Perspectives on internal audit ratings
Some CAEs surveyed felt that the burden of rating outweighs the benefits, while the majority expressed that ratings are expected by stakeholders and give power to IA’s results.
When asked why her organization rates audit reports, the CAE of a large multinational company explained, “The audit committee wants to move the organization in the right direction, and as the CAE, I am responsible for putting internal audit reports into context to help direct their attention to topics that require attention, resources and funding support to help our organization achieve its goals.” She continued, “While I understand that rating reports might create difficult conversations with the auditee, the job of the CAE is to deliver an independent perspective, which sometimes includes delivering hard messages.”
However, the CAE of a large utility has a differing view and does not rate reports.
When asked how she communicates audit findings to the audit committee without using ratings, she explained, “By not using ratings, I can better shape the message to the audit committee to focus on emerging themes, resourcing concerns or other notable activity I am seeing across the organization. These items may not have independently risen to the level of being considered high risk as a single finding or report would.”
Additionally, she commented, “Not rating audit reports creates a collaborative relationship focused on continuous improvement instead of spending a significant amount of time debating a rating. And at the end of the day, the conclusion of the audit and the decision on how it is presented to the audit committee is the independent decision of the IA organization.”
Is the use of ratings universal?
In a recent EY survey, many respondents indicated that they use some kind of ratings methodology in their audit reports. However, there is wide variety in the application of a rating methodology, including variation in the types of reports rated and in the level at which ratings are used.
Variation can also exist in the rating structure, which may include using a numeric or word-based scale to describe the severity of an observation. In addition, the definitions of what each rating means to involved stakeholders can affect the timeliness of remediation, establish the oversight required or identify the risk to the enterprise.
Even among organizations that rate reports, there are countless ways to structure and interpret ratings. We collected examples of the variables that feed into a ratings system and recommend that organizations review each section to develop an approach that best fits their industry, culture and management requirements.
Most companies are using many methods of communication to share audit results, including:
- Detailed written audit reports
- Memos to management
- Oral communication
Digitization is pushing the horizons of what IA is and can be, including how IA is absorbing, analyzing, reacting to and communicating results. However, 96% of IA functions are still using detailed written audit reports.
In the digital age, where stakeholders expect messages to be enabled by technology, provide timely and actionable results and be easy to digest, it is more important than ever for IA functions to fully understand the options for rating — or not rating — internal audit results and use that understanding to develop a system that works best for their organizations.