By now, most internal auditors are aware that The IIA has released long-anticipated proposed revisions to its Global Internal Audit Standards. As I recently shared in an AuditBoard blog calling attention to these changes, they would represent “the most sweeping change to the standards in more than 20 years, and present a significant opportunity for internal auditing and its future.”
Until now, I have elected not to provide extensive public commentary on the proposed standards, preferring instead to offer (generally positive) feedback to IIA leadership privately. However, there is one particular proposed change that I feel compelled to address: The standards would mandate ratings (rankings or other indications of priority) for internal audit engagement findings and a rating for the aggregated engagement results.
To appreciate the significance of such a change, it is useful to look at existing IIA standards.
The accompanying interpretation states that, “Opinions at the engagement level may be ratings, conclusions or other descriptions of the results.”
Existing Standard 2410 Criteria for Communicating
Existing Standard 2410.A1 Requirements
“Where appropriate, the internal auditors’ opinion should be provided.”
The IIA had clearly left the decision on assigning ratings in audit reports to the professional judgement of the internal audit executive/team. But if the proposed standards are adopted, it appears that discretion will be a thing of the past.
The IIA’s Proposed Global Internal Audit Standards raise the bar on ratings:
Proposed Standard 14.3 Evaluation of Findings – Requirements
“Internal auditors must provide a rating, ranking, or other indication of priority for each engagement finding, based on the significance of the finding, using methodologies established by the chief audit executive.”
Proposed Standard 14.5 Developing Engagement Conclusions – Requirements
“Internal auditors must develop an engagement conclusion.… Based on the engagement conclusion, internal auditors must issue a rating, ranking, or other indicator of the significance of the aggregated findings.”
My views on the topic of ratings and opinions should be well-known, as I have expressed them over 15 years in presentations, blogs and even a recent podcast. Ratings and opinions in audit reports are fine, as long as they align with the needs and expectations of internal audit’s stakeholders and internal auditors acknowledge accompanying risks.
Indeed, ratings for audit reports are widely used today. A 2021 survey I conducted for AuditBoard revealed that 63% of American audit departments assign an overall rating for each audit report. In addition, nearly 63% of respondents said they also rate individual findings in their audit reports. Despite this widespread use of ratings and opinions, however, most internal auditors acknowledge that they are a common source of friction. As I noted in a 2021 blog:
“Even when management begrudgingly agrees with unflattering internal audit results, the fur can fly when internal audit assigns an overall rating on the audit report. Such ratings are often adjectival, for example, “satisfactory,” “needs improvement” or “unsatisfactory.” It is not uncommon for operating management to bristle at an “unsatisfactory” rating. And tensions can become much more pronounced if the rating results in punitive actions, such as impacting management’s performance assessment or incentive compensation.
“From my experience, executive management and the audit committee are often more receptive to internal audit rating schemes than operating management. But that doesn’t mean internal auditors should not be sensitive to rating perceptions throughout the organization. As a CAE, I would discourage the use of such ratings as a sole basis for reducing management’s incentive compensation. That’s because internal audit will likely be perceived as an adversary by those who are negatively impacted.”
Participants in my seminar, “Auditing at the Speed of Risk,” have told me that disagreements over ratings in draft internal audit reports often slow down the resolution process and undermine the timeliness of the report.
So, where do I stand on the proposed standards that would mandate the use of ratings? Frankly, I think The IIA already has it right in the current version of the standards: “Where appropriate, the internal auditor’s opinion should be provided.” I am not signaling strong disagreement with the proposed changes; however, I believe there are many ways internal auditors can convey the significance of their conclusions without adding traffic lights that often impede the flow of traffic.
As always, I welcome your thoughts on this important topic. Feel free to comment directly to the blog, or share your thoughts with me via email at firstname.lastname@example.org.