INTERNAL AUDIT REPORT RATINGS
Internal audit reports are rated as follows. These ratings are documented in the quarterly progress report provided to Senior Leadership and the Board, and to the Board (in the form of color coding) in the status update presentations provided by the Chief Audit Executive.
-
- “Effective”: All internal control issues found were not material to the institution (“green”).
- “Needs Improvement”: Internal control issues of significant number/materiality (“yellow”).
- “Needs Improvement with Concerns”: Internal control issues of significant number or heightened materiality, requires focused attention by the process owner (“orange”).
- “Ineffective”: Immediate action required due to material, business risk (“red”).
In addition to the state of internal controls, factors influencing the rating include management’s intention to provide corrective actions to our recommendations. As is indicated in UToledo Policy 3364-40-20 “Policy for dissemination of an internal audit report”, management (i.e., the process owner) is responsible for providing responses to all recommendations made in an internal audit report within 10 business days of receipt. The following procedures will be followed and discussed with the process owner at the opening meeting:
-
- Internal audit will create an audit program after discussions with the process owner regarding areas of concern, risk, and any known fraud in the area.
- Internal audit will perform fieldwork.
- A closing meeting will be held with the process owner to discuss audit findings and the draft audit report.
- The draft audit report will be issued requesting written management responses. Management should indicate whether they agree with the recommendation or not, and if so, what they will do to implement it (whether what internal audit suggests or something else) and the timeframe for doing so. For reports considered “Effective”, management should know that they can still agree with the recommendation, but do nothing, if they intend to assume the risk. If they disagree with the recommendation (and the matter was not resolved in the closing meeting), they need to state why and document controls in place to mitigate the finding.
- The process owner will have 10 business days to provide these management responses (as stated in the policy).
- If the process owner has not responded within 10 business days, internal audit will follow-up with the process owner and their senior leader indicating a response is past due and ask when we should expect it.
- If the process owner does not respond within 5 business days, internal audit will issue a final report without management responses.
If a final report has been issued without management responses and there are any aspects of the report not considered “Effective”, in the report internal audit will indicate that it is the responsibility of the senior leader and the President to resolve any findings identified.
When the draft report is presented to management, they will also be afforded an opportunity to correct any “errors of fact” documented in the report. Please note, however, that errors of fact do not include the report rating, which is the sole judgment of the Internal Audit team.
The final decision on the rating of an internal audit report rests with the Executive Director of Internal Audit (i.e., Chief Audit Executive), and cannot be delegated to others within or outside the department. Attempts by management to influence the final rating by appealing to members of the Chief Audit Executive’s administrative chain of command will be reported directly by the Chief Audit Executive to the Board.
Internal audits rated as “Needs Improvement” , “Needs Improvement with Concerns” or “Ineffective” will be subject to a full follow-up audit, shortly after the scheduled implementation date of the last management action plan in response to our recommendations. Those findings in internal audits that are rated as “Effective” will be assessed individually, shortly after each management action plan is scheduled for implementation.
All Internal Audit reports are authored by either the Chief Audit Executive or the Manager of Internal Audit and addressed to the executive of the area under review (i.e., VP or dean). The president, chief financial officer, and chief risk officer are automatically copied on all reports.
A project is considered “Completed” when the Chief Audit Executive is satisfied that all recommendations have been implemented, or management has agreed to accept the risk of the finding.
Reports emanating from special projects or other activities (i.e., compliance-based, or advisory/consulting project) where internal control attestation/testing is not an objective, will not receive a rating.