Internal Audit adds value by objectively evaluating and making recommendations in respect to the internal control environment. This is the traditional ‘third line’ view of internal audit based on the Three Lines Model by the Institute of Internal Auditors.
But consider the following scenario:
- As part of the development of the organisation’s next internal audit plan, management tells the Chief Audit Executive (CAE) that “Process A” is completely defective. It’s not working as intended, there are some large risks, there are regular issues and errors and Process A desperately needs review.
- At management’s request, the CAE includes an internal audit of Process A as a high priority on the audit plan.
- Internal audit conducts an assurance audit of Process A and confirms that it is indeed a mess and needs urgent review and remedial action. Remedial options are presented and recommendations for improvement are made.
- Management expresses disappointment in the audit outcome because they already knew the process was broken and they thought an audit would help to fix it.
- Management defers or disagrees with the timing of a number of audit recommendations because there are insufficient resources available to fix the problem.
Sound familiar? How much value has internal audit really added?
The role of internal audit
Often the root cause of the above scenario is a lack of understanding about the potential roles that internal audit can play.
According to the Institute of Internal Auditors, the definition of internal audit is:
“… an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
This definition recognises that internal audit can undertake two broad types of activities – assurance and consulting. Whilst assurance engagements are relatively commonplace and generally well understood, internal audit consulting engagements are perhaps less prevalent.
Internal audit as consultants
The Internal Audit Standards define consulting services as:
“Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organization’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.”
Going back to our scenario above, would a better approach be to consider whether internal audit could provide consulting services to assist those responsible for Process A to design and implement process improvements and more robust controls? Rather than spending time and resources independently corroborating what management already knew, wouldn’t it be better to get in and help fix the problem?
The above scenario highlights a common problem whereby management and even the internal audit function have a limited or conflicting view of the role of internal audit. There is often an automatic assumption that everything on the audit plan is an assurance assignment that involves testing of controls and providing assurance. If consulting or advisory services are required, these typically get added to the internal audit work program as extras or one-offs after the plan has been adopted.
Extracting more value from internal audit
But there is no reason why the audit plan can’t include consulting assignments. If an area or process has already been identified as requiring remedial action and the responsible business unit needs help and assistance to do this, why can’t it be included on the audit plan as a consulting engagement?
This is envisaged by the Internal Audit Standards which state:
“2010.C1 – The chief audit executive should consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.”
The Standards also provide considerable guidance on everything from scoping a consulting engagement to ensuring that internal audit maintains independence and doesn’t assume management responsibility.
For example, the Standards state:
“2201.C1 – Internal auditors must establish an understanding with consulting engagement clients about objectives, scope, respective responsibilities, and other client expectations. For significant engagements, this understanding must be documented.
2210.C1 – Consulting engagement objectives must address governance, risk management, and control processes to the extent agreed upon with the client.
2210.C2 – Consulting engagement objectives must be consistent with the organization’s values, strategies, and objectives.”
Overcoming internal audit independence issues
In relation to the potential for a consulting engagement to impair a future assurance review, the Standards provide:
“1130.A3 – The internal audit activity may provide assurance services where it had previously performed consulting services, provided the nature of the consulting did not impair objectivity and provided individual objectivity is managed when assigning resources to the engagement.”
If there are concerns that a consulting engagement may impair a future assurance review, another option would be to outsource the assurance review, especially if it is within a year or two of the consulting engagement. Diagram 1 below provides some guidance on consulting roles that internal audit should and shouldn’t undertake.
Diagram 1: Consulting roles internal audit should and shouldn’t undertake
As indicated already, part of the problem may stem from a lack of understanding by management and the Audit Committee that internal audit can play a consulting role as well as an assurance role. If this is the case, then there is a need for CAEs to educate management and the Committee about the different ways in which internal audit can add value to the organisation.
In some jurisdictions, there is a specific requirement for Audit Committees to look at business improvement initiatives. For example, the NSW Local Government (Governance and Planning) Act 2016 will, once commenced, require councils to have an Audit, Risk and Improvement Committee. Amongst other things, the Committee will be required to keep under review programs and measures to improve the performance of council and the services it provides. This could be partly achieved through engaging internal audit to undertake or assist with service reviews and process improvements.
So in summary, it is really important to understand the role internal audit can play in your organisation to add value. Next time someone suggests that an internal audit of a broken process would be a good idea, consider whether a consulting type engagement to help fix the process would be preferable to an assurance audit that confirms what everyone already knew. If it is, then, subject to resourcing, experience and capacity constraints, include it on the internal audit plan.
How we can help
InConsult is committed to helping organisations better understand the benefits and value of internal audit. We have extensive experience in internal auditing, risk management, probity, fraud and corruption prevention, cyber security, crisis management, business continuity, climate risk management and pandemic planning.
If you would like to know more about our internal auditing services, contact us to discuss your needs.