The last section has focused on outsourcing connected with the work done by external auditors and some other service providers such as IT firms. To conclude this discussion we should also consider outsourcing arrangements for internal auditing chores, which are not the darlings of regulators or of major commercial bankers but might be necessary for smaller outfits. Such arrangements are often called 'internal audit assistance' or 'extended audit services'. Those who like them say that they might be beneficial to an institution if internal auditing outsourcing is:
• Properly structured
• Carefully conducted
• Prudently managed and
• Its final responsibility rests with the board.
Because all these four prerequisites are rarely fulfilled, bank supervision agencies are concerned that the structure, scope, and management of internal audit outsourcing schemes does not contribute to the institution's safety and soundness. Therefore, the supervisors want to ensure that arrangements with an outsourcing vendors do not leave directors and senior managers with the impression that they have been relieved of their responsibility for:
• Reliable financial reporting and accounting reconciliation
• Maintaining an effective system of internal control and
• Overseeing the internal audit function of their company.
In to its fundamentals, an outsourcing arrangement of the type under discussion is a contract between the bank and a third party, a vendor which contracts to provide what should have been internal auditing services. One of the reasons why it is difficult to clearly state the 'do's' and 'don'ts' with regard to internal auditing outsourcing arrangements is that they take many forms:
• The contracted services can be limited to helping internal audit staff in an assignment for which they lack expertise.
Limited outsourcing approaches are typically under the control of the institution's management of internal auditing. In these cases, the
The Contribution of External Auditors 331 outsourcing vendor, typically a firm of chartered accountants, reports to the internal auditing director.
• But outsourcing arrangements may also require an outsourcing vendor to perform virtually all internal audit work.
When this is the case, the bank should maintain a manager of internal auditing with a small internal staff. The outsourcer assists this staff in determining risks to be reviewed; recommends and performs auditing procedures as approved by the internal auditing manager; and reports its findings jointly with the internal audit manager to either the full board or its audit committee.
To help bank management appreciate its responsibilities, the US regulatory agencies have set out some characteristics of sound practices for the internal auditing function, in connection with the use of outsourcing vendors for audit activities. In addition, the regulators provide guidance on how these outsourcing arrangements may affect the Fed's examiners assessment of internal control.
For instance, if the examiner's evaluation of a given outsourcing scheme indicates that the outsourcing arrangement has diminished the quality of the institution's internal audit function, he will adjust the scope of his examination by making more rigorous. He will also:
• Bring that matter to the attention of senior management and the board of directors and
• Incorporate it in the rating he gives to the institution's management.
If I can make a contribution to this process it will be by suggesting the use of confidence intervals connected to a rating scale. It is always a great assistance to decision-making to be able to see a trend and also account for the fact that since any evaluation contains subjective elements there is, for example, a 95 per cent confidence interval connected to the trend line.
This is shown in Figure 13.4, which reflects the rating of an internal control service through answers provided to a questionnaire, and the two 95 per cent thresholds computed on the basis of variance in opinions (A sort of modified Delphi method (Chorafas, 2000c).) The careful reader will observe that the trend line is improving over time, but rather slowly. While it starts with a rating below 70 per cent, successive evaluations reach about 85 per cent in the rating scale, but only after a regulatory long period of time. Alternatively we can use quality control charts by variables and by attributes' such as those already discussed.
QUALITY RATING
90 85 H 80 75
70 65 6 0 4
95 PER CENT THRESHOLD
ASSIGNED RATING
95 PER CENT THRESHOLD
TIME
Figure 13.4 Rating the quality of internal auditing and/or outsourced services using confidence intervals
The Contribution of External Auditors 333 The use of quality control charts will fit well with current practice by the Fed that when an examiner's initial review of an outsourcing arrangement raises doubts about the external auditor's independence, he would ask the institution and the external auditor to demonstrate that the arrangement has not compromised the auditor's independence. If the examiner's concerns are not adequately addressed, then the regulatory agency follows up.
Let's always keep in mind that when outsourcing internal auditing functions the accountability of the board, the CEO, and senior management is being engaged. Central to top management's responsibility is the fact that when outsourcers provide internal audit services, the board of directors and senior executives of the bank must sign their report and assume personal responsibility for its contents. Therefore, when negotiating the outsourcing arrangement with a vendor, an institution should:
• Set out in clear terms the scope, frequency, and content accountability of the work to be performed
• Establish the system of reporting to senior management and directors about the contracted work and
• Elaborate the protocol for changing the terms of a service contract, if significant issues are being raised.
In any company, internal rules and regulations should see to it that all work by the outsourcing vendor is well documented and all findings of control weaknesses are promptly reported to the institution's board or auditing committee. Furthermore, prior to entering an outsourcing arrangement the institution should perform enough due diligence to satisfy itself that the outsourcer has sufficient staff qualified to perform the contracted work.
Because an outsourcing arrangement is a personal services contract, the institution's internal audit manager should have confidence in the competence of the staff assigned by the outsourcing vendor, and receive prior notice of staffing changes. In spite of this, it should be appreciated that when an institution enters into an outsourcing arrangement (or significantly changes the mix of internal and external resources used by internal auditing), it increases its operating risk.
Finally, because the arrangement might be suddenly terminated, a company should have a contingency plan to mitigate any significant discontinuity in audit coverage, particularly for high-risk areas. Planning for a successor to the prospective outsourcer should be part of negotiating the hitter's service contract. Contingency planning, however, goes further
334 Case Studies on Implementation
than that. It requires that the bank has on hand a skeleton of internal resources able to track the outsourced functions - as outlined in the opening paragraphs of this section.