What’s the best way to really know what’s going on in a company? You peek inside “the window into a company”—its internal audit function (IAF). In some cases, part of the view through that window is provided by third-party service providers that the IAF may engage to help meet both its long- and short-term assurance and consulting needs.
Chief audit executives (CAEs) have ultimate responsibility for ensuring that they have sufficient staff with the requisite knowledge and expertise to ensure they can respond appropriately and timely to both inherent and emerging risks within the company for which they work. Across the globe, rather than hiring additional staff or in response to a lack of budget sufficiency to hire additional staff, CAEs often rely on third-party service providers to provide expertise where it does not currently exist.
A joint project with the Institute of Internal Auditors Research Foundation (IIARF), my report, “Engaging Third Parties for Internal Audit Activities,” provides valuable insights into the current use of third parties around the world and presents a high-level roadmap on how to properly engage and supervise both internal and external service providers. The report is based on data from the Common Body of Knowledge (CBOK) survey conducted annually by the IIARF and administered to all internal audit professionals around the world. It is the most comprehensive survey of its kind and provides rich data on the structure, operations, and effectiveness of the represented IAFs.
The primary purpose of the IAF is to provide an objective perspective on how well a company is functioning. Many of the things an internal auditor does are similar to what an external auditor does, but often include more depth and goes beyond what’s reported in the financial statements. An internal audit might examine operations, governance, compliance, or other areas, all with a goal of ensuring the company is well-controlled. Internal audits also provide an opportunity for senior management and the audit committee to address areas of risk or concern prior to the annual external audit, which focuses on the financial reporting process.
The 2015 CBOK survey covered 166 countries. In North America, 56 percent of the respondents reported using third parties for internal audit activity. The Middle East and North Africa followed with 43 percent, and South Asia was next at 40 percent. The global average was 38 percent.
After the Sarbanes-Oxley Act (SOX) was passed by the U.S. Congress in 2002 and instituted stricter reforms focused on improving public companies’ financial reporting, the number of public (and private) U.S. companies with an in-house internal audit function significantly increased. Many in the internal audit profession consider SOX their “Full-Employment Act.” Prior research by both the IIARF and academics suggest that the size, quality, and expertise of these new IAFs vary significantly. Consequently, where necessary, companies rely heavily on outsourcing the needed skills to a third party. The 2015 CBOK report suggests that while large companies might have an internal audit staff that is of sufficient size and quality, they might need a certain specialization (e.g., to examine pension liabilities on a periodic basis or to provide language skills for a multinational company) and will rely on a third party service provider to assist. On the other hand, smaller companies might lack both size and breadth and depth of expertise and may rely more heavily on third-party service providers. Some companies may even fully outsource the IAF other than the CAE, who remains in-house and facilitates the relationship(s) with the service provider(s).
Because the U.S. has such strong governance and oversight, companies in other countries often emulate the U.S. model. For example, the survey suggests the use of third-parties is highest in developing and emerging markets in the Middle East/North Africa and South Asia. Interviews with audit committee members and prior auditing research by academics suggest that as markets continue to develop, the IAF is an important tool to ensure that the company respond to areas of inherent and emerging risk and can help ensure that controls are operating effectively and efficiently.
The survey and semi-structured interviews also suggest that the services third parties provide for the IAF vary depending upon organization type. For example, the percentage of third-party use is highest in the financial sector (for both publicly traded and privately held companies) and is lowest in the public sector and privately held companies (excluding finance).
My findings related to the financial sector were not surprising, because most financial institutions such as banks have very large IAFs (some with more than 500 auditors), which allow them to acquire highly specialized knowledge in-house. This suggests that when the financial sector brings in a third party it’s in a more limited, specialized role.
Most outsourced tasks are specialty skills that in-house internal auditors do not have, either because the skill is hard to acquire or only needed periodically or by request from management or the audit committee. One emerging skill provided by third parties is data analytics. The internal audit function in large companies typically has the technical expertise to harness the vast data the company has in order to learn what a company’s top risks are or to determine if internal controls are functioning effectively. For small companies the data may exist, but both the internal audit and technical expertise do not. Thus, they often look to third parties to provide the expertise.
Third parties also can help solve staff shortages, boost staff seasonally, or perform special projects that are not related to assurance.
Understanding who outsources internal audit functions and why helps to address one of the key takeaways from this research: What are the best practices for relationships with third parties?
Based on the semi-structured interviews of CAEs, third-party service providers, and audit committee members, common themes emerged. Consistently, interviewees suggested that asking the right questions up front can help create a good relationship, with CAEs clearly communicating objectives to the third party. Simply saying you need help isn’t enough, and experienced internal audit firms typically establish clearer objectives. In order to ensure a third party meets the CAE’s needs, he or she not only needs to do due diligence in engaging the third party, but also needs to follow up by re-examining the résumés and prior experience of the resources provided before work begins.
It’s also important to agree upon and document responsibility for remediation of and follow up on issues identified by the third party—whether the responsibility lies with the third party or with the IAF. In addition, thi
rd-party service providers can be a source of new ideas or knowledge for the company. Several interviewees suggested that significant knowledge transfer occurs when CAEs effectively supervise and proactively maintain the relationship with third-party providers.
Third-party service providers can be either a long-term or short-term solution. Whichever is the case, one thing that both the data and interviews suggest is no decline in reliance on these service providers in the future. Consequently, creating and maintaining great relationships with third-party service providers can only bolster the effectiveness of an already-important function within any organization—the internal audit function.
Read the full report, “Engaging Third Parties for Internal Audit Activities,” as part of the Institute of Internal Auditors 2015 Common Body of Knowledge.
Dereck Barr-Pulliam is assistant professor of accounting & information systems at the Wisconsin School of Business.