Revisiting Audit Reports and Ratings Based on a Report by E&Y
E&Y has published a thought-provoking piece in their 5 Insights for Executives series. This one is titled Internal Audit: a 3-D look at risk.
The opening scenario painted by E&Y is a scary one, given where I thought we had been moving as a profession. It describes a situation where internal audit provides reports to the top executives and the Audit Committee that fail to give basic information on whether the controls tested were “passing or failing”, the level of risk to the organization, whether control failures were previously known to management, and whether management is working to fix them.
- Management’s assessment of both the inherent risk (and maximum potential exposure) and residual risk levels. If I had to choose one to report, it would be residual rather than inherent. My report would indicate whether I agreed with that assessment and, if not, why not (which is where I would describe deficiencies in the design or operation of the combination of controls). My residual risk level would be adjusted if any controls are not effective.
- A trend line, showing whether risk management is improving or not.
- Whether management will correct any deficiencies in a timely fashion. I have always followed a practice of acknowledging when management is already aware of an issue and working on it.
Posted on May 13, 2011 by Norman Marks