Audit and advisory: how do internal audit services support decision-making?

This article answers the following questions:

• What are advisory services in auditing?
• What advisory services can auditors provide?
• How do advisory services differ from assurance services?

Contemporary challenges related to managing complex business processes often require decision-makers at the helm of companies to possess specialist knowledge and specific skills. One of the key elements necessary for effective management of organisational processes is the regular acquisition of reliable information which – when properly analysed – forms the basis for sound decision-making, particularly in conditions of high business volatility, dynamic technological development, globalisation of economic processes and in times of uncertainty and risk¹.

Audit advisory services (also referred to as consulting services), as defined by the Global Internal Audit Standards, include services through which auditors provide advice to an organisation’s stakeholders without delivering assurance and – importantly – without assuming management responsibilities.

The nature and scope of professional advisory services provided by an auditor or a statutory auditor are agreed with the enterprise prior to commencement of the engagement².

Examples of advisory services provided by internal audit experts

Advisory tasks performed by audit firms most commonly include:

• providing advice to entities – e.g. on developing, implementing or updating internal policies, processes or systems,
• conducting analyses and evaluations of processes and whole entities,
• offering consultations on accounting and risk management within the enterprise,
• investigative services aimed at detecting data leaks or operational and financial irregularities,
• delivering training for accountants, finance department staff and management,
• facilitating discussions.

The range of advisory services is, however, much broader and also includes other comprehensive services such as:

• benchmarking,
• due diligence audits,
• business process mapping,
• system development reviews,
• designing performance measurement systems.

Objectives, principles and scope of audit advisory services

Contrary to popular belief, auditors are not merely specialists in financial statement audits – their expertise is far wider. While analysing an entity’s situation during routine tasks, they may identify potential risk areas and, on their own initiative, propose advisory services or provide them directly at the request of representatives aware of processes requiring expert attention. The nature and scope of advisory services are, as a rule, agreed with the party commissioning the services.

Unlike assurance services – where objectives and scope are largely determined by internal auditors – the objectives and scope of advisory services are usually agreed jointly by auditors and the organisation’s representatives.

The overriding principle of internal auditors’ advisory activity is the value proposition. This requirement stems directly from the definition of internal auditing, which states that the purpose of the internal audit function is to add value and improve the organisation’s operations³. An internal auditor should refuse to perform advisory services that do not add value to the organisation or do not promote its best interests.

Internal auditors should strive to align task objectives with client objectives – correctly defining the objectives and scope of the task before its commencement is one of the manifestations of professional due diligence, which also requires the internal auditor to consider the cost of delivering the advisory service in relation to the potential benefits that the task may bring⁴.

Categories of advisory services in internal audit literature:

• formal advisory services – planned in advance, performed under a written agreement;
• informal advisory services – routine activities such as:
  • participation in standing committees,
  • ad hoc meetings,
  • routine information exchange;
• special advisory services – including auditor involvement in mergers and acquisitions teams or system conversion teams,
• emergency (urgent) advisory services – such as previously unplanned ad hoc activities related to:
  • participation in teams established to restore or maintain operations after a disaster or other extraordinary event,
  • participation in teams formed to provide temporary assistance upon special request or at an unusual time⁵. 

Advisory services and audit firm independence

According to the Standards, auditors providing advisory services are expected to maintain objectivity, primarily by not assuming management responsibility⁶. This means that decisions on implementing auditors’ recommendations must be taken by the entity’s management. 

The principles of independence and objectivity for advisory tasks differ slightly from those applicable to assurance services. There are no objections to an internal auditor providing advisory services in areas for which they previously bore responsibility or where they previously performed assurance tasks.

However, it is important to note that if a firm or expert provides assurance services within less than a year after formal engagement in advisory services for the same client, the independence and objectivity of such an internal auditor may be compromised, and measures to mitigate the effects of this limitation may be necessary.

It is worth noting that assurance services and advisory services are not mutually exclusive and do not exclude other internal audit services. An audit engagement may even combine assurance and advisory elements. Advisory services often stem from previously delivered assurance services (and vice versa: assurance often results from advisory services). However, auditors should not undertake advisory services solely to avoid requirements that would apply to assurance services if the area were covered by an assurance engagement.

The ultimate outcome of audit advisory activities is primarily the development of sound recommendations that contribute to improving the organisation’s management systems. Today, internal audit is increasingly focused on substantive consulting, enabling timely signalling of identified risks to decision-makers and assisting them in managing those risks.

¹ Filipiak, B., Dylewski, M., Gorzałczyńska-Koczkodaj, M. (2011). Analiza finansowa budżetów jednostek samorządu terytorialnego. Warsaw: Municipium, p. 9.

² The Institute of Internal Auditors (2024), Global Internal Audit Standards, p. 10.

³ The Institute of Internal Auditors (2024), Global Internal Audit Standards, p. 12.

⁴ The Institute of Internal Auditors (2024), Global Internal Audit Standards, pp. 98-99.

⁵ The Institute of Internal Auditors (2018), Practice Advisories for Internal Audit, pp. 5-7.

⁶ The Institute of Internal Auditors (2024), Global Internal Audit Standards, p. 92.