September 24, 2025

Talking Shop: Audit Ratings Balancing Guidelines and Gut Feeling


Editor’s note: NeuGroup’s online communities provide members a forum to pose questions and give answers. Talking Shop shares valuable insights from these exchanges, anonymously. Send us your responses: [email protected].

Context: Despite scads of standards and gobs of guidance offered by groups including the Institute of Internal Auditors (IIA), when it comes to internal audit practices, processes and procedures, one size does not fit all companies. One area where that’s the case is how audit reports—and/or the individual issues or findings in them—are ranked or rated. Those rankings may determine how urgently an issue is addressed and the attention it draws from senior executives.
  • The variety of approaches to such ratings is one takeaway from a recent exchange between auditors connecting on the members-only online community of NeuGroup for Internal Audit Executives, as well as follow-up communication between peer group leader Ted Howard and the member who reached out to peers.
  • According to the member, “The IIA does not require internal audit reports to include ratings such as numerical scores, color codes or adjectives like satisfactory or unsatisfactory. However, the practice is widely used because it allows chief audit executives (CAEs) to quickly communicate audit results to both senior management and audit committees.”
Member question: “If anyone would like to share the ranking guidelines for their operations audits, I’d be interested in how they compare to ours. We have three types of findings: audit comments, management comments and operational comments.” (The member said these categories essentially equate to bad, less bad and not terribly bad. They do not describe the nature of the issue, with many comments “having both a financial element and a compliance element.”)
  • “Audit comments involve higher risk to the company than management comments and are reported to the audit and finance committee (AFC). Operational comments express opportunities for improved effectiveness or efficiency and are not considered in the overall ranking of the audit report.
  • “Every audit report has one of four ranks:
    • “Rank 1: no audit comments and up to two management comments.
    • “Rank 2: up to two audit comments and/or up to five management comments (recently revised; formerly had no limit on number of management comments).
    • “Rank 3: three or more audit comments and/or six or more management comments.
    • “Rank 4: lack of necessary business controls and/or inappropriate management tone regarding internal controls. The VP of a business or function receiving a rank 4 audit must present their remediation plans to the AFC.”
Cause for the question. In his follow-up with Mr. Howard, the member explained what prompted his question and what he did after receiving answers from several peers:
  • “The main prompt for the question was an audit that had only one audit comment but eight management comments. Eight was the highest number anyone on my team remembered seeing; but per our former guidelines, the rating should have been a rank 2 (because there was only one audit comment). That did not feel right and we ultimately gave the report a rank 3.
  • “But this led us to wonder whether we should revise our guidelines. Which in turn led us to wonder whether we should even have guidelines or whether we should rate everything based on feel. Which then led us to wonder what other companies do.
  • “It does appear, based on this small sample size, that we had more of a formulaic approach to ratings than other companies. While the CAE has always had authority to overrule the guidelines, this was almost never done in actual practice.”

Balancing guidelines with gut. “Based on the feedback received (summarized in the table above), we did three things:
  1. “Revised our guidelines to say six or more management comments should be grounds for a rank 3 (as long as there’s at least one audit comment).
  2. “Strengthened the language in the guidelines to emphasize that guidelines are merely guidelines and that the CAE has the final authority to rate a report however they’d like.
  3. “Agreed amongst ourselves that we will not just blindly follow the guidelines, but instead have a longer and more thoughtful discussion on what each report should be rated and what the gut feel is of those involved.”
A peer’s perspective. One of the members who responded ended his answer with compelling food for thought: “The final report rating is based on the overall body of evidence and issues observed. While we follow general guidelines, it’s not a rigid, formula-driven approach. When applicable, reports also include a separate ‘Opportunities for Improvement’ section highlighting potential process enhancements.
  • “Personally, I’m not a strong advocate of rating reports, as it can trigger debates that distract from the real issues and observations. However, within my audit committee, there is a clear preference for an instant snapshot of where things stand with a given audit.”