Co-Sourcing vs. Outsourcing: A Board-Level Comparison for Modern Internal Audit Functions

1. Intro

The internal audit function has always been integral to good governance, risk management, and compliance. However, rising complexity—from cyber threats to global regulations—is prompting boards to scrutinize how their organizations structure and resource their internal audit. The decision between outsourcing and co-sourcing is no longer a technical detail but a strategic choice with direct implications for risk oversight, corporate culture, and budget allocation.

Boards must ensure their organizations’ internal audit not only meets regulatory expectations but also delivers value by identifying operational efficiencies and strategic risks. Choosing the right sourcing model can differentiate between an audit function seen as a cost center and one that is a strategic enabler for growth and resilience.

1.2. Key Objectives of This Article

1. Clarify the Differences: Provide a crisp understanding of co-sourcing vs. outsourcing.
2. Highlight Board-Level Priorities: Emphasize what the board of directors should weigh—like independence, risk appetite, and ROI.
3. Compare Financial and Operational Impacts: Discuss how each model influences costs, quality, and accountability.
4. Offer Strategic Guidance: Suggest best practices and real-world considerations that boards can use to shape governance decisions.

By the end, board members and senior leaders will have a roadmap for evaluating whether to outsource the entire audit function or to engage in co-sourcing arrangements.

---

2. Revisiting the Role of the Modern Internal Audit Function

2.1. Historical Context and Emerging Expectations

Historically, internal audit teams focused on financial controls and basic compliance. Over time, the function evolved into a more comprehensive mechanism, covering operational, IT, and strategic risks. Boards now expect internal audit to:

• Proactively identify vulnerabilities in processes, technology, and governance.
• Offer strategic insights on how to optimize performance and align with broader goals.
• Balance compliance with forward-looking risk advisory.

This expanded mandate has changed the skill sets required for an effective audit function. Expertise now spans cybersecurity, data analytics, ESG metrics, and even organizational psychology.

2.2. Strategic, Operational, and Compliance Dimensions

Today’s internal auditors:

• Operate Strategically: Provide the board and senior executives with insights into emerging market or technological disruptions.
• Enhance Operational Resilience: Evaluate how processes scale and adapt, particularly in areas like supply chains or financial reporting.
• Ensure Compliance: Monitor adherence to regulations such as GDPR (data privacy), SOX (Sarbanes-Oxley), HIPAA (in healthcare), and more.

2.3. The Board’s Fiduciary and Oversight Responsibilities

Board members carry fiduciary duties to protect shareholder value and ensure robust governance. An under-resourced or poorly structured internal audit can lead to compliance failures, operational inefficiencies, or even major scandals. Consequently, the board’s active engagement in how internal audit is staffed—whether through outsourcing or co-sourcing—serves as a critical lever for fulfilling these duties.

---

3. Defining Co-Sourcing vs. Outsourcing

3.1. What Is Outsourcing?

Outsourcing internal audit means contracting an external firm—often a specialized audit or consulting provider—to handle all internal audit responsibilities. This covers planning, execution, and reporting. The organization typically retains minimal internal audit staff, if any, focusing instead on managing the relationship with the external provider.

• Benefits: Access to broad expertise, reduced overhead in staffing, and immediate scalability.
• Drawbacks: Potential loss of institutional knowledge, limited direct control over day-to-day operations, and possible cultural misalignment.

3.2. What Is Co-Sourcing?

Co-sourcing is a partnership model. An organization’s in-house audit team works collaboratively with an external provider. Certain audits or specialized tasks (e.g., IT security audits, regulatory compliance reviews) might be handled by the external team, while strategic oversight and other audits remain in-house.

• Benefits: Retains institutional knowledge, offers specialized skills on demand, fosters knowledge transfer.
• Drawbacks: Requires more coordination, potential for overlapping responsibilities, and possibly higher management complexity.

3.3. Core Differences and Overlap

Aspect	Outsourcing	Co-Sourcing
Control	External firm leads entirely	Shared leadership between in-house and external providers
Internal Knowledge	Potentially lost or minimized	Retained and complemented by external expertise
Skill Transfer	Limited back to the organization	Continuous, as in-house staff collaborate with specialists
Board Engagement	More oversight of provider	Balanced oversight of both internal and external teams
Scalability	Rapid but solely external	Flexible; external resources supplement an existing in-house baseline

---

4. Board-Level Strategic Considerations

4.1. Aligning Audit Strategy with Enterprise Risk Management

Boards increasingly integrate internal audit into enterprise risk management (ERM) frameworks. The sourcing decision should reflect the organization’s:

• Risk Appetite: High or low risk tolerance?
• Geographic Footprint: If operating globally, do local regulations demand internal control or specialized external support?
• Industry-Specific Demands: Complex industries like finance, energy, or healthcare often require niche expertise.

Outsourcing might suit a board seeking a turnkey solution if the in-house risk management capabilities are limited. Co-sourcing might be preferable if the board wishes to develop internal competencies while leveraging external specialists for high-risk or complex audits.

4.2. Budget Priorities and Resource Allocation

• Short-Term vs. Long-Term Costs: Outsourcing can lower overhead on staff salaries and training but may involve steady external fees. Co-sourcing can optimize costs by paying for specialized expertise only when needed, though in-house staff salaries still persist.
• Scalability: A sudden compliance blitz or major corporate event (like M&A) can strain an in-house team. With outsourcing, boards can swiftly allocate more resources. Co-sourcing is similarly scalable, but the in-house portion sets a baseline cost.

4.3. Governance and Control Implications

Boards should consider how each model affects:

• Transparency: Will the external provider offer full data access and real-time reporting?
• Conflict of Interest: Some external audit firms also provide consulting or other services to the organization, raising questions of independence.
• Board-Management Dynamics: In an outsourced model, the board might rely heavily on external reports, while co-sourcing often keeps internal leaders more involved.

4.4. Flexibility vs. Long-Term Capability Building

• Outsourcing typically offers maximum flexibility (e.g., you can switch providers at contract end), but invests little in internal growth.
• Co-Sourcing fosters skill-building within the organization, allowing your internal team to grow in parallel with external experts. This can create a more resilient, knowledge-rich environment.

---

5. Performance Factors: Quality, Expertise, and Independence

5.1. Talent Pool and Skillsets

• Outsourcing: Firms often field large teams with diverse specializations (e.g., cyber, forensic accounting, ESG). Ideal if you need broad coverage immediately.
• Co-Sourcing: You get specialized resources plus you maintain your own staff’s institutional expertise, creating synergy. In the long run, this can yield a deeper knowledge base inside the organization.

5.2. Objectivity and Independence

Boards should weigh how each model impacts the perceived and real independence of the audit function:

• Outsourcing: External auditors might be more objective but can also face potential conflicts if they provide other services to the organization.
• Co-Sourcing: Balances in-house familiarity with external impartiality. However, internal politics might still influence certain areas if not carefully governed.

5.3. Depth and Breadth of Audit Coverage

Coverage gaps can occur if:

• Outsourced teams lack organizational-specific knowledge, missing context on nuanced internal processes or culture.
• Co-sourced teams struggle with coordination or role clarity, causing duplication or oversight in scheduling audits.

Boards must ensure that whichever model they choose, the plan includes a broad audit universe—IT, compliance, strategic—and a detailed risk assessment to guarantee coverage where needed.

5.4. Continuous Improvement and Knowledge Transfer

• Outsourcing: The external firm might not always prioritize training in-house staff, potentially limiting knowledge transfer.
• Co-Sourcing: More conducive to building internal capabilities, especially if knowledge transfer is explicitly included in the contract’s Service Level Agreements (SLAs).

For boards seeking a learning culture, co-sourcing is often more appealing, provided both parties commit to open communication and skill-sharing.

---

6. Risk and Accountability

6.1. Regulatory Pressures and Compliance Demands

Modern boards face a barrage of regulatory mandates: SOX in the U.S., GDPR in Europe, AML laws in finance, and so forth. The internal audit function is critical for ensuring ongoing compliance:

• Outsourcing can help if the external provider has a global footprint and specialized compliance units.
• Co-Sourcing merges external compliance expertise with your in-house knowledge of local or specialized regulations.

6.2. Cybersecurity, Data Privacy, and Emerging Risks

Boards are increasingly aware of cyber attacks, ransomware, and data breaches. Internal audit sourcing can significantly impact how swiftly the organization identifies vulnerabilities or recovers:

• Outsourcing: Large audit firms typically have dedicated cybersecurity teams. However, third-party data exposure and security of the external provider’s systems become new risk factors.
• Co-Sourcing: An external specialist can handle advanced penetration testing or real-time monitoring. The in-house team fosters continuity for day-to-day security controls.

6.3. Reputational and Ethical Dimensions

An underperforming internal audit function can lead to fiascos—think fraud or compliance lapses going undetected. For the board:

• Outsourcing: The external firm’s brand reputation can be a boon or a risk. Reputable providers add confidence, but any scandal involving them might reflect poorly on your organization.
• Co-Sourcing: Shared accountability. The board can highlight how it invests in both internal and externalexpertise to guard against ethical pitfalls.

6.4. Contractual Obligations, SLAs, and Liability

If the external auditor fails to detect a compliance breach, does liability flow back to the organization or the auditor? Typically, the organization still bears ultimate responsibility. Boards must ensure robust SLAs and contractual protections:

• Liability Clauses: Clear delineation of indemnifications, limits of liability, and insurance coverage.
• Performance Metrics: Outsourcing deals often tie fees to performance (e.g., timely completion of audit plan), while co-sourcing might include collaborative performance reviews.

---

7. Financial Implications for the Board

7.1. Cost Models: Fixed, Variable, or Hybrid

Outsourcing can be structured as a fixed-fee arrangement, offering predictable costs. However, any additional scope might incur extra fees. In co-sourcing, certain specialized tasks are billed as needed, while in-house salaries remain a fixed overhead. Boards should weigh:

• Seasonal or Project-Based Audits: Ramping up for year-end audits or major compliance deadlines.
• Recurring Engagements: If your organization needs a constant flow of audits, a retainer-based model might be cost-effective.

7.2. ROI Perspectives and Potential Savings

An effective internal audit function can save money by preventing fraud, reducing compliance fines, and improving processes. Boards sometimes measure ROI via:

• Cost Avoidance: Potential legal penalties or settlement fees sidestepped.
• Operational Efficiencies: Streamlined processes or automation suggestions from the auditors.
• Risk Reduction: Lower risk of catastrophic events, such as data breaches.

Both outsourcing and co-sourcing can drive ROI if well-structured. However, co-sourcing might emphasize internal improvements (like skill-building and collaboration) that generate intangible returns over time.

7.3. Avoiding Hidden Costs and Scope Creep

Outsourcing can carry hidden fees if your organization frequently expands the audit scope or requires out-of-scope tasks (like specialized investigations). Co-sourcing can also lead to redundancy if in-house staff inadvertently duplicates external efforts.

Boards should direct management to:

• Define Clear Project Scopes: Avoid ambiguous language in contracts.
• Implement Rigorous Change Management: Approvals for out-of-scope tasks to prevent budget overruns.
• Track Actuals vs. Budget: Periodic reviews of hours billed, tasks completed, and unplanned requests.

7.4. Benchmarking and Cost-Effectiveness Analyses

A prudent board may request a benchmark study comparing:

1. Similar Organizations in the same industry that have outsourced vs. co-sourced.
2. Historical Performance if the organization previously had an in-house or partially outsourced model.
3. Expected Value of each approach based on risk profiles, complexity, and growth projections.

These comparisons allow the board to see if outsourcing or co-sourcing aligns with industry norms and best practices, ensuring they’re not underinvesting or overspending on audit.

---

8. Implementation and Oversight

8.1. Selecting the Right Partner(s)

Whether outsourcing or co-sourcing, the board should scrutinize potential partners’:

• Industry Experience: Do they grasp your sector’s unique risks?
• Global Reach: If multinational coverage is needed, can they handle cross-border audits effectively?
• Ethical Track Record: Firms with reputational issues or regulatory infractions may pose additional risks.
• Cultural Fit: Providers that value open communication and knowledge sharing often integrate more seamlessly.

8.2. Project Management, Communication, and Collaboration

For large or complex engagements:

• Appoint a Steering Committee: Typically includes the CFO, CAE, or relevant executives plus senior representatives from the external provider.
• Define Communication Protocols: Weekly or biweekly status meetings, monthly or quarterly board updates, and real-time escalation paths for critical findings.
• Shared Tools or Platforms: Collaboration software (e.g., audit management systems, data analytics dashboards) fosters transparency.

8.3. Metrics, KPIs, and Board-Level Reporting

Boards should demand clear KPIs, such as:

1. Audit Plan Completion Rate: Percentage of planned audits completed on time.
2. Issue Closure Velocity: How quickly critical findings are remediated.
3. Cost Variances: Actual spend vs. budget.
4. Risk Coverage: Whether high-priority risks (based on ERM) are adequately audited.

Reporting should be concise but thorough, with executive summaries for the board and detailed appendices for the Audit Committee or relevant subcommittees.

8.4. Change Management: Culture and Resistance

Shifting from an in-house to an outsourced or co-sourced model can spur employee anxiety. The board can encourage:

• Transparent Communication: Management should explain the rationale—e.g., “We’re not downsizing; we’re ensuring specialized skill sets are on tap.”
• Retention of Critical Talent: Offer pathways for existing internal auditors to upskill or partner with external teams.
• Ongoing Training: If co-sourcing, ensure knowledge transfer so staff remain engaged and valuable.

---

9. Case Illustrations: Co-Sourcing and Outsourcing in Practice

9.1. Retail Sector: Hybrid Co-Sourcing for Specialized Audits

A mid-sized retailer with 200+ stores co-sources for IT security and supply chain audits—areas requiring niche expertise. Their in-house team focuses on operational and financial controls. This balance:

• Keeps institutional knowledge for daily operational audits.
• Brings in external IT security experts who run penetration tests on e-commerce platforms and assist with GDPR compliance.

Result: Enhanced coverage at a manageable cost, with minimal friction or duplication. The board sees the retailer’s internal audit function as robust in both day-to-day oversight and specialized compliance.

9.2. Financial Services: Full Outsourcing Under Regulatory Pressure

A regional bank facing new Basel III and AML requirements opted to fully outsource its internal audit to a leading global firm. The reasons:

• Compliance Complexity: The external provider had a specialized team well-versed in global financial regulations.
• Limited In-House Skills: Upgrading or recruiting talent for advanced risk modeling was cost-prohibitive.
• Urgency: Regulators flagged multiple shortfalls, necessitating rapid transformation.

Result: The board received structured monthly updates from the outsourced provider and overcame compliance hurdles within a year. However, the bank lost some internal capability growth, remaining reliant on external expertise.

9.3. Healthcare Organization: Balancing Internal and External Expertise

A large hospital network run by a nonprofit board used co-sourcing for:

• Clinical Audits: In-house staff with medical backgrounds had the best contextual knowledge.
• HIPAA and IT Security: External specialists tested EHR (Electronic Health Records) systems.
• Financial and Insurance Claims: Handled partly in-house, partly by co-sourced forensic accountants.

Result: Improved compliance with HIPAA and state regulations, while maintaining an engaged internal team. The board lauded the arrangement for fostering continuous improvement in patient data security and administrative efficiency.

---

10. Future Directions: Evolving Models and Technology Trends

10.1. The Rise of Continuous Auditing and Real-Time Assurance

Emerging technologies—AI, IoT, blockchain—enable continuous auditing, which moves beyond periodic check-ups to ongoing monitoring of transactions, user access, or process anomalies. Boards considering co-sourcing or outsourcing must think about:

• Infrastructure Readiness: Does the external partner have AI-driven data analytics capabilities?
• Collaboration Models: Real-time dashboards accessible by both in-house and external auditors.

10.2. Automation, AI, and Advanced Analytics

As AI tools mature, tasks like data sampling, exception reporting, and even anomaly detection can be automated:

• Outsourcing: Large audit firms may bring advanced AI tools, offering immediate scale and expertise.
• Co-Sourcing: Hybrid approach fosters skill transfer, enabling internal auditors to learn and deploy these AI tools themselves.

10.3. ESG and the Board’s Growing Oversight Needs

Environmental, Social, and Governance metrics are becoming standard. The internal audit function increasingly validates carbon emissions reporting, social responsibility metrics, and governance structures:

• Outsourced specialists might have broader global ESG experience.
• Co-Sourcing can help integrate ESG oversight into the organization’s culture and everyday processes.

10.4. Globalization and Regulatory Convergence

Organizations operating across multiple regions must navigate an array of country-specific laws:

• Outsourcing to a global firm ensures the board has coverage in each jurisdiction but can risk a one-size-fits-all approach if not carefully tailored.
• Co-Sourcing with multiple specialized providers or a single partner that offers segmented services can localize audits while retaining internal strategic oversight.

---

Final Thoughts

A board’s decision to outsource or co-source its internal audit function carries substantial weight for the organization’s risk management, cost efficiency, and strategic value. While outsourcing may deliver a turnkey, immediate solution with potentially broader skill sets, co-sourcing provides a collaborative, knowledge-building approach that retains internal expertise and fosters continuous development.

Key Takeaways for Board Members

1. Assess Risk Appetite and Complexity: High-risk or heavily regulated sectors often need deeper domain expertise—outsourcing can fill that gap quickly, but co-sourcing fosters internal knowledge over time.
2. Evaluate Talent Requirements: If your internal team lacks critical skills (e.g., advanced IT audits, data analytics), outsourcing may be a faster fix, but co-sourcing might be better for long-term capability building.
3. Consider Culture and Change Management: Outsourcing can trigger employee resistance if perceived as a replacement, whereas co-sourcing can be framed as a partnership. Both require transparent communication and strong project oversight.
4. Scrutinize Cost Structures: Look beyond hourly rates or retainer fees. Factor in hidden costs, scope creep, and intangible benefits like staff upskilling.
5. Demand Clear KPIs and Reporting: Boards should establish metrics (audit coverage, issue remediation speed, budget adherence) that reflect the value of either approach.
6. Stay Attuned to Future Trends: Continuous auditing, AI, and global ESG standards are reshaping internal audit. A flexible sourcing model can adapt more swiftly to these changes.

Ultimately, the choice between co-sourcing and outsourcing is rarely absolute or permanent. Some boards adopt a hybrid or phased approach—outsourcing initially, then transitioning to co-sourcing once internal capabilities and confidence grow, or vice versa. The board’s role is to ensure that internal audit, however it is sourced, remains an independent, value-driven function closely aligned with the organization’s strategic and risk objectives.

---