Audit and Risk Committee decision to outsourced, co-source or insource the Internal Audit function
King IV puts the responsibility on the governing body to ensure that the internal audit function is capacitated and skilled enough to perform its duties. Every now and then the Audit and Risk Committee (sub-committee of the Board of Directors responsible for audit and risk management) finds itself confronted with three options of formulating an effective internal audit function;
- Set-up an inhouse Internal Audit team (insourcing);
- Set-up an inhouse Internal Audit team which is supported by external services providers for some audit reviews (co-sourcing); or
- Fully outsource the function to an external service provider.
The Chief Audit Executive needs to develop an audit strategy that complements the strategy of the organisation to be approved by the Audit and Risk Committee. The strategy with the audit plan will indicate whether there are enough resources within the organisations’ internal audit function with the appropriate skills, experience, and qualifications to effectively carry out internal audit activities.
Every organisation is unique, and thus there is no simple solution that can cater for all. This is true even for related entities. It would be an injustice to assume what works for one related entity would suffice for the next entity.
To make the decision, The Audit and Risk committee needs to at least consider these organisation specific factors and the associated risk:
1. The strategy of the entity
The long-term direction of the entity dictates how it will structure internally, and therefore the decision on whether to insource or outsource is impacted by the strategy of the business. It is possible to adopt one strategy with a plan to shift towards the other overtime as the entity evolves and grows. It is important that the intent is set on the onset and the evolution is monitored regularly. As an example, an entity that is formulating the function from scratch, might need to consider fully outsourcing with a plan to insource in a few years by hiring a chief audit executive to manage and monitor the external service provider. The contract with the external service provider must make a provision for skills transfer as the inhouse team grows.
2. The size of the entity
The size and complexity of operations plays a pivotal role in making this decision. Other things to consider related to the entity are:
- The Financial Performance and position;
- Budget available to run the Internal Audit Function;
- The staff complement;
- The geographical spread;
- The number of divisions within an entity;
- Technological and data maturity; and
- Etc
The above elements would determine the adequate size of the Internal Audit function that would effectively serve the organisation and thus would impact decision-making.
The skills and expertise required for carrying audits in different industries may require certain experts which makes the decision whether to insource, outsource or co-source very important. Often, based on the audit plan and skill level of the internal audit team, a decision can be made to co-source to obtain expertise and skills that are not necessarily available inhouse. In this way an expert is co-sourced, and the entity would not need to invest its limited resources in capacitating the internal audit team with knowledge of a certain process or software used in the industry. This option is often cheaper as the entity will be budgeting for only the hours required, whereas an insourcing option would mean the resource is carried for the entire year and enjoys all benefits that are associated with having employment in the entity, which may be a bit costly. This is in complex industry with highly technical and high risks areas if the skills are lacking inhouse. In cases like these, overtime the co-sourced service providers will transfer the skills to the inhouse team.
3. Independence of the auditors
Internal auditors need to be independent in both fact and appearance. This is a contributing factor in determining how to have a division of internal audit considering that internally they must report on HR matters to the executive, on financial matters to the CFO and on key performance issues to the CEO, from an administrative point of view. In an out-sourced function, the service provider is appointed by the Audit and Risk Committee who approves the renumeration contracts and as internal audit functionally reports to the Audit and Risk Committee, they also monitor performance of the service provider in relation to the audit plan. Therefore, independence may seem easier when there is an outsourced function, that is not necessarily involved in the day-to-day functioning and running of the entity.
All in all, there is no one-size fits all, the Audit and Risk Committee will need to determine together with the Chief Audit Executive on what is the appropriate approach. The cost-benefit analysis needs to be applied in making the decision.
The question to the Audit and Risk Committee however, is whether the current function is adequately resourced and skilled to support the organisations’ strategy and objectives. This can be assessed by
- Querying the effectiveness of the function in covering the organisations’ significant risks, responding to emerging risks and overall value adding capabilities;
- Obtaining external quality assessments of the function’s conformance to the internal audit practice standards and reviewing the results of Internal ongoing assessments and periodic self-assessments and/or reviews; and
- The functions’ structure and skills reports prepared by the Chief Audit Executive to inspect if we have highly skilled resources with capabilities to carry out successfully complete assignments.
It is important to note, no strategy is set in stone, therefore changes can always be made to improve the performance of the function.