For years, I have written and spoken about one of the most persistent controversies in internal auditing: the practice of assigning ratings in audit reports. Whether those ratings take the form of numbers, stoplight colors, or labels such as “satisfactory” and “unsatisfactory,” they continue to generate strong opinions throughout the profession and with our stakeholders because they sit at the intersection of assurance, accountability, and organizational politics.

The truth is that audit ratings are unlikely to disappear anytime soon. In fact, a 2021 survey of more than 175 CAEs found that nearly 63% of audit departments assign overall ratings to audit reports, while a similar percentage assign ratings to individual findings. Internal auditors continue to use ratings because management and boards often demand concise signals that quickly communicate the significance of audit results and direct their attention toward areas of greatest concern.

I understand that reality well because I have seen it firsthand throughout my career. Years ago, a CEO told me exactly how he used internal audit ratings. If an audit report was labeled “satisfactory,” he set it aside and likely would not revisit it. If the report was “needs improvement,” he prioritized reviewing it the next day. If it was “unsatisfactory,” he took it home to read that evening.

That story illustrates why ratings remain popular among executives and audit committees. Leaders are inundated with information, competing priorities, and constant operational pressures, so any mechanism that helps them quickly identify where immediate attention is needed naturally becomes valuable.

At the same time, however, many of the traditional approaches internal audit functions continue to use are increasingly outdated, overly simplistic, and unnecessarily adversarial. It is time for the profession to reimagine how we rate audit results because the current approaches often create more friction than value.

Why Traditional Rating Schemes Fall Short

Most internal audit rating systems still rely on one of three approaches: adjectival ratings such as “satisfactory,” “needs improvement,” and “unsatisfactory;” numerical scales; or stoplight colors such as red, amber, and green. While these approaches are familiar and easy to apply, familiarity alone does not make them effective communication tools.

As I wrote years ago, ratings can quickly become polarizing because they often reduce management performance to a single label. When operating managers see their efforts summarized as “unsatisfactory,” they frequently interpret the result as a personal indictment rather than an objective assessment of enterprise risk exposure.

That dynamic creates several predictable and undesirable consequences. First, ratings often foster tension between internal audit and management, particularly when poor ratings influence compensation decisions or require managers to appear before the audit committee to explain themselves. Under those circumstances, ratings stop functioning as communication tools and start functioning as weapons, which undermines the collaborative relationships internal audit depends upon to be effective.

Second, ratings frequently delay the reporting process because management pushback over labels can consume more time than discussions about the actual findings themselves. Many CAEs have experienced situations where the debate over whether a report should be labeled “needs improvement” versus “unsatisfactory” becomes more contentious than the underlying risk exposure the audit identified.

Third, traditional rating schemes often fail to communicate what management truly needs most: a clear understanding of enterprise risk exposure and a practical path forward. Labels such as “satisfactory” or “yellow” provide limited insight into the urgency, business impact, or remediation expectations associated with the audit results.

That is the core problem with many legacy rating schemes. They communicate judgment, but they do not communicate direction.

Internal Audit Should Focus on Risk Exposure

Internal audit’s responsibility is not to assign grades. Our role is to help management and the board understand risk exposure, prioritize action, and strengthen governance, risk management, and controls. Traditional rating systems frequently lose sight of that purpose because they focus on categorization rather than action.

I believe internal audit functions should move toward language that reflects enterprise impact and encourages constructive response. Instead of relying on labels such as “unsatisfactory” or “red,” internal audit reports should communicate results using terminology such as:

• Critical Risk Exposure
• Elevated Risk Exposure
• Moderate Risk Exposure
• Risk Managed Effectively

This approach fundamentally changes the tone and substance of the discussion because the focus shifts away from judging management and toward understanding organizational exposure. That distinction matters because it can significantly reduce defensiveness while improving collaboration and responsiveness.

Imagine the difference between telling an operating executive that their area received an “unsatisfactory” rating versus explaining that the audit identified “elevated risk exposure related to third-party access controls.” One statement feels punitive and personal, while the other feels objective, actionable, and business-focused.

Words matter because they shape behavior, and internal auditors should be intentional about the language we use.

What a Modern Rating System Should Accomplish

A modern rating system should accomplish four important objectives simultaneously. First, it should clearly communicate the significance of the organization’s risk exposure. Second, it should identify the urgency of management action required. Third, it should encourage productive dialogue rather than emotional resistance. Finally, it should promote action.

That means ratings should explicitly connect findings to expected actions. For example:

• Critical Risk Exposure: Immediate executive action required
• Elevated Risk Exposure: Timely management remediation recommended
• Moderate Risk Exposure: Improvement opportunities identified
• Risk Managed Effectively: Controls operating within acceptable tolerance

Notice the difference in tone and clarity. These descriptions communicate both severity and expectations while aligning naturally with enterprise risk management principles and board-level discussions about risk appetite and risk tolerance.

This evolution is particularly important in today’s environment of accelerating risk velocity and volatility. Organizations face mounting cyber threats, growing AI governance concerns, geopolitical instability, supply chain disruptions, regulatory complexity, and rapidly changing operational risks. Internal audit reporting should help leaders prioritize and respond to those risks quickly, not argue over adjectival labels that generate more anxiety than insight.

Why CAEs Should Make This a Priority

Many CAEs tell me they are frustrated by the amount of time and organizational energy consumed debating audit report ratings with management. In some organizations, discussions over wording become more contentious than discussions about the underlying risks themselves, and that should concern every internal audit leader.

If your rating methodology consistently generates resistance, delays, or damaged relationships, it may no longer be serving its intended purpose.

I am not suggesting internal auditors abandon ratings altogether because executive management and audit committees still value concise signals that help them focus attention quickly. However, internal auditors should carefully reconsider whether their current schemes are helping management understand risk exposure and drive action or merely creating unnecessary friction.

As I wrote years ago, audit ratings can either be “lights” or “lightning rods.” The profession now has an opportunity to redesign rating methodologies so they illuminate enterprise risk exposure without unnecessarily igniting conflict with management.

Internal audit is most effective when it helps organizations move forward. Our rating systems should do the same.