New report finds effective communication, supervision are keys to make third-party audits work

Companies are increasingly turning to outside service providers to help out with their internal audit activities, especially when it comes to specialized work, according to a recent report.

An annual survey of global internal audit professionals finds that, on average, one in three corporate internal audit departments worldwide outsource some of that work to third-party services. And North American companies have the highest rate of using third parties for internal audits, with 56 percent of responding firms relying on outside services.

In partnership with the Institute of Internal Auditors Research Foundation (IIARF), Dereck Barr-Pulliam, an assistant professor of accounting and information systems at the University of Wisconsin-Madison's Wisconsin School of Business, examined data from the IIARF's 2015 Common Body of Knowledge survey to measure the use of third parties for internal audits and evaluate best practices.

"The purpose of this report was to determine who uses third parties for internal audit activity, what services the third parties provide, and how to properly engage and supervise those service providers," says Barr-Pulliam of the Wisconsin School of Business.

Barr-Pulliam also broke down the numbers by industry sector and discovered that financial companies, publicly traded organizations (non-financial sector), and not-for-profits were the most likely to use third parties for internal audit activities.

"Internal audits are an essential tool for companies to evaluate how they are functioning and to take a deep dive into such areas as operations, governance, and compliance," says Barr-Pulliam. "Chief audit executives may not have enough staff to do all that work or may be missing a particular skill set on their team, so many outsource these aspects of their audit function."

The 2002 passage of the Sarbanes-Oxley Act led to a significant increase in the number of public and private U.S. companies with an in-house internal audit function. But prior research by the IIARF and other academics has found that the size, quality, and expertise of those internal audit functions vary significantly and sometimes make it necessary to outsource some of the work to ensure the annual audit plan is completed and to ensure the internal audit function can respond to emerging risks within the company.

Barr-Pulliam found that some large companies turn to third-party service providers when a certain specialization is needed—such as the need to examine pension liabilities on a periodic basis or to provide language skills to work with a particular office in a multinational corporation. At the same time, smaller companies may lack sufficient expertise in-house to fully perform internal audit functions, so they may rely more heavily on third-party service providers.

In addition to the quantitative data provided by the survey, Barr-Pulliam interviewed chief audit executives, third-party service providers, and audit committee members to corroborate the findings and identify best practices for effectively managing relationships with third parties.

"Asking the right questions up front is essential to building a strong relationship with a third-party service provider," says Barr-Pulliam. "It is also critically important for chief audit executives to do their due diligence in engaging that party and to make sure their skill set and prior experience is a good match for the work that needs to be done."

Among the best practices Barr-Pulliam identifies in his research is the role of the chief audit executive. As the chief audit executive is ultimately responsible for all internal audit activity, including the work of a third-party service provider, it is essential for that person to:

have a sufficient understanding of the objectives the service provider will fulfill;communicate and document those objectives during the engagement process; provide adequate supervision to the service provider to ensure objectives are met; andclearly delineate which party is responsible for remediation and follow-up on issues noted in the third party's report of findings.

The full report, "Engaging Third Parties for Internal Audit Activities," by Dereck Barr-Pulliam can be found here.