The Institute of Internal Auditors (IIA) define internal auditing as ‘independent, objective assurance and consulting activity designed to add value and improve an organization’s operations’. It helps an organization to accomplish its objectives by bringing a systematic, disciplined
approach to evaluating and improving the effectiveness of risk management, control,and governance processes.
In most cases The internal audit function has substantially changed in recent years from a ‘policeman to an internal consultant, with a governance, and risk focus. But with all of the IIA’s efforts management still sometimes look to internal auditors as policeman, perhaps for the following reasons:
The attitude of some auditors, who still focus merely on inspection and finding mistakes
An outdated mentality still present in the governance of some Internal Audit function
Poor education and orientation for new auditors joining the team.
Internal Audit as an Internal Consultant
I believes the Internal Auditor is uniquely placed in any organization to provide practical consulting advice to Management. However, in order to reach that enhanced level of maturity there are a few steps any organization must consider:-
1. The Internal Audit function should hold itself out within the organization as an internal consultant;
2. The Internal Audit Charter should have a separate paragraph about the consultation services the Internal Audit function can provide
3. Internal Auditors should still be truly independent and not influenced by any internal conflicts that might exist
4. Auditors must be professional and well educated, knowledgeable about the business and come with a proactive and positive attitude;
5. Auditors must develop enhanced negotiation, communication and softer skills to better work alongside the business, as well as developing much deeper technical knowledge about the business itself;
6. Audit teams must be prepared to address risk and provide value-add, practical recommendations
7. Proper planning must take place in line with IIA standards, and audit scoping should include the ‘big pictured, analyze processes from end to end instead of focusing on minutia.; and
8. Auditors must at all times keep in mind the Code of Ethics governing such projects, particularly the need to balance consulting with independence.
These points will help the auditor to provide professional consultation to company management, enabling them to trust the quality of work the internal audit team can provide.
Managing the balance
But after all, isn’t Internal Audit an independent assurance function? To further enhance Internal Audit’s value, the Audit Committee needs to be properly informed about all the consulting services that the Internal Audit Function has provided as part of quarterly reports
The Audit Committee can then ensure that any consulting services do not compromise the independence of the Internal Audit Function, as well ensuring these value-add activities do not affect the progress of the annual internal audit plan.
Management of the Internal Audit Function must therefore build into the annual internal audit plan time for these value-add consulting services in a way that balances its assurance and consulting roles. This is fundamental at the planning stage to ensure that the Internal Audit Function does not focus on consulting services to the detriment of its core assurance function.
There may also be times when management want Internal Audit to undertake a consultancy assignment but seek some
form of assurance that any findings will not be reported upwards or included in Internal Audit’s overall reporting
to the Audit Committees. In such cases the assignment should be declined; the circumstances may cause Internal Audit, in
its assurance role, to want to investigate the reasons behind such a request in case it is an indicator of hidden issue.
Being able to undertake consultancy work further adds to Internal Audit’s knowledge base about risk, control and governance and
therefore makes a contribution to the overall internal audit opinion.
A benefit to any Internal Audit function is that individual internal auditors may have knowledge, experience and skills other than their internal audit skills which management would like to exploit.
For instance, internal auditors may also have particular training, experience or qualifications in IT, accountancy or legal issues.
If a consultancy assignment is to be delivered in which these skills will be of particular benefit it will, of course, make
sense to deploy those internal auditors who have these skills on the assignment. However, it will be necessary to make clear in the agreed Terms of Reference for the assignment that the Internal Audit Function can only be accountable for ensuring due professional care is taken
in developing advice offered on risk and control issues. If management choose to place reliance on specialist advice, drawing on skills beyond the internal audit skill set this must be at their own risk. An acceptances by management of advice given to them, of course, involves acceptance by management of accountability for the consequences of implementing the advice; it may be beneficial to note this in the agreed Terms of Reference for the assignment.
When establishing the formal consultancy role and in the strategic planning of the Internal Audit function it will be appropriate to assess the need for consultancy services. Elements of this assessment may include:
1. Consideration of past annual audit opinions; the more general improvement that is required in the organization’s risk, control and
governance the higher the need for consultancy activity is likely to be.
2. Consideration of the rate at which the organization and its risk, control and governance is changing. The higher this is, the more need there is likely to be for consultancy services.
3. How much of the consultancy advice being brought in could be satisfactorily and more economically delivered with the Internal Audit skills-set and how much is reliant on different specialist and technical skills.
4. An assessment of management demand. To what extent would management like to request consultancy services from Internal Audit?
5. The capacity of Internal Audit to deliver consultancy services. The consultancy role must not undermine the ability of resources to deliver
assurance work and in the short term Internal Audit may have very limited resources for consultancy work. If it is intended to increase Internal Audit’s capacity to deliver consultancy services there will be a lead-time associated with the recruitment of appropriately
It is also important that consultancy services are offered to support management in their work, not to be a substitute for management’s own efforts to address the issue in question.
The consultancy role should offer management participative advice and support in their activities.
In summarizing, I encourage all Internal Auditors to keep in mind the following when planning to conduct a consultancy assignment:
1. There should be a detailed plan setting out the scope of what is to be reviewed.
2. The objectives should be defined at least in output terms, and ideally in outcome terms.
3. The exact role of the internal auditor should be defined and we should always made it clear that internal audit is not part of any sign-off decision mechanism.
4. Reporting formats should be defined, for example will there be a specific audit report or will the internal auditor’s work contribute to a report generated by a multidisciplinary working group.
5. Timing issues should be defined in detail, including the amount of staff days allocated and targets in terms of elapsed time.
6. Both internal and external quality reviews should encompass an appropriate proportion of consultancy assignments in
their review samples.
Finally for more information and guideline about consultancy services you can visit the following link:-