This Practice Guide is provided as a service to members of The IIA.
IIA members: Please LOGIN to download a FREE copy (PDF).
Non-members: Add this item to your shopping cart to purchase a copy for download. Please allow 48-72 hours after placing the order to receive an email containing the link and access code to download your purchased product.
Learn more about the value of an IIA Membership.
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as:
- Tools and techniques,
- Step-by-step approaches
- Examples of deliverables
Practice Guides are part of The IIA's International Professional Practices Framework. As part of the Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process.
This document provides practical guidance to internal auditors who wish to form and express an opinion on some or all of an organization’s governance, risk management, and internal control systems.
This may be applicable to and useful for:
- Chief audit executives (CAEs)
- Executive and operating management
- Other assurance providers (OAPs)
- Other professional regulatory bodies
Internal audit is being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report as well as on the overall adequacy of governance, risk management, and control within the organization. These requests may be for an assurance or opinion at a broad level for the organization as a whole (macro-level opinion) or on individual components of the organization’s operations (micro-level opinion).
Examples of macro and micro opinions include:
- An opinion on the organization’s overall system of internal control over financial reporting (macro)
- An opinion on the organization’s controls and procedures for compliance with applicable laws and regulations, such as health and safety, when those controls and procedures are performed in multiple countries or subsidiaries (macro).
- An opinion on the effectiveness of controls such as budgeting and performance management, when such controls are performed in multiple subsidiaries and coverage comprises the majority of the organization’s assets, resources, revenues, etc. (macro).
- An opinion on an individual business process or activity within a single organization, department, or location (micro).
- An opinion on the system of internal control at a subsidiary or reporting unit, when all work is performed in a single audit (micro).
- An opinion on the organization’s compliance with policies, laws, and regulations regarding data privacy, when the scope of work is performed in a single or just a few business units (micro).
Item Number: 10.1178