What are advisory reports?

An advisory report sets out best practices to be followed and internal controls needed, in order to improve risk management over the subject area. The Chartered Institute of Internal Auditors paper, Consultancy engagements (22 September 2020) says “There are various assurance and consultancy activities that internal audit may undertake.” Assurance is normal auditing work whereas consultancy is limited scope audit advisory.

IIA Global's glossary defines consulting services as:

Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organisation’s governance, risk management and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation and training.

It goes on to suggest, inter alia, that:

  • The standard of work is the same as that delivered for assurance work.
  • It should be made clear to management that all consultancy work will be reported to the audit committee and be included in the overall opinion with progress on results monitored to the extent agreed upon with the client (Standard 2500.C1). 

This second bullet point is particularly important in the context of this article.

What should they not do, or evolve into?

If you look at the Croydon tram derailment in 2016, a safety audit occurred after the event in which a tram driver fell asleep and there were seven fatalities. An audit report was presented a short while afterwards, but this was downgraded to an advisory piece to make it more palatable. This is neither the purpose of advisory work nor is it an acceptable action for a professional internal audit function.

If a piece of work sets out as an audit then it should have an opinion. Auditors need to “own” their opinion and playing with the recommendation gradings to make the report more palatable undermines their credibility as well as the reputation of the organisation concerned and the profession as a whole. If there is a disagreement on the accuracy of the facts on which the opinion is based, then this needs to be addressed and, if appropriate, the opinion revised. However, if the facts are substantiated then the professional opinion of the auditor should stand. It always helps if the basis of opinions is set out in advance. For example, what constitutes a high, medium, or low finding in financial terms (or other) appropriate to the scale of the entity being audited or the speed with which a risk may manifest and how the opinion for this audit fits within the overall assurance framework.

If the work scope sets out as an advisory piece then, the report purpose and format, as well as the methodology implemented should be agreed up front.

However, there is a role for advisory reports and whilst some organisations use them as a Plan B where audits would be unpalatable, others use them effectively to supplement the assurance work and give a broader overview or assist management in developing the entity’s control framework.

Advantages

A non-executive on the Board may struggle to get certain audits on the plan, but may be able to petition to get advisory pieces on it, despite the politics or timing of critical dependencies.  

That gives you some insight into what management is struggling with, what the Board is struggling with, and what the auditors think, without it being formalised into an opinion. It is a difficult area – you would far rather have opinions on everything, but if you cannot get an opinion piece done because of the environment then an advisory piece is your next best option in some circumstances.

In particular, with the ongoing Covid-19 pandemic, if it is not going to be feasible to cover all planned audits, we could nevertheless do a short advisory piece that will shine a light into the corner and see what comes out, and maybe be able to get an audit on the plan thereafter if issues are detected.

Another advantage is that it is easier to get advisory pieces finished because people seldom argue if there are no opinions involved! And from an auditor’s perspective, purely advisory pieces are better for professional indemnity insurance as you can limit your liability if you are not giving an opinion that you can be held to account on.

Disadvantages

With advisory pieces, it will be difficult to hold the auditors to account. Where it is done as an advisory piece, you will not be able to query the opinion for the area under consideration. Even if you are crystal clear up front what you want from an advisory piece, the fact that it is advisory and auditors are working WITH management rather than being held to account on an opinion, makes it much more difficult to get the quality that the Board needs out of it.

Whilst being able to limit your liability is an advantage of doing advisory pieces, it is also a disadvantage as the way to limit your liability is to exclude as much as possible, blame management for failing to provide you with the information you need, and not give any kind of opinion that you can be held to account on. That is likely to mean that stakeholders will not be able to get as much value as they would like from the work that you have done.

Advisory pieces tend be based on experience and best practice. It can be a case of “I’ve seen this somewhere else – it works well – you should consider it” instead of  “I’ve looked at your control framework and it’s not working because you’ve got a gap here and you’ve got an exception there and there’s a work around over the other place”. Audit work actually looks at what you’ve got and determines whether that is fit for purpose.

Where there has been an incident, Internal Audit should go in and see what exactly happened, where the control failures are, and what is being done around it. Advisory can come in and look at the bigger picture and identify the areas of improvement, but the audit or the investigation needs to have taken place before you can get to that stage.

Hybrid approaches

Some internal auditors adopt a hybrid approach – they look at what controls are in place and whether they are working effectively. They ask if various actions have been thought about and then suggest improvements. Fundamentally it’s an audit review but then with some advisory added on top of it.

A final comment

This article seeks to consider the advantages and disadvantages of advisory reports without making a recommendation. We’d be interested in your thoughts on what you’ve seen work or fail as a result of “advisory workscope”. What value did it drive?  Which best practices did you see? To continue the conversation, please go to the GRACE LinkedIn group for ACCA members and share your experiences with others.