Auditing External Business Relationships

IPPF – Practice Guide

May 2009


http://slidepdf.com/reader/full/auditng-external-business-relationships 1/19


www.theiia.org/guidance


Table of Contents

Introduction ... 1
Executive Summary
Overview of External Business Relationships (EBRs) ... 2
Examples of EBRs
Benefits of EBRs ... 3
Business Risks of EBRs ... 6
Auditing EBRs ... 12
Understand the Organization and Its Relationships ... 13
Assess Risks and Controls ... 13
Perform Audit Procedures ... 14
Report ... 14
Monitor Progress ... 15


Introduction

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.

Executive Summary

When contemplating the role of the internal audit activity in external business relationships, consider the following:

1. Organizations have multiple EBRs that satisfy a variety of business needs;
2. Each relationship presents risks;
3. It is management's responsibility to manage these risks and achieve the benefits;
4. Internal auditing plays a key role in assisting management and validating management's efforts.

Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also come inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.

Organizations' managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship does allow an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.

The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even a damaged brand, in addition to impacted business relationships.

By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with their business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs; the organization can receive the full benefits of the business relationship.

Internal auditors need to understand all of the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate audit program with relevant audit objectives for audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.


It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Such audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust within the relationship, fostering feedback, improving relationships, and helping management improve internal and external controls.

Overview of External Business Relationships (EBRs)

"External business partners," "extended relationships," and "contractual relationships" are among the numerous names by which today's organizations define their extended business relationships. Throughout this practice guide we will simply refer to these relationships as EBRs and the other entity as the EBR partner.

Organizations often use business relationships and varied partnerships to accomplish their objectives. To support and sustain growth, businesses are increasingly supported through outsourcing and licensing. More than ever, products and services are now developed through strategic alliances and joint development arrangements. Businesses have chosen to leverage these business relationships for reasons ranging from cost savings, a more economical or efficient labor force, increasing customer reach and scalability, or enhancing access to new technologies or a known brand. This business model, where businesses are interdependent, and where "external" and "extended" business relationships exist, is also known as the extended enterprise.

As used in this guide, EBRs do not include business relationships where the organization only furnishes information to other organizations and relationships are not necessarily created as a matter of choice; examples include rating agencies, financial analysts, and tax authorities.

 

Examples of EBRs

Relationship Type / Service Examples

Service Provider
• Processing (e.g., benefits, payroll)
• Accounting/computer service centers
• Information technology
• Shared service centers
• Internal audit co-sourcing or outsourcing
• Warranty processing
• Call centers
• Advertising/marketing
• Leasing
• Construction

Supply-side Partners
• Production outsourcing or assistance
• Research & development
• Suppliers/vendors
• Software development

Demand-side Partners
• Distributor/reseller
• Franchisee
• Licensee
• Replicator
• Original equipment manufacturer (OEM)

Strategic Alliances, Consortia, and Joint Ventures
• Cost sharing relationships (e.g., pharmaceutical development, production and distribution of oil and gas products, and media production and distribution)
• Revenue sharing relationships (e.g., pharmaceutical development and media production and distribution)
• Profit sharing (e.g., real estate, pharmaceutical, media)
• Combination of the above

Intellectual Property (IP) Partners
• IP licensees
• Internal IP usage (e.g., software)
• Bandwidth (e.g., telecom)
• Subscribers

Organizations choose to do business with EBR partners for a variety of reasons. There is value that an EBR partner brings, a value that an organization, by itself, cannot efficiently or effectively create for its customers and potential customers. Some of the more common reasons for using EBRs include cost savings and leveraging a competence of the EBR partner that is not a core competence of the organization; but the benefits of using an EBR do not end there. See the table below for some of the benefits of using an EBR partner.

Benefits of EBRs

Benefit / Description of Benefit

Cost Reduction
• Access to EBR partner's lower cost structure
• Lower labor cost
• Reduce operational inefficiencies

Organization focus on core capabilities and offerings
• Allow the organization to focus on primary business and core competencies
• Better use of in-house resources
• EBR partner's comparative advantage in providing service

Improved quality of service or product
• Utilize expertise of EBR partner
• Combined and collaborative knowledge brings together strengths of each organization
• Reduction in operational inefficiencies and errors

Access to new markets
• Increased opportunities to reach new markets
• Leverage relationships through EBR partners
• Economies of scale and size
• EBR partner's knowledge of local culture and language

Timely completion of projects
• Timely, agile, and flexible resource pool, including personnel
• Larger and deeper knowledge pool to develop and implement more efficient and productive action plans

Resource augmentation
• Larger and more flexible personnel resource pool
• Access to a new resource pool of knowledge
• Access to better technologies and skills

Sharing of risk and risk management
• Sharing of investment risk
• Increased agility to allow an organization to change and react to risks more quickly

Organizations may reduce costs through EBRs. For example, costs may be reduced through leveraging an EBR partner's lower cost structure, which could exist through a greater economy of scale or location in a country with lower labor costs. Organizations that choose to proceed without using EBR partners are responsible for all costs, including research, marketing, development, and employee costs. Cost reduction is a common reason organizations choose to work with EBR partners.

Another key benefit gained through EBRs is enablement; an organization can leverage the capabilities of others and may focus on its own core competencies. Through the use of EBRs, organizations do not spend their resources on areas where they do not have expertise. By spending resources on non-core competencies, organizations may lose their competitive advantages, and valuable internal resources such as employees are required to support activities that tend to be more costly and less profitable. Meanwhile, resources pulled from an organization's core business could cause a reduction in the success of its core business. EBR partners can solve this problem by addressing those areas outside of the core business, and internal resources can better leverage their skills by focusing on the core business.


EBR partners also have the ability to help the organization deliver improved services or create an improved product. An EBR may bring specialized skills or knowledge that an organization does not have. This knowledge and skill can greatly enhance the organization's service or product by bringing innovation, learned efficiencies, and many other attributes the organization may not have. In addition, this collective knowledge and knowledge sharing may lead to greater innovation and better products and services as skills are used collaboratively.

EBRs may bring access to new markets. An EBR partner may have a presence in an existing market that an organization is trying to enter. By working with that EBR partner, the organization increases and enhances its ability to penetrate and grow within that new marketplace. The EBR partner may be able to share its relationships; it may have a known brand the organization can leverage in the new marketplace, it may have capabilities to leverage the organization's intellectual property, or it may have regulatory, cultural, or other relevant knowledge of a new marketplace the organization does not have. An EBR partner may also increase an organization's ability to penetrate and grow within a market through increased economies of scale and size by providing resources to help match the accelerated growth within a new market.

Projects may be completed in a more timely manner with the help of EBRs. One of the benefits EBRs can provide is a larger, more flexible resource pool. They can quickly provide an organization with skilled, specialized resources, which can help with the timely completion of projects that the organization may not have the resources to complete. In addition, EBR partners may have more experience in the area the organization is seeking help with, which can improve the likelihood of timelier completion of tasks and projects. The organization will not need to struggle on its own as it learns on the job. Ramp-up time will be reduced through the benefit of known successes and operational efficiencies from the EBR partner.

In general, an EBR partner can augment and improve the overall resource pool with experienced, knowledgeable, skilled personnel on a greater scale. This resource pool can augment areas of weakness that an organization may have neither the resources nor the inclination to address. EBR partners can also provide resources other than personnel, such as technology, to benefit an organization. Access to specialized technology can provide the organization with benefits such as automating existing manual processes, thus improving operating efficiency, production and service quality, or increasing the scalability of an organization's output or reducing errors. Using an EBR can help the organization improve its internal controls, for example when the EBR partner has stronger controls than the organization.

Lastly, through EBRs, an organization can benefit through the sharing of risk and risk management. An organization can share its investment risk with an EBR partner in a new venture through capital investment, resource investment, and time investment. This may be the most common way in which organizations share risk. By sharing its capital, resources, and time investments in a project or venture, an organization reduces its risk of "putting all of its eggs in one basket." The impact to an organization is reduced if business partners share in these investments, allowing the organization to make other investments and diversify its portfolio. Risk can also be reduced and risk management improved through EBRs. The comparative advantages that an EBR partner brings may be in areas that address the biggest risk an organization faces, thus reducing the overall risk of a project or venture. Benefits can include an increased ability to react to risks and make the appropriate changes with the EBR partner's resources, knowledge, and skills available. Because an EBR may provide these benefits, internal auditors need to consider EBRs in making recommendations to improve operations and controls.


Business Risks of EBRs

Even though EBRs are designed to achieve benefits, there are significant overall and detailed risks. The following table lists a few examples of general business objectives and goals, associated risks, as well as potential control activities to mitigate those risks. Risks and controls associated with a sound procurement and contract management process are not addressed in the table below; rather, they are addressed in various IIA publications and training courses. Further, many aspects of Corporate Social Responsibility (CSR) are relevant when conducting business with EBRs. The table below briefly touches upon a few CSR concepts, but a broader discussion can be found in other IIA publications and information.

To achieve the benefits of EBRs and mitigate the associated risks, the organization needs to develop appropriate procedures and controls. These are addressed in the chart below and include the need to comply with EBR agreements and to proactively manage the relationship to enhance value and minimize risk.

Goal / Objective – Potential Risks That May Prevent Achievement of Goals and Objectives – Possible Organizational Activities to Mitigate Risks

Note: In each example below, conducting audits of EBR compliance is generally appropriate.

1. Identify and assess all EBRs

Risks: EBRs are not identified.
Additional risks:
• Relationships not identified cannot be assessed nor monitored appropriately.
• Relationships not identified may not have contracts in compliance with the organization's contract policy and guidelines or the organization's EBR policy and guidelines.

Mitigating activities:
Designated employees document all EBRs and keep the documentation current.
Supervisors review the documentation for appropriateness.
Identify risks inherent in each relationship and assess residual risks, after considering controls.

2. Maintain positive reputation

Risks: EBR's actions negatively impact the organization's reputation.
Additional risks:
• EBR misrepresents organization values.
• EBR does not comply with contractual obligations.
• EBR violates laws and government regulations.

Mitigating activities:
Legal department reviews the contract to determine whether it includes ethical standards, compliance with laws/regulation clauses, compliance requirements with specific organization values, and a well-documented right to audit (more than "books and records"; it relates to the broader relationship risks).
When the relationship is initiated, appropriate due diligence is performed to determine if the EBR is likely to misrepresent organization values.


3. Minimize insurable risks (e.g., professional indemnity)

Risks: EBR partner does not maintain adequate/effective insurance coverage, including for the following:
• Workers' Compensation (e.g., for time lost due to injury)
• Professional Indemnity
• Public Liability
• Motor Vehicle Insurance
Additional risks: Other risks arise where consortia are formed to provide a service or where the organization providing the service is a subsidiary of a larger organization (especially where the parent is not based in the same country):
• Insurance recommended for the particular contract might not cover all of the consortia members for that particular contract.
• In the case of a subsidiary, the insurance recommended for the particular contract might not apply to the subsidiary and/or the country in which the work is to take place.
• The parent company takes actions that void the insurance coverage of the subsidiary.
• Solvency of the underwriter and reinsurers.

Mitigating activities:
Management review of adequacy and effectiveness of EBR partner's insurance coverage, before signing of contract and during the life of the contract. Management may review:
• How the level of insurance was determined, and whether or not it is adequate.
• Whether insurance needs to be increased during the term of the relationship (e.g., the effect of inflation; previous claims record of provider).
• Whether EBR partners provide third party proof, such as a certificate from the insurance company.
• Contract clauses that require the provider to furnish updated insurance certificates during long term contracts (where the contract extends beyond the expiry date of the initial insurance certificate).
• Effectiveness (including solvency) of insurance provider.
Management's review may include engaging an insurance specialist, review of case histories for similar circumstances, direct inquiry of the insurance company, and review of insurance coverage of the consortia or subsidiary.


4. Clear understanding of service levels between the organization and its EBR

Risks: Service levels are inadequate or unsatisfactory. Disputes or disagreements regarding the scope of services between the organization and its EBR.
Additional risks:
• The scope of the EBR's deliverables is not adequately defined in contract documentation, a memorandum of understanding, a service level agreement, or some other similar documentation detailing the terms of reference.
• Differences in understanding or interpretation of the service requirements.

Mitigating activities:
Initially, this may be documented in a request for tenders/quotes, where an organization requests potential EBR partners to provide the best value for money solution.
Products to be delivered or constructed may be defined in a scope of work document that defines quality requirements, regulations or standards to be complied with.
Whatever the form of service or product to be delivered, the guiding principle is that the service or product to be delivered is adequately defined, understood and agreed upon by all parties.
Management and legal review of contract for the following:
• Are the contract and/or supporting documentation clearly documented?
• Have key stakeholders in the relationship approved the document?
• Does the contract include an adequate right to audit clause (not just limited to financial books and records) and an agreed-upon disputes resolution process?
• Has responsibility for managing the contract been assigned?
• Does the contract include a clear duty to report key parameters on a regular and timely basis?
• Does the EBR partner have adequate skills and experience?
• Are invoices received from the EBR partner adequately documented to enable identification of "out of scope" requests?
• Are approvals for work to be performed and payments to be made at an appropriate level of authority?
• Are processes adequate to measure and validate expected levels of service?
• Is information provided by the EBR partner validated for accuracy, relevance and timeliness?


5. EBR is able to provide services without conflicts of interest

Risks: EBR identifies conflicts of interest in providing services.
Additional risks: Conflicts of interest may be actual, potential, or perceived. A conflict of interest may not necessarily preclude an EBR from providing a service; however, adequate controls are needed to mitigate the risks. Examples of how these may arise in an EBR include:
• Quality or timeliness of work may be adversely affected due to other contracts in place.
• Information obtained during the contract may adversely influence decision making due to other contracts in place.

Mitigating activities:
• Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest prior to accepting appointment.
• Requiring the EBR partner to declare any actual, potential, or perceived conflicts of interest as and when they may arise throughout the contract.
• Management review of declarations of interest for impact and to decide whether this is a contract violation and what action to take.

6. The organization receives appropriate remuneration for intellectual property (IP). The EBR appropriately secures the organization's intellectual property (IP).

Risks: Intellectual property (IP) licensed to others could be receiving inappropriate royalty streams. Theft or misuse of ideas or technology.
Additional risks:
• Revenue leakage
• Breach of confidential information
• Inappropriate usage of intellectual property
• Risks associated with differing jurisdictions, legal practices, legal inefficiency, or even legal corruption.

Mitigating activities:
Management and legal review to determine whether the contract includes clauses that ideas, technology, and/or intellectual property (IP) supplied by the organization are receiving appropriate royalty streams and remain the organization's property.
The contract is clear as to measurement and validation of royalty streams, who owns the IP generated as a result of the contract, and what the provider can and cannot do with such IP.
To reduce the risk in countries with less than adequate legal protection, the contract with the EBR partner is written so that the EBR partner shares in the loss from poor control over IP.


7. Accurate fees for EBR services

Risks: Overcharges for inefficiencies or services not performed. Overcharges because of clerical billing errors.
Additional risks:
• Services performed do not agree with contractual obligations.

Mitigating activities:
• Require the EBR partner to maintain effective controls over its time recording system and any other system(s) that affect the amount charged.
• Project management plans identify the achievement of milestones and quality assurance over the services provided.
• Require the EBR partner to maintain effective controls over billing.
• Project director/manager reviews whether outputs of the contract meet all requirements and approves all charges for services prior to payment.

8. Risk of EBR going out of business is consistent with organization's expectations

Risks: EBR goes out of business and is unable to fulfill contractual obligations.
Additional risks:
• Solvency of guarantors or insurers could also pose risks.

Mitigating activities:
Prior to appointment, management performs due diligence of the EBR partner's business to provide reasonable assurance that it will remain viable throughout the contract period. The due diligence may include review of such areas as:
• What will be the impact of the contract on the EBR partner's business?
• Does the EBR partner over rely on certain key contracts?
• Do key financial indicators appear reasonable?
• Has data provided been audited?
• Does the organization have contingency plans in place to cover cancellation or the EBR partner's inability to fulfill the contract?
For longer-term contracts, management updates this review at least annually.


9. Information shared with EBR is properly secured and in compliance with appropriate privacy rules

Risks: Loss of confidential information.
Additional risks:
• Reputational risk
• Legal risk associated with loss of personally identifiable information (PII).

Mitigating activities:
• Require the EBR partner to maintain appropriate physical and logical security controls in place to restrict access to appropriate individuals.
• Require the EBR partner to review access to information on a periodic basis for appropriateness.
• Require the EBR partner to comply with data privacy and other laws and regulations.
• Management evaluates the EBR partner's Statement on Auditing Standards (SAS) 70 or International Standard on Auditing (ISA) 402 report.

Some of the risks may be fraud risks, such as where the EBR partner fraudulently misappropriates the organization's assets.

Lastly, and while not the focus of this guide, the internal auditor should consider whether the organization has appropriately complied with obligations and commitments it assumes when contracting with others, i.e., mitigating the risk that the organization itself does not comply with contractual requirements.


Auditing EBRs

Similar to other internal audits, the International Standards for the Professional Practice of Internal Auditing apply when auditing EBRs. For example, the chief audit executive (CAE) includes internal audits of EBRs in the audit universe, determines which audits to perform each year, and staffs each audit with a competent, independent internal audit team. The internal auditor may combine the audit of EBRs with other audits, whether operational audits, audits of compliance with laws and regulations, or financial statement audits.

The CAE needs to decide whether to audit each EBR as a separate audit, audit certain types of relationships, or audit the EBR process in totality. This last approach may allow the internal auditor to provide overall assurance on the EBR process. The remainder of this practice guide focuses on auditing the EBR. The broader context, including contract management, business partner selection, and others, is beyond the scope of this practice guide.

The following chart illustrates the cycle in performing individual EBR audits.

Chart (EBR audit cycle): Understand the Organization and Its Relationships; Assess Risks and Controls; Perform Audit; Monitor Progress; Report.


The following are the essential steps. Like most internal audits, the process is usually iterative and need not follow the order below:

Understand the Organization and Its Relationships

• Understand the organization – The organization may have a variety of reasons for maintaining EBRs, as previously discussed. Each relationship presents its own set of risks and benefits. EBRs may be entered into and managed by one department or many, and may represent a broad range of importance to an organization. Understanding the organization's structure, business model, strategic goals, and enterprise risks will enable an internal auditor to better understand the risks of non-compliance by an EBR partner.

• Understand the environment – Determine whether the organization's EBRs have been identified; if not, request management to identify them. If the EBRs have been sufficiently identified, obtain information about the nature of each relationship, including contact information for the EBR partner, what they provide, amounts involved, contract details, and other factors.

• Understand your organization's processes – How does the organization:
– Determine the need for an EBR?
– Determine and document the objectives and goals for the EBR?
– Identify, assess, and document risks for the EBR?
– Control the identified risks?
– Perform due diligence (including obtaining background and checking references) on the EBR partner?
– Approve entering into the agreement?
– Approve the wording of the agreement?
– Manage the relationship?
– Monitor the EBR partner's performance?
– Provide feedback to EBRs?
– Monitor its own compliance with the agreement?
– Determine whether objectives were achieved?
– Learn from the EBR partner?
– Terminate the relationship?
– Continue the relationship?

• Understand the general nature of each EBR – What are your organization's objectives? What type of service is rendered? Who controls and monitors the relations with the EBR partner? Is there a written agreement, including appropriate expectations and protections? What are the key provisions? What level of approval did it receive? How important is the EBR to the organization's business model? Is there an audit clause in the contract with the EBR partner? What does the organization do to enhance the relationship?

Assess Risks and Controls

• Understand the inherent risks – Determine the potential impacts, in the absence of any controls, of the inherent risks that the organization has assessed, along with those that the internal auditor has identified and assessed. See "Business Risks of EBRs" for examples of overall inherent risks and details.

• Understand the design of controls your organization has put in place to mitigate risks – Evaluate the control risk on a preliminary basis.

• Determine the key controls – Key controls are those which, if not effective, would mean the risks are not mitigated. See the table above for some typical controls.

• Understand the EBR partner's environment, processes, and controls – How will goods or services be provided, and how will the EBR partner's processes and controls mitigate the organization's risks? This will provide further background and help in the internal auditor's risk assessment.

• Determine which EBRs to audit further, which processes to audit, and the audit objectives – The audit could be an operational audit (for example, did your organization achieve its objectives at a reasonable cost?), a compliance audit (is the EBR complying with laws and regulations, such as employee safety, child labor, product quality, or contractual obligations?), a financial audit (are controls over financial reporting effective and in compliance with regulatory guidelines such as Sarbanes-Oxley, and is information fairly stated?), or some combination of these audits.

• Determine whether the EBR partner's internal auditor has performed work relating to the contract – Considerations include the objective, scope, and results of their work. Does the substance of the work support your objectives, and how, or whether, will you use their work?

Perform Audit Procedures

• Determine whether to perform on-site work at the EBR – Based on the audit objectives, determine if procedures need to be performed at the EBR (Note: some EBRs may not allow access by a business partner's internal audit activity unless the contract provides access). If appropriate, design and perform tests to determine whether the key controls are operating effectively and/or to validate substantive matters.

The auditor may obtain the EBR partner's user manuals and other guidance about its processes. For financial processes, this usually includes recommended procedures for the user and reports from a service auditor. International Standard on Auditing 402 (Revised and redrafted), Audit Considerations Related to an Entity Using a Third Party Service Organization (ISA 402), provides guidance and standards for external auditors; this guidance is useful for internal auditors testing those relationships. [ISA 402 is similar to SAS 70 (AU 324) in the US.]

ISA 402 discusses two types of reports that a service auditor may provide:
– Type A – Report on the Design and Description of Controls at a Service Organization;
– Type B – Report on the Design, Description and Operating Effectiveness of Controls at a Service Organization.

Type A reports are used to understand the service organization's processes and the design of controls. The internal auditor uses Type B reports to determine whether controls at the service organization are operating effectively. For further guidance, see ISA 402.

The organization's internal auditor may use the work of other auditors in auditing EBRs. For example, the internal auditor may work with the internal auditor of an EBR partner to obtain needed information or to perform necessary tests. Before making a decision to rely on the work of another auditor, the internal auditor determines whether the auditor performing the work is competent and objective. Further, the nature, objectives, and scope of the work to be relied upon are evaluated to determine if it supports the organization's internal audit objectives.

• Evaluate test results.

• Identify findings and, as appropriate, reach conclusions – In doing so, consider whether findings apply beyond the individual EBR to other EBRs or to the organization's entire EBR process. Taken individually, the results of EBR audits may identify deficiencies at the EBR partner or in the organization's individual business processes. Even if the CAE did not plan the audits to reach overall conclusions, it may sometimes be possible to do so. By aggregating the results of individual EBR audits, the internal auditor may identify broader systemic issues. After performing the individual contract audits, the internal auditor may consider forming an overall assessment and conclusion on the effectiveness of the organization's EBR monitoring program. In doing so, the internal auditor considers whether enough work was done to reach overall conclusions.

Report

• Draft, discuss, and report the results – Results may be reported internally to aid in business process and control improvements. Normally the auditor follows the usual reporting process to communicate with management and, if appropriate, with the board. However, when the auditor finds deficiencies in the controls or operations of the EBR, the auditor may also communicate with those managing the relationship with the EBR partner.

Monitor Progress

• Provide feedback to the EBR – Those charged with managing the relationship may communicate with the EBR about the need to correct any deficiencies identified. If the deficiencies are not corrected, those managing the relationship and others in management determine how to best mitigate the risks, including whether to continue the EBR. This may be considered when the EBR is scheduled to be renewed, or earlier for a significant deficiency. This is easier if the contract allows for renegotiation when significant deficiencies are found.

The internal auditor may periodically perform procedures to determine whether management has appropriately addressed the findings identified, and may be called upon to assist management in determining whether EBRs are being appropriately managed.

This guide provides internal auditors with guidance in auditing external or extended business relationships (EBR). Management also may use this guide in managing and monitoring the risks associated with these relationships.


Practice Guide Team Members

David W. Zechnich, CIA
Abraham D. Akresh
Gregory S. Dubis, CIA, CCSA
Gaston L. Gianni Jr., CGAP
Stephen J. Linden
Gilbert T. Radford, CIA
Susan L. Rudolph, CIA


About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Fla., USA. The IIA is the internal audit profession's global voice, recognized authority, acknowledged leader, chief advocate, and principal educator.

About Practice Guides

Practice Guides embody an IIA statement to assist a wide range of interested parties, including those not in the internal audit profession, in understanding significant governance, risk, or control issues and in delineating the related roles and responsibilities of internal auditors on a significant issue. Position Papers are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended, and the guidance is endorsed by The IIA through a formal review and approval process. For other authoritative guidance materials provided by The IIA, please visit our Web site, www.theiia.org/guidance.

Disclaimer

The IIA publishes this document for informational and educational purposes. This guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide. The IIA recommends that you always seek independent expert advice relating directly to any specific situation. The IIA accepts no responsibility for anyone placing sole reliance on this guidance.

Copyright

The copyright of this position paper is held by The IIA. For permission to reproduce, please contact The IIA at [email protected].

Global Headquarters
247 Maitland Ave.
Altamonte Springs, FL 32701 USA
T: +1-407-937-1111
F: +1-407-937-1101
W: www.theiia.org