The nature and extent of consulting to be offered by the internal audit activity must be set out clearly in the charter (in accordance with Standard ) and, like all activities undertaken by the internal audit function, must be limited to those tasks that can be performed competently by available capabilities. Standard states that:
The chief audit executive must decline the consulting engagement or obtain competent advice
and assistance if the internal auditors lack the knowledge, skills, or other competencies
needed to perform all or part of the engagement.
This is in contrast to assurance engagements, which are not to be declined if resources are lacking
internally. (In such assurance cases, resources would be secured from other sources.)
Advisory work focuses on governance, risk, and control, which form internal audit’s primary
knowledge base. Consulting can take many forms.The various kinds of consulting services the internal auditors may provide or contribute to include:
- Business process improvement.
- Continuous monitoring.
- Control self-assessment of risk and control self-assessment.
- Forensic auditing.
- Governance and ethics training.
- Internal control review.
- Internal control training.
- Participation on committees or task forces.
- Readiness.
- Review of a new product or service before implementation.
- Risk self-assessment.
We will focus on seven types of consulting engagements related to risk management:
- Assisting in the identification and evaluation of risks through an analysis of strategy and the internal and external environments.
- Developing management’s capabilities in respect to risk responses by providing coaching
- Helping to draw risk management activities together across the organization in a more coherent, effective, and deeply embedded fashion
- Strengthening risk reporting by ensuring it is timely, relevant, and focused.
- Maintaining and improving the risk management framework through a combination of testing, validation, and the offering of potential solutions to identified weaknesses .
- Promoting risk management across the organization by acting as its champion (IV.F).
- Advancing the progression toward greater risk maturity by developing the risk management strategy.
There are several characteristics, as well as important differences, that assurance and consulting
engagements have in common. The similarities arise from the simple fact that any activity carried out
by the internal auditors should be delivered in accordance with high standards of professional
practice. More specifically, both types of internal audit engagements must be:
- Defined in the internal audit charter.
- Delivered by the internal auditors with:
- Due professional care.
- Independence and objectivity
- Needs and expectations of clients, including the nature, timing, and communication of engagement results.
- Relative complexity and extent of work needed to achieve the engagement’s objectives.
- Cost of the consulting engagement in relation to potential benefits.
Furthermore, if it is clear at the outset that if there are any impediments to independence or
objectivity, they must be declared before accepting the engagement. This is also evident in the
Standards:If internal auditors have potential impairments to independence or objectivity relating to proposed consulting services, disclosure must be made to the engagement client prior to accepting the engagement.
The overriding safeguard is that, under no circumstances, should the internal auditors take
responsibility for risk management. It is also clear that a consulting engagement should not be
accepted simply because management requests it. It must be relevant and planned.