An internal auditor’s role as a business consultant has been a bit ambiguous over time. Earlier versions of the International Standards for the Professional Practice of Internal Auditing, from the Institute of Internal Auditors (IIA), as discussed in Chapter 9, had until recent years prohibited internal auditors from acting as business consultants. The idea had been that an internal auditor was there to review and assess internal controls and then to make recommendations for controls improvements and corrective actions through their internal audit reports. However, this no-consulting standard was not followed very closely in those earlier years as many internal auditors often acted like consultants as part of their management-oriented reviews. This author recalls his earlier days as an information technology internal auditor. With five-plus years developing and designing IT applications, managing IT projects, and a strong understanding of systems development processes, it was difficult to not act as a consultant in those earlier internal audits. Many other internal auditors all but ignored the IIA’s consulting prohibitions when making their internal audit recommendations.

The internal audit consulting prohibition became stronger in the early days of the Sarbanes-Oxley Act (SOx). While the early SOx legislation hardly mentioned internal audit, many felt that internal audit would be in violation of these no-consulting ...