While there are known risks and challenges for internal auditors in combining the roles of auditing and consulting, these can be overcome through adherence to the guidance from the International Standards for the Professional Practice of Internal Auditing published by the Institute of Internal Auditors (IIA) in the execution of the internal auditor's mandate.
In today's fast paced and dynamic business environment, the reality is that management within organisations requires more than just assurance. They want a partnership from which they can derive advice to take their business to greater heights. Rather than just a recommendation, organisational management is looking for a strategic action plan on the way forward, taking each point of the value chain as well as cost/benefit analysis of recommendations into consideration.
However, the challenge here is that the auditor's independence may in fact or appearance, be threatened by the consulting role. Here the auditor might, whilst performing consulting services, take on certain management functions or decision making roles which may contradict the stipulation of the IIA standards. Thus, it may become difficult to identify the distinction between the assurance responsibilities of the auditor and their role as an advisor/consultant to management.
With many audit committees being of the opinion that the auditor's primary responsibility is to provide assurance on the adequacy and effectiveness of risk management, governance, and compliance management, and the view that consulting services will impact negatively on this primary responsibility, there may, in certain instances, be a lack of support from the audit committee should the auditor take on this consulting role for management.
Another complicating factor is that the pressure of limited resources available to the auditor requires prioritisation, thereby affecting the ability of the auditor to supplement the assurance value provided to the organisation, through consulting services.
However, that being said, these challenges can be overcome. The IIA standards are clear that where consulting services will assist with the management of risks, add value, and improve the organisation's operations, the auditor can perform the consulting role.
The standards are also very clear that whilst undertaking these services, the auditor must maintain objectivity and must not assume the responsibilities of management. In addition the standards also stipulate that the auditors can only perform assurance reviews on the functions for which they provided consulting services after a period of 12 months has elapsed from the date on which the consulting services were provided.
Important is to agree on the scope and nature of consulting work upfront. It is essential that management and the auditor formally assess the risks, if any, associated with performing the consulting engagement before it commences. If an auditor perceives a potential threat to independence or objectivity by undertaking certain consulting services, this must be disclosed, discussed and addressed with the client requesting the consulting services prior to accepting such consulting services.
When it comes to the challenge of audit committees, this can be overcome through the demonstration of value derived from certain consulting engagements. In an environment where the controls need to be improved, the auditor must be able to demonstrate to the audit committee that more value will be derived from assisting management to enhance the maturity of controls rather than attempting to provide assurance in an environment where there is evident lack of controls.
This is what typically leads to repeat findings that demonstrate no improvement in the control environment. Audit committees will, however, only become convinced over time when management realise and demonstrate an improvement in the maturity of controls due to the consulting services provided by the auditor.
To address the pressure of limited resources, this too can be overcome through the demonstration of value provided by the auditor. Ultimately, when management experiences thorough value and increased improvement in their operations from consulting interventions offered by the auditors, they become more inclined to provide the budget for consulting services in addition to audit/assurance services.
However, at the end of the day, the auditor must also demonstrate to the audit committee and management that they possess or can access the requisite skills or knowledge to provide management with consulting services and that independence and objectivity will not be compromised in the process.
