So I was prompted to think about internal audit consultancy this week.
What is it? Well it certainly is a misnomer, because true consultants of the Bain, McKinsey etc type actually impose. Imposers rather than consultants. The whole point (and cost) of these guys is to provide their expertise, which the buying organisation does not have, to deliver a change or recommend a change. The problem with this, as I’ve written on this blog before, is that it does not take account of the organisation it is being delivered to. In other words it is context independent knowledge, not context dependent knowledge.
So if we try to define it more clearly. The IIA standards for internal auditing say they are:
‘Advisory and related client service activities, the nature and scope of which are agreed with the client, are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.’.
But compare this to the definition of assurance:
‘An objective examination of evidence for the purpose of providing an independent assessment on governance, risk management and control processes for the organisation. Examples may include financial, performance, compliance, system security and due diligence engagements.’
Spot the difference? I can’t see it. If we think about what a consultant does, they look at objectives and look at improving the processes and chances of delivering it. Well I think that sounds similar to the above as well. The only differences I see are that audit is imposed by an independent auditor, consultancy is commissioned by a manager. Audit is reported to the governing body and formally followed up. Consultancy is reported to management and ignored if inconvenient.
The other way we auditors (some of us) differentiate is that if something is done to a higher standard and is reflective and less prescriptive it is consultancy. Well let’s not do down internal audit. Internal audit should be as good and should deliver in a non-prescriptive manner. After all we are not perfect and do not have all of the answers, if we did we would pay ourselves a lot more and manage our clients.
So I would say practically all of my work is consulting. Only compliance stuff or non risk based audit would not be, in my view. I would, like any consultant, not take responsibility for risk decisions and implementation decisions. I would have no problem with advising (as I do in all of my audits) and letting my client decide to take my advice or not. For if a control environment is weak, do we not effectively step in with our suggestions or recommendations and design the solution?
So go out and be proud, for internal audit consultancy is much better than standard consultancy as it benefits from context dependent information, but is applied with context independent objectivity found only in internal audit as function.