There are various assurance and consultancy activities that internal audit may undertake which add value to organisational effectiveness, efficiencies and above all, achievement of strategic goals, aspirations and aims.
There is not an absolute distinction between assurance work and consultancy work. Assurance work may lead to the identification of further audit support in terms of a bespoke consultancy engagement. Consultancy work enriches and contributes to the overall assurance that can be delivered to the board and audit committee.
Where the organisation has requested internal audit’s contribution on a project the project manager will create the terms of reference which states the role of internal audit in the project. Internal audit will have to ensure that the role doesn’t compromise internal auditor’s independence.
Linking consultancy work to the delivery of internal audit assurance to key stakeholders
Nature of internal audit consultancy services/roles
Planning for delivery of consultancy services
Professional conduct, consultancy assignments and issues of independence/objectivity
IIA Global's glossary defines consulting services as:
Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.
Internal audit provides 'independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations...'. This is primarily achieved by the planned programme of assurance assignments.
Consultancy work may be driven by risk based planning but may also be at management request where the organisation’s risk and control systems and processes are embryonic or not yet mature, ie where there is no system of risk management or control framework to assure.
Consultancy work adds to internal audits knowledge base and contributes to the overall internal audit opinion and/or assurance rating. However, this needs to be put into context to ensure that it does not lead to a distortion of the materiality of findings against risk and control priorities.
Reporting to the audit committee should incorporate the progress on consultancy engagements as well as the work on the assurance programme for both planned and unplanned work. In fact where governance, risk management and control issues are significant to the organisation Standard 2440.C2 states that they must be communicated to senior management and the board.
The consultancy roles undertaken by internal audit may be one of the following:
Leading a control self-assessment workshop – brainstorming risks and controls, and acting as a catalyst for change.
Induction presentation to new staff regarding the role of internal audit or corporate governance best practice guidance.
Supporting management in imparting appropriate risk and control skills and techniques so that managers are better equipped to undertake their own role effectively
On risk and control issues at all levels within the organisation from strategic through to operational, offering advice but not undertaking any tasks on behalf or instead of management. Advice offered by internal audit and accepted by management does not transfer or reduce management’s accountability for their areas of responsibility.
The above roles may be at the request of management or the board or because of a change programme or project and should add value and improve organisational operations. Whilst consultancy in nature, this type of activity may also provide some level of assurance and may significantly contribute to internal audit’s unique position in terms of being able to provide senior board management with a more holistic view of the organisation, its operations and culture. The output may not be a typical type assurance report – a presentation for instance, may be the preferred method of reporting management.
The extent of consulting work undertaken by internal audit is based on the resources of the function and the assurance programme. Similar to assurance work a programme of work should be produced, although it is recognised that there will be instances where internal audit’s consultancy role may be requested in a business as usual environment rather than being part of the annual internal audit work programme.
Whilst the client may determine and direct a large part of the scope, coverage/terms of reference of a consultancy assignment, the internal audit charter must specify the consulting services that internal auditors may provide, and the circumstances under which they may be provided (Standard 1000.C1).
Care and consideration must be given to ensure that when undertaking consultancy work the internal audit service has the appropriate skills and expertise to undertake the consultancy assignment. Standard 1210.C1 states that:
'The chief audit executive must decline the consulting engagement or obtain competent advice and assistance if the internal auditors lack the knowledge, skills, or other competencies needed to perform all or part of the engagement.'
Internal auditors must also ensure that they exercise due professional care (Standard 1220.C1).
Policies governing the custody and retention of consulting engagement records must be developed along with their release to internal and external parties (Standard 2330.C1).
Whilst standard work programmes may be utilised for assurance work those for consultancy engagements may vary in form and content depending upon the nature of the engagement (Standard 2440.C1).
Consideration should also be given to the following:
When internal and external quality reviews are undertaken consultancy assignments should also be incorporated within samples to ensure they meet the criteria.
Determine does it potentially improve the management of risks and add value to an organisation’s operations (Standard 2010.C1)?
Will the work support management in their role, it should not be a substitute for managers own efforts to address the issue(s) in question?
Does it comply with internal audit’s remit as documented in the internal audit charter which has been approved by the audit committee (Standard 1000.C1)?
Management produce terms of reference to be agreed by all clearly setting out:
Does the approach ensure effective planning and communications throughout?
Has the auditor/audit function covered areas in the consultancy work previously covered by assurance work?
Is the auditor’s independence or objectivity affected (Standard 1130.C1 & C2)?
Would an assignment be declined where management want assurance that findings are not reported upward or not included in overall assurances; or alternatively would internal audit decide to undertake an assurance role instead?
The same auditors should not undertake assurance roles on areas recently worked on in a consultancy role. However, in larger teams it is likely that separate resources are available to undertake ‘independent’ assurance activities.
The standard of work is the same as that delivered for assurance work.
Ensure that final results are communicated to engagement clients.
It should be made clear to management that all consultancy work will be reported to the audit committee and be included in the overall opinion with progress on results monitored to the extent agreed upon with the client (Standard 2500.C1).
The auditor gains a better understanding of the organisation and the work increases to the internal audit knowledge base.
Where internal audit is participating in a working group and contributing to a group report preparation of a supplementary report to provide assurance that these other report(s) fairly reflect internal audits view on risk, control and governance issues, should be provided to management and the audit committee.
Consultancy work offers management confidence that internal audit can support as well as assure, and work in a number of roles with management, for example to embed risk management processes.