Online Exclusive: Finding the Right Match

Cosourcing is similar to outsourcing, yet it has a unique advantage. While external partners take full charge in outsourcing arrangements, cosourcing allows the organization to have control over final decisions.

This approach also encourages greater interaction between internal audit and the service provider. “With cosourcing, the process is more collaborative,” says Uday Gulvadi, managing director at global investment bank and advisory firm Stout in New York.

However, despite its benefits, choosing a cosourcing partner from among the many potential providers can be daunting. Experts say asking the right questions can help CAEs select a partner that best fits internal audit’s needs.

Why Partner?

For many internal audit functions, cosourcing has become essential to address today’s complex risks, particularly in the financial services sector. Choosing to work with an expert provider isn’t just a backup plan for departments with limited resources or experience — it provides many benefits, according to a Grant Thornton article, “Unlock Internal Audit’s Full Potential Through Co-sourcing.”

Maximize Risk Coverage and Efficiency. External providers can bring expertise to address highly technical risks such as cybersecurity and artificial intelligence (AI). Andres Castañeda, principal, Risk Advisory, with Grant Thornton, says cosourcing enables internal audit functions “to enhance and augment their capabilities while reducing the burden of maintaining and developing a group of professionals with highly specialized skills.”

Increase Agility. Internal audit can add cosourcing to its audit plan quickly, giving it flexibility when risks change. For example, internal audit functions often spend considerable time on audits related to the U.S. Sarbanes-Oxley Act of 2002. Because of this, they may not have enough time to focus on operational audits.

“It is only when issues arise or when resources become available that they discover the control environment in other areas of the business or systems may not be as robust as initially assumed,” notes Albert Fiore, manager, Risk Advisory Services at Grant Thornton in the article.

Add Advanced Expertise. External providers often focus on specific areas, so they stay current with the latest news and technology in their field. Even well-staffed and experienced audit teams can benefit from working with outside experts who have deep knowledge of certain risks.

“The cosourcing model provides the best of both worlds,” Castañeda explains in the article. Internal audit staff know how the organization works, while the service provider’s team brings technical skills, professional training, and certifications to enhance the function’s performance.

Build Skills. Working alongside cosourcing partners can give staff auditors hands-on experience, which they can supplement through mentoring and training programs.

Evaluate Providers

Of course, cosourcing also can bring some risks, such as an inconsistent audit approach, conflicts of interest, communication challenges, and data privacy and cybersecurity issues. To avoid these problems, CAEs should have a clear, detailed strategy for selecting the right partner.

“Many organizations will have some kind of vendor evaluation system,” Gulvadi says. “It’s almost like a point system that factors in criteria such as the number of clients and pricing. Some smaller organizations might have a more subjective analysis approach.”

CAEs should consider several elements when evaluating proposals from potential partners. They should use discussions with providers to gather information in each of these areas.

Expertise. Providers should share details about their skills and qualifications, along with examples of past work and client feedback. “The potential client needs to see the provider’s success stories with current clients,” says Baher Abdelaziz, a partner at Cairo-based advisory firm Facelift Consulting. “The most trusted message to the market is when a client comes back to you again and again.”

In talking with providers, Gulvadi says CAEs should ask:

• What organizations has the provider worked with and what industries or regions do they operate in? The latter can be particularly important, Gulvadi says. “If you are international, you want to make sure your partner has capabilities to account for that,” he says. For example, Gulvadi notes a client with a Canadian subsidiary recently asked whether Stout had expertise with Canadian anti-money laundering regulations needed to audit that risk.
• What specialized skills and certifications — such as cybersecurity, fraud, and data analytics — does the provider’s team have? According to Gulvadi, this need not be limited to what is mandatory. For example, his firm was able to show clients that it had adopted the Global Internal Audit Standards for third-party risk management before they became mandatory. “Showing we are ahead in that regard was a huge plus,” he says.
• Can the provider present relevant case studies comparable to internal audit’s needs? Many service providers are recommended through referral systems, which help validate the provider’s credibility, Gulvadi says. These systems also provide evidence that the provider has delivered successful results for similar organizations, even if the projects were different.
• Does the provider have experience with the organization’s specific regulatory risks?
• How is the provider different from its competitors?

In addition to the provider’s experience, CAEs should consider the cost of its services as well as its commitment, flexibility, and trustworthiness.

Scalability. Experience is valuable, but it is not the whole story. Cosourcing providers also should be able to show they can adapt their services to meet internal audit’s needs, experts say. What works for one organization may not work for another. This might be particularly true in the financial services sector.

For example, organizations often cosource cybersecurity audits, which for financial service firms can involve anti-money laundering controls and check and wire fraud controls, Gulvadi explains. “You’ll have to deep dive into the firm to ensure they have the specialists on hand that reflect your risk environment,” he says.

Communication, Tools, and Audit Approach. Because cosourcing is a partnership between separate teams, both parties must clearly understand how that relationship will function in practice before work begins, Abdelaziz says. “There should be a strong focus on how the parties will work together to achieve the end product,” he explains. “This is important not just for the success of the audit, but for the audit partner that is providing the team with valuable learning experiences.”

Collaboration should be a key part of the provider’s sales pitch, Gulvadi says. “Clients find the emphasis on collaboration valuable,” he notes. The firm emphasizes that clients aren’t just hiring a provider to perform a specific task. “Instead, it’s a regular engagement, complete with periodic updates and opportunities for feedback and adjustments,” he explains. “That element opens up a lot of opportunities for the audit function to improve and grow.”

Also, upon request, service providers sometimes will allow clients to keep using the firm’s tools and techniques after the engagement ends, Gulvadi adds.

In assessing how the provider collaborates with clients, CAEs should ask:

• How does the provider plan to integrate with the internal audit team? To what degree will it work collaboratively versus independently with the organization’s auditors?
• How will the provider ensure its audit approach aligns with the organization’s internal audit plan?
• What processes will the provider have in place to prevent duplication of work?
• Will the provider’s team use automation, AI, or other technologies in its audit process? If so, would these tools be available for continued use?

Focus on Value

Cosourcing is an investment that should be approached carefully. If a provider’s cost does not appear to match the value it offers, CAEs should keep searching, Abdelaziz says. “The cost needs to justify itself, especially considering cosourcing is still going to include standard internal audit staff costs,” he explains. “Value is something the cosourcing partner should make clear.”

The selection process can take time and effort. Yet, finding the right partner can greatly benefit both internal audit and the organization.