Boards should not approve strategically important outsourcing projects without first getting full assurance from their internal audit teams that the potential risks have been properly considered and effective controls are in place, warns the Chartered Institute of Internal Auditors (the Institute) in a new report launched at its annual conference today.
The Institute explains that the role of internal audit is to provide independent assurance that an organisation’s risk management, governance and internal control processes are operating effectively.
Drawing on the experience of outsourcing and best practice in organisations across the public and private sectors, including the Ministry of Justice, EDF Energy, Crossrail and the BBC, the report highlights the importance of internal audit in providing assurance on the proper management of the risks associated with outsourcing.
Failure to foresee and manage outsourcing risks can result in service failures, delays in the implementation of new projects, significant additional costs and reputational damage, undermining the cost savings and other benefits that outsourcing is intended to deliver.
In some cases, critical failures in outsourcing could even open organisations up to regulatory fines. For example, last year three banks were fined £42 million by the Financial Conduct Authority for failures in IT managed by third parties, which led to customers being unable to access banking services.
The Institute says getting outsourcing right is increasingly important as it becomes more widespread among both private and public sector organisations seeking to cut costs and increase efficiency by buying in specialist services.
Dr Ian Peters MBE, Chief Executive of the Chartered Institute of Internal Auditors, comments: “Outsourcing the service does not outsource the risk. Organisations may think they have thrown the risk ‘over the fence’ but this is absolutely not the case.”
“Internal audit can support boards in relation to outsourced services. There should be an appetite at board and senior management level for assurance that the risks of outsourcing are being managed so that the organisation’s achievement of its strategic objectives is not compromised.”