Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
2 September 2016

Outsourcing the IT Systems Audit: Why Not?

numbers-tunnel-350.jpgOutsourcing part of a company’s Internal Audit function is a practice which has become increasingly common over the last few years, particularly in the area of IT audits. As technology continues to evolve at pace it is extremely difficult for Internal Audit departments to find, let alone retain, staff with the required specialist skills to keep up with this rate of change. In addition, they aren’t able to invest the necessary time and money to keep these specialists up-to-date with current technology.

As a result, some Internal Audit departments look to acquire these technical skills via outsourced or “co-sourced” services from 3rd party service providers, in order to supplement their core skills as required. Although this model can present a very different way of working compared to more traditional methods, several benefits can be obtained from this kind of professional relationship, such as:

  • IT risks and controls gain more focus during audits, which is crucial as they provide the bedrock for a sound internal control environment
  • A “bottom-up” approach to audits is enabled, whereby the reliability of system-based controls can be established based on a review of IT general controls
  • The experience gained from similar customers allows benchmarking activities to be performed
  • Improvements to the quality and value of system audits
  • Internal resources can be used more appropriately to focus on their areas of expertise

However, outsourcing the IT systems audit comes with just as many, if not more challenges which need to be managed sufficiently to enable companies to reap these worthwhile benefits, including:

  • Companies want the flexibility to use these specialist skills as required, but more flexible contract terms can lead to a reduction in consistency when comparing individual auditors. In addition, client-specific knowledge gained during previous engagements is lost, and the level of expertise presented by differrent individuals is likely to vary
  • Observations and risks resulting from these external 3rd party reviews need to be fully understood by the recipient party in this relationship, otherwise a fully integrated audit will not be achievable
  • The Internal Audit Manager has to manage resources they don’t have day-to-day control over
  • The knowledge gap for internal resources becomes worse, such that companies have insufficient resources to monitor, identify and raise any problems other than high-level IT control-related issues as they appear, and instead are forced to wait for scheduled external resources

In summary, outsourced systems audits can be a highly beneficial arrangement for Internal Audit functions of a limited size and/or without the necessary in-house skills. However, these types of audits come with a unique set of challenges which need to be fully understood from the outset so as to make the relationship, and the subsequent audits, successful overall.

Turnkeys Guide to Preventing and Managing Fraud