Annual internal audit opinions

Do you provide an annual internal audit opinion to your board or audit committee?

 I first wrote about annual internal audit opinions in 2020. With the Global Internal Audit Standards now in place it seemed like a good time to revisit my views on this topic.

 Why provide an annual internal audit opinion?

 In some sectors, providing an internal audit annual opinion is old news. The public sector has been doing this for years. Similarly annual opinions were a recommendation of the Chartered IIA’s very first Code of Practice in 2013, Effective Internal Audit in the Financial Services Sector.

 In October 2024 The Chartered Institute of Internal Auditors published its Internal Audit Code of Practice, for the first time creating a Code for effective internal audit in financial services, private and third sectors (previously there had been two separate codes). Principle 11 of the Code covers annual reporting:
 
“At least annually, internal audit’s reporting to the board audit, board risk and any other board committees should include an overall opinion on the effectiveness of the governance, and risk and control framework of the organisation, and its overall opinion on whether the organisation’s risk appetite is being adhered to. This should support any board disclosure on the organisation’s risk management and material controls and should highlight any significant weaknesses identified.”
 
For the UK Public Sector, the requirement for an annual internal audit opinion also remains. Although the Public Sector Internal Audit Standards will go, the Application Note: Global Internal Audit Standards in the UK Public Sector applies to central government, local government and health bodies in the UK from 1 April 2025.
 

However the driver for an annual opinion could well be the assurance needs of the board or audit committee, who are seeking a formal assurance opinion to support their year-end disclosures.

 Preparing to provide an opinion

Probably the most important piece of advice

 I can share is that you need to

plan ahead to provide an opinion.

 It is fair to say that at the end of the year you could put together an opinion even if you had not known at the start of the year you would provide one. However, an opinion is an important piece of assurance, and one that boards and audit committees should take seriously and be using to support their own year-end conclusions and disclosures.

Providing an annual opinion should not be taken lightly, with the preparation for the opinion commencing as the plan is developed. I set out questions for heads of internal audit who are thinking ahead to their annual opinion.

 Has the internal audit function undertaken sufficient work to be able to provide an opinion?

 The Code recommends an assessment of the overall effectiveness of the governance, risk management and control. Many heads of internal audit may feel comfortable regarding the element of control; I find that many query what work is needed to be able to satisfy the elements relating to governance and risk management. The Code does not mean that a standalone audit of governance and of risk management must be undertaken each year; the internal audit function should be able to draw out themes from its work to form the opinion. This will require planning in advance.
 
What may be more difficult is to opine on whether the organisation is operating within its risk appetite, especially if the board and top management have not set a clear tone for risk and culture in the organisation. Again, this is likely to be thematic in nature, drawing on all audit work undertaken during the year. This is a great example of where the results of advisory work can support internal audit’s views.

 The challenge of internal audit resources and budget also looms large here. By planning in advance, heads of internal audit can be clear with audit committees well in advance if they believe they do not have sufficient resources to undertake enough work to support an opinion.  Domain III of the Global Internal Audit Standards sets expectations and I hope will result in more audit committees being clear about the budget and resource (and needs vs actual) for internal audit which should help this discussion.

 Who is the audience for the report?

While the audit committee is likely to be the direct recipient, the report could also be shared with the senior management team and / or the board. Many audit committees will quote or refer to the internal audit opinion in making their own annual report to the board, and therefore the opinion should be written in such a way to support this. If the organisation is regulated, there may be an expectation that the regulator will receive (or at least review) a copy of the report or opinion.
 

 When should we provide the opinion?

 Typically the opinion is provided after year-end but in time to inform governance statements, annual reports and disclosures by the board. Timescales can be tight, so providing a mid-year opinion or draft opinion can be helpful. For example a month 9 view from the head of internal audit would give the audit committee a view on what the end of year opinion may be.

 How should the opinion be worded?

My personal view is that an overall conclusion statement is useful, but that it must be supported by clear rationale.

Some teams in the public sector have been using wording that may feel more akin to the type of assurance statement that is given in an assignment report, often accompanied by a colour coded graphic. Other teams provide a more narrative commentary, avoiding using words that can be seen as a particular ‘thumbs up’ or ‘thumbs down’. Internal audit functions which prefer this approach may also prefer to provide more information on themes or trends observed during the year.

 In the past some parts of the public / quasi-public sector in the UK have issued guidance on the wording and format of internal audit opinions.
 
Standard 11.3 of the Global Internal Audit Standards also provides useful information that should be included in the communication of an organisation-wide conclusion.

 What is the scope of the annual internal audit opinion?

The opinion should clearly explain the time period it covers. The opinion would normally cover the remit of internal audit, as set out in the internal audit charter. If there is an area where internal audit has not provided coverage, or judges that it would not be appropriate to provide an opinion, this should be explained.

 Placing reliance on the work of other assurance providers

Where internal audit is placing reliance on the work of other assurance providers rather than undertaking work itself, internal audit should have undertaken an assessment of the quality of the work of the assurance provider. It is useful in the annual report (and the annual plan) for internal audit to explain where it is planning to place (or has placed) reliance on other assurance providers. This may be more straightforward for an organisation with an assurance map as part of its governance or risk management framework. 

 Don’t forget, if internal audit decide not to audit a risk area because another assurance provider is active in that space, this does not count as placing reliance unless the internal audit function has done enough work to be sure of the breadth, depth and quality of the work of that other provider.

What about areas not covered by internal audit?

It is not realistic for internal audit to provide coverage of all controls, entities, or risks during any one year. Any opinion or overall assessment should be clear on the limitations of internal audit’s coverage.
 
However, internal audit don’t need to limit their opinion to only those areas where there has been a formal assurance engagement. Advisory work undertaken by internal audit will provide useful insight on a variety of areas including attitudes and culture to risk and control. The fact that internal audit has not been able to provide assurance may also inform the annual opinion.

 I remember providing advice to a head of internal audit who ended up qualifying the annual opinion due to inadequate business continuity arrangements, even though internal audit had not audited this area in the recent past. What was the rationale for this opinion?

• The internal audit team had flagged business continuity as an area where it believed assurance was required.

• Management pushed back, stating that arrangements were still being updated and finalised, and that it would be too soon for formal assurance in this area. By the end of the year (some 15 months after a draft of the plan was discussed with the audit committee), management still made this assertion.

• The head of internal audit made the decision that this should be flagged in the annual internal audit report to emphasise concern about unmitigated risks due to the slow pace of implementation of the business continuity arrangements.

 
Lastly, I suggest that Heads of Internal Audit do not rush into making an opinion. It may be mis-leading if the Audit Committee infers more assurance from the opinion that Internal Audit believes it can provide. A frank and open discussion with the Committee about the scope and format of the opinion, and the work required to form such an opinion is vital.

Quick reference links:

Global Internal Audit Standards, IIA Global, 2024

Application Note: Global Internal Audit Standards in the UK Public Sector

Internal Audit Code of Practice: Principles on effective internal audit in the financial services, private and third sectors

Are you preparing an annual internal audit report for the first time, or looking to revamp your approach? We can provide support, drawing on great examples and lessons learned from a variety of organisations. Get in contact now to discuss how we can help.

This article last updated 10 February 2025