By CPA Abdallah Mambo Dallu
Internal auditors play an important role in their organization’s corporate governance, internal control structure, risk management analysis, and financial reporting process. In spite of all confusions and dysfunctions, the theoreticians and practitioners in the field have remarked a rapid evolution of the internal audit. The internal audit, as a profession, has been redefined over the years and it has constantly complied with the changing needs of entities. In the past decade, auditors actively have provided management with consulting and assurance services to assist in compliance with regulations such as the U.S. Sarbanes-Oxley Act of 2002.
Trends in internal auditing
In the coming years, internal auditors may be expected to expand their role to assume more responsibilities in improving risk management, reducing organizational complexity and costs, and participating in developing strategic and governance processes. For example, the U.S. Securities and Exchange Commission’s (SEC’s) Proxy Disclosure Enhancements rules released in December 2019 require companies listed on U.S. exchanges to disclose their governance measures, including their board structure, the board’s oversight of risk management, and its relationship with executive compensation policies and practices.
These new proxy requirements will place greater pressure on boards to demonstrate their role in the oversight of risk management, and by extension, this presents both challenges and opportunities for chief audit executives (CAEs) and their internal audit teams. The proxy disclosure rules create opportunities for internal auditors to report on and provide their opinions about their organization’s compliance with:
a) corporate governance structures,
b) risk management, and
c) internal controls.
In expressing an opinion on these three areas, internal auditors can follow guidance set out in the IIA Practice Guide, Formulating and Expressing Internal Audit Opinions. Moreover, The IIA’s Internal Audit Standards Board has recently proposed a new professional practices standard, Standard 2450: Overall Opinions, which details requirements for the work that internal auditors must do if they choose to provide an overall opinion.
a) Corporate Governance
Improving corporate governance and enhancing the reliability of financial statements are receiving significant attention from lawmakers, regulators, the financial community, standard setting bodies, and the accounting profession. This well-deserved attention stems from the financial crisis of the past two years, widely publicized business failures, high profile financial statement frauds, the lack of vigilant oversight by boards of directors and audit committees, irresponsible management, inadequate governance structures, and ineffective audit functions.
A close working relationship between the audit committee and internal auditing can improve the effectiveness of corporate governance. First, the independence and objectivity of auditors can be strengthened when they report their findings and opinions directly to the audit committee. Second, by reviewing internal audit opinions before they are disseminated to the full board, management, regulatory bodies, and other intended users, audit committees can fulfill their oversight responsibilities related to financial reporting, internal controls, risk management, external auditing, whistleblowing, ethics, and taxes.
b) Risk Management
Organizations of all types, sizes, and complexity are facing a variety of risks that affect the reliability of financial statements and effectiveness of internal controls. Effective assessment and appropriate reporting on the organization’s risk management requires internal auditors to understand the risk assessment process from start to finish. Before auditors can formulate an opinion on risk management, they must identify and measure risks, and weigh those risks against potential rewards to create sustainable performance.
Auditors should ensure that the established risk assessment process is improving strategic decision-making and supporting the achievement of organizational objectives. Also, they should provide adequate risk assessment information to the board and senior management to enable them to make risk-informed, strategic decisions. Moreover, auditors should provide assurance and consulting services to the board, audit committee, and management on the organization’s risks and risk appetite as well as the effectiveness of the process designed to manage the risks and minimize their impact on financial reporting.
c) Internal Controls
Internal auditors traditionally have used a risk-based approach in auditing controls over their company’s operational effectiveness, reliability of financial reports, and compliance with applicable rules and regulations. Sarbanes-Oxley Sections 302 and 404 and the U.S. Public Company Accounting Oversight Board’s Auditing Standard No. 5 encourage internal auditors to focus on compliance-driven controls when assisting management in preparing reports on internal control over financial reporting.
Although management’s responsibilities for compliance cannot be delegated or abdicated, auditors can document the effectiveness of the design and operation of internal control over financial reporting as well as provide assurance and opinions on internal control.
The quality and reliability of internal audit opinions depend on transparency, constructive recommendations, and the objectivity, independence, and organizational status of the CAE signing the report. To be relevant, opinions and recommendations should be related to the identified risks and intended controls, and should be constructive, reliable, and concise in recommending improvements.
Auditors can make such recommendations and express an opinion on internal control by:
i. Reviewing how management develops and maintains an internal control system that is adequate and effective in managing risks.
ii. Assessing the efficiency and effectiveness of risk management processes and controls.
iii. Reviewing entity-level controls that are relevant to the organization’s integrity and ethical values, management’s philosophy and operating style, the organizational structure, human resources policies and procedures, the competence and integrity of personnel, and the assignment of authority and responsibility.
iv. Challenging management’s decisions pertaining to internal control when it is appropriate.
v. Working with the organization’s board, audit committee, and management to facilitate improvements in the internal control structure. Expressed opinions on internal control should be included in annual reports.
Providing internal audit opinions on internal controls is in its infancy.
Opinions Add Value
By providing audit opinions and recommendations, internal auditors can better assist in the design and implementation of their organization’s governance measures, risk management process, and internal control systems. CAEs should take a leadership role in educating and promoting their internal audit department to be proactive in formulating and expressing internal audit opinions.
As more and more internal audit departments have begun providing audit opinions to stakeholders, a need for guidance has arisen. Proposed IIA Standard 2450 takes a step in that direction by describing the work auditors must do before they express an opinion. In addition, an IIA Practice Guide, Formulating and Expressing Internal Audit Opinions, provides considerable information and advice that auditors should study before they embark on offering audit opinions.
In summary, the Practice Guide gives the following key recommendations.
a) Relevance: – The Practice Guide provides guidance for internal auditors, boards, executive and operating management, regulatory bodies, and other assurance providers who have an obligation to form, review, or assess an opinion on an organization’s governance, risk management, and internal control system. Internal audit opinions are important because they address stakeholders’ concerns. Those opinions are likely to be disclosed to the public, which makes them a crucial communication channel. The criteria used to develop audit opinions should be transparent and stated in the audit report.
b) Planning: – Certain factors need to be considered when planning for the opinion: Auditors should assess whether it will be a macro-level opinion based on the results of multiple audit projects, or a micro-level opinion based on a single project or a series of short-term projects.
i. If the opinion is positive, then more evidence and a broader work scope are required.
ii. Auditors should determine what kind of evidence they will need to prove that their opinion is correct.
iii. There should be agreement on the criteria that will be used in forming the opinion.
iv. Auditors should consider carefully the time that the opinion is issued and the scope of the coverage.
v. There must be appropriate management support for the internal audit plan.
c) Evidence Gathering: – When expressing macro-level opinions, auditors should:
i. Specify the purpose for which the opinion will be used.
ii. Detail the audit procedures and guidance that are used in formulating and expressing internal audit opinions.
iii. Gather sufficient and competent evidence relevant to the management of a strategic risk assessment process.
iv. Identify the criteria for satisfactory performance.
When expressing micro-level opinions, auditors should establish a clear criteria framework for drawing conclusions. Using a grading scale on any level requires a well-defined evaluation structure, and the scales must be consistent over the course of years in which the audit is conducted.
d) Reporting: – The chief audit executive is the best individual to provide assurance on a macro-level opinion. Positive assurance implies a lot of responsibility and should be used with caution and consideration. Grading or color coding is an appropriate way to formulate an opinion. Grades used in expressing an opinion should be agreed upon by the intended users.
Ideally, prior recommendations also should be included in opinions. An opinion may be qualified, which means that it is satisfactory overall but there are some concerns and reservations. When the results are ready for evaluation, auditors should consider:
i. Materiality–Residual risk that the business objective will not be achieved should be assessed.
ii. Impact–It is important to understand what kind of impact audit opinions will have on the business. The scope of the issues is also important.
Moreover, overall audit opinions should be expressed on corporate governance measures, internal controls, and risk assessments.
At the end of each audit engagement, an internal auditor should report a conclusion. Based on all audit reports throughout the year, an internal auditor may then provide an overall opinion. The assessment and conclusion shouldn’t prevent senior management from deciding what they want to do with it. They have the ultimate responsibility to correct, not to correct, change or modify the system of internal controls using the assessment established by the internal audito