Internal auditors have always had a problem expressing an opinion - or rather, expressing an opinion that others take the right way, with a proper understanding of its scope and type and the criteria used to produce it.The issue has come to the forefront recently as more corporate officers and audit committees respond to the demands of the Sarbanes-Oxley Act, especially Section 404, which requires officers to certify that their internal controls are sound and effective.
Understandably, these officers often rely on internal auditors to confirm that internal controls are adequate. They ask for an opinion from the chief audit executive, though neither they nor the CAE really know the scope and validity of the requested opinion. Understandably, the CAE is often reluctant to provide such an opinion.
In response to the widening need for clarification and advice, the Institute of Internal Auditors has released a position paper, "Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control."
IIA president David Richards said that his organization's paper should help auditors and audit committees understand what they're talking about when they talk about opinions.
"A lot of internal audit departments are being asked to sign a statement for management or to do something, and we're saying that internal auditors should be careful that they don't just cavalierly sign a piece of paper without having thought through the ramifications and knowing what they're being asked to sign for," Richards said. "If you have professional judgment, you should not have to give it up just because somebody asked you to sign something."
Richards said that the paper was recently downloaded from the IIA Web site 3,200 times over a two-week period - more than three times the number of downloads of another IIA paper, on outsourcing, that was issued at the same time.
Many internal auditors have never expressed opinions on the adequacy of controls for organizations as a whole. Rather, they have only identified specific weaknesses that they have found. The readers of such a limited opinion, Richards said, have no way of knowing how to interpret its significance. Too often, such a limited opinion is interpreted as a certification of excellence or even perfection.
Larry Harrington, vice president of audits at Raytheon, who helped author the paper, agreed that internal auditors have been reluctant to issue opinions.
"Internal auditors are not used to giving an overall opinion," Harrington said. "You may do 50 audits a year, but you express an opinion on each one. Expressing an opinion on the entire system of internal controls can be difficult because you have not audited everything. This position paper talks about the fact that audit committees are moving toward asking internal audit for overall opinions on internal control within the company, so the struggle that the internal auditor has is whether the various individual audits are enough for the auditor to give the audit committee an opinion on internal control across the entire company."
Very often, the paper stated, audit committees do not give internal auditors sufficient resources to conduct an overall audit that justifies the opinion that the committee is requesting. The paper helps audit committees understand the different kinds of opinions that they can request and what kinds of information are needed for each.
The IIA paper differentiates between negative assurance (the assurance that nothing wrong was found) and positive assurance (the assurance that a system has been positively identified as effective and without flaw).
The paper also noted that opinions can vary in scope, from an assessment of an isolated system, to an assessment of an entire organization. Typical internal audits focus heavily on internal controls related to transactional processes, but do not necessarily extend to broader aspects of internal controls.
Likewise, the criteria that support the opinion may be limited to a specified few areas, yet interpreted as being general or comprehensive, and the evaluation structure can be so vague as to be meaningless in interpretation.
Differences of opinion
While the major points in the paper might seem to be self-evident, the members of the committee that wrote it were not always in complete agreement. One big issue was over defining what constitutes an opinion.
"There are auditors who don't want to express a hard opinion," said Warren Malmquist, vice president of global audit and ethics at Coors-Molson Brewing Co., who chaired the committee. "They don't want to put their jobs on the line or stick their necks out because what if they're found to be wrong? Does that mean they're not a good auditor? Do they lose credibility?"
Malmquist said that most auditors do give opinions of some sort, often just orally. When it comes to putting certain opinions in writing, however, they see a lot more of what he calls "personal liability" - not necessarily legal liability, but the liability that involves competence and credibility.
In the discussion over the concepts of positive and negative assurance, Malmquist argued that the latter was a "low-value opinion." The IIA paper makes it clear that positive assurance opinions not only imply that controls are adequate, but that "sufficient evidence was gathered to be reasonably certain that evidence to the contrary, if it exists, would have been identified."
"Negative assurance," Malmquist said, "tends to come from auditors who don't want to give an opinion or have not performed enough work."
Malmquist pointed out one point of controversy that was not resolved in the paper - the question of outsourcing. Very often, external providers of internal audit services are reluctant to offer opinions. They may give resident internal auditors the criteria and specifics behind their findings, but they leave it to the resident to express the opinion.
Malmquist said that he is uncomfortable with external providers unwilling to express an opinion, and with audit departments using outsourced information as the basis of an opinion. The paper does not resolve the issue, but Malmquist said that it helps by establishing the need for definitions about the audit. Given those definitions, internal and outsourced auditors can contribute to an opinion.
"What some of us are calling for is that contracts with outsource providers for work that has an assurance objective, that contract should ask for an opinion in accordance with the internal auditor's definitions," Malmquist said.
Harrington called the paper "a first step."
"Hopefully, this will get people talking in a constructive way about what an auditor can or can't, should or shouldn't provide to an audit committee," he said, "and to form a discussion that the chief executive can have with the audit committee when asked about some of these issues."
