Audit report classification
| Report Classification | The internal audit identified one or more of the following: |
|---|---|
| Optimally Controlled | ● Well-structured design effectively achieves fit-for purpose control objectives ● Controls consistently applied and operating at optimum level of effectiveness. |
| Managed | ● Sound design achieves control objectives. ● No control design improvements identified. ● Controls consistently applied. ● Only minor instances of controls identified as not operating, which have mitigating back-up controls or the risk of loss is immaterial. ● All previous significant audit action items have been closed. |
| Some Improvement Opportunity | ● Control design improvements identified, however, the risk of loss is immaterial. ● Isolated or “one-off” significant controls identified as not operating for which sufficient mitigating back-up controls could not be identified. ● Numerous instances of minor controls not operating for which sufficient mitigating back-up controls could not be identified. ● Some previous significant audit action items have not been resolved on a timely basis. |
| M ajor Improvement Opportunity | ● Design is not optimum and may put control objectives at risk. ● Control design improvements identified to ensure that risk of material loss is minimized and functional objectives are met. ● A number of significant controls identified as not operating for which sufficient mitigating backup controls could not be identified which may put control objectives at risk. ● Losses have occurred as a result of control environment deficiencies. ● Little action taken on previous significant audit findings to resolve the item on a timely basis. |
| U nacceptable Risk Exposure | ● Control design leaves the opportunity for loss, error or abuse. ● Significant control design improvements identified to ensure that the risk of material loss is minimized and functional objectives are met. ● An unacceptable number of controls (including a selection of both significant and minor) identified as not operating for which sufficient mitigating back-up controls could not be identified creating the opportunity for loss, error or abuse. ● Material losses have occurred as a result of control environment deficiencies. ● Instances of fraud or significant contravention of corporate policy detected. ● No action taken on previous significant audit findings to resolve the item on a |