Outsourcing Internal IT Audit
The board of directors of an institution that outsources its internal IT audit function should ensure that the structure, scope, and management of the outsourcing arrangement provides for an adequate evaluation of the system of internal controls.
In addressing quality and resource issues, many institutions engage independent public accounting firms and other outside professionals to perform work that has been traditionally carried out by internal auditors. These arrangements are often called "internal audit outsourcing," "internal audit assistance," "audit co-sourcing," or "extended audit services."
Outsourcing such audit services may be beneficial to an institution if it is properly structured, carefully conducted, and prudently managed. To do this, management should ensure that there are no conflicts of interest and that the use of these services does not compromise independence. Potential conflicts of interest may arise if the outsourced auditing firm performs IT audit functions in addition to other audit services, such as providing the independent financial statement, or serving in an IT or management consulting capacity. The board of directors of an institution remains responsible for ensuring that the outsourced internal audit function operates effectively and complies with all regulations governing such arrangements.
Examiners should assess whether the structure, scope, and management of an internal audit outsourcing arrangement adequately evaluate the institution's system of internal controls. They should also determine whether or not directors and senior managers have fulfilled their responsibilities for maintaining an effective system of internal controls and for overseeing the internal audit function in an outsourced internal audit environment.
Additional detailed guidance on the structure, independence, and sound practices concerning the use of outsourcing audit providers is available in the "Interagency Policy Statement on the Internal Audit Function and Its Outsourcing."
Audit Participation in Application Development, Acquisition, Conversions, and Testing
Independence of the External Auditor Providing Internal Audit Services