Internal Audit Ratings Guide


Table of Contents

Audit Ratings Definitions 3

Audit Report Ratings Matrix 4

Audit Report Ratings Guidelines 7

XYZ Audit Ratings 9

Internal Control Option Criteria 12

Audit Ratings Example 13

Appendix 14

A: Definition of Internal Audit Ratings and Rankings 15

B: Rating of Audit Findings 17

Source: Protiviti KnowledgeLeader, http://www.knowledgeleader.com


Audit Ratings Definitions

Strong
Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified.

Satisfactory
While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business.

Needs Improvement
Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken.

Needs Significant Improvement
Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact to the organization.

Unsatisfactory
Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention.


Audit Report Ratings Matrix

Effective (rating scale 1–2)
• Overall risk program is reliable and requires negligible improvements.
• The risk management procedures are formalized and documented and clearly communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks.
• Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit recommendations are generally housekeeping in nature.

Monitor (rating scale 3–4)
• Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring.
• The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be clearly communicated and business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks.
• Risk controls adequately manage, mitigate and transfer existing risks but improvements are required as emerging risks and changing conditions could lead to a weakened risk management capacity. Risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.

Needs Improvement (rating scale 5–6)
• Overall risk program is not adequate.
• The risk management procedures are partially formalized and documented, and not clearly communicated. Risk procedures require improvement to assure that risk processes are fully documented, and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood.
• Risk management system requires improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require improvement to ensure ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Impaired (rating scale 7–8)
• Overall risk program is impaired.
• The risk management procedures are for the most part informal and undocumented, and not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented, and must be communicated and understood by the business.
• Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require extensive improvements to secure ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.

Unsatisfactory (rating scale 9–10)
• Overall risk program is not acceptable.
• The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and clearly communicated.
• Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks.
• Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit committee must be made aware of improvements to be implemented.


Audit Report Ratings Guidelines

Effective
Rating scale 1:
• No high-risk issues
• No medium-risk issues
• No more than three low-risk issues
Rating scale 2:
• No high-risk issues
• No more than one medium-risk issue
• No more than six low-risk issues

Monitor
Rating scale 3:
• No high-risk issues
• No more than three medium-risk issues
• No more than four low-risk issues
OR
• No high or medium-risk issues and more than six low-risk issues
Rating scale 4:
• No high-risk issues
• No more than four medium-risk issues
• No more than six low-risk issues

Needs Improvement
Rating scale 5:
• No more than one high-risk issue
• No more than four medium-risk issues
OR
• No high-risk issues and no more than six medium-risk issues
Rating scale 6:
• No more than two high-risk issues
• No more than six medium-risk issues
OR
• No more than one high-risk issue and more than six medium-risk issues

Impaired
Rating scale 7:
• No more than three high-risk issues
• No more than four medium-risk issues
Rating scale 8:
• No more than three high-risk issues
• No more than six medium-risk issues

Unsatisfactory
Rating scale 9:
• More than four high-risk issues
• No more than six medium-risk issues
OR
• No more than two high-risk issues and more than six medium-risk issues
Rating scale 10:
• More than four high-risk issues
• More than six medium-risk issues
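As an added illustration, not part of the Protiviti guide, the rating scale rules above encoded in Python as an ordered decision table over counts of high-, medium- and low-risk issues. Two assumptions are made: rows are tried in scale order with the first match winning, and a combination no row covers returns None so it can be escalated to professional judgment rather than being scored silently.

```python
"""Audit Report Ratings Guidelines (scale 1-10) as an ordered decision table.

Added illustration, not the guide's own tooling. Assumptions: rows are tried in
scale order, first match wins, and combinations covered by no row return None.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class IssueCounts:
    """Number of open findings per risk level for one audited area."""
    high: int
    medium: int
    low: int


Predicate = Callable[[IssueCounts], bool]

# (scale, rating label, alternatives): a row matches when any alternative holds.
# Alternatives are transcribed from the guideline bullets; rows joined by "OR"
# get two. Rows 5 and above do not mention low-risk issues, so low is ignored there.
RULES: List[Tuple[int, str, List[Predicate]]] = [
    (1, "Effective", [lambda c: c.high == 0 and c.medium == 0 and c.low <= 3]),
    (2, "Effective", [lambda c: c.high == 0 and c.medium <= 1 and c.low <= 6]),
    (3, "Monitor", [lambda c: c.high == 0 and c.medium <= 3 and c.low <= 4,
                    lambda c: c.high == 0 and c.medium == 0 and c.low > 6]),
    (4, "Monitor", [lambda c: c.high == 0 and c.medium <= 4 and c.low <= 6]),
    (5, "Needs Improvement", [lambda c: c.high <= 1 and c.medium <= 4,
                              lambda c: c.high == 0 and c.medium <= 6]),
    (6, "Needs Improvement", [lambda c: c.high <= 2 and c.medium <= 6,
                              lambda c: c.high <= 1 and c.medium > 6]),
    (7, "Impaired", [lambda c: c.high <= 3 and c.medium <= 4]),
    (8, "Impaired", [lambda c: c.high <= 3 and c.medium <= 6]),
    (9, "Unsatisfactory", [lambda c: c.high > 4 and c.medium <= 6,
                           lambda c: c.high <= 2 and c.medium > 6]),
    (10, "Unsatisfactory", [lambda c: c.high > 4 and c.medium > 6]),
]


def rate(counts: IssueCounts) -> Optional[Tuple[int, str]]:
    """Return (scale, label) of the first matching row, or None if no row covers the counts."""
    for scale, label, alternatives in RULES:
        if any(alt(counts) for alt in alternatives):
            return scale, label
    return None


def uncovered_combinations(max_high: int = 5, max_medium: int = 8,
                           max_low: int = 2) -> List[Tuple[int, int, int]]:
    """Enumerate (high, medium, low) combinations that no row scores.

    Running this before adopting a rubric shows where it is silent; for the
    guideline above, exactly four high-risk issues is one such case.
    """
    gaps = []
    for h in range(max_high + 1):
        for m in range(max_medium + 1):
            for lo in range(max_low + 1):
                if rate(IssueCounts(h, m, lo)) is None:
                    gaps.append((h, m, lo))
    return gaps


if __name__ == "__main__":
    # Constructed sample areas, not real audit data.
    samples = {
        "treasury": IssueCounts(high=0, medium=1, low=5),
        "payroll": IssueCounts(high=1, medium=7, low=0),
        "vendor onboarding": IssueCounts(high=4, medium=0, low=0),
    }
    for area, counts in samples.items():
        print(f"{area:18} {counts} -> {rate(counts)}")
    print("uncovered:", uncovered_combinations())
```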


XYZ Audit Ratings

ST Strong
Audited area meets or exceeds XYZ Company standards in all critical respects. Level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two “Low” observations were noted.

SA Satisfactory
Audited area meets XYZ Company standards overall. Generally, no more than two “Important” observations may exist which are being promptly addressed by management. A few “Notable” observations may also exist.

N Needs Improvement
Audited area does not meet XYZ Company standards overall. Generally, there is either at least one “High” observation and/or at least three “Important” observations, which if uncorrected could expose XYZ Company to an unacceptable risk.

U Unsatisfactory
Audited area contains unacceptable gaps in overall control structure and/or controls are not working as intended. Generally, there is at least one “High” observation and/or five “Important” observations. The area requires immediate attention with oversight by senior management.

Business Importance Codes

H High
Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company’s reputation. High likelihood and high impact.

I Important
Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company’s reputation. Moderate likelihood and moderate to high impact, or high likelihood and moderate impact.

N Notable
Risk involves an important but indirect and limited level of exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company’s reputation, which is outside of XYZ Company risk appetite. Low likelihood and moderate to high impact, or moderate likelihood and moderate to low impact. This also includes low impact/high likelihood observations.

L Low
Generally, issues classified in this category are brought to management’s attention as an efficiency improvement. Low likelihood and low to moderate impact, or low to moderate likelihood and low impact.

Note:
Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and the XYZ Company management responsible for the process being audited.

Overall Classifications – COSO

F Financial Reporting: Reliability of the financial reporting process

O Operational: Operational effectiveness and efficiency

C Compliance: Compliance with applicable laws and regulations

S Strategic: High level goals, aligned with and supporting the mission of XYZ Company


Internal Control Option Criteria
Based on the results of the audit, the system of internal controls will be rated as Strong, Satisfactory, Unsatisfactory, or Critical based on the following criteria:

Strong
Rating definition:
• No issues.
Attributes of control environment:
• Control processes/monitoring are effective.
• Low potential for undetected errors and omissions.
• Compliance with company policy, GAAP.
• Financials/results are reliable; adjustments not necessary.
• No regulatory compliance issues.
• No risk to CBI image.
• No ethics issues.

Satisfactory
Rating definition:
• Issues are not likely to impair business operations or jeopardize financial integrity.
Attributes of control environment:
• Control processes/monitoring are effective for key cycles/functions.
• Major issues would likely be detected.
• Policy and GAAP compliance issues have no material impact on operations or financial statements.
• Financial adjustments, if any, are minor.
• Regulatory compliance issues, if any, are minor and isolated.
• Issues carry low level of (or no) risk to CBI image.
• Ethics issues, if any, are minor and management takes timely, appropriate corrective actions.

Unsatisfactory
Rating definition:
• Significant issues exist.
• Corrections required to avoid or contain exposure.
• Prompt action is required.
Attributes of control environment:
• Control processes/monitoring have weaknesses/are not effective.
• Major issues may not be detected and corrected.
• Policy or GAAP non-compliance could (or do) have material impact on operations/financials.
• Material financial adjustments may be required.
• Regulatory compliance issues may show signs of being systemic.
• Issues may carry potential for damage to CBI image.
• Ethics issues not addressed appropriately and/or management does not set the appropriate tone.

Critical
Rating definition:
• Significant issues find/indicate processes/results are unreliable.
• Impact of weaknesses is likely widespread/compounding.
• Immediate attention required.
Attributes of control environment:
• Control monitoring is not in place or is extremely unreliable.
• Very high potential for losses/undetected errors and omissions.
• Policy or GAAP non-compliance issues are severe, pervasive, and material to operations/financials.
• Financials/results are likely unreliable. Major problems exist.
• Compliance issues are significant and carry severe consequences (fines, sanctions, etc.).
• Issues may carry severe risk of damage to CBI image.
• Ethics issues not addressed appropriately and/or management does not set the appropriate tone.
Audit Ratings Example
Audit ratings are assigned based on the following definitions:

Satisfactory
The audited area has effectively assessed its risks, implemented control processes, and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory
The audited area has adequately assessed its risks, and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations.

Marginal
The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory
The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action.

Unrated
This rating is generally reserved for first time audits, limited scope audits and special projects.


Appendix


Appendix A: Definition of Internal Audit Ratings and Rankings
Definition of Review Ratings

“Adequate”
• There are no identified issues that have either a “Medium” or “High” ranking.
• There may be a limited number of issues with a “Low” ranking and/or other observations for potential improvement.

“Needs Improvement”
• There are one or more identified issues with either a “Medium” or “High” ranking.
• A deficiency or combination of deficiencies impacts the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed.
• The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

“Inadequate”
• There are one or more identified issues with either a “Medium” or “High” ranking.
• A deficiency or combination of deficiencies significantly impairs the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies significantly impacts the company’s ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area being reviewed.
• The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.


Definition of Internal Audit Ratings and Rankings
Definition of Issue Rankings

HIGH
• The issue is a control deficiency which represents a significant gap in the design and/or operating effectiveness of control affecting the company’s ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
• The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management.

MEDIUM
• The issue is a control deficiency which represents a gap in the design and/or operating effectiveness of control affecting the company’s ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
• The issue requires prompt attention to ensure internal control is designed and/or operating effectively.

LOW
• The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
• The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report, both to individual findings and recommendations and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently, and this should be borne in mind when considering this report.


Appendix B: Rating of Audit Findings

Each rating category is described by its risk/impact explanation, the need for action and responsible function, and the reporting obligations.

Particularly Severe (A)
Risk/Impact Explanation: Risks threatening the existence of the organization, e.g.:
• Fatal material losses
• Image loss/publicly effective impact (massive loss of customers)
• Violation of regulatory requirements (and possible revoking of the operating license)
Need for Action and Responsible Function:
• Urgent remediation by the management board required, immediate involvement of the supervisory body
• Monitoring of timely remediation by internal audit (“follow-up”)
Reporting Obligations: Refer to reporting obligations for Major (C) and Severe (B) findings, and:
• Immediate notification of the supervisory body by the management board

Severe (B)
Risk/Impact Explanation: Critical risks for business continuity, e.g.:
• Very high material losses (losses are not detected timely)
• Image loss/publicly effective impact (adversely affects the image on the market)
• Violation of regulatory requirements (and possible criminal liability, etc.)
Need for Action and Responsible Function:
• Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members)
• Monitoring of timely remediation by internal audit (“follow-up”)
Reporting Obligations: Refer to reporting obligations for Major (C) findings, and:
• Immediate submission of the internal audit report to the management board
• Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members
• At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)

Major (C)
Risk/Impact Explanation: High risks for business continuity, e.g.:
• High material losses (if weaknesses are not remedied timely)
• Image loss (many internal and external parties are affected)
• Violation of regulatory requirements (and possible fines, etc.)
Need for Action and Responsible Function:
• Remediation required, close supervision by the responsible member of the management board
• Monitoring of timely remediation by internal audit (“follow-up”)
Reporting Obligations:
• Highlighted in the internal audit report
• Included in the (annual) overall internal audit report to the management board (including remedy measures taken)
• Reported to the supervisory body by the management board at least annually, if not remedied
• If not remedied within an appropriate period, the responsible member of the management board has to be informed in writing. If the findings remain unresolved during the financial year, the management board has to be informed in writing in the next (annual) overall internal audit report, at the latest.

Improvement Opportunity (D)
Risk/Impact Explanation: Medium risks for business continuity, e.g.:
• Medium material losses
• Image loss (internal, some external parties are affected, if applicable)
• Non-compliance with/implementation of certain regulatory requirements
Need for Action and Responsible Function:
• Implementation of certain improvement measures recommended
• Monitoring by the head of the audited organization unit; immediate involvement of the management board is not required
• Monitoring of timely remediation by internal audit (“follow-up”)
Reporting Obligations:
• Included in the internal audit report
• Not included in the (annual) overall internal audit report

Comment (E)
Risk/Impact Explanation:
• Low or no risks
• “Food for thought” for improvement/further development
Need for Action and Responsible Function:
• Decision on prioritization and implementation of measures remains in the audited organizational unit
• Monitoring by the head of the audited organization unit; involvement of the management board is not required
• Not included in the “follow-up” by internal audit
Reporting Obligations:
• Summarized in the internal audit report or in a separate management summary/memo
• Not included in the (annual) overall internal audit report