As demands on internal audit evolve—from tackling advanced analytics to ensuring robust ESG oversight—many organizations seek external consulting support. Whether you need specialized expertise, additional capacity, or a fresh perspective, engaging an internal audit consulting firm can be a strategic move. However, choosing the right partner requires careful planning, from defining your requirements and crafting a Request for Proposal (RFP) to conducting final interviews and laying out expectations in the contract.
This in-depth guide walks you through the entire selection process—highlighting the questions to ask, potential pitfalls to avoid, and how to set the tone for a successful partnership. Whether you’re a Chief Audit Executive (CAE) exploring co-sourcing for the first time or an executive tasked with leading the vendor selection, these steps ensure you find a consulting firm that aligns with your goals, budget, and corporate culture.
Define Your Needs and Scope
Clarify the Business Reasons for External Support
Before you release an RFP or even start contacting firms, pinpoint exactly why you’re looking for external help. Common motivations include:
- Filling Capacity Gaps: Your internal audit plan outstrips current staffing, or a large project/urgent request emerged, creating a backlog.
- Obtaining Specialized Expertise: You need IT/cybersecurity audits, advanced analytics, model validations, or niche regulatory knowledge the in-house team lacks.
- Gaining Independent Validation: The board or senior management wants an objective, outside perspective on a major risk area or an upcoming regulatory exam.
- Enhancing Best Practices: An external team can help modernize the function, introducing agile methodologies or other leading-edge approaches.
If you define these drivers upfront, you can shape your RFP around precise deliverables, ensuring you solicit proposals from firms that truly meet those needs.
Determine the Project Scope
Think about which areas you want them to cover:
- One-Off Engagement (e.g., a specialized IT risk review)
- Ongoing Co-Sourcing Arrangement (partial outsourcing of certain audits each year)
- Full Outsourcing (the entire internal audit function is externalized, though you may retain an in-house liaison)
Also, decide on timeframes. Is this a multi-year partnership for broader synergy or a short-term contract for a specific risk deep dive?
Outline Your Budget and Resources
Even if you don’t share budget figures in the RFP, it’s crucial internally to understand your financial constraints. If you can’t afford top-tier hourly rates for a big-firm approach, you might prefer smaller niche consultancies. Additionally, gauge how you’ll allocate in-house staff to collaborate. Good resource alignment fosters smooth onboarding and knowledge transfer.
Crafting a Targeted RFP
Components of a Strong RFP
An RFP (Request for Proposal) is your formal request for consulting firms to submit their qualifications, approach, and pricing. Key sections typically include:
- Background
  - Overview of your organization (industry, size, key risk areas).
  - Description of the existing internal audit function (staff size, structure, reporting lines).
- Scope of Services
  - Precisely define which audits or risk areas you want help with (e.g., IT audits, specialized regulatory compliance, certain strategic projects).
  - Indicate your expected level of involvement from the external team (fully managed audits vs. partial collaboration).
- Project Timeline and Deliverables
  - Desired start date and any critical deadlines (like an upcoming audit committee meeting or regulatory filing).
  - Outline expected deliverables (reports, presentations, post-engagement follow-ups).
- Proposal Requirements
  - Ask for details on firm experience, team composition, methodologies, relevant credentials, and references/case studies.
  - Include a request for fee structures (hourly rates, fixed fee, or retainer options) and billing guidelines.
- Evaluation Criteria
  - Highlight how you’ll assess proposals: weighting for technical capability, industry expertise, cost, cultural fit, etc.
  - Clarify the timeline for RFP responses, possible interview dates, and expected decision date.
Key Questions to Include
- Firm Experience: “Describe your relevant experience in [specific area or industry], including case examples.”
- Proposed Engagement Team: “Identify the senior individuals who would work on our account and describe their relevant expertise.”
- Methodology and Tools: “Outline your approach to risk assessment, testing, analytics, and reporting. Do you use any specialized software or frameworks?”
- Knowledge Transfer: “How do you ensure our internal staff gain skills or keep knowledge within the organization once your engagement ends?”
- Conflict of Interest: “Disclose any potential conflicts, such as providing external audit or other services that might impair independence.”
- Cultural/Values Alignment: “How do you handle stakeholder communication, and how do you adapt to an existing corporate culture?”
- Cost Model: “Detail your fee structure, any discount arrangements, not-to-exceed amounts, or retainer-based options.”
A well-constructed RFP filters out less suitable firms from the start, saving time for both parties.
Evaluating Proposals and Shortlisting Firms
Criteria for Assessment
Once you receive proposals, score them against a consistent rubric:
- Technical Expertise and Industry Fit
  - Does the firm demonstrate deep experience in the risk areas or industries you operate in? Do the credentials of the proposed senior staff match your scope?
- Methodology and Approach
  - Do they show a risk-based or innovative methodology, or just generic claims? Are they flexible enough to adapt to your existing internal audit frameworks?
- Proposed Team
  - Sometimes brand-name firms propose senior leaders in the pitch, then assign junior staff in practice. Request specifics on the actual day-to-day engagement team and their time commitment.
- Cultural and Communication Alignment
  - Internal audit can be sensitive and requires strong relationship management. Evaluate how the firm describes communication style, conflict resolution, or knowledge transfer.
- Cost and Value
  - Low-cost bids might save money but also might signal less experienced teams or narrower coverage. High-cost proposals should justify their premium with specialized capabilities, brand reputation, or proven results.
- References and Track Record
  - Ask for references in your sector or with a similar scope of co-sourcing. A quick reference check can verify the firm’s claimed successes or reveal hidden issues.
Shortlisting and Conducting Interviews
- Initial Down-Select: Narrow the field to (usually) 2-4 promising firms.
- Firm Presentations or “Beauty Contests”: Invite them to present to your leadership or selection committee. Confirm that the actual engagement leaders attend, not just business development staff.
- Interview Focus: Explore how they handle your unique challenges (like specialized IT systems, intangible strategic audits) and gauge their problem-solving style.
Having multiple finalists fosters competition—improving the chance you’ll get favorable pricing and services that truly fit your environment.
Checking References and Performing Due Diligence
Reference Calls
As you near a final decision, contact 1-2 references per finalist:
- Ask Specifics: “Which projects did they conduct for you, how complex were they, and how was the firm’s performance?”
- Timeliness and Budget: Did they consistently meet deadlines and stay within cost estimates?
- Adaptability: If scope changed mid-project, how flexible were they?
- Relationship with Internal Staff: Did they leave behind knowledge or vanish post-engagement? Did personality conflicts arise?
Real-world feedback from references can confirm or contradict the firm’s claims in their proposals.
Potential Conflicts of Interest
- If the firm also does your external audit, or has provided consulting to management in a specific domain, ensure independence isn’t compromised for the areas they’d audit internally.
- Check whether they serve close competitors; some organizations prefer exclusivity or at least confidentiality assurances.
Cultural Fit Exploration
- Conduct Informal Interactions: A short “chemistry meeting” with the engagement lead can confirm if their style meshes with your corporate culture.
- Question Team Stability: High turnover at the firm might disrupt continuity if brand-new staff repeatedly rotate onto your account.
Final Selection and Contract Negotiation
Scope Clarification
- Define Scope in Writing: Outline precisely which audits or function areas are included, as well as deliverables (like final reports, status updates, training).
- Agree on a Risk-Based Work Plan: Confirm the high-priority audits or projects. If they’re doing an entire internal audit plan, itemize the coverage for the year.
Pricing and Fee Structure
- Fixed-Fee vs. Hourly: Fixed fees offer predictability, but if scope might shift, consider an hourly or retainer model. Some contracts combine a baseline retainer plus variable hours.
- Travel and Out-of-Pocket Costs: Clarify who bears these and whether they’re included or billed separately.
- Discounts and Rate Locks: Larger multi-year deals might negotiate stable rates or volume discounts.
Service Level Agreements (SLAs) and Performance Metrics
- Timelines: Indicate turnaround times for draft reports or how quickly the firm should respond to urgent requests.
- Quality Indicators: Possibly embed measures of satisfaction from the internal audit department or other stakeholders.
- Knowledge Transfer: If your main reason is skill-building, set specific milestones ensuring the external team mentors your staff.
Confidentiality and Data Security
- With access to sensitive information, the contract must address non-disclosure, data protection, and any compliance with data privacy regulations.
Conflict Resolution and Termination Clauses
- Spell out how to handle disputes (mediation, arbitration), and whether you can terminate early if deliverables fall short or you no longer need the same capacity.
- Outline transition planning if the arrangement ends, so the external firm can hand over all relevant workpapers or knowledge effectively.
Onboarding and Integration: Setting Up for Success
Even the best consulting firm won’t deliver maximum value if poorly integrated into your processes. Start strong:
Clear Roles and Accountability
- Single Point of Contact: Assign an internal liaison (often a senior audit manager) who coordinates day-to-day interactions.
- Team Collaboration: Provide the external staff with an organizational chart, contact lists, system access, and orientation. Ensure your in-house team understands how and when to collaborate with them.
Kickoff Meeting
- Reconfirm Scope and Timeline: Align on priorities, deliverables, and reporting formats.
- Discuss Culture and Communication Norms: Clarify your organization’s approach to communication—weekly check-ins, monthly dashboards, or agile sprints for audits.
- Agree on Escalation Paths: If they identify critical issues or obstacles, how do they escalate them to you or the audit committee?
Access and Systems Setup
- IT Onboarding: Provide secure logins, VPN or remote access as needed, and ensure data privacy settings are correct.
- Documentation Repositories: Give them access to relevant policy manuals, prior-year audit reports, risk registers, and so forth.
- Ethics and Security Briefing: Even external staff must adhere to your code of conduct, confidentiality rules, and any insider trading restrictions or compliance guidelines.
Monitoring Progress and Ensuring Continuous Alignment
Regular Checkpoints
- Status Updates: Schedule weekly or bi-weekly calls to track progress, discuss emerging findings, and rectify scope drift promptly.
- Quality Assurance: Keep an eye on workpaper quality, or do random spot-checks—particularly early in the engagement to confirm alignment with your standards.
- Stakeholder Feedback: If certain department heads express confusion or dissatisfaction with the external firm’s approach, address it early. Communication friction can derail outcomes.
Capturing Knowledge Transfer
- If you want to upskill your internal team, incorporate joint fieldwork or shadowing opportunities, post-engagement workshops, or “lessons learned” sessions.
- Document the firm’s methodologies so you can replicate them next time a similar audit arises.
Handling Change Orders
- If a new request emerges mid-year (e.g., urgent management request or a newly discovered risk), clarify with the consulting firm if it’s within the existing scope or requires an addendum to the contract. Avoid budget surprises or timeline confusion.
Dealing with Potential Pitfalls
Despite thorough planning, pitfalls can arise:
- Overreliance: If your team leans too heavily on co-sourced staff, you risk stalling internal skill development. Maintain a balanced approach so in-house auditors learn from external experts rather than deferring all complex tasks to them.
- Scope Creep: Engaging the external firm for one specialized audit might balloon into multiple projects if not managed carefully. Stick to a well-defined statement of work and track expansions.
- Misaligned Goals: If the firm is primarily sales-driven, they might propose solutions beyond your actual needs. Keep the partnership grounded in the original objectives and key performance indicators.
- Cultural Clash: Some consulting styles might be too aggressive or too formal for your organizational culture. This can harm stakeholder relationships. Address cultural alignment issues early through open dialogue or real-time feedback.
Evaluating Success and Ongoing Relationship
After an initial engagement or the first audit plan cycle:
- Solicit Feedback: Survey your internal audit managers, auditees, and the CAE or CFO on the external team’s performance—timeliness, thoroughness, collaboration style, etc.
- Measure Impact: Did they help you clear a backlog or successfully pass a regulatory exam? Did they upskill your team in a new methodology or technology?
- Assess ROI: Compare fees against tangible outcomes—reduced risk exposures, improved processes, or quicker detection of issues.
- Plan Future Engagement: If synergy is high, consider renewing or expanding. If issues persist, address them candidly or reissue an RFP to find a better-fit provider.
Final Thoughts
Selecting and onboarding an internal audit consulting firm can be a game-changer—helping you manage specialized audits, handle capacity surges, or gain objective validation of internal processes. Yet success hinges on defining your needs, crafting a clear RFP, rigorously evaluating proposals, and setting precise expectations in the contract. From the first kickoff meeting, align your in-house team with the external experts so that knowledge flows both ways, ensuring a cohesive, results-driven collaboration.
When done right, a co-sourced arrangement offers flexibility, specialized skills, and fresh perspectives, elevating your internal audit function’s contributions to the organization’s governance, risk management, and strategic resilience. By following the steps and best practices in this guide—from RFP to onboarding—you can confidently select an internal audit consulting partner that meets your unique challenges, complements your culture, and delivers sustained value year after year.
