AUDIT REPORT RATING MEMO

Distribution:

Internal Audit Department

Subject:
Original Issue Date:

<Insert Date>

Page
Revision Date:
Issued By:

<Insert Date>
Internal Audit Director

This memo outlines the rating system that will be used when rating individual audit findings and overall
audit reports. The memo should be referenced by all members of the internal audit department when
reviewing findings that are noted during an audit.

Background:
It is the policy of the internal audit department to issue a written report for all audits performed. All audits
will be rated except special reviews and projects. Audit ratings are based on the condition of the audit
issues at the time of the audit, not at the time of the report. Internal audit will assign ratings to the
individual findings, as well as the overall audit report issues. Listed below is the range of possible ratings
accompanied by a brief explanation of each.

Individual Ratings of Findings:

The purpose of rating audit findings is to provide management with a clear picture of the significance of
control deficiencies as an aid to prioritize corrective actions. The rating categories that should be
assigned to each finding are as follows:

(3) Process enhancement

(2) Control weakness

(1) High-risk finding

Individual Finding Definitions:

High-Risk Finding (1)
Considerations incorporated into the decision include one or more of the criteria listed below. Issues
ranked as high risks do not necessarily meet every criterion listed below but could comprise one or more
items.

Misappropriations or losses considered significant by internal audit and management

A repeat control weakness that has not been addressed by management or is slowly being
addressed

An unintentional error in the financial results

Inadequate segregation of duties

Source: www.knowledgeleader.com

Inappropriate authority levels in place

Findings that could result in an undesirable consequence relative to legal position or publicity

Significant policy violation present

Policy violation that in isolation would not be significant but which displays a consistent pattern of
behavior that would represent a significant policy violation

Any other matter that internal audit believes to be of a significant nature

High-risk findings will be communicated to the relevant process owners and the audit committee.
Control Weakness (Medium Risk) (2)
Considerations incorporated into the decision include one or more of the criteria listed below. Issues
ranked as medium risks do not necessarily meet every criterion listed below but could comprise one or
more items.

Control weaknesses that could lead to significant misappropriation, losses or misstatement of

financial results but which are compensated for by informal controls. There is no reliance that the
informal control system will continue to operate in a consistent fashion

Control weaknesses that could result in a loss considered significant by internal audit and
management and upwards, but have not yet resulted in a loss and which are being properly
addressed by management

Some segregation of duties issues

Policy violations present

An unintentional material misstatement of financial results or a control weakness, which could result
in an unintentional material misstatement of financial results

Lack of policy and procedures covering significant transactions/activities, non-compliance with

policies and procedures covering significant transactions/activities

Misappropriations considered less than significant

Control weaknesses will be communicated to the relevant process owners and audit committee.
Process Enhancement (Low Risk) (3)
Considerations incorporated into the decision include one or more of the criteria listed below. Issues
ranked as low risks do not necessarily meet every criterion listed below but could comprise one or more
items.

Objectives are being achieved

Adequate segregation of duties present

Appropriate approval authority levels present

Control weaknesses are of minor importance and are not likely to significantly impact accuracy of
results or effectiveness of operations. These types of control weaknesses are related mainly to
strengthening the control environment where some value would result to management

Controls that provide management with worthwhile benefits relative to greater confidence in
decision-making. Controls which, if eliminated or re-engineered, would benefit productivity or
effectiveness

Process enhancements will be communicated to the relevant process owners.

Source: www.knowledgeleader.com

Overall Rating of the Audit Report:

The purpose of rating an audit report is to convey to management and the audit committee a consistent
and concise assessment of the net risk posed by the area or function audited. The rating categories that
should be used when assigning an overall rating to an audit report should be any of the following:

(4) Strong

(3) Satisfactory

(2) Needs improvement

(1) Unsatisfactory

The rating for each audit will be determined by the internal audit department and will be included in the
executive summary of the audit report. The rating will be based on the audit departments overall
assessment of the significance of issues identified during the audit process.
In determining the applicable rating, the areas that the audit department will consider include but are not
limited to the following:

Adequacy and documentation of internal controls, policies, procedures, systems and safety
requirements

Compliance with policy, procedural, legal, regulatory, safety, accounting, financial and contractual
requirements

Accuracy of data and information utilized and disseminated

Efficiency of systems and resource utilization

Overall Rating Definitions:

Strong (4)

Objectives have been achieved

Procedures performed are in compliance with established policies and procedures

Adequate segregation of duties exists

Internal control deficiencies do not exist

Appropriate authority levels are in place

Fundamental controls and reconciliations are being performed

Independent supervisory review of reconciliations and fundamental controls are being performed

Adequate monitoring of operations and financial performance exists

None or some minor follow-up action is required to better enhance the processes being performed

An audit with a strong rating would have zero high-risk findings, zero to two control weaknesses, and
zero to five process enhancements identified during the audit. This rating indicates a well-run operation in
which proper internal controls were evident in all areas, policies and procedures were being strictly
adhered to, records were correct and in good order, and any previous issues identified were adequately
corrected.
Satisfactory (3)

Almost all of the objectives set are being achieved

Procedures performed are substantially in compliance with established policies and procedures

Adequate segregation of duties

Source: www.knowledgeleader.com

High-risk internal control deficiencies do not exist

Errors/non-compliance with procedures is likely to be detected on a timely basis

Inaccuracies in information are not significant

Appropriate authority levels are in place

Fundamental controls and reconciliations are being performed

Independent supervisory review of reconciliations and fundamental controls are being performed

Adequate monitoring of operations and financial performance exists

None or some minor follow-up actions (e.g., small procedural errors, insignificant dollar variances)

An audit with a satisfactory rating would have zero high-risk findings, zero to five control weaknesses, or
process enhancements identified during the audit. This rating indicates that while the overall operations
are still above average, there are some control weaknesses identified. These types of exceptions would
not pose a significant control risk to the area.
Needs Improvement (2)

Some of the objectives set are being achieved

Procedures performed are substantially in compliance with established policies and procedures

Adequate segregation of duties exists for the critical areas covered

A significant finding existed in compliance with established policies and procedures and/or
numerous other exceptions existed

Most fundamental controls and reconciliations are being performed

Some independent supervisory review of reconciliations and fundamental controls

Limited monitoring of operations and financial performance

Deviations from ethical and prudent business practices may not be detected

Follow-up actions can be addressed within existing levels of management and authority

An audit where opportunities for improvement exist would have one to three high-risk and three to five
control weaknesses identified. This rating reflects a situation in which there were major control
weaknesses identified in addition to a number of process enhancements. These situations would not
appear to result in a loss or potential compliance penalty if corrected on a timely basis.
Unsatisfactory (1)
Objectives not being achieved.

Non-compliance with one or more critical policies or procedures

Inadequate segregation of duties

System of internal controls does not meet acceptable standards overall due to numerous control
weaknesses or significant findings in critical areas

Inappropriate authority levels in place

One or more fundamental controls or reconciliations not being performed, improper accounting
practices

Little or no independent supervisory review of reconciliations and basic controls

Poor monitoring of operations and financial performance, wasteful use of assets

Follow-up actions require prompt management attention and/or need to be referred to a higher
authority

Source: www.knowledgeleader.com

Deviations from ethical and prudent business practices were noted and not detected

Risk of substantial loss or material misstatement of reported financial results

An audit with an unsatisfactory rating would have more than three high-risk findings and more than five
control weaknesses. This rating reflects a situation in which controls were weak in several major areas
and a number of other weaknesses were identified. There may also be some uncorrected weaknesses
from the prior audit. This rating indicates a marginal quality operation with a greater potential of losses or
penalties.

Source: www.knowledgeleader.com