Consulting Engagements

Cards (37)

  • Consulting services are advisory in nature and are generally performed at the specific request of an engagement client.
  • What two parties do consulting services involve?
    • the person or group offering the advice
    • the person or group seeking and receiving the advice
  • When performing consulting services, the internal auditor should maintain objectivity and not assume management responsibility.
  • The nature of consulting services must be defined in the internal audit charter.
  • What is the first consulting role internal audit should play when determining whether or not to provide consulting services?
    Determining if the first or second lines of defence are responsible or better equipped to provide the service.
  • What are the three main types of consulting engagements?
    advisory, training, and facilitative
  • What are the examples of advisory engagements?
    • Advising on control design.
    • Advising during policies and procedures development.
    • Participating in an advisory role for high-risk projects.
    • Advising on security breaches or business continuity interruptions.
    • Advising on certain enterprise risk management activities.
    • system development life cycle review
    • due diligence
    • privacy
  • What is system development life cycle review in nature?
    It may be either advisory or facilitative in nature, but it is most often conducted as an advisory engagement.
  • What are the internal auditor's responsibilities during the SDLC review (system development life cycle)?
    • Ensuring that stakeholder interests are prioritised for the development objectives
    • Ensuring that the development project follows the organization’s standards for systems development
    • Ensuring that the IT activity adheres to a framework or methodology such as the SDLC
  • When could internal auditors be involved in a system design review?
    • During systems analysis as a member 1) to define the goals of a procedure or function, 2) to identify ways to accomplish those goals efficiently, and 3) to evaluate the feasibility of proposed systems or the feasibility assessment process itself.
    • During system design or selection as a member to ensure that controls are designed
    • During conversion and implementation to ensure that the project meets objectives
    • During feedback as part of a post-project design or acquisition review for continuous improvement
  • What is the evaluation of the feasibility of proposed systems?
    To determine if a project will add value and satisfy objectives at a reasonable cost
  • What does system analysis involve?
    • applying problem-solving methodologies
    • applying a system-wide perspective
    • deconstructing the parts and subparts of the system to gain an understanding of the system in detail
  • What is system design?
    It is the process of defining the architecture, modules, interfaces, and data for a system to satisfy the organization’s requirements for the system.
  • What may internal auditors do to help ensure that system design is comprehensive and the architecture is sound?
    Internal auditors may be able to take their holistic view of organizational processes and the overall goals of the process identified in systems analysis to help ensure that systems design is comprehensive and that the overall architecture or framework is sound.
  • Systems design can be seen as an extension of?
    System theory.
  • What may be an example of internal audit activity for due diligence in a consultative capacity?
    Internal audit may provide advice and insight regarding a proposed transaction’s contributions to the organization’s strategic objectives and the transaction’s impact on ongoing core business activities.
  • What can internal audit do in privacy consulting engagements?
    • Help keep the organization up-to-date on the latest trends, regulations, and controls.
    • Leverage its holistic perspective of the organization to provide valuable advice to management and the board regarding the most appropriate privacy framework and the most cost-effective investments in privacy.
  • What are the examples of training engagements?
    • Training on risk management and internal control.
    • Post-mortem analysis.
    • Business process mapping.
  • What type of consulting engagement is business process mapping?
    Training engagements
  • What is business process mapping?
    It is a method of understanding what is really needed to make a business process function versus what is being done but isn’t adding any value to the end customer.
  • What are the steps of business process mapping?
    • Business process mapping often begins with a process owner leading the internal auditor on a walkthrough.
    • Then a flowcharting activity is conducted to map the process and identify where value is added and where business process improvements could be made. 
  • What is an example of internal control training?
    Providing clients with the opportunity to attend a well-structured workshop on internal controls or the COSO internal control framework.
  • What are the benefits of audit clients attending a training workshop on internal control and COSO IC framework?
    • Help them understand the importance of internal controls related to their job responsibilities to achieve the objectives.
    • Help internal audit activities be understood and better received by the clients, which makes them more comfortable with the process and more willing to provide useful, complete information.
  • Facilitative consulting engagements require the internal audit function to be more involved with the activity rather than just offering the necessary knowledge for an individual outside of the function to carry out a task.
  • What are the examples of facilitative engagement?
    • Facilitating the risk assessment process.
    • Benchmarking internal areas with comparable areas of other similar organizations.
    • Facilitating management’s control self-assessment.
    • Facilitating a task force charged with redesigning controls or procedures.
    • Acting as a liaison between management and the external auditors, government agencies, vendors, and contractors.
    • Facilitating discussion on a post-mortem of a major systems or process interruption.
  • What are examples of internal and external benchmarks?
    Internal benchmarks:
    • historical data
    • goals and objectives
    External benchmarks:
    • industry standards
    • best practices
    • regulatory requirements
  • Benchmarking is especially appropriate in what types of audit?
    Performance and quality audits.
  • What are the 6 common classifications of benchmarking?
    • internal benchmarking
    • competitive benchmarking
    • industry benchmarking
    • functional benchmarking
    • general benchmarking
    • best-in-class benchmarking
  • What does internal benchmarking compare?
    Comparing similar information within a process or entity, either achievable performance above a current baseline or stellar practice.
  • What does a competitive benchmarking compare?
    Comparing measures with similar measures of direct competitors, locally, nationally, or worldwide.
  • What does functional benchmarking compare?
    Comparing related functions in the same technical area to show what is being achieved in other industries.
  • What does general benchmarking compare?
    Comparing processes in one operation against processes with similar features but in another industry.
  • What does best-in-class benchmarking compare?
    Comparing measures with those of organizations that are best in class for a function.
  • What type of consulting engagement do internal auditors perform for control self-assessment activity?
    Facilitative consulting engagements
  • What is a CSA (Control Self-Assessment)?
    A CSA is a process whereby employee teams and management, at local and executive levels, continuously maintain awareness of all material factors affecting the likelihood of achieving the organization’s objectives, thereby enabling them to make appropriate adjustments. 
  • What does a CSA integrate?
    Business objectives and risks with control processes.
  • Blended engagements incorporate elements of both consulting and assurance services. Care must be taken that neither independence nor objectivity is compromised. It is often necessary to communicate outcomes of these engagements separately.