Let me start this post by reminding you that these views and commentary are my own and not necessarily consistent with those of the IIA and its leaders. (But, maybe with your comments and discussion we can be an influence on their thinking.)
The definition of internal auditing from the IIA is:
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Let’s focus on two points:
- It is an assurance and consulting activity.
- It should evaluate and improve the effectiveness of risk management, control, and governance processes.
I don’t think you can provide assurance by just telling people what is wrong.
Imagine you are considering buying a house and have engaged a home inspector. The report details several things that are not working, distinguishing those that must be fixed now and those that can wait (i.e., risk-rating them) — but fails to tell you whether the house is safe, structurally sound, etc. You can use the report to ensure corrective actions are taken, but it does not give you the assurance you need before you invest your savings and family. The report does not include an opinion from the home inspector.
An internal audit report that identifies things that are not working, even if they are “risk-rated,” puts the burden on the executive and board reader of the report to guess whether everything is safe and reliable. If we are to be seen as assurance professionals within our own organization, we need to step up and provide an opinion.
After all, if the board members and top executives are expected to sign the financial statements, including an audit committee report, assessments of disclosure and internal controls, and (in a growing number of geographies) assessments of risk management, why are we not expected and required to form and share our opinion on the effectiveness of governance, risk management, and internal controls? In a growing number of countries, that is now a formal requirement. However, my understanding is that the majority of internal audit departments do not provide their stakeholders with an opinion, only a list of the repairs that need to be made to the structure.
I started providing formal opinions on the overall adequacy of internal control 20 years ago. I suggested it to the audit committee and they embraced it as “helping them sleep through the night.” It provided the assurance they needed to be effective in their audit committee oversight responsibilities. As board members, they valued the assurance that instructions from the bridge of the ship would be based on reliable information and executed in the engine room and elsewhere as instructed.
Although management (especially the general counsel) was initially a little nervous about this leading-edge practice, they quickly saw the value and gave their full support to the practice.
I shared my experience as part of the team that developed the IIA’s Practice Guide (strongly recommended guidance) on Formulating and Expressing Internal Audit Opinions — which I recommend.
Today, I would seek a broader opinion than just internal control. My opinion would be along these lines:
Over the last period, and as discussed in routine audit committee meetings, we have completed a number of audit engagements (see attached) designed to address the more significant risks to the organization’s ability to achieve its objectives and create value.
In our opinion, based on the work performed, the systems of governance, risk management, and internal controls provide reasonable assurance that the more significant risks are managed within organizational tolerances.
What is your opinion? Care to share?