Getting the Most from Your Third-Party Internal Audit Provider
Introduction to ILA’s International Standards for the Professional Practice of Internal Auditing
The IIA’s International Standards for the Professional Practice of Internal Auditing (the “Standards”) talks about maintaining an effective internal audit activity ( Standard 2070 – External Service Provider and Organizational Responsibility for Internal Auditing) when utilizing external service providers or “third-party” providers.
These services can be on a co-source or full outsource basis. Whichever situation, the IIA believes that oversight and control of the internal audit activity must be in the hands of an in-house liaison, preferably the existing internal audit function head, or an executive or senior management-level employee such as a risk officer or CFO.
However, you, as that in-house liaison, might have reasons to utilize the resources of third-party providers like the Big-4, other national firms and regional and what are referred to as “boutique” firms in your area.
Why you might want to engage external service providers for internal audit?
Reasons include they have the horsepower to get the work done that small internal shop cant in a given year; or they have the requisite knowledge garnered from repeatedly performing a specific audit over the years. Also training on new trends and exposure to regulatory bodies is a big upside.
As a writer, I have nothing negative to say about utilizing third-parties. I’ve been on both sides and know the need and the value. What I can offer is some insight into ensuring the engagement goes as smoothly as it can.
That said, I’ve provided a short bullet lists of your “rights” as the buyer.
Your rights in engaging an external internal audit service provider
You have the right to:
- Ask for a deal. Many times the focus is on the audit or year at hand. But if you can enter into a longer term arrangement you can ask for better pricing (of course you can always ask for a deal – nothing ventured nothing gained). It’s worth it for all parties to avoid the annual renewal scramble. Remember good contracts have opt-out clauses for both parties, usually with reasonable parameters.
- Get the schedule of audits you want. Don’t be afraid to push them and your organization to schedule as much of the year as you can. Again, avoid scrambling.
- Get the people assigned you think are the best. You don’t want the whole team to be green college grads.
- Call a meeting to discuss the work if there are questions or schedule re-occurring ones to ensure everyone is talking and staying in touch.
- Discuss what goes in the report and what doesn’t. You know your business and the readers of the report. If the outsourced firm thinks you are making a mistake, they will have that discussion with you.
- Get reports in the format your audience is accustomed to. This may take some finessing but it’s really all just formatting. But the third-party is there to help you so ask for the best report for you.
- Have them attend and present at your audit committee meetings – this cuts down on the chances of unanswered questions from your audit committee on their work.
- Get the work papers after the audit for your records.
- Ask them to coordinate with your external auditors on testing, specifically coverage for SOX or FDICIA – the more consistency, standardization and agreement the better.
- Ask for their help with questions. After all they are holders of a lot of knowledge. You are not alone.
You are in the driver’s seat in this relationship
A good third-party provider will work with you to ensure they are offering and delivering value-adding services and will tailor their approach and work to meet your specific needs. So, always remember that you are in the driver’s seat to ensure you are getting the most from the third-party relationship.