
Internal Audit Ratings Guide

Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com


Table of Contents
  Audit Ratings Definitions
  Audit Report Ratings Matrix
  Audit Report Ratings Guidelines
  XYZ Audit Ratings
  Internal Control Option Criteria
  Audit Ratings Example
  Appendix
    A: Definition of Internal Audit Ratings and Rankings
    B: Rating of Audit Findings
Audit Ratings Definitions

Strong
  Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified.

Satisfactory
  While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business.

Needs Improvement
  Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken.

Needs Significant Improvement
  Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact to the organization.

Unsatisfactory
  Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention.
Audit Report Ratings Matrix

Effective (scale 1-2)
  Overall risk program is reliable and requires negligible improvements.
  The risk management procedures are formalized and documented and clearly communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks.
  Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit recommendations are generally housekeeping in nature.

Monitor (scale 3-4)
  Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring.
  The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be clearly communicated and business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks.
  Risk controls adequately manage, mitigate and transfer existing risks but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. Risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.
Needs Improvement (scale 5-6)
  Overall risk program is not adequate.
  The risk management procedures are partially formalized and documented, and not clearly communicated. Risk procedures require improvement to assure that risk processes are fully documented, and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood.
  Risk management system requires improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require improvement to ensure ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Impaired (scale 7-8)
  Overall risk program is impaired.
  The risk management procedures are for the most part informal and undocumented, and not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented, and must be communicated and understood by the business.
  Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require extensive improvements to secure ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.
Unsatisfactory (scale 9-10)
  Overall risk program is not acceptable.
  The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and clearly communicated.
  Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks.
  Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of improvements to be implemented.
Audit Report Ratings Guidelines

Effective
  Scale 1
    No high-risk issues
    No medium-risk issues
    No more than three low-risk issues
  Scale 2
    No high-risk issues
    No more than one medium-risk issue
    No more than six low-risk issues

Monitor
  Scale 3
    No high-risk issues
    No more than three medium-risk issues
    No more than four low-risk issues
    OR
    No high- or medium-risk issues and more than six low-risk issues
  Scale 4
    No high-risk issues
    No more than four medium-risk issues
    No more than six low-risk issues
Needs Improvement
  Scale 5
    No more than one high-risk issue
    No more than four medium-risk issues
    OR
    No high-risk issues and no more than six medium-risk issues
  Scale 6
    No more than two high-risk issues
    No more than six medium-risk issues
    OR
    No more than one high-risk issue and more than six medium-risk issues

Impaired
  Scale 7
    No more than three high-risk issues
    No more than four medium-risk issues
  Scale 8
    No more than three high-risk issues
    No more than six medium-risk issues
Unsatisfactory
  Scale 9
    More than four high-risk issues
    No more than six medium-risk issues
    OR
    No more than two high-risk issues and more than six medium-risk issues
  Scale 10
    More than four high-risk issues
    More than six medium-risk issues
XYZ Audit Ratings

ST  Strong
  Audited area meets or exceeds XYZ Company standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two Low observations were noted.

SA  Satisfactory
  Audited area meets XYZ Company standards overall. Generally, no more than two Important observations may exist, which are being promptly addressed by management. A few Notable observations may also exist.

N  Needs Improvement
  Audited area does not meet XYZ Company standards overall. Generally, there is either at least one High observation and/or at least three Important observations, which if uncorrected could expose XYZ Company to an unacceptable risk.

U  Unsatisfactory
  Audited area contains unacceptable gaps in overall control structure and/or controls are not working as intended. Generally, there is at least one High observation and/or five Important observations. The area requires immediate attention with oversight by senior management.

Business Importance Codes

H  High
  Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company's reputation. High likelihood and high impact.

I  Important
  Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation. Moderate likelihood and moderate to high impact, or high likelihood and moderate impact.

N  Notable
  Risk involves an important but indirect and limited level of exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation, which is outside of XYZ Company risk appetite. Low likelihood and moderate to high impact, or moderate likelihood and moderate to low impact. This also includes low impact/high likelihood observations.

L  Low
  Generally, issues classified in this category are brought to management's attention as an efficiency improvement. Low likelihood and low to moderate impact, or low to moderate likelihood and low impact.

Note:
  Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and the XYZ Company management responsible for the process being audited.
XYZ Audit Ratings

Overall Classifications (COSO)
  F  Financial Reporting: Reliability of the financial reporting process
  O  Operational: Operational effectiveness and efficiency
  C  Compliance: Compliance with applicable laws and regulations
  S  Strategic: High level goals, aligned with and supporting the mission of XYZ Company
Internal Control Option Criteria

Based on the results of the audit, the system of internal controls will be rated as Strong, Satisfactory, Unsatisfactory, or Critical based on the following criteria:

Rating Definition
  Strong: No issues.
  Satisfactory: Issues are not likely to impair business operations or jeopardize financial integrity.
  Unsatisfactory: Significant issues exist. Corrections required to avoid or contain exposure. Prompt action is required.
  Critical: Significant issues found indicate that processes/results are unreliable. Impact of weaknesses is likely widespread/compounding. Immediate attention required.

Attributes of Control Environment

Strong
  Control processes/monitoring are effective.
  Low potential for undetected errors and omissions.
  Compliance with company policy, GAAP.
  Financials/results are reliable; adjustments not necessary.
  No regulatory compliance issues.
  No risk to CBI image.
  No ethics issues.

Satisfactory
  Control processes/monitoring are effective for key cycles/functions.
  Major issues would likely be detected.
  Policy and GAAP compliance issues have no material impact on operations or financial statements.
  Financial adjustments, if any, are minor.
  Regulatory compliance issues, if any, are minor and isolated.
  Issues carry low level of (or no) risk to CBI image.
  Ethics issues, if any, are minor and management takes timely, appropriate corrective actions.

Unsatisfactory
  Control processes/monitoring have weaknesses/are not effective.
  Major issues may not be detected and corrected.
  Policy or GAAP non-compliance could (or does) have material impact on operations/financials.
  Material financial adjustments may be required.
  Regulatory compliance issues may show signs of being systemic.
  Issues may carry potential for damage to CBI image.
  Ethics issues not addressed appropriately and/or management does not set the appropriate tone.

Critical
  Control monitoring is not in place or is extremely unreliable.
  Very high potential for losses/undetected errors and omissions.
  Policy or GAAP non-compliance issues are severe, pervasive, and material to operations/financials.
  Financials/results are likely unreliable. Major problems exist.
  Compliance issues are significant and carry severe consequences (fines, sanctions, etc.).
  Issues may carry severe risk of damage to CBI image.
  Ethics issues not addressed appropriately and/or management does not set the appropriate tone.
Audit Ratings Example

Audit ratings are assigned based on the following definitions:

Satisfactory
  The audited area has effectively assessed its risks, implemented control processes, and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory
  The audited area has adequately assessed its risks, and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations.

Marginal
  The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory
  The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action.

Unrated
  This rating is generally reserved for first time audits, limited scope audits and special projects.
Appendix
Appendix A: Definition of Internal Audit Ratings and Rankings

Definition of Review Ratings

Adequate
  There are no identified issues that have either a Medium or High ranking.
  There may be a limited number of issues with a Low ranking and/or other observations for potential improvement.

Needs Improvement
  There are one or more identified issues with either a Medium or High ranking.
  A deficiency or combination of deficiencies impacts the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
  The deficiency or combination of deficiencies impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.
  The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Inadequate
  There are one or more identified issues with either a Medium or High ranking.
  A deficiency or combination of deficiencies significantly impairs the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
  The deficiency or combination of deficiencies significantly impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.
  The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.
Definition of Issue Rankings

HIGH
  The issue is a control deficiency which represents a significant gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
  The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management.

MEDIUM
  The issue is a control deficiency which represents a gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
  The issue requires prompt attention to ensure internal control is designed and/or operating effectively.

LOW
  The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
  The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report to individual findings and recommendations, and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently, and this should be borne in mind when considering this report.
Appendix B: Rating of Audit Findings

Rating Categories
  Each category is described by its Risk/Impact Explanation, the Need for Action and Responsible Function, and the Reporting Obligations.

Particularly Severe (A)
  Risk/Impact Explanation:
    Risks threatening the existence of the organization, e.g.:
      Fatal material losses
      Image loss/publicly effective impact (massive loss of customers)
      Violation of regulatory requirements (and possible revoking of the operating license)
  Need for Action and Responsible Function:
    Urgent remediation by the management board required, immediate involvement of the supervisory body
    Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
    Refer to reporting obligations for Major (C) and Severe (B) findings, and:
      Immediate notification of the supervisory body by the management board

Severe (B)
  Risk/Impact Explanation:
    Critical risks for business continuity, e.g.:
      Very high material losses (losses are not detected timely)
      Image loss/publicly effective impact (adversely affects the image on the market)
      Violation of regulatory requirements (and possible criminal liability, etc.)
  Need for Action and Responsible Function:
    Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members)
    Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
    Refer to reporting obligations for Major findings (C) and:
      Immediate submission of the internal audit report to the management board
      Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members
      At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)
Major (C)
  Risk/Impact Explanation:
    High risks for business continuity, e.g.:
      High material losses (if weaknesses are not remedied timely)
      Image loss (many internal and external parties are affected)
      Violation of regulatory requirements (and possible fines, etc.)
  Need for Action and Responsible Function:
    Remediation required, close supervision by the responsible member of the management board
    Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
    Highlighted in the internal audit report
    Included in the (annual) overall internal audit report to the management board (including remedy measures taken)
    Reported to the supervisory body by the management board at least annually, if not remedied
    If not remedied within an appropriate period, the responsible member of the management board has to be informed in writing. If the findings remain unresolved during the financial year, the management board has to be informed in writing in the next (annual) overall internal audit report, at the latest.

Improvement Opportunity (D)
  Risk/Impact Explanation:
    Medium risks for business continuity, e.g.:
      Medium material losses
      Image loss (internal, some external parties are affected, if applicable)
      Non-compliance with/implementation of certain regulatory requirements
  Need for Action and Responsible Function:
    Implementation of certain improvement measures recommended
    Monitoring by the head of the audited organizational unit; immediate involvement of the management board is not required
    Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
    Included in the internal audit report
    Not included in the (annual) overall internal audit report
Comment (E)
  Risk/Impact Explanation:
    Low or no risks
    "Food for thought" for improvement/further development
  Need for Action and Responsible Function:
    Decision on prioritization and implementation of measures remains in the audited organizational unit
    Monitoring by the head of the audited organizational unit; involvement of the management board is not required
    Not included in the follow-up by internal audit
  Reporting Obligations:
    Summarized in the internal audit report or in a separate management summary/memo
    Not included in the (annual) overall internal audit report