The Companies Act 2013 mandates appointment of internal auditor by every listed company; every unlisted company having paid up share capital of fifty crore rupees or more, or turnover of two hundred crore rupees or more, or outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees, or outstanding deposits of twenty five crore rupees or more; and every private company having turnover of two hundred crore rupees or more, or outstanding loans or borrowings from banks or public financial institutions exceeding one hundred crore rupees. Earlier, statutory auditor was required to report the adequacy and effectiveness of internal audit.
The statutory recognition that internal audit is an important monitoring and assurance service for improving corporate governance is a milestone in the evolution of internal audit. The profession is in the process of transition from ‘service to the management’ to ‘service to the Board’. In order to serve the Board of companies, which are operating in VUCA (Volatility, Uncertainty, Complexity, Ambiguity) environment and/or exploring digital business model and automation, the internal audit function must acquire variety of specialised skills. New skills are also required to conduct higher level of audit (management audit) as a service the Board. In order to address this challenge, co-sourcing has emerged as the most preferred model. The Companies Act 2013 permits outsourcing of internal audit. It stipulates that the internal auditor may or may not be an employee of the company. It further stipulates that the Board shall decide to appoint a chartered accountant or a cost accountant or any other professional as internal auditor.
Co-sourcing is a low-cost model for acquiring the required capabilities. For example, traditionally, companies outsource IT audit because it is costly to keep the knowledge updated on the face of rapid technological changes, consistently evolving IT applications and emerging cyber-risks and also because of difficulties in providing opportunities of learning by doing. Another reason for co-sourcing is that companies find it cheaper to appoint local professionals to audit activities/functions in dispersed locations.
Outsourcing poses various challenges. Setting up a good contracting arrangement is important. Expected standard of service should be well articulated to enable the in-house team to monitor the same. There should be clarity about contract termination and the in-house team should ensure that it has access to working papers and documents even after the termination of the contract. It is also important to manage differences in the working practices used by outsourcing service providers and the policies and norms followed by the in-house team. Therefore, co-sourcing is effective only if the in-house internal audit team is strong and efficient.
Outsourcing complete internal audit with skeleton in-house team is not a good idea. One disadvantage is that if the in-house team is not constituted of senior-level executives, contract management might fail. Moreover, in-house team is best bet for financial and operation/process audit, as those audits requires in-depth knowledge of the internal environment and business processes. Similarly, strategy audit and audit of change initiatives cannot be left to an external agency due to confidentiality concerns. Complete outsourcing makes it difficult to integrate all assurance services, as the outsourced service providers lack incentives for coordinating with other assurance services. It also deprives the company of ‘add on’ services, like consultancy and training, which are provided by the in-house internal audit team.
Internal audit serves the Board effectively only if it is independent of management. It is the ‘third line of defence’ because other assurance services are not independent of the management. In order to protect the independence of internal audit, outsourcing decisions should be taken by the audit committee.
Co-sourcing of internal audit is like any other strategic decision. It requires answering question such as which capabilities to be outsourced and why; and whether all capabilities should be outsourced from a single source. It is the audit committee’s responsibility to choose correctly the capabilities to be outsourced and those to be kept in-house. The audit committee should select the outsourcing service providers and get engaged with them throughout the audit process. For example, the audit committee should discuss with the service provider the audit methodology and the draft report. The chairman of the audit committee should receive the final report directly.
The management has an inherent temptation to filter audit reports before submitting those to the audit committee. This is a possibility of which the audit committee should always be alert regardless of the level of trust it share with the management.