To rate or not to rate
How IA can most effectively communicate the results of its work
Haley, the chief audit executive (CAE) of a
large multinational organization, sighs as
she leaves the touch point with her audit
manager, Joseph.
They have just wrapped up one of their
most challenging internal audits of the year,
and Joseph has been briefing her on the
closing meeting. The audit was related to
an implementation project that veered off
course and identied major weaknesses
regarding governance, project management
and stakeholder communications. By
performing extensive fieldwork and
receiving support from subject-matter
resources, the internal audit team developed
insightful recommendations, though some
will take time and effort to implement. Haley
had hoped to hear of constructive dialogue
around major changes to overhaul the
implementation project. Instead, she learns
the closing meeting quickly got derailed by
concerns over the potential rating on the
report. Joseph explains that before they
even got into the first observation, he was
fielding questions about the rating. While
he tried to guide the conversation back on
course, the stakeholders were distracted,
and the discussion became contentious.
When Haley gets back to her desk, she has a
voicemail from the chief information officer
(CIO) expressing his own concerns. He has
debriefed with his team and is troubled by
the potential rating of the audit. He begins
to argue his case.
As Haley worries that the audit’s ability to
drive much-needed change is in jeopardy,
her mind races through questions: Is there a
better way to approach ratings? Are ratings
even necessary? If we do not use ratings,
how will we communicate internal audit
results to the audit committee and other
stakeholders?
Most internal audit
departments are
communicating audit
results to a wide array of
stakeholders, including:
1. Audit committee
2. Executive management
3. Line management
Internal audit (IA) has a unique and
important position within companies,
entrusted as the eyes and ears of the audit
committee, to highlight concerns and report
on the operations of the organization.
In addition, IA is increasingly seen as a
resource to share industry insights and
market trends. With this mandate in mind,
IA needs to communicate results clearly
and precisely to its stakeholders.
In this age of information overload, IA must
be able to steer its message through the
constant barrage of “high importance”
emails and “mission critical” meetings to
focus the attention of the audit committee
and executive management on high-risk
findings and areas of concern — both
immediate threats and future threats. What
can be especially challenging is how to
most effectively translate the conclusions
of IA’s work in a way that accomplishes this
goal. Many companies have attempted to
drive clarity in communication by assigning
ratings to audit reports. However, there are
several questions to consider:
What is the purpose of IA ratings?
What is the definition of a “red” or “unsatisfactory” report, and do all stakeholders interpret a rating the same way?
Do ratings provide a clear directive to guide priorities, or do they oversimplify a complex environment?
How do ratings impact the perception of the IA function?
What are the implications of the rating for the business and management?
In the digital age, where stakeholders
expect messages to be enabled by
technology, provide timely and actionable
results and be easy to digest, it is more
important than ever for IA functions to fully
understand the options for rating — or not
rating — internal audit results and use that
understanding to develop a system that
works best for their organizations.
The Institute of Internal Auditors (IIA)
does not offer prescriptive guidance
on ratings. Rather, the IIA International
Standards for the Professional Practice
of Internal Auditing (Standards) requires
the communication of specific elements
(e.g., objective, scope and results)
and emphasizes the importance of
communicating results in a manner that
is objective, constructive and timely. [1]
Organizations should also follow the
strategy set forth in their own IA mandate
and policies.
When it comes to reporting audit results,
one size does not fit all. The sector,
structure, maturity, culture and stakeholder
expectations will influence the delivery of IA
results. While there are a lot of similarities
when it comes to communicating IA results,
one thing is certain — no two companies
approach it the same way.
Perspectives on internal audit ratings
[1] Institute of Internal Auditors, International Standards for the Professional Practice of Internal Auditing (Standards) Section 2410 Criteria for Communicating
Is the use of ratings universal? In a recent
EY survey, many respondents indicated that
they use some kind of ratings methodology
in their audit reports. However, there is
wide variety in the application of a rating
methodology, including variation in the
types of reports rated and in the level at
which ratings are used. Stakeholders of
the internal audit reports can also differ
by organization, including the audit
committee, executive management and
line management. Variation can also exist
in the rating structure, which may include
using a numeric or word-based scale to
describe the severity of an observation. In
addition, the definitions of what each rating
means to involved stakeholders can affect
the timeliness of remediation, establish
the oversight required or identify the risk
to the enterprise.
Companies cite a number of reasons for
rating audit reports, the most common of
which include clearly communicating the
following, regardless of whether the ratings
occur at the report level or issue level:
Severity of the findings
Priority for corrective action
Impact of issues
Reliability of the system of internal control
What the audit committee should view as most important
Most IA functions feel they need ratings
to adequately communicate audit results
and that rating audit reports is seen as
valuable by audit committees. However, it
is less clear as to whether management,
who bears the operational burden of
going through the audit, gains value or
has a good understanding of the rationale
for specifying a rating level. Some of the
common arguments for not rating include
that ratings lead to conflict between the
auditee and internal audit and take time
away from focusing on the forward-looking
and benecial recommendations and/or
remediation plans.
View on ratings in organizations
83% of respondents said that ratings add value from IA and audit committee perspective
30% of respondents said that they are unsure if ratings add value from management’s perspective
88% of companies rate at the issue level
53% of companies rate at the report level
IA departments are more likely to rate reports that are focused on assurance, as opposed to those that they consider to be more advisory in nature.
74% of respondents rate assurance reports
32% rate advisory reports
Audit reporting is one of the most crucial
elements of IA and, as such, elicits strong
opinions. Many CAEs have unwavering
commitments to their decisions to rate or
not rate audit reports based on their overall
experience and what has driven successful
communications in their organizations.
Some CAEs surveyed felt that the burden
of rating outweighs the benefits, while
the majority expressed that ratings are
expected by stakeholders and give power
to IA’s results. When asked why her
organization rates audit reports, the CAE
of a large multinational company explained,
“The audit committee wants to move the
organization in the right direction, and
as the CAE, I am responsible for putting
internal audit reports into context to help
direct their attention to topics that require
attention, resources and funding support
to help our organization achieve its goals.”
She continued, “While I understand that
rating reports might create difficult
conversations with the auditee, the job
of the CAE is to deliver an independent
perspective, which sometimes includes
delivering hard messages.”
However, the CAE of a large utility has a
differing view and does not rate reports.
When asked how she communicates
audit ndings to the audit committee
without using ratings, she explained,
“By not using ratings, I can better shape
the message to the audit committee to
focus on emerging themes, resourcing
concerns or other notable activity I am
seeing across the organization. These
items may not have independently risen
to the level of being considered high
risk as a single finding or report would.”
Additionally, she commented, “Not rating
audit reports creates a collaborative
relationship focused on continuous
improvement instead of spending a
signicant amount of time debating a
rating. And at the end of the day, the
conclusion of the audit and the decision
on how it is presented to the audit
committee is the independent decision
of the IA organization.”
Most companies are
using many methods of
communication to share
audit results, including:
1. Detailed written audit
reports
2. Memos to management
3. Oral communication
4. Dashboards
Rating
Pro: Clear and defined communication to audit committee
Pro: Management can easily identify which findings are most critical
Con: Potential for friction with stakeholders
Con: Does not provide adequate attention to parts of the business with positive audit ratings
Con: May reduce comparability
Con: May not provide insight into the importance of the business activity within the organization or levels of risk it may pose
Not rating
Pro: Potential for collaboration and forward-focus with auditee
Pro: Focus on areas of emerging risk and trends that may not rise to a significant risk at the individual audit level
Con: Difficulty in quantifying results of the audit and comparing results between audits
Con: Lack of a simple and agreed-upon communication plan to audit committee and senior leadership
Chief audit executive point/counterpoint
Do you feel you could adequately communicate the results of your audit work without a rating?
Ratings give power to results, and are expected.
10% view ratings as more trouble and effort than they are worth, and as a cause of friction between IA and management
43% said the results would not be as powerful without a rating
Examples of rating schemes
Even among organizations that rate reports,
there are countless ways to structure and
interpret ratings. We collected examples of the
variables that feed into a ratings system and
recommend that organizations review each
section to develop an approach that best fits
their industry, culture and management
requirements.
Innovation
Digitization is pushing the
horizons of what IA is and
can be, including how IA is
absorbing, analyzing, reacting
to and communicating
results. However, 96% of
IA functions are still using
detailed written audit reports.
As the digital age continues
to transform the way we do
business, IA must not get
left behind by using outdated
communication channels.
Some functions have
started to experiment
with other methods of
communication, such as
memos and dashboards,
a trend that is expected to
increase. IA must evolve
to continue supporting
the mandate established
with its stakeholders
while delivering results
faster and in more digitally
compatible methods.
When actively engaged with
its stakeholders and using its
own communication style, IA
is poised to deliver high-value
communications to assist with
the strategic, operational,
compliance and financial
ambitions of the organization.
What level are you rating? Control environment; Business unit; Audit report; Individual issues
What criteria are you rating? Compliance; Regulatory; Reputational; Financial; Operational
What scale are you using? Scale size (2, 3, 4); Colors (red, yellow, green); Words (satisfactory, improvement needed, significant improvement needed)
Of the survey respondents who rate audit reports, 65% use a scheme with three or four levels
Back at her desk, Haley listens one
more time to the voicemail from her CIO
with his concerns about the audit report
and its potential rating. In this case, she
knows the audit committee is expecting
a rating on this latest report. Delivering
a “red” report would be the quickest
way for her to enact change within
her organization, including identifying
resources to assist with remediation and
gaining executive attention. However,
there are several new board members,
and this could be an opportunity to
better understand their expectations
and brainstorm if they have a different
vision for internal audit reporting. No
matter how Haley chooses to adjust
her reporting approach, she’ll need to
align with the company’s objectives and
strategic vision to elevate IA’s position
as a trusted business advisor in a
rapidly evolving world.
About EY
EY is a global leader in assurance, tax, transaction and advisory
services. The insights and quality services we deliver help build trust
and condence in the capital markets and in economies the world
over. We develop outstanding leaders who team to deliver on our
promises to all of our stakeholders. In so doing, we play a critical
role in building a better working world for our people, for our clients
and for our communities.
EY refers to the global organization, and may refer to one or more,
of the member rms of Ernst & Young Global Limited, each of which
is a separate legal entity. Ernst & Young Global Limited, a UK
company limited by guarantee, does not provide services to clients.
For more information about our organization, please visit ey.com.
© 2019 EYGM Limited.
All Rights Reserved.
EYG no. 012476-18Gbl
This material has been prepared for general informational purposes only and is not intended
to be relied upon as accounting, tax or other professional advice. Please refer to your
advisors for specic advice.