Considerations for Outsourcing Your Internal Audit Function

Financial institutions have a long history of partnering with third-party firms to assist with internal audit activities.

There are several factors to consider if your institution looks to hire an outsourced audit team, including:

  • Should you outsource all or part of the internal audit function?
  • What are key responsibilities of an outsourced audit team?
  • How to hire an external auditor
  • What to do after an audit is complete
  • Vendor management

Why Are Financial Institutions Outsourcing Internal Audits?

Partnerships between financial institutions and outsourced auditing teams typically arise due to a need for specialized knowledge, to fill staffing shortages, and provide an independent assessment of controls and processes.

Financial institutions are subject to a broad range of regulations at the state and federal level, and it’s increasingly difficult for financial institution internal audit departments to stay current on applicable regulations.

Additionally, financial institutions with staffing shortages caused by the pandemic or retirements, may find it more appropriate to allocate certain audits of a more routine nature to third parties as an efficient way to complete audits and allow more time for existing audit staff to focus on higher risk areas.

The Role of the Audit Committee

The audit committee’s main goals include overseeing management’s financial reporting objectives and the practices and procedures put in place to safeguard the institution’s assets.

In addition to these two goals, it’s also the audit committee’s responsibility to hire, supervise, and direct the work of internal and external auditors. While internal auditors are employees of the institution, external auditors, specifically a third-party, may be engaged to complete one audit or complete an entire internal audit plan.

In cases where the internal audit plan is completed by external auditors, the audit committee generally appoints one or multiple members of management to oversee the engagements.

Should You Outsource All or Part of the Internal Audit Function?

Properly understanding what skills the audit committee and your internal audit department have and what tasks they can effectively perform is key to determining the need to outsource certain procedures to maintain the audit committee’s overall effectiveness in meeting its goals.

For instance, the internal audit department may be highly skilled at loan audits but doesn’t have the skills to complete a bank secrecy act (BSA) audit. BSA audits are commonly outsourced due to specialized skills, high level of examiner scrutiny, and number of hours to complete.

What Are Key Responsibilities of an Outsourced Audit Team?

Outsourced internal audit engagements are arranged in two different ways: fully co-sourced and fully outsourced.

Fully Co-Sourced

In a co-sourced engagement, the external audit team works closely with the institution’s internal audit department to complete the engagement. Interviews, testing, and engagement oversight functions may be split between internal and external auditors.

Co-sourced engagements typically arise when an institution needs additional staffing or wants to use the audit as an opportunity to train internal audit personnel. The scope of work for co-sourced engagements should clearly state the responsibilities and roles of each party.

Fully Outsourced

Fully outsourced engagements occur when an external firm is engaged to complete an audit from start to finish.

These engagements occur when specialized knowledge is needed or when an internal audit department has limited ability to complete the audit plan, either due to staffing or from an efficiency aspect. While the external firm executes the engagement, a liaison is typically assigned from the institution to assist the firm with project administration. This may include assisting with gathering requested documents, arranging interviews, and organizing update and exit meetings.

Regardless of whether an engagement is co-sourced or fully outsourced, management and the audit committee retains responsibility for the adequacy of the procedures performed, the internal control environment, and oversee the engagement. However, the external auditor can be an invaluable partner due to their experience working with multiple institutions and broad skillsets.

How to Hire an External Auditor

To effectively hire an outsourced auditing team, there are several key items you could consider:

  • Experience. Does the external audit firm have experience working with financial institutions and do they have all the necessary resources and skillset?
  • Firm reputation. Does the firm have available references you could interview?
  • Compensation. What are expectations around the time needed to complete the audit and related hourly rate?
  • Value. Value doesn’t mean lowest cost or lowest per hour rate—what are the benefits of working with a particular firm?


One of the most important items to assess when hiring an external auditor is how the firm manages the relationship. Check references to determine how a firm interacts with its clients. Meet with the firms to interact with them directly and get to know them. There’s only so much you can determine from a proposal and price quote.

Determine if the audit team is a good working fit long-term for management and the audit committee.

Contract Structuring

After selecting a third party but prior to entering the arrangement, management should assess whether the specific expectations and obligations of both the financial institution and the third party are outlined in a written contract.

Board approval should be obtained prior to entering any material third-party arrangements. Appropriate legal counsel should also review significant contracts prior to finalization.

The following topics could be considered as a contract is structured:

  • Timeframe covered by the contract
  • Frequency, format, and specifications of the service or product to be provided
  • Responsibilities of management and the third party
  • Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service
  • Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
  • Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations
  • Insurance coverage to be maintained by the third party
  • Terms relating to any use of bank premises, equipment, or employees
  • Authorization for the institution to monitor and periodically review the third party for compliance with its agreement

What to Do After an Audit Is Complete

When an audit is complete, management can meet with the auditor to discuss the findings.

Consider asking these questions:

  • What are the significant controls tested?
  • Did you have any disagreements with management?
  • Are there any potential internal control issues discussed with management that didn’t end up in your written report?
  • Any difficulties or challenges in performing the audit?
  • Was the audit completed according to the agreed-upon timeline and if not, why not?
  • If you had to mention one thing that could improve the effectiveness of the audit, what would it be?
  • How did you address the significant issues impacting our financial institution this year, such as management changes, mergers, core conversions, or new branches?

Responses to these questions are beneficial to an audit committee as they execute their duties to safeguard the institution’s assets. Additionally, these questions assist with assessing the quality of the audit and the abilities of the external auditor.

Vendor Management

There are risks involved when an institution works with a third-party vendor and it’s up to the institution to be aware of those risks and safeguard against threats.

Third-Party Risk Management

There are numerous vendor management risks that may arise when an institution works with an outsourced auditing team. Failure to manage third-party risks can expose an institution to regulatory action, financial loss, litigation, and reputation damage, and impair its ability to establish new customer relationships or service existing ones.

The financial institution's board of directors, audit committee, and management should understand the nature of these risks in the context of the institution's current or planned use of third parties.

These risks are elevated when engaging a third party that doesn’t have the requisite experience performing internal audits. Consideration should be given to not just the ability to complete the audit, but if the firm worked with similar size institutions.


Institutions should maintain adequate oversight of third-party activities. Consider implementing a process to monitor and review the following:

  • The services provided to minimize exposure to potential significant financial loss, reputation damage, and supervisory action
  • Arrangements and written agreements whenever there’s a material change to the program
  • The third party's operations to verify that services are consistent with the terms of the written agreement and that risks are being controlled
  • Compliance with applicable federal and state laws, rules, and regulations, as well as internal policies and procedures

We’re Here to Help

For guidance on utilizing an outsourced auditing team or managing third-party vendors, please contact your Moss Adams professional.

You can also visit our Financial Services Practice for additional resources.

Contact Us with Questions

Enter security code:
 Security code