The majority of publicly listed companies in Malaysia (54 percent) fully outsourced their internal audit functions in 2016, according to a survey conducted by The IIA's affiliate in that rapidly growing country. The survey found that outsourcing is more prevalent in smaller companies and less so in the financial sector.
This survey raises an important age-old question that a growing number of organizations may be facing in the future as the demands of effective governance and risk management become more complex. Is outsourcing internal audit a viable option?
There is little question that the profession will have to expand its skill sets as it pivots to meet stakeholder demands for assurance related to emerging risks and to be trusted advisors when it comes to risk, business, and operating strategies. Management and boards, especially those responsible for quickly evolving, tech-driven sectors, will seek arrangements that best suit their demands and budgets.
While I believe a well-resourced and independent internal audit department comprised of company executives and employees remains the best option for most organizations, there are alternative sourcing strategies including co-sourcing or guest auditors that can augment the staff of an internal audit function, and provide necessary specialization required for specific engagements or to meet temporary staffing needs. Indeed, The IIA's 2015 Common Body of Knowledge survey found 38 percent of organizations turn to outside services to meet some of those demands. The deployment of co-sourcing strategies by large-cap U.S. companies is even more prevalent.
But when an organization seeks to fully outsource internal audit, it is vital for management and the board to understand their responsibility to ensure that service is of the highest quality and serves the best interests of the organization.
A valuable resource for organizations considering this step is an IIA position paper that outlines key organizational roles and responsibilities. The Role of Internal Auditing in Resourcing the Internal Audit Activity states clearly that the organization must maintain ownership of the function and ensure its quality no matter who ultimately provides the service.
"In cases where total outsourcing is selected as the method for obtaining internal audit services, The IIA believes that oversight and responsibility for the internal audit activity cannot be outsourced. An in-house liaison, preferably an executive or senior management-level employee should be assigned responsibility for 'management' of the internal audit activity. Consideration of the independence of the assigned in-house liaison must be evaluated if this individual has other (non-internal audit) responsibilities. The role of the board or equivalent governing body also is important in the oversight process and the level of active oversight should be considered."
The IIA position paper also offers a list of key considerations for organizations thinking about outsourcing the internal audit function:
- Available resources – The organization's financial situation may require outsourcing as the only viable option for competent and timely professional internal audit services.
- Size of the organization – Organizations of any size may need to turn to co-sourcing or outsourcing at any time for any number of reasons, including temporary staff shortages, specialty skill needs, tight deadlines, and coverage of remote business locations. Also, small organizations may find it necessary to explore outsourcing due to the inability to hire permanent or full-time internal auditors.
- Applicable laws and regulations – Some jurisdictions may prohibit outsourcing of internal audit functions. However, even if laws permit outsourcing, the internal audit function should never be outsourced to the external auditing firm that audits the organization's financial reports as this would pose a clear conflict and possibly impair independence.
Part of the deliberation must also include a clear-eyed discussion of the challenges of building and maintaining a robust internal audit function. The best functions thrive and operate at the highest levels when management, the board, and internal audit have open and honest communications and a sophisticated understanding of their respective roles. These ideal conditions are difficult to achieve in the best of circumstances. Outsourcing the function adds a layer of complexity to that challenge. Indeed, I believe management and the board have a higher obligation to maintain the quality of the internal audit function when it is fully outsourced.
This demands that organizations give careful consideration to the content of contract and engagement letters of any outsourcing arrangement. From The IIA position paper:
"Deliverables, such as workpapers, reports, recommendations, conclusions, opinions, ratings, benchmarking information, and analyses (such as value added), should be considered. Deadlines, progress reports, access to staff for discussion of results, and follow-up should be addressed. Ownership of workpapers and use of results should be addressed. Restrictions or limitations, as well as strengths and additional benefits, should be evaluated. Compensation issues should be clearly defined."
The report makes plain the complexity of outsourcing. Clearly identifying objectives, scope of services, level of expertise needed, performance metrics, responsibilities for remediation and follow up, and the creation of a quality assurance and improvement program should be spelled out contractually at a minimum. And in an era where much of an organization's value can be based on proprietary data, third-party agreements also must include an assessment of the provider's own security and governance practices, clear understanding of the status of workpapers once the contract has ended, and possibly limitations on work the provider may take on involving the organization's competitors.
Every organization is unique, and demands on staffing, resources, and internal audit's scope of work will dictate the best option for providing assurance on governance and risk management. But it is imperative that organizations considering outsourcing the function understand the pros and cons before taking that step.
As always, I look forward to your comments.