When it comes to internal audits, they should always be performed by your internal audit group. There a several reasons why, but the two most compelling are:
- The need to be independent and act in the organization's best interests vs. a line of business. Auditors must be independent as determined by the standards for independence in the AICPA Code of Professional Conduct.
- Auditors usually have specific licenses and certifications that qualify them to perform audits. Typically that is in the form of a CIA certification (Certified Internal Auditor), and many auditors also have CPA (Certified Public Accountant) Licences.
I hope that information is helpful, but I would love to hear from other members as well.
Original Message:
Sent: 07-12-2022 01:34 PM
From: Anonymous Member
Subject: Third Party Audits - Who should complete them?
This message was posted by a user wishing to remain anonymous
Hi There 👋
There are requirements to audit Third Parties mentioned in both regulations from the PRA (SS2/21) and the EBA Outsourcing guidelines. Ensuring there are audit rights in material contracts and that institutions complete periodic audits (on and/or offsite).
I would like to know who completes these audits for your organisation?
Particularly if you decide to complete these in-house (not outsource the audits to an external company), which internal teams lead this and what line of defence do they sit within?
Should this stay within the first line of defence or should it be completed by Internal Audit as they are Audit specialists and third parties are part of their extended enterprise?
I am reaching out to other TPRM colleagues to understand how this works in your world? This will hopefully help me forge some ideas on how to move this forward within my organisation.
Any thoughts would be much appreciated
🙏