Sie sind auf Seite 1von 8

Internal Audit Reporting

Perspectives from Chief Audit Executives

>> Introduction

A common challenge for many Chief Audit Executives (CAE) is presenting the results of the internal audit
outcomes in the most effective and impactful manner. Most CAE are requested to issue an opinion on the
adequacy of internal controls following an internal audit. Such audit opinions provide clarity regarding the
severity of the identified issues and increase the comparability in time and also between audit objects.
However, using standard audit opinions may be arbitrary and could result in debates on the rating rather
than the identified issues. This challenge has been discussed with CAE's representing various industries
during a recent round table in Amsterdam hosted by Ernst & Young:

 ow can audit
H  ow can internal
H How can Internal  ow can internal
findings of audit findings be Audit apply audit opinions
entities across reported in a audit opinions support desired
the company be way that without being change within a
reported in a facilitates seen as a police company?
comparable prioritization officer?
way? and follow up?

'The Internal Audit Roundtable is part of a series of recurring events

and aims to provide a platform for companies to collaborate with peers.
The goal is to identify, through deliberations, practical step change solutions
that can contribute towards maximizing the value that organizations can derive
from their investments in managing risks.'

Ernst & Young 1

>> Internal Audit report
rating revisited

A number of different systems for audit opinions are used by The internal audit function decided to develop a new audit
internal audit functions. The most common varieties are: report rating system to move away from the traditional police
Binary: internal controls are or are not appropriate in the role and at the same time increasing comparability and
situation, for example: internal controls are satisfactory or understanding of audit findings.
unsatisfactory, effective or ineffective, meet expectations or
do not meet expectations, etc.
Graded: the effectiveness of internal controls is rated using a
Ernst & Young point of view:
grading system, for example: red-yellow-green, 1-2-3-4-5,
Directional: provides additional information about the
direction of the opinion since a previous report, for example Why the push for an internal
Satisfactory, but diminished since last year.
audit report rating system?
Most participants at this roundtable use one of the above
systems. A leading global company in the Technology industry Audit ratings and opinions, in one form or another, have
recently started a transformation program designed to become been around for decades. But with corporate governance
even more relevant by acting as a business partner to the regulations requiring management to provide an in-control
organization; providing value-added advice in a dynamic and statement overall ratings and opinions have become more
constant changing market environment. Changing the report important. Certainly, Management and Audit Committees
rating and issue tracking approach was part of this major will look at the internal audit function before issuing a
transformation program. positive in-control statement in its annual report.

In the past the Internal Audit function assessed the Broadly speaking, audit opinions and ratings offer several
effectiveness of internal controls using a 5 scale grading system distinct benefits:
ABCDN, equivalent to the frequently used system where audit ability to see the state of the control environment at a
reports are rated with Good, Fair, Unsatisfactory, Unacceptable, glance
Not Rated. benchmarking against which management and the Audit
Committee can measure improvement or slippage
The internal audit function found that this traditional audit identifying trends in the control environment
rating approach: putting the audit rating results in context with the activitys
did not give sufficient insight into risk development, nor did it risk profile
allow for comparability. For example the materiality of a recognizing managements awareness of control
C-rated (unsatisfactory) financial review in a small country weaknesses and its proactive remediation of them
did not compare with a C-rated review of a major business
process. As a result, if the % of C-ratings went down, you Using a single-dimension approach, control ratings can be as
could not conclude that the risk level for the whole company simple as pass or fail, or as complex as having five levels of
decreased. performance. The more commonly used system applies
drove management to focus on reports with an overall C three rating levels: Satisfactory, Needs improvement and
rating (unsatisfactory) and put less attention on reports with Unsatisfactory. These kinds of ratings enable the Audit
more positive audit ratings. Committee to assess the strength of the companys controls.
reinforced the police role of internal audit, emphasizing the But a rating of unsatisfactory in isolation does not let Audit
rating and not focusing on a constructive dialogue around Committee members know how important the businesss
materiality, urgency and solutions. activity is within the organization, the levels of risk it may
pose or what management may be doing about it.

2 Internal Audit Reporting Perspectives from Chief Audit Executives

Leading internal audit functions consider the extent to which With the V@R method the IA function wants to:
the audit findings may impact the achievement of business present findings in a more visual and quantified manner which
objectives and use a variety of quantitative and qualitative enables the business to focus on the main findings.
measures to reach the audit opinion. Important elements of increase the insight into the development of risk across the
these measures are impact and likelihood, but also more implicit company and to allow for more comparability.
business objectives such as reputation or environment. shift focus from overall point in time ratings to a continuous
improvement orientation based on materiality and urgency
The internal audit function of a leading global company in the through a constructive dialogue with the auditee.
Technology industry decided to use Value at Risk (V@R)
principles to quantify the business impact of internal audit

Ernst & Young point of view:


Considering a three dimensional audit ratings approach

As highlighted on previous page traditional audit rating approaches pose several challenges as they:
1. often do not provide insight into the importance of the businesss activity within the organization or the levels of risk it may
2. do not give insight whether management knew about the identified audit issues and what they are doing to fix it.

A three dimensional ratings approach should provide these two data points in addition to the performance level (Satisfactory,
Needs improvement, Unsatisfactory) of the control environment of an auditable entity.

The first data point is often available by leveraging inherent risk ratings from (Enterprise) Risk Assessments. These risk
assessments can deploy quantitative techniques including both probabilistic techniques such as value at risk, market value at
risk, loss distributions, and back-testing, as well as non-probabilistic techniques such as sensitivity analysis, scenario analysis,
stress testing, and benchmarking.

The second data point addresses the fact that Executives often hear complaints from management that it was already aware of
and working to resolve many of the issues raised in the audit report. Internal Audit could give management teams credit for
identifying issues and having plans for resolution before the audit. If they arent given credit for identifying issues before Internal
Audit enters the picture, they are less likely to raise the problems that they know exist. More often, they keep quiet, hoping that
Internal Audit wont find the issues. This is not a good strategy. Asking management teams to provide their control issues and
improvement efforts during the planning phase of an audit will enable them to receive full credit for their efforts in the audit

A three-dimensional rating provides executives and Audit Committees with a broader view of the organization. It also enables
them to more effectively prioritize issues based on the entitys inherent risk and awareness by management, rather than solely
on the traditional audit rating.

Ernst & Young 3

>> Value at risk put into practice

The V@R methodology, applied by a leading global company in One participant of the roundtable concurred that an important
the Technology industry, is designed to highlight the likelihood element of changing the internal audit ratings approach is to
and the urgency of an audit finding, ensuring management change mindsets in the entire company. The CAE of a leading
attention at the right level in the organization. Key design global company in the technology industry responds that it
principles included: indeed is a process. The new internal audit rating approach
Moving from a one dimensional system to a more balanced facilitates a very interesting dialogue with stakeholders as the
view (including was goes well); outcome is more robust and more factors are taken into
Resolving comparability challenges by explicitly highlighting consideration. Nevertheless implementing a new method of
impact and value; internal audit rating is a journey. As part of this journey steps
Solicitation of action through enabling prioritization based on have been taken to further align with stakeholders to increase
urgency. business buy in through:
Continued calibration of audit reports which is required as the
Audit findings are visualized as a bubble placed in the Likelihood process matures;
Urgency grid. The size of the bubble visualizes the impact of Integrating value@risk with Enterprise Risk Management
the finding based on the financial business impact which is (ERM) through management self assessments of the value
determined by the possible loss in Cash. Items that cannot be at risk as part of its ERM risk reporting;
quantified such as brand or reputation risks are represented by Merging the Value@Risk outputs with action-tracking and
squares. The likelihood (Y axis) represents the probability of follow-up for a more comprehensive view of risk.
the V@R materializing in the next 12 months. Urgency (X axis)
refers to the required speed of action required to remediate the
root cause of the audit findings.

The V@R pilot has been running for a year now and Internal
Audit has found the advantages of this approach to be twofold:
Management attention at the right level in the organization is
ensured and the business is enabled to focus on the main
findings as they are presented in a more visual and quantified
manner. The additional complexity in evaluating audit outcomes
did pose significant challenges as many business stakeholders
liked the traditional rating system for the simple answer on
good or bad.

4 Internal Audit Reporting Perspectives from Chief Audit Executives

>> Closing remarks

Using V@R as an internal audit rating approach is a relatively These topics will certainly be good areas of discussion during a
new concept. Through our discussion with CAEs we found that it next round table.
offers a number of advantages. V@R, as an integral part of the
overall enterprise risk management, can play an important role For more information, please contact:
in changing the relationship with stakeholders from being a Maurice van der Sanden, Internal Audit solution leader
police man to a business partner. V@R does not only measure +31 6 2125 1636
internal audit findings but can also help comparing findings
across the company to facilitate meaningful discussion with
stakeholders. It can also drive prioritization and follow up on Or
audit findings that matter.
Tonny Dekker, Risk Leader Belgium and The Netherlands
Throughout the discussions during the roundtable a number of +31 88 407 1004
emerging topics on the CAE agenda have been mentioned, such
How to quantify the risk appetite of a company?
How can innovation (e.g. tooling and techniques) be utilized
by Internal Audit?
What is the impact of culture on controls?
What are the key elements of a risk assessment, how do these
link to business opportunities and how can internal audit
facilitate a company-wide risk assessment?

Ernst & Young 5

Ernst & Young

Assurance | Tax | Transactions | Advisory

About Ernst & Young

Ernst & Young is a global leader in assurance, tax, transaction
and advisory services. Worldwide, our 167,000 people are
united by our shared values and an unwavering commitment
to quality. We make a difference by helping our people, our
clients and our wider communities achieve their potential.

Ernst & Young refers to the global organization of member

firms of Ernst & Young Global Limited, each of which is a
separate legal entity. Ernst & Young Global Limited, a UK
company limited by guarantee, does not provide services to
clients. For more information about our organization, please

2012 Ernst & Young LLP.

All rights reserved.