DETAIL OF AUDIT FINDINGS

Risk ratings are based on the use of professional judgment to assess the extent to which deficiencies could have an adverse effect on the performance of systems and controls within a process.  The levels of assessed risk range from low to high.  The definitions below provide for classifying audit findings by risk levels based upon varying levels of deficiency seriousness.  

Low: A finding that represents a minor control weakness with a minimal but reportable adverse impact on the ability to achieve process objectives.  Requires management attention; requires action commensurate with process objective(s).

Moderate: A finding that represents a significant control weakness, which could cause or is causing moderately adverse effects on the ability of the process to meet its objective(s).  Requires substantial management intervention and may require possible external assistance; requires prompt action.

High: A finding that represents a material weakness, which could cause or is causing major disruptions of the process or major adverse effects on the ability of the process to achieve its strategic or operational objectives.  Requires significant senior management intervention and may require significant mobilization of resources, to include external assistance; requires prompt to immediate action.

Audit recommendations are not directives, but proposals meant to address and correct the basic cause of deficiencies highlighted by audit findings.  Management ultimately decides if and how to address and correct audit findings.  Operational observations include recommendations that do not result from an internal control deficiency within the scope of the audit, but reflect suggestions for improved efficiency or goals for better practices.  Operational observations are provided in the Management Letter by the internal auditor, and not included within the Audit Report.

NOTE: The risk levels above were modified from the Napier City Council’s Audit & Risk Committee.