Consulting provided by the internal public audit function

This paper tackles an important issue related to internal public audit, namely specific consulting. Thus, we conceptually approach the three types of consulting engagements, focussing on a comparison between the assurance and the consulting engagements. Then, after an analysis of good practices in planning and unfolding consulting engagements, there is a conclusion section and we close the article with proposals for the enhancement of consulting afforded by internal public audit.


Introduction
Internal public auditors unfold two types of engagements, respectively assurance engagements and consulting engagements (Law no. 672/2002 on internal public auditing), both types of engagements being included in the internal public auditing annual plans of public entities (MFP, 2016, Report on internal public auditing activity for 2015). However, the UCAAPI Report shows the overwhelming weight of assurance in the framework of audit engagements unfolded in 2015, so that this type of engagement stands for 82.19% of the overall audit engagements conducted by public entities. The use, in a law proportion, of consulting engagements in the internal audit activity may be accounted for by the failure to clearly differentiate between the two concepts and by the way it is used in practice.
In this respect, this article aims at highlighting the characteristics of consulting engagements, the differences from the engagements of assurance, as well as at identifying proposals to enhance planning and performance of consulting engagements.

The consulting engagement concept
The fundamental normative act in the field (Law no. 672/2002 on public audit) defines consulting engagements as being the activities "… meant to add value and enhance governance processes at the level of public entities, without internal auditor taking over managerial responsibilities". Authors such as Dascălu & Nicolae (2006), in accordance with Arens & Laebbecke (2003), consider that, besides the assurance, the consulting activity also represents a fundamental element of internal audit.
According to International Standards for the Professional Practice of Internal Audit, issued by the Internal Auditors Institute of the USA (www.theiia.org), consulting is advisory in nature and involves, as a general rule, an express requirement of the beneficiary of this type of engagement. The approved general norms on the conduct of internal public auditing (Government Decision no. 1086/2013) define three types of consulting engagements, respectively: a) Counselling, which is aimed at identifying objectives hindering normal unfold of activities, establishing causes and proposing solutions to rule them out; b) Facilitating understanding, which is meant to acquire a deep knowledge of a system operation or of a normative provision to support staff in charge of implementing them; c) Professional training and further training, aimed at providing theoretical and practical knowledge relating to financial management, risk management and managerial internal control through training classes organisation. Furthermore, relating to the unfold of the consulting engagements, the above mentioned Norms (Government Decision no. 1086/2013) establish three possibilities, as follows: a) Formal consulting engagements, which are similar, in point of procedure and methodology, to the engagements of assurance -they are included in the annual audit plan and conducted in compliance with the general charter for consulting engagements. In this respect, an example could be an engagement the theme of which is the identification of solutions to delays in the award of public procurement contracts at the level of a public entity; b) Informal consulting engagement, which do not necessarily involve a written formalisation and which are conducted by participating within various standing committees or to definite duration projects, to meetings, engagements, current exchanges of information. For example, internal audit function establishes a contact point so as to answer the questions relating to the implementation of managerial internal control tools; c) Consulting engagements for exceptional situations, which represent a specific audit engagement, in the sense that they involve activities which may be the object of internal audit through the participation, at the level of teams established to resume activities following a force majeure situation or an exceptional event. In such a case, it could involve participation of the auditor in a team established at the level of the entity to recover accounting files lost following a cybernetic attack.
A series of authors (Dascălu & Nicolae, 2006) put forward a classification of consulting engagements in relation to their characteristics, as per the following table: The consulting engagement is conducted in the framework of the usual activities Special The consulting engagement is conducted in relation to key project, planned as unique, singular ones Urgent The consulting engagement conducted is not planned and it emerges following a crisis or an unexpected event In point of consulting engagements organisation and unfold, as well as in point of form, the above-mentioned general Norms provide that they are proposed by the chief audit executive and are approved by the entity management. Furthermore, it is provided that it is mandatory to define the organisation and unfold modalities in the internal auditing Charter.

A brief comparison between assurance engagements and consulting engagements
According to the International Standards for the Professional Practice of Internal Auditing (the International Internal Audit Standards of the U.S.A., www.theiia.org) assurance engagements "involves the objective assessment of evidence by the internal auditor, so as to issue an independent opinion or conclusion concerning an entity, an operation, a function, a process, a system or another aspect." Consequently, assurance engagements do not involve a specific request from the audited structure, they involve independence and objectivity of the auditor, as well as the assessment/verification of an aspect characteristic to the auditee (for example, verification of the reliable recording of the patrimony being administered by the entity) following which a conclusion or opinion is issued.
As to consulting engagements, the International Internal Audit Standards provide that "…they are advisory in nature and they are generally performed at the specific request of an engagement client". Thus, in the instance of consulting, it is necessary that a need or a request of the engagement beneficiary exists, the independence and objectivity not being as important as in the instance of the assurance, since consulting engagements do not involve an assessment and do not necessarily suppose the issue of an opinion or conclusions.
The above-mentioned Standards provide, in point of type and scope of engagements, that in the instance of the assurance, they fall under the responsibility of the internal auditor, who needs to display independence and objectivity. As different from assurance, in consulting the type and scope of the engagement are unlimited, and shall be established jointly with the beneficiary of the engagement. In point of number of participants, respectively the process owner, the internal auditor and the beneficiary of the engagement.
Thus, in the instance of consulting, there exists a direct relationship between the internal auditor and the engagement beneficiary, who also has the capacity as an auditee (beneficiary of the consulting), while in assurance, the auditee differs from the beneficiary of the engagement. Furthermore, the existence in the case of consulting of only two participants involves the possibility that the endorsement process of such an engagement does not involve the entity management, since a time frame is only allocated to this destination. This possibility is not provided in the General Norms for the exercise of internal public auditing, which provides that any engagement, including consulting ones, need to be approved by the manager of the public entity, a reason which may trigger reticence of line management of public entities to request consulting on sensitive issues.
In point of engagement aim, in the instance of assurance it consists in providing an independent assessment, while in consulting, the aim is provision of counsel, advice, facilitation, and training (Kurt F. Reding, Internal Auditing, Third Edition, The IIA Research Foundation, 2013). Though in consulting, independence and objectivity are not as important as in an assurance engagement (Lawrence B. Sawyer, Sawyer's Internal Auditing, The Institute of Internal Auditors, 2005), special attention shall be paid to the time frame allotted to consulting engagements, since an excessive number of consultants may show a possible impairment of internal audit independence relating to its capacity to unfold assurance engagements. That is why we consider that consulting engagements need to be limited to a threshold set as a percent from the time frame allotted to internal audit engagements.
As to the communication of the engagement results (Reding, 2013) in the instance of assurance, given that it involves the beneficiary of the engagement which differs from the audited structure, communication needs to include these parties, while the communication form is standard and, mandatorily in writing. On consulting, the communication form is not standard and there exist several forms in relation to scope and type of engagement, the notification of the results is not mandatorily made in writing, and the result notification only involves the engagement beneficiary. The table below comparatively shows the assurance and consulting engagements according to the differentiation criteria. As it can be seen, in point of stages, the consulting methodology is similar to the assurance one, they differ in that on consulting there is no risk analysis, there is no conciliation and no issues identification and analysis files are drafted. The fact that the consultation methodology is similar to the assurance one may lead beneficiaries to confuse assurance and consulting.
Furthermore, audit teams conducting formalized consulting engagements need to allot a longer period for the engagement, which would allow them to cover all stages and establish the documents provided, and dedicate less time to the analysis-proper of the consultation theme and to the identification of possible solutions to solve the issues raised by the consulting services beneficiary.
It can be noticed that the consulting methodology involves the performance of tests and establishing findings (procedure P-08), materialised in tests, checking lists, work files, interviews, surveys. All these instruments are specific to assurance audit engagements, especially the regularity ones, which involve comparison with a standard or norm which has to be complied with. As different from compliance, consulting involves aspects varying in form and substance, which do not necessarily aim at a lack of compliance, but sooner at issues, difficulties of the respective manager and which expect, from the part of the audit team, possible and feasible solutions to overcome those. As mentioned in the comparison between the consulting engagements and the assurance ones, consulting is conducted, as a general rule, upon request and is focussed on a need of the beneficiary. Consequently, the use of a formalized consulting engagement in the instance of an urgent consulting request, in the short term, would generate deadline issues to the audit team, since methodology imposes a minimum set of procedures and documents which need to be observed. Consequently, the author's opinion is that the methodology for the conduct of formalized consulting engagements needs to be simplified, so that it may be adapted to the beneficiary's consulting needs.
In point of competence, according to the Internal audit international Standards, the chief audit executive is kept to refuse consulting engagements if the internal auditors do not have the know-how, capacity or other competences required to integrally fulfil the engagement or a part of such.
Considering that audit resources are limited, and so is the obligation of the internal audit compartment to unfold planned missions of assurance, there results that all proposed consulting engagements may not always be conducted. Thus, it is considered (Reding 2013) that a selection needs to be conducted of consulting engagements to be conducted, based on an assessment of the risk size associated to consulting or on the opportunity to unfold this type of engagement. In this respect, the same author (Reding, 2013) provides the following methods to identify consulting engagements: -Engagements are proposed in the framework of the annual planning process, by identifying the areas with a high risk score; -Specific consultation themes, requested by management to approach issues or doubts in the accountability domain; -Modifications emerging in the entity's internal or external environment, which call for the internal audit compartment attention.
Referring to the assessment of potential consulting engagements risk assessment, Kurt F. Reding (2013) states that risk analysis needs to be similar to the assurance engagements one, based on several risk factors. To assess risk factors, an assessment scale shall be defined and weights are established, and it is recommended to also consider the importance the management places on the assessed consulting engagements unfold.
Relating to consulting engagements planning, Standard 2010.C1 (International Standards for the Professional Practice of Internal Auditing, www.theiia.org) provide that, in order to include a consulting engagement in the internal audit plan, the chief audit executive needs to consider the possibility that they enhance risk management, add value and improve the organization's activities.
Mention shall be made that assurance internal audit engagements may not be denied by the internal audit compartment on account that they do not have the required competences, and in case a certain competence is missing, the latter needs to be supplemented by an expert. As different from assurance, consulting engagements may be refused, that is why consulting needs to be justified from the point of view of the utility for the organization in order to be included in the annual internal audit plan.
As a result, any consulting request needs to be analysed by the internal audit compartment, at least from the point of view of the following criteria (Dascălu & Nicolae, 2006): -The internal audit compartment has the required competences to fulfil the consulting engagements (or else, the engagement request needs to be denied); -The value added/the benefits obtained following consulting engagements performance (whether the engagement is justified); -The weaknesses of the entity, respectively the domains in which entity employees need consulting to improve their activities; -It should be compatible with the internal auditors' tasks as provided in the internal audit Charter; -It shall be complementary to the assurance engagements unfold in the organization; -The advice proposed should not impact the objectivity or independence of internal auditors.
Considering that consulting engagements are related to the beneficiary's needs, there exists the possibility (Reding, 2013) that certain consulting themes are not known as of the moment the internal audit annual plan is established, a reason why the internal audit compartment needs to allot a time frame for the consultations which may be requested during the year.
In this sense, certain authors (Dascălu & Nicolae, 2006) consider that, upon drafting the internal audit annual plan, each internal audit structure can plan one or two consulting engagements, and in case the management has additional requests, the objectives of the new engagements may be included in the already planned engagements.
Also in point of planning, standards (Standard 2201.C1 -International Standards for the Professional Practice of Internal Auditing) provide the obligation of internal auditors to make an agreement with the consulting engagement beneficiaries relating to the objectives, scope, responsibilities and other expectations of the latter, and for significant consulting, the agreement shall be documented.
Kurt F. Reding (2013) mentions that, initially, internal auditors need to discuss with the consulting beneficiary the audit services expected level and the objectives of the engagement. Subsequently, the auditors appointed to unfold the engagement need to agree with the beneficiary all details relating to the requested consulting engagement. Thus, the success of a consulting engagement depends on the way in which the internal audit team manages to identify and answer the consulting beneficiary's expectations. That is why, on drafting the internal audit annual plan, the name or type of the consulting engagements are not important, since it would be difficult to foretell the needs of the consulting beneficiaries resulting from the unfold of the activities they are in charge of, which involves the obligation to allot, in the internal audit plan, a minimum time frame for consulting, for example, 5% of the overall time allotted to audit engagements. In the instance this time frame is not used up, it may be re-distributed towards assurance engagements or towards ad-hoc engagements.
A general restriction is imposed on internal auditors within the framework of assurance engagements, respectively that to avoid substituting themselves to the entity management, in the sense of making decisions in the place of the management.
This issue is highlighted in the International Standards for the Professional Practice of Internal Auditing (IIA, Standard 2020.C3) which stipulates that internal auditors, when supporting the entity management in improving risk management, "… shall avoid taking over any managerial responsibility which involves, in fact, risk management." Considering that within a consulting engagement, both the scope and the objective may be modified in relation to the information received from the beneficiary, Kurt F. Reding considers that it is not mandatory to establish a work program for the consulting engagements, as in the instance of assurance missions. On the other hand, the International Standards for the Professional Practice of Internal Auditing provide the obligation to have a work program for each internal audit engagement, that is including for consulting. Nevertheless, in the instance of consulting engagements, Standards provide that they can vary in point of form and content (IIA, Standard 2240.C1), according to the type of engagement.
The notification of consulting engagements results depends of their specific character, so that the consultation report form cannot be a standard one. However, the detail level in the report differs in relation to the engagement beneficiary's requirements. International Standards too (IIA; Standard 2410.C1) provide a great flexibility in the notification of the consulting results, highlighting that they differ in point of form and content, in point of engagement type and beneficiary requirements. The dissemination of the consulting results, in keeping with Standard 2440.C1 (IIA), needs to be done only by the beneficiaries of this engagement, while the obligation to notify the entity management is not provided, as in the instance of the assurance. Nevertheless, Standard 2440.C2 (IIA) provides that in case during consulting engagements significant malfunctions are identified, they shall be notified to the entity management.
Based on the information collected within the framework of consulting engagements and related to the beneficiary's requirements, the audit team will draft recommendations. A distinction needs to be made between the recommendations drafted within the framework of an assurance engagement, which are mandatory for the auditee if they were endorsed by the entity management and the ones drafted following a consulting engagements, which are under the form of proposed solutions. Thus, they need not be mandatorily implemented by the beneficiary and need not to be endorsed by the entity manager.
Recommendations within consulting engagements need to be understood by the beneficiary, be useful and feasible. The fact that the implementation of the recommendations within consultation, as well as their monitoring are optional, results from the Internal Audit International Standards (IIA, Standard 2500.C1), which provide that the recommendations drafted during consulting engagements need only be monitored if it is agreed with the engagement beneficiary.
Mention shall be made that consulting engagements are strongly preventive in character, if the management uses this type of engagement whenever they have issues in the conduct of activities, as well as indications relating to the possibility to make decisions which trigger significant failures to comply or serious irregularities.

Conclusions
The consulting methodology, as provided in the General Norms on the conduct of the internal public auditing are similar to a great extent to the assurance one, so that it is difficult to make a differentiation between the assurance and the consulting concept based on the methodology. This fact generated confusions between assurance and consulting for the potential beneficiaries of the consulting engagements and triggered a failure to use it at its overall potential being a strongly preventive engagement. The existence of a formalized methodology generates the focussing the consulting engagements on the covering of the forms and drafting of documents established in the detriment of the analysis proper of the consulting theme and of the identification of the solutions to settle the issues raised by the beneficiary. That is why, the methodology on the conduct of formalized consulting engagements needs to be simplified so that the audit team may adapt it to the consultation requirements of the beneficiary.
The good practices in the field of internal audit show the need to conduct a risk analysis and a selection of the consultation themes, using a risk factors system, similar to the one used for the selection of audit themes within the framework of assurance engagements. Thought the current methodology for formalized consulting engagements conduct provides that follow-up is mandatory, in relation to the requirements of the engagement beneficiary. The current legislation in the field of internal public audit provides the existence of three participants in the framework of consulting, as in the instance of assurance engagements, respectively -the entity manager -who endorses the counselling engagement, the audit team and the consulting beneficiary, when the good practicies in the fiels only indicate two participants, respectively the audit team and the consultation beneficiary.
Considering the above mentioned issues, in order to improve the consultation provided by internal public auditors, here are our proposals: -Modification of the national legislation in the field of internal public auditing, so that a clear distinction is made between consulting and assurance, in compliance with the good practices in the field; -Making the methodology for formalized consulting engagements simpler and more flexible, so that it may be adapted to the beneficiary's consulting requirements and not be a potential hindrance in point of deadlines; -Modification of the following aspects in Annex no. 1 to the above-mentioned Government Decision relating to consulting: ü Setting minimal criteria for the selection, by the chief audit executive of the consulting engagements proposed by the entity management; ü Making it possible for line management or top management to request, directly, from the internal audit compartment, consulting engagements, whithout the previous approval of the public entity manager, within the ceiling of a time frame allotted for consulting, so as to rule out the possible reticence of line management to request sensitive issues consulting which need to be approved by entity management; ü Providing a global time frame for consulting in the internal audit annual plan, calculated as a percent of the overall time frame for audit of the internal audit compartment (for example, 3%-5%); ü Ruling out the mandatory character of implementing and following-up the recommendations made in the framework of consulting engagements.