More IA teams are providing benefits to the business and themselves through advisory work.
Internal auditors are increasing their roles as advisors as businesses transform and adapt to new technologies like generative AI and navigate emerging risks such as climate change and reporting on ESG initiatives. That’s forcing some internal audit (IA) teams to grapple with how they define and report advisory work, communicate about it effectively with the audit committee (AC) of the board of directors, and combine advisory with traditional audits.
- Members of NeuGroup for Internal Audit Executives discussed these issues and benchmarked how much advisory work they are doing at their H1 meeting and in a recent monthly session. Most agreed that while advisory work is good for both the business and IA, it comes with challenges.
- “We spend a lot of time finding different areas where we can partner with the business,” one member said. “The challenge when looking at the organization is there’s so many places where you can have assurance work as well as advisory, and making sure you have that balance.”
When and why auditors are advisors. “Forty-five percent of our plan is advisory projects this year; normally it’s more like fifteen percent,” one member said. Technology and digital transformation are fueling the increase for this member and others, several of whom reported doing AI security control reviews and AI governance advisory work. The cloud is another catalyst.
- “When we transitioned to the cloud, we were embedded on the project as it went,” one member said. “We would provide recommendations as the process was going. We issued health-checks. Once a quarter we’d say here are some things we uncovered during this part of the project.”
- Tech also plays a role in some advisory work focused on ESG. “ESG is a perfect area where the company was deploying software but didn’t have maturity to understand risk controls, etc. We spent a lot of time in areas like that,” another member said.
- New businesses or those getting shaken up are advisory targets for IA. “If it’s an area we’ve never looked at and it’s just being stood up then that’s the most common type of advisory we do,” one member said. “There is something this year that we’ve always audited but it’s getting a complete overhaul so we’re doing it as an advisory.”
- Another member said, “Part of how we define [advisory] projects is maturity of process or program. When it’s new, we go in and get a preliminary feeling. If there isn’t maturity there, this is where we can provide value. That way there is some more time passed before we can do an actual audit.”
The SOX factor. When new processes or systems are being implemented, it’s important for IA to weigh in. The team can ensure that the proper controls are in place and that the new process or system is less likely to be subject to a serious audit finding in the future.
- That’s especially important with processes involving financial reporting related to the Sarbanes-Oxley Act (SOX). If internal audit can influence the design of controls for SOX related systems, new initiatives are much more likely to be successful.
- “We are certainly doing advisory—typically in new areas of SOX,” one member said, “We had a whole new order to cash process.” Another said, “I see a challenge here—every time there is a project like that, the project managers don’t properly build in time to establish their controls.”
Communication and credit. Internal audit teams report their standard audit findings to the AC with audit ratings and opinions on their findings, with some variance depending on the shop. How teams report advisory to the AC is less established, raising concerns that it is fully acknowledged.
- With many member IA teams seeing their advisory workload increase, some members worry that the AC “doesn’t understand all the things we’re doing,” one member said. “I feel like we’re not getting credit in a sense.”
- They asked how peers present non-audit work to the committee. Some build advisory work into annual audit plans presented to the AC. One said, “Recently, I started including audit and advisory work on the same page so the committee could see everything we’re doing.” This member’s advisory engagements weren’t being considered in the total work effort for the department. But after talking to some fellow members, they decided to include it for visibility.
Reporting on and tracking completed advisory work. Standard audits require formal reporting and tracking of management action plans, whereas the process for advisory work is less formal. That’s why the majority of members don’t provide an overall rating or opinion in advisory engagements. They make recommendations that they can follow up on when the area is audited in the future, but they typically don’t formally track those recommendations.
- “We have so much of formal ops audit tracking that we don’t necessarily want to track it all,” said one member. Another added, “It’s a nightmare to track issues already.”
- However, several members said that their work “isn’t free,” meaning if they find an issue, they will come back to check, via a formal audit or otherwise, that issue has been rectified or mitigated.
An ad for internal audit. There was broad consensus that not only does advisory help the business, but it also works as an advertisement for the IA function and leads to more cooperation internally down the road.
- One member talked about how valuable it is to spread the word about the function’s ability to provide value to the business. Their company has a guest auditor rotation plan. When speaking about embedded advisory work, this member said, “Those tend to get highlighted a lot because of the rotational aspect, and with AI advisory, we’ll get a lot of attention.”
- And while most advisory jobs are initiated by IA itself or senior management, business units occasionally seek IA’s guidance. “It’s always nice when our phone rings—when people start reaching out, instead of the other way,” one member said.