We’ve taken a completely different approach.
Our audits are fixed frequency. Our testing procedures are uniform. But each test we perform (132 of them) generates a risk rating from 1 to 10. These are categorized using the five COSO categories of Compliance, Financial Condition, Financial Reporting, Operational Efficiency and Strategic Management. Composite risk ratings are totaled in each of these categories, and then an overall composite risk score is assembled for the unit as a whole.
Risks identified are then triaged – the items appear in the report from high risk to low. This tells management what they need to work on first, as it is the most critical.
Senior management, in addition to getting the individual audit reports, also gets a composite report with a financial summary and risk numbers for each location on a monthly basis, summarized by mid-level management divisions (generally 1-3 states).