CEB Blogs


Internal Audit

Why Outsourcing Internal Audit is a Big Risk

Caveat emptor; it's almost always better to stick with an in-house team than outsourcing audit planning

Calculating the decision to outsource or notFrom time to time over the past 15 years, the idea of outsourcing some of a company’s internal audit work has come into fashion, and it is once again on the agenda.

Internal audit functions overwhelmingly keep their work in-house; in 2014, for example, only 9% of their audit budgets went to outsourced or “co-sourced” services. And of that small number, many functions have seen outsourcing engagements fail to achieve their objectives, causing them to bring the function back in-house after two to three years.

There are good reasons for this: it’s hard to find the right vendor, and even harder to get the right services from them across any length of time.

It’s Hard to Get a Qualified Provider And Stick To Budget and Contracting Preferences

In most cases, audit committees and the CFO seek a single vendor contract that costs roughly the same as what they spend on an in-house department, and that gives them flexible access to scarce skills, rather than having to employ expensive specialists full time.

But this can lead to some uncomfortable trade-offs. For example, the best way to get flexible access to scare skills is by using multiple vendors – including smaller (regional) accounting firms or specialist consultants — which would lose the administrative simplicity of a single contract.

The “Big 4” audit firms can provide services under a single contract but, given a lot companies use these firms as their independent external auditors, this can limit options to only one or two of them. The involvement of a Big 4 firm in internal audit services will be questioned if the firm also acts (now or in the future) as tax advisor, external auditor, or consultant to the company.

It’s Hard to Set Up a Satisfactory Outsourcing Contract

Organizations who do find a qualified supplier, or collection of suppliers, must overcome many legal and regulatory hurdles:

  • Internal audit outsourcing may require regulator approval in certain sectors or jurisdictions prior to appointing an outsourced provider and regularly thereafter.

  • Audit teams will need to address concerns about whether auditors from the outsourced firm will be working with competitors in between assignments or after the contract ends. Asking for the same person for multiple audits is difficult for the precise reason (the flexible access to skills) that outsourcing is attractive to begin with.

  • Within the agreed contract terms and after any minimum spend the work will be treated a variable cost, as outsourced staff are only used when needed. It is vital, therefore, to have clarity on permissible overruns, work variations, travel and expenses (T&E), and extra costs.

  • Audit teams will need to manage differences in the working practices (e.g., hours worked, working style, T&E) used by outsourced providers and the policies and norms followed by company staff.

  • There must be absolute clarity about contract terminations; the triggers for termination and the process to transfer auditing back in-house or to another outsourced provider. The contract must clearly define ownership of audit working papers, audit reports, and the like. Find out if you will be able to access them following termination of the contract.

  • Budgeting and planning will be complicated after the first year of the engagement, as the outsourced provider will conduct the risk assessment and audit planning, which will then be difficult for management and the audit committee to challenge.

It’s Hard to Get a Qualified Audit Provider And Stick To Budget and Contracting Preferences

The primary rationale for outsourcing is that gives audit teams access to a wealth of technical skills. In most cases, it’s better to co-source the audit or use a guest auditor to gain these skills, instead of outsourcing it to a specialist who will leave once the work is done and take valuable company knowledge with them. And, if you’re willing to sacrifice this knowledge, success still depends on clearly specifying the skills you seek and selecting the right individuals.

Companies can specifically select the outsourced firm for their knowledge of local factors (i.e., language, legal/regulatory requirements, and culture/practices), but this could require compromises in other areas. For example, a provider could source staff from local offices to avoid T&E costs for remote audits, but can they ensure (and can you verify?) each auditor has the necessary audit, technical, operational, interpersonal, and language skills to the required standard.

Depending on the chosen vendor, its staff may have been trained as — and therefore operate as — external auditors by default and prefer to deliver financial audits. They may not have skills, business acumen, or knowledge to deliver audits of strategic or operational activities.

You Typically Lose Out on Value-Added Internal Audit Activities

There are two areas where internal audit teams provide a valuable service – what’s called “value add” in the jargon – to their business partners, and where outsourced providers often fall short.

  1. Integrated assurance: The outsourced provider has no incentive to coordinate assurance work, remove duplication, train management, or rely on other assurance work, unless this is negotiated into the contract. As a practical matter, providing a holistic view of risk issues to the executive committee and audit committee (i.e., bringing together the results from all assurance providers) will be difficult due to differences in technology used and reporting formats between the outsourced provider and in-house departments.

    Moreover, senior managers may become confused between a Big 4 firm doing an internal audit and the Big 4 firm doing the external audit, and resist what may seem like duplicative requests for time and information.

  2. Advisory and consulting work: Confidentiality concerns can prevent an outsourced team doing strategic risk audits or assessing major change initiatives; this can prevent key risk audits from ever happening. There is also rarely audit support essential and sensitive work, such as major project reviews, M&A support, and management training in risk management.

    This lack of risk management training often sends an unintended signal about the importance that the board and top executives place on maintaining a strong control and risk management environment. No matter how competent external or co-sourced providers may be, their lack of on-the-ground presence makes it harder to maintain – let alone raise – managers’ awareness of the importance of risk and controls.

In-House Is Almost Always a Better Bet

While all these outsourcing concerns abound, there are some legitimate worries that can lead companies to take the plunge. The current internal audit team may not be meeting cost or quality expectations or senior managers may question the extra value provided by the internal audit team and may only want to hire a firm to conduct standard audits.

While these are justifiable worries, there are better ways to solve them. Many internal audit teams have transformed their operations over the past several years. These companies have continued providing assurance for high-impact risks while also helping senior management achieve strategic objectives.

Changes to the audit planning process, improvements in reporting to executives and the audit committee, innovations in audit methods, and staff training and development have all been proven to address concerns about the cost, quality, or “value added” of in-house teams in a more reliable, sustainable manner than outsourcing.

More On…

3 Responses

  • Todd Davies says:

    Having been on all sides of these arrangements (sales for the big 4, purchaser as an in-house chief auditor, and now specialist procurement advisor for large companies), it’s fair to say that the conversation is far more nuanced than it was in the past.

    Ian is correct, setting up a good contracting arrangement can be a challenge but in some cases it does make a lot of sense. Being strategic around it is important, and at the risk of being self-promoting, good advice definitely helps.

    Like any other strategic sourcing contract, the key is determining what capabilities you want to keep in house and why. If you can do this then much of the rest of your resourcing strategy will drop out fairly quickly. A blended approach (in-house led, supplemented by external expertise) is often a very good model, but not necessarily in all cases, and from time to time it does make sense to change the balance.

  • Lisa Gunther says:

    Having been on both sides of this equation, I happen to agree with Ian with one caveat ~ IT Audit. When I was in the Big 4, I was the IT Audit Director for about 4 companies. There are two reasons to out source your IT Audit Function ~ a. These people are technical and at the rate technology changes, and b. regular IA depts do not have the money to spend keeping these people up to date on current technology. Or we would use my favorite ~ read it, learn it, do it and teach it method. That is how I became a SAS70 expert. At a big 4 firm we actually did not require that much training ~except for the very technical stuff~ because we learned it from our other clients who were on the leading edge of new technology and other companies got the benefit of that knowledge. Out sourcing is also good for special project work if you do not have that skill set in house.

    IT Audit is particularly good for SOX work, because all financial systems work essentially the same at every company which makes them easy to audit from an IT perspective. We look at the controls of the financials and then IA can do the ticking and tying. This works especially well if the are using an erp system like Oracle. We see these systems all the time so we know where to look for issues. When I was the Director of Audit, for SOX I did all the system testing and let my staff tie out the numbers, mostly because I cannot stand doing it. During the implementation of Oracle, I set up the Security Architecture with having no prior experience with the software. This was a year before SOX. They were going to put it in without security and as an auditor, I could not allow that to happen because it would be a material reporting condition and we would get a qualfied opinion. And both my management and the external auditors would freak out.

    From and internal audit ~i.e. financial and operational audits ~ these should be kept in house because no one will know the entire structure of the company better than a staff of auditors there everyday.

  • Tom B says:

    Agree with much of the article. Co sourcing is a good solution to gain the widest array of expertise at a good price. You have to be aware of scope creep with third parties, but many have wonderful experts. Recently, I used salary freed up due to turnover and engaged external auditors to assist. This had worked well for us. A new set of eyes on process that was audited by I/A worked well for us.

Leave a Reply to Tom B



Recommended For You

Why Internal Audit Needs to Tread Lightly

Hundreds of heads of audit worry about the ever-increasing pace of change in business and...