CONDUCTING CONSULTANCY ACTIVITIES

a) Incorporating Consultancy Activities into the Internal Audit Plan and Program

It is essential that consultancy activities are carried out within the scope of internal audit plans and programs. During the preparation of the internal audit plan, the audit resources to be allocated for consultancy activities in the planning period are determined in line with the audit strategy approved by senior management, taking into account the Public Internal Audit Strategy Document and the institution's strategic plan. Additionally, precautionary resources may be allocated in the internal audit plan and program for consultancy activities, the details of which will be determined during the period.

It is essential that consultancy activities are conducted in response to requests from units, as required by the nature of the work. However, during the preparation of the internal audit plan, it is investigated whether there are areas at both the institutional and unit/process levels where consultancy activities can add value.

In this context, areas where consultancy services can be provided are presented to senior management, taking into account the opinions and suggestions of senior executives at the institutional level. In line with the recommendations of senior management, the purpose, scope, duration, and details of the implementation of consultancy activities are clarified in collaboration with the relevant units and included in the internal audit program.

In the event of a request for non-program consultancy services, an evaluation is made by the Internal Audit Board President, considering the following points, and if deemed appropriate, consultancy services may be provided from the precautionary audit resources.

• The potential contribution of consultancy services to improving corporate governance, risk management, and control systems of the relevant process: The more weak corporate governance, risk management, and control processes are, the greater the potential contribution of consultancy.
• The magnitude of recent changes in the relevant process: The more comprehensive and radical the recent changes, such as restructuring or regulatory updates, the greater the need for consultancy. 
• The level of knowledge and experience of the internal audit regarding the consultancy topic: In areas where the Internal Audit Board has a high level of knowledge and experience, the consultancy service it provides will have a greater contribution to the process. 
• How insistent the process owner/unit manager is on requesting consultancy services: The willingness of the unit manager and active support for the consultancy process will also increase the potential contribution of consultancy.

Risk information obtained from consultancy tasks is taken into account in internal audit plan and program activities.

b) Implementation

Consultancy activities are carried out in accordance with an agreement text to be prepared in collaboration with the relevant unit, with the KİDS (Public Internal Audit Reporting System) considered. The minimum requirements of the consultancy activity are specified in the agreement text, including:

• Objectives,
• Scope,
• Duration,
• Roles and responsibilities of the Internal Audit Board and the relevant unit,
• Reporting format and how the results of the task will be monitored.

An agreement text is not prepared for consultancy activities that do not involve reporting (such as training, participation as an observer in projects or meetings).

When determining the objectives of the consultancy task, it is necessary to consider corporate governance, risk management, and control processes to the extent agreed upon with the relevant unit manager.

An internal auditor who provides consultancy services related to any process should not conduct an audit within the same process within one year.

An internal auditor conducting the consultancy task should report to the Internal Audit Board President, together with the relevant unit manager, whether they believe that the scope of the task is insufficient to achieve the objectives. Following the final evaluation by the Internal Audit Board President, if the consultancy activity is not continued, the situation is reported to the relevant unit manager.

The development of risk management processes is one of the most important objectives of the internal audit activity. Consultancy activities also provide a significant opportunity in this area. Therefore, special attention should be given to the identification and evaluation of risks during the planning phase of consultancy services. During this process, if other significant risks encountered by the unit are brought up, the internal auditors should document these risks and, in cases where they believe these risks are not being managed effectively, evaluate the services that the Internal Audit Board can provide in collaboration with the Internal Audit Board President.

In the face of identified risks, internal auditors should evaluate the effectiveness and efficiency of existing controls. To achieve this, extensive meetings can be held or evaluations of the controls can be obtained from those who have sufficient knowledge about the subject. Then, tests to be applied to review the controls that are considered effective or (in terms of cost-effectiveness) efficient against risks related to the task objectives are determined in collaboration with participants from the relevant unit, and a task work program is created to include these tests.