Red, yellow, green.

Once a quarter, Sunterra Corp.’s Chief Audit Executive Allan Misner meets with the company’s audit committee and provides a summary on the current standing of recent audits performed by his group. As part of the presentation, Misner uses a color-based, “stoplight” rating system for the audits he presents.

An audit with no key findings (that is, no matters that pose significant risk), or where all the key findings have been resolved, is rated “green.” The severity or volume of unresolved key findings in a report leads to either a “yellow” or a “red” rating. Until key findings are resolved, Misner reports on them in the quarterly presentations; they drop off once the audit is rated “green.”

Misner instituted the system when he joined Sunterra, one of the world’s largest vacation-ownership companies, about a year ago. The system gives the committee an immediate, visual summary of Sunterra’s areas of risk, and provides Misner with a framework for his conversation with the committee. Together, Misner and the committee probe the issues identified in the presentation, and he can educate them about the control structure of the North Las Vegas, Nev.-based company.

Use Of Ratings Up

The use of ratings in internal-audit reports has been growing amid an increasingly stringent regulatory environment with the adoption of legislation like the Sarbanes-Oxley Act. Companies’ boards, managers, and audit committees have taken a more active interest in the work of internal-audit teams, relying on them to identify control inefficiencies and risks before they become a serious problem for the businesses, internal auditors and consultants say.

“With the volume of testing that we do for Sarbanes-Oxley, we end up with more deficiencies to evaluate than we would have with a standard audit,” Misner says.

The increased amount of required testing, combined with the rising stature of internal auditors in organizations, also may be boosting auditors’ confidence about issuing ratings, says Paul Sobel, vice president of internal audit at Mirant Corp., an independent power company based in Atlanta.

“Without a rating, it can be challenging for readers to make an assessment on what an auditor thinks,” Sobel says. “It should be part of our fiduciary responsibility” to provide them.

Richard Chambers, a managing director at PricewaterhouseCoopers who co-authored a study this year about the state of the internal-audit profession, says that audit-committee chairs and companies’ senior managers consistently tell him that they expect their internal auditing group to help them avoid “surprises” in their businesses.


“I’m a big proponent that internal auditors need to be responsive to the needs of their stakeholders, including the board and management,” Chambers says. “If ratings are what they need, then they’re appropriate. It’s important that all the risks and rewards are considered.”

Chambers’ study found that inconsistencies abound in the approaches taken to develop ratings systems.

Different Types Of Ratings

Ratings can be numerical; descriptive, such as “high, medium, and low” or “satisfactory, needs improvement, and unsatisfactory”; or presented as a color heat map, using red, yellow, and green. Often, they reflect the preferences of the local internal-audit group or the values, risks, and control costs of an organization.

“I’ve found that a lot of people in business tend to be very visual,” Sunterra’s Misner says. “Giving them colors draws them to that item. If they see a ‘yellow’ in a bunch of audits that are all green, they go directly to it and start asking questions.”

Internal auditors should identify objective criteria and coordinate with management on the ratings system in advance so that everyone understands the rules. The approach should be driven by the expectations and risk tolerance of the audit committee and management, Sobel says.

Robert Hirth, a managing director at risk consulting firm Protiviti, suggests including an actual definition of each rating in the body or back of a report. It also can be helpful to provide comparative examples in the definitions themselves to make everything clear, he says.


Protiviti uses the Capability Maturity Model in many of its reports to provide the reader with an acknowledged comparative model of rating a process or area against various states of maturity, ranging from initial to maximized, Hirth says. Developed initially by Carnegie Mellon University, the CMM brings out more discussion about where the process should plan to get to rather than arguing a grade on the current state of a process.

IIA Report

An excerpt from the IIA’s report on practical considerations for expressing an opinion about internal controls follows.

The chief auditing officer should ensure that a sufficient amount of audit evidence is obtained to express their opinion. For example, work often is performed on a rotation basis across many audit units, with the scope of the work performed based on work in multiple audit units. Giving a positive assurance opinion on each of the individual units may not be possible if the amount of work done in each unit is insufficient.

A grading scale can be useful in providing sufficient information to build a positive assurance opinion. Use of a grading scale would generally require a well-defined evaluation structure. In addition, the more detailed the grading scheme, the more evidence is required to support the grades. Thus, a grading scale can provide more precision in the positive assurance opinion being expressed. For example, an opinion that merely states that internal controls meet a minimum defined criteria would not require the same amount of evidence as an opinion that stated how much better or worse internal controls are than a defined benchmark. Increased precision in the information provided in an opinion normally increases the amount of evidence needed to support the opinion. Providing a grade as part of a positive assurance opinion may provide useful information to the reader, but sufficient evidence is needed to support that finer level of detail given in the opinion.

Negative assurance is a statement that nothing came to the auditor’s attention that would indicate inadequate internal controls. The auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all concerns or issues. Such an opinion is less valuable than a positive assurance opinion as it provides limited assurance that sufficient evidence was gathered to determine whether internal controls were inadequate. A negative assurance opinion merely states that the internal auditor has not seen problems based on the work performed.

An opinion can be qualified with specific findings that contradict the overall opinion. Qualified opinions can be useful in situations where there is an exception to the general opinion. For example, the opinion may indicate that controls were “Satisfactory, with the exception of accounts payable controls, which require significant improvement.”

The Standards provide guidance for determining the adequacy of evidence and documentation. The CAE must ensure that any opinion expressed can be fully supported with sufficient audit evidence. The CAE should determine the level of audit evidence required to support an opinion on internal controls.

This determination relies heavily on the judgment of the CAE based on the scope of the opinion and the risks in the organization being addressed by the internal controls. Some internal audit activities have sufficient resources to gather enough audit evidence to provide very definitive and descriptive opinions. Other internal audit activities do not have sufficient resources to gather enough audit evidence to provide any type of opinion other than negative assurance qualified with a clear explanation of the limited amount of testing performed.

Source

IIA Report: “Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control” (June 10, 2005)

“There’s a certain amount of inherent subjectivity when you draw these sorts of conclusions and assign a rating,” Chambers says. “That’s why it’s so critical that there be as much objectivity and transparency as possible because it’s very important for the people being audited to understand the basis for the rating.”

The Chance To Respond

Management also should be given an opportunity to respond to the ratings and to have a voice in the final report.

Misner says he takes a collaborative approach to audits. Each audit report is issued individually after an agreement with management is reached; the audit committee is among the recipients of the reports. Often he will work with the managers of a business group that’s being audited and help them resolve identified issues before the next quarterly audit-committee meeting occurs. The changes made would be noted in the audit-committee presentation.

“It’s good when you can get things resolved before the next meeting,” Misner says.

There are inherent risks associated with any ratings system. For example, managers being audited may push back on a report’s findings, particularly if there are consequences, such as a reduction in their compensation, tied to the ratings. They may drag out the process of responding to a report, making the audits less timely and therefore less useful to the business.

Chambers suggests companies avoid using ratings for punitive purposes. “If I’m the manager in the business and I get a report that says ‘unsatisfactory,’ and that equates to not getting a bonus, I’ll fight very hard” against the audit, Chambers says. “If you’re not careful, the focus of the audit becomes the rating and not the real results of the audit.”

“Remember that any audit is done as of a point in time and is usually retrospective in what it’s looked at,” Hirth says. “It’s important to understand that the work was done in a point in time and after that time, things can change.”

To illustrate this point in audit reports, Hirth says, Protiviti includes the following wording: “This report provides management and the Audit Committee with information about the condition of risks and internal controls at one point in time. Future changes in environmental factors and actions by personnel will impact these risks and controls in ways this report cannot anticipate.”

While the Institute of Internal Auditors has no official standards for ratings systems, the group does offer some guidance in this area. A position paper on internal audit opinions by the IIA called “Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control” is applicable to ratings, the group said in a statement. Ratings and opinions should be consistent with the audit charter, supported with evidence, and appropriate for the intended use and audience. (See the excerpt from the IIA’s report above.)