There are basically three types of Internal Audit (IA) structures that organisations can choose to adopt, In-house, co-sourced or our-sourced.
I think the Institute of Internal Auditors (IIA) hit the nail when they stated that:
“ Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organisation. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organisation's reputation, growth, its impact on the environment and the way it treats its employees.
In sum, internal auditors help organisations to succeed. We do this through a combination of assurance and consulting. The assurance part of our work involves telling managers and governors how well the systems and processes designed to keep the organisation on track are working. Then, we offer consulting help to improve those systems and processes where necessary."
There are basically three types of Internal Audit (IA) structures that organisations can choose to adopt, In-house, co-sourced or our-sourced. Having been involved in all the three different Internal Audit (IA) arrangements, I think there are definitely pros and cons for all the three options, however it was glaring that some of the pros did outweigh the cons especially for a co-source arrangement. For very small businesses with limited budget, an out-sourced function might suit well, however apart from this scenario, this should not be the way to go.
The internal audit activity must have qualified, skilled and experienced people. For the most of my career I have been part of an in-house internal audit function, which made me bias to the other options and in the beginning, blinded to the shortfalls an in-house function may have. However it was an eye opening experience being involved in a co-source and out-source internal audit setup. I immediately realised some of the frustrations I had while being in a fully in-house function, which would have been easily solved (for a $$ price of course) had we considered or managed to convinced Audit Committee to venture into a co-source option.
When it comes to recruiting team members for internal audit, I always try to get a good balance in the skill sets of my team members, and I did this successfully because as opposed to the time of my predecessors, accountants were no longer the only ones applying for internal auditor roles. I always get excited when I see an Engineer or and IT background applicant’s resume on my desk. However, it is almost impossible to acquire all the required skill sets that an internal audit function would need, and the reason behind this was simple, overheads. Organisations around the world have embarked on adopting the Lean strategy. Head of Departments in organisations are being challenged to make their operations lean and effective, and this is why getting the right skilled team member is important – it is also what feeds the thriving consulting industry. This is where having a co-sourced approach is beneficial. CAEs would be able to confidently undertake the all necessary internal audit engagements in the audit plan without fear of not being able to deliver quality value add reports because of simply not having the required knowledge pool in their department (rightfully CAEs should not be undertaking these engagement at all).
I have always believed that a successful internal audit function is one that have not only the audit committee’s confidence but also the management’s buy in on the program while maintaining its independence. There must always be a value add to any internal audit report. Apart from providing assurance to the audit committee, the internal audit function also has the responsibility to provide consulting activities to the organisation in order to provide value add. This can only be achieved when the management team understands and supports the internal audit function which will only happen though relationship and trust building over time, which is at the core of a successful in-house function. This would not be at the heart of a fully out-sourced internal audit function who would only serve the purpose of providing assurance to the audit committee and often works off the approved audit plan and shows up at the premises at the start of the audit engagement. Granted, this is a bold claim, however it is the little things that makes a relationship build over time, such as having lunch in the same kitchen, meeting at the coffee machines, sharing the same parking lots – these kind of encounters make the familiarity and builds trust to another level – something only in-house internal auditors can achieve. This rapport is important to enable the internal audit team to put forward recommendations in a way that can influence the organisation to want to take remedial action.
The balance of being able to achieve management buy in while also meeting its obligations to the audit committee and being able to also have the capability to undertake all types of internal audits will only be achieve with a strong in-house function coupled with a co-source arrangement. The Co-source partner will only be assigned specific audit engagements which are not within the pool of skills and knowledge of the in-house audit team. It is advisable that the in-house team plays a key and pivotal role in co-source engagements such as being involved in the opening and closing meetings as well as meetings with senior management to ensure that the objectives of the audit is being meet while maintaining the rapport with management. This is critical to maintain the rapport and management buy in as well as to ensure co-source audit reports have the balance of objective while still providing the value add to the management. This point of view should not be mistaken as an approach that will undermine independence.Maintaining independence is critical to theinternal auditteam, and should be maintained by not getting involved in operational decisions etc.