Audit Projects without Opinions are Pointless

photo credit Flickr – billsoPHOTO

I am still amazed by the number of audit functions that produce audit reports without providing opinions about the control environment.  After all, internal auditing is an objective assurance function. There is no way one can provide assurance without a formal concluding opinion.

In December 2012, I had the privilege of authoring an article for the IIA magazine titled “Your Opinion Matters”.  It is presented below in its entirety with permission from the IIA.

The power of opinions has forever changed the way we purchase goods, acquire services, and make critical decisions.  Nowadays, we express our opinions by “liking” on Facebook, “tweeting” on Twitter, “endorsing” or “recommending” on LinkedIn, or simply commenting on websites.  Likewise, expressing opinions has always been a critical part of internal auditing.  The definition of internal auditing states that “it helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes”.  Yet so many auditors refuse to provide opinions regarding the control structure of areas evaluated.  Stakeholders are increasingly asking audit functions to opine on individual engagements, as well as on the adequacy of governance, risk management and controls enterprise-wide.  A failure to do so not only constitutes a disservice to the organization but also violates the spirit of the definition of internal auditing.

IIA standards contain ample support for the notion of providing audit opinions.  Standard 2410: Criteria for Communicating, for example, states that, where appropriate, engagement results “must contain the internal auditors’ opinion and/or conclusions.”  Moreover, The IIA’s Practice Guide, Formulating and Expressing Internal Audit Opinions, suggests that positive assurance opinions – those in which auditors take a “definite position” – are among “the strongest types of audit opinions.”  It is every audit function’s responsibility to provide stakeholders with the strongest level of assurance.

Even if professional guidance on the topic did not exist, issuing an internal audit opinion would still constitute sensible practice.  Imagine reading a review of a new high-definition TV in which the reviewer describes some positive features and some “exceptions,” without denoting the significance of those exceptions.  Now imagine the reviewer also never says whether the television is a “good buy.”  Most readers would find such a review unhelpful.  Similarly, an audit report without an opinion does not provide stakeholders the information they need to determine if organizational risks are managed effectively.

Why do some audit functions refuse to provide adequate conclusions about the areas they audit, despite the benefits?  Most likely, it is due to at least one of three reasons: fear of having to vigorously explain and defend conclusions, lack of a structured rating methodology, and inability to classify issues according to severity and significance to the organization.  And while each of these may present legitimate challenges, they can be overcome by supporting conclusions sufficiently, collaborating with clients to develop a rating methodology, communicating that methodology effectively, and making sure it is applied consistently.

Internal auditors should not make their stakeholders guess about the strength of the organization’s control environment.  Instead, they should provide opinion-based audit reporting that clearly addresses the adequacy of risk mitigation strategies.

 

Appearing originally in the December 2012 issue of the Internal Auditor Magazine.

Reprinted with permission from the Institute of Internal Auditors


Robert Berry (108)

Robert (That Audit Guy) Berry is a risk, compliance and auditing advocate, educator and innovator. He helps good professionals become better by creating articles, web services and training that allow them to expand their knowledge network.

3 thoughts on “Audit Projects without Opinions are Pointless”

  1. We used to have a long form audit report wherein statutory auditors used to give their opinion on various matters. A somewhat SWOT-like report. Nowadays it's not given importance.

  2. I agree, but why limit this to opinions on controls? In fact, you may argue that an opinion on controls is not very helpful especially when they come with the disclaimer language that we see in SOX. If I am sitting on an Executive Committee or on an Audit Committee, or even if I am just a governance owner of an area of business, I would much rather have an opinion that starts with “in my professional opinion, XYZ is in all material respects in compliance with the Export Control laws and regulations of the US for the period from A to B.” Now, how does that compare with reading that I scored “4” or was “satisfactory”? The unfortunate fact is that too few auditors are willing to consider this approach because they are afraid that they may give a wrong opinion. Then why are we in the opinion business, I ask? If you are willing to consider this, there is a model based in professional standards that can be used. I used it at Siemens. And, when you bring this to your Executive Committee, it gets real attention because you are no longer dealing in auditorspeak using scales and ranges that each auditor constructs differently. Time for a re-think, I believe.

    1. Standard 2410.A1 distinguishes between an opinion and conclusion, but you use both these words interchangeably. Are they the same or different? If different, could you please distinguish one from the other?
