Our 2015 report outlines a number of approaches in the private and public sectors to managing the risks associated with supplier relationships, including the practices of internal audit functions.
As part of the report we learned about the approach towards auditing contracts taken by the BBC, EDF Energy, Crossrail, Ministry of Justice and the Home Office.
Organisations that engage in outsourcing services, from the simplest single supplier relationship to complex, global supply chains, seek to gain advantage. However, in seeking this advantage organisations may overlook risks which they wrongly believe they have thrown ‘over the fence’ through outsourcing.
Ultimately, reputational damage is done to the commissioning organisation and there are many obstacles and impediments to the effective use of third parties in the delivery of an organisation’s business.
Our case examples highlight a number of risks which may be borne by the commissioning organisation including:
These issues are presented in detail along with the organisations’ responses to the issues. Our technical guidance on outsourced services provides internal audit practitioners with tools and techniques to develop their thinking and practices in relation to contracts and supplier relationships.
The consequences of overlooking such risks may result in service failure or delay, additional cost, or reputational damage.
There should be an appetite at board and senior management level for assurance that the risks of outsourcing are being managed so that the organisation’s achievement of its strategic objectives is not compromised.
If outsourced services are of strategic importance then they should feature on internal audit plans. Over time, assuring outsourced projects is likely to become a regular feature of internal audits in all sectors.
The precise role, timing and extent of internal audit’s involvement will depend on: the perceived risk it presents to the organisation; the board’s risk appetite; and the cost and complexity of the outsourced service.
When a service is contracted out, internal audit can get involved in the following ways as shown by our case examples:
A key area is to provide assurance that managers are using the recognised process to complete a feasibility study to show that there is a clear business case aligned to the strategic objectives of the organisation.
Internal audit can review the supplier selection process and assess whether the organisation has adequate and effective policies and procedures for tendering.
Internal audit can examine the performance management arrangements in place when a contract is in flight.
Our case examples highlight a number of key lessons for internal audit: