Home > Risk > Why doesn’t audit provide an overall opinion?

Why doesn’t audit provide an overall opinion?

January 22, 2010 Leave a comment Go to comments

It is now more than 10 years since the IIA published a new definition of internal auditing. They said that it served to provide assurance on the organization’s governance, risk management, and related controls.

But, especially in the US, the vast majority of internal audit departments don’t provide an overall opinion. They can’t use as an excuse that the IIA doesn’t provide guidance on how to do it, as a Practice Guide was issued last year (available on the IIA web site).

I don’t believe that giving executive management a multitude of audit reports and opinions on individual risks is sufficient. How do they aggregate them? How do they determine whether a deficiency in one report is important enough to warrant calling the whole deficient?

Its time for internal audit departments to step up, take a deep breath, and build their audit program so it can deliver an overall opinion – consistent with the Standards and definition of internal auditing.

Yet, there are even departments that don’t even provide an opinion or assessment in individual audits. They report the deficiencies, but not whether the risk is being managed. That has to change! This is the sort of behavior that has given internal audit a bad name in the past.

Even worse are those old-fashioned departments who report the deficiency and figure it is management’s responsibility to fix the problems. They neither make recommendations nor work with management to use their objective insight to identify the appropriate corrective actions. These internal auditors are not part of the solution, and its not surprising that many of the problems they identify are not corrected in an appropriate period of time.

Check out my related post at http://www.theiia.org/blogs/marks/.

  1. January 25, 2010 at 8:30 AM

    Norman – Great point made in “Why doesn’t audit provide an overall opinion?” I have not always held this belief, but I now agree that IA should step up and do more in providing overall opinions on governance, risk management, and controls, and I feel opinions after specific audits are absolutely necessary. IA has a unique seat within the organization and most CAEs, working with their teams, have a good grasp of the key risks and issues in an organization. This information is invaluable to an Audit Committee.

    Although some may argue that IA should not make an opinion on an organization’s overall governance, risks, and controls if it has not audited everything, the results of work done over time using a good risk-based audit plan should sure provide some excellent information and insight. In addition, and in my case, I was also on the Compliance Committee as a CAE and gained even more insight through those quarterly meetings.

    I still believe CAEs should clearly state to the Audit Committee (and management) what the department did and did not examine over the course of a year, or quarter, etc., and on what information any opinion was based. However, I believe the CAE’s unique position in, and visibility of, an organization can help management and the Audit Committee identify and prevent some of the systemic failures we have seen over the past few years. I believe providing written opinions to the Audit Committee can help facilitate this communication. Failure to do this limits the value IA can bring to an organization.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: