Much has been written and discussed about auditor advising. Last Friday, June 25, the volume 'Auditors advise. Advice by and for auditors' was released as part of the ESAA symposium. ARC Partner Marc van Heese contributed his view on the desirability of advising by internal auditors, based on almost 25 years of experience in internal audit.
"My view is that the internal auditor needs to start advising more in order to provide sufficient added value to the organization, and my view is that this is and will happen more and more. This view is not new: for some time now there have been noises within the internal audit profession about providing 'insight' and being a 'trusted advisor.' I will take you through my thoughts on this view."
As we know, we live in a "VUCA world": the world is changing faster and faster, the changes are difficult to foresee, they are complex and not unambiguous.
To survive in this world, organizations are changing faster and faster than before or they exist for a shorter period of time. Product cycles are becoming shorter, and work within organizations is becoming more project-based. Unique Selling Points are easier for competitors to copy and cheap money is plentiful to market challengers. Yesterday's challenger is tomorrow's winner. Business as usual hardly exists anymore for many organizations; change is the only constant.
An environment like this affects all parts of the organization, so too for internal audit. An audit plan for the next three years does not fit an organization that is constantly changing. The same goes for audits with long lead times.
One answer from internal audit departments is Agile Auditing. Agile Auditing is a way of auditing in which the topics to be audited are continuously adapted to the changing needs (and risks) of the organization(source). As a result, audits tend to have a short(er) lead time and are more relevant by adapting the audit calendar and audits to new situations more quickly.
Adapting the way of auditing is a step in the right direction, but there are more ways to move with organizations that are constantly changing. Moving along is not only in the "how" (how are the subjects to be audited selected and how does internal audit proceed during the fieldwork) but also, in my opinion, in the "what" (what work does internal audit perform). Another way for internal audit to stay in tune with the changing organization is to provide more advice and less assurance.
Audits (generally) look back and provide assurance about past control. In a changing world, this assurance is certainly still relevant because, after all, lessons can be learned for the future, to improve things, and it gives confidence about future goal achievement. But looking ahead becomes more relevant in this day and age. Determining in retrospect (too late) that something has gone wrong can have enormous impact in a VUCA world; after all, a competitor may have realized a lead by now because of the mistake that cannot be made up by the organization.
In practice, during the Corona crisis, I saw quite a few examples of internal auditors participating in crisis teams. For example, they were involved in thinking about being able to work from home in a controlled way without running too great a risk with regard to information security or bringing online shopping quickly and safely. Or an internal auditor of a funeral insurer who presented scenario analyses to management, showing whether the organization could move sufficiently with the estimated death rates in the coming period. Or an analysis comparing the public NOW register with the customer portfolio to determine the exposure to loss of sales or failure to pay outstanding invoices. These are clear examples of what can be referred to as the advisory role. A large proportion of existing audit functions have assumed this temporary advisory role(source). In this rapidly and unexpectedly changing environment, there was a clear need for advice, through input of specific expertise, from the internal auditor.
Not only in acute crisis situations is the shift from assurance to consulting noticeable. This shift also occurs in a going concern environment (read: no acute crisis situation). An audit function at a retailer that focuses less on where fraud has occurred and more on recognizing signals where fraud is occurring or may occur (so-called predective analytics). Based on this, possible fraud can be prevented or the damage can be more limited. No assurance can be given about the future, but advice can be given.
So a movement from hindsight to foresight. Bruce Turner, an Australian expert in internal audit, talks about the movement from "hindsight" to "insight" and ultimately to "foresight"(source). I subscribe to this vision. If internal audit does not move with the changing environment, organizations where internal audit is not a legally mandated function may well find that it moves out of the picture. From "hindsight" to "out of sight. In a complex world, a retrospective observation that some processes did not run as they should is no longer sufficient.
KPMG, among others, also identifies the challenge that internal audit is expected to not only protect but also increase organizational value(source). The recent adaptation of the 3 lines model by IIA Global, where the focus is not only on protecting value but also increasing it, is in line with this(source). In another article, KPMG talks about the pressure on audit departments to undertake work other than just providing assurance, such as consulting, related to risk and performing predictive data analysis(source). In providing assurance, more and more automation and continuous monitoring are being pursued. This too will require Internal Audit's value to shift more to consulting if internal audit is to continue to add value.
Some internal audit puritans will balk at this development. At best, consulting is allowed temporarily in times of crisis. However, now that we live in a VUCA world, some organizations will continuously be in some form of crisis, or at least in a situation with elements of a crisis. Therefore, I see internal audit becoming more advisory as moving with the new reality: need for advice grows relative to need for assurance. The added value of internal audit will shift more and more to giving advice, is my expectation. The internal auditor will function more like a consigliere: a critical advisor to management. The literal translation of consigliere is "adviser" and comes from the Latin word consilium meaning "plan" or "policy"(source). Thus, we still keep connection with the Latin origin of the word auditor, coming from the Latin word 'audire' meaning to listen.
The purpose of this opinion piece is not to thoroughly weigh the extent to which the applicable standards of the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) permit this ongoing advisory role. The main reason for this is that progress of the internal audit profession, as far as I am concerned, should not be hindered by the applicable standards. Standards can be adjusted if that advances the progress of the internal audit profession. What is important is whether it fits the definition and mission of Internal Audit: after all, we should not take up activities that are completely outside of it.
Important words that fit the desired advisory role in both the definition and mission are "value-added," "advice"/"advisory services" and "insights. These provide sufficient scope for the provision of advice by an internal audit function. In addition, the IIA has defined specific standards (the C standards) for consulting services. These standards provide sufficient scope for consulting; the question is whether, given the expected shift in focus from audit to consulting, they provide sufficient scope. This contribution to the volume does not discuss this further.
The case is not made here for an unlimited advisory role for the internal auditor. For internal audit to be successful in an advisory role, there are limitations. The most important limitations in a row:
In addition to the aforementioned limitations, a shift to more of a (continuous) advisory role raises two important questions:
To what extent is advising on governance, risk management and control not a 2nd line role? One can answer this question in the affirmative: yes, the internal auditor moves into a 2nd line role to some extent in an advisory role. A counter question is whether this is serious. Auditors like to think in the 3 lines (of defense) model but the reality is that for many companies this model a: is not always known or used and b: is not always (legally) necessary.
The answer to whether this is a serious development depends on many factors: is an independent third line legally necessary, is there even a 2nd line function, or is there room in the "assurance map" to jump into a gap?
Another (positive) reality is that more and more audit departments are emerging in various industries, with no legal requirement. Consider the education and healthcare sectors. Within those organizations, there is often no 2nd line (yet). In such sectors and situations insisting on a strict separation between 2nd and 3rd line could undermine the understanding of internal audit and the importance of internal control.
With the above argument, I am certainly not advocating abandoning the assurance role; this remains an essential and valuable role of the auditor, provided the right topics are selected.
Through assurance, auditors often already pass on implicit advice:
Continuing to provide assurance is also more relevant in some sectors in connection with regulators who impose requirements or where specific legislation applies: think of financial institutions supervised by DNB and AFM. Also, the lengthening of outsourcing chains requires more assurance on third-party control. As a result, a focus on assurance by internal audit will simply remain important.
Assurance thus remains an important task of the internal auditor and a large part of the work but the added value in the future will largely come from the advisory role.
Marc van Heese
Partner ARC People
The bundle 'Advising Auditors. Advice by and for auditors' can be requested here.