Formulating and Expressing Internal Audit Opinions[ii]
Internal auditors generally provide opinions for each audit and it can often be a challenging task to ensure the opinion provides all the necessary information to meet stakeholders’ objectives.
Planning
Auditors should determine stakeholder requirements for audit opinions including the level of assurance required before beginning an audit. Careful planning and development of an audit plan helps to ensure the auditor obtains sufficient evidence to support an opinion. Audit plans and opinions must consider the scope of work performed. Common elements to consider when defining the scope include:
- Descriptions of the portions of the organization being covered;
- Control components covered by the audit;
- The point in time or the time period over which the opinion is expressed.
Types of Opinions
Opinions generally fall into one of the following categories:
- Macro-level – broad level for the organization as a whole
- Micro-level – individual components of the organization’s operations
Macro-level opinions are more complex and may require aggregation of findings from several audits, incorporation of evidence obtained through less formal means, and consideration of evidence obtained through reliance on the work of others. Recent surveys indicate that most audit organizations issue micro-level audit opinions.
Generally, stakeholders request that internal audit activities provide positive assurance opinions. A positive assurance opinion involves the auditor taking a definite position (i.e. internal controls are or are not effective), provides the highest level of assurance, and requires the highest level of evidence. Positive assurance opinions imply the auditor gathered sufficient evidence to provide reasonable assurance that they would identify evidence contrary to the opinion if it existed. Opinions can be qualified if there is an exception to the general opinion (i.e. controls were satisfactory with the exception of accounts payable controls, which require significant improvement).
In contrast, a negative assurance opinion is a statement that nothing came to the auditor’s attention about a particular objective (i.e. the effectiveness of a system of internal control). The internal auditor takes no responsibility for the sufficiency of the audit scope and procedures to find all significant concerns or issues. In general, this opinion is less valuable than positive assurance.
Results
Developing a criteria framework can help achieve the objective of providing a valued opinion. This framework provides a baseline against which to apply measurement and judgment to evidence obtained in the course of the audit. When establishing suitable criteria, it is important to determine if the organization has established basic principles regarding what constitutes an appropriate governance, risk management, and control process. These criteria may include:
- Definition of the control framework used by the organization (i.e. COSO or COBIT).
- Management’s understanding of what constitutes a satisfactory level of control (i.e. 90% of transactions are conducted in accordance with control procedures).
- Management’s risk tolerance.
Auditors should base evaluation of results on an established methodology such as materiality and impact. Many internal audit activities use a grading system when issuing audit reports. Internal auditors must be careful with wording, especially around defining “waterlines” such as adequate or inadequate. Auditors should ensure that the organization has a common understanding of terms such as satisfactory, effective, or unsatisfactory. Using a grading scale requires a well-defined evaluation structure.
When internal auditors consider relying on the work of other assurance providers (OAPs) in developing an opinion, they should consider the following:
- The OAP’s knowledge, skill, and competencies
- Organizational relationships and ability of OAP to develop an impartial opinion
- Objectives and scope of the OAP’s work
Conclusion
Providing opinions in audit reports is one way Internal Audit can add more value to the organization. These opinions can result in the organization placing more reliance upon internal audit reports. This increased reliance can also increase the legal ramifications if there is a control failure. Therefore, the Chief Audit Executive (CAE) should include appropriate disclaimers relative to the limitations of the audit work. This generally takes the form of notification that the report provides reasonable assurance and that it is not possible to provide absolute assurance. The CAE should encourage management to consider legal ramifications of placing total reliance upon the audit report and opinion.
McKonly & Asbury is available for consultation on this or other Internal Audit matters. Please contact Elaine Nissley, MBA, CISA, PMP, CRISC, Principal, in charge of the Risk Management Services group at ENissley@macpas.com.
[i] The IIA Practice Guides are located at: http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/
[ii] The Practice Guide – Formulating and Expressing an Audit Opinion is located at: http://www.theiia.org/guidance/standards-and-guidance/ippf/practice-guides/formulating-and-expressing-internal-audit-opinions/