Booklet: Audit
Section: Outsourcing Internal IT Audit
Action Summary
In addressing quality and resource issues, many institutions engage independent public accounting firms and other outside professionals to perform work that has been traditionally carried out by internal auditors. These arrangements are often called “internal audit outsourcing,” “internal audit assistance,” “audit co-sourcing,” or “extended audit services.”
Outsourcing such audit services may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. To do this, management should ensure that there are no conflicts of interest and that the use of these services does not compromise independence. Potential conflicts of interest may arise if the outsourced auditing firm performs IT audit functions in addition to other audit services, such as providing the independent financial statement audit, or serving in an IT or management consulting capacity. The board of directors of an institution remains responsible for ensuring that the outsourced internal audit function operates effectively and complies with all regulations governing such arrangements.
Examiners should assess whether the structure, scope, and management of an internal audit outsourcing arrangement are adequate to evaluate the institution's system of internal controls. They should also determine whether directors and senior managers have fulfilled their responsibilities for maintaining an effective system of internal controls and for overseeing the internal audit function in an outsourced internal audit environment.
Additional detailed guidance on the structure, independence, and sound practices concerning the use of outsourcing audit providers is available in the “Interagency Policy Statement on the Internal Audit Function and Its Outsourcing.”
INDEPENDENCE OF THE EXTERNAL AUDITOR PROVIDING INTERNAL AUDIT SERVICES
It is important that examiners ensure that management has designed any outsourcing arrangements in order to maintain the independence of the audit provider. An accounting firm hired to perform internal audit services for an institution risks compromising its independence when it also performs the external audit for the institution. Concerns arise because, rather than having an independent review, the responsibility of performing outsourced internal audits places the accounting firm in the position of auditing its own work. For example, in designing procedures to audit an institution’s financial statements, the accounting firm considers the extent to which it may rely on the institution’s internal control system, including the internal audit function.
The Sarbanes-Oxley Act of 2002 specifically prohibits a registered public accounting firm from performing certain non-audit services for a public company client for whom it performs financial statement audits. Among those prohibited non-audit services are internal audit outsourcing services and financial information system design and implementation. Under rules adopted by the Securities and Exchange Commission, this prohibition generally became effective on May 6, 2003, although a one-year transition period was provided for contractual arrangements in place as of that date. Under Section 36 of the Federal Deposit Insurance Act and its implementing regulation and guidelines, FDIC-insured depository institutions with total assets of $500 million or more are required to be audited annually. The guidelines require these institutions, whether or not they are public companies, and their external auditors to comply with the SEC’s auditor independence requirements. Other non-public institutions are encouraged to have their financial statements audited and to follow the Sarbanes-Oxley Act’s prohibition on outsourcing internal audit to their external auditor. However, there are circumstances in which these institutions can use the same accounting firm for both external and internal audit work.
EXAMPLES OF ARRANGEMENTS
An outsourcing arrangement is a contract between the institution and an audit services firm to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. The services under contract can be as limited as assisting internal audit staff with an assignment in which they lack expertise. This type of arrangement would typically fall under the control of the institution's internal audit manager, to whom the audit provider would typically report.
Other outsourcing arrangements may call for an audit provider to perform all or several parts of the internal audit work. Under these types of arrangements, the institution should maintain an internal audit manager and, as appropriate, internal audit staff sufficient to oversee vendor activities. The audit provider usually assists the internal audit function in determining the institution’s areas of risk and the levels of risk to be reviewed, and recommends and performs audit procedures approved by the institution’s internal audit manager. In addition, the outsourced audit provider should work jointly with the internal audit manager in reporting significant findings to the board or its audit committee.
Before entering into an outsourcing arrangement, the institution should perform due diligence to ensure that the audit provider has a sufficient number of qualified staff members to perform the contracted work. Because the outsourcing arrangement is a professional or personnel services contract, the institution's internal audit manager should have confidence in the competence of the staff assigned by the audit provider and receive timely notice from the vendor of any key staffing changes. Throughout the outsourcing arrangement, management should ensure that the audit provider maintains sufficient expertise to perform effectively and fulfill its contractual obligations.
When an institution enters into an outsourcing arrangement, or significantly changes the mix of internal and external resources used by internal audit, operational risk may increase. Because the arrangement could be terminated suddenly, the institution should have a contingency plan to mitigate any significant gap in audit coverage, particularly for high-risk areas. In its planning, an institution should consider possible alternatives and determine what it will do if an auditor with specialized knowledge or skills is unable to complete reviews of high-risk areas, or if an outsourcing arrangement is terminated. For example, management could maintain information about the services offered and areas of expertise, as well as contact names and phone numbers, of other firms in its geographic area that could provide internal audit assistance in specific areas or a broader range of outsourcing services.
When negotiating the outsourcing arrangement with a vendor, an institution should carefully consider its current and anticipated business risks in setting each party's internal audit responsibilities. To clearly define the institution’s duties and those of the outsourcing vendor, the institution should have a written contract, often referred to as an engagement letter.
The contract should:
- Define the expectations and responsibilities for both parties;
- Set the scope, frequency, and cost of work to be performed by the vendor;
- Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and the board about the status of contract work;
- Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
- State that any information pertaining to the institution must be kept confidential;
- Specify the locations of internal audit reports and the related work papers;
- Specify the period of time that vendors must maintain the work papers;
- State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers prepared by the outsourcing vendor;
- State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the audit provider;
- Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
- State that audit providers will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of an employee or a member of management of the institution, and will comply with professional and regulatory independence guidance.
Directors and senior management should ensure that the outsourced internal audit function is competently managed. For example, larger institutions should employ sufficient competent staff members in the internal audit department to assist the internal audit manager in overseeing the outsourcing vendor. Smaller institutions that do not employ a full-time audit manager should appoint a competent institution employee to oversee the outsourcing vendor’s performance under the contract. This person should report directly to the audit committee for purposes of communicating audit issues and ideally should have no managerial responsibility for the area being audited.
Communication among the internal audit function, the audit committee, and senior management should not diminish because the institution engages an outsourcing vendor. The institution’s audit manager should be involved with the audit provider in defining the audit universe and setting a risk-based IT audit schedule. The audit provider should appropriately document all work and promptly report all control weaknesses found during the audit to the institution's internal audit manager.
The outsourcing vendor should work with the internal audit manager to mutually determine which audit findings are significant and should be emphasized when reported to the board and its audit committee. The concept of materiality, as the term is used in financial statement audits, is not necessarily a good indicator of which control weaknesses to report. For example, reportable weaknesses could affect the institution’s reputation or compliance with laws and regulations without a direct impact on the financial statements.