Risk Rating Audit Findings
Framework for assessing and rating the severity of audit findings
2025-12-20
Risk rating of audit findings helps prioritize management attention and resources toward the most significant issues requiring immediate remediation.
📊 Common Rating Scales
- Critical/High/Medium/Low: Four-tier approach
- Severity 1-5: Numerical scale for granularity
- Red/Yellow/Green: Visual traffic light system
⚖️ Risk Rating Factors
- Likelihood: Probability of occurrence or exploitation
- Impact: Financial, operational, or reputational consequences
- Velocity: Speed at which risk could materialize
- Detectability: Ease of discovering the issue
- Pervasiveness: Scope across organization
📋 Rating Definitions Example
- Critical: Immediate threat; requires urgent executive action
- High: Significant risk; prompt remediation needed
- Medium: Moderate risk; address within reasonable timeframe
- Low: Minor issue; opportunistic improvement
💡 Best Practice
Maintain consistency in rating methodology across audits. Document your rating criteria and calibrate ratings with management to ensure shared understanding of severity.