Table of Contents

Audit Ratings Definitions
Audit Report Ratings Matrix
Audit Report Ratings Guidelines
XYZ Audit Ratings
Internal Control Option Criteria
Audit Ratings Example
Appendix
  A: Definition of Internal Audit Ratings and Rankings
  B: Rating of Audit Findings

Source: Protiviti KnowledgeLeader http://www.knowledgeleader.com

Audit Ratings Definitions

Rating / Definition

Strong
  Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified.

Satisfactory
  While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business.

Needs Improvement
  Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken.

Needs Significant Improvement
  Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact to the organization.

Unsatisfactory
  Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention.

Audit Report Ratings Matrix

Rating / Scale / Description

Effective (scale 1-2)
  Overall risk program is reliable and requires negligible improvements. The risk management procedures are formalized and documented and clearly communicated and understood throughout the business. The risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks. Risk controls effectively manage, mitigate and transfer existing and foreseeable risks and do not expose the business to undue risk. The risk program does not expose the business to unwarranted financial loss or regulatory non-compliance. Audit recommendations are generally housekeeping in nature.

Monitor (scale 3-4)
  Overall risk program is adequate for the current level of risk within the business, but requires ongoing monitoring. The risk management procedures are formalized and documented, but not clearly communicated. Risk procedures need to be clearly communicated, and the business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks. Risk controls adequately manage, mitigate and transfer existing risks, but improvements are required, as emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.

Needs Improvement (scale 5-6)
  Overall risk program is not adequate. The risk management procedures are partially formalized and documented, and not clearly communicated. Risk procedures require improvement to assure that risk processes are fully documented, and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood. The risk management system requires improvement to ensure the reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require improvement to ensure the ability of mechanisms to manage, mitigate and transfer existing and emerging risks, as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Impaired (scale 7-8)
  Overall risk program is impaired. The risk management procedures are for the most part informal and undocumented, and not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented, and must be communicated to and understood by the business. Risk management systems require significant improvement to ensure the reliability of procedures to accurately and in a timely manner identify, document and assess existing and new risks. Controls require extensive improvements to secure the ability to manage, mitigate and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. The risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.

Unsatisfactory (scale 9-10)
  Overall risk program is not acceptable. The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and clearly communicated. Risk management systems must be implemented immediately to accurately and in a timely manner identify, document and assess existing and new risks. Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and to possess the flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks, and the audit committee must be made aware of the improvements to be implemented.

Audit Report Ratings Guidelines

Rating / Scale / Description

Effective
  Scale 1: No high-risk issues; no medium-risk issues; no more than three low-risk issues.
  Scale 2: No high-risk issues; no more than one medium-risk issue; no more than six low-risk issues.

Monitor
  Scale 3: No high-risk issues; no more than three medium-risk issues; no more than four low-risk issues. OR: No high- or medium-risk issues and more than six low-risk issues.
  Scale 4: No high-risk issues; no more than four medium-risk issues; no more than six low-risk issues.

Needs Improvement
  Scale 5: No more than one high-risk issue; no more than four medium-risk issues. OR: No high-risk issues and no more than six medium-risk issues.
  Scale 6: No more than two high-risk issues; no more than six medium-risk issues. OR: No more than one high-risk issue and more than six medium-risk issues.

Impaired
  Scale 7: No more than three high-risk issues; no more than four medium-risk issues.
  Scale 8: No more than three high-risk issues; no more than six medium-risk issues.

Unsatisfactory
  Scale 9: More than four high-risk issues; no more than six medium-risk issues. OR: No more than two high-risk issues and more than six medium-risk issues.
  Scale 10: More than four high-risk issues; more than six medium-risk issues.

XYZ Audit Ratings

ST Strong
  Audited area meets or exceeds XYZ Company standards in all critical respects. The level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two Low observations were noted.

SA Satisfactory
  Audited area meets XYZ Company standards overall. Generally, no more than two Important observations may exist, which are being promptly addressed by management. A few Notable observations may also exist.

N Needs Improvement
  Audited area does not meet XYZ Company standards overall. Generally, there is either at least one High observation and/or at least three Important observations, which if uncorrected could expose XYZ Company to an unacceptable risk.

U Unsatisfactory
  Audited area contains unacceptable gaps in the overall control structure and/or controls are not working as intended. Generally, there is at least one High observation and/or five Important observations. The area requires immediate attention with oversight by senior management.

Business Importance Codes

H High
  Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company's reputation. High likelihood and high impact.

I Important
  Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation. Moderate likelihood and moderate to high impact, or high likelihood and moderate impact.

N Notable
  Risk involves an important but indirect and limited level of exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation, which is outside of XYZ Company's risk appetite. Low likelihood and moderate to high impact, or moderate likelihood and moderate to low impact. This also includes low impact/high likelihood observations.

L Low
  Generally, issues classified in this category are brought to management's attention as an efficiency improvement. Low likelihood and low to moderate impact, or low to moderate likelihood and low impact.

Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and the XYZ Company management responsible for the process being audited.

XYZ Audit Ratings: Overall Classifications (COSO)

F Financial Reporting: Reliability of the financial reporting process
O Operational: Operational effectiveness and efficiency
C Compliance: Compliance with applicable laws and regulations
S Strategic: High-level goals, aligned with and supporting the mission of XYZ Company

Internal Control Option Criteria

Based on the results of the audit, the system of internal controls will be rated as Strong, Satisfactory, Unsatisfactory, or Critical based on the following criteria:

Strong
  Definition: No issues.
  Attributes of Control Environment:
  - Control processes/monitoring are effective.
  - Low potential for undetected errors and omissions.
  - Compliance with company policy, GAAP.
  - Financials/results are reliable; adjustments not necessary.
  - No regulatory compliance issues.
  - No risk to CBI image.
  - No ethics issues.

Satisfactory
  Definition: Issues are not likely to impair business operations or jeopardize financial integrity.
  Attributes of Control Environment:
  - Control processes/monitoring are effective for key cycles/functions.
  - Major issues would likely be detected.
  - Policy and GAAP compliance issues have no material impact on operations or financial statements.
  - Financial adjustments, if any, are minor.
  - Regulatory compliance issues, if any, are minor and isolated.
  - Issues carry a low level of (or no) risk to CBI image.
  - Ethics issues, if any, are minor, and management takes timely, appropriate corrective actions.

Unsatisfactory
  Definition: Significant issues exist. Corrections required to avoid or contain exposure. Prompt action is required.
  Attributes of Control Environment:
  - Control processes/monitoring have weaknesses/are not effective.
  - Major issues may not be detected and corrected.
  - Policy or GAAP non-compliance could (or does) have a material impact on operations/financials.
  - Material financial adjustments may be required.
  - Regulatory compliance issues may show signs of being systemic.
  - Issues may carry potential for damage to CBI image.
  - Ethics issues not addressed appropriately and/or management does not set the appropriate tone.

Critical
  Definition: Significant issues found/indicated; processes/results are unreliable. Impact of weaknesses is likely widespread/compounding. Immediate attention required.
  Attributes of Control Environment:
  - Control monitoring is not in place or is extremely unreliable.
  - Very high potential for losses/undetected errors and omissions.
  - Policy or GAAP non-compliance issues are severe, pervasive, and material to operations/financials.
  - Financials/results are likely unreliable. Major problems exist.
  - Compliance issues are significant and carry severe consequences (fines, sanctions, etc.).
  - Issues may carry severe risk of damage to CBI image.
  - Ethics issues not addressed appropriately and/or management does not set the appropriate tone.

Audit Ratings Example

Audit ratings are assigned based on the following definitions:

Satisfactory
  The audited area has effectively assessed its risks, implemented control processes, and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory
  The audited area has adequately assessed its risks and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations.

Marginal
  The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory
  The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action.

Unrated
  This rating is generally reserved for first-time audits, limited-scope audits and special projects.

APPENDIX

Appendix A: Definition of Internal Audit Ratings and Rankings

Definition of Review Ratings

Adequate
  There are no identified issues that have either a Medium or High ranking. There may be a limited number of issues with a Low ranking and/or other observations for potential improvement.

Needs Improvement
  There are one or more identified issues with either a Medium or High ranking. A deficiency or combination of deficiencies impacts the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. The deficiency or combination of deficiencies impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed. The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Inadequate
  There are one or more identified issues with either a Medium or High ranking. A deficiency or combination of deficiencies significantly impairs the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved. The deficiency or combination of deficiencies significantly impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed. The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review, in order to meet required control objectives.

Definition of Issue Rankings

HIGH
  The issue is a control deficiency which represents a significant gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes. The issue requires an immediate, comprehensive corrective action plan, with progress to be monitored by an appropriate level of management.

MEDIUM
  The issue is a control deficiency which represents a gap in the design and/or operating effectiveness of control, affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes. The issue requires prompt attention to ensure internal control is designed and/or operating effectively.

LOW
  The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes. The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report to individual findings and recommendations and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently, and this should be borne in mind when considering this report.

Appendix B: Rating of Audit Findings
Rating Categories (each category lists its Risk/Impact Explanation, Need for Action and Responsible Function, and Reporting Obligations)

Particularly Severe (A)
  Risk/Impact Explanation: Risks threatening the existence of the organization, e.g.:
  - Fatal material losses
  - Image loss/publicly effective impact (massive loss of customers)
  - Violation of regulatory requirements (and possible revoking of the operating license)
  Need for Action and Responsible Function:
  - Urgent remediation by the management board required, immediate involvement of the supervisory body
  - Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
  - Refer to reporting obligations for Major (C) and Severe (B) findings, and:
  - Immediate notification of the supervisory body by the management board

Severe (B)
  Risk/Impact Explanation: Critical risks for business continuity, e.g.:
  - Very high material losses (losses are not detected in a timely manner)
  - Image loss/publicly effective impact (adversely affects the image on the market)
  - Violation of regulatory requirements (and possible criminal liability, etc.)
  Need for Action and Responsible Function:
  - Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members)
  - Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
  - Refer to reporting obligations for Major (C) findings, and:
  - Immediate submission of the internal audit report to the management board
  - Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members
  - At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)

Major (C)
  Risk/Impact Explanation: High risks for business continuity, e.g.:
  - High material losses (if weaknesses are not remedied in a timely manner)
  - Image loss (many internal and external parties are affected)
  - Violation of regulatory requirements (and possible fines, etc.)
  Need for Action and Responsible Function:
  - Remediation required, close supervision by the responsible member of the management board
  - Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
  - Highlighted in the internal audit report
  - Included in the (annual) overall internal audit report to the management board (including remedy measures taken)
  - Reported to the supervisory body by the management board at least annually, if not remedied
  - If not remedied within an appropriate period, the responsible member of the management board has to be informed in writing. If the findings remain unresolved during the financial year, the management board has to be informed in writing in the next (annual) overall internal audit report, at the latest.

Improvement Opportunity (D)
  Risk/Impact Explanation: Medium risks for business continuity, e.g.:
  - Medium material losses
  - Image loss (internal; some external parties are affected, if applicable)
  - Non-compliance with/implementation of certain regulatory requirements
  Need for Action and Responsible Function:
  - Implementation of certain improvement measures recommended
  - Monitoring by the head of the audited organizational unit; immediate involvement of the management board is not required
  - Monitoring of timely remediation by internal audit ("follow-up")
  Reporting Obligations:
  - Included in the internal audit report
  - Not included in the (annual) overall internal audit report

Comment (E)
  Risk/Impact Explanation: Low or no risks; "food for thought" for improvement/further development
  Need for Action and Responsible Function:
  - Decision on prioritization and implementation of measures remains in the audited organizational unit
  - Monitoring by the head of the audited organizational unit; involvement of the management board is not required
  - Not included in the follow-up by internal audit
  Reporting Obligations:
  - Summarized in the internal audit report or in a separate management summary/memo
  - Not included in the (annual) overall internal audit report