What are audit ratings

At the end of each audit, we issue an audit report. The report contains our unbiased assessment of the effectiveness of your unit’s processes. It includes an overall audit rating, audit findings (if any), and a list of recommended improvements. 

Audit findings

As a first step, we evaluate processes and report on those that bear a medium risk or high risk.

Medium risk indicates:

 

  • There are weaknesses in the process that present risk exposure to the unit under review.
  • The significance of these weaknesses makes it important to correct them.
  • Senior management attention is recommended, and operating management action is required.

 

High risk indicates:

 

  • There are weaknesses in the process that present risk exposure to the unit under review.
  • The significance of these weaknesses makes it imperative to correct them.
  • Senior management attention is required.

 

We also discuss less significant or low-risk issues with process area administrative leadership and these discussions are noted in our report. Details of these issues aren’t included in the report.

Audit ratings

Based on the aggregate level of risk, we issue an overall audit rating. Audit ratings indicate if your unit’s processes are effective, need to be better, or aren’t effective. 
There are three ratings:

  • Satisfactory: The processes are generally effective in mitigating risks.
  • Needs improvement: The processes are only partially effective in mitigating risks.
  • Unsatisfactory; The processes don’t mitigate risks and are seriously flawed in design or operation. 

Keep in mind that “needs improvement” is not a negative audit rating! The MIT Corporation Risk and Audit Committee and senior leaders understand that many audit ratings fall into this category. How your management team responds with an action plan to improve processes is more important than the rating. 

Who sees the audit report?

Key stakeholders who receive all of our reports include:

  • Assistant Provost, Office of the Provost
  • Vice President for Finance, Office of the Vice President for Finance
  • Vice President and General Counsel, Office of the General Counsel
  • Manager of Institutional Risk Services, Risk Management and Compliance Services
  • In addition, other stakeholders within senior administration receive the report based on the focus of the audit (e.g. Chancellor if students are involved or Vice President for Research if it is about research).

Learn more about how audits work