Internal Audit Rating Guide

The document provides guidelines and examples for rating internal audits on a scale from Good to Unsatisfactory. It includes sample audit rating grids and factors for evaluating internal controls, operations, and accounting records. Guidelines describe levels of control weaknesses, performance, and how accurately books and records reflect transactions for each rating.


Table of Contents
INTERNAL AUDIT RATINGS GUIDE: SAMPLE 1
INTERNAL AUDIT RATINGS GUIDE: SAMPLE 2

INTERNAL AUDIT RATINGS GUIDE: SAMPLE 1

(Insert Year) Remote Access Audit Month XX, (Insert Year)

(Audit Name) (Insert Date)

AUDIT RATING STANDARDS

Instructions: Circle the audit rating determined through the completion of the audit rating grid below.

GOOD
Areas given a “Good” rating are well-controlled in every respect and demonstrate quality performance in almost
every aspect. Performance is above average and adequately provides for the safe and sound operation of the
area audited. Findings noted are minor; are not indicative of any significant weaknesses in policies, practices or
procedures; and are generally corrected in the normal course of business.

SATISFACTORY
Areas given a “Satisfactory” opinion have acceptable internal controls and demonstrate adequate performance in
most respects. Policies, practices and procedures are generally effective but may reflect modest weaknesses that
are readily correctable in the normal course of business. Commitment to internal control and operating efficiency
are acceptable. Some problems of relative significance may exist, but none are considered material.

REQUIRES IMPROVEMENT
Areas given a “Requires Improvement” opinion exhibit weaknesses within the internal control systems or the
absence of internal control surrounding significant activities. Additionally, these areas demonstrate performance
that is not adequately monitored and/or supervised by management, nor are policies and procedures always
effective to promote a climate where internal control concepts may be realized. Commitment to internal control
and/or operating efficiency needs enhancement.

UNSATISFACTORY
Areas given an “Unsatisfactory” opinion display performance or conditions that exhibit significant control
weaknesses throughout the areas included in the audit scope. In these areas, many basic internal control
concepts are not in effect and internal control systems are weak to the extent that significant financial losses or
violations of law or regulation could occur or may have occurred. The lack of policies and procedures or
adherence to them will prevent the accomplishment of a substantial part of the area’s objectives. Corrective action
must be immediately implemented with periodic (e.g., monthly) status reports routed to the area’s executive
management.

CONCURRENCE/NONCONCURRENCE
This rating applies to systems development and business or control projects in the process. It conveys
agreement/disagreement with a course of action or documents an opposing point of view. In each case, the report
will state whether audit believes the project should be aborted, or what actions should be taken prior to
commencing the next phase.

NOT RATED
The conditions or purposes of the audit do not require a rating to be assigned.

AUDIT RATING GRID

Instructions: Circle the point value assigned to each area. Multiply the point value by the factor for the applicable
area and write the value in the applicable column under “Score” and by the letter for the particular column. Add
the total points for each area across to obtain the overall point value. Use the overall point value to assign the
rating.

Internal Controls (Factor: Five; points from the Internal Controls rating summary below)
  Points: 5 / 4 / 3 / 2 / 1    Score (Total A): 20

Operations (Factor: Three; points from the Operations rating summary below)
  Points: 5 / 4 / 3 / 2 / 1    Score (Total B): 12

Accounting Records (Factor: Two; points from the Accounting Records rating summary below)
  Points: 5 / 4 / 3 / 2 / 1    Score (Total C):

Total Score: XX

RATING SCALE

Check the appropriate rating based on the total score.

Good 50-39 points

Satisfactory 38-25 points

Requires Improvement 24-15 points

Unsatisfactory 14 and below

Additional rating factors for audits to be rated “Good” include:


• Major system changes or upgrades during the audit period
• Significant changes in personnel during the audit period
• Significant new products or services introduced during the audit period
• Uncorrected internal/external audit or examination findings
• Unaccepted internal audit recommendations
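The grid arithmetic above (points 1 to 5 per area, weighted by factors of five, three and two, then mapped to the 50-39 / 38-25 / 24-15 / 14-and-below bands) is easy to get wrong when filled in by hand, so here it is as a small Python calculator. This is an added example, not code from the guide or its authors; the function and parameter names are this example's own, and because the guide does not say how the "additional rating factors" listed above change a score, the example only reports which of them are present when the computed rating is Good, leaving the adjustment to the auditor's judgment.

```python
"""Audit rating grid calculator (added example; names are this example's own).

Implements the weighted scoring of the Audit Rating Grid: each of three areas is
rated 1-5, multiplied by its factor (Internal Controls x5, Operations x3,
Accounting Records x2), summed, and mapped to the guide's rating bands.
"""
from dataclasses import dataclass

# Weighting factors from the grid. Minimum total is 1*5+1*3+1*2 = 10,
# maximum is 5*5+5*3+5*2 = 50.
FACTORS = {"internal_controls": 5, "operations": 3, "accounting_records": 2}
MIN_TOTAL, MAX_TOTAL = 10, 50

# Rating bands from the RATING SCALE table, as (inclusive lower bound, rating).
RATING_BANDS = (
    (39, "Good"),
    (25, "Satisfactory"),
    (15, "Requires Improvement"),
    (0, "Unsatisfactory"),  # "14 and below"
)

# The additional rating factors the guide lists for audits to be rated "Good".
# The guide gives no scoring rule for them, so (assumption) they are only
# surfaced for review rather than applied to the score.
GOOD_REVIEW_FACTORS = (
    "major system changes or upgrades during the audit period",
    "significant changes in personnel during the audit period",
    "significant new products or services introduced during the audit period",
    "uncorrected internal/external audit or examination findings",
    "unaccepted internal audit recommendations",
)


@dataclass(frozen=True)
class GridResult:
    scores: dict            # area -> points * factor (Total A / B / C)
    total: int              # sum of the three scores
    rating: str             # band the total falls in
    review_factors: tuple   # additional factors present when the rating is Good


def score_area(area: str, points: int) -> int:
    """Return points x factor for one area, rejecting values not on the grid."""
    if area not in FACTORS:
        raise ValueError(f"unknown area: {area!r}")
    if points not in (1, 2, 3, 4, 5):
        raise ValueError(f"{area}: points must be 1-5, got {points!r}")
    return points * FACTORS[area]


def rating_for_total(total: int) -> str:
    """Map a total score to the guide's rating band."""
    if not MIN_TOTAL <= total <= MAX_TOTAL:
        raise ValueError(f"total must be {MIN_TOTAL}-{MAX_TOTAL}, got {total}")
    for floor, rating in RATING_BANDS:
        if total >= floor:
            return rating
    raise AssertionError("unreachable: bands cover every valid total")


def rate_audit(internal_controls: int, operations: int, accounting_records: int,
               present_factors: tuple = ()) -> GridResult:
    """Score the three areas, total them, and assign the overall rating."""
    points = {
        "internal_controls": internal_controls,
        "operations": operations,
        "accounting_records": accounting_records,
    }
    scores = {area: score_area(area, p) for area, p in points.items()}
    total = sum(scores.values())
    rating = rating_for_total(total)

    unknown = set(present_factors) - set(GOOD_REVIEW_FACTORS)
    if unknown:
        raise ValueError(f"unrecognised additional factors: {sorted(unknown)}")
    # Only a "Good" rating triggers the additional-factor review.
    review = tuple(f for f in GOOD_REVIEW_FACTORS if f in present_factors) if rating == "Good" else ()
    return GridResult(scores, total, rating, review)


if __name__ == "__main__":
    # Sample 1 shows Internal Controls 4 -> Total A 20 and Operations 4 -> Total B 12;
    # Total C is blank in the sample, so 4 points for Accounting Records is a constructed value.
    result = rate_audit(4, 4, 4, ("unaccepted internal audit recommendations",))
    print(result.scores, result.total, result.rating)
    for factor in result.review_factors:
        print("Review before confirming Good:", factor)
```

The band boundaries are worth a second look when using this: a total of 38 (for example 5, 3, 2) is Satisfactory while 39 (for example 4, 5, 2) is Good, so a single point in the Operations column can move an area across the line.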

COMPOSITE RATING AREAS

INTERNAL CONTROLS
Rating summary of internal control structure:
• 5: Virtually all desired controls are in place and operating. Only very minor exceptions were noted, and backup
controls exist for all weaknesses noted.
• 4: Most material controls are in operation and the exposures found are minor in extent and nature. They are
usually backed up by other controls.
• 3: Attention should be given to some exposures in protective and detective controls. Reasonable assurance
exists that current controls afford the bank adequate protection.
• 2: Early attention should be given to exposures in protective and detective controls. Deterioration in current
controls can lead to serious exposures.
• 1: Immediate attention to serious exposures in protective and detective controls is required. Exposures exist
that could make the bank vulnerable to significant losses.

Support for rating of internal control structure: (List)

All of management’s controls were sufficiently designed to mitigate risks and achieve control objectives related to
remote access. Additionally, all of management’s controls were tested and found to be operating effectively to
mitigate the intended risks and achieve the intended control objectives.

OPERATIONS
Prepare the following rating based on audit evidence.

Rating Summary of Operations

5 Performance is significantly higher than average.

4 Performance is above average.

3 Performance is average.

2 Performance is below average.

1 Performance is unacceptable.

Support for rating of operations: (List)

Internal audit’s testing revealed that management possessed documented policies and procedures in all relevant
and significant areas related to remote access (specifically the remote administration of IT systems, encryption
and passwords).

Through discussions with IT management and a walk-through of the controls, internal audit also determined that
IT management personnel responsible for performing or monitoring the controls were knowledgeable of the
controls and had many years of experience in working in their related fields.

Internal audit identified the following opportunities to further enhance and improve existing controls, but these
improvements did not constitute control failures because of numerous compensating controls that adequately
reduce risk to the bank.
• IT management should reassess the need for the modem remote access system.
• Management should update its remote administration of IT’s systems policy and annual privileged account
review procedure to require the annual review of all accounts with access to perform remote administration of
IT systems.

See VIII. Remote Access Recommendation Memo.doc for additional information regarding these
recommendations.

ACCOUNTING RECORDS

Rating Summary of Accounting Records

5 The books and records more than adequately and accurately reflect transactions.

4 The books and records adequately and accurately reflect transactions.

3 The books and records, in reasonable detail, accurately reflect transactions.

2 The books and records less than adequately reflect transactions.

1 The books and records do not accurately reflect transactions.

Support for the rating of accounting records: (List)

There are no financial books or records applicable to the remote access audit. There are some IT records
applicable to the audit and they include remote access activity reports and IT service requests. Remote access
activity reports are used by management to monitor who is using the remote access system and to detect any
inappropriate use of the remote access system. IT service requests record the approval and testing of any
changes to remote access systems (including system and access changes). Internal audit noted that these IT
records adequately and accurately reflect system and access changes related to remote access.

INTERNAL AUDIT RATINGS GUIDE: SAMPLE 2

AUDIT RATING DEFINITIONS

Strong
Internal control systems are sufficiently comprehensive and appropriate to the size and complexity of the
organization. Risks are effectively managed. Monetary risk associated with potential control failures is not
material. A few exceptions to established policies and procedures were identified.

Satisfactory
While there may be some minor risk management weaknesses, these issues have been recognized and are being
addressed. Risks are effectively managed. Internal control systems may display modest weaknesses or
deficiencies, but they are correctable in the normal course of business.

Needs Improvement
Risk management practices are lacking in important ways and are a cause for more than supervisory attention.
Risks may not be effectively managed. Weaknesses may include control exceptions or failures that could have
adverse effects on the organization if corrective actions are not taken.

Needs Significant Improvement
Marginal risk management practices generally fail to identify, monitor and control significant risk exposures in
many material respects. The organization may have serious identified weaknesses that require substantial
improvement in internal controls or procedures. Risks are not effectively managed. Unless properly addressed,
these conditions may result in a significant impact on the organization.

Unsatisfactory
Due to the absence of effective risk management practices, management is unable to identify, monitor or control
significant risk exposure. Internal control systems may be sufficiently weak to jeopardize the continued viability
of the organization. Risks are not effectively managed. Deficiencies in risk management procedures and internal
controls require immediate and close supervisory attention.

AUDIT REPORT RATING MATRIX

Effective (scale 1-2)
• Overall risk program is reliable and requires negligible improvements.
• The risk management procedures are formalized and documented and communicated and understood
throughout the business. Risk management system is robust and possesses the capacity and ability to
consistently identify, document and assess existing and emerging risks.
• Risk controls effectively manage, mitigate, and transfer existing and foreseeable risks and do not expose the
business to undue risk. Risk program does not expose the business to unwarranted financial loss or regulatory
noncompliance. Audit recommendations are generally housekeeping in nature.

Monitor (scale 3-4)
• Overall risk program is adequate for the current level of risk within the business but requires ongoing
monitoring.
• The risk management procedures are formalized and documented but not communicated. Risk procedures need
to be communicated and business needs to obtain assurance that procedures are understood. Although the risk
management system possesses the capacity and ability to identify, document and assess existing risk, specific
improvements are needed to ensure accurate and timely incorporation of emerging risks.
• Risk controls adequately manage, mitigate, and transfer existing risks but improvements are required as
emerging risks and changing conditions could lead to a weakened risk management capacity. The risk program
does not expose the business to immediate financial loss or regulatory noncompliance. The director must make
improvements within 60 days.

Needs Improvement (scale 5-6)
• Overall risk program is not adequate.
• The risk management procedures are partially formalized and documented and not communicated. Risk
procedures require improvement to assure that risk processes are fully documented and need to be clearly
communicated. The business unit needs to obtain assurance that the risk process is understood.
• Risk management systems require improvement to ensure reliability of procedures to accurately, and in a timely
manner, identify, document, and assess existing and new risks. Controls require improvement to ensure the
ability of mechanisms to manage, mitigate, and transfer existing and emerging risks as changing conditions will
possibly lead to a weakened risk management capacity. The line of business, without improvements, is likely to
be vulnerable to financial loss or regulatory noncompliance. Improvements are required within the next 30 to 60
days.

Impaired (scale 7-8)
• Overall risk program is impaired.
• The risk management procedures are informal and undocumented and not communicated for the most part.
Risk procedures require improvement to assure that risk processes are fully and accurately documented and
must be communicated and understood by the business.
• Risk management systems require significant improvement to ensure reliability of procedures to accurately and
in a timely manner identify, document, and assess existing and new risks. Controls require extensive
improvements to secure the ability to manage, mitigate, and transfer existing and emerging risks, as conditions
will lead to a weakened risk management capacity. Risk program exposes the business to potential financial loss
or regulatory noncompliance. Improvements are needed within the next 30 days.

Unsatisfactory (scale 9-10)
• Overall risk program is not acceptable.
• The risk management procedures are largely nonexistent, undocumented and not communicated. Risk
procedures must be instituted, formalized, documented and communicated.
• Risk management systems must be implemented immediately to accurately and in a timely manner identify,
document, and assess existing and new risks.
• Implementation of control mechanisms is required to manage, mitigate and transfer risks present in business
processes and possess flexibility to react under changing conditions. The line of business is exposed to material
financial loss or regulatory noncompliance. Improvements are needed within the next two weeks and the audit
committee must be made aware of improvements to be implemented.

AUDIT REPORT RATING GUIDELINES

Effective
Scale 1: No high-risk issues; no medium-risk issues; no more than three low-risk issues.
Scale 2: No high-risk issues; no more than one medium-risk issue; no more than six low-risk issues.

Monitor
Scale 3: No high-risk issues; no more than three medium-risk issues; no more than four low-risk issues;
or no high or medium-risk issues and more than six low-risk issues.
Scale 4: No high-risk issues; no more than four medium-risk issues; no more than six low-risk issues.

Needs Improvement
Scale 5: No more than one high-risk issue; no more than four medium-risk issues;
or no high-risk issues and no more than six medium-risk issues.
Scale 6: No more than two high-risk issues; no more than six medium-risk issues;
or no more than one high-risk issue and more than six medium-risk issues.

Impaired
Scale 7: No more than three high-risk issues; no more than four medium-risk issues.
Scale 8: No more than three high-risk issues; no more than six medium-risk issues.

Unsatisfactory
Scale 9: More than four high-risk issues; more than six medium-risk issues;
or no more than two high-risk issues and more than six medium-risk issues.
Scale 10: No more than four high-risk issues; no more than six medium-risk issues.

XYZ AUDIT RATINGS

ST Strong
The audited area meets or exceeds Company X standards in all critical respects. Level of internal controls is
functioning effectively and efficiently. Information systems and user operations are integrated and support the
business. Generally, no more than two “Low” observations were noted.

SA Satisfactory
The audited area meets the overall Company X standards. Generally, no more than two “Important” observations
may exist that are being promptly addressed by management. A few “Notable” observations may also exist.

N Needs Improvement
The audited area does not meet Company X standards overall. Generally, there is either at least one “High”
observation and/or at least three “Important” observations, which if uncorrected could expose Company X to an
unacceptable risk.

U Unsatisfactory
The audited area contains unacceptable gaps in the overall control structure and/or controls are not working as
intended. Generally, there are at least one “High” observation and/or five “Important” observations. The area
requires immediate attention with oversight by senior management.

Business Importance Codes

H High
Risk involves a substantial and direct exposure to loss of assets and/or misstatement of financial information
and/or loss of revenue and/or significant negative impact on operating effectiveness and/or the company’s
reputation. High likelihood and high impact may occur.

I Important
Risk involves an unacceptable and direct exposure to loss of assets and/or misstatement of financial information
and/or loss of revenue and/or negative impact on operating effectiveness and/or the company’s reputation.
Moderate likelihood and moderate to high impact or high likelihood and moderate impact may occur.

N Notable
Risk involves an important but indirect and limited level exposure to loss of assets and/or loss of revenue and/or
negative impact on operating effectiveness and/or the company’s reputation, which is outside of Company X’s
risk appetite. Low likelihood and moderate to high impact or moderate likelihood and moderate to low impact
may occur. This also includes low-impact/high-likelihood observations.

L Low
Generally, issues classified in this category are brought to management’s attention as an efficiency
improvement. Low likelihood and low to moderate impact or low to moderate likelihood and low impact may
occur.

Note: Each audit report observation is assigned a priority rating to establish its level of criticality. The
ratings are assigned collaboratively by internal audit and XYZ Company management responsible for the
process being audited.

Overall Classifications: COSO

F Financial Reporting Reliability of the financial reporting process

O Operational Operational effectiveness and efficiency

C Compliance Compliance with applicable laws and regulations

S Strategic High-level goals aligned with and supporting the mission of XYZ Company

INTERNAL CONTROL OPTION CRITERIA

Based on the results of the audit, the system of internal controls will be rated as “Strong,” “Satisfactory,”
“Unsatisfactory” or “Critical” based on the following criteria:

Strong
• Issues do not exist.

Satisfactory
• Issues are not likely to impair business operations or jeopardize financial integrity.

Unsatisfactory
• Significant issues exist.
• Corrections are required to avoid or contain exposure.
• Prompt action is required.

Critical
• Significant issues find/indicate processes/results are unreliable.
• Impact of weaknesses is likely widespread/compounding.
• Immediate attention is required.

Attributes of Control Environment

Strong
• Control processes/monitoring are effective.
• Low potential for undetected errors and omissions exists.
• Company policy and GAAP are adhered to.
• Financials/results are reliable; therefore, adjustments are not necessary.
• Regulatory compliance issues do not exist.
• Risk to the CBI image is nonexistent.
• Ethics issues do not exist.

Satisfactory
• Control processes/monitoring are effective for key cycles/functions.
• Major issues would likely be detected.
• Policy and GAAP compliance issues have no material impact on operations or financial statements.
• Financial adjustments, if any, are minor.
• Regulatory compliance issues, if any, are minor and isolated.
• Issues carry low-level (or no) risk to the CBI image.
• Ethics issues, if any, are minor and management takes timely, appropriate corrective actions.

Unsatisfactory
• Control processes/monitoring weaknesses exist/are not effective.
• Major issues may not be detected and corrected.
• Policy or GAAP noncompliance could (or does) have a material impact on operations/financials.
• Material financial adjustments may be required.
• Regulatory compliance issues may show signs of being systemic.
• Issues may carry potential for damage to the CBI image.
• Ethics issues are not appropriately addressed and/or management does not set the appropriate tone.

Critical
• Control monitoring is not in place or is extremely unreliable.
• Losses/undetected errors and omissions are likely.
• Policy or GAAP noncompliance issues are severe, pervasive and material to operations/financials.
• Financials/results are likely unreliable. Major problems exist.
• Compliance issues are significant and carry severe consequences (fines, sanctions, etc.).
• Issues may carry severe risk of damage to the CBI image.
• Ethics issues are not addressed appropriately and/or management does not set the appropriate tone.

AUDIT RATING EXAMPLE

Audit Ratings Are Assigned Based on the Following Definitions

Satisfactory
The audited area has effectively assessed its risks; implemented control processes; and complied with applicable
policies, procedures, and appropriate laws and regulations. We may have noted a few inconsistencies, but
compensating controls exist that sufficiently minimize the risk of loss.

Generally Satisfactory
The audited area has adequately assessed its risks and has implemented generally effective control processes.
We may have noted some weaknesses in controls, but they are not such that the audited area is significantly
exposed to the risk of loss. Such audited areas are in general compliance with applicable policies, procedures,
and appropriate laws and regulations.

Marginal
The audited area has control, policy, procedural, compliance and/or repeat findings that are sufficiently
important to warrant the attention of more senior levels of management. Any deterioration in the current
operating routine could lead to serious exposures and regulatory criticisms.

Unsatisfactory
The audited area has serious control, policy, procedural, compliance and/or repeat findings. Losses may not yet
be realized, but exposure to potentially serious loss may exist. Exposure may also exist to potentially serious
criticism by regulators. Such situations require urgent action and senior management involvement in
implementing corrective action.

Unrated
This rating is generally reserved for first-time audits, limited scope audits and special projects.

APPENDIX A: DEFINITION OF INTERNAL AUDIT RATINGS AND RANKINGS
Definition of Issue Rankings

Adequate
• There are no identified issues that have either a “Medium” or “High” ranking.
• There may be a limited number of issues with a “Low” ranking and/or other observations for potential
improvement.

Needs Improvement
• There are one or more identified issues with either a “Medium” or “High” ranking.
• A deficiency or combination of deficiencies impact the design and/or operating effectiveness of control for the
area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies impacts the company’s ability to provide reasonable assurance
over the effective design and/or operation of control, thus affecting the company’s risk exposure within the area
being reviewed.
• The deficiencies merit prompt attention and remediation by management to improve the overall design and/or
operating effectiveness of control for the area under review to meet required control objectives.

Inadequate
• There are one or more identified issues with either a “Medium” or “High” ranking.
• A deficiency or combination of deficiencies significantly impair the design and/or operating effectiveness of
control for the area under review to the extent that required control objectives may not be consistently achieved.
• The deficiency or combination of deficiencies significantly impacts the company’s ability to provide reasonable
assurance over the effective design and/or operation of control, thus affecting the company’s risk exposure
within the area being reviewed.
• The deficiencies merit immediate attention and remediation by management to improve the overall design
and/or operating effectiveness of control for the area under review to meet required control objectives.

High
• The issue is a control deficiency, which represents a significant gap in the design and/or operating effectiveness
of the control affecting the company’s ability to address relevant risks and to provide reasonable assurance
regarding the achievement of desired outcomes.
• The issue requires an immediate, comprehensive, corrective action plan with progress to be monitored by an
appropriate level of management.

Medium
• The issue is a control deficiency, which represents a gap in the design and/or operating effectiveness of the
control affecting the company’s ability to address relevant risks and provide reasonable assurance regarding the
achievement of desired outcomes.
• The issue requires prompt attention to ensure that internal controls are designed and/or operating effectively.

Low
• The issue represents an opportunity to improve control and processes to support the achievement of desired
outcomes.
• The issue should be addressed promptly, as time and resources permit.

Considerable professional judgment is required in applying the ratings defined and used in this report to
individual findings and recommendations, and in formulating an overall conclusion. Accordingly, others could rate
the findings or conclusion differently, and this should be borne in mind when considering this report.

APPENDIX B: RATING OF AUDIT FINDINGS

Each rating is described by its risk/impact categories, the need for action and responsible function, and the
reporting obligations.

Particularly Severe (A)
Risk/impact categories: Risks threatening the existence of the organization include:
• Fatal material losses
• Image loss/publicly effective impact (massive loss of customers)
• Violation of regulatory requirements (and possible revoking of the operating license)
Need for action and responsible function:
• Urgent remediation by the management board required; immediate involvement of the supervisory body
• Monitoring of timely remediation by internal audit (follow-up)
Reporting obligations: Refer to reporting obligations for Major (C) and Severe (B) findings, and:
• Immediate notification of the supervisory body by the management board

Severe (B)
Risk/impact categories: Critical risks for business continuity include:
• Very high material losses (losses are not detected timely)
• Image loss/publicly effective impact (adversely affects the image on the market)
• Violation of regulatory requirements (and possible criminal liability, etc.)
Need for action and responsible function:
• Immediate remediation by the management board required (immediate involvement of the supervisory body and
the supervisory authorities in case of severe findings against management board members).
• Monitoring of timely remediation by internal audit (follow-up).
Reporting obligations: Refer to reporting obligations for major findings (C) and:
• Immediate submission of the internal audit report to the management board
• Immediate notification of the chairman of the supervisory body and the supervisory authorities by the
management board in case of severe findings against management board members
• At least annual reporting from the management board to the supervisory body (highlighted findings, including
remedy measures taken and their implementation statuses)

Major (C)
Risk/impact categories: High risks for business continuity include:
• High material losses (if weaknesses are not remedied timely)
• Image loss (many internal and external parties are affected)
• Violation of regulatory requirements (and possible fines, etc.)
Need for action and responsible function:
• Remediation required; close supervision by the responsible member of the management board
• Monitoring of timely remediation by internal audit (follow-up)
Reporting obligations:
• Highlighted in the internal audit report
• Included in the (annual) overall internal audit report to the management board (including remedy measures
taken)
• Reported to the supervisory body by the management board at least annually, if not remedied
• If not remedied within an appropriate period, the responsible member of the management board must be
informed in writing (If the findings remain unresolved during the financial year, the management board must be
informed in writing in the next (annual) overall internal audit report, at the latest.)

Improvement Opportunity (D)
Risk/impact categories: Medium risks for business continuity include:
• Medium material losses
• Image loss (internal, some external parties are affected, if applicable)
• Noncompliance with/implementation of certain regulatory requirements
Need for action and responsible function:
• Implementation of certain improvement measures recommended
• Monitoring by the head of the audited organization unit (Immediate involvement of the management board is
not required.)
• Monitoring of timely remediation by internal audit (follow-up)
Reporting obligations:
• Included in the internal audit report
• Not included in the (annual) overall internal audit report

Comment (E)
Risk/impact categories:
• Low or no risks
• "Food for thought" for improvement/further development
Need for action and responsible function:
• Decision on the prioritization and implementation of measures remains in the audited organizational unit.
• Monitoring by the head of the audited organization unit (Involvement of the management board is not
required.)
• Not included in the follow-up by internal audit
Reporting obligations:
• Summarized in the internal audit report or a separate management summary/memo
• Not included in the (annual) overall internal audit report
