RATING CRITERIA FOR COSO-BASED AUDI

RATING CRITERIA FOR COSO-BASED AUDITS
Control Component CRITERIA FOR UNSATISFACTORY RATING

Control Environment "Hard controls" are missing or inadequate.
There are verified instances of breakdowns of "soft controls."

Risk Assessment Management has not predefined relevant objectives.
Such objectives are incompatible with broader objectives.
Management has not identified relevant risks to achieving its objectives.
Management does not have a basis for determining which risks are most critical.
Management has not ensured mitigation of critical operating risks.
Audit tests detect key risks not previously contemplated by management.

Control Activities Key control activities are not functioning as intended.
Management’s risk mitigation strategy is not adequately reflected within control activities.

Information & Communication Key metrics are not identified, collected, and communicated.
Employees do not understand their control responsibilities, and this is pervasive.
Customer or supplier complaints and disputes are not resolved, or remedial action is not undertaken in a timely manner.

Monitoring Management has not established a means of determining the quality of the internal control system over time, either through independent evaluations or ongoing, structured, and independent process checks.

Overall The ratings of all components should be considered to determine whether controls provide reasonable assurance that management objectives will be achieved. A strength in the internal controls of one component may compensate for a control weakness in another.