FRC Offshore delivery centres - Good practice suggestions
The FRC does not accept any liability to any party for any loss, damage or costs howsoever arising, whether directly or indirectly, whether in contract, tort or otherwise from any action or decision taken (or not taken) as a result of any person relying on or otherwise using this document or arising from any omission from it.
The Financial Reporting Council Limited 2024
The Financial Reporting Council Limited is a company limited by guarantee. Registered in England number 2486368. Registered Office: 8th Floor, 125 London Wall, London EC2Y 5AS
1. Introduction
This publication addresses the traditional use of Offshore Delivery Centres (ODCs), known as the Shared Service Model. Under this approach, ODCs are used for routine, non-judgemental, and less complex aspects of audit work, and certain administrative procedures, which are assigned by the onshore audit teams. These are usually pre-defined in a "catalogue" of services. The drivers for this model are improving audit quality, cost savings and efficiency arising from standardisation of work.
In recent years, some UK audit firms have expanded the scope of work being performed by ODCs to include more complex and/or judgemental tasks and are allowing offshore staff to engage directly with the audited entity's management. Some firms are also adopting an 'Extended Team Model'. Neither of these is discussed here.
The purpose of this publication is to share good practice points that we have observed in relation to the ODC Shared Service Model. It is important that firms wishing to consider these points do not see them as a mandatory checklist. Firms should take a customised and proportionate approach to setting up, operating and monitoring ODCs in accordance with their strategic and quality objectives, taking into account the key risks to these objectives and their risk appetite.
Firms should also ensure that they consider ODCs in the context of how they design, implement, and operate a System of Quality Management in line with the requirements of ISQM (UK) 1. This should include assessing if ODCs should be classified as a network resource or a service provider under this standard.
Disclaimer
These best practice suggestions do not identify all the risks associated with firms' ODC activities and operations. The ultimate responsibility for identifying and assessing risks remains with the firms' leadership.
2. Considerations for the effective use of ODCs in the delivery of audits
We have identified the following elements of good practice for effective use of ODCs in the delivery of audits.
Identifying and managing the risks specifically to the UK firm from the use of ODCs.
- The UK firm should undertake a risk assessment of the use of the ODCs in the delivery of UK audits. This should cover the full spectrum of risks, including quality, which will involve an assessment of the ODCs' System of Quality Management.
- If the UK firm relies on the ODC's System of Quality Management, it needs to gain assurance over this system. The firm should assess if it has a dependency on the global firm, or another network firm, undertaking risk and quality reviews over the ODC's system. If so, the UK firm should understand and assess the scope and extent of testing to ensure that there are no gaps. Where gaps exist, additional testing should be commissioned. Where any findings are identified, the firm should assess the significance of these to its own risks, including quality risks.
- Risks relating to the UK firm's use of ODCs should be included in the UK firm's management information with appropriate KPIs, which are presented to the responsible UK Management Committee and to the Audit Board for monitoring and oversight.
- The UK firm's Internal Audit function should review ODCs, based on the UK firm's own independent risk assessment. However, if the global or a network firm's Internal Audit undertakes an assessment, the UK Internal Audit team should assess the scope of work undertaken and the output, to identify any gaps against its own risk assessment and, where any gaps are identified, commission an additional review.
A robust approach to audit quality control policies, ensuring the quality of work performed by ODCs is taken into consideration in the UK firm's System of Quality Management.
- A clear policy defining the scope of services and audit procedures that the ODCs can deliver should be in place, which considers engagement and audited entity risk factors. In circumstances where ODCs need to perform procedures outside the pre-defined scope, a technical consultation should be undertaken, and an approval process should be in place.
- Criteria should be in place to determine the nature and type of work that can be assigned to ODC staff. This could include quality assessment, external qualifications, grade, experience, and internal accreditation. Related to this, there should also be a policy on the extent of review of working papers that can be undertaken by staff at ODCs. This would provide onshore audit engagement teams with clear guidance on the extent of work they can assign to ODCs, including for reviewing and supervision purposes, and it creates mutual understanding of the processes and protocols expected from both onshore and offshore teams.
- Clear documentation in the planning section of an audit file should be in place outlining the list of audit work assigned to the ODCs based on audit risk level and the offshore individuals' skills and experience, including rationale and conclusion in cases of any deviation from the firm's policy.
- Firms should have central mechanisms to monitor the quality of the ODC's work and the extent to which the use of the ODC is contributing to, or poses a risk to, audit quality. This should include ensuring coverage through internal cold file reviews, and consideration of the role of ODCs as a causal factor in root cause analysis over file review findings.
- The UK audit team should exercise strong management skills to ensure that the ODC delivery elements are incorporated into the overall audit delivery project plan.
There should be effective oversight by key governance bodies both at ODCs and in the UK over the use of ODCs and the quality of work which is performed by the ODCs.
- A steering committee should be in place at each ODC consisting of representatives from each user member firm's audit service line to review and approve the type of audit procedures proposed to be performed by the ODC. This reflects the enhanced oversight needed in mitigating the engagement and regulatory risk involved in allocating certain audit procedures to an ODC.
- Regular reporting of relevant quality and risk metrics to the ODCs' governance bodies and to the user firm's key governance and management bodies should be undertaken. This allows the governance bodies to have timely and relevant management information to enable them to make informed decisions and gain adequate assurance over the operating and control environments at the ODCs and the user firm.
- Strategic changes in the usage of the ODCs by the UK firm should be reported to the key governance body providing oversight of the UK audit practice (including independent non-executives where these are in place). This body should also receive regular reporting of a variety of relevant key performance, quality, and risk indicators.
Staff at ODCs should be equipped with the technical knowledge and skills to enable them to perform UK audit procedures.
- A gap analysis between the ODC and UK training curriculums should be performed to identify additional training required to ensure consistency in skills, technical knowledge and UK specific requirements.
- Graduate hires in the UK should be provided with on-the-job training on the routine and non-judgemental tasks usually allocated to ODCs. This would develop onshore junior auditors' skills and knowledge in understanding and reviewing the work being completed by ODCs, and improve their approach to collaboration with the staff at the ODCs.
- Staff in ODCs should have appropriate support and be provided with on-the-job coaching, including receiving feedback from senior staff. For example, a two-way feedback mechanism could be put in place between the onshore and offshore teams, allowing both teams to provide feedback to identify areas of improvement for the future.
Regular assessment and review of alignment between resourcing plans in the UK and at the ODCs.
- The resourcing growth plans for ODCs should be aligned with the UK's plans to ensure there are sufficient qualified and skilled resources onshore to supervise and review the work undertaken by the ODCs, as the statutory responsibility for quality of audits rests with the UK firm.
- Appropriate controls should be in place to manage potential risks arising from competing resourcing demands at the ODCs, particularly in cases where the UK does not have dedicated staff allocated at the ODCs.
Effective use of integrated technology and tools to facilitate collaboration between ODCs and onshore audit teams in the UK.
- A single workflow tool should be used to manage centralised services assigned from the onshore team to ODCs. This would allow interaction between offshore and onshore teams to be maintained in the same place: from request initiation, through progress tracking, query logging, issue-raising and follow-up, to providing feedback.
- Firms should make use of appropriate technology to facilitate effective collaboration and communication throughout the audit, including between UK and ODC teams and, where appropriate, with the audited entity.
- There should be comprehensive internal accreditation programmes with accreditation levels maintained within the ODC staff booking system. This would provide information to the onshore teams to allow them to select staff from the ODCs with appropriate skills, experience, and accreditation to book on the audit.
Use of people engagement initiatives to bridge any communications gap between ODCs and onshore teams.
- It is useful to set up a network of ODC champions at the UK firm to provide on-the-ground support to onshore audit engagement teams on using ODCs effectively in the delivery of audits.
- Firms should define and agree communication methods between the UK and offshore teams at the start of the audit.
- Firms should seek to further enhance integration between the UK and offshore practice through in person visits, for example through onshore leaders and team members visiting the offshore location regularly and offshore team members attending training events in the UK or undertaking secondments to the UK firm. This is important for team members to feel part of the same team and understand ways of working, increasing efficiency and knowledge.
Consideration of cultural alignment between the ODC and the UK firm.
- Embedding and incentivising the UK audit practice's core values and behaviours at the ODCs to support delivery of high-quality audits, in particular the importance of professional scepticism and challenge of management. This should include the UK firm having insight and input into how ODC staff are appraised, remunerated and promoted.
Effective controls over information security, ensuring that the UK firm's data continues to be protected against loss, damage and malicious acts.
- ODCs' staff should access working papers stored on the UK firms' servers through a virtual desktop system and minimal data should be stored on the ODCs' own servers; access should be subject to an appropriate risk assessment being undertaken.
- Robust processes should be in place to protect and preserve data, including through daily backups and at least annual restoration tests.
Business continuity plans should include disruptive business events in the ODCs that could impact the UK firms.
- The UK firm's business continuity plans should include the potential for disruption to services received from ODCs, with a focus on people, premises, processes, and systems.
- ODCs' business resilience risks should be monitored by the UK firm's business resilience team.
Financial Reporting Council 8th Floor 125 London Wall London EC2Y 5AS +44 (0)20 7492 2300
www.frc.org.uk