Report Classification The internal audit identified one or more of the following:

Optimally Controlled
  • Well-structured design effectively achieves fit-for purpose control objectives
  • Controls consistently applied and operating at optimum level of effectiveness.

Managed
  • Sound design achieves control objectives.
  • No control design improvements identified.
  • Controls consistently applied.
  • Only minor instances of controls identified as not operating, which have mitigating back-up controls or the risk of loss is immaterial.
  • All previous significant audit action items have been closed.

Some Improvement Opportunity
  • Control design improvements identified, however, the risk of loss is immaterial.
  • Isolated or “one-off” significant controls identified as not operating for which sufficient mitigating back-up controls could not be identified.
  • Numerous instances of minor controls not operating for which sufficient mitigating back-up controls could not be identified.
  • Some previous significant audit action items have not been resolved on a timely basis.

Major Improvement Opportunity
  • Design is not optimum and may put control objectives at risk.
  • Control design improvements identified to ensure that risk of material loss is minimized and functional objectives are met.
  • A number of significant controls identified as not operating for which sufficient mitigating backup controls could not be identified which may put control objectives at risk.
  • Losses have occurred as a result of control environment deficiencies.
  • Little action taken on previous significant audit findings to resolve the item on a timely basis.

Unacceptable Risk Exposure
  • Control design leaves the opportunity for loss, error or abuse.
  • Significant control design improvements identified to ensure that the risk of material loss is minimized and functional objectives are met.
  • An unacceptable number of controls (including a selection of both significant and minor) identified as not operating for which sufficient mitigating back-up controls could not be identified creating the opportunity for loss, error or abuse.
  • Material losses have occurred as a result of control environment deficiencies.
  • Instances of fraud or significant contravention of corporate policy detected.
  • No action taken on previous significant audit findings to resolve the item on a timely basis.

Audit report classification