Stay connected: follow us on LinkedIn and explore more at
www.CherryHillAdvisory.com.
.svg)
Subscribe now to join the Risk Register community:
Most internal audit functions are running into the same problem in 2026. Risk is expanding faster than headcount. The audit committee is asking sharper questions than it was twelve months ago. The pipeline for senior internal auditors with deep specialty experience is thin.
The IIA's 2026 Pulse of Internal Audit found budget and staff cuts both jumped to roughly 1 in 5 functions in 2025, nearly double the year before. The math does not work if the answer is hiring alone.
The functions handling that gap well are pulling in senior co-sourced support on the parts of the plan where specialty matters, and leaving the function with capability it did not have before the engagement started.
Done right, co-sourcing feels like an extension of your team that flexes with the plan. Done wrong, it is an expensive contract that produces a deliverable and changes nothing.
Here is what we see CAEs getting right in 2026.
Co-sourcing means we work alongside your internal audit team on specific projects. You keep the function, the relationships, the institutional knowledge, and the ownership of the audit plan.
We bring senior subject matter expertise onto the bench for the project window. The internal team stays in the center of the engagement. When the work closes, the work hands back, and your team is closer to running the same kind of audit independently the next time it comes around.
This is different from staff augmentation, where bodies are sent in to clear a backlog. It is different from outsourcing, where the function is handed off entirely. Co-sourced internal audit scales up when the plan is heavy and scales back down when it is not.
That kind of flexibility is what most 2026 plans actually need.
Most engagements fit one of four categories.
The first is co-sourced internal audits. Operational, financial, IT, regulatory, or integrated reviews that the internal team is leading but does not have the depth or capacity to deliver alone. We work the audit alongside the team, contribute the specialty judgment, and the team retains ownership of the findings and the relationship with the business.
The second is Sarbanes-Oxley compliance. Most SOX programs are running under cost pressure with new exposure to absorb, including generative AI in the close, model-based estimates, and automated controls in journal-entry workflows. Functions that have rationalized their key controls are redirecting capacity into the AI-touched parts of the close. The ones that have not are paying for redundant testing while the new exposure goes uncovered.
The third is fraud risk assessments and investigations. Synthetic identities, voice-cloned executive impersonation, and deepfake-driven invoice fraud are showing up in the loss data right now. A 2026 fraud risk assessment that does not test for AI-assisted impersonation is testing yesterday's controls.
The fourth is audit management office and quality management office services. Standing up or operating the program management layer for an internal audit function, including plan execution, methodology, reporting, and quality. This is the layer most strained internal audit teams cannot run well at the same time they are doing the audits.
The work that comes through co-sourcing usually originates with the audit committee, and sometimes with the executive management team. The CFO commissions some of it. The CAE owns the relationship and the plan.
That sponsorship matters because it sets the tone of the engagement. When the audit committee is the primary stakeholder, the work is framed as quality and capability, not as headcount substitution. When the executive team is the sponsor, the conversation is often closer to a specific operational concern (a vendor concentration, an ERP rollout, a regulatory inquiry).
Both are legitimate. They run differently.
The CAE should be clear about which one is driving the engagement before scoping begins.
This is the differentiator most firms underdeliver on.
A real co-sourcing partner is in your standups. Their senior practitioners know your audit committee chair's name and what she cares about. They use your methodology when it works and propose changes only when it does not. Your team trusts them enough to ask the hard questions.
The firms that treat co-sourcing as an inbound contract (show up at the kickoff, work in their own channels, hand over a report at the closing meeting) are running a staff-augmentation model with co-sourcing branding. The difference shows up six months later, when your team either retained the methodology or did not.
Ask any prospective partner how they integrate. Ask whether their senior practitioner will be in your weekly standup and the audit committee debrief. Ask what scaling down looks like at the end of the engagement. The answers tell you which model you are buying.
Most CAEs have been burned at least once by what looked like senior co-sourcing and turned out to be junior staff billed at senior blended rates.
The senior people on the engagement should have actually been internal auditors. Have they sat in your chair? Have they presented to an audit committee chair? If the senior partner cut their teeth in generalist consulting and pivoted into audit later, they bring a generalist methodology lens. That is fine for some work. It is not what you want when the audit committee is paying attention.
Industry and risk depth is the second test. Generic audit approaches rarely hold up in regulated or specialty environments. Ask for engagement examples, anonymized as needed. Ask how the firm handles scope changes mid-year. Listen for whether the answer sounds like partnership or contract negotiation.
Start with a clear scope and a defined deliverable. Vague engagements produce vague results. Specify what you need (a risk assessment, control testing for a specific area, a fraud investigation, an AMO ramp-up), define success in the SOW, and write the success metrics into the kickoff.
Integrate the co-sourced team with your internal team. Treat them as part of the function for the project window, not as external consultants kept at arm's length.
Plan for knowledge transfer from day one. Document everything. Have your team shadow the parts of the work that matter most. Schedule debriefs after major milestones. Capability building, not gap filling.
Measure outcomes, not activity. Did the work improve your risk coverage? Did it lift your team's capability? Did it strengthen your credibility with the audit committee? Results matter at the end of an engagement. Activity reports do not.
Four show up repeatedly.
Treating co-sourcing as a substitute for strategy. Co-sourcing brings capacity and senior expertise. It does not tell you what to audit, how to prioritize risk, or what to put in front of the audit committee. That work belongs to the CAE.
Failing to set audience expectations. Frame the engagement to your audit committee and senior leadership as capability building and senior judgment, not as a sign your team is struggling. The committees we work with respect functions that bring in the right senior help on the hard parts.
Choosing on price alone. The firms competing primarily on price are usually the ones billing senior blended rates against junior delivery. Ask for the senior practitioner's hour commitment by name, in writing.
Not planning for the end of the engagement. Who owns the documentation? Who answers questions from the external auditors or the regulators six months later? Answer those in the SOW, not in the closing meeting.
Used well, co-sourcing solves a specific set of problems. Specialty expertise your team lacks. Temporary capacity gaps. Capability building. High-visibility projects where senior judgment matters. Functions using it that way come out the other side stronger.
What it does not do is fix a broken audit plan. A weak risk assessment will not get better because a senior co-sourced practitioner audits against it. Same goes for a strained audit committee relationship. The committee needs to hear from the CAE, not the co-sourced firm.
Chronic understaffing is a different problem. If your function is permanently below the headcount it needs, that is a budget conversation with the audit committee chair, not a co-sourcing problem. Full stop.
What did your last co-sourcing engagement actually leave behind in your function?
The functions handling 2026 well are the ones with the most flexible capacity, the most senior judgment on the hardest parts of the plan, and a partner that feels like part of the team rather than a vendor.
If your 2026 plan has work that needs senior judgment, not extra hours, reach out. We would rather talk through the engagement with you before you sign the standard SOW.
The next disruption is coming. The functions with the right senior practitioners on the bench will answer the next round of audit committee questions differently than the function with extra hands. The question is which side of that you want to be on, before the next agenda comes out.
Until next time.
Subscribe now to join the Risk Register community:
