From time to time over the past 15 years, the idea of outsourcing some of a company’s internal audit work has come into fashion, and it is once again on the agenda.
Internal audit functions overwhelmingly keep their work in-house; in 2014, for example, only 9% of their audit budgets went to outsourced or “co-sourced” services. And of that small number, many functions have seen outsourcing engagements fail to achieve their objectives, causing them to bring the function back in-house after two to three years.
There are good reasons for this: it’s hard to find the right vendor, and even harder to get the right services from them across any length of time.
It’s Hard to Get a Qualified Provider And Stick To Budget and Contracting Preferences
In most cases, audit committees and the CFO seek a single vendor contract that costs roughly the same as what they spend on an in-house department, and that gives them flexible access to scarce skills, rather than having to employ expensive specialists full time.
But this can lead to some uncomfortable trade-offs. For example, the best way to get flexible access to scarce skills is by using multiple vendors – including smaller (regional) accounting firms or specialist consultants – which would lose the administrative simplicity of a single contract.
The “Big 4” audit firms can provide services under a single contract but, given that a lot of companies use these firms as their independent external auditors, this can limit options to only one or two of them. The involvement of a Big 4 firm in internal audit services will be questioned if the firm also acts (now or in the future) as tax advisor, external auditor, or consultant to the company.
It’s Hard to Set Up a Satisfactory Outsourcing Contract
Organizations who do find a qualified supplier, or collection of suppliers, must overcome many legal and regulatory hurdles:
Internal audit outsourcing may require regulator approval in certain sectors or jurisdictions prior to appointing an outsourced provider and regularly thereafter.
Audit teams will need to address concerns about whether auditors from the outsourced firm will be working with competitors in between assignments or after the contract ends. Asking for the same person for multiple audits is difficult for the precise reason (the flexible access to skills) that outsourcing is attractive to begin with.
Within the agreed contract terms and after any minimum spend, the work will be treated as a variable cost, as outsourced staff are only used when needed. It is vital, therefore, to have clarity on permissible overruns, work variations, travel and expenses (T&E), and extra costs.
Audit teams will need to manage differences in the working practices (e.g., hours worked, working style, T&E) used by outsourced providers and the policies and norms followed by company staff.
There must be absolute clarity about contract terminations: the triggers for termination and the process to transfer auditing back in-house or to another outsourced provider. The contract must clearly define ownership of audit working papers, audit reports, and the like. Find out if you will be able to access them following termination of the contract.
Budgeting and planning will be complicated after the first year of the engagement, as the outsourced provider will conduct the risk assessment and audit planning, which will then be difficult for management and the audit committee to challenge.
It’s Hard to Get a Qualified Audit Provider And Stick To Budget and Contracting Preferences
The primary rationale for outsourcing is that it gives audit teams access to a wealth of technical skills. In most cases, it’s better to co-source the audit or use a guest auditor to gain these skills, instead of outsourcing it to a specialist who will leave once the work is done and take valuable company knowledge with them. And, if you’re willing to sacrifice this knowledge, success still depends on clearly specifying the skills you seek and selecting the right individuals.
Companies can specifically select the outsourced firm for their knowledge of local factors (i.e., language, legal/regulatory requirements, and culture/practices), but this could require compromises in other areas. For example, a provider could source staff from local offices to avoid T&E costs for remote audits, but can they ensure (and can you verify) that each auditor has the necessary audit, technical, operational, interpersonal, and language skills to the required standard?
Depending on the chosen vendor, its staff may have been trained as — and therefore operate as — external auditors by default and prefer to deliver financial audits. They may not have skills, business acumen, or knowledge to deliver audits of strategic or operational activities.
You Typically Lose Out on Value-Added Internal Audit Activities
There are two areas where internal audit teams provide a valuable service – what’s called “value add” in the jargon – to their business partners, and where outsourced providers often fall short.
Integrated assurance: The outsourced provider has no incentive to coordinate assurance work, remove duplication, train management, or rely on other assurance work, unless this is negotiated into the contract. As a practical matter, providing a holistic view of risk issues to the executive committee and audit committee (i.e., bringing together the results from all assurance providers) will be difficult due to differences in technology used and reporting formats between the outsourced provider and in-house departments.
Moreover, senior managers may become confused between a Big 4 firm doing an internal audit and the Big 4 firm doing the external audit, and resist what may seem like duplicative requests for time and information.
Advisory and consulting work: Confidentiality concerns can prevent an outsourced team from doing strategic risk audits or assessing major change initiatives; this can prevent key risk audits from ever happening. There is also rarely audit support for essential and sensitive work, such as major project reviews, M&A support, and management training in risk management.
This lack of risk management training often sends an unintended signal about the importance that the board and top executives place on maintaining a strong control and risk management environment. No matter how competent external or co-sourced providers may be, their lack of on-the-ground presence makes it harder to maintain – let alone raise – managers’ awareness of the importance of risk and controls.
In-House Is Almost Always a Better Bet
While all these outsourcing concerns abound, there are some legitimate worries that can lead companies to take the plunge. The current internal audit team may not be meeting cost or quality expectations, or senior managers may question the extra value provided by the internal audit team and may only want to hire a firm to conduct standard audits.
While these are justifiable worries, there are better ways to solve them. Many internal audit teams have transformed their operations over the past several years. These companies have continued providing assurance for high-impact risks while also helping senior management achieve strategic objectives.
Changes to the audit planning process, improvements in reporting to executives and the audit committee, innovations in audit methods, and staff training and development have all been proven to address concerns about the cost, quality, or “value added” of in-house teams in a more reliable, sustainable manner than outsourcing.