The audit opinion
Senior management and the board often expect an overall audit opinion from the Chief audit executive (CAE) about the organization’s risk management process and system of internal control. This opinion can be one of positive or negative assurance.
The IIA recommends in its paper Practical Considerations Regarding Internal Auditing Expressing an Opinion on Internal Control that when the CAE is issuing an opinion on internal control, he or she needs to consider the scope of the audit work and the nature and extent of audit work performed, and evaluate what the evidence from the audit says about the adequacy of internal controls. Such an opinion should express clearly:
• The evaluation criteria and structure used
• The scope over which the audit opinion applies
• Who is responsible for establishing and maintaining internal control
• The specific type of opinion being expressed by the auditor
The IIA also recommends that CAEs consider a few other items in this process:
1. Be careful that the opinion expressed is consistent with the internal audit activity’s charter as approved bythe board and supported by a sufficient amount of audit evidence.
2. Resist expressing an opinion related to a subject that is inconsistent with the charter.
3. Do not express an opinion that is not supported by sufficient audit evidence.
4. Understand fully the reason and proposed use of any opinion he or she is requested to use.
5. Ensure that any opinion is appropriate for its intended use and audience.
With regard to Sarbanes-Oxley Section 404, a number of CAEs have been asked to sign an attestation stating that internal auditing has evaluated ICFR and found either that the controls were effective or that they have material weaknesses or deficiencies.
These attestations are often drafted based on the attestation to be signed by the CEO and CFO of the organization for inclusion in the annual filings with the SEC.
The IIA recommends that CAEs carefully consider the wording of such an attestation before signing it. Signing an attestation is similar in effect to expressing an opinion and is subject to the concerns discussed above. The IIA further recommends that CAEs consider:
• Whether a positive or negative assurance opinion is appropriate for the situation
• Limiting the opinion to the areas that have been audited according to the audit plan
• Not implying that the CAE has any management responsibility for internal control as part of his/her opinions expressed in support of Section 404
• Whether there has been any impairment of internal audit’s independence and objectivity
A good audit opinion should be characterised by high audit independence.