This Practice Guide provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
This may be applicable to and useful for:
- Chief Audit Executives (CAEs).
- Executive and operating management.
- Other assurance providers (OAPs).
- Other professional regulatory bodies.
Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).
Examples of macro and micro opinions include:
- An opinion on the organization’s overall system of internal control over financial reporting (macro).
- An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
- An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
- An opinion on an individual business process or activity within a single organization, department, or location (micro).
- An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
- An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).Formulating and Expressing Internal Audit Opinions