Things to consider when rating your Internal Audit reports and findings
Rating Internal Audit reports and individual findings is a challenge. We can have the best definitions and a robust process for determining what rating should be applied, but findings and ratings can always be challenged by the business. Naturally, nobody wants to receive a bad finding, but is there a better way in which we can deliver our audit findings and recommendations / actions?
In this blog post, we are going to discuss the Internal Audit report rating scale, and raise a series of questions which audit teams should consider when determining what rating scale they are going to use.
Step 1 - What exactly are we rating?
This might seem like a silly question, but audit teams need to consider the following. Are we rating:
The overall audit report
The individual findings
The risk associated with the finding
The action required, or
A combination of the above.
Understanding this is important because the same rating definition cannot be used interchangeably. For instance, if we are rating the individual actions and what is required, we cannot use the same definition if we are rating the report based on the overall risk.
In these situations, it is important that we make it very clear what we are rating. This may require two rating scales in a report; one for the findings and one for the overall report.
Step 2 - What behaviours are we trying to drive?
Internal Audit teams need to determine their position in the business and what behaviours they want to drive.
For Internal Audit teams heavily focused on compliance and conformance with policy and procedure, you may want to drive the behaviours which encourage people to know company policy and processes, and adhere to them.
Alternatively, you may be in a mature business and want to create a risk mindset within the business. For instance, teams in the business may already understand and comply with policy really well, and now we want them to understand risk and how to avoid any future audit findings.
There is no right or wrong answer here, but whichever path you take will have an impact on the behaviours you drive in the business.
Step 3 - What are the types of ratings we can apply?
There are multiple ways in which ratings can be applied. A standard rating scale is the 'traffic lights': a simple red, amber and green rating which can be applied to either the risk or the finding itself. Furthermore, a traffic light rating can be used to rate the overall report.
For those wanting something different to a standard traffic light rating when rating individual findings, the below offer an alternative solution.
Risk Ratings are common across many businesses and are often well understood by many. Using a risk rating scale can help educate the finding owner on risk and provides a clear basis for your final rating decision.
To add further support to your rating, your audit report template can be modified to specifically call out the risk and the implication. By then assigning a rating based on impact and likelihood of the risk, it makes it harder for the business owner to defend the finding and the rating, but also shows the seriousness of the finding.
Where audit teams would rather rate the audit recommendation or action as opposed to the finding or risk, the Action Rating scale can be a useful tool. This rating scale focuses on the effort required to implement an action, but also the benefit / impact of implementing the action. This will then create a priority list for the business and highlight what should be done first.
For instance, where an action is deemed easy to implement, but has a low benefit to the business, this would be considered a Priority 1 action. It's a quick win for the business and will already provide a level of benefit. Conversely, an action which is extremely complex yet has a low benefit to the business would be a Priority 4 action. We can leave these actions to a later date.
If using this type of rating scale, it is important we have considered the business' risk appetite. The Priority matrix should be reviewed in conjunction with Risk before being applied to all audits to make sure it is fit and appropriate for the business.
Using this rating scale is also an easier way to close findings and actions with the business owner. To the finding owner, a Priority 2 finding may read much nicer than a High Risk finding, yet it is going to drive the same outcome. In fact, as the finding owner is essentially determining the ease of implementation and level of benefit the action will give, they are holding themselves accountable to the timely delivery of this action.
Step 4 - Finalising the report with different ratings
Transparency is the key, and the more transparent and methodical you are in your rating scale, the less it will be challenged and the less debate there will be over what rating should be applied.
In your audit report, you should clearly detail the various rating scales and how these contribute to an overall rating for the final report.