Domain IV: Consulting role of the Internal Auditor (IA)


The objective of this module is to better prepare the participant to pass the Certification in Risk Management Assurance Exam by discussing and analyzing the technical dimensions of this domain and by covering techniques to best manage multiple-choice questions.


Included are discussions of the skill requirements of a CRMA to:

A. Facilitate identification and evaluation of risks


B. Coach management in responding to risks


C. Coordinate risk management activities


D. Consolidate reporting on risks


E. Maintain and develop the risk management framework


F. Advocate for the establishment of risk management


G. Develop risk management strategy for board approval







The 1999 IIA Standards state that each internal audit organization should define both assurance and consulting services in terms of what is appropriate for its own organization, and that those definitions should be formal and published in the internal audit charter.

The IIA Standards clearly identify the opportunity for internal audit to increase its contribution to the success of an organization by using consulting to add value and improve an organization’s operation in a consulting


“Internal auditing is a …consulting activity designed to add value and improve an organization's operations. …”

Source: 1999 IIA Standards from




The role of the auditor as a consultant has long been debated. The question is, should internal auditors act as consultants or not? In practice, some audit departments say “no” and some say “yes”. To further complicate this debate, the need or opportunity for internal auditors to act as consultants changes with the needs of the business. Therefore, an audit department that says “yes” at one point in time may at another time say “no”, and an audit department that says “no” at one point in time may at another time say “yes”. This change in opinion is most often a result of business needs and leadership.

Therefore, with all this confusion, it is probably best to understand what internal auditors actually do, what consultants do, and how the professional practices from the Institute of Internal Auditors provide guidance.

This definition is sometimes difficult because each person seems to have a definition of consultant based on that person’s business and personal experience. This definition is also difficult because of the many types of consultants, including those making a small hourly wage, those making hundreds of dollars an hour, those working for major firms, those working for small organizations, self-employed individuals, and a seemingly endless number of variations of these.

To discuss the consulting role of the internal auditor related to risk management, it is important to define what a consultant is and what a consultant does. Then a comparison can be made between an auditor and a consultant. Taking an increased involvement in risk management does not imply that internal auditors abandon auditing, but that they increase their opportunities and the benefits to their clients by increasing their use of consulting skills. One approach to defining a consultant is to use a dictionary that contains the following definition.


Dictionary definition of consultant

“ … one who offers professional advice or professional products … “


Using this definition, it is clear that internal auditors are already acting as consultants, as the only purpose of internal audit is to provide professional advice and products (like audits and other services) to the organization. Providing advice related to risk management either continues that advice and those services or expands the internal audit role further.




Internal audit’s in-depth knowledge of internal controls has created excellent opportunities for internal audit to provide education or training to all levels of an organization, from the board of directors to direct supervisors, about many of the features of risk management, including services that internal audit can provide. These services are available because internal audits are performed throughout an organization, providing unique views of risk gained from a history of audits in all of the many areas of an organization.

Consulting Role of the Internal Auditor (IA)

4.2  The risk formula to determine the probability of a control failure is:

1. modified annual loss expectancy

2. annual loss expectancy

3. direct probability estimate

4. modified risk versus control failure probability




Answer 1 is the correct answer. First, answer 4 can be eliminated. Although it may sound related to risk assessment and this question, it is just a set of random words. Of the three remaining answers, answer 1, the modified annual loss expectancy, is the correct answer and the formula that will help determine the probability of a control failure.