Audit Rating

We are prposing the following audit rating methdology for our clients. Do you have any other suggestions. Thanks

Proposal for risk rating methodology:

Good: An audit reveals no high risks and 0, 1 or maximum 2 medium risks

Satisfactory: An audit reveals no high risk and between 1 and 8 medium risks

Marginally satisfactory: An audit reveals 1 high risk and 0 to 10 medium risks or an audit reveals 0 high risks but more than 10 medium risk

Unsatisfactory: An audit reveals 2 to 5 high risks and between 0- 25 medium risks

Unacceptable: An audit reveals more than 5 high risks and between 0 to 25 medium risk issues or an audit reveals more than 3 high risk issues and more than 25 medium risk issues.

Define the difference in high and medium risks.

I think that I would somehow incorporate low risk findings in there as well. Defining a risk as simply "high" or "moderate" might not give you much wiggle room.

How would you define high, medium and low risks? Do you base it on monetary penalty? likeliness? reimbursable? reputation?

Good point dach. If you're going to use terms like those, you'd better have definitions.

We do define each of the terms in the audit reports...

We do define each of the terms in the audit reports...

Actually, I was curious how others define their risks? I am trying to set this up at my bank as well. I know that monetary penalties pay a big part but what other factors do most people use?

I use a risk matrix that I believe someone at BOL was kind enough to give me quite a while back:

HIGH - High risk of loss, high monetary exposure, regulatory concern, key controls not in place or not operating effectively, indicates a serious control weakness/deficiency requiring action

MEDIUM - Policy or compliance issue, moderate risk of loss or monetary exposure, key controls are partially in place or only somewhat effective, indicates a control concern which requires action to be taken

LOW - Minor documentation error or minor control issue, low risk of loss, key controls are in place but could be improved

You can then further define these based on criteria you want to use at your particular shop.