Outsourcing the Internal Audit Function
Although banking regulations allow for the outsourcing of the internal audit function, the
decision to do so should be considered carefully. Most importantly, management and the Audit
Committee of the Board of Directors must recognize that a trained person is needed within the
financial institution to be responsible for the internal audit function. This person must
coordinate the outsourced audits with management and the audit committee and be
responsible for ensuring the quality and completeness of all audits.
Because internal auditing is such a critical function within a financial institution, and in light of
the need for an internal auditor to be responsible for all outsourced audits, this paper describes
the process to follow to obtain and review proposals for outsourced audit services.
Evaluating Proposals For Outsourced Internal Audit Services
Typically, the most significant problem with outsourcing the internal audit function is the
quality and experience level of the people performing the work. The staff members performing
the audit work are often junior-level employees with little knowledge of banking and the
institution’s operations. Consequently, the institution’s management staff spends a lot of time
answering seemingly needless questions and training these people.
Some questions that prospective audit firms might be asked during the interview process, after
they have submitted a response to the RFP, include:
1. How does the firm assess risk throughout the institution? (e.g., Does it perform
interviews with management and document operations, procedures, controls, etc., as
part of its risk assessment and prior to crafting the audit scope and specific audit
procedures?) Have the firm explain how and what it typically sees as the areas of
greatest risk in an institution similar to your own.
2. To what extent does the firm’s assessment of risk affect the scope of individual area
audits and the specific audit procedures to be employed?
3. How do the results of their work affect the scope during an audit? For example, if they
find problems, do they expand the scope?
4. To what degree do they test compliance with institution policies and banking laws and
regulations? It is important that they explain the level of detail of their compliance
testing. How do they determine and select the sample size (e.g., judgmental, random,
statistical)?
5. To what degree do they provide cost savings or earnings improvement
recommendations regarding operations, procedures, and practices of the institution?
6. Who will be assigned to the audit, and what is his or her background and prior financial
institution audit experience? This is a crucial issue, because many firms bait-and-switch,
with the partner or manager selling the engagement but actually spending relatively
little time at the institution. Instead, junior employees with little experience perform the
bulk of the work. Don’t accept recent college graduates working on their CPAs, no
matter how experienced the management team is.
7. How do they coordinate their work at the institution, with whom, and how often? Do
they utilize financial institution resources to complete audit work (e.g., prepare
schedules)? To what extent is this done? How do they verify the quality of this work?
8. Based on the data processing arrangements at the institution (i.e., outsourced versus in-
house), how will the firm approach auditing data processing? What types of testing of
systems, applications, controls, and procedures will they perform?
9. How will they present their work or results? How often? To whom?
10. How often will they meet with the Board and/or Audit Committee?
11. Will their documentation be available for inspection by the financial institution? Not just
the reports, but the audit programs, schedules, test work, memoranda, etc.? If not,
why? Challenge the argument that “It’s our property.” How else will management and
the directors be able to evaluate the completeness and effectiveness of the firm’s work
if they cannot see the work?
12. Who owns the “product” (i.e., questionnaires, audit programs, permanent work paper
files, etc.), and where will the I/A files be kept, including audit programs, audit work
papers, etc.? The institution may want to bring the audit function in-house in the future,
and this information will have value in that case.