The IIA likes to talk about GRC as an acronym that stands for governance, risk management, and internal control. The rest of the world has ‘compliance’ as the last part.
That doesn’t really matter.
The point is that we are talking about the organization, systems, processes, and related controls that management relies on not only to manage ‘risks’ but also to achieve their objectives.
They rely on them to function properly and do what is asked of them.
One of the valued services that internal audit provides is assurance, as expressed in the last part of the IIA’s Definition of Internal Auditing:
It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
The majority of internal audit functions perform a variety of audits every year and provide an opinion (ideally) or at least a list of risk-ranked weaknesses (far less than ideally) on the scope of each audit.
But too few provide an overall opinion on whether management and the board can rely on “the effectiveness of risk management, control, and governance processes” taken as a whole, or at least for the more significant risks and opportunities.
This is something I did at each of my companies and I was part of the team that developed a Practice Guide in 2009: Formulating and Expressing Internal Audit Opinions. Its Background section stated:
Internal auditors are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).
I strongly recommend that every internal audit leader become familiar with the Practice Guide. Since 2009, I have developed reservations about a grading system as discussed in the Guide. However, it covers very important issues such as:
- The form and scope of the opinion
- The work required to support it
- Reliance on the work of others
I covered this important topic in Auditing that Matters (my essential book for practitioners). I said:
I am a strong advocate that the CAE should provide a formal overall assessment of the systems of internal control and risk management to the audit committee (or full board) and top management on an annual basis.
While some do not think this is necessary or even achievable, a growing number of governance codes around the world require internal audit to provide an overall opinion. I believe that in time this will be recognized as not only best practice but mandatory.
I started doing this in the mid-1990s at Tosco and have not looked back. The board very much appreciated the assessment, as did management.
I believe this is the primary value that internal audit can provide to any organization.
It provides leadership of the organization with confidence that they can rely on its people, processes, and systems to support their initiatives and achieve enterprise objectives.
It provides leadership with the confidence to take the risks necessary for success.
An opinion on the overall systems of internal control and risk management does not mean that the CAE is opining on the management of every risk. It represents the CAE’s professional opinion on whether there is reasonable assurance that the risks that matter, the risks addressed in the audit plan, are at desired levels.
Let me break that down.
An opinion is just that, an opinion.
As professionals, we are capable of forming and communicating our opinion.
Every professional provides an opinion. It’s not a statement of fact, it’s an opinion – and we are not only entitled to form but to share that opinion.
There is a possibility that we are wrong, but if we and our team perform the work to appropriate professional standards we should be able to stand behind it and provide an overall assessment of the condition of the controls over the risks that matter.
I argue that if we don’t provide that opinion, we are shirking our professional responsibilities.
There’s a huge difference in the quality and value of assurance provided by an overall opinion compared to the value of individual reports with opinions on the management of specific risks.
The overall opinion is clear, concise, and actionable.
When only individual reports are provided, the CAE is leaving the audit committee and management to determine for themselves whether, overall, the systems of internal control and risk management are adequate.
Why make them make that assessment, guessing whether deficiencies in one area mean that the overall assessment is that it is deficient?
I think the CAE should step up, take the risk, and share his opinion.
When I provide my opinion, it:
• Is formal, in writing
• Is an assessment of the systems of risk management and internal control over the more significant risks to the organization and its objectives, based on the work performed during the year; that work is reflected in the audit plan and reports on the audit engagements that have been completed
• Is based in part on the insights obtained by auditing by walking around, talking to management, and being present. The assessment is not limited to the formal audits that have been completed
• Is a positive statement, rather than a ‘negative’ opinion. The latter is where you point out the risk and control issues but don’t make a positive assertion on the condition of the risk and internal control systems. I dislike the negative opinion as it makes the board and top management guess what our real opinion is
• Where there are risk and control issues that merit special attention, or where parts of the organization are of concern, they are highlighted
In other words, I try to provide the board and top management with the information they need if they are to understand the condition of the risk and internal control systems, whether risks are being managed at acceptable levels, and whether action is required by them.
For example, while at Tosco, I highlighted the issues at the Avon refinery in Northern California while praising the strength of the Bayway refinery in New Jersey. The contrast was especially useful to the audit committee.
I explained that controls over financial reporting were fine, but those over some operational risks were not. I told them what they needed to know.
My communication is intended to help the board and top management discharge their governance and oversight responsibilities. It is not about telling them how good we are and how successful we have been in identifying deficiencies.
Because my primary end product is this annual assessment, I design the audit plan to give me the input, the information about the management of risk that I need.
In the book, I provide an example of the opinion I shared with the audit committee of the board at Tosco Corporation. I also share how I developed the audit plan and the team to execute it.
- Do you provide an opinion on each audit rather than ratings or a list of weaknesses?
- Do you provide an overall opinion annually?
- Do you do the right work to support that opinion?
- Do you do work that is not necessary for that opinion – and if so why?
I welcome your answers and comments.
I consider governance processes to be part of the systems of internal control and risk management. Technically, internal control exists to manage risk, so I could readily make the case that we should just be assessing the management of risk – but it is easier to talk about the more traditional view of internal control and how it helps manage the risks that matter.
There are some that believe internal audit should provide assurance on governance, risk management, and compliance (or control). I don’t agree with this position. Internal audit can provide advisory services to help the board assess its practices, but I don’t believe internal audit should put itself in the position of assessing the competence, integrity, or performance of either the board or executive management. Instead, I believe we should assess whether there are processes and controls in place that address the risk of ineffective governance. We can also share best practices in governance. But going further is a step too far, in my opinion.