How Satisfying is the “ Satisfactory” rating in your audit report

Internal audit , also called as 'the third line' function, is responsible for conducting independent, objective assurance and consulting?audit activity.?One of the main purposes of the internal audit function is to add value and improve Organization’s performance.?Internal audit communicates the results of its work through Internal Audit report. Internal Audit report is valued by Senior Management and Board as the report provides formal assurance on the effectiveness of risk management, internal controls, and governance process. Audit outcome is one of the KPI for the Business leaders and Senior Management, hence audit report and related communication is a central feature of internal audit.

IIA Performance standards 2400 requires internal auditors to communicate the results of internal audit engagement.

Standard 2410 describes the criteria for communicating audit results.

Audit communications must include the engagement's objectives and scope as well as applicable conclusions, recommendations, and action plans.

2410.A1- Final communication of engagement results must, where appropriate, contain the internal auditors’ opinion and/or conclusions. When issued, an opinion or conclusion must take account of the expectations of senior management, the board, and other stakeholders and must be supported by sufficient, reliable, relevant, and useful information.

2410.A2- Internal auditors are encouraged to acknowledge satisfactory performance in engagement communications.?

Communicating audit result is core to the delivery of assurance and advice. Audit opinion at the engagement level can include ratings, conclusions, and other descriptions.?Auditors mostly follow RAG labelling in assigning the significance of individual audit observations and in providing an overall engagement level audit opinion. Much of the management attention is spent on the report rated red or amber as they indicate areas requiring management attention and has an impact on Organisation objectives. Green rating signifies that there is no major non- conformance, and the internal controls are operating at a satisfactory level.?

Business leaders and Senior management are harmoniously relieved when an audit report is rated “Satisfactory”. Albeit the rating ‘satisfactory’ can sometimes soften management attention to the control environment.?

Audit report is a point in time opinion and when an auditor issues a ‘Pass’ or ‘Satisfactory’ report it does not shift the responsibility to third line, ?and it cannot be treated as ?"Auditors" said, “it was okay”.?

Although, IIA does not prescribe any mandatory standards for overall rating of audit report, issuing one is highly subjective.?If the overall audit report is issued as’ Satisfactory’, there is a chance that the stakeholders potentially obscure the high-risk individual issues.

How can Management react to overall ?'Satisfactory' rated audit report :

• ????Understand the ratings of individual observations , likelihood , impact , velocity, vulnerability of each observation
• ????Focus on the high-risk individual observation and ensure a responsible owner is assigned for remediating the control gaps.
• ????Confirm, risk for the scope which is rated ‘satisfactory’ are being managed in the most effective manner
• ????Explore ?opportunities for significant efficiency improvements within the audited area
• ???Find out if , control areas that are assessed satisfactory in the recent engagement have been rated unsatisfactory in the past? How were the control issues mitigated?
• ??How critical are the control areas in achieving the strategic objective of the Organisation
• ??If the scope rated ‘satisfactory’ are representing non- key controls , review the control monitoring process and realign the control testing frequency to optimize the first line control testing efforts.

Role of audit function:

Audit reports are collaborative tools to improve the control operations. By bringing a positive impact through the audit findings, process owners can reach out to internal audit for consultative opinions. Therefore, auditors must seek focus on the individual observations in audit reports for more value add and to drive effective audit response.?

What other suggestions do you have for the management and audit function ?