Designing efficient and effective audits

Before I start today’s post, may I ask the internal auditors who haven’t already done so to respond to my latest survey, here?

 

Yesterday, I fought a duel (up to you to decide who won) with my good friend, Richard Chambers. It was hosted by Jon Taber (see footnote for the links) on the topic of audit opinions.

At one point, Richard made the excellent point that you shouldn’t provide an opinion without having done the work to support it.

My reply was that you should start the audit with the end in mind.

If you plan to express an opinion at the end of the planned audit on the adequacy of controls to manage specific risks, then the scope of the audit should be designed to enable that opinion.

Do enough work to reach and support your opinion – and no more, unless you desire to audit controls and processes that are not relevant to your audit objectives (“muda”).

One of the fights I have been engaged in for a long time now is against full scope audits, especially those performed on a cyclical basis.

We should (as guided by the IIA’s Standards) be performing risk-based auditing.

That means that we should be auditing the controls over the more significant risks to the achievement of enterprise objectives. That is not the same as auditing the controls over a business process!

When you…
