As internal auditors strive to serve the needs of various business stakeholders as well as management and the board, we must always be cognizant of how we communicate our findings. A key part of this is providing information that stakeholders need in a manner that is clear and accurate. What I’ve observed over the course of more than two decades is that management and audit committees are typically appreciative of audit results that have been synthesized in an easy-to-digest manner. More often than not, any mechanism that can help to focus their attention, as well as any predetermined indicator of what is urgent, is greatly welcomed by executive readers.
One of the most prevalent methods for auditors to achieve this is through ratings and opinions. As I have explored previously in my blog “Ratings in Audit Reports: Lights or Lightning Rods?” as well as presentations and interviews, audit ratings and opinions are a perennial hot topic for the audit profession. A recent AuditBoard survey of 175+ CAEs found that audit ratings continue to be a widespread practice among internal auditors, although methodology and frequency range widely among different audit departments and companies. However, it is important to understand the advantages and disadvantages of ratings and opinions in order to maximize their benefits — while also avoiding potential unwanted consequences.
Audit Ratings Continue to Be a Widespread Practice in 2021
Our CAE survey found 63% of audit departments assign overall ratings for each audit report. In addition, nearly 63% of respondents rate individual findings in their audit reports.
From my experience, the prevalence of audit ratings across companies occurs because internal auditors are being responsive to the needs, expectations, and asks of stakeholders. Having served as CEO of the Institute of Internal Auditors for over twelve years, I experienced firsthand how precious time is in an executive role with competing priorities, and how valuable it is to receive clear communication regarding which audit reports deserve an executive’s immediate attention. I once had a CEO tell me that he greatly values an overall rating for each audit report he receives. As he put it: “If the report is rated ‘satisfactory,’ I set it aside and probably won’t look at it again (relying instead on operating management to address any results or recommendations). If the report is rated ‘needs improvement,’ I put it in my inbox, and will prioritize a review of the results tomorrow. If it is rated ‘unsatisfactory,’ I put it in my briefcase to read on the train on the way home that evening.”
Rating Schemes Vary by Audit Department
Our survey found a range of rating schemes that differed from department to department. The most common method — preferred by nearly 70% of respondents — is using adjectives (Satisfactory, Needs Improvement, Unsatisfactory) to summarize an audit report. A less popular method is a numerical rating scheme, with about 14% of respondents indicating they prefer this method. Considering auditors are typically criteria-focused, I expected more to prefer numerical ratings to adjectival ratings. Perhaps this is one of the factors that contributes to friction or tension between internal audit and operating management when ratings are assigned.
Another popular method used to distinguish audit reports is color-coding (e.g. red, amber, or green): almost half (47%) of respondents employ this rating scheme both in findings and in the title of report summaries. In particular, assigning color codes to risks observed, based on findings — e.g. a lack of adequate controls, heightened risk areas, controls that may leave the organization vulnerable — can be useful for directing a reader’s eyes to urgent areas requiring attention.
A Significant Majority Assigns Overall Opinions on Controls
Our survey also found that nearly 70% of respondents assign overall opinions on internal controls periodically to management and the board.
While there are benefits to doing so, I believe that assigning opinions creates potential risk for internal auditors. Whereas external auditors offer opinions based on a specific set of standards, there is sparse guidance for internal auditors regarding issuing opinions. This is why internal auditors must exercise caution whenever assigning opinions.
Always be sure to cite the scope of work you undertook when conveying an opinion, and avoid opinions that imply absolute assurance. Above all, be sure to communicate your opinion in a manner so that any reader can understand the basis for your conclusion, as well as any limitations to your opinion. An example of safeguarding your opinion by providing negative assurance is wording such as: “Based on the work we conducted… nothing came to our attention that would indicate the organization is not well-controlled.” In many cases, this caution can make the difference between an overall opinion on controls communicating an accurate basis for assurance vs absolute assurance.
Audit Ratings: Lighthouses or Lightsabers?
As I’ve posited previously, audit ratings can be lights or lightning rods, and I still believe that internal auditors must understand the great power they wield when distributing ratings and opinions — and proceed with care. Another way to look at the metaphor is that audit ratings and opinions can either be lighthouses that shine a helpful light on areas for concern, or lightsabers that are weaponized and cause more damage than good by sparking discord between internal audit and management. As audit is a profession that heavily relies on its relationships with all of its stakeholders, audit leaders must be as diplomatic and conscientious as possible when assigning ratings — being mindful of preserving relationships for the future in the process of providing assurance.
Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Internal Audit Advisor at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA).