This Practice Guide is provided as a service to members of The IIA.
IIA members: Please LOGIN to download a FREE copy (PDF).
Non-members: Add this item to your shopping cart to purchase a copy for download. Please allow 48-72 hours after placing the order to receive an email containing the link and access code to download your purchased product.
Learn more about the value of an IIA Membership.
Practice Guides provide detailed guidance for conducting internal audit activities. They include detailed processes and procedures, such as tools and techniques, programs, and step-by-step approaches, as well as examples of deliverables. Practice Guides are part of The IIA's International Professional Practices Framework. As part of the Strongly Recommended category of guidance, compliance is not mandatory, but it is strongly recommended and the guidance is endorsed by The IIA through formal review and approval process.
The guide discusses the risks associated with doing business with external parties. The Practice Guide provides guidance for both internal auditors and management when addressing these risks and responsibilities, as well as generating significant enterprise value.
This guide provides internal auditors with guidance in auditing external or extended business relationships (EBRs). Management also may use this guide in managing and monitoring the risks associated with these relationships.
When contemplating the internal audit activity's EBR responsibilities, consider the following:
- Organizations have multiple EBRs that satisfy a variety of business needs;
- Each relationship presents risks;
- It is management’s responsibility to manage these risks and realize the benefits;
- Internal auditing plays a key role in assisting management and validating management’s efforts.
Organizations conduct business with EBR partners for a variety of reasons. Organizations may seek benefits like enhancing revenues through licensing and distribution arrangements, reducing costs in areas of an organization’s that are outside of its core competencies, or augmenting existing resources focused on its core competencies. However, with these business relationships also comes inherent and control risks associated with working with external business partners. By associating with external partners, an organization often bears risks similar to those it would experience internally, without the external association (for example, an organization still bears risks for outsourced processes). In addition, the organization is exposed to risks imposed by association with the third party, as well as the activities of the third party, including reputation, brand, and economic risks. Internal auditors can help management and the board identify, assess, and manage these risks.
Organizations’ managements are responsible for managing and monitoring their EBRs and related risks. While entering into a business relationship allows an organization to create benefits and share some risk with the EBR, the organization still retains ultimate responsibility and accountability over a number of risks. Not all risks can be relegated to the business partner. The organization needs to monitor and manage these risks.
The organization is responsible for risk management activities encompassing tasks such as selection of business partners, contract effectiveness, partner/customer contract management controls, contract compliance monitoring and reporting, and business relationship management. Without proper controls in place to address the risks associated with these responsibilities, the organization may lose revenue or incur higher costs, as well as have inefficient operations, misreporting, and even damaged brand, in addition to impacted business relationships.
By taking ownership and control of these responsibilities, organizations have the ability to reduce risk and help foster a relationship of trust and accountability with its business partners. With good oversight of its business relationships, an organization can account for all revenues and potentially reduce costs ? the organization can receive the full benefits of the business relationship.
Internal auditors need to understand all the elements associated with EBRs, from initiating a relationship, contracting and defining a relationship, procurement, managing and monitoring the continued relationship (including control environment considerations of objectivity and independence of those responsible for managing and monitoring), and finally discontinuing the relationship. After understanding the expectations of both parties, along with the appropriate processes to manage and monitor the relationship, the internal auditor develops an appropriate internal audit program with relevant audit objectives for internal audits of external relationships. In addition, internal audit procedures may include elements of evaluating adherence to (and compliance with) contractual terms to determine whether monetary and non-monetary obligations are met.
It is important for organizations to know that they are getting what they are paying for, that they are collecting what they are earning, or, simply, that they are receiving the benefits anticipated from the relationship. Internal audit procedures may uncover missed revenue or cost savings, improve reporting accuracy, and enhance value resulting from the relationship through one or more of the following: limiting fraudulent activity, increasing trust with participants in the relationship, fostering feedback, improving relationships, and helping management improve internal and external control.