You can't outsource your core tasks
There are a couple of essential tasks you cannot outsource:
- If you're about to execute a coup d'etat, you can't bring in mercenaries in key roles or positions and assume you will remain in control;
- If you want to rule a market, you cannot have key product development and innovation done solely by third parties;
- If you want to fundamentally change the way your organization functions, you cannot have a fully successful reengineering done by an outside consultant;
- If you want assurances your business is run with due diligence, you cannot outsource your internal audit function.
Why? Because the people you outsource this function to don't care as much or are not as informed as people on the inside. After all, they are but guns for hire. When the job is done, their work is done, and they move to another role or responsibility. Even worse, who do you believe defines when the job is done? You, the client? Don't bet on it. The job usually is done just about when the money runs out.
Providing assurance on due diligent behaviour is a core task
Your organization is likely to be about a very specific set of services, products or solutions. That's what makes your organization special. That's what clients come to experience or purchase. Some organizations are more specific than others, but the way they function internally is usually very specific and requires both a deep knowledge of the processes themselves and a thorough understanding of how these processes came to be what they are.
Now, in order to provide assurance on due diligent behaviour by all people involved, you need people who understand what is going on in the organization and why it is going on. Your assurance providers need to be specialized, not only in your business, but in your organization. In order to provide your organization with the most relevant value for money findings and recommendations, the internal auditor needs to be able to take the time and develop a deep understanding of your functioning.
The specialization fallacy
Most internal audit service providers will try to convince you of their uniqueness (let's be real here, they really aren't that special) and the skill set of their advisors. A couple of issues:
- The leverage model dictates a 1 to 3 (123) hierarchical structure to make a project profitable. Remember the mercenaries above who leave when the money runs out? A typical service provider aims at providing you with three juniors for every senior, with three seniors for every manager, with three managers for every director or partner. Given that deep expertise on average requires 10.000 hours of hard work, and that real chargeability will run at around 60% for seniors or above, which is where the real learning happens, you can make the calculation yourself. The more experienced the advisors are, the less likely you are to find one of those on the team being proposed to you;
- Service providers often claim sectoral experience. At the same time, they claim firewalls between their teams. This to me just doesn't add up. In a competitive environment, either you have sectoral knowledge gained at a competitor, in which case you should not be on the team, or you have no knowledge of the sector that is relevant to me.
- If not sectoral experience, they can bring technical experience. I agree that under certain, very strict conditions, it makes sense to outsource a very technical aspect of a job because you don't have adequate knowledge of the area. However, the number of cases in which this is applicable is limited to mainly specific ICT areas. And even then ...
Bottom line, the specialization you need access to the most should not be available due to firewalls in place between teams in a sector. And it's unlikely someone will have invested significantly in your organization ... because the return usually isn't there, except for really large organizations. And if this is the case, if a consultant has invested so much in your organization, where is his independence? How independent can you remain if your goal is to be paid by this organization?
But what about experts? Experts working for a service provider are most often no longer actively involved in the practice. They have an expiration date.
Even the best technical auditors cannot make up for a lack of knowledge about the specifics of the business and the organization.
For internal audit to be relevant, and to be able to provide adequate assurance on due diligent behaviour by the collaborators of an organization, it requires deep expertise in the business or the possibility to develop this expertise. An external party often has neither the means nor the intention to invest adequately in building this expertise.
Deep expertise needs to lead to good risk assessments and the development of efficient, effective and economic audit activities focused on relevant audit objectives and audit areas.
When using external support at all, this external support can at the earliest be asked to assist in developing audit work programs. Their aim should be to optimize the audit approach, not the objectives nor areas.
The actual audit execution should, where possible, remain with the internal auditors, supported where required by ad hoc expertise which can then be acquired at the best market value.
Final reporting should always remain with those responsible for internal audit.
Providing assurance on due diligent behaviour is a core responsibility of internal audit. The audit committee needs to have adequate assurances that the work done is not determined by the available budget for outsourcing, but rather by a deep understanding of the need of the organization to function at the best possible level, an understanding most efficiently developed from the inside.