The second demand by audit committees of internal auditors

Last week I discussed The most important audit committee demand of internal audit as reported by Richard Chambers based on his interviews with 15 committee chairs.

Today, let’s talk about their second demand, which follows on from their first:

Express an overall opinion on the effectiveness of risk management and controls by “connecting the dots”.

Let’s be clear and honest about this: many, if not most, internal audit leaders are reluctant to put themselves out on a limb and express an opinion on the overall condition of the system of internal control.

Reasons they provide (I will let you decide whether these are reasons or excuses, but be open about it – and I will discuss each momentarily) include:

  • We don’t have the resources to address all the controls, even all the controls over significant risks to enterprise objectives.
  • The audit committee does not expect us to do this.
  • The IIA Standards do not require it.
  • Others are not doing it.
  • It’s too much of a risk to express a positive opinion. The most I can do is report any major findings.

Back in 2009, I was a member of the IIA’s Professional Issues Committee and five of us (Gilbert T. Radford; Bruce C. Sloan; Debbie E. H. Loxton; Norman D. Marks; and Trygve Sorlie) wrote an official IIA Practice Guide (PG), Formulating and Expressing internal audit opinions.

In 2016, the IIA published a far shorter Implementation Guide (IG), Standard 2450 – Overall Opinions.

Both are recommended guidance and worth reviewing.

While I was proud to have had a part in promoting overall opinions through the PG, it was significantly watered down to accommodate multiple dissenting views – people raising the issues listed above.

The IG is far clearer and has a lot of good language, including:

An overall opinion is the rating, conclusion, and/or other description of results provided by the chief audit executive (CAE) when addressing — at a broad level — governance, risk management, and/or control processes of the organization. An overall opinion is the professional judgment of the CAE based on the results of a number of individual engagements and other similar activities — such as reviews by other assurance providers — for a specific time interval.

The IIA loves to talk all the time about “governance, risk management, and/or control processes”. I think that is unnecessary and verbose. An effective system of internal control, as described in COSO’s Internal Control Framework (ICF), includes effective governance (in large part) and risk management.

Therefore, I always provided my opinion (which I did for about twenty years) on the system of internal control over the more significant risks to the achievement of enterprise objectives.

The IG also says (with my edits and emphases for readability):

  • Overall opinions differ from conclusions in that a conclusion is drawn from one engagement, and an overall opinion is drawn from multiple engagements. Also, a conclusion is part of an engagement communication, while an overall opinion is communicated separately from engagement communications.
  • The CAE then determines the scope of the overall opinion to be provided, including the time period to which the opinion relates, and considers whether there are any scope limitations.
  • With this information in mind, the CAE can determine which audit engagements would be relevant to the overall opinion. All related engagements or projects are considered, including those completed by other internal and external assurance providers.
  • an overall opinion may be based on aggregate engagement conclusions at the organization’s local, regional, and national levels, along with results reported from outside entities such as independent third parties or regulators.
  • The scope statement provides context for the overall opinion by specifying the time period, activities, limitations, and other variables that describe the boundaries of the overall opinion.
  • Upon consideration of the relevant information, the CAE issues an overall opinion, using clear and concise language, and articulates how the opinion relates to the strategies, objectives, and risks of the organization.
  • …the CAE decides how to communicate the overall opinion (verbally or in writing). Overall opinions are typically communicated in writing, although there is no requirement in the Standards to do so.
  • It is important to note that the CAE is not required to issue an overall opinion; issuance of such an opinion is at the discretion of the organization and would be discussed with senior management and the board.

Now for the excuses (sorry, reasons):

1. Insufficient resources

We never have all the resources we need to address all the risks to enterprise objectives. But our audit plan (continuously updated) should be designed to address the more significant ones. The overall opinion needs to include language that makes it clear that it is based on the results of the engagements performed (including any performed by others, which I would include in an appendix) based on the risk-based audit plan.

This makes it doubly important to make sure that we are not using our scarce and valuable audit resources on risks and issues that will only ever matter to middle management.

We also need to be ruthlessly efficient, eliminating activities that don’t add value to our customer (even if they are required by the IIA Standards!).

2. The audit committee doesn’t require it

Maybe they should, and maybe they don’t think you are up to it. But if you did share one with them, they would almost certainly value it.

3. The IIA Standards don’t require it

This is true, but the Standards don’t mandate every best practice – and I will say no more on that topic.

4. Others are not doing it

Also true. But that doesn’t mean we should not provide the audit committee with information they value very highly.

5. It’s a risk I don’t want to take

True that it is a risk, but I believe we have an obligation and the risk can be addressed.

Which brings me to how I did it at each of my very different companies for about twenty years.

Norman’s Tips

  1. Start with the end in mind! Realize that an overall opinion is a great gift for the audit committee and top management. Build your audit plan accordingly. Include audits of the more significant sources of risk to the enterprise’s objectives and make sure you are not wasting scarce resources.
  2. Make it clear in the opinion that it is based on the work performed, including (listed in an appendix) any work by others that you have relied upon. A typical example would be the work of the external auditors on financial reporting and related internal controls.
  3. Explain that no system of internal control provides more than reasonable assurance. Refer to the exceptions in COSO ICF.
  4. Consider all the assessments made over the period and update them with any progress made by management on major control weaknesses (as defined by COSO in their ICF).
  5. Provide an opinion as of a specific date and discuss with management, first, whether they agree or disagree with it.
  6. Consider adding other useful information, such as an overall opinion on the system of internal controls at major business units, or over compliance with applicable laws and regulations.
  7. Remember that we are only talking about whether the system of internal controls provides reasonable assurance, and that this is your professional opinion.
  8. Professionals provide opinions.

I welcome your thoughts.

Is this something you do? If so, how do you do it? If not, why not?

  1. David Griffiths
    March 11, 2024 at 2:36 PM

    If IA doesn’t give an overall opinion, I’m not sure what it is paid to do. I always considered it was my prime responsibility.

  2. March 12, 2024 at 10:53 AM

    The draft Code of Practice just issued by the UK chapter states, ‘At least annually, internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to.’

    • Norman Marks
      March 12, 2024 at 11:01 AM

      That’s good, although I continue to wonder how many departments report on the quality of the CEO and CFO, let alone the board and its various committees.

      I thought the new Code was supposed to be aligned with GIAS?

      • March 12, 2024 at 11:03 AM

        The Code states, ‘The Code should be applied in conjunction with the Global Internal Audit Standards.’

      • March 16, 2024 at 2:10 PM

        Having read the Code in greater detail, it seems to add to the GIAS. I get the impression that it’s what the UK thinks the GIAS should have included.

  3. Anonymous
    March 13, 2024 at 4:49 AM

    It is an ideal situation. The question should be, to your earlier point on beginning with the end in mind, what do you need in order to provide some form of overall opinion? You need a basis or some criteria upon which you apply your judgment to bring year-to-year comparability. If I need to look back at 2 or more years of audits to understand the picture, how reliable or useful is that?
