The internal auditor as consigliere
Much has been written and discussed about auditor advising. Last Friday, June 25, the volume 'Auditors advise. Advice by and for auditors' was released as part of the ESAA symposium. ARC Partner Marc van Heese contributed his view on the desirability of advising by internal auditors, based on almost 25 years of experience in internal audit.
"My view is that the internal auditor needs to start advising more in order to provide sufficient added value to the organization, and my view is that this is and will happen more and more. This view is not new: for some time now there have been noises within the internal audit profession about providing 'insight' and being a 'trusted advisor.' I will take you through my thoughts on this view."
The new reality: continuous change
As we know, we live in a "VUCA world": the world is changing faster and faster, the changes are difficult to foresee, they are complex and not unambiguous.
To survive in this world, organizations are changing faster and faster than before or they exist for a shorter period of time. Product cycles are becoming shorter, and work within organizations is becoming more project-based. Unique Selling Points are easier for competitors to copy and cheap money is plentiful to market challengers. Yesterday's challenger is tomorrow's winner. Business as usual hardly exists anymore for many organizations; change is the only constant.
An environment like this affects all parts of the organization, so too for internal audit. An audit plan for the next three years does not fit an organization that is constantly changing. The same goes for audits with long lead times.
One answer from internal audit departments is Agile Auditing. Agile Auditing is a way of auditing in which the topics to be audited are continuously adapted to the changing needs (and risks) of the organization(source). As a result, audits tend to have a short(er) lead time and are more relevant by adapting the audit calendar and audits to new situations more quickly.
More than Agile Auditing
Adapting the way of auditing is a step in the right direction, but there are more ways to move with organizations that are constantly changing. Moving along is not only in the "how" (how are the subjects to be audited selected and how does internal audit proceed during the fieldwork) but also, in my opinion, in the "what" (what work does internal audit perform). Another way for internal audit to stay in tune with the changing organization is to provide more advice and less assurance.
Audits (generally) look back and provide assurance about past control. In a changing world, this assurance is certainly still relevant because, after all, lessons can be learned for the future, to improve things, and it gives confidence about future goal achievement. But looking ahead becomes more relevant in this day and age. Determining in retrospect (too late) that something has gone wrong can have enormous impact in a VUCA world; after all, a competitor may have realized a lead by now because of the mistake that cannot be made up by the organization.
In practice, during the Corona crisis, I saw quite a few examples of internal auditors participating in crisis teams. For example, they were involved in thinking about being able to work from home in a controlled way without running too great a risk with regard to information security or bringing online shopping quickly and safely. Or an internal auditor of a funeral insurer who presented scenario analyses to management, showing whether the organization could move sufficiently with the estimated death rates in the coming period. Or an analysis comparing the public NOW register with the customer portfolio to determine the exposure to loss of sales or failure to pay outstanding invoices. These are clear examples of what can be referred to as the advisory role. A large proportion of existing audit functions have assumed this temporary advisory role(source). In this rapidly and unexpectedly changing environment, there was a clear need for advice, through input of specific expertise, from the internal auditor.
Not only in acute crisis situations is the shift from assurance to consulting noticeable. This shift also occurs in a going concern environment (read: no acute crisis situation). An audit function at a retailer that focuses less on where fraud has occurred and more on recognizing signals where fraud is occurring or may occur (so-called predective analytics). Based on this, possible fraud can be prevented or the damage can be more limited. No assurance can be given about the future, but advice can be given.
From hindsight to foresight
So a movement from hindsight to foresight. Bruce Turner, an Australian expert in internal audit, talks about the movement from "hindsight" to "insight" and ultimately to "foresight"(source). I subscribe to this vision. If internal audit does not move with the changing environment, organizations where internal audit is not a legally mandated function may well find that it moves out of the picture. From "hindsight" to "out of sight. In a complex world, a retrospective observation that some processes did not run as they should is no longer sufficient.
KPMG, among others, also identifies the challenge that internal audit is expected to not only protect but also increase organizational value(source). The recent adaptation of the 3 lines model by IIA Global, where the focus is not only on protecting value but also increasing it, is in line with this(source). In another article, KPMG talks about the pressure on audit departments to undertake work other than just providing assurance, such as consulting, related to risk and performing predictive data analysis(source). In providing assurance, more and more automation and continuous monitoring are being pursued. This too will require Internal Audit's value to shift more to consulting if internal audit is to continue to add value.
Some internal audit puritans will balk at this development. At best, consulting is allowed temporarily in times of crisis. However, now that we live in a VUCA world, some organizations will continuously be in some form of crisis, or at least in a situation with elements of a crisis. Therefore, I see internal audit becoming more advisory as moving with the new reality: need for advice grows relative to need for assurance. The added value of internal audit will shift more and more to giving advice, is my expectation. The internal auditor will function more like a consigliere: a critical advisor to management. The literal translation of consigliere is "adviser" and comes from the Latin word consilium meaning "plan" or "policy"(source). Thus, we still keep connection with the Latin origin of the word auditor, coming from the Latin word 'audire' meaning to listen.
Professional standards and advice
The purpose of this opinion piece is not to thoroughly weigh the extent to which the applicable standards of the International Professional Practices Framework (IPPF) of the Institute of Internal Auditors (IIA) permit this ongoing advisory role. The main reason for this is that progress of the internal audit profession, as far as I am concerned, should not be hindered by the applicable standards. Standards can be adjusted if that advances the progress of the internal audit profession. What is important is whether it fits the definition and mission of Internal Audit: after all, we should not take up activities that are completely outside of it.
Important words that fit the desired advisory role in both the definition and mission are "value-added," "advice"/"advisory services" and "insights. These provide sufficient scope for the provision of advice by an internal audit function. In addition, the IIA has defined specific standards (the C standards) for consulting services. These standards provide sufficient scope for consulting; the question is whether, given the expected shift in focus from audit to consulting, they provide sufficient scope. This contribution to the volume does not discuss this further.
Limitations of a more continuous advisory role
The case is not made here for an unlimited advisory role for the internal auditor. For internal audit to be successful in an advisory role, there are limitations. The most important limitations in a row:
- One limitation is that internal audit should not provide advice outside its area of focus and knowledge: thus, the focus is on governance, risk management and control.
- The foregoing limitation raises a second potential limitation: the above area of focus is a broader one than might at first appear. Risk management ranges from financial risks to strategic risks and from IT risks to climate risks. Internal audit may or may not want to offer advice, but the question is whether internal audit has sufficient in-house knowledge for all of these topics. In an earlier opinion piece from 2018, I expressed my concerns about the sustainability of the internal audit profession and whether it is moving sufficiently with all the technical developments(source). In particular, my concerns lay (and still lie) in the internal auditor's knowledge of technology. Technology is one of the main drivers of the VUCA world. It is good if the internal audit department knows its limitations before deciding to advise on a topic.
- Finally, there is the well-known collision danger: can internal audit at a later stage still audit something it has previously advised on? In larger departments, this can be mitigated by having auditors other than the advising auditor audit the specific topic. But in smaller departments, this mitigating measure is difficult to enforce (and most audit positions are small, up to 5 FTEs). The extent to which the consulting auditor can still audit later will also depend on other factors, such as: was the auditor's advice followed, what is the scope of the audit, how long has it been since the advice was given, and is the advice given then still relevant today? One should also consider that advice is a broad concept: asking critical questions, which causes management to reconsider matters, can also count as advice. It therefore also depends on the type of advice given. This will have to be considered on a case-by-case basis and a decision made in consultation with management. Good advice can outweigh the risk of collision at a later stage.
Some questions about this development
In addition to the aforementioned limitations, a shift to more of a (continuous) advisory role raises two important questions:
- What are the advantages of an internal auditor for providing advice over an external consultant?
- If there is more advice, is there not a 2nd line role? A very important difference with an external consultant is the knowledge of the organization: the internal auditor's knowledge is many times greater, which makes it possible to come up with sound advice faster. In addition, the internal auditor uses a methodical approach: advice starts with a thorough analysis and the diagnostic audit is a good tool for that. Finally, there is an independent position of the internal auditor: there is no commercial urge to give advice that is desired but from its independent position the internal auditor can give an objective positive critical advice that may also not be in line with what management wants to hear. At the same time, it is good to realize that there is also another side to this story: an external consultant brings less knowledge from within but again more from outside the organization, and in contrast to the independence of the internal auditor associated with the permanent position is again the critical capability that an external consultant can develop because he or she does not have to go further into the organization.
To what extent is advising on governance, risk management and control not a 2nd line role? One can answer this question in the affirmative: yes, the internal auditor moves into a 2nd line role to some extent in an advisory role. A counter question is whether this is serious. Auditors like to think in the 3 lines (of defense) model but the reality is that for many companies this model a: is not always known or used and b: is not always (legally) necessary.
The answer to whether this is a serious development depends on many factors: is an independent third line legally necessary, is there even a 2nd line function, or is there room in the "assurance map" to jump into a gap?
Another (positive) reality is that more and more audit departments are emerging in various industries, with no legal requirement. Consider the education and healthcare sectors. Within those organizations, there is often no 2nd line (yet). In such sectors and situations insisting on a strict separation between 2nd and 3rd line could undermine the understanding of internal audit and the importance of internal control.
Conclusion: assurance remains important and sometimes includes implicit advice
With the above argument, I am certainly not advocating abandoning the assurance role; this remains an essential and valuable role of the auditor, provided the right topics are selected.
Through assurance, auditors often already pass on implicit advice:
- in consultation, determine the scope of the audit based on a risk analysis;
- establish a framework of standards that outlines an ideal situation;
- identify where there are imperfections in the organization and thus where things need to improve.Some auditors already provide more explicit advice in their reports by giving direction on the possible solutions for the improvements identified.
Continuing to provide assurance is also more relevant in some sectors in connection with regulators who impose requirements or where specific legislation applies: think of financial institutions supervised by DNB and AFM. Also, the lengthening of outsourcing chains requires more assurance on third-party control. As a result, a focus on assurance by internal audit will simply remain important.
Assurance thus remains an important task of the internal auditor and a large part of the work but the added value in the future will largely come from the advisory role.
Marc van Heese
Partner ARC People
The bundle 'Advising Auditors. Advice by and for auditors' can be requested here.
