When it comes to Internal Audit (IA), one long-standing debate continues to divide professionals: should audit findings and reports be rated or not? Historically, audit departments have relied on a rating system that assigns levels such as “high,” “medium,” and “low” to findings and gives the entire report an overall rating such as “Satisfactory,” “Needs Improvement,” or “Unsatisfactory.” While this method may have been effective when IA served as the “compliance police,” the evolving role of IA as a strategic partner to the organization urges us to find a fresh perspective.
In its traditional role, Internal Audit focused heavily on compliance, with ratings used to enforce accountability and highlight urgent risks. High-risk findings or report ratings acted as red flags for executives and board members, generating immediate responses. However, this practice often led to unintended consequences like defensiveness, blame-shifting, and discussions centered around negotiating ratings rather than addressing the root problems. The classic scenario was less about fixing the issue and more about determining whether it was truly “high-risk.”
Today, Internal Audit has matured into a function that adds significant value beyond compliance. It provides key insights into risk management and operational improvement, and even drives revenue growth. In this strategic partner role, the conventional rating system can backfire, creating adversarial dynamics that reduce cooperation. However, eliminating ratings completely might leave the organization without a clear roadmap for prioritization, especially when limited resources are available to address issues. So, what’s the solution?
The Case for a Hybrid Approach
Balance, as the old saying goes, is key. I believe a hybrid approach—one that involves rating individual findings but refraining from assigning an overall report rating—offers the best of both worlds. By maintaining ratings for individual findings, we help prioritize the most critical issues and ensure that important risks are addressed promptly. At the same time, avoiding an overall report rating prevents the focus from shifting away from the issue itself toward assigning blame or defending ratings.
This hybrid method not only mitigates defensiveness but also fosters more collaborative discussions. The goal is to keep the focus on solutions and risk mitigation, rather than on who is responsible or how severe the report’s rating is. As Internal Audit professionals, our mission is to provide nuanced insights and actionable recommendations that help organizations thrive—not to act as enforcers with a rigid grading system.
A Path Forward
Transitioning companies toward this more collaborative approach requires education and clear communication, starting with executives and audit committees. Here’s how we can guide this shift:
- Initial Awareness: Start by hosting briefing sessions that outline the drawbacks of traditional ratings and the benefits of the hybrid model. Use benchmarking examples from industry leaders who have successfully adopted this approach to show real-world improvements.
- Interactive Workshops: Engage stakeholders in workshops where they can experience how the hybrid model works. Use practical scenarios to show how shifting the focus from ratings to root-cause solutions improves outcomes.
- Customized Reporting: Develop reporting formats that highlight key risks and priorities without grading the entire audit. Visual tools like heat maps and dashboards can help prioritize issues while keeping the focus on solutions.
- Ongoing Communication: Establish regular feedback loops with executives and audit committees to continuously refine the process and ensure the approach aligns with organizational goals. Foster a culture of collaboration by regularly highlighting the strategic value IA brings.
By implementing these steps, organizations can gradually move away from a “scarlet letter” mentality and embrace a more cooperative, value-driven relationship with Internal Audit. This not only enhances issue resolution but also positions IA as a trusted partner in achieving long-term success.
Comparing the Approaches
To better understand the different reporting options, let’s look at a comparison of the traditional, modern, and hybrid models:
The Hybrid Approach in Action
The hybrid approach allows us to retain the best parts of traditional rating systems while evolving toward a more collaborative model. By prioritizing findings, we maintain clarity and focus on the most pressing risks. Meanwhile, removing the overall report rating reduces tension and keeps conversations centered on how to solve problems, not labels or grades.
In this way, we position Internal Audit as a strategic partner that provides not just risk assessments but actionable insights that drive continuous improvement.
What are your thoughts on this approach? I’d love to hear your experiences and perspectives in the comments below.