Assurance and Consulting
There is a range of internal and external customers for assurance provided by internal audit. The primary customer is, classically, the audit committee of the organization. While it is often the case that internal audit reports elsewhere in the organization, most internal auditors say that they serve the organization through the stewardship of its owners, the board, or its equivalent. (In mature organizations this is reflected in the internal auditor’s reporting lines—to the audit committee for functional purposes and to the chief executive for administration.) The audit committee is the board’s agent for assurance.
The audit committee has three basic sources for the assurance it needs: organizational management, who are resourced to run the organization, have (as a group) full knowledge of its operations, and have a responsibility to account for their activity; the internal auditor, who should be resourced to examine the critical risks of the organization and is independent of management operations; and external audit, who are resourced to examine the financial statements of the organization and offer an opinion that is independent of both management and internal audit.
The mutual independence of the three arms of assurance is critical. In some circumstances, it is appropriate for the audit committee to seek confirmation from all assurance sources before making critical decisions. Any activity that might impair independence or objectivity will limit the value of the assurance provided and therefore limit the confidence of the audit committee—consulting activity can impair objectivity.
Most of the risks of the organization are beyond the scope of the external auditor. The reliability of the critical control systems for these risks is attested only by management and internal audit. In these circumstances any impairment to internal audit objectivity can be a serious issue.
While management might see assurance as little more than a statement of comfort, from the auditor’s point of view there are three components: a model of what ought to occur (the normative model); an evidence-based assessment of what is occurring; and an analysis of the difference.
For the internal auditor, identifying the normative model is often an arguable process; it is only occasionally provided by an external authority, such as accounting standards. Frequently the organization has not specified the manner in which it should operate, or even the mechanisms by which performance will be measured. The internal auditor’s first task might therefore be to construct a normative model for the organization.
Even when the organization has a model of operation, it is the internal auditor’s duty to consider whether that model adequately addresses the organization’s risks. Internal auditors are required to apply their own judgment about whether the level of risk being accepted by the organization is appropriate. The assurance that comes from this process has a level of consulting implicit within it.
Many internal audit service providers, perhaps driven by fear of an increasingly litigious society, are unwilling to provide any form of assurance at all. This seems to arise from confusion between “assurance” as used by internal auditors and what an external auditor means by the word.
As soon as the internal auditors provide recommendations to management, they have stepped from the area of assurance into that of providing advice. This is, strictly, consulting. Some internal auditors feel uncomfortable about providing recommendations because they believe that it will impede their independence should they review the same area again. However, when a process fault has been properly analyzed by the internal auditor, the next step—suggesting a solution—is logical. Often the solution will be jointly developed by the internal auditor and responsible members of management, but it still is delivered with the internal auditor’s (implicit) approval.
The internal audit function of many organizations is a significant pool of talented individuals. These individuals, by the nature of their roles, can develop a deep understanding of the organization. When the introduction of new systems or processes is contemplated, internal auditors are in a position to provide sound advice, based on their knowledge of the organization and their skill in the analysis of control systems. This type of consulting activity is an extension of the assurance process. While it is in relation to an activity that has not yet commenced, and is in the form of strong advice, the commentary of internal audit should still be regarded as recommendations and not as instructions. Some organizations ask their internal auditors to sign off or approve the implementation of systems or processes. This act moves the internal auditor from the role of adviser to the role of manager and is extremely dangerous; it makes the internal auditor partially responsible for the system or process.
The conduct of consulting activities by internal auditors is still constrained by the internal auditing standards. This has a number of direct benefits, as all the conclusions and observations made by the internal auditor will continue to be based on robust evidence.
These same standards that make the work of the internal auditor valuable also mean that internal audit consulting cannot be a private service. If the internal auditors observe control faults, or risks that would be reported if the project were an assurance review, they are required to report these issues (or make sure that they are reported) to responsible management and the audit committee.
An extreme form of consulting is where an internal auditor is seconded to a line area for a defined period. During this time they are not operating as an internal auditor and the removal of this individual from the internal audit function must be transparently reported. Such a situation encompasses many of the same issues that arise when an internal auditor is given a consulting function.