I disagree with Richard Chambers on Opinions and Ratings

It is not often that I disagree with my friend, Richard, but on this occasion I have very different views.

He has shared the results of a recent survey and then his opinion on opinions in a post for his new company, Auditboard. In How do we rate? Assigning Ratings and Opinions on the Basis of Audit Results, he says:

As internal auditors strive to serve the needs of various business stakeholders as well as management and the board, we must always be cognizant of how we communicate our findings. A key part of this is providing information that stakeholders need in a manner that is clear and accurate. What I’ve observed over the course of more than two decades is that management and audit committees are typically appreciative of audit results that have been synthesized in an easy-to-digest manner. More often than not, any mechanism that can help to focus their attention, as well as any predetermined indicator of what is urgent, is greatly welcomed by executive readers.

In this, he is absolutely right. I especially like the point about “providing information that stakeholders need” rather than what we want to say. He doesn’t mention the need for the communication to be concise and timely, which I am sure he believes.

He summarizes the survey results:

  • A recent AuditBoard survey of 175+ CAEs found that audit ratings continue to be a widespread practice among internal auditors, although methodology and frequency range widely among different audit departments and companies.
  • Our CAE survey found 63% of audit departments assign overall ratings for each audit report. In addition, nearly 63% of respondents also rate individual findings in their audit reports.
  • Our survey found a range of rating schemes that differed from department to department. The most common method — preferred by nearly 70% of respondents — is using adjectives (Satisfactory, Needs Improvement, Unsatisfactory) to summarize an audit report. A less popular method is a numerical rating scheme, with about 14% of respondents indicating they prefer this method. Considering auditors are typically criteria-focused, I expected more to prefer numerical ratings to adjectival ratings. Perhaps this is one of the factors that contributes to friction or tension between internal audit and operating management when ratings are assigned.
  • Another popular method used to distinguish audit reports is color-coding (e.g. red, amber, or green): almost half (47%) of respondents employ this rating scheme both in findings and in the title of report summaries. In particular, assigning color codes to risks observed, based on findings — e.g. a lack of adequate controls, heightened risk areas, controls that may leave the organization vulnerable — can be useful for directing a reader’s eyes to urgent areas requiring attention.
  • Our survey also found that nearly 70% of respondents also assign overall opinions on internal controls periodically to management and the board.

All of this is factual with only a little of Richard’s opinions injected.

But then he says this:

  • While there are benefits to doing so, I believe that assigning opinions creates potential risk for internal auditors. Whereas external auditors offer opinions based on a specific set of standards, there is sparse guidance for internal auditors regarding issuing opinions. This is why internal auditors must exercise caution whenever assigning opinions.
  • An example of safeguarding your opinion by providing negative assurance is wording such as: “Based on the work we conducted… nothing came to our attention that would indicate the organization is not well-controlled.”
  • As audit is a profession that heavily relies on its relationships with all of its stakeholders, audit leaders must be as diplomatic and conscientious as possible when assigning ratings — being mindful of preserving relationships for the future in the process of providing assurance.

Richard is a smart guy with many years of experience.

However, my many years of experience take me down a very different path.

The clue to Richard’s position (IMHO) is in this phrase that he uses: “friction or tension between internal audit and operating management”.

Here is a summary of my position:

  1. If, as Richard has eloquently advocated over the years, internal audit is a profession, then we must act as professionals.
  2. Professionals are entitled to an opinion. That opinion can be borne of experience rather than objective facts. For example, in one audit where there had been serious accounting errors, my opinion was that the root cause was a failure of management. The manager of the accounting function didn’t trust his people, was ineffective as a manager and leader, and his treatment of them was not only demoralizing but had led to past errors and, unless changed, would lead to future errors. Was there objective “proof” of this? No. But when I shared my opinion with the CEO he agreed and appropriate actions were taken.
  3. As professionals, we are entitled to and must use our professional judgment. Contrary to what Richard says about the external auditors relying on a “specific set of standards”, they exercise a great deal of judgment. So do we, and so should we.
  4. Every conclusion on the adequacy of a control and how well it manages risk is an opinion where we use professional judgment. Even the sample size in testing is a judgment call.
  5. Management and the board are entitled to seek and obtain the opinion of the professionals they employ. Wimping out with negative assurance is failing to provide all the value our leaders and the organization deserve.
  6. The formal audit report is the last communication with management and the board, not the first. It should contain no surprises. “Friction or tension between internal audit and operating management” are best avoided by having an open two-way, constructive discussion with management at each level before the report is issued. In fact, discussions about the “findings” should be held with responsible management as soon as possible – not just to agree on facts and assessment, but so that management can take corrective actions promptly. The overall audit opinion should also be discussed. By that, I do not mean that internal audit tells management what the opinion or rating is. I mean that internal audit works with management to agree on the facts, assessment, and corrective actions (if any); they also agree on how this will be communicated to more senior management and the board. If absolutely necessary, internal audit has the final say. But that should only be after seeking to find words that are fair and balanced.
  7. Any and all communications need to be fair and balanced. Our goal is not to catch management out – and that is what a report that only lists findings does – but to provide management with assurance that they can rely on their organization, systems, processes, and controls to work as needed.
  8. We must tell them what they need to know, when they need to know, so they can act as needed.
  9. Reports should not have “findings and recommendations” with management providing a response. That indicates a failure to communicate! They should have agreed assessments and action plans. Wherever possible, give management credit when they have already started or even finished work on the action items. Consider dropping issues if they have been fixed and top management and the board simply don’t need to know about them. Go even further and give credit for high performing teams and staff. I have named names, with the CEO making a personal call to junior staff to congratulate them.
  10. Negative assurance is not assurance. If you take your ailing child to the doctor and they report that they have run several tests and have not found any serious issues, is that assurance? Is that of much use at all? If you take your car to your mechanic before a long trip and they report that they have not found any issues, is that something that will give you confidence to get on a busy freeway and drive at 75mph?
  11. Don’t hide the elephant in the room. Be brave and point it out. Don’t let your concern, your fear of “friction or tension between internal audit and operating management” prevent you from doing the right thing. If controls are poor because there aren’t sufficient people to do the work, or the people don’t have the experience or ability to perform controls, you need to say so. But do it quietly, in person (Zoom is fine) and find a way to avoid HR issues with anything in writing. In the situation with the accounting manager, I glossed over it with careful words in the report but had more open discussions with the audit committee.
  12. Where possible, remember that the primary goal when there are issues is to get them fixed. The goal is not to rack up points with your audit reports. In audit committee meetings, I presented serious issues jointly with responsible senior management. That way, the board can see the issue is being handled and we are working effectively with management. The “friction” is minimal.
  13. I hate ratings. What do they mean? Would you appreciate a report that your child brings back from school that says he or she is “satisfactory”? What does “high risk” mean? High risk to what? What does it mean to the business? Do I need to change my strategy? English is a very rich language, so why not use it to explain how the results of the audit might affect the achievement of objectives?

I close with some IIA guidance that I recommend. It was written when many people opposed providing an opinion because they were afraid of being wrong. Times have changed.

It’s a Practice Guide, which is recommended guidance: Formulating and Expressing Internal Audit Opinions. (Full disclosure: I was on the IIA team that developed the guidance.)

I welcome your thoughts.

  1. John Fraser
    October 5, 2021 at 3:13 PM

    I totally agree with you and find it rather disappointing that under his leadership the IIA did not provide guidance on how to best offer opinions. If a CAE is not comfortable in giving opinions, then there are two likely reasons: 1. He is not senior enough in the organization to do the job required, e.g. I reported to the CEO and Audit Committee and sometimes I had to get an incompetent manager of a project changed and was usually thanked for doing so. 2. The CAE does not have the experience, skills or training to properly negotiate, explain and handle difficult conversations. It is also a commentary on the customary inadequacy of audit committees to require opinions.

  2. Roy K
    October 6, 2021 at 12:34 AM

    Norman, I agree with you.

    If auditors do not have courage to share their opinion / views, they may be in the wrong profession…

    Without giving an opinion we will be just another bunch of consultants…

  3. October 6, 2021 at 2:48 AM

    Norman. As so often before, I fully agree with you. If you, as a professional, are not willing to “stick your neck out”, then how do you add value? You have a profession and have obtained a professional insight – this is to be leveraged to the benefit of the company (if not to any individual manager).

    Being outspoken means you also must accept push-backs. To deal with these professionally, you must have your facts and rationales in place and be willing to take that discussion with peers and (more often) superiors – otherwise, I fail to see your value to an organisation.

  4. October 6, 2021 at 3:05 AM

    Norman, I totally agree with you. Why does internal audit exist if not to provide opinions of relevance to the objectives of the organisation?

  5. October 11, 2021 at 6:11 AM

    Auditing is testing against a standard. The standard contains the set of controls (or rules and regulations). Within organisations, it is management that sets the standard. Internal audit can do two things: (1) judge the validity of the standard (or framework) (2) check its existence, if the controls work correctly. For (1) they can advise to adapt it, e.g. when it doesn’t comply with rules and regulations or fails to address certain risks. I don’t think this is covered in your blog.
    (2) is the process of gathering evidence about the facts, apply hearing to check the fact and after that it’s to the auditor to judge (facts versus the standard) about right or wrong.

    • Norman Marks
      October 11, 2021 at 6:42 AM

      Kersten210, thank you for your comment. I believe you have over-simplified internal auditing. Our goal is to provide assurance that management’s processes and controls are adequate in addressing the more significant risks to the organization. It is not only about testing the design or operation of related controls.

  6. Anthony O'Reilly
    October 13, 2021 at 7:36 AM

    I was an auditor for years. Then I became an auditee. I was greatly bothered by the reluctance (even sometimes refusal) of an auditor to conclude on whether risks were generally managed or not – even to acknowledge what the key risks were. Instead, it could be deemed acceptable simply to list out all the control improvements that the auditor could find, no matter how impactful on the management of risk.

    So, yes. We do need to be able to form opinions and those opinions need to be grounded in the management of risk. Audit scopes need to be built around risk, not controls, because there is often plenty of data that demonstrates how the risk is actually being managed – even when a particular control has failed. Become a risk professional, not a controls professional.
