Why doesn’t audit provide an overall opinion?
It is now more than 10 years since the IIA published a new definition of internal auditing. They said that it served to provide assurance on the organization’s governance, risk management, and related controls.
But, especially in the US, the vast majority of internal audit departments don’t provide an overall opinion. They can’t use as an excuse that the IIA doesn’t provide guidance on how to do it, as a Practice Guide was issued last year (available on the IIA web site).
I don’t believe that giving executive management a multitude of audit reports and opinions on individual risks is sufficient. How do they aggregate them? How do they determine whether a deficiency in one report is important enough to warrant calling the whole deficient?
Its time for internal audit departments to step up, take a deep breath, and build their audit program so it can deliver an overall opinion – consistent with the Standards and definition of internal auditing.
Yet, there are even departments that don’t even provide an opinion or assessment in individual audits. They report the deficiencies, but not whether the risk is being managed. That has to change! This is the sort of behavior that has given internal audit a bad name in the past.
Even worse are those old-fashioned departments who report the deficiency and figure it is management’s responsibility to fix the problems. They neither make recommendations nor work with management to use their objective insight to identify the appropriate corrective actions. These internal auditors are not part of the solution, and its not surprising that many of the problems they identify are not corrected in an appropriate period of time.
Check out my related post at http://www.theiia.org/blogs/marks/.