A solid internal audit program is one of the most effective tools a bank has to inspire confidence — among directors, investors, regulators, and other stakeholders — in its financial processes and reporting practices. Many banks outsource the internal audit function, in whole or in part, to take advantage of external auditors’ special skills and independence, address internal staffing shortages, and control costs. Here are some factors to consider when deciding whether to outsource this function.
Advantages of outsourcing
First and foremost, by outsourcing the internal audit, a community bank can tap a level of skill and expertise — critical in the highly regulated banking industry — that may be difficult to find or too expensive to maintain in-house. Access to this expertise is particularly beneficial for banks in smaller communities and those that want to expand their product or service offerings or enter new markets. External auditors may also have access to more sophisticated software or other audit tools that would otherwise be cost-prohibitive for a community bank.
Second, in the wake of the COVID-19 pandemic, many businesses, including banks, are facing severe labor shortages. Outsourcing the internal audit function allows them to focus on filling core positions.
Third, outsourcing can help a bank control costs. It allows the bank to set an internal audit budget that meets its needs and design a program that has more flexibility. The bank avoids the fixed labor and overhead costs associated with an internal audit staff, and it can adjust the use of outside consultants as its internal audit needs fluctuate or special projects arise.
Finally, outsourcing can help enhance auditor independence. In-house auditors who develop relationships with other bank staff may lose some objectivity — or at least the appearance of objectivity. Outsourcing also facilitates the rotation of internal auditors, something that’s difficult to do in-house.
Disadvantages of outsourcing
One potential downside is that outside consultants generally lack an insider’s in-depth knowledge about the bank’s operations, particularly when outsourced auditors are rotated frequently. The resulting learning curve may reduce the cost-effectiveness of an outsourced audit. To overcome this obstacle, some community banks outsource the internal audit function to their external auditors. Although doing so is permissible under specific circumstances, a bank should consider the potential impact on the external auditor’s independence before taking this approach.
Also, outsourcing arrangements require meticulous planning and monitoring, including a comprehensive engagement letter and regular communication. It’s critical to ensure that the parties are on the same page regarding the auditing firm’s activities, the scope of the audit and the advice provided by the auditor.
Outsourcing vs. co-sourcing
Co-sourcing can be an attractive alternative to fully outsourcing the internal audit function. As the name suggests, it involves splitting internal audit activities between internal and external auditors. This approach can take many forms, depending on the bank’s needs. A short-staffed bank might use outside auditors to supplement its staff and share various auditing tasks and responsibilities.
Co-sourcing also can be a good strategy if a bank’s internal audit staff lacks certain specialized skills. For example, if in-house staff isn’t equipped to perform specialized audits — such as information technology or Bank Secrecy Act/Anti-Money Laundering (BSA/AML) audits — the bank might engage an outside auditor to conduct those audits while its internal staff focuses on areas within its skill set.
A powerful tool
A well-designed internal audit program can be a powerful tool for evaluating a bank’s internal controls, processes, and procedures. Internal auditors also can recommend improvements and share their findings with the bank’s board of directors and other stakeholders. Whether conducted in-house, outsourced or co-sourced, an internal audit provides an opportunity for a fresh look at a bank’s operations by auditors who are independent from management.
Sidebar: Managing third-party risk
For banks that outsource or co-source the internal audit function, it’s important to recognize that doing so doesn’t absolve the bank’s board or management from responsibility for the internal audit. Outsourcing also doesn’t relieve the bank from liability for compliance or consumer protection issues associated with outsourced activities.
Before you enter an outsourcing relationship, review the federal banking regulators’ guidance on managing third-party risk, including the Office of the Comptroller of the Currency’s “Interagency Policy Statement on the Internal Audit Function and its Outsourcing.” Failure to properly manage this risk can result in financial loss and regulatory action. It can also jeopardize your bank’s reputation.
Among other things, a bank should:
- Conduct a risk assessment to weigh the benefits and risks, including service provider risk, of outsourcing the internal audit.
- Exercise due diligence in vetting the provider — including an examination of its background, reputation, financial condition, internal controls, disaster recovery plans, and business continuity plans.
- Be sure that the contract or engagement letter clearly spells out each party’s rights and responsibilities. (For example, it should provide details on performance benchmarks, information sharing, audit rights, compliance, confidentiality, and indemnification.)
- Monitor the provider’s performance and compliance with contract terms throughout the life of the arrangement.
- Have a contingency plan in place in the event there are any disruptions in service.