The IIA's International Standards for the Professional Practice of Internal Auditing and its definition of internal auditing require chief audit executives (CAEs) and their teams to provide assurance on governance, risk, and internal control processes. But surveys and studies have shown that:
Only about 50 percent of internal audit departments provide an overall opinion of internal controls for the area reviewed in their audit reports. Instead, they limit their reports to a discussion of the control weaknesses found. Some don't even rate those weaknesses (e.g., high/medium/low risk).
Very few CAEs provide a formal assessment of internal control to the board and executive management, even on an annual basis.
Even fewer provide an opinion on the effectiveness of risk management for the scope covered in individual audits.
Relatively speaking, only a few internal audit departments are auditing their organization's risk management processes — and they rarely do so at all when there is no formal risk management department — let alone providing an overall assessment of risk management for the entity.
While many departments are auditing some of the governance processes (e.g., employee certification of the code of conduct), it is rare that an audit team assesses the entire governance process and almost unheard of for it to provide an overall assessment of governance.
The definition of internal auditing was approved in 1999, so we are 10 years on and struggling as a profession to deliver on its requirements. Will we get there in 10 more years? Will we ever get to the point that the vast majority of audit departments are providing assurance on governance, risk, and internal control processes?