IIA training and events

Research report: Outsourcing and the role of internal audit

Tree 650x150

Our new report outlines a number of approaches in the private and public sectors to managing the risks associated with supplier relationships, including the practices of internal audit functions.

As part of the report we learned about the approach towards auditing contracts taken by the BBC, EDF Energy, Crossrail, Ministry of Justice and the Home Office.

Download the full report (pdf)

Read the board briefing


Executive summary


Outsourcing the service does not outsource the risk

Organisations that engage in outsourcing services, from the simplest single supplier relationship to complex, global supply chains,  seek to gain advantage. However, in seeking this advantage organisations may overlook risks which they wrongly believe they have thrown the risk ‘over the fence’ through outsourcing. 

Ultimately, reputational damage is done to the commissioning organisation and there are many obstacles and impediments to the effective use of third parties in the delivery of an organisation’s business.


The risks associated with outsourcing

Our case examples highlight a number of risks which may are borne by the commissioning organisation including:

  • Poor visibility of individual contract performance.
  • Lack of contract management skills.
  • Poor relationship and interaction with contractor.
  • Inconsistent approach to day-to-day contract management.
  • Third party provider ethical/cultural issues.
  • Unclear roles and responsibilities within contract management team.

These issues are presented in  detail along with the  organisations’responses to the issues. Our technical guidance on outsourced services provides internal audit practitioners with tools and techniques to develop their thinking and practices in relation to contracts and supplier relationships.

The consequences of overlooking such risks may result in service failure or delay, additional cost, or reputational damage.


Internal audit can support boards in relation to outsourced services

There should be an appetite at board and senior management level for assurance that the risks of outsourcing are being managed so that the organisation’s achievement of its strategic objectives is not compromised.

If outsourced services are of strategic importance then they should feature on internal audit plans. Over time, assuring outsourced projects is likely to become a regular feature of internal audits in all sectors.

The precise role, timing and extent of internal audit’s involvement will depend on: the perceived risk it presents to the organisation; the board’s risk appetite; and the cost and complexity of the outsourced service.


Internal audit has a key role to play

When a service is contracted out internal audit can get involved in the following ways as shown by our case examples:

Strategic intent and feasibility

A key area is to provide assurance that managers are using the recognised process to complete a feasibility study to show that there is a clear business case aligned to the strategic objectives of the organisation.

Implementation and management

Internal audit can review the supplier selection process and assess whether the organisation has adequate and effective policies and procedures for tendering.

Contract management arrangements

Internal audit can examine the performance management arrangements in place when a contract is in flight.


Key lessons

Our case examples highlight a number a key lessons for internal audit:

  1. It is often crucial to get involved at the early stages to help avoid contract failure.  This includes reviewing the process by which a decision was taken to seek a service externally.

  2. It is important to assess how well risk is being jointly considered between the customer organisation and the provider.

  3. Ensure that the level of audit coverage is commensurate with the scale, nature and number of contracts.

  4. An audit team working on contract audits should ideally be multidisciplinary and some should have a contract management background if necessary.

  5. Internal audit can really add value by benchmarking supplier/contractor performance to drive overall improvements.

  6. Right to audit clauses are quite common in contracts.  It is important to invoke this clause in the cases where high value/high profile contracts are of concern.

  7. It is important not to rely on a purely systems-based approach, but to complement this with an element of substantive testing to test the consequences of any control failure.

  8. Where there are several layers of assurance on a large-scale project with many contractors with complex interfaces it is important to ensure that assurance is co-ordinated properly so that audit does not hamper the progress of the project.
Content reviewed: 1 October 2019