Risk-based Audit Plans: Do You Have a Skills Gap?

By Hal Garyn, Managing Director, Audit Executive Advisory Services, LLC


IIA Standards require us to establish a risk-based internal audit plan. However, when focusing on the highest organizational risks, it is highly likely we will have a talents and skills gap. Although possibly tempting, ignoring risk-based audit projects where we might lack the skills is not an acceptable course of action. Alternatively, we could hire additional internal audit staff to fill these skill gaps, but we may then acquire skills we do not need to possess on staff every single day, year after year. While other options (e.g., loaned staff) exist, many Chief Audit Executives (CAEs) elect to close the skill gap with co-sourcing.

What is Co-Sourcing?

Let us define co-sourcing as contracting third-party subject matter expertise, either supplementing the skills your team possesses to complete a planned project or hiring an entire group of third-party experts to complete an entire project. Essentially, you are supplementing your existing staff by “out-sourcing” skills and renting them in-house for a time. In any event, you as the CAE still retain control of the project scope and the project's final deliverables as a part of executing your audit plan.

Do I Have to Co-Source?

Co-sourcing is not explicitly required by the Standards. However, how can you conform to other long existing IIA Standards if you do not? How can you best serve your organization in executing your plan if you do not?

The following Standards are most germane. (Emphasis added)

  • Standard 2010 – Planning: The CAE … “must establish a risk-based plan to determine the priorities of the internal audit activity …”
  • Standard 1210 – Proficiency: … internal audit … “must possess or obtain the knowledge, skills, and other competencies to perform its responsibilities”.

Taken together, these two Standards articulate the need to obtain the “knowledge, skills, and other competencies” to supplement what you already have on your internal staff, as evaluated on a project-to-project basis.

Challenges with Co-Sourcing

If you have completed co-sourced projects previously, undoubtedly some of these projects have not gone as well as you would have anticipated (or worse). Well, while a lot can go right, a lot can also go wrong.

Successful co-sourcing projects depend on how well you manage the entire process, from beginning to end. Some challenges (there are many more) and some mitigation options, follow:

  • Wrong personalities – You hired the right skills, but operating management of the audited area are still complaining about the people on the project.
    • When hiring third-party resources, you are vetting not only their technical skills but their interpersonal skills. While not always practical, involve operating management of the audited area in the selection process of the individuals on the team. Remember that you are hiring the whole person, not just the technical skills. Vet both hard and soft skills. Importantly, trust your instincts if something seems amiss.
  • Wrong skills – The people on the project end up not having the skills necessary, and the project is quickly becoming a disaster with operating management quite upset.
    • A lot of effort needs to be spent vetting the people assigned to the project before they commence the work. You cannot trust the firm providing the resources to understand exactly what you need, and/or trust them to deliver on a promise. Strongly consider having frequent touch points with the third-party team and, separately, with operating personnel in the area to check-in and assess “how’s it going”. Not reacting to, or responding to, early warning signs of the wrong skills on the project can be disastrous. Again, always trust your instincts.
  • Loss of control – The project ends up not delivering what it was supposed to. You, effectively, lost control of the project at some point.
    • Setting the scope of the project clearly at the outset, having clearly defined checkpoints and check-ins, having a presence during key client interactions, and reviewing work product at interim stages (not waiting until the end) can help tremendously.
  • Scope disconnects – You thought you had clearly agreed on what would be included and not included in the project’s scope, but as the project progressed you constantly found yourself asking the team why they were looking at some things that did not seem relevant and/or not considering things you thought were supposed to be addressed.
    • Scope setting is critical in any project, but especially when you are using third-party resources. You are usually paying for the resources on a per-hour basis and, as they say, time is money. Be crystal clear what the scope of the project is, and what is in and out of scope. If the team has doubts at any point during the project, they should check in and seek clarification. And, if the team feels the need to change or expand scope, they should not do so without your explicit concurrence. Frequent status meetings on the project, as well as periodic separate check-ins with the client, are highly recommended to help manage scope issues and the risk of unintentional “scope creep”.
  • Knowledge transfer miscues – While the project skills you needed to acquire are likely not needed routinely on future projects, some skills could be learned, at least to some degree, by your staff and leveraged in the future. But, unfortunately, the project ends, and you and your staff are left none the wiser and all the knowledge walks out the door in the heads of your co-sourced resources.
    • Purposely build knowledge transfer into the project, and explicitly state this expectation in the contract and work order governing the project. Make sure your internal staff assigned to the project also understand your expectations. Hold all parties accountable.
  • Deliverable weaknesses – Generally, the work accomplished achieved your expectations and the audit client found the team competent and easy to get along with, but when it came time to get draft findings, interim reports, a final report draft, and/or the workpapers, you were very disappointed with the quality of what you received. You then invest a lot of time coaching, correcting, and fixing.
    • Start by setting clear expectations on workpaper standards and expectations at the beginning of the project, hold a training session, and have a process established for periodic interim reviews of workpapers throughout the project. Preferably, do not let anything be shared with client personnel without your approval. When it comes to reports and reporting, it helps to share examples of audit reports your department has issued previously that might be representative of the type, style, structure, and quality you expect. And do not be bashful about asking for samples of writing from your co-sourced personnel before any work begins.


Moving Forward

Co-source partners and co-source projects … sometimes it feels like a “you cannot live with them, but you cannot live without them” scenario.

Take your time vetting the third-party vendors that are available, develop a relationship with key people in the firm, and dedicate all the time needed to make these challenging projects a success. Talk with other CAEs in your industry, talk with other CAEs in your geography, and be thorough. Every step taken as precaution is worth a pound of cure, as they say.

Sometimes all it takes is to have someone with lots of experience co-sourcing projects to guide you, as the CAE, through some of the challenges. Hiring a confidential adviser to help you navigate co-sourcing successfully may be a worthwhile and relatively small investment and potentially minimize collecting a few grey hairs in the process.