INTERNAL AUDIT RATINGS GUIDE: SAMPLE 1
(Insert Year) Remote Access Audit Month XX, (Insert Year)
(Audit Name) (Insert Date)

AUDIT RATING STANDARDS
Instructions: Circle the audit rating determined through the completion of the audit rating grid on Page 4.

GOOD
Areas given a "Good" rating are well-controlled in every respect and demonstrate quality performance in almost every aspect. Performance is above average and adequately provides for the safe and sound operation of the area audited. Findings noted are minor; are not indicative of any significant weaknesses in policies, practices or procedures; and are generally corrected in the normal course of business.

SATISFACTORY
Areas given a "Satisfactory" opinion have acceptable internal controls and demonstrate adequate performance in most respects. Policies, practices and procedures are generally effective but may reflect modest weaknesses that are readily correctable in the normal course of business. Commitment to internal control and operating efficiency is acceptable. Some problems of relative significance may exist, but none are considered material.

REQUIRES IMPROVEMENT
Areas given a "Requires Improvement" opinion exhibit weaknesses within the internal control systems or the absence of internal control surrounding significant activities. Additionally, these areas demonstrate performance that is not adequately monitored and/or supervised by management, nor are policies and procedures always effective to promote a climate where internal control concepts may be realized. Commitment to internal control and/or operating efficiency needs enhancement.

UNSATISFACTORY
Areas given an "Unsatisfactory" opinion display performance or conditions that exhibit significant control weaknesses throughout the areas included in the audit scope. In these areas, many basic internal control concepts are not in effect and internal control systems are weak to the extent that significant financial losses or violations of law or regulation could occur or may have occurred. The lack of policies and procedures or adherence to them will prevent the accomplishment of a substantial part of the area's objectives. Corrective action must be immediately implemented with periodic (e.g., monthly) status reports routed to the area's executive management.

CONCURRENCE/NONCONCURRENCE
This rating applies to systems development and business or control projects in process. It conveys agreement/disagreement with a course of action or documents an opposing point of view. In each case, the report will state whether audit believes the project should be aborted, or what actions should be taken prior to commencing the next phase.

NOT RATED
The conditions or purposes of the audit do not require a rating to be assigned.
AUDIT RATING GRID
RATING SCALE
Instructions: Circle the point value assigned to each area. Multiply the point value by the factor for the applicable area and write the value in the applicable column under "Score" and by the letter for the particular column. Add the total points for each area across to obtain the overall point value. Use the overall point value to assign the rating.

| Area | Factor | Points (circle one) | Score |
|---|---|---|---|
| Internal Controls (From Page Three) | Five | 5 / 4 / 3 / 2 / 1 | Total A: 20 |
| Operations (From Page Four) | Three | 5 / 4 / 3 / 2 / 1 | Total B: 12 |
| Accounting Records (From Page Five) | Two | 5 / 4 / 3 / 2 / 1 | Total C: |

Total Score: XX

Check the appropriate rating based on the total score.
• Good: 50-39 points
• Satisfactory: 38-25 points
• Requires Improvement: 24-15 points
• Unsatisfactory: 14 and below

Additional rating factors for audits to be rated "Good" include:
• Major system changes or upgrades during the audit period
• Significant changes in personnel during the audit period
• Significant new products or services introduced during the audit period
• Uncorrected internal/external audit or examination findings
• Unaccepted internal audit recommendations
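As an added example (not part of the ratings guide), the grid arithmetic above written out in Python: weighted area scores, the total, and the band lookup, with input validation so an incomplete or mis-keyed worksheet is rejected rather than scored. The area names, the flag names, and the choice to surface the "additional rating factors" for review instead of scoring them are assumptions of this example.

```python
# Added example: composite scoring for the Sample 1 audit rating grid.
# Not the guide's own code; area/flag names are assumptions of this example.

# Weighting factors from the grid: Internal Controls x5, Operations x3,
# Accounting Records x2.
FACTORS = {"internal_controls": 5, "operations": 3, "accounting_records": 2}

# Rating bands from the grid (lowest total in the band -> rating label).
BANDS = [
    (39, "Good"),                  # 50-39 points
    (25, "Satisfactory"),          # 38-25 points
    (15, "Requires Improvement"),  # 24-15 points
    (0, "Unsatisfactory"),         # 14 and below
]

# The "additional rating factors" the guide lists for audits rated "Good".
ADDITIONAL_FACTORS = (
    "major_system_changes",
    "personnel_changes",
    "new_products_or_services",
    "uncorrected_findings",
    "unaccepted_recommendations",
)


def composite_score(points: dict) -> dict:
    """Return each area's score (points x factor) and the weighted total.

    `points` maps each area to the 1-5 value circled on its composite rating
    page. Missing areas or out-of-range values raise, so a half-filled sheet
    cannot silently produce a misleading total.
    """
    if set(points) != set(FACTORS):
        raise ValueError(f"expected areas {sorted(FACTORS)}, got {sorted(points)}")
    scores = {}
    for area, factor in FACTORS.items():
        value = points[area]
        if not isinstance(value, int) or not 1 <= value <= 5:
            raise ValueError(f"{area}: point value must be an integer 1-5, got {value!r}")
        scores[area] = value * factor
    scores["total"] = sum(scores[area] for area in FACTORS)
    return scores


def rating_for(total: int) -> str:
    """Map a total (10-50 with valid 1-5 inputs) to the guide's rating bands."""
    for lowest, label in BANDS:
        if total >= lowest:
            return label
    raise ValueError(f"total {total} is below the minimum possible score")


def rate_audit(points: dict, flags=()) -> dict:
    """Score the audit and surface additional rating factors for a "Good" result.

    The guide lists the factors without a numeric effect, so (assumption of
    this example) they are reported for the auditor's judgment, not scored.
    """
    unknown = set(flags) - set(ADDITIONAL_FACTORS)
    if unknown:
        raise ValueError(f"unknown additional factors: {sorted(unknown)}")
    scores = composite_score(points)
    rating = rating_for(scores["total"])
    review = sorted(flags) if rating == "Good" else []
    return {"scores": scores, "rating": rating, "review_factors_for_good": review}


if __name__ == "__main__":
    # Constructed input: 4 points in every area, which reproduces the
    # worked sheet's A = 20 and B = 12 (the sheet leaves C and the total blank).
    print(rate_audit(
        {"internal_controls": 4, "operations": 4, "accounting_records": 4},
        flags=("personnel_changes",),
    ))
```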
COMPOSITE RATING AREAS

INTERNAL CONTROLS
Rating summary of internal control structure:
• 5: Virtually all desired controls are in place and operating. Only very minor exceptions were noted, and backup controls exist for all weaknesses noted.
• 4: Most material controls are in operation and the exposures found are minor in extent and nature. They are usually backed up by other controls.
• 3: Attention should be given to some exposures in protective and detective controls. Reasonable assurance exists that current controls afford the bank adequate protection.
• 2: Early attention should be given to exposures in protective and detective controls. Deterioration in current controls can lead to serious exposures.
• 1: Immediate attention to serious exposures in protective and detective controls is required. Exposures exist that could make the bank vulnerable to significant losses.

Support for rating of internal control structure: (List)
All of management's controls were sufficiently designed to mitigate risks and achieve control objectives related to remote access. Additionally, all of management's controls were tested for operating effectively to mitigate the intended risks and achieve the intended control objectives.

OPERATIONS
Prepare the following rating based on audit evidence.
Rating summary of operations:
• 5: Performance is significantly higher than average.
• 4: Performance is above average.
• 3: Performance is average.
• 2: Performance is below average.
• 1: Performance is unacceptable.

Support for rating of operations: (List)
Internal audit's testing revealed that management possessed documented policies and procedures in all relevant and significant areas related to remote access (specifically the remote administration of IT systems, encryption and passwords).
Through discussions with IT management and a walk-through of the controls, internal audit also determined that IT management personnel responsible for performing or monitoring the controls were knowledgeable of the controls and had many years of experience in working in their related fields.
Internal audit identified the following opportunities to further enhance and improve existing controls, but these improvements did not constitute control failures because of numerous compensating controls that adequately reduce risk to the bank.
• IT management should reassess the need for the modem remote access system.
• Management should update its remote administration of IT systems policy and annual privileged account review procedure to require the annual review of all accounts with access to perform remote administration of IT systems.
See VIII. Remote Access Recommendation Memo.doc for additional information regarding these recommendations.
ACCOUNTING RECORDS
Rating summary of accounting records:
• 5: The books and records more than adequately and accurately reflect transactions.
• 4: The books and records adequately and accurately reflect transactions.
• 3: The books and records, in reasonable detail, accurately reflect transactions.
• 2: The books and records less than adequately reflect transactions.
• 1: The books and records do not accurately reflect transactions.

Support for the rating of accounting records: (List)
There are no financial books or records applicable to the remote access audit. There are some IT records applicable to the audit, and they include remote access activity reports and IT service requests. Remote access activity reports are used by management to monitor who is using the remote access system and to detect any inappropriate use of the remote access system. IT service requests record the approval and testing of any changes to remote access systems (including system and access changes). Internal audit noted that these IT records adequately and accurately reflect system and access changes related to remote access.
INTERNAL AUDIT RATINGS GUIDE: SAMPLE 2
AUDIT RATING DEFINITIONS

| Rating | Definition |
|---|---|
| Strong | Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the organization. Risks are effectively managed. Monetary risk associated with potential control failures is not material. A few exceptions to established policies and procedures were identified. |
| Satisfactory | While there may be some minor risk management weaknesses, these issues have been recognized and are being addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or deficiencies, but they are correctable in the normal course of business. |
| Needs Improvement | Risk management practices are lacking in important ways and are a cause for more than supervisory attention. Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have adverse effects on the organization if corrective actions are not taken. |
| Needs Significant Improvement | Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in many material respects. The organization may have serious identified weaknesses that require substantial improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed, these conditions may result in a significant impact on the organization. |
| Unsatisfactory | Due to the absence of effective risk management practices, management is unable to identify, monitor or control significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal controls require immediate and close supervisory attention. |
AUDIT REPORT RATING MATRIX
Each rating covers two points on the 1-10 scale; the definition applies to both.

Effective (scale 1-2)
• Overall risk program is reliable and requires negligible improvements.
• The risk management procedures are formalized and documented and communicated and understood throughout the business. Risk management system is robust and possesses the capacity and ability to consistently identify, document and assess existing and emerging risks.
• Risk controls effectively manage, mitigate, and transfer existing and foreseeable risks and do not expose the business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory noncompliance. Audit recommendations are generally housekeeping in nature.

Monitor (scale 3-4)
• Overall risk program is adequate for the current level of risk within the business but requires ongoing monitoring.
• The risk management procedures are formalized and documented but not communicated. Risk procedures need to be communicated and the business needs to obtain assurance that procedures are understood. Although the risk management system possesses the capacity and ability to identify, document and assess existing risk, specific improvements are needed to ensure accurate and timely incorporation of emerging risks.
• Risk controls adequately manage, mitigate, and transfer existing risks but improvements are required, as emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program does not expose the business to immediate financial loss or regulatory noncompliance. The director must make improvements within 60 days.

Needs Improvement (scale 5-6)
• Overall risk program is not adequate.
• The risk management procedures are partially formalized and documented and not communicated. Risk procedures require improvement to assure that risk processes are fully documented and need to be clearly communicated. The business unit needs to obtain assurance that the risk process is understood.
• Risk management systems require improvement to ensure reliability of procedures to accurately, and in a timely manner, identify, document, and assess existing and new risks. Controls require improvement to ensure the ability of mechanisms to manage, mitigate, and transfer existing and emerging risks, as changing conditions will possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60 days.

Impaired (scale 7-8)
• Overall risk program is impaired.
• The risk management procedures are informal and undocumented and, for the most part, not communicated. Risk procedures require improvement to assure that risk processes are fully and accurately documented and must be communicated and understood by the business.
• Risk management systems require significant improvement to ensure reliability of procedures to accurately and in a timely manner identify, document, and assess existing and new risks. Controls require extensive improvements to secure the ability to manage, mitigate, and transfer existing and emerging risks, as conditions will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss or regulatory noncompliance. Improvements are needed within the next 30 days.

Unsatisfactory (scale 9-10)
• Overall risk program is not acceptable.
• The risk management procedures are largely nonexistent, undocumented and not communicated. Risk procedures must be instituted, formalized, documented and communicated.
• Risk management systems must be implemented immediately to accurately and in a timely manner identify, document, and assess existing and new risks.
• Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business processes and to possess flexibility to react under changing conditions. The line of business is exposed to material financial loss or regulatory noncompliance. Improvements are needed within the next two weeks, and the audit committee must be made aware of improvements to be implemented.
AUDIT REPORT RATING GUIDELINES
The scale point within each rating is determined by the number of open issues at each risk level.

Effective
Scale 1:
• No high-risk issues
• No medium-risk issues
• No more than three low-risk issues
Scale 2:
• No high-risk issues
• No more than one medium-risk issue
• No more than six low-risk issues

Monitor
Scale 3:
• No high-risk issues
• No more than three medium-risk issues
• No more than four low-risk issues
or
• No high or medium-risk issues and more than six low-risk issues
Scale 4:
• No high-risk issues
• No more than four medium-risk issues
• No more than six low-risk issues

Needs Improvement
Scale 5:
• No more than one high-risk issue
• No more than four medium-risk issues
or
• No high-risk issues and no more than six medium-risk issues
Scale 6:
• No more than two high-risk issues
• No more than six medium-risk issues
or
• No more than one high-risk issue and more than six medium-risk issues

Impaired
Scale 7:
• No more than three high-risk issues
• No more than four medium-risk issues
Scale 8:
• No more than three high-risk issues
• No more than six medium-risk issues

Unsatisfactory
Scale 9:
• More than four high-risk issues
• More than six medium-risk issues
or
• No more than two high-risk issues and more than six medium-risk issues
Scale 10:
• No more than four high-risk issues
• No more than six medium-risk issues
XYZ AUDIT RATINGS

| Code | Rating | Definition |
|---|---|---|
| ST | Strong | The audited area meets or exceeds Company X standards in all critical respects. The level of internal controls is functioning effectively and efficiently. Information systems and user operations are integrated and support the business. Generally, no more than two "Low" observations were noted. |
| SA | Satisfactory | The audited area meets the overall Company X standards. Generally, no more than two "Important" observations may exist that are being promptly addressed by management. A few "Notable" observations may also exist. |
| N | Needs Improvement | The audited area does not meet Company X standards overall. Generally, there is either at least one "High" observation and/or at least three "Important" observations, which if uncorrected could expose Company X to an unacceptable risk. |
| U | Unsatisfactory | The audited area contains unacceptable gaps in the overall control structure and/or controls are not working as intended. Generally, there is at least one "High" observation and/or five "Important" observations. The area requires immediate attention with oversight by senior management. |

Business Importance Codes

| Code | Importance | Definition |
|---|---|---|
| H | High | Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company's reputation. High likelihood and high impact may occur. |
| I | Important | Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation. Moderate likelihood and moderate to high impact, or high likelihood and moderate impact, may occur. |
| N | Notable | Risk involves an important but indirect and limited level of exposure to loss of assets and/or loss of revenue and/or negative impact on operating effectiveness and/or the company's reputation, which is outside of Company X's risk appetite. Low likelihood and moderate to high impact, or moderate likelihood and moderate to low impact, may occur. This also includes low-impact/high-likelihood observations. |
| L | Low | Generally, issues classified in this category are brought to management's attention as an efficiency improvement. Low likelihood and low to moderate impact, or low to moderate likelihood and low impact, may occur. |

Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The ratings are assigned collaboratively by internal audit and XYZ Company management responsible for the process being audited.

Overall Classifications: COSO

| Code | Classification | Definition |
|---|---|---|
| F | Financial Reporting | Reliability of the financial reporting process |
| O | Operational | Operational effectiveness and efficiency |
| C | Compliance | Compliance with applicable laws and regulations |
| S | Strategic | High-level goals aligned with and supporting the mission of XYZ Company |
INTERNAL CONTROL OPTION CRITERIA
Based on the results of the audit, the system of internal controls will be rated as "Strong," "Satisfactory," "Unsatisfactory" or "Critical" based on the following criteria:

Rating Definition

| Strong | Satisfactory | Unsatisfactory | Critical |
|---|---|---|---|
| Issues do not exist. | Issues are not likely to impair business operations or jeopardize financial integrity. | Significant issues exist. Corrections are required to avoid or contain exposure. Prompt action is required. | Significant issues find/indicate processes/results are unreliable. Impact of weaknesses is likely widespread/compounding. Immediate attention is required. |
Attributes of Control Environment

| Strong | Satisfactory | Unsatisfactory | Critical |
|---|---|---|---|
| Control processes/monitoring are effective. | Control processes/monitoring are effective for key cycles/functions. | Control processes/monitoring have weaknesses/are not effective. | Control monitoring is not in place or is extremely unreliable. |
| Low potential for undetected errors and omissions exists. | Major issues would likely be detected. | Major issues may not be detected and corrected. | Losses/undetected errors and omissions are likely. |
| Company policy and GAAP are adhered to. | Policy and GAAP compliance issues have no material impact on operations or financial statements. | Policy or GAAP noncompliance could (or does) have a material impact on operations/financials. | Policy or GAAP noncompliance issues are severe, pervasive and material to operations/financials. |
| Financials/results are reliable; therefore, adjustments are not necessary. | Financial adjustments, if any, are minor. | Material financial adjustments may be required. | Financials/results are likely unreliable. Major problems exist. |
| Regulatory compliance issues do not exist. | Regulatory compliance issues, if any, are minor and isolated. | Regulatory compliance issues may show signs of being systemic. | Compliance issues are significant and carry severe consequences (fines, sanctions, etc.). |
| Risk to the CBI image is nonexistent. | Issues carry low-level (or no) risk to the CBI image. | Issues may carry potential for damage to the CBI image. | Issues may carry severe risk of damage to the CBI image. |
| Ethics issues do not exist. | Ethics issues, if any, are minor and management takes timely, appropriate corrective actions. | Ethics issues are not appropriately addressed and/or management does not set the appropriate tone. | Ethics issues are not addressed appropriately and/or management does not set the appropriate tone. |
AUDIT RATING EXAMPLE
Audit Ratings Are Assigned Based on the Following Definitions

| Rating | Definition |
|---|---|
| Satisfactory | The audited area has effectively assessed its risks; implemented control processes; and complied with applicable policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but compensating controls exist that sufficiently minimize the risk of loss. |
| Generally Satisfactory | The audited area has adequately assessed its risks and has implemented generally effective control processes. We may have noted some weaknesses in controls, but they are not such that the audited area is significantly exposed to the risk of loss. Such audited areas are in general compliance with applicable policies, procedures, and appropriate laws and regulations. |
| Marginal | The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently important to warrant the attention of more senior levels of management. Any deterioration in the current operating routine could lead to serious exposures and regulatory criticisms. |
| Unsatisfactory | The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious criticism by regulators. Such situations require urgent action and senior management involvement in implementing corrective action. |
| Unrated | This rating is generally reserved for first-time audits, limited scope audits and special projects. |
APPENDIX A: DEFINITION OF INTERNAL AUDIT RATINGS AND RANKINGS

Definition of Issue Rankings

Adequate
• There are no identified issues that have either a "Medium" or "High" ranking.
• There may be a limited number of issues with a "Low" ranking and/or other observations for potential improvement.

Needs Improvement
• There are one or more identified issues with either a "Medium" or "High" ranking.
• A deficiency or combination of deficiencies impacts the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.
• The deficiencies merit prompt attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives.

Inadequate
• There are one or more identified issues with either a "Medium" or "High" ranking.
• A deficiency or combination of deficiencies significantly impairs the design and/or operating effectiveness of control for the area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies significantly impacts the company's ability to provide reasonable assurance over the effective design and/or operation of control, thus affecting the company's risk exposure within the area being reviewed.
• The deficiencies merit immediate attention and remediation by management to improve the overall design and/or operating effectiveness of control for the area under review to meet required control objectives.

High
• The issue is a control deficiency, which represents a significant gap in the design and/or operating effectiveness of the control affecting the company's ability to address relevant risks and to provide reasonable assurance regarding the achievement of desired outcomes.
• The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an appropriate level of management.

Medium
• The issue is a control deficiency, which represents a gap in the design and/or operating effectiveness of the control affecting the company's ability to address relevant risks and provide reasonable assurance regarding the achievement of desired outcomes.
• The issue requires prompt attention to ensure that internal controls are designed and/or operating effectively.

Low
• The issue represents an opportunity to improve control and processes to support the achievement of desired outcomes.
• The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report regarding individual findings, recommendations, and in formulating an overall conclusion. Accordingly, others could rate the findings or conclusion differently, and this should be borne in mind when considering this report.
APPENDIX B: RATING OF AUDIT FINDINGS
For each rating category: Risk/Impact Explanation; Need for Action and Responsible Function; Reporting Obligations.

Particularly Severe (A)
Risk/Impact Explanation: Risks threatening the existence of the organization include:
• Fatal material losses
• Image loss/publicly effective impact (massive loss of customers)
• Violation of regulatory requirements (and possible revoking of the operating license)
Need for Action and Responsible Function:
• Urgent remediation by the management board required; immediate involvement of the supervisory body
• Monitoring of timely remediation by internal audit (follow-up)
Reporting Obligations: Refer to reporting obligations for Major (C) and Severe (B) findings, and:
• Immediate notification of the supervisory body by the management board

Severe (B)
Risk/Impact Explanation: Critical risks for business continuity include:
• Very high material losses (losses are not detected in a timely manner)
• Image loss/publicly effective impact (adversely affects the image on the market)
• Violation of regulatory requirements (and possible criminal liability, etc.)
Need for Action and Responsible Function:
• Immediate remediation by the management board required (immediate involvement of the supervisory body and the supervisory authorities in case of severe findings against management board members)
• Monitoring of timely remediation by internal audit (follow-up)
Reporting Obligations: Refer to reporting obligations for Major (C) findings, and:
• Immediate submission of the internal audit report to the management board
• Immediate notification of the chairman of the supervisory body and the supervisory authorities by the management board in case of severe findings against management board members
• At least annual reporting from the management board to the supervisory body (highlighted findings, including remedy measures taken and their implementation statuses)

Major (C)
Risk/Impact Explanation: High risks for business continuity include:
• High material losses (if weaknesses are not remedied in a timely manner)
• Image loss (many internal and external parties are affected)
• Violation of regulatory requirements (and possible fines, etc.)
Need for Action and Responsible Function:
• Remediation required; close supervision by the responsible member of the management board
• Monitoring of timely remediation by internal audit (follow-up)
Reporting Obligations:
• Highlighted in the internal audit report
• Included in the (annual) overall internal audit report to the management board (including remedy measures taken)
• Reported to the supervisory body by the management board at least annually, if not remedied
• If not remedied within an appropriate period, the responsible member of the management board must be informed in writing (if the findings remain unresolved during the financial year, the management board must be informed in writing in the next (annual) overall internal audit report, at the latest)

Improvement Opportunity (D)
Risk/Impact Explanation: Medium risks for business continuity include:
• Medium material losses
• Image loss (internal, and some external parties are affected, if applicable)
• Noncompliance with/implementation of certain regulatory requirements
Need for Action and Responsible Function:
• Implementation of certain improvement measures recommended
• Monitoring by the head of the audited organizational unit (immediate involvement of the management board is not required)
• Monitoring of timely remediation by internal audit (follow-up)
Reporting Obligations:
• Included in the internal audit report
• Not included in the (annual) overall internal audit report

Comment (E)
Risk/Impact Explanation:
• Low or no risks
• "Food for thought" for improvement/further development
Need for Action and Responsible Function:
• Decision on the prioritization and implementation of measures remains in the audited organizational unit
• Monitoring by the head of the audited organizational unit (involvement of the management board is not required)
Reporting Obligations:
• Summarized in the internal audit report or a separate management summary/memo
• Not included in the (annual) overall internal audit report
• Not included in the follow-up by internal audit