Is serving as an advisor and maintaining internal audit’s essential responsibility of objectivity, free of management influence, possible? Spoiler alert: Yes. And it’s both necessary and crucial to the internal audit profession’s standing in any organization.
It may be true that assurance work is, and will always be, the primary function in our business, while advisory or consulting services play a secondary role. The numbers tell the story with more than half of internal auditors performing few or no consulting engagements, according to a recent Institute of internal auditors flash survey.
Yet, to enhance the relevance of the internal audit function, advisory engagements should be a growing part of all internal audit plans. As that happens, internal audit leaders are going to have to understand how to successfully deliver advisory reviews without giving up their duty to be independent and unbiased.
The idea of the internal audit function serving as a trusted advisor is “a very lofty aspiration for many in our profession,” IIA CEO Richard Chambers wrote earlier this year. “To be trusted advisors, we must bring a litany of tools and attributes to the table. We must possess insatiable curiosity, be outstanding critical thinkers, possess deep expertise, and be great communicators. Yet, even if we can check the box for each of those attributes, we had still better be trusted.”
Those qualities are obviously important to having a true seat at the management table. For auditors, the other attribute that is necessary is independence. The ability to offer dispassionate opinions and advice, in spite of a dependent relationship with one’s employer, is critical.
At my company, the internal audit function’s mission is to be independent, a trusted advisor and a valued partner to management and the Audit Committee of our board of directors.
A critical driver of achieving our mission is conducting advisory engagements. We began performing consulting engagements soon after I joined the company five years ago. In order to enhance the company’s control environment, we offer advice on a wide range of projects, including:
- Pre-implementation of new systems;
- Regulatory readiness;
- New business processes;
- Due diligence on mergers and acquisitions; and
- Key strategic initiatives.
Today, about 15 percent of my team’s internal audit engagements are non-rated advisory reviews. I expect that number to only get larger. We are not focused on a specific target, however. Instead, we want to concentrate on performing the most valuable consulting projects in a risk-based approach.
In fact, the practice of advisory services is expanding at S&P Global.
Earlier this year the S&P Global internal audit team launched its project assurance process to deliver value to the organization by assessing key project risk areas for critical new products and essential new processes, and to offer observations in real time.
We’ve received very positive feedback from the management team and the audit committee since introducing this process. They understand that the project assurance process supports the company’s enterprise goals, focusing on key risk areas such as strategy, project governance, business operations, and technology that impact project outcomes and achievement of project objectives. Our CEO says the project assurance process is invaluable because it acts like an early warning system to help keep important strategic initiatives on track and on budget.
What Can You Do to Deliver Advisory Services While Maintaining Your Independence?
There are three things that can help internal audit leaders offer and execute advisory engagements while providing an unvarnished view to management and the board.
First, clearly define for executive leaders and key stakeholders the differences between advisory services and more traditional assurance services. Communicating about project outcomes and setting expectations is a good opening action item.
The second step may seem obvious, but it is especially important. Auditors must establish very strong working relationships with key stakeholders across the organization. Internal auditors should build trust with management teams and functions across an enterprise that facilitates the free flow of information. Transparency in all that we do will help build trust and credibility. This is even more critical in organizations where the perception of the Audit function is one of an inspector instead of a valued partner.
At S&P Global, our internal audit team takes a proactive view of stakeholder management. My team and I have monthly touchpoint meetings with each member of our operating committee to learn about existing and new key business initiatives. It is during these conversations that we often get asked to review new initiatives. Because our audit plan is dynamic and risk-based, meaning it is flexible, we are able to accommodate changes and address unanticipated requests throughout the year.
One of the added benefits of our regular contact with the company’s leadership teams is that we get to share information and best practices about effective strategies that are working in other parts of the business. By sharing knowledge and best practices across the enterprise, the internal audit function is able to “connect the dots” for colleagues, helping us to build credibility.
Building trust and credibility will be an easier proposition in the right environment. This leads to the third point: a company’s culture is critical. “Culture is the single biggest determinant of behavior in any organization,” Keith Darcy of Deloitte & Touche told IIA’s Tone at the Top newsletter.
My company is fortunate to have some built-in advantages in this respect.
At S&P Global, our 20,000 employees around the world live by the core values of relevance, integrity and excellence. Integrity—being honest, transparent and accountable for our actions—is at the heart of everything our employees do, and that helps the cause of internal audit greatly.
There’s no question that the tone at the top is a key ingredient to creating a culture that embraces internal audit’s role of providing independent and objective advisory services. As a CAE, I am privileged to have a CEO who spent four years as the chief auditor of a major financial institution. So he not only understands the mission-critical work we perform—that we can and should provide advisory engagements while remaining firmly independent—he also recognizes and encourages fresh thinking in terms of the services we can offer to the management team and audit committee. His leadership and support are fundamental to our success.
As a profession and as business leaders, we know that transformation and change are all around us. From emerging technologies to geopolitical and regulatory shifts, we know we need to continually evolve to serve the changing needs of our organizations.
By incorporating advisory reviews into the internal audit function, while remaining true to our responsibilities as impartial evaluators of our employer’s internal controls, we will be better positioned to ensure the profession’s relevance for many years to come.