Annual internal audit opinions

Do you provide an annual internal audit opinion to your board or audit committee?

The Chartered Institute of Internal Auditors has recently published its Internal Audit Code of Practice which is aimed at internal audit in the private and third sectors. One of the recommendations (within recommendation 13) is that internal audit’s reporting to the board and / or audit committee should include:

“at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, and its conclusions on whether the organisation’s risk appetite is being adhered to, together with an analysis of themes and trends emerging from internal audit work and their impact on the organisation’s risk profile.”

Annual opinions are not new, some parts of the public sector have been providing these for many years. The Institute recommended that internal auditors in the financial services sector should do this in Effective Internal Audit in the Financial Services Sector , first published in 2013.

Providing an annual opinion should not be taken lightly, with the preparation for the opinion commencing when the plan is developed. I set out below some questions to consider for internal audit teams preparing for their first annual opinion or assessment.

Has the internal audit function undertaken sufficient work to be able to provide an opinion?

The Code recommends an assessment of the overall effectiveness of the governance, risk management and control. Many heads of internal audit may feel comfortable regarding the element of control; I find that many query what work is needed to be able to satisfy the elements relating to governance and risk management. The Code does not mean that a standalone audit of governance and of risk management must be undertaken each year; the internal audit function should be able to draw out themes from its work to form the opinion. This will require planning in advance.

What may be more difficult is to opine on whether the organisation is operating within its risk appetite, especially if the board and top management have not set a clear tone for risk and culture in the organisation. Again, this is likely to be thematic in nature, drawing on all audit work undertaken during the year.  

Who is the audience for the report?

While the audit committee is likely to be the direct recipient, the report could also be shared with the senior management team.  Many audit committees will quote or refer to the internal audit opinion in making their own annual report to the board, and therefore the opinion should be written in such a way to support this. If the organisation is regulated, there may be an expectation that the regulator will also receive a copy of the report or opinion.

How should the opinion be worded?

Some teams in the public sector have been using wording that may feel more akin to the type of assurance statement that is given in an assignment report, often accompanied by a colour coded graphic.  Other teams provide a more narrative commentary, avoiding using words that can be seen as a particular ‘thumbs up’ or ‘thumbs down’. Internal audit functions which prefer this approach may also prefer to provide more information on themes or trends observed during the year.

Internal auditing standards also set out an expectation that where an overall opinion is provided, that internal audit reporting will also explain:
•    The scope (including limitations and timeframes)
•    A summary of the information that supports the opinion, along with reasons for an unfavourable opinion
•    The overall conclusions or opinion of the internal audit function

What is the scope of the annual internal audit opinion?

The opinion should clearly explain the time period it covers. The opinion would normally cover the remit of internal audit, as set out in the internal audit charter. If there is an area where internal audit has not provided coverage, or judges that it would not be appropriate to provide an opinion, this should be explained.

Placing reliance on the work of other assurance providers

Where internal audit is placing reliance on the work of other assurance providers rather than undertaking work itself, internal audit should have undertaken an assessment of the quality of the work of the assurance provider. It is useful in the annual report (and the annual plan) for internal audit to explain where it is planning to place (or has placed) reliance on other assurance providers. This may be more straightforward for an organisation with an assurance map as part of its risk management framework

What about areas not covered by internal audit?

It is not realistic for internal audit to provide coverage of all controls, entities, or risks during any one year. Any opinion or overall assessment should be clear on the limitations of internal audit’s coverage.

Internal audit need not stop at opining only on those areas it has covered. Many years ago, a colleague provided an annual opinion to a public sector agency, qualifying the opinion due to inadequate business continuity arrangements, even though internal audit had not audited this area in the recent past.  What was the rationale for this opinion?  
•    The internal audit team had flagged business continuity as an area where it believed assurance was required.

•    The business pushed back, stating that arrangements were still be updated and finalised, and that it would be too soon for formal assurance in this area. By the end of the audit plan (some 15 months after the original plan was discussed with the audit committee), management still made this assertion.

•   The head of internal audit made the decision that this should be flagged in the annual internal audit report to emphasise audit’s concern at the slow pace of implementation of the business continuity arrangements.

Lastly, I suggest that Heads of Internal Audit do not rush into making an opinion. It may be mis-leading if the Audit Committee infers more assurance from the opinion that Internal Audit believes it can provide. A frank and open discussion with the Committee about the scope and format of the opinion, and the work required to form such an opinion is vital.