
Written by:
Editorial Team
DSG.AI
Co-source when you already have an internal audit function and need capacity, niche skills, or independent review without giving up control. Outsource when you have no function to staff, need full independence fast, or audit is not a capability you intend to build. That is the decision in one sentence. The table below is the decision in one screen.
Most articles on co-sourcing vs. outsourcing internal audit stop at definitions and never put a number next to them. That is not an accident. The firms publishing them bill at the rates the numbers would expose. Here are the numbers.
The decision in one table
| Dimension | In-House | Co-Sourced | Fully Outsourced |
|---|---|---|---|
| Who does the work | Your employees | Your team plus an external partner, side by side | An external firm, start to finish |
| Who keeps control | You | You: the CAE owns the plan and sign-off | The provider runs it; you receive reports |
| Independence | Lowest (auditing your own org) | High | Highest |
| Knowledge retention | Stays in-house | Transfers to your team during the engagement | Leaves with the provider |
| Specialist access (IT, cyber, regulatory) | Limited to who you hired | On demand, per engagement | Broad, but generic |
| Cost structure | Fixed: salaries, benefits, tools, training, all paid year-round | Variable: pay for the hours and skills you use | Variable, but priced at full-service premium |
| Speed to deploy | Slow (hire, onboard, train) | Fast (partner staffs in weeks) | Fast |
| Best fit | Mature function, predictable workload | Established function needing surge capacity or niche skills | No function, or a deliberate choice to keep audit external |
| Main risk | Paying for 100% capacity you use seasonally | Coordination overhead if roles are unclear | Loss of institutional knowledge and culture fit |
Print that, hand it to the board, and the conversation gets shorter.
Co-sourcing vs. outsourcing internal audit: what each actually means
The two words get used interchangeably. They are not the same, and the difference is control.
In fully outsourced internal audit, an outside firm executes the work start to finish. You define scope, they deliver findings. The internal audit function is, in practice, the contract.
In co-sourced internal audit, the external partner supplies people and skills that work inside your function. Your Chief Audit Executive still owns the audit plan, the methodology, and the sign-off. The partner fills a gap (a cybersecurity audit you can't staff, a regional engagement, a busy-season spike), and when the engagement ends, the methodology and findings stay with your team.
That distinction drives everything else: independence, knowledge retention, and cost all follow from who holds the pen.
What the numbers say
Sourcing is now the norm, not the exception. The Institute of Internal Auditors' 2024 North American Pulse of Internal Audit found that around 60% of internal audit functions use some form of outsourcing or co-sourcing, up from the 54% of chief audit executives reported in the IIA's 2022 global research.
The split by size is the part worth noticing. The same Pulse data shows the smallest functions source about 32% of their work, while the largest source about 74%. Large, mature functions co-source more, not less, because they have the in-house team to retain control and they use partners surgically, for the work they can't or shouldn't staff full-time. The most commonly sourced areas are cybersecurity, IT, and regulatory compliance: specialized, fast-moving, and expensive to keep on the payroll.
The signal: co-sourcing is what experienced functions do once they stop trying to hire for every skill they need twice a year.
The cost question the incumbents won't answer
Here is what the advisory-firm articles leave out. When you fully outsource to a Big 4 firm, you pay senior-firm rates for work that junior staff perform under a partner's name. The model is structurally expensive, and the firms publishing "co-sourcing vs. outsourcing" explainers have no incentive to quantify it: doing so would undercut their own price list.
Run the in-house comparison honestly and it isn't free either. An internal auditor's wage is the smallest line; the real cost is loaded with benefits, tooling, training, and the fact that you pay for full-time capacity you use in seasonal bursts. A function staffed for peak season is overpaying for ten months.
This is the gap a modern delivery model closes. We deliver audits at 40-60% below typical Big 4 co-sourcing rates, because the work is performed by production AI systems with auditors in oversight, not by junior staff billed at senior rates. The same approach drives 50%+ reductions in audit cycle time and 3-5x increases in coverage, measured across 250+ production deployments, not pilots. You can read the full cost breakdown in our pillar guide to audit as a service.
When to choose each
Choose in-house when audit is a core, year-round capability, your workload is predictable, and independence from the work you review is manageable through reporting lines. Keep it in-house, and make it efficient.
Choose co-sourcing when you have a functioning team but need to: cover a specialist area like a third-party risk or cybersecurity audit; absorb a busy-season spike without permanent headcount; or bring an independent perspective into an engagement while keeping the CAE in control. This is the right answer for most established functions, which is why the largest ones use it most.
Choose full outsourcing when you have no internal audit function and no plan to build one, when a regulator or the board wants maximum independence, or when audit is deliberately not a capability you want to own. Accept the trade: you gain independence and lose institutional knowledge.
Three signals you have outgrown your current model: you are declining audits because you can't staff them; you are paying premium rates for routine testing a system could perform; or your coverage has not grown in three years while your risk universe has. Any one of those is a sourcing conversation.
The fourth option: audit performed, not just staffed
Co-sourcing and outsourcing both answer the same question, who supplies the people, and both still bill by the hour. Audit as a service changes the question. Instead of renting auditors, you get the audit performed: evidence collected from source systems, controls tested across the full population rather than a sample, and findings produced on a subscription, with auditors governing the work rather than grinding through it.
That is the model behind assureIQ. It keeps the control advantage of co-sourcing (your function owns the plan and the sign-off) while removing the hourly-billing ceiling that makes both traditional models expensive. For functions weighing co-sourcing against outsourcing, it is worth pricing as a third quote. It is usually the one the incumbents hoped you wouldn't ask for.
The bottom line
Co-source when you have a function and need to extend it without losing control: the right call for most established teams. Outsource when you have no function or need full independence. And before you sign either, get a price on having the audit performed rather than staffed: it is the column the one-table comparison has been missing, and it is the one that moves the cost line. Start with our audit services overview, then bring all three quotes to the table.
<!-- related-links:start (auto-managed by seo/sync-internal-links.mjs) -->

