This was the titled I pitched to the IIA in 2012 for an article discussing providing an opinion on the work we perform. Internal Auditors are assurance providers. We evaluate organizations on behalf of stakeholders. At some point, we should be able to tell them whether or not the organization is operating effectively and efficiently. After performing a few Quality Assurance Reviews, I was surprised at the number of audit departments that did not provide an overall opinion or rating on audit reports. That was the impetus behind the article. The IIA advocates providing opinions in audit reports. But there still seem to be many audit departments that do not.
Like most auditors, I’ve always used a red, yellow, green rating structure. At one organization, I remember receiving a complaint about providing an opinion and a dislike for the simple red, yellow or green. It was described as polarizing. This tickled me. My guess is it’s only polarizing if you see a sea of red in a report from an area that reports to you.
We’re Called Assurance Providers for a Reason
I thought this was odd. After all, we are assurance providers. Audit reports containing issues that do not provide context regarding the impact of individual issues or the total impact of on the area under review is pretty pointless. Let me give an example. I worked for one organization that received operational audits from a state agency. This agency provided no rating system for the individual nor the collective issues. When presenting the issues to the audit committee each year, the CFO would comment on the number of issues. One year there were 10 issues. The next there was one. This was viewed as a win.
The CFO was frustrated because it did not help him provide the audit committee with context surrounding the significance (or insignificance) of the issues. That seemed odd to me too. What if the one issue was a multi-million organizational risk. Surely at this point it is now more relevant than the 10 which involved generic comments surrounding updates needed to policy and procedure manuals. But this agency has its standard operating procedures.
I reached out to my fellow auditors and realized a standard simple dashboard is very customary and typically appreciated, especially by audit committee members who want information to be clear and concise. I actually received that exact comment from a past audit committee chair.
Anyway, here’s the article. My original title was rejected and we went with “Your Opinion Matters”. But I believe the premise and spirit presented still holds true to this day.
Do Rate Audit Issues or Reports?
Do you provide overall report ratings?
Do you rate individual issues in audit reports?
Either way, I’d love to hear your experience.
While you’re here, sign up to receive updates when you publish new content (Bottom right. Go ahead. Do it!)
Are you looking for good online internal audit training? You’re in luck. I have two resources for you.
- CRisk Academy offers world class online training. You might even see some courses from yours truly. If you visit Crisk, tell them we sent you.
- Also, we have online courses and books (you might find some free cpe 🙂 and apparel (shirts and stuff). Check out our online store.
If you need personalized training for your staff, good audit cosourcing/outsourcing partner, or a quality QAR, shoot me a message. Check out my book, Business Bullcrap – Craptacular Counterproductive Practices that Kill Cultures and Pummel Profits. It’s not about auditing, but rather bad business behaviors and their effect on the organization.