The start of a new year can be a time to think about annual internal audit opinions and year-end statements on the control environment. Internal auditors also provide assurance opinions throughout the year, at the end of each engagement. Assurance can be specific to an individual process or risk, but it can also be overarching: a consolidated view across a period of time or area of operation.
Does satisfactory or reasonable mean the same thing to two different people?
Assurance is obvious to an internal auditor. It is an objective examination of evidence for the purpose of providing an independent assessment – according to the IPPF glossary definition of assurance services.
But it’s not straightforward for our colleagues, audit clients and board/audit committee members.
Currently there is no set terminology. Every chief audit executive is free to define the criteria and language for their audit opinion. This makes it difficult for independent board members (trustees, non-executive directors) to compare different organisations, which is particularly relevant within the public sector, where members sit across multiple boards.
Agree or refresh with the board as part of the annual planning process. Definitions should always be agreed and communicated before audit engagements (advisory and assurance) are started.
Create a clear link, using consistent criteria between the assessment of activity-based opinions (audit engagements) and the annual opinion. For example, it is confusing to switch from colours to words.
Type of Opinion | Guidance for when opinion may be provided |
Substantial Assurance | The control environment is sound and operating effectively to mitigate key risks, which is contributing to the achievement of business objectives. |
Reasonable Assurance | The control environment is adequate and controls to mitigate key risks are generally operating effectively, although a number of controls need to improve to ensure business objectives are met. |
Limited Assurance | The control environment is not operating effectively to mitigate key risks. Several key controls are absent or are not being applied to meet business objectives. |
No Assurance | A control environment is not in place to mitigate key risks. The organisation is exposed to abuse, significant error or loss and/or misappropriation. Objectives are unlikely to be met. |
No Opinion | Insufficient internal audit work has been undertaken during the period to substantiate an independent opinion, and internal audit is unable to place reliance on the work of 1st or 2nd lines. The rationale for this will be fully explained in the report. |
NOTE: |
|
Depending on the maturity of your audience, assurance may need to be broken down into control design and control effectiveness. It could also be an overarching opinion or specific to elements such as governance, risk, internal control, financial control, non-financial control, innovation etc.
Here are a couple of examples of how assurance can be defined.
Opinion | Level of Assurance | Adequacy of Control and Design | Effectiveness of Operating Control |
Positive Opinion | Full Assurance | The controls fully mitigate the specific risks. | The controls are operating effectively. |
Positive Opinion | Substantial Assurance | In the main, the controls mitigate the risks, but not fully. | Partial effective operation exists over key controls to a material level. |
Positive Opinion | Adequate Assurance | Some key controls do not fully mitigate the specific risk. | Some key controls are not operating effectively, and/or controls are not adequately documented. Or systemic lapse of minor controls. |
Negative Opinion | Limited Assurance | Many of the deemed key controls are not adequately mitigating the risks in the majority of instances. | The operational effectiveness of the control is poor. |
Negative Opinion | No Assurance | No controls are in place. | Controls are ineffective or it is not possible to assess their effectiveness. |
Take a moment to think about the assurance definitions you use:
A new year. A new beginning.
If your assurance definitions need a tweak, now is the time to do it.