTX
Issues in Internal and External Auditing (L1).pptx
mayadevichandran94
 
PPTX
Internal controls (2).pptx
RaafayDogar
 
PPTX
2018 Val Act: Session 22 - Material weakness
Alex Hovi
 
PDF
Audit Reports Communicating Assurance Engagement Results.pdf
Simar Neasy
 
PDF
Accounting Information Systems Controls Processes 3rd Edition Turner Solution...
zuletherjana
 
PDF
Auditing And Assurance Services In Australia 6th Edition Louwers Solutions Ma...
laurehorty
 
PPTX
Control Strategies in Management sector
kristinalimarenko7
 
PDF
Sedex Members Ethical Trade Audit (SMETA) Measurement Criteria
milos639
 
PPTX
Hanrick Curran Audit Training - Internal Controls - March 2013
Matthew Green
 
PPTX
Week 4 Audit planning and Client evaluation and audit risk assessment.pptx
toammel
 
PPTX
Controlling by Taufiq
Taufiq Siddiquee
 
PDF
Auditing And Assurance Services In Australia 6th Edition Louwers Solutions Ma...
hildojulus
 
PPT
1auditconcepts
Shubham Raj
 
PDF
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
NAFCU Services Corporation
 
Internal Audit Rating System Internal Audit Rating System
edwardnjorogesic
 
SEATA by TOMMY SEAH
Tommy Seah
 
8. internal control new
Syed Osama Rizvi
 
2018 ValAct - Session 22 - Material Weakness
MarkSpong1
 
AUDIT - AUDITING STRATEGIES.pptx
Mohamed Fazil M
 
Value-added it auditing
Marc Vael
 
Issues in Internal and External Auditing (L1).pptx
mayadevichandran94
 
Internal controls (2).pptx
RaafayDogar
 
2018 Val Act: Session 22 - Material weakness
Alex Hovi
 
Audit Reports Communicating Assurance Engagement Results.pdf
Simar Neasy
 
Accounting Information Systems Controls Processes 3rd Edition Turner Solution...
zuletherjana
 
Auditing And Assurance Services In Australia 6th Edition Louwers Solutions Ma...
laurehorty
 
Control Strategies in Management sector
kristinalimarenko7
 
Sedex Members Ethical Trade Audit (SMETA) Measurement Criteria
milos639
 
Hanrick Curran Audit Training - Internal Controls - March 2013
Matthew Green
 
Week 4 Audit planning and Client evaluation and audit risk assessment.pptx
toammel
 
Controlling by Taufiq
Taufiq Siddiquee
 
Auditing And Assurance Services In Australia 6th Edition Louwers Solutions Ma...
hildojulus
 
1auditconcepts
Shubham Raj
 
Internal Control Certification – It’s Not Just an Accounting Thing (Credit Un...
NAFCU Services Corporation
 
Ad

More from CenapSerdarolu (14)

PDF
Fraud-Risk-Assessment-Standards-2022-03-25.pdf
CenapSerdarolu
 
PDF
Root cause analysis questionnaire
CenapSerdarolu
 
PDF
Risk assessment facilitation guide
CenapSerdarolu
 
PDF
Performance measures guide
CenapSerdarolu
 
PDF
Internal audit test type guide
CenapSerdarolu
 
PDF
Internal audit manual template
CenapSerdarolu
 
PDF
Fraud detection guide
CenapSerdarolu
 
PDF
Data governance guide
CenapSerdarolu
 
PDF
Data analytics and audit coverage guide
CenapSerdarolu
 
PDF
Business continuity planning guide
CenapSerdarolu
 
PDF
Auditing the organizational culture
CenapSerdarolu
 
PDF
Auditing application controls
CenapSerdarolu
 
PDF
Enterprise risk management summary approach guide
CenapSerdarolu
 
PDF
Auditing corporate governance guide
CenapSerdarolu
 
Fraud-Risk-Assessment-Standards-2022-03-25.pdf
CenapSerdarolu
 
Root cause analysis questionnaire
CenapSerdarolu
 
Risk assessment facilitation guide
CenapSerdarolu
 
Performance measures guide
CenapSerdarolu
 
Internal audit test type guide
CenapSerdarolu
 
Internal audit manual template
CenapSerdarolu
 
Fraud detection guide
CenapSerdarolu
 
Data governance guide
CenapSerdarolu
 
Data analytics and audit coverage guide
CenapSerdarolu
 
Business continuity planning guide
CenapSerdarolu
 
Auditing the organizational culture
CenapSerdarolu
 
Auditing application controls
CenapSerdarolu
 
Enterprise risk management summary approach guide
CenapSerdarolu
 
Auditing corporate governance guide
CenapSerdarolu
 
Ad

Recently uploaded (20)

PPTX
FFD4_From Insight to Impact_TaxDev_ICTD_IISD.pptx
International Centre for Tax and Development - ICTD
 
DOCX
The Political Era of Accountability: A Reflection on South Africa's Past Self...
Matthews Bantsijang
 
DOCX
Corporate Governance Requirements for NCD Listed Companies – PART A.docx
ConnectAffluence
 
PDF
Pyramid_of_Financial_Priorities_Part2_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
PPTX
办理加利福尼亚大学圣芭芭拉分校文凭|购买UCSB毕业证录取通知书学位证书
1cz3lou8
 
PDF
Why Most People Misunderstand Risk in Personal Finance.
Harsh Mishra
 
PPTX
Internal-Controls powerpoint presentation
GamePro14
 
PDF
How To Trade Stocks deriv.com by Vince Stanzione
Vince Stanzione
 
PDF
Financial Statement Ananlysis - CFA Level 1.pdf
izdiharzohana
 
PDF
The Future of Electricity Pricing in South Africa by Matthews Mooketsane Bant...
Matthews Bantsijang
 
PPTX
Avoid These Costly Blunders_ Critical Mistakes When Selecting CA Services in ...
Sachin Gujar & Associates
 
PDF
Monthly Economic Monitoring of Ukraine No. 246
Інститут економічних досліджень та політичних консультацій
 
PPTX
Judaism-group-1.pptx for reporting grade 11
ayselprettysomuch
 
PPT
The reporting entity and financial statements
Adugna37
 
PDF
Mining Beneficiation as a Catalyst for Broad-Based Socio-Economic Empowerment...
Matthews Bantsijang
 
PDF
Eni 2023 Second Quarter Results - July 2025
Eni
 
PDF
STEM Education in Rural Maharashtra by Abhay Bhutada Foundation
Heera Yadav
 
PPTX
Introduction of Derivatives.pptx dwqdddff
XMenJEAN
 
PPTX
Agrarian Distress by Dr. S. Malini. ppt.
MaliniHariraj
 
PDF
ONS Economic Forum Slidepack – 21 July 2025
Office for National Statistics
 
FFD4_From Insight to Impact_TaxDev_ICTD_IISD.pptx
International Centre for Tax and Development - ICTD
 
The Political Era of Accountability: A Reflection on South Africa's Past Self...
Matthews Bantsijang
 
Corporate Governance Requirements for NCD Listed Companies – PART A.docx
ConnectAffluence
 
Pyramid_of_Financial_Priorities_Part2_by_CA_Suvidha_Chaplot.pdf
CA Suvidha Chaplot
 
办理加利福尼亚大学圣芭芭拉分校文凭|购买UCSB毕业证录取通知书学位证书
1cz3lou8
 
Why Most People Misunderstand Risk in Personal Finance.
Harsh Mishra
 
Internal-Controls powerpoint presentation
GamePro14
 
How To Trade Stocks deriv.com by Vince Stanzione
Vince Stanzione
 
Financial Statement Ananlysis - CFA Level 1.pdf
izdiharzohana
 
The Future of Electricity Pricing in South Africa by Matthews Mooketsane Bant...
Matthews Bantsijang
 
Avoid These Costly Blunders_ Critical Mistakes When Selecting CA Services in ...
Sachin Gujar & Associates
 
Monthly Economic Monitoring of Ukraine No. 246
Інститут економічних досліджень та політичних консультацій
 
Judaism-group-1.pptx for reporting grade 11
ayselprettysomuch
 
The reporting entity and financial statements
Adugna37
 
Mining Beneficiation as a Catalyst for Broad-Based Socio-Economic Empowerment...
Matthews Bantsijang
 
Eni 2023 Second Quarter Results - July 2025
Eni
 
STEM Education in Rural Maharashtra by Abhay Bhutada Foundation
Heera Yadav
 
Introduction of Derivatives.pptx dwqdddff
XMenJEAN
 
Agrarian Distress by Dr. S. Malini. ppt.
MaliniHariraj
 
ONS Economic Forum Slidepack – 21 July 2025
Office for National Statistics
 

Audit ratings guide

  • 2. 2
  • 3. 3 Table of Contents AUDIT RATINGS GUIDE: SAMPLE 1........................................................................................................................4 AUDIT RATINGS GUIDE: SAMPLE 2........................................................................................................................8
  • 4. 4 AUDIT RATINGS GUIDE: SAMPLE 1 (Insert Year) Remote Access Audit Month XX, (Insert Year) (Audit Name) (Insert Date) Instructions: Circle the audit rating determined through the completion of the audit rating grid on Page 4. GOOD Areas given a “Good” rating are well-controlled in every respect and demonstrate quality performance in almost every aspect. Performance is above average and adequately provides for the safe and sound operation of the area audited. Findings noted are minor; are not indicative of any significant weaknesses in policies, practices or procedures; and are generally corrected in the normal course of business. SATISFACTORY Areas given a “Satisfactory” opinion have acceptable internal controls and demonstrate adequate performance in most respects. Policies, practices and procedures are generally effective but may reflect modest weaknesses that are readily correctable in the normal course of business. Commitment to internal control and operating efficiency are acceptable. Some problems of relative significance may exist, but none are considered material. REQUIRES IMPROVEMENT Areas given a “Requires Improvement” opinion exhibit weaknesses within the internal control systems or the absence of internal control surrounding significant activities. Additionally, these areas demonstrate performance that is not adequately monitored and/or supervised by management, nor are policies and procedures always effective to promote a climate where internal control concepts may be realized. Commitment to internal control and/or operating efficiency needs enhancement. UNSATISFACTORY Areas given an “Unsatisfactory” opinion display performance or conditions that exhibit significant control weaknesses throughout the areas included in the audit scope. In these areas, many basic internal control concepts are not in effect and internal control systems are weak to the extent that significant financial losses or violations of law or regulation could occur or may have occurred. The lack of policies and procedures or adherence to them will prevent the accomplishment of a substantial part of the area’s objectives. Corrective action must be immediately implemented with periodic (e.g., monthly) status reports routed to the area’s executive management. CONCURRENCE/NONCONCURRENCE This rating applies to systems development and business or control projects in the process. It conveys agreement/disagreement with a course of action or documents an opposing point of view. In each case, the report will state whether audit believes the project should be aborted, or what actions should be taken prior to commencing the next phase. NOT RATED The conditions or purposes of the audit do not require a rating to be assigned. AUDIT RATING STANDARDS
  • 5. 5 Instructions: Circle the point value assigned to each area. Multiply the point value by the factor for the applicable area and write the value in the applicable column under “Score” and by the letter for the particular column. Add the total points for each area across to obtain the overall point value. Use the overall point value to assign the rating. Internal Controls Operations Accounting Records Factor Five (From Page Three) Factor Three (From Page Four) Factor Two (From Page Five) Points Score Points Score Points Score 5 5 5 4 4 4 3 3 3 2 2 2 1 1 1 Total A20 Total B12 Total C Total Score: XX Check the appropriate rating based on the total score. Good 50-39 points Satisfactory 38-25 points Requires Improvement 24-15 points Unsatisfactory 14 and below Additional rating factors for audits to be rated “Good” include: • Major system changes or upgrades during the audit period • Significant changes in personnel during the audit period • Significant new products or services introduced during the audit period • Uncorrected internal/external audit or examination findings • Unaccepted internal audit recommendations AUDIT RATING GRID RATING SCALE
  • 6. 6 INTERNAL CONTROLS Rating summary of internal control structure: • 5: Virtually all desired controls are in place and operating. Only very minor exceptions were noted, and backup controls exist for all weaknesses noted. • 4: Most material controls are in operation and the exposures found are minor in extent and nature. They are usually backed up by other controls. • 3: Attention should be given to some exposures in protective and detective controls. Reasonable assurance exists that current controls afford the bank adequate protection. • 2: Early attention should be given to exposures in protective and detective controls. Deterioration in current controls can lead to serious exposures. • 1: Immediate attention to serious exposures in protective and detective controls is required. Exposures exist that could make the bank vulnerable to significant losses. Support for rating of internal control structure: (List) All of management’s controls were sufficiently designed to mitigate risks and achieve control objectives related to remote access. Additionally, all of management’s controls were tested for operating effectively to mitigate the intended risks and achieve the intended control objectives. OPERATIONS Prepare the following rating based on audit evidence. Rating Summary of Operations 5 Performance is significantly higher than average. 4 Performance is above average. 3 Performance is average. 2 Performance is below average. 1 Performance is unacceptable. Support for rating of operations: (List) Internal audit’s testing revealed that management possessed documented policies and procedures in all relevant and significant areas related to remote access (specifically the remote administration of IT systems, encryption and passwords). Through discussions with IT management and a walk-through of the controls, internal audit also determined that IT management personnel responsible for performing or monitoring the controls were knowledgeable of the controls and had many years of experience in working in their related fields. Internal audit identified the following opportunities to further enhance and improve existing controls, but these improvements did not constitute control failures because of numerous compensating controls that adequately reduce risk to the bank. • IT management should reassess the need for the modem remote access system. COMPOSITE RATING AREAS
  • 7. 7 • Management should update its remote administration of IT’s systems policy and annual privileged account review procedure to require the annual review of all accounts with access to perform remote administration of IT systems. See VIII. Remote Access Recommendation Memo.doc for additional information regarding these recommendations. ACCOUNTING RECORDS Rating Summary of Operations 5 The books and records more than adequately and accurately reflect transactions. 4 The books and records adequately and accurately reflect transactions. 3 The books and records, in reasonable detail, accurately reflect transactions. 2 The books and records less than adequately reflect transactions. 1 The books and records do not accurately reflect transactions. Support for the rating of accounting records: (List) There are no financial books or records applicable to the remote access audit. There are some IT records applicable to the audit and they include remote access activity reports and IT service requests. Remote access activity reports are used by management to monitor who is using the remote access system and to detect any inappropriate use of the remote access system. IT service requests record the approval and testing of any changes to remote access systems (including system and access changes). Internal audit noted that these IT records adequately and accurately reflect system and access changes related to remote access.
  • 8. 8 AUDIT RATINGS GUIDE: SAMPLE 2 AUDIT RATING DEFINITIONS Rating Definition Strong Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified. Satisfactory While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. Needs Improvement Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken. Needs Significant Improvement Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact on the organization. Unsatisfactory Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention. AUDIT REPORT RATING MATRIX Rating Scale Definition Effective 1 • Overall risk program is reliable and requires negligible improvements. • The risk management procedures are formalized and documented and communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks. • Risk controls effectively manage, mitigate, and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory noncompliance. Audit recommendations are generally housekeeping in nature. 2
  • 9. 9 Rating Scale Definition Monitor 3 • Overall risk program is adequate for the current level of risk within the business but requires ongoing monitoring. • The risk management procedures are formalized and documented but not communicated. Risk procedures need to be communicated and business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks. • Risk controls adequately manage, mitigate, and transfer existing risks but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days. 4 Needs Improvement 5 • Overall risk program is not adequate. • The risk management procedures are partially formalized and documented and not communicated. Risk procedures require improvement to assure that risk processes are fully documented and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood. • Risk management systems require improvement to ensure reliability of procedures to accurately, and in a timely manner, identify, document, and assess existing and new risks. Controls require improvement to ensure the ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days. 6 Impaired 7 • Overall risk program is impaired. • The risk management procedures are informal and undocumented and not communicated for the most part. Risk procedures require improvement to assure that risk processes are fully and accurately documented and must be communicated and understood by the business. • Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document, and assess existing and new risks. Controls require extensive improvements to secure the ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days. 8
  • 10. 10 Rating Scale Definition Unsatisfactory 9 • Overall risk program is not acceptable. • The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and communicated. • Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks. • Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of improvements to be implemented. 10 AUDIT REPORT RATING GUIDELINES Rating Scale Definition Effective 1 • No high-risk issues • No medium-risk issues • No more than three low-risk issues 2 • No high-risk issues • No more than one medium-risk issue • No more than six low-risk issues Monitor 3 • No high-risk issues • No more than three medium-risk issues • No more than four low-risk issues or • No high or medium-risk issues and more than six low-risk issues 4 • No high-risk issues • No more than four medium-risk issues • No more than six low-risk issues Needs Improvement 5 • No more than one high-risk issue • No more than four medium-risk issues or • No high-risk issues and no more than six medium-risk issues 6 • No more than two high-risk issue • No more than six medium-risk issues or
  • 11. 11 Rating Scale Definition • No more than one high-risk issue and more than six medium-risk issues Impaired 7 • No more than three high-risk issues • No more than four medium-risk issues 8 • No more than three high-risk issues • No more than six medium-risk issues Unsatisfactory 9 • More than four high-risk issues • More than six medium-risk issues or • No more than two high-risk issues and more than six medium-risk issues 10 • No more than four high-risk issues • No more than six medium-risk issues XYZ AUDIT RATINGS ST Strong The audited area meets or exceeds Company X standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two “Low” observations were noted. SA Satisfactory The audited area meets the overall Company X standards. Generally, no more than two “Important” observations may exist that are being promptly addressed by management. A few “Notable” observations may also exist. N Needs improvement The audited area does not meet Company X standards overall. Generally, there is either at least one “High” observation and/or at least three “Important” observations, which if uncorrected could expose Company X to an unacceptable risk. U Unsatisfactory The audited area contains unacceptable gaps in the overall control structure and/or controls are not working as intended. Generally, there are at least one “High” observation and/or five “Important” observations. The area requires immediate attention with oversight by senior management. Business Importance Codes H High Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company’s reputation. High likelihood and high impact may occur. I Important Risk involves an unacceptable and direct exposure to loss of assets and or misstatement of financial information and/or loss of revenue and/or negative impact on operating
  • 12. 12 effectiveness and/or the company’s reputation. Moderate likelihood and moderate to high impact or high likelihood and moderate impact may occur. N Notable Risk involves an important but indirect and limited level exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company’s reputation, which is outside of Company X’s risk appetite. Low likelihood and moderate to high impact or moderate likelihood and moderate to low impact may occur. This also includes low-impact/high-likelihood observations. L Low Generally, issues classified in this category are brought to management’s attention as an efficiency improvement. Low likelihood and low to moderate impact or low to moderate likelihood and low impact may occur. Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and XYZ Company management responsible for the process being audited. Overall Classifications: COSO F Financial Reporting Reliability of the financial reporting process O Operational Operational effectiveness and efficiency C Compliance Compliance with applicable laws and regulations S Strategic High-level goals aligned with and supporting the mission of XYZ Company INTERNAL CONTROL OPTION CRITERIA Based on the results of the audit, the system of internal controls will be rated as “Strong,” “Satisfactory,” “Unsatisfactory” or “Critical” based on the following criteria: Rating Definition Strong Satisfactory Unsatisfactory Critical • Issues do not exist. • Issues are not likely to impair business operations or jeopardize financial integrity. • Significant issues exist. • Corrections are required to avoid or contain exposure. • Prompt action is required. • Significant issues find/indicate processes/results are unreliable. • Impact of weaknesses is likely widespread/ compounding. • Immediate attention is required.
  • 13. 13 Attributes of Control Environment Strong Satisfactory Unsatisfactory Critical • Control processes/monitoring are effective. • Control processes/monitoring are effective for key cycles/functions. • Control processes/monitoring weaknesses/are not effective. • Control monitoring is not in place or is extremely unreliable. • Low potential for undetected errors and omissions exists. • Major issues would likely be detected. • Major issues may not be detected and corrected. • Losses/undetected errors and omissions are likely. • Company policy and GAAP are adhered to. • Policy and GAAP compliance issues have no material impact on operations or financial statements. • Policy or GAAP noncompliance could (or does) have a material impact on operations/financials. • Policy or GAAP noncompliance issues are severe, pervasive and material to operations/financials. • Financials/results are reliable; therefore, adjustments are not necessary. • Financial adjustments, if any, are minor. • Material financial adjustments may be required. • Financials/results are likely unreliable. Major problems exist. • Regulatory compliance issues do not exist. • Regulatory compliance issues, if any, are minor and isolated. • Regulatory compliance issues may show signs of being systemic. • Compliance issues are significant and carry severe consequences (fines, sanctions, etc.). • Risk to the CBI image is nonexistent. • Issues carry low-level (or no) risk to the CBI image. • Issues may carry potential for damage to the CBI image. • Issues may carry severe risk of damage to the CBI image. • Ethics issues do not exist. • Ethics issues, if any, are minor and management takes timely, appropriate corrective actions. • Ethics issues are not appropriately addressed and/or management does not set the appropriate tone. • Ethics issues are not addressed appropriately and/or management does not set the appropriate tone. AUDIT RATING EXAMPLE Audit Ratings Are Assigned Based on the Following Definitions Rating Definition Satisfactory The audited area has effectively assessed its risks; implemented control processes; and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss. Generally Satisfactory The audited area has adequately assessed its risks and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to the risk of loss. Such audited areas are in
  • 14. 14 Rating Definition general compliance with applicable policies, procedures, and appropriate laws and regulations. Marginal The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms. Unsatisfactory The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action. Unrated This rating is generally reserved for first-time audits, limited scope audits and special projects.
  • 15. 15 APPENDIX A: DEFINITION OF INTERNAL AUDIT RATINGS AND RANKINGS Definition of Issue Rankings Adequate Needs Improvement Inadequate • There are no identified issues that have either a “Medium” or “High” ranking. • There may be a limited number of issues with a “Low” ranking and/or other observations for potential improvement. • There are one or more identified issues with either a “Medium” or “High” ranking. • A deficiency or combination of deficiencies impact the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. • The deficiency or combination of deficiencies impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed. • The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives. • There are one or more identified issues with either a “Medium” or “High” ranking. • A deficiency or combination of deficiencies significantly impair the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. • The deficiency or combination of deficiencies significantly impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed. • The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives. High • The issue is a control deficiency, which represents a significant gap in the design and/or operating effectiveness of the control affecting the company’s ability to address relevant risks and to provide reasonable assurance regarding the achievement of desired outcomes. • The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management. Medium • The issue is a control deficiency, which represents a gap in the design and/or operating effectiveness of the control affecting the company’s ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes. • The issue requires prompt attention to ensure that internal controls are designed and/or operating effectively. Low • The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
  • 16. 16 • The issue should be addressed promptly, as time and resources permit. Considerable professional judgment is required in applying the ratings defined and used in this report regarding individual findings, recommendations, and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently and this should be born in mind when considering this report.
  • 17. 17 APPENDIX B: RATING OF AUDIT FINDINGS Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations Particularly Severe (A) Risks threatening the existence of the organization include: • Fatal material losses • Image loss/publicly effective impact (massive loss of customers) • Violation of regulatory requirements (and possible revoking of the operating license) • Urgent remediation by the management board required immediate involvement of the supervisory body • Monitoring of timely remediation by internal audit (follow-up) Refer to reporting obligations for Major (C) and Severe (B) findings, and: • Immediate notification of the supervisory body by the management board Severe (B) Critical risks for business continuity include: • Very high material losses (losses are not detected timely) • Image loss/publicly effective impact (adversely affects the image on the market) • Violation of regulatory requirements (and possible criminal liability, etc.) • Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members). • Monitoring of timely remediation by internal audit (follow-up). Refer to reporting obligations for major findings (C) and: • Immediate submission of the internal audit report to the management board • Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members • At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)
  • 18. 18 Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations Major (C) High risks for business continuity include: • High material losses (if weaknesses are not remedied timely) • Image loss (many internal and external parties are affected) • Violation of regulatory requirements (and possible fines, etc.) • Remediation required close supervision by the responsible member of the management board • Monitoring of timely remediation by internal audit (follow-up) • Highlighted in the internal audit report • Included in the (annual) overall internal audit report to the management board (including remedy measures taken) • Reported to the supervisory body by the management board at least annually, if not remedied • If not remedied within an appropriate period, the responsible member of the management board must be informed in writing (If the findings remain unresolved during the financial year, the management board must be informed in writing in the next (annual) overall internal audit report, at the latest.) Improvement Opportunity (D) Medium risks for business continuity include: • Medium material losses • Image loss (internal, some external parties are affected, if applicable) • Noncompliance with/implementation of certain regulatory requirements • Implementation of certain improvement measures recommended • Monitoring by the head of the audited organization unit (Immediate involvement of the management board is not required.) • Monitoring of timely remediation by internal audit (follow-up) • Included in the internal audit report • Not included in the (annual) overall internal audit report Comment (E) • Low or no risks • "Food for thought" for improvement/further development • Decision on the prioritization and implementation of measures remains in the audited organizational unit. • Monitoring by the head of the audited organization • Summarized in the internal audit report or a separate management summary/memo • Not included in the (annual) overall internal audit report
  • 19. 19 Rating Categories Risk/Impact Explanation Need for Action and Responsible Function Reporting Obligations unit (Involvement of the management board is not required.) • Not included in the follow- up by internal audit