Every once in a while, especially as organizations look for ways to cut costs, the idea of outsourcing internal audit work goes on the agenda. And yet the vast majority of such work ends up staying in-house. In 2014, for example, only 9% of an organization’s audit budget went to outsourced or “co-sourced” services. Why is that?
While outsourcing may be appealing in theory, few problems with internal capabilities can’t be fixed, and there is good reason to keep internal audit in-house.
The primary rationale for outsourcing is that it offers audit teams access to a wealth of technical skills
“Several organizations have already tried outsourcing engagements and failed to meet objectives — which led them to move the work back in-house after only a few years,” says Ian Beale, senior research director at Gartner. “There are numerous reasons outsourcing engagements fail, but essentially, it’s hard to find the right vendor, and even harder to get the right services from them over a long period of time.”
Finding the right provider
Typically, internal audit teams prefer a single vendor contract that costs roughly the same as an in-house department, but gives them flexible access to scarce skills, rather than keeping full-time specialists on the payroll.
However, this can lead to uncomfortable trade-offs. For example, the best way for flexible access to scarce skills is through multiple vendors — this includes smaller (regional) accounting firms or specialist consultants — which would lose the administrative simplicity of a single contract.
Major audit firms can provide services under a single contract but a lot of organizations also use these firms as independent external auditors. This would create challenges as organizations would use a firm for internal audit services and then hire the same firm as a tax advisor, external auditor, or consultant to the company.
Settling the right contract
Even if organizations find a qualified supplier or group of suppliers, legal and regulatory requirements govern the outsourcing of internal audit in certain sectors or locations, and non-compete and privacy clauses are critical. Contracts must also specify the contractual triggers for terminations and the explicit processes for transferring audit work back in-house or to an alternative provider — and must define ownership of audit working papers and reports so the organization can still access them if the contract is terminated.
As external audit firms take over risk assessment and audit planning, organizations will also have to revamp their budgeting and planning process to make it more seamless. It is also important to draft contract terms that provide clarity on permissible overruns, work variations, travel and expenses (T&E) and extra costs.
Read more: Top Risks for Audit Leaders
Sticking to budgets and contracts
The primary rationale for outsourcing is that it offers audit teams access to a wealth of technical skills. In most cases, it’s better to co-source the audit or use a guest auditor to gain these skills, instead of outsourcing it to a specialist who will leave once the work is done and take valuable knowledge with them. Even if organizations can’t afford a specialist, they still have to identify and acquire the expertise they require for internal audit.
One criteria organizations use to choose the external vendor is knowledge of local factors (i.e., language, legal/regulatory requirements, and culture/practices). However, this may require compromises in other areas. For example, a provider could source staff from local offices to avoid T&E costs for remote audits, but they still need to ensure that the technical, operational, interpersonal, and language skills of auditors reach the desired standard.
This is crucial as different vendors may specialize in different areas. For example, external auditors who deliver financial audits may not have the skills, business acumen, or knowledge to deliver audits of strategic or operational activities.
Losing out on value-added activities
There are two areas where outsourced providers often fall short while internal audit teams provide a valuable service to their business partners.
- Integrated assurance. The outsourced provider has no incentive to coordinate assurance work, remove duplication and train management, unless it is included in the contract. Also, external vendors would find it difficult to provide a holistic view of risk assessment to a client as the technology and reporting formats they use would be different from the organization’s in-house department.
- Advisory and consulting work. One of the biggest challenges for external vendors is the issue of confidentiality. They are seldom allowed to undertake strategic risk audits or assess major change initiatives, particularly for sensitive projects or situations (eg M&A support), or train management. No matter how competent external or co-sourced providers may be, the lack of on-the-ground presence makes it harder to maintain – let alone raise – managers’ awareness of the importance of risk and controls.
Read more: Why Audit Leaders Need to Adopt RPA
In-house is almost always a better bet
Despite the challenges, there are legitimate reasons that organizations decide to outsource internal audit — especially if the in-house team fails to meet cost or quality expectations. Senior managers may question the extra value provided by an internal audit team and may choose an external vendor for standard audits. While these are justifiable issues, organizations can solve them. Many internal audit teams have transformed their operations over the past several years.
They have been able to provide assurance for high-impact risks and help senior management achieve strategic objectives. Changes to the audit planning process, improvements in the reporting structure, innovative audit methodology, use of SMEs and co-source arrangements and staff training are able to address concerns about the cost, quality, and value of in-house teams in a more reliable, sustainable manner than outsourcing.