The traditional approach to building the audit plan, consistent with what is described in PwC’s new paper Maximizing Internal Audit is to identify the higher risks to the organization (including strategic, operational, as well as financial and reporting risks). The CAE then develops a plan to audit as many of those as he can given scarcity of resources and technical skills, etc.
However, the definition of internal auditing from the IIA says that internal audit should provide assurance on governance, risk management, and related internal controls.
How do you provide assurance unless you express your overall opinion? I don’t believe providing some number of individual audit opinions, from a multitude of individual audits, is close to providing assurance on management’s governance, risk management, and related controls. All internal auditing is doing is providing assurance on individual risks, not on the management of risks in general.
Do you believe that the audit committee and executive management can draw a reasonable opinion on the condition of the whole by themselves? How do they balance the good and the bad assessments? How do they assess whether deficiencies in one or more audits mean that there is a major problem with the overall management of risks?
The leading practice for internal audit functions is to provide an overall opinion. This is even a requirement in the South African governance framework (King III).
What does this mean? How is it different?
In short, the audit plan should be designed to cover enough ground that an overall opinion is feasible. The CAE should consider that the overall opinion will include a description of the basis of the opinion, and can not only detail the audit engagements contributing to the opinion but also the risk areas that were not addressed.