Outsourcing the IT Systems Audit: Why Not?

Outsourcing part of a company’s Internal Audit function is a practice which has become increasingly common over the last few years, particularly in the area of IT audits. As technology continues to evolve at pace it is extremely difficult for Internal Audit departments to find, let alone retain, staff with the required specialist skills to keep up with this rate of change. In addition, they aren’t able to invest the necessary time and money to keep these specialists up-to-date with current technology.

As a result, some Internal Audit departments look to acquire these technical skills via outsourced or “co-sourced” services from 3rd party service providers, in order to supplement their core skills as required. Although this model can present a very different way of working compared to more traditional methods, several benefits can be obtained from this kind of professional relationship, such as:

• IT risks and controls gain more focus during audits, which is crucial as they provide the bedrock for a sound internal control environment
• A “bottom-up” approach to audits is enabled, whereby the reliability of system-based controls can be established based on a review of IT general controls
• The experience gained from similar customers allows benchmarking activities to be performed
• Improvements to the quality and value of system audits
• Internal resources can be used more appropriately to focus on their areas of expertise

However, outsourcing the IT systems audit comes with just as many, if not more challenges which need to be managed sufficiently to enable companies to reap these worthwhile benefits, including:

• Companies want the flexibility to use these specialist skills as required, but more flexible contract terms can lead to a reduction in consistency when comparing individual auditors. In addition, client-specific knowledge gained during previous engagements is lost, and the level of expertise presented by differrent individuals is likely to vary
• Observations and risks resulting from these external 3rd party reviews need to be fully understood by the recipient party in this relationship, otherwise a fully integrated audit will not be achievable
• The Internal Audit Manager has to manage resources they don’t have day-to-day control over
• The knowledge gap for internal resources becomes worse, such that companies have insufficient resources to monitor, identify and raise any problems other than high-level IT control-related issues as they appear, and instead are forced to wait for scheduled external resources

In summary, outsourced systems audits can be a highly beneficial arrangement for Internal Audit functions of a limited size and/or without the necessary in-house skills. However, these types of audits come with a unique set of challenges which need to be fully understood from the outset so as to make the relationship, and the subsequent audits, successful overall.