The Companies Act 2013 mandates appointment of an internal auditor by every listed company; every unlisted company with paid up share capital of Rs 50 crore or more, or turnover of Rs 200 crore or more, or outstanding loans or borrowings from banks or public financial institutions, exceeding Rs 100 crore, or outstanding deposits of Rs 25 crore or more; and every private company with turnover of Rs 200 crore or more, or outstanding loans or borrowings from banks or public financial institutions exceeding Rs 100 crore. Earlier, a statutory auditor was required to report the adequacy and effectiveness of internal audit.
The statutory recognition that internal audit is an important monitoring and assurance service for improving corporate governance is a milestone in the evolution of internal audit. The profession is in transition from 'service to the management' to 'service to the Board'. To serve boards of companies, which operate in VUCA (Volatility, Uncertainty, Complexity, Ambiguity) environment and/or explore digital business model and automation, the internal audit function must acquire a variety of specialised skills. New skills are also required to conduct higher level of audit (management audit). In order to address this challenge, co-sourcing has emerged as the most preferred model. The Companies Act permits outsourcing of internal audit. It stipulates that the internal auditor may or may not be an employee of the company. It further says the board shall decide to appoint a chartered accountant or a cost accountant or any other professional as internal auditor.
Co-sourcing is a low-cost model for acquiring the required capabilities. For example, traditionally, companies outsource IT audit because it is costly to keep the knowledge updated in the face of rapid technological changes, consistently evolving IT applications and emerging cyber-risks and also because of difficulties in providing opportunities of learning. Another reason for co-sourcing is companies find it cheaper to appoint local professionals to audit activities/functions in dispersed locations.
Outsourcing poses various challenges. Setting up a good contracting arrangement is important. Expected standard of service should be well articulated to enable the in-house team to monitor this. There should be clarity about contract termination and the in-house team should ensure that it has access to working papers and documents even after the termination of the contract. It is also important to manage differences in the working practices used by outsourcing service providers and the policies and norms followed by the in-house team. Therefore, co-sourcing is effective only if the in-house internal audit team is strong and efficient.
Outsourcing complete internal audit with skeleton in-house team is not a good idea. One disadvantage is that if the in-house team is not constituted of senior-level executives, contract management might fail. Moreover, in-house teams are best the bet for financial and operation/process audit, as those audits require in-depth knowledge of the internal environment and business processes. Similarly, strategy audit and audit of change initiatives cannot be left to an external agency because of confidentiality concerns. Complete outsourcing makes it difficult to integrate all assurance services, as the outsourced service providers back incentives for coordinating with other assurance services. It also deprives the company of 'add on' services, like consultancy and training, which are provided by the in-house internal audit team.
Internal audit serves the board effectively only if it is independent of management. It is the 'third line of defence' because other assurance services are not independent of the management. In order to protect the independence of internal audit, outsourcing decisions should be taken by the audit committee.
Co-sourcing of internal audit is like any other strategic decision. It requires answering questions such as which capabilities to be outsourced and why; and whether all capabilities should be outsourced from a single source. It is the audit committee's responsibility to choose correctly the capabilities to be outsourced and those to be kept in-house. The audit committee should select the outsourcing service providers and engage with them throughout the process. For example, the committee should discuss with the service provider the methodology and draft report. The chairman of the audit committee should receive the final report directly.
The management has an inherent temptation to filter audit reports before submitting those to the committee. This is a possibility of which the audit committee should always be alert, regardless of the level of trust it shares with the management.
The writer is professor and head of the School of Corporate Governance and Public Policy in the Indian Institute of Corporate Affairs; and chairman of the Riverside Management Academy
asish.bhattacharyya@gmail.com
