Internal Audit Reporting

Perspectives from Chief Audit Executives

>> Introduction

A common challenge for many Chief Audit Executives (CAE) is presenting the results of the internal audit
outcomes in the most effective and impactful manner. Most CAE are requested to issue an opinion on the
adequacy of internal controls following an internal audit. Such audit opinions provide clarity regarding the
severity of the identified issues and increase the comparability in time and also between audit objects.
However, using standard audit opinions may be arbitrary and could result in debates on the rating rather
than the identified issues. This challenge has been discussed with CAE's representing various industries
during a recent round table in Amsterdam hosted by Ernst & Young:

 ow can audit
H  ow can internal
H How can Internal  ow can internal
H
findings of audit findings be Audit apply audit opinions
entities across reported in a audit opinions support desired
the company be way that without being change within a
reported in a facilitates seen as a police company?
comparable prioritization officer?
way? and follow up?

'The Internal Audit Roundtable is part of a series of recurring events

and aims to provide a platform for companies to collaborate with peers.
The goal is to identify, through deliberations, practical step change solutions
that can contribute towards maximizing the value that organizations can derive
from their investments in managing risks.'

Ernst & Young 1

>> Internal Audit report
rating revisited
A number of different systems for audit opinions are used by
internal audit functions. The most common varieties are:
Binary: internal controls are or are not appropriate in the
situation, for example: internal controls are satisfactory or
unsatisfactory, effective or ineffective, meet expectations or
do not meet expectations, etc.
Graded: the effectiveness of internal controls is rated using a
grading system, for example: red-yellow-green, 1-2-3-4-5,
etc.
Directional: provides additional information about the
direction of the opinion since a previous report, for example
Satisfactory, but diminished since last year.
Most participants at this roundtable use one of the above
systems. A leading global company in the Technology industry
recently started a transformation program designed to become
even more relevant by acting as a business partner to the
organization; providing value-added advice in a dynamic and
constant changing market environment. Changing the report
rating and issue tracking approach was part of this major
transformation program.
In the past the Internal Audit function assessed the
effectiveness of internal controls using a 5 scale grading system
ABCDN, equivalent to the frequently used system where audit
reports are rated with Good, Fair, Unsatisfactory, Unacceptable,
Not Rated.
The internal audit function found that this traditional audit
rating approach:
did not give sufficient insight into risk development, nor did it
allow for comparability. For example the materiality of a
C-rated (unsatisfactory) financial review in a small country
did not compare with a C-rated review of a major business
process. As a result, if the % of C-ratings went down, you
could not conclude that the risk level for the whole company
decreased.
drove management to focus on reports with an overall C
rating (unsatisfactory) and put less attention on reports with
more positive audit ratings.
reinforced the police role of internal audit, emphasizing the
rating and not focusing on a constructive dialogue around
materiality, urgency and solutions.
2 Internal Audit Reporting Perspectives from Chief Audit Executives
The internal audit function decided to develop a new audit
report rating system to move away from the traditional police
role and at the same time increasing comparability and
understanding of audit findings.
Ernst & Young point of view:
______________________________________________________
Why the push for an internal
audit report rating system?
Audit ratings and opinions, in one form or another, have
been around for decades. But with corporate governance
regulations requiring management to provide an in-control
statement overall ratings and opinions have become more
important. Certainly, Management and Audit Committees
will look at the internal audit function before issuing a
positive in-control statement in its annual report.
Broadly speaking, audit opinions and ratings offer several
distinct benefits:
ability to see the state of the control environment at a
glance
benchmarking against which management and the Audit
Committee can measure improvement or slippage
identifying trends in the control environment
putting the audit rating results in context with the activitys
risk profile
recognizing managements awareness of control
weaknesses and its proactive remediation of them
Using a single-dimension approach, control ratings can be as
simple as pass or fail, or as complex as having five levels of
performance. The more commonly used system applies
three rating levels: Satisfactory, Needs improvement and
Unsatisfactory. These kinds of ratings enable the Audit
Committee to assess the strength of the companys controls.
But a rating of unsatisfactory in isolation does not let Audit
Committee members know how important the businesss
activity is within the organization, the levels of risk it may
pose or what management may be doing about it.
Leading internal audit functions consider the extent to which
the audit findings may impact the achievement of business
objectives and use a variety of quantitative and qualitative
measures to reach the audit opinion. Important elements of
these measures are impact and likelihood, but also more implicit
business objectives such as reputation or environment.
The internal audit function of a leading global company in the
Technology industry decided to use Value at Risk (V@R)
principles to quantify the business impact of internal audit
findings.
With the V@R method the IA function wants to:
present findings in a more visual and quantified manner which
enables the business to focus on the main findings.
increase the insight into the development of risk across the
company and to allow for more comparability.
shift focus from overall point in time ratings to a continuous
improvement orientation based on materiality and urgency
through a constructive dialogue with the auditee.

Ernst & Young point of view:

__________________________________________________________________________________________________________________

Considering a three dimensional audit ratings approach

As highlighted on previous page traditional audit rating approaches pose several challenges as they:
1. often do not provide insight into the importance of the businesss activity within the organization or the levels of risk it may
pose;
2. do not give insight whether management knew about the identified audit issues and what they are doing to fix it.

A three dimensional ratings approach should provide these two data points in addition to the performance level (Satisfactory,
Needs improvement, Unsatisfactory) of the control environment of an auditable entity.

The first data point is often available by leveraging inherent risk ratings from (Enterprise) Risk Assessments. These risk
assessments can deploy quantitative techniques including both probabilistic techniques such as value at risk, market value at
risk, loss distributions, and back-testing, as well as non-probabilistic techniques such as sensitivity analysis, scenario analysis,
stress testing, and benchmarking.

The second data point addresses the fact that Executives often hear complaints from management that it was already aware of
and working to resolve many of the issues raised in the audit report. Internal Audit could give management teams credit for
identifying issues and having plans for resolution before the audit. If they arent given credit for identifying issues before Internal
Audit enters the picture, they are less likely to raise the problems that they know exist. More often, they keep quiet, hoping that
Internal Audit wont find the issues. This is not a good strategy. Asking management teams to provide their control issues and
improvement efforts during the planning phase of an audit will enable them to receive full credit for their efforts in the audit
report.

A three-dimensional rating provides executives and Audit Committees with a broader view of the organization. It also enables
them to more effectively prioritize issues based on the entitys inherent risk and awareness by management, rather than solely
on the traditional audit rating.

Ernst & Young 3

>> Value at risk put into practice

The V@R methodology, applied by a leading global company in
the Technology industry, is designed to highlight the likelihood
and the urgency of an audit finding, ensuring management
attention at the right level in the organization. Key design
principles included:
Moving from a one dimensional system to a more balanced
view (including was goes well);
Resolving comparability challenges by explicitly highlighting
impact and value;
Solicitation of action through enabling prioritization based on
urgency.
Audit findings are visualized as a bubble placed in the Likelihood
Urgency grid. The size of the bubble visualizes the impact of
the finding based on the financial business impact which is
determined by the possible loss in Cash. Items that cannot be
quantified such as brand or reputation risks are represented by
squares. The likelihood (Y axis) represents the probability of
the V@R materializing in the next 12 months. Urgency (X axis)
refers to the required speed of action required to remediate the
root cause of the audit findings.
One participant of the roundtable concurred that an important
element of changing the internal audit ratings approach is to
change mindsets in the entire company. The CAE of a leading
global company in the technology industry responds that it
indeed is a process. The new internal audit rating approach
facilitates a very interesting dialogue with stakeholders as the
outcome is more robust and more factors are taken into
consideration. Nevertheless implementing a new method of
internal audit rating is a journey. As part of this journey steps
have been taken to further align with stakeholders to increase
business buy in through:
Continued calibration of audit reports which is required as the
process matures;
Integrating value@risk with Enterprise Risk Management
(ERM) through management self assessments of the value
at risk as part of its ERM risk reporting;
Merging the Value@Risk outputs with action-tracking and
follow-up for a more comprehensive view of risk.

The V@R pilot has been running for a year now and Internal
Audit has found the advantages of this approach to be twofold:
Management attention at the right level in the organization is
ensured and the business is enabled to focus on the main
findings as they are presented in a more visual and quantified
manner. The additional complexity in evaluating audit outcomes
did pose significant challenges as many business stakeholders
liked the traditional rating system for the simple answer on
good or bad.

4 Internal Audit Reporting Perspectives from Chief Audit Executives

>> Closing remarks

Using V@R as an internal audit rating approach is a relatively These topics will certainly be good areas of discussion during a
new concept. Through our discussion with CAEs we found that it next round table.
offers a number of advantages. V@R, as an integral part of the
overall enterprise risk management, can play an important role For more information, please contact:
in changing the relationship with stakeholders from being a Maurice van der Sanden, Internal Audit solution leader
police man to a business partner. V@R does not only measure +31 6 2125 1636
internal audit findings but can also help comparing findings Maurice.van.der.sanden@nl.ey.com
across the company to facilitate meaningful discussion with
stakeholders. It can also drive prioritization and follow up on Or
audit findings that matter.
Tonny Dekker, Risk Leader Belgium and The Netherlands
Throughout the discussions during the roundtable a number of +31 88 407 1004
emerging topics on the CAE agenda have been mentioned, such Tonny.dekker@nl.ey.com
as:
How to quantify the risk appetite of a company?
How can innovation (e.g. tooling and techniques) be utilized
by Internal Audit?
What is the impact of culture on controls?
What are the key elements of a risk assessment, how do these
link to business opportunities and how can internal audit
facilitate a company-wide risk assessment?

Ernst & Young 5

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction
and advisory services. Worldwide, our 167,000 people are
united by our shared values and an unwavering commitment
to quality. We make a difference by helping our people, our
clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member

firms of Ernst & Young Global Limited, each of which is a
separate legal entity. Ernst & Young Global Limited, a UK
company limited by guarantee, does not provide services to
clients. For more information about our organization, please
visit www.ey.com.

2012 Ernst & Young LLP.

All rights reserved.

www.ey.com/nl