IPPF Practice Guide

AudItInG ExtErnAl BusInEss rElAtIonshIPs

MAY 2009

IPPF Practice Guide

Auditing External Business relationships

Table of Contents
Introduction .................................................................................................................1 Executive Summary .....................................................................................................1 Overview of External Business Relationships (EBRs) ..................................................2 Examples of EBRs........................................................................................................2 Benefits of EBRs ..........................................................................................................3 Business Risks of EBRs ...............................................................................................6 Auditing EBRs ............................................................................................................12 Understand the Organization and Its Relationships ............................................13 Assess Risks and Controls..................................................................................13 Perform Audit Procedures ...................................................................................14 Report.................................................................................................................14 Monitor Progress ................................................................................................15

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Introduction
This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

entering into a business relationship does allow an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks. The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships. By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with its business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs the organization can receive the full benefits of the business relationship. Internal auditors need to understand all of the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate audit program with relevant audit objectives for audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.

Executive summary
When contemplating the role of the internal audit activity in external business relationships, consider the following: 1. Organizations have multiple EBRs that satisfy a variety of business needs; 2. Each relationship presents risks; 3. It is managements responsibility to manage these risks and achieve the benefits; 4. Internal auditing plays a key role in assisting management and validating managements efforts. Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organizations that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also comes inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks. Organizations managements are responsible for managing and monitoring their EBRs and related risks. While

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Such audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust within the relationship, fostering feedback, improving relationships, and helping management improve internal and external controls.

overview of External Business relationships (EBrs)

External business partners, extended relationships, and contractual relationships are among the numerous names by which todays organizations define their extended business relationships. Throughout this practice guide we will simply refer to these relationships as EBRs and the other entity as the EBR partner.

Organizations often use business relationships and varied partnerships to accomplish their objectives. To support and sustain growth, businesses are increasingly supported through outsourcing and licensing. More than ever, products and services are now developed through strategic alliances and joint development arrangements. Businesses have chosen to leverage these business relationships for reasons ranging from cost savings, a more economical or efficient labor force, increasing customer reach and scalability, or enhancing access to new technologies or a known brand. This business model, where businesses are interdependent, and where external and extended business relationships exist, is also known as the extended enterprise. As used in this guide, EBRs do not include business relationships where the organization only furnishes information to other organizations and relationships are not necessarily created as a matter of choice; examples include rating agencies, financial analysts, and tax authorities.

Examples of EBrs
rElAtIonshIP tyPE
Service Provider

sErvIcE ExAmPlEs
Processing (e.g., benefits, payroll) Accounting/computer service centers Information technology Shared service centers Internal audit co-sourcing or outsourcing Warranty processing Call centers Advertising/marketing Leasing Construction

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Examples of EBRs continued

Supply-side Partners Production outsourcing or assistance Research & development Suppliers/vendors Software development Demand-side Partners Distributor/reseller Franchisee Licensee Replicator Original equipment manufacturer (OEM) Strategic Alliances, Consortia, and Joint Ventures Cost sharing relationships (e.g., pharmaceutical development, production and distribution of oil and gas products, and media production and distribution) Revenue sharing relationships (e.g., pharmaceutical development and media production and distribution) Profit sharing (e.g., real estate, pharmaceutical, media) Combination of the above Intellectual Property (IP) Partners IP licensees Internal IP usage (e.g., software) Bandwidth (e.g., telecom) Subscribers

Benefits of EBrs
Organizations choose to do business with EBR partners for a variety of reasons. There is value that an EBR partner brings a value that an organization, by itself, cannot efficiently or effectively create for its customers and potential customers. Some of the more common reasons for using EBRs include cost savings and leveraging a competence of the EBR partner that is not a core competence of the organization; but the benefits of using an EBR do not end there. See the table below for some of the benefits of using an EBR partner.

BEnEFIt
Cost Reduction Lower labor cost

dEscrIPtIon oF BEnEFIt
Access to EBR partners lower cost structure Reduce operational inefficiencies

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Benefits of EBRs continued

Organization focus on core capabilities and offerings Allow the organization to focus on primary business and core competencies Better use of in-house resources EBR partners comparative advantage in providing service Improved quality of service or product Utilize expertise of EBR partner Combined and collaborative knowledge brings together strengths of each organization Reduction in operational inefficiencies and errors Access to new markets Increased opportunities to reach new markets Leverage relationships through EBR partners Economies of scale and size EBR partners knowledge of local culture and language Timely completion of projects Timely, agile, and flexible resource pool, including personnel Larger and deeper knowledge pool to develop and implement more efficient and productive action plans Resource augmentation Larger and more flexible personnel resource pool Access to a new resource pool of knowledge Access to better technologies and skills Sharing of risk and risk management Sharing of investment risk Increased agility to allow an organization to change and react to risks more quickly Organizations may reduce costs through EBRs. For example, costs may be reduced through leveraging an EBR partners lower cost structure which could exist through a greater economy of scale or location in a country with lower labor costs. Organizations that choose to proceed without using EBR partners are responsible for all costs, including research, marketing, development, and employee costs. Cost reduction is a common reason organizations choose to work with EBR partners. Another key benefit gained through EBRs is enablement; an organization can leverage the capabilities of others and may focus on its own core competencies. Through the use of EBRs, organizations do not spend their resources on areas where they do not have expertise. By spending resources on non-core competencies, organizations may lose their competitive advantages and valuable internal resources such as employees are required to support a ctivities that tend to be more costly and less profitable. Meanwhile, resources pulled from an organizations core business could cause a reduction in the success of its core business. EBR partners can solve this problem by addressing those areas outside of the core business, and internal resources can better leverage their skills by focusing on the core business.

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

EBR partners also have the ability to help the organization deliver improved services or create an improved product. An EBR may bring specialized skills or knowledge that an organization does not have. This knowledge and skill can greatly enhance the organizations service or product by bringing innovation, learned efficiencies, and many other attributes the organization may not have. In addition, this collective knowledge and knowledge sharing may lead to greater innovation and better products and services as skills are used collaboratively. EBRs may bring access to new markets. An EBR partner may have a presence in an existing market where an organization is trying to enter. By working with that EBR partner, the organization increases and enhances its ability to penetrate and grow within that new marketplace. The EBR partner may be able to share its relationships; it may have a known brand the organization can leverage in the new marketplace, it may have capabilities to leverage the organizations intellectual property, or it may have regulatory, cultural, or other relevant knowledge of a new marketplace the organization does not have. An EBR partner may also increase an organizations ability to penetrate and grow within a market through increased economies of scale and size by providing resources to help match the accelerated growth within a new market. Projects may be completed more timely with the help of EBRs. One of the benefits EBRs can provide is a larger, more flexible resource pool. They can quickly provide an organization with skilled, specialized resources, which can help with the timely completion of projects that the organization may not have the resources to complete. In addition, EBR partners may have more experience in the area the organization is seeking help with, which can improve the likelihood for timelier completion of tasks and projects. The organization will not need to struggle on its own as it learns on the job. Ramp-up time will be reduced through the benefit of known successes and operational efficiencies from the EBR partner.

In general, an EBR partner can augment and improve the overall resource pool with experienced, knowledgeable skilled personnel on a greater scale. This resource pool can augment areas of weakness for which an organization may have neither the resources nor inclination to address. EBR partners can also provide resources other than personnel, such as technology, to benefit an organization. Access to specialized technology can provide the organization with benefits such as automating existing manual processes, thus improving operating efficiency, production and service quality, or increasing the scalability of an organizations output or reducing errors. Using an EBR can help the organization improve its internal controls, for example when the EBR partner has stronger controls than the organization. Lastly, through EBRs, an organization can benefit through the sharing of risk and risk management. An organization can share its investment risk with an EBR partner in a new venture through capital investment, resource investment, and time investment. This may be the most common way in which organizations share risk. By sharing its capital, resources, and time investments in a project or venture, an organization reduces its risk of putting all of its eggs in one basket. The impact to an organization is reduced if business partners share in these investments, allowing the organization to make other investments and diversify its portfolio. Risk can also be reduced and risk management improved through EBRs. The comparative advantages that an EBR partner brings may be in areas that address the biggest risk an organization faces, thus reducing the overall risk of a project or venture. Benefits can include an increased ability to react to risks and make the appropriate changes with the EBR partners resources, knowledge, and skills available. Because an EBR may provide these benefits, internal auditors need to consider EBRs in making recommendations to improve operations and controls.

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Business risks of EBrs

Even though EBRs are designed to achieve benefits, there are significant overall and detailed risks. The following table lists a few examples of general business objectives and goals, associated risks, as well as potential control activities to mitigate those risks. Risks and controls associated with a sound procurement and contract management process are not addressed in the table below; rather, they are addressed in various IIA publications and training courses. Further, many aspects of Corporate Social Responsibility (CSR) are relevant when conducting business with EBRs. The table below briefly touches upon a few CSR concepts, but a broader discussion can be found in other IIA publications and information. To achieve the benefits of EBRs and mitigate the associated risks, the organization needs to develop appropriate procedures and controls. These are addressed in the chart below and include the need to comply with EBR agreements and to proactively manage the relationship to enhance value and minimize risk.

GoAl / oBjEctIvE
1. Identify and assess all EBRs

PotEntIAl rIsks thAt mAy PrEvEnt AchIEvEmEnt oF GoAls And oBjEctIvEs

EBRs are not identified. Additional risks: Relationships not identified cannot be assessed nor monitored appropriately. Relationships not identified may not have contracts in compliance with organizations contract policy and guidelines or organizations EBR policy and guidelines.

PossIBlE orGAnIzAtIonAl ActIvItIEs to mItIGAtE rIsks

Note: In each example below, conducting audits of EBR compliance is generally appropriate.

Designated employees document all EBRs and keep the documentation current. Supervisors review the documentation for appropriateness. Identify risks inherent in each relationship and assess residual risks, after considering controls.

2. Maintain positive reputation

EBRs actions negatively impact organizations reputation. Additional risks: EBR misrepresents organization values. EBR does not comply with contractual obligations. EBR violates laws and government regulations

Legal department reviews contract to determine whether it includes ethical standards, compliance with laws/regulation clauses, compliance requirements with specific organization values, and a well-documented right to audit (more than books and records, it relates to the broader relationship risks). When the relationship is initiated, appropriate due diligence is performed to determine if the EBR is likely to misrepresent organization values.

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Business Risks of EBRs continued

3. Minimize insurable risks (e.g., professional indemnity) EBR partner does not maintain adequate/ effective insurance coverage, including for the following: Workers Compensation (e.g., for time lost due to injury) Professional Indemnity Public Liability Motor Vehicle Insurance Additional risks: Other risks arise where consortia are formed to provide a service or where the organization providing the service is a subsidiary of a larger organization (especially where the parent is not based in the same country): Insurance recommended for the particular contract might not cover all of the consortia members for that particular contract. In the case of a subsidiary, the insurance recommended for the particular contract might not apply to the subsidiary and/or the country in which the work is to take place. The parent company takes actions that void the insurance coverage of the subsidiary. Solvency of the underwriter and reinsurers. Management review of adequacy and effectiveness of EBR partners insurance coverage, before signing of contract and during the life of the contract. Management may review: How the level of insurance was determined, and whether or not it is adequate. Whether insurance needs to be increased during the term of the relationship (e.g., the effect of inflation; previous claims record of provider). Whether EBR partners provide third party proof, such as a certificate from the insurance company. Contract clauses that require provider furnishing updated insurance certificates during long term contracts (where the contract extends beyond the expiry date of the initial insurance certificate). Effectiveness (including solvency) of insurance provider. Managements review may include engaging an insurance specialist, review of case histories for similar circumstances, direct inquiry of the insurance company, and review of insurance coverage of the consortia or subsidiary.

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Business Risks of EBRs continued

4. Clear understanding of service levels between the organization and its EBR Service levels are inadequate or unsatisfactory. Disputes or disagreements regarding the scope of services between the organization and its EBR. Additional risks: The scope of the EBRs deliverables are not adequately defined in contract documentation, a memorandum of understanding, a service level agreement, or some other similar documentation detailing the terms of reference. Differences in understanding or interpretation of the service requirements. Initially, this may be documented in a request for tenders/quotes, where an organization requests potential EBR partners to provide the best value for money solution. Products to be delivered or constructed may be defined in a scope of work document that defines quality requirements, regulations or standards to be complied with. Whatever the form of service or product to be delivered, the guiding principle is that the service or product to be delivered is adequately defined, understood and agreed upon by all parties. Management and legal review of contract for the following: Are the contract and/or supporting documentation clearly documented? Have key stakeholders in the relationship approved the document? Does the contract include an adequate right to audit clause (not just limited to financial books and records) and an agreed-upon disputes resolution process? Has responsibility for managing the contract been assigned? Does the contract include clear duty to report key parameters on a regular and timely basis? Does the EBR partner have adequate skills and experience? Are invoices received from the EBR partner adequately documented to enable identification of out of scope requests? Are approvals for work to be performed and payments to be made at an appropriate level of authority? Are processes adequate to measure and validate expected levels of service? Is information provided by the EBR partner validated for accuracy, relevance and timeliness?

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Business Risks of EBRs continued

5. EBR is able to provide services without conflicts of interest EBR identifies conflicts of interest in providing services. Additional risks: Conflicts of interest may be actual, potential, or perceived. A conflict of interest may not necessarily preclude an EBR from providing a service; however, adequate controls are needed to mitigate the risks. Examples of how these may arise in an EBR include: Quality or timeliness of work may be adversely affected due to other contracts in place. Information obtained during the contract may adversely influence decision making due to other contracts in place. 6. The organization receives appropriate remuneration for intellectual property (IP). The EBR appropriately secures the organizations intellectual property (IP) Intellectual property (IP) licensed to others could be receiving inappropriate royalty streams. Theft or misuse of ideas or technology. Additional risks: Revenue leakage Breach of confidential information Inappropriate usage of intellectual property Risks associated with differing jurisdictions, legal practices, legal inefficiency, or even legal corruption. Management and legal review to determine whether contract includes clauses that ideas, technology, and/or intellectual property (IP) supplied by the organization are receiving appropriate royalty streams and remain the organizations property. The contract is clear as to measurement and validation of royalty streams and who owns the IP generated as a result of the contract and what the provider can and cannot do with such IP. To reduce the risk in countries with less than adequate legal protection, the contract with the EBR partner is written so that the EBR partner shares in the loss of poor control over IP. Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest prior to accepting appointment. Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest as and when they may arise throughout the contract. Management review of declarations of interest for impact and to decide whether this is a contract violation and what action to take

www.theiia.org/guidance

IPPF Practice Guide

Auditing External Business relationships

Business Risks of EBRs continued

7. Accurate fees for EBR services Overcharges for inefficiencies or services not performed. Overcharges because of clerical billing errors. Additional risks: Services performed do not agree with contractual obligations. Require the EBR partner to maintain effective controls over its time recording system and any other system(s) that affect the amount charged. Project management plans identify the achievement of milestones and quality assurance over the services provided. Require the EBR partner to maintain effective controls over billing. Project director/manager review whether outputs of the contract meet all requirements and approve all charges for services prior to payment. 8. Risk of EBR going out of business is consistent with organizations expectations EBR goes out of business and is unable to fulfill contractual obligations. Additional risks: Solvency of guarantors or insurers could also pose risks. Prior to appointment, management performs due diligence of the EBR partners business to provide reasonable assurance that it will remain viable throughout the contract period. The due diligence may include review of such areas as: What will be the impact of the contract on the EBR partners business? Does the EBR partner over rely on certain key contracts? Do key financial indicators appear reasonable? Has data provided been audited? Does the organization have contingency plans in place to cover cancellation or the EBR partners inability to fulfill the contract? For longer-term contracts, management updates this review at least annually.

www.theiia.org/guidance

10

IPPF Practice Guide

Auditing External Business relationships

Business Risks of EBRs continued

9. Information shared with EBR is properly secured and in compliance with appropriate privacy rules Loss of confidential information. Additional risks: Reputational risk Legal risk associated with loss of personally identifiable information (PII). Require the EBR partner to maintain appropriate physical and logical security controls in place to restrict access to appropriate individuals. Require the EBR partner to review access to information on a periodic basis for appropriateness. Require the EBR partner to comply with data privacy and other laws and regulations. Management evaluates the EBR partners Statement on Auditing Standards (SAS) 70 or International Standard on Auditing (ISA) 402 report. Some of the risks may be fraud risks, such as where the EBR partner fraudulently misappropriates the organizations assets. Lastly, and while not the focus of this guide, the internal auditor should consider whether the organization has appropriately complied with obligations and commitments it assumes when contracting with others, i.e., mitigating the risk that the organization itself does not comply with contractual requirements.

www.theiia.org/guidance

11

IPPF Practice Guide

Auditing External Business relationships

Auditing EBrs
Similar to other internal audits, the International Standards for the Professional Practice of Internal Auditing apply when auditing EBRs. For example, the chief audit executive (CAE) includes internal audits of EBRs in the audit universe, determines which audits to perform each year, and staffs each audit with a competent independent internal audit team. The internal auditor may combine the audit of EBRs with other audits either of operational, compliance with laws and regulations, or financial statements.

The CAE needs to decide whether to audit each EBR as a separate audit, audit certain types of relationships, or audit the EBR process in totality. This last approach may allow the internal auditor to provide overall assurance on the EBR process. The remainder of this practice guide focuses on auditing the EBR. The broader context, including contract management, business partner selection, and others, are beyond the scope of this practice guide. The following chart illustrates the cycle in performing individual EBR audits.

Understand the Organization and Its relationships

Monitor Progress

Assess Risks and Controls

Report

Perform Audit

www.theiia.org/guidance

12

IPPF Practice Guide

Auditing External Business relationships

The following are the essential steps like most internal audits, the process is usually iterative and need not follow the order below:

Provide feedback to EBRs? Monitor its own compliance with the agreement? Determine whether objectives were achieved? Learn from the EBR partner? Terminate the relationship? Continue the relationship? Understand the general nature of each EBR What are your organizations objectives? What type of service is rendered? Who controls and monitors the relations with the EBR partner? Is there a written agreement, including appropriate expectations and protections? What are the key provisions? What level of approval did it receive? How important is the EBR to the organizations business model? Is there an audit clause in the contract with the EBR partner? What does the organization do to enhance the relationship?

Understand the Organization and Its Relationships

Understand the organization The organization may have a variety of reasons for maintaining EBRs, as previously discussed. Each relationship presents its own set of risks and benefits. EBRs may be entered into and managed by one department or many, and may represent a broad range of importance to an organization. Understanding the organizations structure, business model, strategic goals, and enterprise risks will enable an internal auditor to better understand the risks of non-compliance by an EBR partner. Understand the environment Determine whether the organizations EBRs have been identified; if not, request management to identify them. If the EBRs have been sufficiently identified, obtain information about the nature of each relationship, including contact information for the EBR partner, what they provide, amounts involved, contract details, and other factors. Understand your organizations processes How does the organization: Determine the need for an EBR? Determine and document the objectives and goals for the EBR? Identify, assess, and document risks for the EBR? Control the identified risks? Perform due diligence (including obtaining background and checking references) on the EBR partner? Approve entering into the agreement? Approve the wording of the agreement? Manage the relationship? Monitor the EBR partners performance?

Assess Risks and Controls

Understand the inherent risks Determine potential impacts in the absence of any controls of inherent risks that the organization has assessed, along with those that the internal auditor has identified and assessed. See Business Risks of EBRs for examples of overall inherent risks and details. Understand the design of controls your organization has put in place to mitigate risks Evaluate the control risk on a preliminary basis. Determine the key controls Key controls, which if not effective would mean the risks are not mitigated. See table above for some typical controls.` Understand the EBR partners environment, processes, and controls How will goods or services be provided and how will the EBR partners processes and controls mitigate the organizations risks? This will provide further background and help in the internal auditors risk assessment. Determine which EBRs to audit further, which processes to audit, and the audit objectives The audit

www.theiia.org/guidance

13

IPPF Practice Guide

Auditing External Business relationships

could be an operational audit (for example, did your organization achieve its objectives at a reasonable cost?), a compliance audit (is the EBR complying with laws and regulations, such as employee safety, child labor, product quality, or contractual obligations?), a financial audit (are controls over financial reporting effective and in compliance with regulatory guidelines such as Sarbanes-Oxley and is information fairly stated?), or some combination of these audits. Determine whether the EBR partners internal auditor has performed work relating to the contract Considerations include the objective, scope, and results of their work. Does the substance of the work support your objectives; and how or whether you will use their work?

Type B Report on the Design, Description and Operating Effectiveness of Controls at a Service organization. Type A reports are used to understand the service organizations processes and the design of controls. The internal auditor uses Type B reports to determine whether controls at the service organization are operating effectively. For further guidance, see ISA 402. The organizations internal auditor may use the work of other auditors in auditing EBRs. For example, the internal auditor may work with the internal auditor of an EBR partner to obtain needed information or to perform necessary tests. Before making a decision to rely on the work of another auditor, the internal auditor determines whether the auditor performing the work is competent and objective. Further, the nature, objectives, and scope of the work to be relied upon are evaluated to determine if it supports the organizations internal audit objectives. Evaluate test results. Identify findings and, as appropriate, reach conclusions In doing so, consider whether findings apply beyond the individual EBR to other EBRs or to the organizations entire EBR process. Taken individually, the results of EBR audits may identify deficiencies at the EBR partner or in the organizations individual business processes. Even if the CAE did not plan the audits to reach overall conclusions, it may sometimes be possible to do so. By aggregating the results of individual EBR audits, the internal auditor may identify broader, systemic issues. After performing the individual contract audits, the internal auditor may consider forming an overall assessment and conclusion on the effectiveness of the organizations EBR monitoring program. In doing so, the internal auditor considers whether enough work was done to reach overall conclusions.

Perform Audit Procedures

Determine whether to perform on-site work at the EBR Based on the audit objectives, determine if procedures need to be performed at the EBR (Note: some EBRs may not allow access by a business partners internal audit activity unless the contract provides access). If appropriate, design and perform tests to determine whether the key controls are operating effectively and/or to validate substantive matters. The auditor may obtain the EBR partners user manuals and other guidance about its processes. For financial processes, this usually includes recommended procedures for the user and reports from a service auditor. International Standard on Auditing 402 (Revised and redrafted), Audit Considerations Related to an Entity Using a Third Party Service Organization (ISA 402) provides guidance and standards for external auditors; this guidance is useful for internal auditors testing those relationships. [ISA 402 is similar to SAS 70 (AU 324) in the US]. ISA 402 discusses two types of reports that a service auditor may provide: Type A Report on the Design and Description of Controls at a Service Organization;

Report
Draft, discuss, and report the results Results may be reported internally to aid in business process and control

www.theiia.org/guidance

14

IPPF Practice Guide

Auditing External Business relationships

improvements. Normally the auditor follows the usual reporting process to communicate with management and, if appropriate, with the board. However, when the auditor finds deficiencies in the controls or operations of the EBR, the auditor may also communicate with those managing the relationship with the EBR partner.

Monitor Progress
Provide feedback to the EBR Those charged with managing the relationship may communicate with the EBR about the need to correct any deficiencies identified. If the deficiencies are not corrected, those managing the relationship and others in management determine how to best mitigate the risks, including whether to continue the EBR. This may be considered when the EBR is scheduled to be renewed or earlier for a significant deficiency. This is easier if the contract allows for renegotiation when significant deficiencies are found. The internal auditor may periodically perform procedures to determine whether management has appropriately addressed the findings identified and may be called upon to assist management to determine whether EBRs are being appropriately managed. This guide provides internal auditors with guidance in auditing external or extended business relationships (EBR). Management also may use this guide in managing and monitoring the risks associated with these relationships.

www.theiia.org/guidance

15

IPPF Practice Guide

Auditing External Business relationships

Practice Guide team members

David W. Zechnich, CIA Abraham D. Akresh Gregory S. Dubis, CIA, CCSA Gaston L. Gianni Jr., CGAP Stephen J. Linden Gilbert T. Radford, CIA Susan L. Rudolph, CIA

www.theiia.org/guidance

16

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit professions global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

Disclaimer
The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

About Practice Guides

Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Position Papers are part of The IIAs International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process. For other authoritative guidance materials provided by The IIA please visit our Web site, www.theiia.org/guidance.

Copyright
The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at guidance@theiia.org.

GloBAl hEAdquArtErs 247 Maitland Ave. Altamonte Springs, FL 32701 USA

t: F: W:

+1-407-937-1111 +1-407-937-1101 www.theiia.org