BOL Conferences
#1910000 - 03/31/14 04:15 PM Risk-Weighted Compliance Audit Findings
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
Does anyone risk-weight compliance audit findings for management such as High, Medium, Low? I don't mean grading the audit overall, but each exception that you find as a result of the review? I'm looking at incorporating such a process, but I'm having trouble determining what criteria to use to weight the risk.

#1910007 - 03/31/14 04:28 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,364
Galveston, TX
I found that if you do that, anything rated low will never be fixed.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1910009 - 03/31/14 04:30 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
We rate every exception as high, moderate or low.

#1910011 - 03/31/14 04:32 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
That's a concern that I have, too, RL. In trying to categorize exceptions as "High" or "Medium", I feel I'm hitting my head against a wall. The only thing I can consider is if I risk weight according to quantity of errors, or based on civil money penalties.

#1910012 - 03/31/14 04:33 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
leo_bsayer Offline
Platinum Poster
Joined: Aug 2006
Posts: 645
osucpa, did you have a program that assisted with that process, or did you manually determine how you would rate your exceptions?
#1910019 - 03/31/14 04:45 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
We do this manually. For instance, let's take a mortgage loan and a particular disclosure is missing from a loan file. We may rate this exception as either low or moderate. If we look at 10 loans and 8 of them are missing this disclosure, we could have a systemic issue and the exception would be rated high. It also helps the audit committee in identifying issues.

#1910020 - 03/31/14 04:45 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,364
Galveston, TX
If you are dealing with true violations of law or regulation, there is no such thing as low, medium, or high. That would be like telling your child, it's OK to steal a candy bar at the 7-11, but for god's sake don't rob a bank.

In my reports within the executive summary, I handle it just like the regulators. For those issues that have the most significant risks, I classify them as needing immediate management attention and leave it at that. You never see a regulator rate individual exceptions. Why should you internally?
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1910025 - 03/31/14 04:54 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
Leo, I think sometimes it can be only one error but still be a high risk...if it demonstrates that a control is missing/compromised.

I use high/medium/low, too. And Randy, above, is right.

Up until now, I have used my own judgment to decide where my findings landed, but no more. This year, I have been requested to quantify. Should be fun.

#1910026 - 03/31/14 04:55 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
That's the way we have chosen to identify exceptions and never had an issue with it. Examiners have reviewed every one of my reports and never made a comment about it.

#1910030 - 03/31/14 05:02 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,364
Galveston, TX
Examiners have reviewed every one of my reports and never made a comment about it.

Why would they? They only care about the identification of weaknesses in internal controls and their correction.

I have seen banks spend months and months of time, meetings, memos, etc., regarding the development of these types of individual audit finding ratings and then sat through hours of debate over whether or not this or that finding was rated appropriately. All it did was change the focus from fixing or developing an appropriate internal control into an argument about needless semantics.

If you want to assign overall audit ratings - great. Rating individual findings however is counterproductive in almost every instance.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1910032 - 03/31/14 05:05 PM Re: Risk-Weighted Compliance Audit Findings osucpa
Cornfed Turtle Offline
Diamond Poster
Joined: Mar 2006
Posts: 1,323
"...Somewhere in Middle Americ...
They commented on mine....and now I have to quantify! smile

I used my system like they use theirs, I thought .... a high risk is one that needs management's attention right now. A medium risk is one that management needs to fix soon. Go ahead, take a quarter.

But, it's the only thing I had to fix, so I'll do it and move on. Just hate getting locked into a certain number of errors, etc.

I don't rank the entire audit though, but I think "they" were wanting me to.

#1910036 - 03/31/14 05:14 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,406
Clearly, there is more than one way to rate an audit exception and an audit. You have to do what works best for you and your readers (audit committee).

#1910121 - 03/31/14 07:25 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
happyauditor Offline
Platinum Poster
happyauditor
Joined: Nov 2004
Posts: 812
NY
Regulators (mainly pushed by FRB with OCC "agreeing" since it was a joint exam of the internal audit department) recently are requiring us to risk rate all findings (not just compliance findings) individually on the audit reports. Prior to that they required us to risk rate them on our finding documentation in the workpapers and also on our issue tracking sheets for internal use and that go to the Audit Committee and Board. Every year they need to add some other "requirement" that is not a true "requirement".

We are approaching the methodology similar to osucpa and Cornfed Turtle's methodology. No hard measures/rules, our judgement comes into play. We take into consideration if it was an isolated incidence (would be rated low) or systemic issue (would be rated high), or something in between (would be rated moderate). We just started putting this in practice for 2014.

Next I anticipate the examiners questioning why we rated something moderate as compared to high. It never ends.
_________________________
* My opinion is not necessarily that of my employer.

#1910164 - 03/31/14 08:10 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 83,364
Galveston, TX
What a waste of time. You are correct. Give them time and they will make something else up.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#1910190 - 03/31/14 08:33 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
happyauditor Offline
Platinum Poster
happyauditor
Joined: Nov 2004
Posts: 812
NY
I agree 100% rlcarey!
_________________________
* My opinion is not necessarily that of my employer.

#1911148 - 04/03/14 02:10 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Amandak Offline
Member
Joined: Jul 2013
Posts: 80
Wisconsin
Here is how I risk rate findings in my audits. With each finding management needs to make a response. If it is a best practice they can choose to fix it or accept the risk. If they accept the risk then I do not write it up again until I feel the risk is too great to let it go unchanged.

Critical - A result will be rated as critical if it appears to be a singular or multiple occurrences of noncompliance with a significant provision of a rule, regulation, regulatory expectation, or internal policy. A result will also be rated critical if it is a situation that could lead to financial liability, customer service concern, regulatory concern, or significant loss of revenue or reputation.

Repeat - A result will be rated as repeat if it was noted in this report and was noted in prior reports or regulatory examinations.

Systemic - A result will be rated systemic to reflect multiple instances of noncompliance with noncritical laws, regulations, regulatory guidelines, regulatory expectations, internal policies and procedures, or system design issues. These do not reflect a significant risk of financial liability, customer service concern, regulatory concern or a significant loss of revenue or reputation.

Isolated or Technical - A result will be rated isolated to reflect limited instances of noncompliance with noncritical laws, regulations, regulatory guidelines, regulatory expectations, or internal policies and procedures. These do not reflect a significant risk of financial liability, customer service concern, regulatory concern, or a significant loss of revenue or reputation.

Best Practice - A result will be rated as best practice if it would be a prudent practice or is considered an industry best practice, would augment existing controls, or would enhance operations, security, productivity, or customer service.

#1912553 - 04/08/14 01:46 PM Re: Risk-Weighted Compliance Audit Findings leo_bsayer
Philly Fan Offline
Junior Member
Philly Fan
Joined: Nov 2011
Posts: 30
OHIO, USA
We risk rate all of our issues, as either priority 1, 2, or 3. We consider every true violation as a P1 and issues that could lead to violations as either P2 or P1 depending on the law and how it applies to us.
