My opinion of audit opinions

December 19, 2022

Last week, I was in a duel with Richard Chambers on the topic of internal audit opinions.

Neither of us had much time to express our views, so I am taking the opportunity of today’s post to share some insights that might be useful.

Last month, I ran a survey that asked internal auditors “How do you communicate your overall opinion?” The answers were:

  • We don’t include an overall opinion on the adequacy of controls over the risks in scope… 8.7%
  • We use traffic lights, such as red/yellow/green… 19.0%
  • We use language like “the controls are effective, adequate, or ineffective”… 41.3%
  • We construct an opinion statement that reflects not only whether the controls are adequate overall, but which risks might not be at unacceptable levels… 23.0%
  • Other… 7.9%

Consider four identical manufacturing companies where internal audit has completed an audit of their inventory management processes. This is a critical activity for them (as it is for businesses in many sectors, such as retail and wholesale, oil and gas, and more).

Imagine that you are on the boards of each company and reading the audit reports.

All the audits found the very same six issues. But they reported them differently.

The auditors of Company A wrote that they had completed their audit of inventory management processes and found a number of issues of concern. In their Findings section, they explained that six controls were not functioning as designed. The auditors went on to recommend that management ensure they function properly in future, and management responded that they would.

Company B’s auditors had a different report. While they also reported that they had completed their audit of inventory management processes and found a number of issues of concern, they commented that the controls over inventory management “needed improvement”. They listed the six findings in the Executive Summary and put a traffic light color next to each, indicating their opinion of the severity of the finding.

Company C was different again. The report was similar to that for Company B, but this time the opinion specified the risks that had been audited, not just the controls. The auditors’ opinion was that the controls over inventory-related risks, such as ensuring the accuracy of inventory records and the quality of materials, needed improvement.

Finally, there is Company D. This time, the audit opinion was:

“Several controls were not operating properly, and management has agreed. As a result, there is an unacceptable level of risk that insufficient raw materials will be on hand when needed for production. In addition, what material is in inventory may not be of the appropriate quality. Should that occur, sales and customer satisfaction will be severely impacted and the company’s revenue targets for the quarter (if not the year) might not be achieved.

“Management has agreed with this assessment and has already started the process of upgrading the controls, scheduled for completion next month.”

My survey indicated that less than a quarter of internal audit departments (if the survey is representative) would include an opinion like that of Company D.

In the duel, Richard and I both agreed that we needed to provide the assurance, advice, and insight that management and the board need.

Which of the four companies’ audit departments did that?

The auditors at Company D had to do more work, primarily sitting down with management and having a constructive discussion to (a) confirm the facts, (b) agree on what the facts meant, (c) consider options for addressing the risks, (d) review the language that will be in the report, and (e) discuss how best to communicate the situation to senior management.

But there is huge value in that additional work.

Where are you?

Are you going to adopt Company D’s approach?

I welcome your comments.

By the way, if you haven’t responded to my second survey, please do so.

  1. December 19, 2022 at 9:28 AM

    As a director, I would want to know: what works (risks properly determined, controls properly operating?); what doesn’t work (controls not bringing risks to an acceptable level); what the impact is (what objectives might not be achieved); what the management are doing (who, what and when). So it’s Company D for me.

  2. Bruce McCuaig
    December 19, 2022 at 10:52 AM

    Norman, I was reminded of a workshop I led years ago in a large US-based Metropolitan Transportation Authority. The Purchasing Department was responsible for managing parts inventory for the fleet. We started by determining the relevant objectives. One group thought it was to minimize fleet life cycle cost, another to ensure continuous operation of the fleet, and still another to prevent vendor fraud. The lack of unanimity was not surprising (a risk in and of itself), and multiple objectives are necessary. But no useful opinion is possible without understanding critical business objectives or the level of performance being achieved. I doubt if I am telling you anything you don’t already know, but I see too little of it in practice. It’s a good place to start.

  3. John Fraser
    December 19, 2022 at 2:11 PM

    IMHO, one key responsibility of an auditor is to provide an opinion. In my opinion this means stating whether the controls are good, need work or are unacceptable (choose your own wording) and for impact I always added a colour coded opinion (red, yellow, or green) so there was no doubt as to my opinion and this allowed management and the board to focus on priorities to be fixed. “No guts, no glory!” The verbiage in D above would be in the body of the audit report.
