Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Distribution:
Subject:
Original Issue Date:
<Insert Date>
Page
Revision Date:
Issued By:
<Insert Date>
Internal Audit Director
This memo outlines the rating system that will be used when rating individual audit findings and overall
audit reports. The memo should be referenced by all members of the internal audit department when
reviewing findings that are noted during an audit.
Background:
It is the policy of the internal audit department to issue a written report for all audits performed. All audits
will be rated except special reviews and projects. Audit ratings are based on the condition of the audit
issues at the time of the audit, not at the time of the report. Internal audit will assign ratings to the
individual findings, as well as the overall audit report issues. Listed below is the range of possible ratings
accompanied by a brief explanation of each.
A repeat control weakness that has not been addressed by management or is slowly being
addressed
Source: www.knowledgeleader.com
Findings that could result in an undesirable consequence relative to legal position or publicity
Policy violation that in isolation would not be significant but which displays a consistent pattern of
behavior that would represent a significant policy violation
High-risk findings will be communicated to the relevant process owners and the audit committee.
Control Weakness (Medium Risk) (2)
Considerations incorporated into the decision include one or more of the criteria listed below. Issues
ranked as medium risks do not necessarily meet every criterion listed below but could comprise one or
more items.
Control weaknesses that could result in a loss considered significant by internal audit and
management and upwards, but have not yet resulted in a loss and which are being properly
addressed by management
An unintentional material misstatement of financial results or a control weakness, which could result
in an unintentional material misstatement of financial results
Control weaknesses will be communicated to the relevant process owners and audit committee.
Process Enhancement (Low Risk) (3)
Considerations incorporated into the decision include one or more of the criteria listed below. Issues
ranked as low risks do not necessarily meet every criterion listed below but could comprise one or more
items.
Control weaknesses are of minor importance and are not likely to significantly impact accuracy of
results or effectiveness of operations. These types of control weaknesses are related mainly to
strengthening the control environment where some value would result to management
Controls that provide management with worthwhile benefits relative to greater confidence in
decision-making. Controls which, if eliminated or re-engineered, would benefit productivity or
effectiveness
Source: www.knowledgeleader.com
(4) Strong
(3) Satisfactory
(1) Unsatisfactory
The rating for each audit will be determined by the internal audit department and will be included in the
executive summary of the audit report. The rating will be based on the audit departments overall
assessment of the significance of issues identified during the audit process.
In determining the applicable rating, the areas that the audit department will consider include but are not
limited to the following:
Adequacy and documentation of internal controls, policies, procedures, systems and safety
requirements
Compliance with policy, procedural, legal, regulatory, safety, accounting, financial and contractual
requirements
Independent supervisory review of reconciliations and fundamental controls are being performed
None or some minor follow-up action is required to better enhance the processes being performed
An audit with a strong rating would have zero high-risk findings, zero to two control weaknesses, and
zero to five process enhancements identified during the audit. This rating indicates a well-run operation in
which proper internal controls were evident in all areas, policies and procedures were being strictly
adhered to, records were correct and in good order, and any previous issues identified were adequately
corrected.
Satisfactory (3)
Procedures performed are substantially in compliance with established policies and procedures
Source: www.knowledgeleader.com
Independent supervisory review of reconciliations and fundamental controls are being performed
None or some minor follow-up actions (e.g., small procedural errors, insignificant dollar variances)
An audit with a satisfactory rating would have zero high-risk findings, zero to five control weaknesses, or
process enhancements identified during the audit. This rating indicates that while the overall operations
are still above average, there are some control weaknesses identified. These types of exceptions would
not pose a significant control risk to the area.
Needs Improvement (2)
Procedures performed are substantially in compliance with established policies and procedures
A significant finding existed in compliance with established policies and procedures and/or
numerous other exceptions existed
Deviations from ethical and prudent business practices may not be detected
Follow-up actions can be addressed within existing levels of management and authority
An audit where opportunities for improvement exist would have one to three high-risk and three to five
control weaknesses identified. This rating reflects a situation in which there were major control
weaknesses identified in addition to a number of process enhancements. These situations would not
appear to result in a loss or potential compliance penalty if corrected on a timely basis.
Unsatisfactory (1)
Objectives not being achieved.
System of internal controls does not meet acceptable standards overall due to numerous control
weaknesses or significant findings in critical areas
One or more fundamental controls or reconciliations not being performed, improper accounting
practices
Follow-up actions require prompt management attention and/or need to be referred to a higher
authority
Source: www.knowledgeleader.com
Deviations from ethical and prudent business practices were noted and not detected
An audit with an unsatisfactory rating would have more than three high-risk findings and more than five
control weaknesses. This rating reflects a situation in which controls were weak in several major areas
and a number of other weaknesses were identified. There may also be some uncorrected weaknesses
from the prior audit. This rating indicates a marginal quality operation with a greater potential of losses or
penalties.
Source: www.knowledgeleader.com