Examples of Arrangements
An outsourcing arrangement is a contract between the institution and an audit services firm to provide internal audit services. Outsourcing arrangements take many forms and are used by institutions of all sizes. The services under contract can be as limited as assisting internal audit staff with an assignment in which they lack expertise. This type of arrangement would typically fall under the control of the institution's internal audit manager, to whom the audit provider would typically report.
Other outsourcing arrangements may call for an audit provider to perform all or several parts of the internal audit work. Under these types of arrangements, the institution should maintain an internal audit manager and, as appropriate, internal audit staff sufficient to oversee vendor activities. The audit provider usually assists the internal audit function in determining the institution's areas of risk and the levels of risk to be reviewed, and recommends and performs audit procedures approved by the institution's internal audit manager. In addition, the outsourced audit provider should work jointly with the internal audit manager in reporting significant findings to the board or its audit committee.
Before entering into an outsourcing arrangement, the institution should perform due diligence to ensure that the audit provider has a sufficient number of qualified staff members to perform the contracted work. Because the outsourcing arrangement is a professional or personnel services contract, the institution's internal audit manager should have confidence in the competence of the staff assigned by the audit provider and receive timely notice from the vendor of any key staffing changes. Throughout the outsourcing arrangement, management should ensure that the audit provider maintains sufficient expertise to perform effectively and fulfill its contractual obligations.
When an institution enters into an outsourcing arrangement, or significantly changes the mix of internal and external resources used by internal audit, operational risk may increase. Because the arrangement could be terminated suddenly, the institution should have a contingency plan to mitigate any significant gap in audit coverage, particularly for high-risk areas. In its planning, an institution should consider possible alternatives and determine what it will do if an auditor with specialized knowledge or skills is unable to complete reviews of high-risk areas, or if an outsourcing arrangement is terminated. For example, management could maintain information about the services offered and areas of expertise, as well as contact names and phone numbers, of other firms in its geographic area that could provide internal audit assistance in specific areas or a broader range of outsourcing services.
When negotiating the outsourcing arrangement with a vendor, an institution should carefully consider its current and anticipated business risks in setting each party's internal audit responsibilities. To clearly define the institution's duties and those of the outsourcing vendor, the institution should have a written contract, often referred to as an engagement letter. In general, the contract between the institution and the audit provider may or may not be the same as the engagement letter. The contract should:
- Define the expectations and responsibilities for both parties;
- Set the scope, frequency, and cost of work to be performed by the vendor;
- Set responsibilities for providing and receiving information, such as the manner and frequency of reporting to senior management and the board about the status of contract work;
- Establish the protocol for changing the terms of the service contract, especially for expansion of audit work if significant issues are found, and stipulations for default and termination of the contract;
- State that any information pertaining to the institution must be kept confidential;
- Specify the locations of internal audit reports and the related work papers;
- Specify the period of time that vendors must maintain the work papers (if work papers are in electronic format, contracts often call for the vendor to maintain the software that allows the institution and examiners access to electronic work papers during a specified period of time);
- State that outsourced internal audit services provided by the vendor are subject to regulatory review and that examiners will be granted full and timely access to the internal audit reports and related work papers prepared by the outsourcing vendor (FDICIA Section 112 (12 USC Section 1831m(g)(3)) provides that all auditors are required to make their work papers available to bank examiners; 12 CFR 715.9(c) requires credit unions to obtain a signed audit engagement letter that includes a certification of unconditional access to the complete set of original working papers by credit union examiners);
- State that internal audit reports are the property of the institution, that the institution will be provided with any copies of the related work papers it deems necessary, and that employees authorized by the institution will have reasonable and timely access to the work papers prepared by the audit provider;
- Prescribe a process (arbitration, mediation, or other means) for resolving problems and for determining who bears the cost of consequential damages arising from errors, omissions, and negligence; and
- State that audit providers will not perform management functions, make management decisions, or act or appear to act in a capacity equivalent to that of an employee or a member of management of the institution, and will comply with professional and regulatory independence guidance.
Directors and senior management should ensure that the outsourced internal audit function is competently managed. For example, larger institutions should employ sufficient competent staff members in the internal audit department to assist the internal audit manager in overseeing the outsourcing vendor. Smaller institutions that do not employ a full-time audit manager should appoint a competent institution employee to oversee the outsourcing vendor's performance under the contract. This person should report directly to the audit committee for purposes of communicating audit issues and ideally should have no managerial responsibility for the area being audited.
Communication among the internal audit function, the audit committee, and senior management should not diminish because the institution engages an outsourcing vendor. The institution's audit manager should be involved with the audit provider in defining the audit universe and setting a risk-based IT audit schedule. The audit provider should appropriately document all work and promptly report all control weaknesses found during the audit to the institution's internal audit manager.
The outsourcing vendor should work with the internal audit manager to mutually determine what audit findings are significant and should be emphasized when reported to the board and its audit committee. The concept of materiality as the term is used in financial statement audits is not necessarily a good indicator of which control weaknesses to report. For example, reportable weaknesses could affect the institution's reputation or compliance with laws and regulations without a direct impact on the financial statements.