Combine internal and external expertise to drive value
Internal audit teams face rising cost pressures, new priorities for risk management and regulatory compliance, and a growing demand to achieve operational efficiency while addressing evolving technical topics.
Two pivotal strategies have emerged in response: internal audit outsourcing and co-sourcing. In traditional outsourcing, internal audit work is executed by an outside company. In co-sourcing, the partner company instead provides staff and resources to work within the structure of the client.
Grant Thornton Principal, Risk Advisory Andres Castañeda emphasized the importance of internal audit teams understanding and considering these options, particularly in light of new technological demands and the challenges of hiring and retaining staff.
“In the last few years, the cost of maintaining professional wages for anyone within the internal audit function has increased between 20 percent and 40 percent,” Castañeda said. “It’s been a war for talent, especially for people with technical skill sets.”
Both outsourcing and co-sourcing offer a solution, allowing companies to quickly expand their internal audit resources and tap into new technology, expertise and specialization. However, they come with distinct differences. Outsourcing extends capabilities through external partnerships, while co-sourcing offers tailored expertise, cost-efficiency and scalability.
This article delves into the advantages of co-sourcing in particular, showing how internal audit departments can use this collaborative approach to optimize and execute their audit plan, adapt to evolving needs, and secure long-term success.
“Co-sourcing relationships allow internal audit departments to enhance and augment their capabilities while reducing the burden of maintaining and developing a group of professionals with highly specialized skills,” Castañeda said.
Internal audit departments are seeking co-sourcing partnerships to help with internal audit topics spanning from fundamental business operations to advanced areas such as cybersecurity. These partnerships combine the specialized skills of external service providers with the invaluable institutional knowledge of the client’s existing staff – a union that enhances the overall quality and effectiveness of audits.
Compared with a full outsourcing model, co-sourcing keeps the decision-making within the host organization. At the same time, co-sourcing allows the company to tap into the subject-matter expertise of external internal audit practitioners, access powerful analytics software and other tools, and freely adjust their workforce scale to meet current demands, while still leveraging and empowering their in-house teams.
“The co-sourcing model provides the best of both worlds,” Castañeda said. “You will still have people with the institutional knowledge. They're able to truly understand how the organization functions — its culture, the players. But you’re also getting people with the technical expertise, training, certifications, and proper qualifications to take that internal audit function to the next level.”
Here’s what you need to know for a successful co-sourced internal audit project.
What kind of internal audit work is being co-sourced?
Castañeda has witnessed a notable surge in demand for co-sourced audits in particular realms.
Organizations are increasingly turning to co-sourcing to strengthen their Sarbanes-Oxley Act (SOX) compliance efforts, focusing on the enhancement and documentation of business processes and IT controls. Initial public offering SOX control readiness has emerged as a critical focus area, ensuring companies have robust controls in place during acquisitions or IPOs.
Companies also are co-sourcing:
- Automation initiatives aimed at elevating operational efficiency
- Cybersecurity efforts, especially in response to new cybersecurity audits
- Location audits, particularly among organizations with a global footprint
Location audits are a prime candidate for co-sourcing because multinational and multiregional organizations sometimes struggle with diverging and fragmented internal audit processes across their geographies, not to mention language and cultural gaps. Location audits require a comprehensive skill set and a clear understanding of regulations and operations, which can be a complex task when dealing with a large corporate footprint.
A co-sourcing provider can help institute a unified and streamlined approach at each of the company’s offices. The co-sourcing partner often can tap into the knowledge of local experts while helping to apply consistent methodologies, reporting structures and communication strategies across the client’s internal audit teams. This change enables high-quality audits while freeing internal staff to focus on strategic initiatives.
Co-sourcing providers “have the knowledge and experience to handle audits across multiple locations, industries and business areas. They've successfully executed internal audit programs across different organizations and have been exposed to various technologies,” Castañeda said.
There’s one more overarching sign that a company could benefit from co-sourcing: They’re simply not able to complete the full scope of internal audit work they desire.
“Often, organizations are unable to fully execute on their audit plans,” said Grant Thornton Manager, Risk Advisory Services Albert Fiore. As a result, key business processes and emerging priorities, such as cybersecurity, may go unaudited.
“Organizations sometimes allocate resources to audits aligned with the SOX scope defined by their external auditors, which leaves limited time and resources for conducting operational audits. It is only when issues arise or when resources become available that they discover the control environment in other areas of the business or systems may not be as robust as initially assumed,” Fiore explained.
Grant Thornton Managing Director, Strategic Assurance and SOC Services Tony Roberts added: “Lately, internal audit departments have faced challenges in both attracting and retaining IT auditors possessing the essential skills and certifications required for specialized IT audits. The co-sourcing model enhances the value of internal audit departments by providing on-demand resources with the expertise to conduct specialized IT audits or contribute to internal and operational audits with intricate technical components supported by technology."
What does successful co-sourcing look like?
In most co-sourcing arrangements, the co-sourcing partner will provide dedicated staff to work within the structure of the client. These co-sourced staffers can play an advisory role, providing advice and insights about how to navigate an audit. They also can help complete the work of the audit itself. They may work from the client’s physical offices, or, of course, it may be a remote or hybrid arrangement.
“We become part of the client. It’s one team, one goal, one strategy. It’s not them and us; it’s we,” said Castañeda, emphasizing his approach. “We’re just an additional team within the company.”
But smoothly integrating those new collaborative partners requires careful planning on multiple fronts:
Preparing the workforce. The idea of bringing in outside support can lead to concern from the client’s existing internal audit staff. They may perceive a challenge to their authority, or even a threat to their jobs. Leaders must show why those fears are misplaced. The co-sourcing partner is there to help, not to replace, existing staff.
“The key element is the ‘tone at the top’ set by senior leadership,” Fiore said. “They clearly communicate to the company that the co-sourcing partners are part of the team, that they are there to assist the internal audit team, and that everyone should collaborate as the co-sourcing partners go through the process of learning the business culture and communication style.”
In this preparation phase, leadership at the client company also should solicit — and answer — employees’ questions about the new co-sourcing arrangement. They likely will want to know not just about the mechanics of the new arrangement, but about its necessity, its duration and what it means for the future of their department.
One of the most important messages: When it’s done right, co-sourcing can become an opportunity, rather than a source of worry, for the company’s staff.
“At the end of the day, internal audit teams have institutional knowledge that no service providers will be able to obtain,” Castañeda said. “On the other hand, they will be able to learn new skills, and they could increase their value to the organization, which ultimately can enhance their job security.”
Cultural alignment. Every company has subtle, and sometimes not-so-subtle, traits that define its corporate culture.
Perhaps the company has a carefully structured approach to meetings, complete with planning sessions and agendas. It may be a culture that works heavily on email, or chat, or even phone calls. Is it a company that values efficiency, or is it important to travel for face-to-face meetings? Is it taboo to send an email after 5 p.m.?
“You have to set clear expectations for communications protocols and deliverables: What are the normal practices?” Castañeda said.
As an example, he pointed to a project earlier in his career with a European company. His team sent a status update to leadership with an element marked in red — to signify that it was significantly delayed. Within two hours, the company’s global CFO was calling, deeply concerned. As it turned out, red at this company signified a fatal flaw that required leadership intervention. Orange was the color for delay.
It was an easily resolved situation — but an example, too, of how even minor omissions in the co-sourcing planning process can lead to turbulence down the road. “Really small things can have a significant impact,” Castañeda said.
Communication. The client and internal audit provider must communicate effectively throughout the engagement.
The co-sourcing partner should ask questions such as this, according to Castañeda:
- How are the client and its staff doing?
- What should the co-sourcing partner do better?
- What does the client need that the partner is not providing?
- Where can the partner add more value?
These questions can drive continuous monitoring and improvement of the arrangement, setting the stage for years of collaborative work to come.
At the same time, the client company must be ready to provide feedback to the co-sourcing partner. Leaders should be talking with the internal audit staff to learn where the engagement is working best and where it needs adjustments — and, of course, sharing that information with the co-sourcing partner.
Ultimately, the relationship can change the client company for the better.
With the power to freely expand the internal audit function and bring on new, specialized resources, the client may take on projects that once seemed out of reach. Instead of fearing replacement, an internal audit team can be empowered — to step beyond its routine roles and help the business truly prepare for the future.
Our featured risk, compliance and controls insights
No Results Found. Please search again using different keywords and/or filters.