How are you thinking regarding risk ratings being used for the findings within an Audit Report? Are there any changes to the approach?

SVP - External and Regulatory Audit, 2 years ago

We risk rate all findings that rise to the level of an "issue". That criticality rating drives the overall audit rating: Satisfactory, Unsatisfactory, Needs Improvement. All Med and High issues are reported to the Audit Committee, based on status updates from management. Risk definitions are tied to the ERM framework.

Lightbulb on1
Vice President - Internal Audit and Enterprise Risk Management in Healthcare and Biotech, 2 years ago

We rate every finding in our audit reports as we find that it helps our senior leaders understand relative severity in order to assist with prioritization and resourcing taken within the context of the broader set of initiatives their teams are working on. We've recently revisited our rating scales to ensure that they are still appropriate given the overall company risk appetite. We also made updates to the language we use for our ratings, to improve our ability to communicate the ratings to our internal clients.

SVP Corporate Audit in Energy and Utilities, 2 years ago

We use risk ratings for every audit finding that we report. This is used to drive the speed of implementation of the remediating actions. However, no matter what the risk rating is, the actions need to be completed by the due date, with the Board getting an update each quarter of progress against implementation of actions and any overdue actions.

Vice President, Internal Audit in Banking, 2 years ago

I agree that risk ratings are beneficial in allowing stakeholders to develop risk-based remediation plans (or risk acceptance decisions) and prioritize resources. We have adopted the risk ratings scale in our organization's risk management standards to promote consistency amongst assurance providers.

CFO in Travel and Hospitality, 2 years ago

Risk ratings are always beneficial in understanding the importance of a finding and how critical it can be for the company. This can also give enough guidance to focus on either improving an existing control or introducing a new one to bring the risk down to the lowest possible.
