An outsourcing arrangement is a contract between the institution and an audit services firm to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. The services under contract can be as limited as assisting internal audit staff with an assignment in which they lack expertise. This type of arrangement would typically fall under the control of the institution's internal audit manager, to whom the audit provider would typically report.
Other outsourcing arrangements may call for an audit provider to perform all or several parts of the internal audit work. Under these types of arrangements, the institution should maintain an internal audit manager and, as appropriate, internal audit staff sufficient to oversee vendor activities. The audit provider usually assists the internal audit function in determining the institution's areas of risk and the levels of risk to be reviewed, and recommends and performs audit procedures approved by the institution's internal audit manager. In addition, the outsourced audit provider should work jointly with the internal audit manager in reporting significant findings to the board or its audit committee.
Before entering into an outsourcing arrangement, the institution should perform due diligence to ensure that the audit provider has a sufficient number of qualified staff members to perform the contracted work. Because the outsourcing arrangement is a professional or personnel services contract, the institution's internal audit manager should have confidence in the competence of the staff assigned by the audit provider and receive timely notice from the vendor of any key staffing changes. Throughout the outsourcing arrangement, management should ensure that the audit provider maintains sufficient expertise to perform effectively and fulfill its contractual obligations.
When an institution enters into an outsourcing arrangement, or significantly changes the mix of internal and external resources used by internal audit, operational risk may increase. Because the arrangement could be terminated suddenly, the institution should have a contingency plan to mitigate any significant gap in audit coverage, particularly for high-risk areas. In its planning, an institution should consider possible alternatives and determine what it will do if an auditor with specialized knowledge or skills is unable to complete reviews of high-risk areas, or if an outsourcing arrangement is terminated. For example, management could maintain information about the services offered and areas of expertise, as well as contact names and phone numbers, of other firms in their geographic area that could provide internal audit assistance in specific areas or a broader range of outsourcing services.
When negotiating the outsourcing arrangement with a vendor, an institution should carefully consider its current and anticipated business risks in setting each party's internal audit responsibilities. To clearly define the institution's duties and those of the outsourcing vendor, the institution should have a written contract, often referred to as an engagement letter. In general, the contract between the institution and the audit provider may or may not be the same as the engagement letter. The contract should:
Directors and senior management should ensure that the outsourced internal audit function is competently managed. For example, larger institutions should employ sufficient competent staff members in the internal audit department to assist the internal audit manager in overseeing the outsourcing vendor. Smaller institutions that do not employ a full-time audit manager should appoint a competent institution employee to oversee the outsourcing vendor's performance under the contract. This person should report directly to the audit committee for purposes of communicating audit issues and ideally should have no managerial responsibility for the area being audited.
Communication among the internal audit function, the audit committee, and senior management should not diminish because the institution engages an outsourcing vendor. The institution's audit manager should be involved with the audit provider in defining the audit universe and setting a risk-based IT audit schedule. The audit provider should appropriately document all work and promptly report all control weaknesses found during the audit to the institution's internal audit manager.
The outsourcing vendor should work with the internal audit manager to mutually determine what audit findings are significant and should be emphasized when reported to the board and its audit committee. The concept of materiality as the term is used in financial statement audits is not necessarily a good indicator of which control weaknesses to report. For example, reportable weaknesses could affect the institution's reputation or compliance with laws and regulations without a direct impact on the financial statements.