Much of internal audit’s calendar is filled up with a hectic audit plan that is sometimes more aspirational than realistic. It can be so tightly scheduled with assurance projects that it leaves internal auditors feeling like they have little time to think, never mind strategizing or taking on extra work. Yet savvy chief audit executives recognize that some of the most high-value work can be in advisory projects.
In fact, a recent Institute of Internal Auditors survey found that CAEs in general hope to increase the amount of advisory work their functions provide to the organization. According to the 2025 Pulse of Internal Audit survey, released in the spring, internal audit teams hope to increase the balance of work from about 75 percent assurance and 25 percent advisory today to roughly 60 percent assurance and 40 percent advisory in the future.
Let’s take a moment to define advisory work, as opposed to assurance work. According to the IIA, assurance services are those “through which internal auditors perform objective assessments to provide assurance. Examples of assurance services include compliance, financial, operational and performance, and technology audit engagements.”
In contrast, advisory services are those “through which internal auditors provide advice to an organization’s stakeholders without providing assurance or taking on management responsibilities. The nature and scope of advisory services are subject to agreement with relevant stakeholders. Examples include advising on the design and implementation of new policies, processes, systems, and products; providing forensic services; providing training; and facilitating discussions about risks and controls.”
While every internal audit department is different, and there is no perfect ratio of assurance work to advisory work, many CAEs see advisory work as higher value-add services that can elevate internal audit’s profile in the organization. Yes, the core value proposition to its primary client, the audit committee, is assurance work – that is internal audit’s foundation—but The IIA’s articulated Purpose of Internal Auditing is to: “strengthen the organization’s ability to create, protect, and sustain value by providing … objective assurance, advice, insight, and foresight.” So, not just assurance, but advice, insight, and foresight. We get there by also doing advisory work. It’s how internal audit can sometimes best add value to the organization.
Why is advisory work generally more value-adding than assurance work to organizational leadership? It’s because the organization, in general, isn’t as concerned with the fact that controls, as important as they are, are working effectively. That falls under day-to-day business operations. It is because they want to be successful in achieving strategic priorities and goals. And, adding value to such successful achievement is, quite frankly, where internal audit can add the most strategic value.
Finding the Right Balance Between Advisory and Assurance Work
Every company is different, and every company may have a different view on internal audit doing advisory work depending on business cycle and leadership preferences. Companies that are stable and rather static may not see the need for advisory work as much as companies that are undergoing a lot of change. So, the right amount of advisory work for your internal audit function will be different from other internal audit functions, and may change over time. Like Goldilocks, you don’t want to do too little or too much, but instead find a balance that is “just right.”
Finding that “just right” sweet spot will take trial and error, building a base of delivering credibly on advisory projects, conversation with the Audit Committee and the c-suite, and investing in the right talent and competencies to be able to competently deliver advisory work, which takes some different competencies than assurance work.
So, Why Are You Not Being Asked to do Advisory Work?
If internal audit wants to do more advisory work for its company than it is doing at present, it’s a lot better to be asked to do more than to try to force itself on the situation. Advisory work is much more successful when internal audit is “invited to the party,” rather than “crashing the party,” so to speak. So, what are some of the reasons internal audit isn’t being asked to do more advisory work (assuming it wants to do more)?
- Internal audit is not seen as credible or competent
- It’s not viewed as helpful or relevant
- It lacks strong cross-functional relationships
- It doesn’t have the skills, talent, or competencies
- It lacks a successful advisory track record
- Clients fear internal audit will escalate issues unnecessarily or prematurely
So, some are issues of perception, and some are issues of reality. CAEs must diagnose what they need to change – whether it’s perception or reality. Internal audit needs to be viewed as credible, competent, and capable of adding value with advisory services if it ever expects to be asked to perform advisory work. This is something that should be reflected in your internal audit function’s strategic plan, with both strategies and tactics directed towards it.
The Chicken and Egg of Advisory Work
You cannot get advisory experience without doing it – but how do you start without experience?
Start small. Begin with an advisory project in an area where you have a strong, trusting relationship with functional leadership. Get an invitation to the party (in other words, get invited to do some advisory work for them). As you start to accumulate successes, have those organizational leaders start to give you and your team endorsements for others in the organization to hear about. And, before you know it, if you are adding value with advisory work, you’ll break the chicken and egg dilemma, and get even more advisory work than you can absorb. You’ll know when you are there when you have to start turning down requests!
Managing Expectations in an Advisory Project
While assurance projects should certainly be done with the input of the area being audited, internal audit can set the scope and execute much of an assurance project based on what internal audit wants to do. That is not the case with an advisory project. The biggest beneficiary of an advisory project is the leadership or management of the area where internal audit is providing advisory work. This needs to be a synergistic relationship, and internal audit has to be viewed as working to help, not to report negative things on, the advisory work at hand. Does it matter if you think you are adding value? Perhaps. Does it matter if the leadership or management of the area thinks you are adding value? Without a doubt.
So, lots of open, honest, and constructive feedback needs to flow in both directions. You did not likely invite yourself to the project, but were invited to participate. You want to be invited back. Now, that doesn’t completely absolve you of your primary assurance auditor obligations. But if, as a result of the advisory work, you feel obligated to raise and report issues that might have important risk considerations outside of the people who lead or manage the area, you must not do it without prior discussion. And, you better have lots of conversation and agreement on any “risky” issue at hand. Absolutely no surprises!
Demonstrating Advisory Project Success
Advisory projects are very different from assurance projects. As a result, reporting on the results of advisory projects should be different than what internal audit does on assurance projects. This isn’t about audit observations (or, as many call them, audit findings), this is about helping the organization to be successful by providing advice and guidance based on expertise and experience. CAEs do not want to alienate operating management by saying that they’re here to help, and then turn around and report what’s being done wrong or could be done better.
Yes, the audit committee should know what advisory projects internal audit is involved with. They should support the efforts, and understand the tradeoffs if internal audit is doing advisory work in place of assurance work. And, at a summary level, the audit committee should be aware of internal audit’s conclusions from the totality of its advisory efforts. They need to see the benefits of this work for the organization, and how it is a worthwhile use of precious internal audit resources.
The mindset should otherwise be that internal audit is working for the operating management of the area where it is conducting advisory work, and the reporting should be tailored to best support them. Also, remember to keep your administrative boss fully aware of what you are doing.
The best scenario is that internal audit builds a strong, positive reputation for doing advisory work with a few key senior leaders, and then begins to function as your advocate throughout the organization. Yes, there’s nothing wrong with tooting your own horn every once in a while, but having management or senior leadership giving positive endorsements goes much further than your own boasting.
My best advice on advisory projects is to address the subject thoroughly in the internal audit function’s strategic plan. That way, all of the key people in the organization know the strategic intent and plan for such critical work and agree on that plan! Get some early successes, develop advocates in the organization for advisory efforts, and soon, internal audit’s advisory pipeline will build strong momentum. And the organization will be all the better as a result. 
Hal Garyn is Contributing Editor at Internal Audit 360°, and Managing Director and Owner of Audit Executive Advisory Services, LLC based in FL.
Insightful article, though the picture is still hazy, still not as clear as Assurance Services, and not easy to invite yourself at the party, without crashing into it – Business Leaders just do not know how to leverage the IA potential for advice!