Audit report classification

Report Classification

The internal audit identified one or more of the following:

Optimally Controlled

  • Well-structured design effectively achieves fit-for purpose control objectives

  • Controls consistently applied and operating at optimum level of effectiveness.

Managed

  • Sound design achieves control objectives.

  • No control design improvements identified.

  • Controls consistently applied.

  • Only minor instances of controls identified as not operating, which have mitigating back-up controls or the risk of loss is immaterial.

  • All previous significant audit action items have been closed.

Some Improvement Opportunity

  • Control design improvements identified, however, the risk of loss is immaterial.

  • Isolated or “one-off” significant controls identified as not operating for which sufficient mitigating back-up controls could not be identified.

  • Numerous instances of minor controls not operating for which sufficient mitigating back-up controls could not be identified.

  • Some previous significant audit action items have not been resolved on a timely basis.

Major Improvement Opportunity

  • Design is not optimum and may put control objectives at risk.

  • Control design improvements identified to ensure that risk of material loss is minimized and functional objectives are met.

  • A number of significant controls identified as not operating for which sufficient mitigating backup controls could not be identified which may put control objectives at risk.

  • Losses have occurred as a result of control environment deficiencies.

  • Little action taken on previous significant audit findings to resolve the item on a timely basis.

Unacceptable Risk Exposure

  • Control design leaves the opportunity for loss, error or abuse.

  • Significant control design improvements identified to ensure that the risk of material loss is minimized and functional objectives are met.

  • An unacceptable number of controls (including a selection of both significant and minor) identified as not operating for which sufficient mitigating back-up controls could not be identified creating the opportunity for loss, error or abuse.

  • Material losses have occurred as a result of control environment deficiencies.

  • Instances of fraud or significant contravention of corporate policy detected.

  • No action taken on previous significant audit findings to resolve the item on a timely basis.