Internal Audit Opinions on the Effectiveness of Governance, Risk, and Internal Control

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.


Let me start this post by reminding you that these views and commentary are my own and not necessarily consistent with those of the IIA and its leaders. (But, maybe with your comments and discussion we can be an influence on their thinking.)

The definition of internal auditing from the IIA is:

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Let’s focus on two points:

  1. It is an assurance and consulting activity.
  2. It should evaluate and improve the effectiveness of risk management, control, and governance processes.

I don’t think you can provide assurance by just telling people what is wrong.

Imagine you are considering buying a house and have engaged a home inspector. The report details several things that are not working, distinguishing those that must be fixed now and those that can wait (i.e., risk-rating them) — but fails to tell you whether the house is safe, structurally sound, etc. You can use the report to ensure corrective actions are taken, but it does not give you the assurance you need before you invest your savings and family. The report does not include an opinion from the home inspector.

An internal audit report that identifies things that are not working, even if they are “risk-rated,” puts the burden on the executive and board reader of the report to guess whether everything is safe and reliable. If we are to be seen as assurance professionals within our own organization, we need to step up and provide an opinion.

After all, if the board members and top executives are expected to sign the financial statements, including an audit committee report, assessments of disclosure and internal controls, and (in a growing number of geographies) assessments of risk management, why are we not expected and required to form and share our opinion on the effectiveness of governance, risk management, and internal controls? In a growing number of countries, that is now a formal requirement. However, my understanding is that the majority of internal audit departments do not provide their stakeholders with an opinion, only a list of the repairs that need to be made to the structure.

I started providing formal opinions on the overall adequacy of internal control 20 years ago. I suggested it to the audit committee and they embraced it as “helping them sleep through the night.” It provided the assurance they needed to be effective in their audit committee oversight responsibilities. As board members, they valued the assurance that instructions from the bridge of the ship would be based on reliable information and executed in the engine room and elsewhere as instructed.

Although management (especially the general counsel) was initially a little nervous about this leading edge practice, they quickly saw the value and gave their full support to the practice.

I shared my experience as part of the team that developed the IIA’s Practice Guide (strongly recommended guidance) on Formulating and Expressing Internal Audit Opinions — which I recommend.

Today, I would seek a broader opinion than just internal control. My opinion would be along these lines:

Over the last period, and as discussed in routine audit committee meetings, we have completed a number of audit engagements (see attached) designed to address the more significant risks to the organization’s ability to achieve its objectives and create value.

In our opinion, based on the work performed, the systems of governance, risk management, and internal controls provide reasonable assurance that the more significant risks are managed within organizational tolerances.

What is your opinion? Care to share? 

Posted on Aug 17, 2013 by Norman Marks


  1. Very good

  1. Financially, I agree this level of attestation is prudent, i.e., from a P&L perspective. However, from an IT Audit perspective (which has the capability to disrupt P&L forecasts), there is probably insignificant evidence to support positive assurance or the gumption to state it. If IT Audit would begin to leverage quantitative statements of risk such as what FAIRiq enables, THEN such sweeping assurance opinions could be possible.

  1. Alan, good to see you commenting. You have always had strong opinions, which I value and respect.

    The key for me is that we focus on risks to the business and its achievement of objectives and creation of value. In other words, let's not focus on so-called IT risks in isolation.

    Also, we are looking at management's processes and their ability to manage business risks (including the impact of IT-related failures).

    We should not be in the business of independently assessing risks and taking over that management responsibility.

    Our assurance is on management's capability, and we should be able to opine even on their ability to address issues in IT-related activities that could affect business risks.

    IMHO, of course.

  1. Norman, I couldn't agree more, but my suggested opinion would be slightly different (it even brings in IT!): 'The internal audit plan agreed at the last Audit Committee specified that we aimed to provide assurance on 125 risks identified as significant in the Risk Register. This represented 10% of the significant risks. Over the last period, we have completed audit engagements (see attached) which have examined the internal controls managing these risks. Of the 125 risks, three have disappeared due to the suspension of the operation which gave rise to them. An additional six risks were discovered during the audits. Audit work confirmed that internal controls managed 120 of the 128 risks to within the risk appetite approved by the board. Seven of the risks are now within the risk appetite following improvements made as a result of the audits. The remaining risk is at the Brazilian subsidiary and involves employees using their personal smartphones, tablets and computers to access the company's network without adequate virus and access checks. We consider this to be a risk with potentially catastrophic consequences as the computer network is essential for the operation of the company. We have been promised that controls will be implemented by 30 September 2013.' OK it's long but it is objective and gives a 'score' liked by some boards.
  1. I've realized the above doesn't give an opinion! The last paragraph could be 'These results from the last three months, plus those from the preceding nine months, show that 50% (615) of the company's risks are controlled to within the risk appetite except for three risks which are detailed separately. On this basis, we consider that the significant risks threatening the company's objectives are being properly managed.'
  1. Norman,

    The role of the Internal Audit function is to attest to compliant and adequate processes, criteria, and methodology of management activity including risk management, but not to the actual level of risk, as this is a management function. So, if the IA attests to policies, processes, etc. surrounding the risk management system and practices, that would be an appropriate statement. However, if you are saying that the IA is to attest to anything related to actual business results and the management function and responsibility of managing risk (e.g., whether a risk has reached beyond an acceptable level within a firm's risk appetite/criteria), then it would require the IA to be involved with business decisions, which would compromise the independence of the IA.

    Using your example of the home inspector, his role is to gather and report info to the purchaser.  The purchaser should review the home inspector's report and reach his/her decision as to whether or not the house is safe, based on many other circumstances and AWAY from all quirkiness of technical requirements and legal factors embedded in the inspector's report.  I have yet to meet an inspector who is willing to actually deliver an all-encompassing and risky recommendation as to how safe a house may be to occupy in a blanket and non-technical manner.

  1. The totality of the opinion (and associated waivers) will depend on the relationship that the CAE has with the Audit Committee. If that relationship is open and a good level of trust has been established between the two parties, then a full & detailed opinion is not required. A simple statement, saying that on the basis of the work performed during the year, I can give xxxx assurance on the internal control environment, should be sufficient. The accompanying report can then set out the work that has been performed to support that opinion. Giving an opinion isn't difficult; indeed, it should be mandatory.
  1. Norman: Great topic to debate. My own opinion and one I regularly offer to boards during risk oversight training is that boards should require an opinion from internal audit on whether the board is receiving materially reliable information on the state of residual/retained risk. They require reliable information to oversee management's risk appetite and tolerance. Board risk oversight criteria published by the NACD in the U.S. are excellent "audit criteria" IA can use to complete the assessment. I teach this approach in the Standard 2120 training I present for internal auditors. The challenges boards face overseeing management's risk appetite and tolerance are significant and one of the major handicaps is traditional internal audit approaches where auditors form subjective opinions on whether they think controls are "effective" or not on a small % of key value creation/value erosion objectives. This is a long way from where IA needs to be today to support their key client who should be the board of directors.
  1. If the internal audit plan is driven by and aligned to the risk register then the auditor should be reviewing the effectiveness of the controls that mitigate risk. The audit report issued will detail whether the controls are effective or not. (Indeed, if the controls are not working effectively, the auditor can not only suggest actions for improving those controls [the traditional audit report approach] but also provide a comment to managers on the overall level of assurance that can be taken in respect of the totality of the controls that are managing a particular risk - a real value adding task). If this approach is understood by the audit committee then a simple opinion/assurance statement is able to be given - both on an audit by audit basis and annually. This opinion isn't subjective but supported by findings from the audit reviews completed. This approach isn't rocket science or leading edge, but a fairly straight-forward way to give the audit committee the assurance they require on the how well risks are being managed/mitigated.
  1. David: A significant problem when IA focuses solely on "controls" is that it ignores other forms of "risk treatments", including risk financing/insurance, risk transfers including indemnities, and risk avoidance strategies that can include changing objectives. I have often seen IA shops that have very limited understanding of other viable forms of risk treatments. This does not result in a balanced report to the board on management's current macro level risk appetite/tolerance. Richard Chambers focused on the need for internal auditors to broaden their scope beyond "internal controls" to fully analyze the organization's retained risk status in his remarks this month at the GRC Conference in Arizona. I will be presenting on the topic of "Honorably Retire 'Internal Controls': Promote 'Risk Treatments' - It's Time" at the IIA All Star Conference in New Orleans in October. In my experience, IA departments frequently do not have a full understanding of senior management's and the board's risk appetite/tolerance.
  1. Norman,

    This is the key issue for our profession. If we do not give opinions, we cannot expect our customers to value us in the same way that they value (and pay for) the opinions of others. The primary concern of most Boards is 'can I sleep at night?' They do not understand the opaque and multifarious scoring schemes with numbers and colors that we come up with - a different model at each company on whose Board they serve. What this leads to is a lack of brand. Without a clear brand, we cannot promote our value clearly and consistently to the world. Today, we cannot do this as a whole, only as individuals. So, some internal audit groups are well funded and accomplish much and others are left to their own devices to do as best they can.

    I got personally involved in the assurance debate at Siemens and I won't go on about this here, I will only say that we have to start with a single, agreed-upon audit report.  The wording needs to be clear and consistent.  I believe it must include the following phrases, "in my professional opinion",  "in all material respects" and a definite statement that "we are" or "we are not" in compliance with a regulation/rule or in agreement with management's presentation of the facts.  If done right, we will find there are serious and practical hurdles to doing this, but they can be dealt with.  I feel so strongly that this is the issue for us that I made it my first ever post, which is linked here if anyone wants to read more.

    All the best

  1. Thanks for this post. I have not been asked to give an overall annual opinion on GRC, but I think it is something worth introducing, though it must be something I am confident to give.

  1. Hi, this is yet another interesting post. When providing an overall opinion of the governance, risk management and control system of an organization, how would you consider the maturity and effectiveness of the second line of defence?

  1. Interesting question, Olof. In some situations, organizations in the second line of defence may perform their own inspections or audits that provide a measure of assurance. Internal audit may be able to place a degree of reliance on those activities, and the IIA has provided guidance on the topic.

  1. Ok, thanks. I work in IA in the banking sector and we are expected to consider the effectiveness of the second line of defence when doing audits and providing overall opinions. Is that the practice guide you refer to? I read the IIA book on combined assurance, which I found valuable. What are your thoughts on moving towards a combined assurance framework in organizations? Personally, I see many benefits and I believe it is time to move towards a fully integrated assurance approach in organizations.

  1. Olof, I meant this Practice Advisory: 2050-3 - Relying on the work of other assurance providers.

    I don't have any opinion on a combined assurance framework, other than any assessment should be based on whether the level of risk is acceptable. This will vary from time to time and people have to use their professional judgment and not checklists.

  1. Thank you, Norman, for this very important information.

    For me, I have included in the Internal Audit Charter that an opinion will be given on the three core areas of Internal Audit as enshrined in the IIA's definition of Internal Audit.
