Internal Audit · Briefing

Co-sourcing internal audit without losing institutional knowledge.

Engagement design and KPI structures that keep the in-house team in the driving seat.

Author: Advisory · Published: Feb 2026 · Read time: 6 min read · Format: Briefing
MAST Consulting Group · Internal Audit practice

This briefing frames the decision for executive sponsors of Internal Audit programmes: what is changing, what to do about it in the next two quarters, and what can be deferred without regulatory or commercial consequence. The audience is the person who signs the budget, not the person who runs the day-to-day.

Definition

Co-sourcing internal audit is the model in which an in-house audit team retains ownership of the audit plan, methodology, and Audit Committee relationship while engaging an external provider (Big Four, BDO, Protiviti, or specialist boutique) for specific skills — cloud security, actuarial, or forensic — under a defined engagement and KPI structure. IIA Standard 2050 governs service provider oversight; co-sourcing differs from full outsourcing in that institutional knowledge, the audit charter, and CAE accountability remain internal.

Why it matters

The pressure on Internal Audit programmes is shifting in specific, observable ways:

  • SAMA and CBUAE supervisory expectations require the CAE to be an employee of the regulated entity; full outsourcing of internal audit to an external provider violates these expectations and triggers regulatory findings.
  • Co-sourcing reduces skill-gap risk without building permanent headcount: a GCC bank can access cloud-audit expertise (CCSP-certified) for 8–12 weeks per year at AED 18,000–35,000/day versus AED 500,000–800,000 annual FTE cost.
  • Without a structured KPI and knowledge-transfer framework, co-source providers accumulate institutional knowledge that leaves with their team at engagement end, recreating the same skill gap in Year 2.
  • IIA Standard 2050 requires the CAE to ensure that external providers understand the organisation's risk profile and culture; unmanaged co-source relationships produce generic findings that management ignores.

Evidence sources to capture

What an auditor or reviewer will sample for — wire each source into your evidence repository before the next review cycle:

  • Co-source engagement letter — defined scope, deliverables, hours, rates (AED/SAR per day), independence declaration, and knowledge-transfer obligations.
  • Working paper handover checklist — confirmation that all working papers are transferred to the in-house team's repository (AuditBoard or TeamMate+) at engagement close.
  • KPI scorecard — provider-specific metrics: on-time delivery rate, finding quality score, management acceptance rate, and knowledge-transfer session completion.
  • Skills matrix — in-house team competencies before and after co-source engagement to measure capability build.
  • Audit Committee report section — disclosure of co-source provider identity, scope, fees, and independence statement per IIA Standard 2050.

Recommended next actions

A 90-day plan, sequenced so each step produces evidence the next step depends on:

  • Day 0-30: CAE defines co-source strategy: identify skill gaps from audit plan (e.g. cloud IaaS, SAP GRC), select provider category, and draft engagement scope with explicit knowledge-transfer clause.
  • Day 31-60: Issue RFP to ≥3 providers; evaluate on technical competency (certifications: CISA, CCSP, CFE), prior GCC regulated-entity experience, and day rate; select and contract.
  • Day 61-90: Onboard provider with a two-day knowledge transfer from in-house team covering risk profile, audit methodology, and Audit Committee preferences; co-develop test scripts.
  • Day 90+: Execute co-sourced engagements with mandatory in-house auditor embedded (≥20% of engagement hours) for knowledge retention; review all findings before issuance.
  • Ongoing: Conduct quarterly KPI review with provider; require knowledge-transfer workshop at each engagement close; reassess co-source scope annually against skills-matrix progress.

Example metrics

Instrument these and report them monthly to the executive sponsor; sustained adverse trends become board-level conversations:

  • Co-sourced engagements with in-house auditor embedded ≥20% of total hours — 100%.
  • Working papers transferred to in-house repository within 5 days of engagement close — 100%.
  • Provider finding quality score ≥8.0/10 on firm rubric.
  • In-house skills matrix improvement: ≥2 new competency levels gained per co-sourced domain per year.
  • Co-source day rate within budget variance ≤10% per engagement.

The executive frame

For an executive sponsor, the decision behind this piece reduces to three questions: what changes in the next two quarters, what is the cost of not acting, and what is the minimum credible response?

Held against the audit committee under the company's charter and the IIA International Professional Practices Framework, the answer is rarely "do nothing" — but it is also rarely "rebuild the programme". The honest answer for most Internal Audit buyers is a sharply scoped uplift focused on the two indicators that move the most: EQA score and conformance level, and plan completion rate.

  • What changes. The supervisory bar has moved on operating evidence, not on the control text itself.
  • Cost of inaction. Findings carried into the next cycle compound; remediation in a regulator-driven timeframe costs 3–5× what proactive remediation costs.
  • Minimum credible response. A 90-day uplift focused on the two indicators above, with a board-level commitment to the next review point.

Pitfalls we keep seeing

Across MAST Consulting Group's Internal Audit portfolio, the same recurring failure modes show up cycle after cycle. None are exotic; all are expensive when they reach the audit report.

  • Pattern: a universe that lists processes but not the underlying risks. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: plan utilisation skewed to easier engagements. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: quality-assurance and improvement programme that is paper-only. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.
  • Pattern: follow-up that loses momentum after 90 days. What good looks like: the same control evidenced inside the workflow it governs, not separately for the audit.

Tooling we actually reach for

MAST Consulting Group is deliberately tool-agnostic, but in practice the same shortlist keeps appearing on Internal Audit engagements because the integrations are cheap and the evidence is defensible:

  • TeamMate+ / Workiva / Galvanize for audit lifecycle — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
  • Power BI for audit analytics — used not because it is fashionable, but because the audit trail it generates is one the reviewer accepts on the first ask.
  • Issue trackers that the auditees actually use — used not because they are fashionable, but because the audit trail they generate is one the reviewer accepts on the first ask.

How MAST Consulting Group can help

MAST Consulting Group runs Internal Audit programmes for banks, insurers, healthcare networks, payments providers, telcos and government entities across the UAE, KSA, India and the wider GCC. We bring Lead Practitioners, sector specialists, and a working library of policies, risk methodologies and evidence templates that have passed audit at firms recognisable to your board.

If anything in this briefing is relevant to a programme you are scoping or rescuing, the fastest next step is a 30-minute working session with the practice lead. We will look at your specific situation, share what we have seen work for Internal Audit programmes at similar scale, and tell you honestly if the work is something you should bring to us or run in-house.
