The question of whether to co-source or outsource an internal audit function comes up more often than it used to. Rising cost pressure, the difficulty of recruiting experienced internal auditors, and the increasing complexity of the regulatory environment are pushing more firms to consider whether running a fully in-house function is the right model.

The answer is not the same for every firm, and anyone who tells you otherwise is not being straight with you.

Defining the terms

Co-sourcing means the firm retains an in-house internal audit function, typically with a Head of Internal Audit and some permanent staff, and supplements it with external resource for specific audits or specialist areas. The external provider works alongside the in-house team under the direction of the CAE.

Outsourcing means the entire internal audit function is delivered by an external provider. The firm may retain a small oversight role, sometimes a single individual who manages the provider relationship and interfaces with the audit committee, but the audit work itself is done externally.

There is a third model that often gets conflated with these two: a managed service, where an external provider delivers the function under a contract that includes defined outputs, quality standards, and governance arrangements. This is effectively outsourcing with a more structured contract, and the considerations are similar.

What co-sourcing is good at

Co-sourcing works best when the firm has a stable core audit programme that can be delivered by permanent staff, and a set of specialist requirements, technology audits, financial crime reviews, regulatory deep-dives, that require expertise the firm cannot justify employing full-time. The in-house team provides continuity, institutional knowledge, and direct accountability to the CAE; the external resource provides specialism on demand.

Co-sourcing also works well when the firm wants to maintain genuine independence within the function. An in-house CAE who reports directly to the audit committee, with external resource brought in for specific work, has a cleaner independence position than a fully outsourced model where the provider has a commercial relationship with senior management.

What outsourcing is good at

Outsourcing works best when the firm is small enough that a full-time internal audit function is not cost-effective, or when the firm needs access to a broad range of specialist expertise that a small in-house team cannot provide. It also works when the firm is going through significant change, a transformation programme, a regulatory remediation, a period of rapid growth, and needs a flexible resource model that can scale up or down without the constraints of employment.

A well-run outsourced function can deliver higher technical quality than a small in-house team, because the provider can draw on a large pool of specialists. The question is whether the provider actually does this, or whether the same small team turns up for every audit regardless of the subject matter.

Regulatory expectations

The FCA does not prohibit outsourcing internal audit, but it has expectations about how it is governed. The firm, specifically the audit committee and the board, remains responsible for ensuring that the internal audit function is effective, regardless of who delivers it. An outsourced provider who produces inadequate work, or whose independence is compromised by other relationships with the firm, is the firm's problem, not just the provider's.

For firms subject to specific internal audit requirements, the FCA's internal audit guidance for banks, for example, or the Solvency II internal audit requirements for insurers, the regulatory expectations around independence, reporting lines, and scope of work apply whether the function is in-house or outsourced. The firm needs to ensure that the provider's operating model can meet those requirements.

The decision in practice

The most useful framework is to start with the audit committee's requirements rather than with a cost model. What does the audit committee need from the internal audit function, in terms of scope, frequency, technical depth, and independence, and what is the most effective way to deliver that? Cost is a real consideration, but an internal audit function that is cheap to run and inadequate to the task is not a saving.

If the answer is co-sourcing, the key decision is where to draw the line between in-house and external work. Drawing it too tightly, using external resource only for very specialist one-off audits, means the external provider never develops enough knowledge of the firm to be genuinely useful. Drawing it too broadly means the in-house team is perpetually supplemented and never develops the depth of institutional knowledge that makes co-sourcing worthwhile.

If the answer is outsourcing, the provider selection process matters more than most firms realise. The question is not just which provider has the best credentials, it is which provider will actually staff the engagement with people who have the right experience for this firm's risk profile. References from comparable clients, reviewed before the contract is signed, are worth the time.

Kyle McMullan
Kyle McMullan
Founder, the audit hub

25 years in senior financial services internal audit and risk advisory. Kyle writes from direct practitioner experience, having held audit leadership roles, managed regulatory remediation programmes, and advised boards through some of the most complex compliance challenges in UK financial services.

Connect on LinkedIn
← Consumer Duty one year on: what the FCA's findings mean for audit functionsMaking the move from in-house audit to consultancy: what changes and what does not →