Outsourcing: a vulnerability checklist – internal audit outsourcing
Worried about being outsourced? Take our quiz to see just how concerned you should be.
Almost everyone agrees that internal audit outsourcing is a trend that won’t be disappearing anytime soon. As the traditional revenue streams of external audit firms are continually squeezed, internal audit outsourcing has become a promising source of new income. In fact, some firms have used the traditional year-end audit service as a loss leader, hoping to recover fees and increase profit margins by adding consulting services.
The top accounting firms are not alone in these initiatives; large regional firms are aggressively seeking internal audit work, as well. I recently received calls from two regional firms offering to augment my scarce resources with their own staff. Although I politely declined, I wondered what my boss would have said had they called him.
Outsourcing is, after all, a valid business strategy, and many internal audit organizations are ripe for takeover. Sure, conflict of interest concerns, economies of scale, in-depth knowledge of company operations, and above all, responsiveness to management, are benefits that a competent internal audit department can use to their advantage. But the opportunity to significantly reduce costs while maintaining quality is attractive. If internal audit services are not being provided in a timely, efficient manner; if customer dissatisfaction is high; if costs are extreme; and if continuous improvement is not a departmental goal, then the internal audit department should be outsourced.
If your CFO or CEO is even considering outsourcing the internal audit department, your function is probably not adding value to the organization. That’s the bottom line. Now may be the time for you to take a step back and honestly evaluate your internal audit operation to determine whether or not you’re a candidate for outsourcing.
After I received the calls I mentioned previously, I asked myself and my staff several questions regarding our audit services. As a result, we developed the outsourcing self-assessment on the next page and incorporated it into our departmental standards. Every six months we take the self-assessment quiz to determine where we stand. How vulnerable are you?
1 HOW MUCH DOES YOUR DEPARTMENT COST?
The answer to this question goes beyond simple budget figures to the opportunity your department has to slash overhead. Yesterday’s empire builders have become today’s excess baggage.
What percentage of your total staff is involved in non-audit work? More subtly, but more importantly, what percentage of time does your audit staff devote to non-audit, administrative work? If you’re pushing 20 percent, you might be okay; but a higher percentage should send up a red flag. Look at your support staff. How many secretaries, administrative assistants, and LAN administrators do you employ? How much space does your department occupy? The less, the better.
2 HOW MUCH TRAINING HAS YOUR STAFF RECEIVED IN THE PAST YEAR?
Too often, audit staff, including senior audit executives, do not receive enough training to stay current. Every staff member should receive at least 20 hours a year.
3 HOW FAMILIAR IS YOUR STAFF WITH THE ORGANIZATION’S TECHNOLOGY AND BUSINESS?
Take a look at your organization’s business and technological environment. Has your company added a new product or service in the last year? Do you have the expertise to audit it? More to the outsourcing point, does your staff have the ability to perform quality audits of your organization’s technology platforms? A “no” answer to either of these questions can indicate a potential outsourcing opportunity.
4 HOW MANY NEW, FIRST-YEAR AUDITS HAVE YOU DONE IN THE PAST 18 MONTHS?
If your audit plan has not expanded to provide for audits of new products, services, and technologies, you could be making yourself obsolete. Strive for at least one new audit a year.
5 WHAT PERCENTAGE OF YOUR STAFF HAS TWO CERTIFICATIONS?
That’s right, two certifications. My contention is that it is no longer adequate to have only the traditional CPA or CIA. Audit professionals, especially senior audit executives, must demonstrate a commitment to continuous learning. A technology certification or certification in the organization’s core business is mandatory. Strive for an initial 15 percent and keep it growing.
6 WHAT IS YOUR AUDIT CYCLE TIME?
On average, how long does it take to conduct an audit? Remember, this is a self-test, so be brutally realistic. Benchmark the time lapse between announcement of the audit and issuance of the final report. Analyze the components of the entire audit cycle. Review the time spent evaluating and testing versus the time expended in workpaper preparation, workpaper review, report writing, and report revision. My experience has been that the administrative “tail” of the audit can account for a significant portion of the audit cycle. The “tail” should account for no more than 20 percent of total audit time.
7 HAVE YOU SATISFIED YOUR CUSTOMERS?
This is the key question! To answer it accurately, you must first define your customers and identify their needs. Examine the corporate landscape. Line management, the audit committee, senior management, peers, external auditors, and even your organization’s customers could all be considered the customers of the internal audit department. Each may have different needs. Evaluate the effectiveness of your department in satisfying these needs. Talk, survey, poll, and notice how often management requests the services of the internal audit department. If the organization has many consultants, especially if they are external accounting firms, you may need to alter the way you do business.
8 IF THE INTERNAL AUDIT DEPARTMENT WERE YOUR OWN PRIVATE BUSINESS, WOULD YOU BE SATISFIED WITH IT?
This is a summation of your self-test. Carefully and honestly review the test results. Gauge the effectiveness of the department’s activities. Ask yourself, if your audit function were an outsourcing firm, would you market your services to a company? If your answer is less than an resounding “yes,” develop a corrective action plan with tasks, deliverables, timetables, and accountabilities.
9 HOW CAN YOU MAKE IT BETTER?
Even in the best of functions, areas of improvement can be targeted. Everything’s okay? Maybe. Look for opportunities to create an even more exceptional group, one that will add value and be seen by senior management as integral to the success of the organization.
MICHAEL LAPELOSA, CFE, CISA, is Audit Director for Group Health Inc. in New York City.
COPYRIGHT 1997 Institute of Internal Auditors, Inc.
COPYRIGHT 2004 Gale Group