A new report by the Institute of Internal Auditors (IIA) Research Foundation found that 38 percent of organizations worldwide say they use third parties for some of their internal audit activity, with North American companies leading the pack at 56 percent.
According to Engaging Third Parties for Internal Audit Activities, financial-sector companies are the biggest user of outside help at 45 percent globally, followed by publicly traded companies not in the financial sector at 43 percent.
Why do companies outsource internal audit work? The most common reasons are that third-party services may provide special skill sets that in-house audit lacks, solve staffing shortages or continuously supplement staff, cover remote business locations, and handle special projects.
“As demands on internal audit evolve, we will need to turn increasingly to third-party services, so it is imperative that chief audit executives understand best practices in this area,” IIA President and CEO Richard Chambers said in a prepared statement.
The report is based on the Common Body of Knowledge 2015 Global Practitioners Survey of more than 14,500 respondents from 166 countries.
Here’s a snapshot of other findings:
- Public sector and private companies were less likely to outsource internal audit than the financial sector, public companies, and not-for-profits. Almost half (47 percent) of not-for-profits surveyed were in North America.
- South Asia, the Middle East, and North Africa are most likely to increase outsourcing budgets this year. Elsewhere, budgets are expected to remain the same.
- About a third (32 percent) of the smallest audit departments outsource, compared to 41 percent to 56 percent for medium-to-large departments. Among the largest departments, 28 percent cited very low use of third parties, but 37 percent expect that to increase.
For companies that may have to outsource all internal audit work, the IIA states that “oversight and responsibility for the internal audit activity cannot be outsourced.” Meaning, the company still has to have an employee who is responsible for the oversight of internal audit even if it’s outsourced, the report states.
For chief audit executives, the report offers four takeaways.
1. Be proactive in determining the need for outsourcing. Stakeholders will expect that.
2. The third-party agreement must state performance expectations.
3. Agree on who’s responsible for remediation and follow-through. That should be included in the service agreement.
4. Allow third-party providers to share new ideas or know-how. “In particular, third-party service providers may be able to provide an important perspective on emerging risks,” Brian Christensen, executive vice president of global internal audit for Protiviti, said in the report. “Rather than taking a reactive approach, chief audit executives can use service providers to help them meet the needs of the board of directors and the audit committee by both anticipating and creating a risk-based audit plan that addresses emerging risks.”