Internal audit function's expertise: Risk & Control
Add value by providing insights through its consulting activities; assist the organization in keeping abreast of emerging risks
Example: initiating discussions that explore the increased risk in areas that are particularly affected by an economic downturn
Internal audit function: Assurance Service
familiar with most (all) areas of organization
aware of the changes occurring in these areas
in a unique position to advise management about how to deal effectively with these changes
The Difference Between Assurance and Consulting Services
The number of parties involved in the engagement
The application of The Institute of the Standards
The purpose of the engagement
Communication of the results of the engagement
Engagement Parties
Consulting Services:
The engagement customer (advice seeker and receiver)
The internal audit function (advice provider)
Engagement Parties
Assurance Services:
The auditee (directly involved with the subject matter)
The internal audit function (making the independent assessment)
The user (relying on the independent assessment)
Application of Standards
The different sets of Implementation Standards for each
Structure differences
Consulting Services:
Fewer parties involved
structure is less complex
Assurance Services:
More parties involved
The Standards are more stringent and numerous
Engagement Purpose
Consulting Services: to provide
Advisory
Education
Facilitation
Insights
Engagement Purpose
Assurance Services: to provide
Independent assessments
Engagement Communication
Consulting Services:
Based on scope and purpose of the engagement
Engagement Communication
Assurance Services:
Recipient:
Auditee
Users
Format: standardized
Types of Consulting Services
Advisory
Training
Facilitative
Advisory Consulting Engagement ---advise on
Control design
Development of policies and procedures
High risk projects (such as system development)
Security breaches or business continuity interruptions
Certain enterprise risk management activities
Educational Consulting Engagement ---
Training on
Risk management
Internal control
Educational Consulting Engagement
Benchmarking
Intracompany: internal areas vs. other comparable areas
Intercompany: org. vs. other similar organizations
Company vs. industry average or industry best practices
Educational Consulting Engagement -
Postmortem analysis
Determining lessons learned from completed project
Facilitative Consulting Engagement ---facilitate:
Risk assessment process
Management's control self-assessment (CSA)
Task force charged with redesigning controls and procedures for a new or significantly changed area
As liaison between management and outside 3rd parties (i.e., auditors, gov. agencies, ve
Blended Engagements
Internal audit engagements that incorporate elements of both
Consulting services
Assurance services
Communicate the outcome separately
Scope and purpose are different
Selecting Consulting Engagements to Perform is based on
the magnitude of the associated risk or opportunity
Sources of consulting engagements:
Annual internal audit plan
Engagements are proposed during the annual risk assessment process and included in the annual internal audit plan if identified as high-priority
Requested by management
New or changing conditions
Warrants internal audit's atten
Internal Audit's Risk assessment
cost vs. benefit
worth the consulting services?
Annual Internal Audit Plan
Areas within the organization that
have gone through the risk assessment process and
were selected as priorities for the internal audit function
Priorities represent both
assurance and consulting engagements. Subjected to risk assessment process before being added to the internal audit plan
Requests from Management
Arise from unforeseen events at the time of planning
Vie for resources out of the planned internal audit budget
Often time sensitive
May preempt assurance engagements in the annual internal audit plan
May be performed simultaneously with assurance engagem
New or Changing Conditions
Internal audit function is often in the position to identify such changes and the need of the service
Examples:
Management reorganization
Department restructuring
New product offering
Subjected to risk assessment process
The Consulting Engagement Process
Plan
Perform
Communicate
Planning the Advisory Consulting Engagement
Determine: engagement objectives and scope
Obtain: final approval of objectives and scope from customer
Understand: environment and relevant business processes
Understand: relevant risks (if appropriate)
Understand: relevant controls (if appropriate)
Eval
Performing the Advisory Consulting Engagement
Gather and evaluate evidence
Must be documented
Examples of procedures may be performed:
Understanding management issues related to the area under review
Gathering information
Performing analytical procedures
Reviewing documentation
Using computer-assiste
Communicating the Advisory Consulting Engagement
Determine nature and form of communications with customer
Vet advice with engagement customer
Conduct interim and preliminary engagement communications
Develop final engagement communication
Distribute final engagement communications
Perform monitoring an
Consulting Engagement Working Papers
Focus is on the final product and providing observations and recommendations to management
Sufficient documentation should be maintained to support those overall internal audit recommendations
Increasing need for consulting services
be proactive!
CAEs can lay the foundation for partnering with other areas by:
Building relationships with other depart.
Increasing internal auditors' subject matter expertise through:
Training
Rotating internal auditors into other business units
Hiring associates from other business units into the internal audit function
Obtaining b
Skills and Experience Required for consulting engagement:
Facilitation and collaboration
Broad business experience
Specific subject matter expertise
Interpersonal skills
Analytical thinking in a dynamic environment
Information processing
Communication (quick and accurate, by presentation or writing)
Sourcing for consulting engagement
Financial reporting
Technology
Treasury/cash management
Fraud examination
Engineering and environmental compliance
Regulatory compliance
Specialists may be needed for consulting engagement
Internal audit service providers
Independent outside accountants or tax specialists
IT and security specialists
Fraud investigators
Actuaries, statisticians, and appraisers
Engineers, geologists, and environmental specialists
Lawyers
Which of the following would be a typical consulting engagement activity performed by the internal audit function?
a. Testing compliance with accounts payable policies and procedures.
b. Determining the scope of an engagement to test IT application contro
c. Reviewing and commenting on a draft of a new ethics policy created by the company.
Which of the following is not a required consideration regarding proficiency and due professional care when choosing to perform a consulting engagement?
a. Availability of adequate skills and resources to conduct the engagement.
b. Needs and expectations
d. Potential impact on the independent outside auditor's financial statement audit.
Senior management of an organization has requested that the internal audit function help educate employees about internal control concepts. This work is an example of:
a. An assurance engagement.
b. A training consulting engagement.
c. A facilitative cons
b. A training consulting engagement.
It would be appropriate for the internal audit function to perform which of the following:
a. Design controls for a process.
b. Develop a new whistleblower policy.
c. Review a new IT application before implementation.
d. Lead a process reengineering proje
c. Review a new IT application before implementation.
Which of the following is not likely to be a step during a consulting engagement?
a. Understanding the objectives of a process.
b. Assessing the risks in a process.
c. Flowcharting the key steps in a process.
d. Expressing a conclusion on the design adequ
d. Expressing a conclusion on the design adequacy and operating effectiveness of a process.
The chief operating officer (COO) has requested that the internal audit function advise her regarding a new incentive plan being developed for sales representatives. Which of the following tasks should the CAE decline with respect to providing advice to t
b. Determining the appropriate bonus formula for inclusion in the plan.
When conducting a consulting engagement to improve the efficiency of a production process, the internal audit team is faced with a scope limitation because several months of the production data has been lost or is incomplete. Faced with this scope limitat
b. Discuss the problem with the customer and together evaluate whether the engagement should be continued.
The audit committee has requested that the internal audit function assist with the annual risk assessment process. What type of consulting engagement does this assistance represent?
a. An assurance engagement.
b. A training consulting engagement.
c. A fac
c. A facilitative consulting engagement.
What is a methodology encompassing facilitated meetings and surveys that enables internal auditors and managers to collaborate in assessing business risks and evaluating internal controls?
Control self-assessment
A financial services organization is planning on staffing a complex consulting engagement that involves the consolidation of two large banking organizations, including changing many of the processes. Which of the following skills is the least important for
...
Internal auditors are working to become trusted advisors to management on risk management techniques. Which of the following would be the best way for internal audit to demonstrate they are truly a trusted advisor?
...