Executive management, audit committees, and the board want to know whether their internal control systems work. The chief audit executive is often requested to issue an opinion on the adequacy of internal controls within the organization to meet this assurance need. If a CAE does issue a formal opinion, it’s crucial that all parties clearly understand the areas and issues the CAE is addressing in doing so. Otherwise, brace yourself for expectation gaps.

Expressing opinions is no easy task. The CAE must consider the scope of the audit effort and the nature and extent of auditing performed, and evaluate what the evidence from the audit(s) says about the adequacy of internal controls. A formal audit opinion should clearly express four points:

The evaluation criteria and structure used;

The scope over which the opinion applies;

Who has responsibility to establish and maintain the system of internal control; and

The specific type of opinion being expressed.

Extensive Planning To Express An Opinion

In planning the opinion, internal audit needs to understand the current “maturity” of the internal audit efforts and where the organization is in its efforts to implement a robust system of internal control. Some key questions to consider include:

Has the internal audit function evaluated the system of internal control previously?

How well-documented, stable, and understood are the organization’s controls? (Expressing an opinion is much easier in an organization where statements and management assertions about internal controls already exist, since the auditors can examine the processes underlying the statements and assertions to form their opinion.)

Has this evaluation been discussed with the board of directors?

How accurate is the disclosure to your shareholders and other stakeholders?

Have there been adverse opinions by the external auditor?

In addition to the maturity of the internal audit effort and maturity of the organization’s system of internal control, a third dimension must also be considered. That is, at what level of internal control is an internal audit opinion required?

The initial SOX-initiated internal control evaluations often covered thousands of controls, which took an inordinate amount of audit time and resources. A lesson learned was to scale back and be more selective regarding the controls to be evaluated. This is a crucial scoping decision; rather than jumping into an examination of a vast number of controls, a SOX lesson has been to focus on the “key” controls. In practice, the burning question now is exactly what the key controls are. This can only be answered in reference to the purpose being served by the internal audit opinion. What do the users of that opinion want and need?

The audit department has to consider the reality that an organization with evolving internal controls will need considerably more time and effort to identify, test and assess controls than one with stable and well-understood controls. It may also make a difference in the caveats that should be placed on the internal audit opinion. In fact, an important message has been that depending on your starting point—especially for many internal audit shops not yet providing an opinion at the “organizational” level—it will take multiple years before you have enough work and knowledge to provide an overall opinion. The issue of gathering sufficient information from all significant areas of an organization—compliance, disaster recovery, environmental, risk management, governance and internal control—to form an overall opinion is very daunting (read: amazingly labor-intensive).

Communicating The Results

Assuming planning was effective, expectations were clearly set, and audit testing was sufficient to support an opinion of some type, when internal audit communicates its opinion on the system of internal control there is still much to consider in issuing the actual opinion, including:

The evaluation criteria used must be clearly stated: what control model was used to complete the opinion, or even just what standards were used to form the opinion. Complications always exist. For example, the COSO model is most often used to evaluate the overall system of internal control, while the COBIT model is commonly used for general IT controls. The internal audit and the IT audit efforts both need to contribute to the overall audit opinion regarding the system of internal control.

The scope over which the opinion applies must be clearly communicated in the opinion document. What areas of the organization are covered, what work was completed, and what period is involved are all examples of the issues that need to be covered within the scope statement. An opinion with a well-defined scope will not leave the reader guessing as to the relevance and focus of the opinion, nor the time period to which it applies.

Who has responsibility for the establishment and maintenance of internal controls. Here the issue is ensuring that management’s responsibility for internal controls and the board’s oversight regarding the system of internal control are both clearly stated. Internal audit is to provide assurances regarding the performance of controls and the system of internal control, but it should not take on any management responsibilities for internal control.

The specific type of opinion being expressed by the auditor. There are varying levels of assurance possible regarding internal control opinions, as well as both positive and negative assurance opinions. Fundamentally, negative assurance indicates nothing came to the attention of the auditor during the audit, while positive assurance indicates the auditor has performed sufficient testing so that the auditor believes it is very unlikely that anything materially wrong is occurring. Here, the issue is audit workload; more assurance means more work. Also, while the CEO and CFO can certify that their financial statements and the processes to create them are accurate, the senior executives are responsible for these processes. Internal audit needs to complete enough audit work to provide sufficient support for its opinion, which is something quite different.

Other considerations. There are always other issues to consider and usually these are situation-specific. Be forewarned that expressing an opinion on the system of internal control is complicated and a long-term proposition. Also, like so many other complicated things, the third time you’ve completed it, it’ll finally fall into place.

The assurance needs of the audit committee and management are very similar, but they do differ. For example, fundamentally the board wants to know that the overall system of internal control is robust and working effectively and reliably. While this is important to management, executives also want to know what significant improvement opportunities exist, and how they can make the organization more cost-effective. Internal audit needs to balance the assurance needs of both these audiences, and deliver on both.

An extensive discussion among all the key parties upfront is crucial, as setting clear expectations and overall goals is absolutely required. As the old expression goes: “Plan your work, and work your plan.” This definitely applies to audit opinions.
