Consulting engagements are much more fun than audit engagements: less restrictions, less documentation, and often more interesting work.
And to top it off, on a consulting engagement you get to be helpful instead of critical. Nice!
But if your main gig is auditing, consulting can be problematic. One problem arises when applying GAO auditing standards.
Tension between standard setting bodies
While there are several differences between the IIA’s International Professional Practices Framework and the GAO’s Government Auditing Standards (GAGAS), the most pressing one for shops seeking to follow both standards involves consulting engagements.
Because the GAO values auditing and promulgates auditing (not consulting) standards and thinks that auditor independence is one of the key ingredients of a good audit, the GAO standards encourage auditors to stick to their knitting and safeguard their independence by avoiding consulting engagements.
In contrast, the IIA divides its standards into consulting standards and attest standards and encourages internal auditors to ‘add value’ to the organization by taking on consulting engagements.
This conflict between the standards can be a real drag for audit shops seeking to comply with both standards.
Before we talk more about exactly what the GAO says regarding consulting engagements vs. audit engagements, let’s get clear on the difference between the two.
Consulting engagements vs. audit engagements: a crude analogy
In an audit, the auditor evaluates a subject matter against a given criteria and reports back to a governing body on whether the subject matter met the criteria.
In a consulting engagement, the consultant helps the client create the subject matter.
Warning! Here comes the crude part! On a consulting engagement, the consultant is helping to make the baby (the subject matter), and on an audit, the auditor is being asked to say whether the baby is ugly.
Anyone who has kids knows that your very own offspring are angels and blessings and the most beautiful creatures on earth (What!?! Did I just lose my objectivity?).
The GAO, by putting restrictions on consulting engagements, seeks to preserve the auditor’s objectivity and independence. This will allow an auditor to call babies ugly all day long with no remorse.
And an auditor should do everything it can to maintain credibility with their clients – because once they lose credibility, their work can be questioned and doubted which means there was no point in having the audit done in the first place.
Here is what the GAO says about that:
GAGAS 2018 3.19 Auditors and audit organizations should avoid situations that could lead reasonable and informed third parties to conclude that the auditors and audit organizations are not independent and thus are not capable of exercising objective and impartial judgment on all issues associated with conducting the engagement and reporting on the work.
An extreme example that might help explain why the GAO is so strict
One state auditor kept writing the state pension system up for not calculating the pension obligation correctly, so the pension leaders finally threw up their hands and said, “You know what? If you’re so smart, why don’t you do it for us?”
The auditor proudly took over the calculation but, unfortunately, they kept performing the audit, too.
After about a decade, the state auditor performing the consulting work (calculating the pension obligation) retired and the audit team was refreshed. It was then that both the consultant and the auditor realized that the calculation was still wrong and the state was behind in funding their obligation by tens of millions of dollars.
To save face, the state auditor thought about not saying anything, but then they remembered their duty to the citizens and the pensioners, and admitted their mistake. Obviously, the press had a field day with this news and the credibility of the auditor was damaged.
Eventually, the audit of the pension system was contracted out to a big 4 firm and a few layers of management at the state auditor were politely asked to find another gig.
Are there work-arounds?
So, at this point, you might be saying to yourself, “Ding it! I want to keep doing consulting engagements. I like being helpful. There has got to be a work-around.”
So let’s examine a few work-arounds. First, let’s look at framing the consulting engagement as an audit. And, next, let’s look at calling the consulting engagement what it is while simultaneously safeguarding our independence.
Can you turn a consulting engagement into a performance audit?
Recently, someone asked me if they could still do a consulting engagement if they called it a performance audit instead. And I told them they could, if they took a few important – but not so easy – steps.
You can turn a consulting engagement into a performance audit if:
- step 1: you alter your objective
- step 2: you follow all of the performance audit standards in chapter 8 & 9 of GAGAS
Step 1: Tweaking the objective
The first step in turning a consulting engagement into a performance audit is to tweak the objective.
Per GAGAS, a performance audit must have an objective (GAGAS 2018 1.14). And a performance audit objective has a subject matter and a criteria (GAGAS 2018 8.08). And there should be a conclusion to match each objective on a performance audit (GAGAS 2018 9.19).
Consulting engagements usually lack firm criteria AND they don’t reach a conclusion.
Consulting engagements goals might sound like “Evaluate the departments efforts to bla bla bla …” and then you would write a report including opinions on whether the department made a good effort and maybe include some suggestions on how they could improve.
An audit objective sounds more like this, “Does the Department comply with X?” (X being the criteria). And then the conclusion would be “The Department does not comply with X.”
For more on what makes a good audit objective, check out this self-study video.
Step 2: Following all the performance audit standards
The second step you will take to turn a consulting engagement into a performance audit is to follow all of the other GAGAS performance audit standards. This will likely feel artificial and silly, like trying to stick a square peg into a round hole.
That is because on a consulting engagement, you probably don’t need to perform an inherent risk assessment or a control risk assessment; you likely won’t apply the Green Book; you won’t gather physical and documentary evidence, and you won’t have criteria for your findings.
For instance, I just finished a combo engagement where I performed a peer review which evaluated the audit team’s compliance with audit standards AND a secondary engagement where I rated the team on a scale of 1-5 on the IIA’s Internal Audit Capability Maturity Model.
The peer review was more akin to an audit and the Maturity Model assessment was more akin to a consulting engagement.
The peer review was much more straight forward because it had firmer criteria and I could rely on physical or documentary evidence to support my findings and conclusions. For instance, I concluded that the audit team met the CPE requirements by examining documentary evidence like attendance records and certificates.
For the Maturity Model piece of the engagement, the criteria was much squishier. I assessed things like whether the team was communicating effectively with stakeholders bla bla bla. I based my conclusions on surveys and interviews. I try to never back up a finding or conclusion in an audit report with testimonial evidence, but on a consulting engagement, that might be all you have.
Work around #2: Leave it as a consulting engagement and justify your choice in writing
So, instead of turning a consulting engagement into a performance audit, you might just want to leave it as a consulting engagement.
That isn’t exactly a walk in the park either. The GAO calls consulting engagements ‘non-audit services’ and puts up as many barriers to performing them as possible.
For instance, the auditor must justify – in writing – that auditor independence has not been compromised by applying the ‘conceptual framework’; the client must have SKE (skills, knowledge and experience), and the client must agree – again, in writing – that they are responsible for the results of the consulting engagement. Check out 2018 GAGAS sections 3.64, 3.65, 3.76, 3.107.
Some of the highlights of those sections are:
3.64 Before auditors agree to provide a non-audit service… determine whether providing such a service would create a threat to independence…
3.65 …the audited entity has designated an individual who possesses suitable skill, knowledge, or experience and that the individual understands the services to be provided sufficiently to oversee them..
3.76…obtain agreement from audited entity management that…management… assumes all management responsibilities, oversees the service, evaluates the adequacy of results.., accepts responsibility for the services
3.107 …documentation requirements…
a. document threats to independence… along with safeguards applied,in accordance with the conceptual framework…
c. document consideration of audited entity management’s ability to oversee
d. document the auditors understanding with an audited entity
e. document the evaluation of the significance of the threats created…
Make sure to manage expectations with the client
We said some things on the consulting engagement and the peer review that were pretty hard for the client to swallow and they resisted our findings and wanted us to offer proof. We could easily prove the peer review results, but we were standing on squishier ground with the consulting engagement.
Over time, you have trained your audit client to take your word as the gospel because you back up everything you say with evidence. If you take on a consulting engagement, the client needs to be warned (up front!) that you are only expressing your professional opinions based on your professional judgment.
Unfortunately, my team did not do a good job communicating this to the client in advance and the final meetings were unnecessarily tense and dramatic as a result. Never again!
The three options: consulting engagements vs. audit engagements
So, what is the bottom line? Consulting engagements vs. audit engagements? You have three options that will keep you in compliance with Yellow Book standards.
First, you can morph your consulting engagement into a performance audit if you can change your consulting objectives to sound more like audit objectives and if you comply with all of the performance audit standards in Chapters 8 and 9 of the Yellow Book.
Secondly, you can leave your engagement as a consulting engagement but follow all of the GAO’s additional documentation requirements.
Or, third, the most conservative option: don’t perform the consulting engagement at all and just stick to auditing.
I know that is not what you wanted to hear, but you can comfort yourself by remembering that auditing is a valuable service in and of itself. You do have an important role to play and you are adding value to the organization you work for by providing assurance.
I’d love to hear your feedback on this one. Write to email@example.com.
For more on auditor independence under Yellow Book Standards, please check out this video for performance auditors.