The Research Foundation of the Institute of Internal Auditors recently published a report titled Business Management Auditing: Promotion of Consulting Auditing. The purpose of this article is to review and summarize those portions of the report dealing with the impact of consulting activity on the independence of internal auditors.
The study identified thirty-nine non-traditional services that are performed by internal auditors. For the majority of internal auditors, performing those non-traditional services is considered consulting activity that in most instances carries a relatively high risk of jeopardizing independence.
The risk to independence was perceived as greatest when the consulting activity involved accounting system implementation or design, or business/accounting related issues such as business planning, mergers, cash management, budgeting and inventories. The risk to independence was perceived to be least when the consulting activity involved non-accounting systems consulting, total quality management, pension cost review, evaluating external audit work, contract compliance, and reviewing performance of outside vendor services. Examples of other consulting assignments with varying degrees of perceived risk to independence include contingency planning, forecasts and projections, vulnerability assessments, environmental and regulatory compliance, employee performance and benefits programs, and due diligence assignments.
Based upon the Standards for the Professional Practice of Internal Auditing (SPPIA), the requirement for independence and objectivity can be summarized as follows: "Internal auditors should be independent of the activities they audit. Such independence permits internal auditors to perform their work freely and objectively. Without independence, the desired results of internal auditing cannot be realized. ... (Independence) is achieved through organizational status and objectivity. ... Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others. ... Designing, installing, and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity."
These are the primary citations in the SPPIA:
STANDARD 100, and Guideline 100.01.
STANDARD 110, and Guidelines 110.01.1. and 110.01.2.
STANDARD 120, and Guidelines 120.01., 120.02., 120.02.1, 120.02.2, 120.02.3, 120.02.4, 120.02.5, 120.03.
GENERAL STANDARD 100 - Independence.
Internal Auditors should be independent of the activities they audit.
Guideline 100.01. Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organizational status and objectivity.
SPECIFIC STANDARD 110 - Organizational Status.
The organizational status of the internal auditing department should be sufficient to permit the accomplishment of its audit responsibilities.
Guideline 110.01.1. The director of the internal auditing department should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.
Guideline 110.01.2. The director of internal auditing should have direct communication with the board. Regular communication with the board helps assure independence and provides a means for the board and the director to keep each other informed on matters of mutual interest.
SIAS #7 - Communicating with the Board of Directors
The term "board," as used in the Standards and in this statement, includes boards of directors, audit committees of such board, heads of agencies or legislative bodies to whom internal auditors report, boards of governors or trustees on nonprofit organizations, and any other designated governing bodies of organizations.
SPECIFIC STANDARD 120 - Objectivity.
Internal auditors should be objective in performing audits.
Guideline 120.01. Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others.
Guideline 120.02. Objectivity requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Internal auditors are not to be placed in situations in which they feel unable to make objective professional judgments.
Guideline 120.03. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity.
About 6% of the study participants were EDP auditors. 90% were regular internal auditors. The remaining 4% did not provide job classifications. The study shows that EDP auditors spent substantially more time performing consulting activity: 17% of the EDP audit managers' time, 15% of the EDP supervisors' time, and 9% of the EDP audit staff time was spent performing consulting work for their organizations. On the other hand, regular audit managers spent 10% of their time consulting; regular audit supervisors spent about 8% of their time on consulting work; and regular audit staff spent only about 6% of their time consulting for their organizations. Taking these distributions and weightings into account, consulting work averaged about 7% of the work activity for internal audit organizations as a whole.
Following is a summary of the study's major findings regarding consulting and audit independence.
There was a wide range of opinion among the participants regarding the differentiation between auditing and consulting. A large majority agreed that compliance reviews and risk assessment objectives were very strongly associated with auditing, and that implementing policies and procedures was very strongly associated with consulting. A significant majority, however, believed that the identification of critical issues and recommendations to solve problems were a mix of auditing and consulting. The study identified the following general but unique traits about auditing and consulting:
The participants were widely divided as to whether the traditional auditing role includes making recommendations to management and identifying critical issues in need of management attention. (The Standards for the Professional Practice of Internal Auditing are specific in this regard - making recommendations to management and identifying critical issues are an intrinsic part of internal auditing - see Standard 430, Guidelines 430.05; 430.01.1; and 430.04.7.d). However, because making recommendations and identifying critical issues are also an intrinsic part of certain types of consulting work, they are not a unique identifying feature of either auditing or consulting. Among internal auditors, this overlapping clouds the definition of auditing vs. consulting.
The definition is further clouded based on individual experience. The study found that overall, the participants classified 24/39 (62%) of non-traditional services as consulting, and therefore the report concluded that a significant majority of internal auditors believe non-traditional services to be consulting activity. However, participants who did not have experience in providing non-traditional services considered the large majority of non-traditional services (31/39, or 80%) to be consulting. Participants who did have experience in providing non-traditional services considered most of the non-traditional services (30/39 or 77%) to be auditing.
It should be noted that the study did not enquire whether participants who had performed non-traditional services had done so before becoming internal auditors, or in the course of their duties as internal auditors. The study also does not draw any conclusions as to cause and effect relationships within these two sub-groups, nor does the study indicate the ratio of those having no experience to those having experience performing non-traditional services. The inference, however, is that a minority of participants had experience performing non-traditional services, and this may influence the perception of such work as auditing, or may influence the willingness to undertake such work as auditing. According to the report, "A number of respondents defined auditing as anything an auditor does" (a rather liberal and probably inaccurate interpretation). (According to the Standards, internal auditing is first and foremost an attest function that evaluates whether control systems provide reasonable assurance that organizational objectives can be achieved; and an attest function that evaluates the quality of performance in achieving organizational objectives. Anything that internal auditors do that is not an attest function is consulting, or at least non-audit work.)
While there is disagreement about the status of many non-traditional services, most study participants agreed that the following seven services are consulting activities: Business Planning (90% agreed), Non-Accounting System Consulting (84% agreed), Business or Project Feasibility Studies (83% agreed), Accounting System Design and Implementation (79% agreed), Total Quality Management (74% agreed), Budgeting (72% agreed), and Forecasts and Projections (72% agreed).
According to the report, more than 50% of the participants were concerned that consulting activities posed risks, which can be summarized as follows:
"Consulting projects frequently have a political component. For example, top management may look to the internal auditor to legitimize or accept responsibility for unpopular or controversial decisions. The auditors' reputations as unbiased and objective observers are at stake, and with them, the credibility of their audit reports". 53% believed that there is a risk of getting involved with internal organizational politics, a risk of political exposure, or a risk of negative political pressure from within the organization (all independence and objectivity related issues);
58% believed that involvement in consulting activity has a high probability of involvement with a project that could fail, fostering negative perceptions of the entire internal audit department if a high profile project fails;
59% believed that conflicts of interest can arise from auditing one's own work (or overseeing the audit of one's own work) at a later time (an independence and objectivity related issue).
84% believed that management expectations would rise regarding performing other consulting work in the future. Once an internal audit department provides good consulting services, management will expect more of the same. This impacts on the ability to provide traditional audit services. In a worst case scenario, consulting work could be used to completely sidetrack internal auditing. The report states that "at worst, consulting can deplete the resources available for scheduled audits, thereby interfering with the [audit] department's ability to fulfill its primary mission."
51% believed that use of internal audit resources can be put at risk. Consulting projects are harder to plan, budget and manage, thus increasing the risk of cost and time overruns. Once consulting work is integrated into the routine functions of an internal audit department, time spent on consulting work reduces the time available to perform traditional audits. In turn this reduces the likelihood of completing the annual audit plan, and impacts on the primary mission of internal auditing.
The report states: "One of the most significant risks is that of violating a cornerstone of the Standards, namely, that auditors must be independent of the activities they audit." Overall, about 38% of the participants were specifically concerned that consulting activities would jeopardize independence and objectivity, thus making "independence" a specific high risk area.
Initial work with focus groups indicated: "The most serious risk associated with consulting ... was that auditors may be asked to audit the activities that they had previously recommended, designed, or implemented, thereby violating the independence principle that is so basic to the profession. Related risks associated with consulting include: (a) internal auditing might lose its reputation for objectivity and independence and instead become embroiled in organizational politics; and (b) mistakes may be highly visible and could damage the reputation of the entire internal auditing department".
"Internal auditors must appear to be independent as well as actually be independent. Should other individuals, upon observing the internal auditor engaged in certain activities, conclude that the auditor is no longer independent, the auditor will be unable to perform effectively in the future." About 49% of the participants believed that "There is a high potential for independence to be at risk when an internal auditor is part of a team designing new systems or procedures". As one participant stated "Once I ended up training all department heads on how to use some new guidelines. ...And now my staff is reviewing the guidelines in an audit. It's tough to say I'm independent... Theoretically the staff on this audit don't report to me for this project, but I have to review everything that comes out of the office, and I have to respond to questions. Independence has gone out the window".
Overall, the risk to independence was perceived to be relatively high when performing non-traditional activities as opposed to traditional auditing services. The risk to independence was perceived as greatest when the activity involved accounting system implementation or design, or business/accounting related issues such as business planning, mergers, cash management, budgeting and inventories. The risk to independence was perceived to be least when the non-traditional activity involved non-accounting systems, total quality management, pension cost review, evaluating external audit work, contract compliance, and reviewing performance of outside vendor services. Examples of other non-traditional assignments with varying degrees of perceived risk to independence include contingency planning, forecasts and projections, vulnerability assessments, environmental and regulatory compliance, employee performance and benefits programs, and due diligence assignments.
Internal auditors have a wide range of opinion about what constitutes consulting and the effects of consulting on independence. A substantial proportion of internal auditors are engaging in activities that are considered consulting activities by many of their peers. There was a distinct difference in perception between those who had experience performing non-traditional services and those who did not. Participants who had experience in providing non-traditional services considered the large majority of services to be auditing, and believed that performing the services did not jeopardize independence. Participants who did not have experience in providing non-traditional services considered the majority of non-traditional services to be consulting and believed that performing the service would jeopardize independence.
According to the study, this could indicate that experience shows the risk to independence is manageable when performing non-traditional services. However, the report speculates that it may also represent a "false sense of security. That is, although [the auditors experienced in providing non-traditional services] believe they are independent, others might question this conclusion. ... Given the importance of independence and objectivity to the internal audit function, it is important to consider the latter possibility. ... The credibility and effectiveness of the entire internal audit function is at stake if, by engaging in certain activities, auditors are risking their independence."
"The greatest risk of violating the independence principle emerges not from activities widely recognized as consulting, but rather from those that are a mixture of consulting and auditing. The fuzzy boundaries between auditing and consulting offer opportunities for at least some observers to conclude that auditors, by performing non-traditional services without implementing appropriate safeguards, have violated the independence principle. The lack of clarity about what constitutes consulting rather than auditing increases the possibility that internal auditors may not be independent. This is especially true when consulting requires involvement in internal politics or conflict."
For the most part internal auditors believe that performing consulting services carries a relatively high risk of jeopardizing independence. However, they also believe the benefits associated with consulting outweigh the associated risk to independence. How is the risk to independence managed? Some examples from the report: About 90% of the participants expect staff to come forward when they feel unable to be independent and objective (in accord with SPPIA Guideline 120.02.2), and 97% recommended this approach. About 40% of the participants have formal policies that time-bar internal auditors from auditing the activities they participated in as consultants (in accord with SPPIA Guideline 120.02.5), and a large majority (67%) of the participants recommended such a policy. (Another measure recommended by a focus group, but not evaluated in the study, suggested temporarily reassigning the auditor to another department and title for the duration of the consulting project and never allowing the auditor to review the area in which the consulting occurred.) Only 12% of the participants maintain separate consulting units within the internal audit department, and only 23% of the participants recommended doing so.
The report concludes: "To exploit the opportunities and to minimize the risks associated with consulting activities, it is important to take a proactive approach to resolving the challenges created by the increasing involvement of auditors in consulting."
In each of our internal audit organizations, we need to establish criteria to differentiate auditing and consulting work. We need to establish clear objectives and outcomes for our consulting activities. We need to identify the risks and obstacles to our independence that are associated with undertaking each consulting project. We need to establish and monitor control activities to minimize the risks and overcome the obstacles to independence. In other words, we need to practice the same planning, organizing and directing skills we expect of our audit clients, so that we go in with our eyes open, understanding the risks involved, and with reasonable assurance that we can successfully protect the independence and objectivity that are a cornerstone of our profession.
The purpose of this article has been to provide an overview of concepts developed and presented in Business Management Auditing: Promotion of Consulting Auditing, published by the Research Foundation of the Institute of Internal Auditors. The interpretations presented here are those of the author. Readers are encouraged to refer to that publication for a full discussion of this topic in order to form their own opinions.
Copyright © 1995 Mark R. Simmons. All rights reserved.