From my experience, the prevalence of audit ratings across companies occurs because internal auditors are being responsive to the needs, expectations, and asks of stakeholders. Having served as CEO of the Institute of Internal Auditors for over twelve years, I experienced first-hand how precious time is in an executive role with competing priorities, and how valuable it is to receive clear communication regarding which audit reports deserve an executive’s immediate attention. I once had a CEO tell me that he greatly values an overall rating for each audit report he receives. As he put it: “If the report is rated ‘satisfactory,’ I set it aside and probably won’t look at it again (relying instead on operating management to address any results or recommendations). If the report is rated ‘needs improvement,’ I put it in my inbox, and will prioritize a review of the results tomorrow. If it is rated ‘unsatisfactory,’ I put it in my briefcase to read on the train on the way home that evening.”
Our survey found a range of rating schemes that differed from department to department. The most common method — preferred by nearly 70% of respondents — is using adjectives (Satisfactory, Needs Improvement, Unsatisfactory) to summarize an audit report. A less popular method is a numerical rating scheme, with about 14% of respondents indicating they prefer this method. Considering auditors are typically criteria-focused, I expected more to prefer numerical ratings to adjectival ratings. Perhaps this is one of the factors that contributes to friction or tension between internal audit and operating management when ratings are assigned.
Another popular method used to distinguish audit reports is color-coding (e.g. red, amber, or green): almost half (47%) of respondents employ this rating scheme both in findings and in the title of report summaries. In particular, assigning color codes to risks observed, based on findings — e.g. a lack of adequate controls, heightened risk areas, controls that may leave the organization vulnerable — can be useful for directing a reader’s eyes to urgent areas requiring attention.
Our survey also found that nearly 70% of respondents periodically assign overall opinions on internal controls to management and the board.
While there are benefits to doing so, I believe that assigning opinions creates potential risk for internal auditors. Whereas external auditors offer opinions based on a specific set of standards, there is sparse guidance for internal auditors regarding issuing opinions. This is why internal auditors must exercise caution whenever assigning opinions.
Always be sure to cite the scope of work you undertook when conveying an opinion, and avoid opinions that imply absolute assurance. Above all, be sure to communicate your opinion in a manner such that any reader can understand the basis for your conclusion, as well as any limitations to your opinion. An example of safeguarding your opinion by providing negative assurance is wording such as: “Based on the work we conducted… nothing came to our attention that would indicate the organization is not well-controlled.” In many cases, this caution can make the difference between an overall opinion on controls that communicates an accurate basis for assurance and one that implies absolute assurance.
As I’ve posited previously, audit ratings can be lights or lightning rods, and I still believe that internal auditors must understand the great power they wield when distributing ratings and opinions — and proceed with care. Another way to look at the metaphor is that audit ratings and opinions can either be lighthouses that shine a helpful light on areas of concern, or lightsabers that are weaponized and cause more damage than good by sparking discord between internal audit and management. As audit is a profession that relies heavily on its relationships with all of its stakeholders, audit leaders must be as diplomatic and conscientious as possible when assigning ratings — being mindful of preserving relationships for the future in the process of providing assurance.