Audit Projects without Opinions are Pointless

photo credit Flickr – billsoPHOTO

I am Still amazed by the number of audit functions that produce audit Reports without providing opinions about the control environment.  After all, Internal Auditing is an objective assurance function. There is no way one can provide assurance without a formal Concluding opinion.

December 2012. I had the privilege of authoring an article for the IIA magazine titled “‘Your Opinion Matters”.  It is presented below in its entirety with permission from the I IA.

The power of opinions has forever changed the way we purchase goods, acquire services, and make critical decisions.  Nowadays, we express our opinions by “liking” on Facebook, “tweeting” on Twitter, “endorsing” or “recommending” on Linkedin, or simply commenting on websites.  Likewise, expressing opinions has always been a critical part of internal auditing.  The definition of internal auditing states that “it helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.  Yet so many auditors refuse to provide opinions regarding the control structure of areas evaluated.  Stakeholders are increasingly asking audit functions opine on individual engagements, as well as on the adequacy of governance, risk management and controls enterprise wide.  A failure to do so not only constitutes a disservice to the organization but also violates the spirit of the definition of internal auditing.

IIA standards contain ample support of the notion of providing audit opinions.  Standard 2410: Criteria for Communicating, for example, states that, where appropriate, engagement results “must contain the internal auditors’ opinion and/or conclusions.”  Moreover, The IIA’s Practice Guide, Formulating and Expressing Internal Audit Opinions, suggests that positive assurance opinions – those in which auditors take a “definite position” – are among “the strongest types of audit opinions.”  It is every audit function responsibility to provide stakeholders with the strongest level of assurance.

Even if professional guidance on the topic did not exist, issuing an internal audit opinion would still constitute sensible practice.  Imagine reading a review of a new high-definition TV in which the reviewer describes some positive features and some “exceptions,” without denoting the significance of those exceptions.  Now imagine the reviewer also never says whether the television is a “good buy.”  Most readers would find such a review unhelpful.  Similarly, an audit report without an opinion does not provide stakeholders the information they need to determine if organizational risks are managed effectively.

Why do some audit functions refuse to provide adequate conclusions about the areas they audit, despite the benefits?  Most likely, it is due to at least one of three reasons: Fear of having to vigorously explain and defend conclusions, lack of a structured rating methodology, and inability to classify issues according to severity and significance to the organization.  And while each of these may present legitimate challenges, they can be overcome by supporting conclusions sufficiently, collaborating with clients to develop a rating methodology, communicating that methodology effectively, and making sure it is applied consistently.

Internal auditors should not make their stakeholders guess about the strength of the organization’s control environment.  Instead, they should provide opinion-based audit reporting that clearly addresses the adequacy of risk mitigation strategies.

 

Appearing originally in the December 2012 issue of the Internal Auditor Magazine.

Reprinted with permission from the Institute of Internal Auditors

[fusion_builder_container hundred_percent=”yes” overflow=”visible”][fusion_builder_row][fusion_builder_column type=”1_1″ background_position=”left top” background_color=”” border_size=”” border_color=”” border_style=”solid” spacing=”yes” background_image=”” background_repeat=”no-repeat” padding=”” margin_top=”0px” margin_bottom=”0px” class=”” id=”” animation_type=”” animation_speed=”0.3″ animation_direction=”left” hide_on_mobile=”no” center_content=”no” min_height=”none”]

Do you provide overall ratings or opinions in audit reports?

View Results

Loading ... Loading ...
[/fusion_builder_column][/fusion_builder_row][/fusion_builder_container]

Robert Berry (77)

Robert (That Audit Guy) Berry is a risk, compliance and auditing advocate, educator and innovator. He helps good professionals become better by creating articles, web services and training that allow them to expand their knowledge network.

Share this post

Newsletter signup

Want the latest tips, strategies, and insights for auditors?
Subscribe to our newsletter and never miss an update

Subscribe to our newsletter

Mission Statement: Empowering auditors with the tools, skills, and confidence to excel in their careers and serve their clients better.

Scroll to Top