5 minute read 6 Mar 2019
Business People Meeting Office

How can the Internal Audit function most effectively communicate the results of its work?

5 minute read 6 Mar 2019
Related topics Advisory Risk

Audit reporting is one of the most crucial elements of Internal Audit, but rating elicits strong opinions.

Internal audit (IA) has a unique and important position within companies, entrusted as the eyes and ears of the audit committee, to highlight concerns and report on the operations of the organization.

Audit reporting is one of the most crucial elements of IA and, as such, elicits strong opinions. Many companies have attempted to drive clarity in communication by assigning ratings to audit reports. However, there are several questions to consider:

  • What is the purpose of IA ratings?
  • What is the definition of a “red” or “unsatisfactory” report, and do all stakeholders interpret a rating the same way?
  • Do ratings provide a clear directive to guide priorities, or do they oversimplify a complex environment?
  • How do ratings impact the perception of the IA function?
  • What are the implications of the rating for the business and management?

Companies cite a number of reasons for rating audit reports, the most common of which include clearly communicating the following, regardless of whether the ratings occur at the report level or issue level:

  • Severity of the findings
  • Priority for corrective action
  • Impact of issues
  • Reliability of the system of internal control
  • What the audit committee should view as most important

Most IA functions feel they need ratings to adequately communicate audit results and that rating audit reports is seen as valuable by audit committees. Ratings scales can include colors (red, yellow, green) and words (satisfactory, improvement needed, significant improvement needed).

In a recent EY survey, 83% of respondents said that ratings add value from IA and audit committee perspective.

However, it is less clear as to whether management, who bears the operational burden of going through the audit, gains value or has a good understanding of the rationale for specifying a rating level.

In a recent EY survey, 83% of respondents said that ratings add value from IA and audit committee perspective. However, it is less clear as to whether management gains value
Amy Brachio
EY Global and EY Americas Advisory Risk Leader

Perspectives on internal audit ratings

Some CAEs surveyed felt that the burden of rating outweighs the benefits, while the majority expressed that ratings are expected by stakeholders and give power to IA’s results.

When asked why her organization rates audit reports, the CAE of a large multinational company explained, “The audit committee wants to move the organization in the right direction, and as the CAE, I am responsible for putting internal audit reports into context to help direct their attention to topics that require attention, resources and funding support to help our organization achieve its goals.” She continued, “While I understand that rating reports might create difficult conversations with the auditee, the job of the CAE is to deliver an independent perspective, which sometimes includes delivering hard messages.”

However, the CAE of a large utility has a differing view and does not rate reports.
When asked how she communicates audit findings to the audit committee without using ratings, she explained, “By not using ratings, I can better shape the message to the audit committee to focus on emerging themes, resourcing concerns or other notable activity I am seeing across the organization. These items may not have independently risen to the level of being considered high risk as a single finding or report would.”

Additionally, she commented, “Not rating audit reports creates a collaborative relationship focused on continuous improvement instead of spending a significant amount of time debating a rating. And at the end of the day, the conclusion of the audit and the decision on how it is presented to the audit committee is the independent decision of the IA organization.”

Is the use of ratings universal? 

In a recent EY survey, many respondents indicated that they use some kind of ratings methodology in their audit reports. However, there is wide variety in the application of a rating methodology, including variation in the types of reports rated and in the level at which ratings are used.

Variation can also exist in the rating structure, which may include using a numeric or word-based scale to describe the severity of an observation. In addition, the definitions of what each rating means to involved stakeholders can affect the timeliness of remediation, establish the oversight required or identify the risk to the enterprise.

Even among organizations that rate reports, there are countless ways to structure and interpret ratings. We collected examples of the variables that feed into a ratings system and recommend that organizations review each section to develop an approach that best fits their industry, culture and management requirements.

Most companies are using many methods of communication to share audit results, including:

  1. Detailed written audit reports
  2. Memos to management
  3. Oral communication
  4. Dashboards

Digitization is pushing the horizons of what IA is and can be, including how IA is absorbing, analyzing, reacting to and communicating results. However, 96% of IA functions are still using detailed written audit reports.

In the digital age, where stakeholders expect messages to be enabled by technology, provide timely and actionable results and be easy to digest, it is more important than ever for IA functions to fully understand the options for rating — or not rating — internal audit results and use that understanding to develop a system that works best for their organizations.  

Chief audit executive point/counterpoint on ratings

  • Clear and defined communication to audit committee
  • Management can easily identify which findings are most critical
  • Potential for friction with stakeholders
  • Does not provide adequate attention to parts of the business with positive audit ratings
  • May reduce comparability
  • May not provide insight into the importance of the business activity within the organization or levels of risk it may pose
Not rating
  • Potential for collaboration and forward-focus with auditee
  • Focus on areas of emerging risk and trends that may not rise to a significant risk at the individual audit level
  • Difficulty in quantifying results of the audit and comparing results between audits
  • Lack of a simple and agreed-upon communication plan to audit committee and senior leadership


Companies cite a number of reasons for rating audit reports, but are they necessary? How else could internal audit communicate results to the audit committee and other stakeholders?

About this article

Related topics Advisory Risk