The definition of internal auditing was amended with much debate in 1999 to include consulting as
an explicit and distinct part of its role. Those opposed to broadening the definition in this way raised
four main objections:
- Internal audit had always included a consulting element through the recommendations it delivers within an assurance engagement and, therefore, it is unnecessary, unhelpful, and perhaps even damaging to separate it out.
- Consulting is not a distinctive activity, as many other functions offer advice and guidance to management. The primary value of internal audit comes through the delivery of assurance.
- There is a potential conflict of interest if internal audit takes on a consulting role separate from the delivery of assurance.
- The new definition includes both assurance and consulting with no indication of which is more important—the natural conclusion is that there should be an even split between the two activities. However, while consulting may be a trendier or more attractive role, assigning it undue emphasis could damage the primary focus for internal audit, which is and should remain assurance.
Despite these arguments, it has proved tremendously helpful to the profession and its stakeholders
for the definition to make clear the two ways in which internal audit adds value with independence and
objectivity. This has been supported by the development of corresponding standards and guidance that
provide much needed assistance for implementation. It is important to point out that the internal
auditors can only recommend, as they are not in a position to implement such actions, and
management is free to accept or reject any proposals.
In addition to the features that consulting and assurance engagements have in common, there are
some significant differences (see below). In practice, it may sometimes be hard to separate assurance
and consulting. For one thing, it is common for an assurance engagement to address weaknesses in
internal control and offer recommendations for improvement, and for a consulting engagement to
contribute to an overall audit opinion. Indeed, it is a requirement of the Standards that information
garnered through consulting be applied to the auditing of risk management:
- Internal auditors must incorporate knowledge of risks gained from consulting engagements into their evaluation of the organization’s risk management processes.
- Internal auditors must incorporate knowledge of controls gained from consulting engagements into evaluation of the organization’s control processes.
in the first place, leading to discussions with management regarding actions. Consulting, on the other
hand, can provide additional assurance by giving management detailed insights on a particular aspect
of the organization. The internal auditor should take care when framing an opinion on the basis of a
consultancy assignment to avoid any distortion regarding the materiality of the findings with respect
to risk and control.
Standards defines consulting services as follows:
Advisory and related client service activities, the nature and scope of which are agreed with
the client, are intended to add value and improve an organization’s governance, risk
management, and control processes without the internal auditor assuming management
responsibility. Examples include counsel, advice, facilitation, and training.
Consulting services are advisory in nature, and are generally performed at the specific
request of an engagement client. The nature and scope of the consulting engagement are
subject to agreement with the engagement client. Consulting services generally involve two
parties: (1) the person or group offering the advice—the internal auditor, and (2) the person
or group seeking and receiving the advice—the engagement client. When performing
consulting services, the internal auditor should maintain objectivity and not assume
management responsibility.
Despite the origin of the consulting engagement, the skills and insights that enable an internal auditor to follow a risk-based approach in evaluating controls and delivering an opinion on their effectiveness are also highly valuable when providing constructive advice about systems development and business improvement.
However, assurance and consulting are distinct. If an assurance engagement identifies the potential value that consulting may bring to the same area of review, the scope must not shift from assurance to consulting without setting out a new proposition. If significant consulting opportunities arise during an assurance engagement, a specific written understanding as to the objectives, scope, respective responsibilities, and other expectations should be reached and the results of the consulting engagement communicated
in accordance with consulting standards.