Audit Ratings: Could we leave it to the experts?

Joshua G
What I think About IA
3 min read · Jul 3, 2022
TLDR: Could management be responsible for rating audit reports and findings based on their knowledge of the risk appetite and wider business priorities?

The topic of ratings for audit work comes up relatively regularly with varying opinions across the profession on what is the best approach. IIA standards do not require ratings to be used, but for many people in the profession (and regulators) the presence of a rating suggests a more robust and objective outcome. There is often a feeling that without a formal grade on an audit report or issue we are somehow “going easy” on management.

A recent survey conducted by Auditboard shows approximately 60% of respondents use a rating scheme for overall audit reports and 60% rate individual findings. This means there is still a sizable population of audit functions that have determined ratings are not necessary.

The pros and cons of ratings have also been discussed in various articles.

Some interesting ideas come up in these, such as:

  • Ratings can help the business prioritise and focus on what matters.
  • Ratings can detract from insight and wider issues as the focus is only on the rating.
  • Lack of ratings can make it more difficult to aggregate and report on audit work.

A recurring issue faced by many of us is that assigning ratings can slow down the reporting process with protracted negotiations about the severity of the findings and the overall rating. I often find conversations that had previously been very straightforward can become more difficult the second a rating is applied to a finding. Ratings can be taken personally, and in some cases can be used as a proxy for performance measurement of a business unit or manager. There are also instances in some organisations where a negatively rated audit item is automatically prioritised above critical control improvements identified by line management or other assurance areas, simply because of the voice we have at the highest levels of the organisation.

Balancing the pros and cons, I think ratings as part of audit communication can provide value. I see a rating as a signal of the priority for taking action: an identical issue in two different organisations or contexts could have totally different priorities. If my house is on fire, the guy stealing my TV is not really a priority, but on any other day it would be a critical concern.

My thought is that perhaps some of the challenges of assigning ratings can be overcome by giving management the responsibility for deciding what rating they would give a finding or audit report. Operating management are close to the facts and understand the various priorities outside of your audit that should be considered, so why not use that experience and knowledge to help prioritise audit findings?

A potential approach could be:

  1. Provide consistent, clear and objective rating criteria
  2. Communicate the concerns clearly (See the IIA 5 C’s)
  3. Ask management to assess the finding considering the risk appetite and other priority work and give their rationale for why they have arrived at the rating.
  4. If you disagree, you can explain your reasoning and note this in the audit report to ensure an objective view is conveyed.

It may seem like a small change if Internal Audit retains the right to disagree with management, but the process of giving accountability to the business may reduce contentious and protracted audit reporting. A secondary consequence is that this approach could put greater accountability on auditors to be clear about the potential implications of their findings, so that management rates findings appropriately.
