Building the Audit Plan Around Assurance on Governance, Risk Management, and Related Controls

The traditional approach to building the audit plan, consistent with what is described in PwC’s new paper Maximizing Internal Audit, is to identify the higher risks to the organization (strategic and operational risks as well as financial and reporting risks). The CAE then develops a plan to audit as many of those as possible given the scarcity of resources, technical skills, etc.

However, the definition of internal auditing from the IIA says that internal audit should provide assurance on governance, risk management, and related internal controls.
How do you provide assurance unless you express your overall opinion? I don’t believe providing some number of individual audit opinions, from a multitude of individual audits, is close to providing assurance on management’s governance, risk management, and related controls. All internal auditing is doing is providing assurance on individual risks, not on the management of risks in general.
Do you believe that the audit committee and executive management can draw a reasonable opinion on the condition of the whole by themselves? How do they balance the good and the bad assessments? How do they assess whether deficiencies in one or more audits mean that there is a major problem with the overall management of risks?
The leading practice for internal audit functions is to provide an overall opinion. This is even a requirement in the South African governance framework (King III).
What does this mean? How is it different?
Check out the IIA Practice at
In short, the audit plan should be designed to cover enough ground that an overall opinion is feasible. The CAE should consider that the overall opinion will include a description of the basis of the opinion, and can not only detail the audit engagements contributing to the opinion but also the risk areas that were not addressed.

Posted on Jan 22, 2010 by Norman Marks


  1. Check out my related post at

  1. Hello Norman: A few thoughts.

    I think it is feasible for an internal audit function to provide an opinion on the risk management process. Has the organization identified the risk silos? Has each silo reported their objectives, risks, measures and mitigation plans? Did some central entity combine and prioritize the risks with buy-in from the top executives and board? Was a comprehensive strategic plan provided to the board? Is progress related to the objectives and risk mitigation efforts monitored throughout the year?

    I think IA can craft an engagement to answer the above questions and opine on that annually.

    However, I do not believe IA is qualified or independent enough to opine on the governance aspect; that should be done by an outside party. Further, the scope of operations is wide enough to where IA cannot opine on control of the enterprise overall. Just think of how much audit work is involved in SOX, which is just financial reporting. Operations is much broader.

  1. It would be great for IA to give an overall opinion in an ideal world, but ask yourself how realistic this is for the average corporation? 

    First - there are often key risks that are not audited by IA, and there is little in IA standards to require this if the Aud Co and Senior Execs are happy with how the matter is being dealt with. I have put this point to the IIA UK. Also, some risks are fast moving to the point that what would have looked like an acceptable process and treatment a month ago might not be when the latest information is considered.

    Second - there are inevitably resource constraints for IA - how can an audit function of 10, 50, 100 really provide an up-to-date overall opinion on risk management, vs an organisation of 100+ times that size? The Board and Chief Exec should be able to - they have resources of 1000, 10000, etc.

    Third - IA won't have the expertise to opine on all key risks, even if it had the mandate to look at them and the resources; as an example - should the CAE comment on the processes and treatment of all key legal risks during the year, or the General Counsel? I think it should be the latter.

    We should also be wary of the value of opining on the risk processes alone and not the content / actual treatment. It's hard, but the risk of false assurance is huge, with an average Aud Co member taking comfort that both the process and the position are fine if the verdict is satisfactory.

    I think this is an important debate, and that this boundary needs clearer definition, but more than anything I believe IA functions and the IIA should be asking the top level question of how CEOs and Boards get overall assurance on risk and governance (which gets into the practical application of COSO and questions around assurance mapping, and the role IA should play in that), rather than delegating/transferring that task to the CAE! 

  1. James, my view is similar to David's when it comes to risk management. We should assess management's processes for identifying, assessing, responding to, and managing risks to the success of the organization. We do not have the resources and experience management has, and management has to retain ownership and responsibility for risk management.

    With respect to assessing the processes and not the results, this is similar in my opinion to assessing controls over management reporting, EH&S compliance, etc. We can assess management's processes for required environmental reporting without auditing and affirming the completeness and accuracy of the reports themselves.

  1. David, my view (see my other post, on a Closer Look at Governance) is that there are many areas of governance we can and should assess. Where there are independence issues, we can work with management to engage a third party - and then reflect their results in our overall opinion.

  1. Hi Norman,

    Please allow me to add my five cents' worth of perspective to this discussion.

    First, I must disagree with your statement about King III - the new SA corporate governance code. According to the principles laid out therein, the auditor is not required to issue an overall opinion. The code speaks about providing a 'written assessment', which could take the form of anything but an overall opinion (such as some form of long form report). As the code is new (and practice notes have not been issued yet), we need to see how practice develops. I also do not believe that it is internal auditors' purpose in life to issue 'opinions'. Assurance can be provided in many ways.

    Second, let's not forget that auditing is about comparing something against a set of normative rules. It's perfectly all right for the internal auditor to take whatever the company has defined as its policy and practices for (enterprise) risk management, investigate the operational effectiveness thereof and then report back to the board thereon. This, by the way, is also in the spirit of King III as I understand it.


  1. Steven, thank you for sharing your views - and I concur that we disagree.

    1. I don't believe assurance is provided without an opinion. How can you be assured that the controls are adequate unless somebody says they are adequate, or at least says there are no major deficiencies and implies that therefore they are adequate?

    2. What is the difference between a "formal assessment" and an opinion? You are seeing something I am not. I have spoken to the IIA people who were on the subcommittee working on the King Code, and they talked about an opinion.

    3. I do not agree that auditing to a standard is acceptable, when you don't assess whether the standard is appropriate to the business. I thought this form of compliance auditing was dying out.

  1. Hi Norman,

    Thanks for your reply. I guess the idea is to not get into an all too technical discussion or a debate about the meaning of words, but since you are asking and challenging (some of) my views, please allow me to clarify some points and respond to the questions you have raised. I will have to split my response into parts.

    Notwithstanding the IIA people you have spoken to and who have contributed to the writing: in the entire King Code of 2009, being 140 pages, the word 'opinion' is not used in relation to (reporting on) the work of internal audit. I think deliberately. If you say that there is no difference between an opinion and an assessment, the question why the King Committee refers to a written assessment (and not an opinion), apparently leaving room for ambiguity, is justified. I personally think an assessment and an opinion do not necessarily mean the same thing, but I accept that we may agree to disagree on this point, and I reiterate that some practical guidance on this point from the King Committee is still to be issued. Now, let's turn to IIA practice guidance on the matter then (April 2009; Formulating and Expressing Audit Opinions).

    (1/3 - continues...)

  1. (...continued from 1/3)

    According to this Practice Guide the internal auditor may either express 'micro level' or 'macro level' opinions (or both) and may qualify these opinions or only provide negative assurance, all dependent on scope, circumstances, stakeholders' needs, etc. This is all fine (although I personally believe that some of what's in the framework of this Practice Guide may be challenged). My point is that other forms of assurance may be provided. For instance in the form of a report on agreed-upon procedures or a 'review', which may be very suitable in satisfying stakeholders' needs in certain cases but does not necessarily need to take the form of expressing an (overall) 'opinion'. Either because it's not necessary or because the scope or nature of the work performed (and supporting evidence) simply makes it impossible to express an opinion.

    (2/3 - continues...)

  1. (...continued from 2/3)

    I note that the IIA, contrary to standards developed for external auditors, is not very prescriptive in what makes an opinion an opinion (nor as to the object or subject on which an opinion is expressed), nor as to its format and wording, which has its advantages in practice but perhaps contributes to why we are having this discussion. Then to my point 2 and your point 3 I would just like to refer to what the IIA says in paragraph 3.3 of its practice guide about a criteria framework (developed internally) and how this should be used by the CAE as a frame of reference and an evaluation tool (specifically in relation to governance, risk management and control practices), which is exactly in line with the point I was trying to make.

    Last but not least, I agree with King III in stressing the importance of the principles of the 'combined assurance model', which includes internal, external auditors, management and other assurance providers. In this model, internal audit makes an important contribution, but is not the sole provider of assurance; it's not so much up to the CAE (compare IIA PG) but to the Audit Committee to decide whether based on the information from these different providers an overall conclusion (an opinion) can be reached. I hope this was useful.

    (3/3 - ends)

  1. Steve, you make some excellent points. BTW, I was one of the members of the team that developed the IIA guidance on opinions.

    Prof. King commented to Internal Auditor (see the February issue): "Opinion has connotations in the legal and accounting worlds, and I didn't want to start a whole debate about opinions."

    Whether you call it an assessment or an opinion, it has to be formal and in writing, and sufficient for the board to form their own opinion.

    In practice, how will the CAE avoid answering the question: "are the controls effective?"
