In FY2023, the Office of Internal Audit began to use audit ratings and issue ratings for workplan audits. Audit Rating Definitions are attributes used to identify the overall aggregate level of risk to audited area. Satisfactory is the highest Audit Rating that can be achieved. Note that a Needs Improvement Audit Rating is not negative. It indicates that overall conditions in the area audited are generally acceptable. An Unsatisfactory Rating is the lowest Audit Rating that an audited area can receive. Overall, how the management team responds with an action plan to improve processes is more important than the Audit Rating.
Audit Rating Definitions |
Audit Rating |
Definition |
Unsatisfactory |
Design - Design of controls is ineffective in addressing key risks
Documentation and communication - Non-existent documentation and/or communication of controls/policies/procedures
Operation/implementation - Controls are not in operation or have not yet been implemented
Compliance - Significant breaches of legislative requirements and/or departmental policies and guidelines
Risk management - Risks are not being managed
Issues/deficiencies - Most issues were rated as high and urgent corrective actions are necessary
|
Needs Improvement
|
Design - Design of controls only partially addresses key risks
Documentation and communication - Documentation and/or communication of controls/policies/procedures is incomplete, unclear, inconsistent, or outdated
Operation/implementation - Controls are not operating consistently and/or effectively or have not been implemented in full
Compliance - Breaches of legislative requirements and/or departmental policies and guidelines have occurred
Risk management - Risks are not effectively managed which could result in failure to ensure school objectives are met
Issues/deficiencies - Some high-rated and/or medium-rated issues were identified
|
Satisfactory
|
Design - Design of controls is largely adequate and effective in addressing key risks
Documentation and communication - Controls/policies/procedures have been formally documented and are up to date but are not proactively communicated to relevant stakeholders
Operation/implementation - Controls are largely operating in a satisfactory manner and are providing some level of assurance
Compliance - No known breaches of legislative requirements and/or departmental policies and guidelines have occurred
Risk management - Risks are largely effectively managed
Issues/deficiencies - No high-rated or medium-rated issues identified
|
Issue Rating Definitions
Issues will be rated high, medium, or low based on these factors:
- Level of financial impact.
- Extent of violation of external laws, regulations, and restrictions.
- Lack of documented policy, procedure, or noncompliance with a policy in an important matter.
- Lack of internal controls or ineffective controls and procedures.
- Fraud, theft, inappropriate conflicts of interest or serious waste of school system resources.
- Significant opportunity exists for real gains in processing efficiency.
- Poor cost controls or potential for significant savings and/or revenue generation.
- Condition places the school systems reputation at risk.
- Ineffective reporting and/or communication structure results in financial risks and/or inefficient operations.
- Post audit implementation review reveals little or no effort to implement an action plan in response to a previous audit finding.