Does your internal audit function really provide assurance?
Does the internal auditor say the same thing to the members of the board? The image of the board is different from that of a helpless young infant. The board is a collection of mature individuals with extensive life experiences. But they share with a young child a need for assurance, a need to know that they don’t need to worry because the controls are in place, adequately designed and operating effectively, to manage risks at the desired levels.
Board members are not involved in the day-to-day operations of the organization. Yet they have oversight responsibilities regarding the management of risks and the provision of internal controls. Internal Audit’s assurance services should be designed to tell them whether they need to worry about those processes and controls.
Imagine your child has been taken to the hospital after a car accident. When the doctor approaches you, which of these would you like to hear?
Option 1: “David is going to be all right. He just has some bumps and bruises.”
Option 2: “We examined David. He has some bumps and bruises that are not high risk.”
If the doctor told me that she had examined David and found some bumps and bruises that are not high risk, I think I would immediately ask her, “So David is going to be all right?” I would be worried until I heard that positive assurance.
When an internal audit report provides an opinion that spells out, clearly, that the controls over the risks covered by the audit are adequately designed and operating effectively (i.e., they manage the risk at acceptable levels), that is positive assurance that has high value to the board and to management stakeholders.
But when the audit report only provides a list of control weaknesses, even if the significance of those weaknesses is rated, that is called negative assurance. Because the report does not say so, the board is left to assume that “everything is going to be all right with these risks.”
Some internal auditors are reluctant to provide a formal written opinion, whether at the end of each audit for the scope of that audit, or at the end of the year for the overall system of controls over the risks that matter. There is more personal risk to the auditor when he or she provides a formal written opinion. That is true. But is it better to make the board and top management assume that, because you only found certain control weaknesses, overall everything is OK and they don’t need to worry? Is it acceptable to make the board evaluate all the reported control weaknesses to see whether they add up to a conclusion that the risks are not effectively managed? Shouldn’t that be our job?
If you were on the board or in top management and asked the auditor about the results of their audit of an important area, would you be satisfied with a list of their findings? Or would you insist on their professional opinion of the adequacy of the controls in managing the risks?
Why should the board be satisfied with “our audit found these weaknesses” when they could be told “we found these weaknesses, but you don’t have to worry because overall the controls are adequate”?