#2000432 - 03/07/15 12:21 PM Audit Ratings - Who Determines?
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2008
Posts: 222
We have no in-house audit staff and use an outside firm as our internal auditors. I am the audit liaison. The new internal audit firm does not have its own rating system to determine the overall rating for each audit; they rate the individual issues as high, medium, or low. They told me that I am responsible for determining the overall rating and cited the 2003 Interagency Guidance on internal audit function as support. They have asked for our rating system so they can use it to recommend a rating, and then I would agree or disagree with their recommended rating. Our former internal audit firms did not expect us to provide them with a rating system; instead, they explained theirs in each audit report. Naturally, if we disagreed with a rating, we could discuss it with them, but we have been under the impression that the assignment of a rating was ultimately up to the firm. Your thoughts?

#2000434 - 03/07/15 01:27 PM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
I think ratings are overrated. If the auditors are suggesting what the severity of the individual findings is and sufficient attention is placed on them in the executive summary, of what real value does an overall rating have on the required actions of management?

You have topical audits that many times cross many departmental lines. If you get an audit that is labeled unsatisfactory - who are you going to hold to the fire over it? You have to go back to the individual findings to do that anyway.

Most of my clients want to know the impact of the audit on the current risk rating process in that specific area/topic in order to adjust the future audit schedule if necessary. The areas of focus are Quantity of Risk, Quality of Risk Management, Aggregate Risk, and Direction of Risk. They could care less about someone slapping a "needs to improve" label on an audit. They already know that if they bother to read the report.

If you can't get your outside auditors to put forth recommendations in those areas for management considerations, then you probably should be looking to find a new outside source.

If rating the audits by the outside firm was that important, why in the world was this not discovered during your vendor due diligence process??
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2000437 - 03/07/15 02:02 PM Re: Audit Ratings - Who Determines? Sisyphus
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2008
Posts: 222
I agree with your comments about even having an overall rating. Regarding the question about the due diligence process, it was not questioned since, in our experience, our previous firms provided the rating and it appeared as a standard that all firms did...there was no reason to ask about it.

#2000442 - 03/07/15 03:09 PM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
Depends on your State, the type of firm you hired and the accountancy laws in your State. In some states, a firm cannot provide a rating, as that assumes attestation, and if the firm is not a licensed CPA firm you can't do attestation audits. Few firms engage in attestation audits when doing internal audit work in the first place.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2000619 - 03/09/15 08:04 PM Re: Audit Ratings - Who Determines? Sisyphus
happyauditor Offline
Platinum Poster
happyauditor
Joined: Nov 2004
Posts: 809
NY
I agree with you rlcarey regarding the "value" of a rating, but FYI, our regulator basically required us to give an overall rating of the audited area (such as requires improvement, satisfactory, etc.) on each audit report (as well as risk rate each individual issue). There was no arguing with them. They cite "best practice" for their argument as to why it is required.
_________________________
* My opinion is not necessarily that of my employer.

#2000659 - 03/09/15 09:14 PM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
OK, I can accept that, but I still feel that in that case it is a management issue and not an audit issue. Only management is in a position to properly weigh the ultimate risk the findings present to the organization as a whole and whether they feel that the audit represents a sat. or unsat. outcome.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2003204 - 03/22/15 03:17 PM Re: Audit Ratings - Who Determines? Sisyphus
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2008
Posts: 222
I'm still puzzled by this. So, as audit liaison (not an auditor), I should insert "my" rating into our audit firm's report!

#2003205 - 03/22/15 03:47 PM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
I would not place this burden on the "audit liaison". An audit liaison in most institutions is merely the person that is assigned by management to be the coordinator from the bank side of things to make sure that the auditors get everything they need, that they stay on scope, and things move along in a timely manner.

If the audit committee deems it necessary to assign an overall audit rating to each report, either from self desire or pressure from the regulators, then the audit committee should develop the framework for the assignment of such ratings.

For example, I will not provide a rating in one of my audit reports as I cannot do attestation work in Texas as I am not a CPA. However, if the bank provides me a copy of their rating system, I have no problem indicating in the report that based on the bank's audit rating system, the rating on this specific report appears to be XX.

However, it is still ultimately the audit committee's and management's responsibility to decide if they agree or not agree with that assessment.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2003215 - 03/23/15 12:19 PM Re: Audit Ratings - Who Determines? Sisyphus
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,400
I would not create a rating as the audit liaison. We have experienced this with our outside IT auditors. They normally do not assign an overall rating to their IT audit. We have requested they provide an overall rating to the audit.

#2003478 - 03/24/15 01:20 AM Re: Audit Ratings - Who Determines? rlcarey
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2008
Posts: 222
What if the bank does not provide a rating methodology to you? Does that mean there is no overall rating in the report?

#2003486 - 03/24/15 02:19 AM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
That pretty much sums it up. I'm not going to risk the accountancy board coming after me.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2003489 - 03/24/15 07:56 AM Re: Audit Ratings - Who Determines? Sisyphus
Sisyphus Offline
100 Club
Sisyphus
Joined: Jun 2008
Posts: 222
But our internal audit firm auditor or their managers who review the audit reports are CPAs, so why can't they issue the rating?

#2003494 - 03/24/15 12:27 PM Re: Audit Ratings - Who Determines? Sisyphus
osucpa Offline
Diamond Poster
Joined: May 2011
Posts: 1,400
CPAs have nothing to do with it. My experience is external firms do not want the "liability" of providing an audit rating. Executive management and particularly an Audit Committee like the audit rating, to use as a snapshot of the area being audited.

#2003506 - 03/24/15 01:18 PM Re: Audit Ratings - Who Determines? Sisyphus
rlcarey Offline
10K Club
rlcarey
Joined: Jul 2001
Posts: 79,279
Galveston, TX
Originally Posted By: Sisyphus
But our internal audit firm auditor or their managers who review the audit reports are CPAs, so why can't they issue the rating?


You are going to have to ask them, but it most likely has to do with whether or not in order to rate the report, they move themselves into the "attestation" environment with the associated liabilities from the environment of performing internal audit services at the direction of management. Hence, it is management's role to supply the rating system.

There is a specific reason that I have the following paragraph on my cover letter to the Audit Committee on all of my reports: "I am not a CPA licensed in the state of Texas and was not engaged to perform attestation services for this project or any other project. Further, the comments in this report are not to be construed as an expression of an attestation or legal opinion. The review procedures were performed under the direction of XXXXX Bank involving data or answers to inquiries as provided by the Bank. I did not execute any action that could be construed as making management decisions or performing management functions during this engagement. XXXX Bank is solely responsible for any accounting records, policies, procedures and internal controls used as part of this review."

I'm sure your reports have similar language. I have to do this in order to maintain my E&O insurance and keep out of trouble with the Texas Accountancy Board. Every State is also a little different and some accountancy boards are much more active than others.
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com


Moderator:  Andy_Z