INTERNAL AUDIT REPORT RATINGS
Internal audit reports are rated as follows. These ratings are documented in the quarterly progress report provided to Senior Leadership and the Board, and to the Board (in the form of color coding) in the status update presentations provided by the Chief Audit Executive.
- “Effective”: All internal control issues found were not material to the institution (“green”).
- “Needs Improvement”: Internal control issues of significant number/materiality (“yellow”).
- “Needs Improvement with Concerns”: Internal control issues of significant number or heightened materiality, requires focused attention by the process owner (“orange”).
- “Ineffective”: Immediate action required due to material, business risk (“red”).
In addition to the state of internal controls, factors influencing the rating include management’s intention to provide corrective actions to our recommendations. As is indicated in UToledo Policy 3364-40-20 “Policy for dissemination of an internal audit report”, management (i.e., the process owner) is responsible for providing responses to all recommendations made in an internal audit report within 10 business days of receipt. The following procedures will be followed and discussed with the process owner at the opening meeting:
- Internal audit will create an audit program after discussions with the process owner regarding areas of concern, risk, and any known fraud in the area.
- Internal audit will perform fieldwork.
- A closing meeting will be held with the process owner to discuss audit findings and the draft audit report.
- The draft audit report will be issued requesting written management responses. Management should indicate whether they agree with the recommendation or not, and if so, what they will do to implement it (whether what internal audit suggests or something else) and the timeframe for doing so. For reports considered “Effective”, management should know that they can still agree with the recommendation, but do nothing, if they intend to assume the risk. If they disagree with the recommendation (and the matter was not resolved in the closing meeting), they need to state why and document controls in place to mitigate the finding.
- The process owner will have 10 business days to provide these management responses (as stated in the policy).
- If the process owner has not responded within 10 business days, internal audit will follow up with the process owner and their senior leader, indicating that a response is past due and asking when we should expect it.
- If the process owner does not respond within 5 business days, internal audit will issue a final report without management responses.
If a final report has been issued without management responses and there are any aspects of the report not considered “Effective”, internal audit will indicate in the report that it is the responsibility of the senior leader and the President to resolve any findings identified.
When the draft report is presented to management, they will also be afforded an opportunity to correct any “errors of fact” documented in the report. Please note, however, that errors of fact do not include the report rating, which is the sole judgment of the Internal Audit team.
The final decision on the rating of an internal audit report rests with the Executive Director of Internal Audit (i.e., Chief Audit Executive), and cannot be delegated to others within or outside the department. Attempts by management to influence the final rating by appealing to members of the Chief Audit Executive’s administrative chain of command will be reported directly by the Chief Audit Executive to the Board.
Internal audits rated as “Needs Improvement”, “Needs Improvement with Concerns” or “Ineffective” will be subject to a full follow-up audit, shortly after the scheduled implementation date of the last management action plan in response to our recommendations. Those findings in internal audits that are rated as “Effective” will be assessed individually, shortly after each management action plan is scheduled for implementation.
All Internal Audit reports are authored by either the Chief Audit Executive or the Manager of Internal Audit and addressed to the executive of the area under review (i.e., VP or dean). The president, chief financial officer, and chief risk officer are automatically copied on all reports.
A project is considered “Completed” when the Chief Audit Executive is satisfied that all recommendations have been implemented, or management has agreed to accept the risk of the finding.
Reports emanating from special projects or other activities (i.e., compliance-based, or advisory/consulting project) where internal control attestation/testing is not an objective, will not receive a rating.