If you ask auditors what they do, most will answer that they perform audits. They may vary on that theme by saying that they assess and test controls, add value, identify control weaknesses, or similar; but if they say or imply that their job is to perform audits, then they are mistaken.
Our job is not to perform audits. It is to provide assurance (first) and then (secondarily) assist the organization through consulting services that identify opportunities for improving operations.
That's not only my opinion, but what The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) tell us — and there is a tremendous difference between providing assurance and performing audits!
The Standards define an internal audit activity as:
A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization's operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.
This definition doesn't even mention audits! It talks about providing assurance and evaluating the effectiveness of management's processes.
Providing assurance means that we are not only assessing the adequacy of management's governance, risk management, and related internal control processes but sharing that assessment with our key stakeholders (generally the board/audit committee and executive management). It means that we are not only reporting whether there are any issues needing attention, but whether the processes we assessed are adequate.
Now, we are generally able to assess management's processes by performing audits. But audits are the means and not the end. In fact, we also provide assurance when we perform consulting projects such as reviews of new computer applications and systems. By assessing and providing advice (prior to implementation) so these new systems will have appropriate levels of security and adequate controls, we are ensuring that management's processes will be adequate. When we communicate that result, we are providing assurance.
Assurance is not achieved without communication to our stakeholders. In fact, I cannot see how we can communicate our assessment of management's processes if our audit reports do not contain an opinion to that effect! I do not believe that an audit report that informs stakeholders that there are seven control deficiencies, none of which is a high risk, is the same thing as clearly stating whether those processes are adequate to manage the business. Let's not make stakeholders guess. Say what you think!
Further, I do not see how we are providing assurance of "the effectiveness of governance, risk management, and control processes" if we do not provide a formal report to management to that effect periodically.
Some will argue that because we don't audit every risk area, and because our work is spread out over the year, auditors are not able to provide a formal assessment of management's processes. I disagree. All it takes is for the formal report to stakeholders to explain that the auditor's opinion is based on the audits and other activities performed during the period, and that not all risks were assessed — only those identified as being more significant and addressed in the audit plan. The opinion is subject to those limitations.
I admit that the Standards don't state that we have to provide a formal report on the adequacy of management's governance, risk management, and related internal control processes. But they should, and I believe in time they will. International governance standards, like King III in South Africa, already require formal assurance from internal auditing, so it is only a matter of time.
Anyway, how do you provide assurance if you don't provide an opinion?
Is your audit department performing audits, or providing assurance?