Home » Opinion » The auditor as consultant
Energized in part by the new definition of internal auditing, many internal auditors currently find themsleves performing a much broader spectrum of activities than ever before. In particular, the addition of consultative services to the internal auditor's defined set of competencies has introduced an entirely new dimension to the profession.

The auditor as consultant

Careful planning is required as audit practitioners transition toward a broader orientation and expanded role in the organization.

ENERGIZED IN PART BY THE NEW DEFINITION of internal auditing, many internal auditors currently find themsleves performing a much broader spectrum of activities than ever before. In particular, the addition of consultative services to the internal auditor's defined set of competencies has introduced an entirely new dimension to the profession. Audit practitioners who at one time focused largely on measuring, evaluating, and reporting on the effectiveness of internal controls are now expanding their role by working with management on ways to improve operations and add continuous value to the organization. By providing consulting services, many auditors are helping to ensure that management sees the audit function as essential to achieving organizational goals and objectives. Although consulting work provides many new opportunities for internal auditors, it can also pose a threat to the audit function if the transition toward consultant auditing is not managed carefully. Specifically, consulting may jeopardize internal auditing's traditional role as the board's trusted, independent, and neutral monitor of management's actions. The board may find that auditing's consulting work with management affects its ability to review management activity objectively and to provide the board with an unbiased appraisal. Failure to effectively serve the board's needs could damage auditing's credibility and, in some organizations, ultimately lead to downsizing – or even outsourcing – of the audit function.

The challenge, then, is for internal auditors to provide consulting services to management without compromising their role as monitor for the board. At the Office of the City Auditor in Tallahassee, Fla., we have found an effective way to achieve this goal that is applicable to almost all audit settings, including those that do not include a board of directors. Our approach, as explained in the context of principal– agent theory, may be helpful to internal auditors seeking to adapt to their new role as consultant while maintaining their commitment to traditional audit services.

THEORY BEHIND THE PRACTICE
Principal-agent theory, in its simplest form, analyzes the dynamics between two parties engaged in business. In a basic principal-agent relationship, one party (the principal) grants another party (the agent) the authority to act on its behalf The agent, then, is responsible for making decisions that further the interests of the principal.

A potential problem with principal– agent relationships occurs when the interests of the agent and those of the principal conflict. That is, the agent may make decisions that are not in the best interest of the principal, hence calling the reliability of the agent into question. To help resolve this problem, the principal typically establishes some way of monitoring the agent's activity.

The dynamics of principle-agent theory apply to the relationship between internal auditors and their clients. When examined in light of auditing's traditional role, the board can be identified as the principal, management as the agent, and the internal auditor as the board's trusted, independent, and neutral monitor. More specifically, the auditor serves as an extension of the board, representing its interests and reviewing the actions of management in carrying out the board's directions. In addition, the auditor reports to the board – in the form of assurance services – on management's actions.

When viewed in this context, it becomes clear that internal auditors face a potential conflict when requested by management – the agent – to provide consulting services on monitored activities. Principal-agent theory suggests that rendering these additional services for management would violate the auditor's relationship with the board. That is, the monitor's objectivity may be compromised, reducing its effectiveness as a watchdog for the principal.

Furthermore, principal-agent theory, and the conflict it illustrates, can be applied to internal auditors who do not report to a board, but instead report to top-level management or to an organization head in the private or government sector. Auditors in these settings may face similar issues when monitoring for the highest levels of the organization and providing consulting services for those at other levels.

Principal-agent theory, then, helps to illustrate the dilemma faced by auditors who act as consultants: Can auditors serve their “principal” as monitor of the agent's actions when they also concurrently perform consulting services for the agent? Finding an effective way to manage this issue is key to the success, and even survival, of internal auditors looking to provide consulting services to their clients.

MEETING THE CHALLENGE
At the city of Tallahassee, the city auditor serves as monitor for the city commission (the principal), which represents the legislative arm of city government. The city's manager, attorney, and treasurer-clerk function as agents for the commission and represent the executive arm of the government. These three individuals are charged with carrying out city commission policy and implementing services and programs in an economical, efficient, and effective manner. The commission established the position of city auditor to serve as the monitoring link between itself and executive management.

The Office of the City Auditor has embraced the new definition of internal auditing and provides both assurance and consulting services for the city. For example, we often render both types of services during our audits of major information-technology projects. As monitor, we provide assurances to the commission on project compliance with city policies and procedures, risk management and project controls, and project status and accomplishments to date. As consultant, we offer advice and counsel to management relating to risk and controls, we assess the number and competency of city staff and vendor staff, and we identify and provide direction for significant milestones that must be achieved as projects move forward.

Our audit team realizes the potential conflict of interest that may arise as we perform consultative services for management. We therefore took proactive steps toward managing the potential pitfalls and leveraging the opportunities presented by our added services.

To ensure the success of our consulting efforts, as well as the ongoing effectiveness of our assurance work, our office has implemented a number of measures to help prevent conflicts between our role as monitor for the commission and consultant to management. The following initiatives represent some of the efforts that contributed toward our strategy for success.

DEFINING THE LIMITS OF CONSULTING WORK.
We caution ourselves, during meetings and at other times, to remain mindful of the fine line that often exists between consulting and actual management activity. As a group, we help each other to determine where this line is drawn on individual assignments and ensure that we do not perform management functions or make management decisions when participating as part of a team. We are also careful to avoid creating even the appearance of performing management duties, as perceptions regarding the nature of our work must be managed just as carefully as the actual work we perform.

During consulting projects, we do not vote on management's proposed actions. Instead, we identify available alternatives, as well as the pros and cons for each alternative. In addition, we do not “partner” with management, but rather listen to management's views, provide advice, and seek solutions that are in the best interest of the organization. If our group were viewed openly as management's partner – or if we referred to ourselves in this way – our integrity and objectivity would be called into question.

RECOGNIZING CONSULTING AS A FORM OF AUDITING.
A number of rules and regulations issued recently have impacted auditors' practice of consulting services. The U.S. Securities and Exchange Commission, for example, prohibits the performance of certain nonaudit services that are deemed inconsistent with an auditor's independence, and the U.S. Comptroller General identifies consulting as a nonaudit service, prohibiting audit organizations from performing audit and selected nonaudit services for the same client.

In response to these actions, several external audit firms have divested themselves of their consulting business. This trend has in turn generated much discussion among internal auditors about the use of the term “consulting” in the definition of internal auditing in light of its identification as a nonaudit service by other professional bodies.

Our position on this issue is that consulting services – as defined by The IIA and implemented by the Standards for the Professional Practice of lnternal Auditing – represent audit work and that such work falls under the broad umbrella of the definition of internal auditing. As long as we perform these services in accordance with The IIA's Attribute and Performance Standards for consulting, we see no conflict with either Government Auditing Standards or recent government rules or law. Furthermore, much of the activity we perform as consultants would be viewed as a performance audit in Government Auditing Standardsbecause our work provides a basis for conclusions, recommendations, and opinions.

OPENLY COMMUNICATING OUR APPROACH.
In addition to holding face- to-face meetings, we issued a letter to the city leadership team (executive management), the city commission, and the city audit committee that explained the new definition of internal auditing and described the assurance and consulting services offered by our office. The letter also assured the commission that it would receive copies of all audit reports, as before, but noted that management would be considered the primary client for consulting services. We felt it was important to communicate this in writing so that a record would exist of our efforts to begin educating members of the organization about our new role and to prepare them for change. We wanted to build trust at all levels of city government, to distance ourselves from the traditional view that auditors have an “I got you” mentality, and to demonstrate our desire to follow issues to a positive resolution. Furthermore, to highlight the differing services we provide to each party, we state in our audit reports that comments of a consulting nature are presented for the commission's information and for management's further analysis and resolution.

To ensure buy-in by both the commission and executive management, all audit work – assurance and consulting – is included in our annual audit plan and approved by the audit committee and the commission. We believe our office could not effectively perform consulting work, nor would executive management feel comfortable requesting this type of service, unless the city commission understood and accepted management's relationship to the audit function.

REVISING OUR MISSION STATEMENT.
To ensure that our objectives are clearly understood, both internally and by those whom we serve, we revised our mission statement to reflect internal auditing's changing role. Currently, the mission reads as follows:

To provide the City Commission an independent, objective, and comprehensive auditing program of city operations; to advance accountability through the provision of assurance and consulting services; and to proactively work with appointed officials in identifying risks, evaluating controls, and making recommendations that promote economical, efficient, and effective delivery of city services.

The mission statement conveys our goal to be responsive and responsible to the commission, to provide a broad scope of work, and to maintain a positive and professional relationship with management. Just as The IIA's Framework for the Professional Practice of Internal Auditing is built around the definition of internal auditing, our approach to audit work stems from and is guided by our mission statement. The statement shows our desire to maintain the trust of the commission as its primary, neutral, independent, and objective monitor of management actions, as well as our commitment to helping management achieve organizational goals and objectives.

PRIORITIZING BETWEEN CONSULTING AND MONITORING.
One of the challenges we've faced since adopting the role of consultant is ensuring adequate audit resources to balance our consulting and traditional services. Although we are committed to fulfilling management requests for consuiting services, we also need to ensure that this work is not rendered at the expense of our monitoring responsibilities. In some instances, we are forced to choose between consulting and traditional auditing.

When we discover fraud, for example, or when management requests our assistance in reviewing allegations of fraud, consulting receives a lower priority. We often struggle with this decision, especially when the alleged fraud involves only a small amount of money. Our group frequently questions whether we add more value to the organization by continuing to work on consulting projects instead of immediately responding to these types of allegations. However, providing timely and trustworthy information related to the loss of city resources is one of our most important responsibilities, and the commission depends on us to report such instances promptly. Certain traditional audit duties, then, must sometimes take priority over our consulting work.

RESULTS OF OUR EFFORTS
To date, members of management, as well as the commission, have commented favorably about the combination of services we've provided. In 2001, for example, we performed an audit of citywide cash controls, involving both consulting and assurance work, that was particularly well-received. Our audit report for this assignment was traditional on one hand, as it identified risk and provided assurance, but also added value from a consulting point of view by identifying available alternatives and providing specific recommendations for improvement. In addition to the city manager's formal response to our services, she sent us a note explaining that she had been overwhelmed with positive remarks from city employees and commissioners regarding the professionalism and comprehensive nature of our audit.

Our follow-up audit in March 2002 showed that 95 percent of planned action steps were either completed or substantially completed within six months after the audit was issued. We believe our up-front approach to consulting work with all parties in the organization has led to increased trust in our work as well as greater enthusiasm for the new services we provide.

ADDING VALUE
Changes in the auditor's role and responsibilities in the organization present numerous challenges for practitioners as they address issues relating to independence, objectivity, consulting, and monitoring. Although the integration of consulting services requires careful planning and attention to the potential risks, the end result is well worth the effort. Internal auditors who successfully balance their assurance and consulting responsibilities will have the opportunity to add significant value to the organization and help the audit function to be perceived as integral to achieving organizational goals.

ADAPTING TO THE ROLE OF CONSULTANT
The increasing demand for internal auditors to add value to the organization has led many audit units to incorporate consulting activities into their repertoire of services. Adjusting to this new role, however, may prove difficult for many auditors. Serving in an advisory capacity represents a significant departure from traditional audit services, and it requires somewhat of a change in perspective for audit practitioners. To be successful as consultants, internal auditors need to re-think their approach to auditing and re-evaluate their purpose in the organization. Recent business-management publications lend support to the idea that auditors need to embrace change to ensure effectiveness in their new role.

PROCESS CONSULTATION
Traditionally, internal auditors are viewed as the organization watchdog. Those outside the profession often see auditors strictly as a policing function that reviews events on an after-the-fact basis and focuses on reporting negative information.

Edgar Schein takes the traditional auditor to task in his book, Process Consultation, by observing that internal auditing is often seen as nonhelpful or as perpetuating an adversarial relationship with line management. To alleviate this problem, he advises that auditors have line involvement with managers responsible for audited areas, adopt horizontal rather than vertical reporting relationships, and issue reports that are descriptive rather than evaluative – all actions that are associated with the consulting process. Each of these measures, he suggests, would serve to improve relationships with management and help to reduce negative perceptions of the audit department.

Schein also notes that a “process consultant” is one who helps clients to help themselves. Part of the learning curve for new consultant auditors involves knowing the cutoff point for consulting services. Auditors will need to learn how to assist clients in the identification of alternative solutions without imposing their own preferences or actually functioning or making decisions as part of management.

A NEW WAY OF THINKING
Traditional audit work focuses largely on management accountability. That is, auditors performing monitoring services must report on management's efforts to assess risk and to establish, implement, and monitor control systems. Over time, this type of focus may influence the culture of the audit organization and make the transition to a more consultative approach more difficult.

James G. March and Johan P. Olsen, authors of the book Democratic Governance, warn of negative outcomes that can result from excessive concern with accountability. They caution that accountability increases apprehension about change and reduces risk taking. Instead, they say, it promotes:

* The favored position of the status quo.

* Increased focus on risk aversion.

* Social conformity.

* Adoption of positions that are expected to be acceptable to others.

* Unwillingness to gamble on gains from cooperativeness.

* Increased rigidity and defensiveness.

* Procrastination and excessive consideration of possibilities.

* Increased focus on process rather than change.

Because an emphasis on accountability can be strongly embedded in the culture of audit organizations, resistance to change is almost inevitable. For this reason, audit groups moving in the direction of consulting need to have leadership that is committed to facilitating change and progressive thinking. Effective consultant audit leaders focus on outcomes, ensure that each audit adds value to the organization, and emphasize the importance of helping management to find solutions rather than just pointing out problems. At the staff level, auditors need to be prepared for change and recognize the potential need to acquire additional training and to develop their communication skills.

Sam M. McCall, CIA, CPA, CGFM, is city auditor for the city of Tallahassee, Fla. To comment on this article, e-mail the author at smccall@theiia.org.

Leave a Reply