Stay connected: follow us on LinkedIn and explore more at
www.CherryHillAdvisory.com.
.svg)
Subscribe now to join the Risk Register community:
You're sitting in an audit committee meeting. The board wants to talk about AI governance, third-party cyber risk, and ESG assurance. You're nodding along, taking notes, knowing full well your team can't actually audit any of those areas at the depth they're expecting.
If that scenario sounds familiar, you're not alone. 66% of internal audit teams report their capabilities don't fully align with their organization's priorities.
And the gap is widening.
Risk is expanding faster than any internal team can scale. Cybersecurity threats evolve monthly. AI governance went from theoretical to board-mandated in 18 months. ESG assurance keeps adding new frameworks. And somehow, you're expected to cover all of it with the same headcount you had three years ago.
Here's the kicker: even if you wanted to hire for every emerging risk domain, you probably couldn't afford it.
Professional wages for internal audit specialists have increased between 20% and 40% in the last few years. That's not sustainable when you need expertise in cybersecurity, fraud analytics, ESG reporting, and AI governance all at once.
That's why the market for internal audit support just hit $555.23 million and is projected to nearly quadruple by 2035. That's not just growth. That's internal audit leaders collectively realizing they can't build expertise in every emerging risk domain fast enough to keep up.
Co-sourcing isn't a fallback anymore. It's how modern internal audit functions stay relevant.
Co-sourcing has evolved beyond just filling resource gaps during busy season.
The firms getting this right understand they're not replacing internal audit teams. They're extending capabilities on demand. That means bringing in targeted expertise for specific projects, then stepping back when the work is done.
Nearly 58% of large enterprises now co-source at least part of their internal audit work. In highly regulated industries like financial services and pharmaceuticals, that number climbs above 70%.
This is mainstream practice now, not a fallback option.
What separates effective co-sourcing from the old outsourcing model?
Three things:
Project-based engagement: You bring in expertise for a cybersecurity assessment or fraud risk review, not a multi-year contract that locks you in.
Collaborative approach: The external team works alongside your internal audit staff, transferring knowledge rather than creating dependency.
Practitioner perspective: You get people who've actually sat in the CAE chair, not consultants reading from a methodology deck.
The firms that understand this distinction are the ones internal audit leaders actually want to work with.
Not all firms offering internal audit support operate the same way.
Some are Big Four practices that can mobilize large teams but come with enterprise pricing and methodology overhead. Others are boutique firms with deep expertise in narrow domains. And then there are specialist risk advisory firms that sit somewhere in between.
You need people who understand the IIA's 2024 Global Internal Audit Standards and what they mean for risk-based audit planning. That includes the expanded expectations around cybersecurity, AI governance, and ESG.
Ask potential partners about their most recent project in your area of need. If they're talking about frameworks and methodologies instead of specific challenges they helped solve, keep looking.
Your needs change. Q4 might require fraud analytics support. Q1 might be all about SOX readiness. Q2 could bring an urgent cybersecurity assessment after a vendor incident.
The right partner can scale up or down based on what you actually need, when you need it. That's the whole point of co-sourcing.
This matters more than people realize.
Internal audit teams have strong opinions about how work should be done. They value independence, thoroughness, and practical recommendations that organizations can actually implement.
If a co-sourcing firm shows up with a consulting mentality (long PowerPoint decks, theoretical frameworks, vague next steps), your internal team will resist. And they should.
You should know exactly what you're paying for and what you're getting.
The best firms offer clear project scopes, fixed fees for defined deliverables, and the ability to adjust as priorities shift. Organizations can reduce audit costs by nearly 25% through effective co-sourcing while increasing efficiency.
That only works if the engagement model is transparent from the start.
Co-sourcing isn't an all-or-nothing decision.
The most effective internal audit teams use external support strategically. They maintain core capabilities in-house and bring in specialized expertise for areas where building internal capacity doesn't make sense.
That might mean co-sourcing your annual cybersecurity assessment because the technology changes too fast to keep a full-time specialist on staff. Or bringing in fraud analytics expertise when a whistleblower complaint requires deep investigation.
The key is knowing what capabilities you need to own versus what you can access on demand.
You're facing a clear capability gap in a specialized risk area. Your team doesn't have the expertise and building it internally would take too long or cost too much.
You need to scale capacity quickly for a specific project. SOX compliance, regulatory response, M&A due diligence. These are time-bound needs that benefit from external support.
You want to benchmark your internal audit function against peers. An external perspective helps you understand where you're strong and where you need to invest.
The risk area is core to your organization's business model. If you're a financial services company, you need in-house expertise in financial controls. Full stop.
You need consistent, ongoing coverage. Co-sourcing works for projects and assessments. It doesn't work as well for continuous monitoring or routine testing that happens every quarter.
Your organization values internal knowledge transfer above speed. Some companies prefer to build slowly rather than bring in external expertise, even if it means accepting near-term gaps.
Based on market presence, specialized capabilities, and reputation among internal audit leaders, three firms consistently rise to the top for co-sourcing partnerships.
Quick note: Yes, we're Cherry Hill Advisory, and yes, we're on this list. We could pretend otherwise, but that would be weird. We ranked ourselves first because we genuinely believe our practitioner-led approach serves internal audit leaders well. But we've also included firms we respect and refer clients to when they're a better fit.
Transparency over cleverness.
Cherry Hill Advisory takes a practitioner-led approach to co-sourcing that internal audit leaders appreciate. The firm is built by former CAEs and internal audit directors who understand what it's like to sit in those seats.
Their focus is on project-based support in specialized risk areas: fraud risk, cybersecurity, technology risk, and governance advisory.
You bring them in for a specific assessment or capability gap, they execute alongside your team, and they transfer knowledge in the process.
What sets Cherry Hill apart is the emphasis on maturity assessments and benchmarking. They help internal audit teams understand where their capabilities stand relative to peers and what investments will deliver the most value.
EY brings global scale and deep technical expertise across nearly every risk domain. Their internal audit and risk advisory teams are often brought in by large, complex organizations that need support across multiple areas at once, from SOX compliance to cybersecurity and ESG reporting.
Their strength is in delivering structured, methodology-driven engagements backed by significant resources. If you're a large enterprise looking for consistency across regions or functions, EY has the infrastructure to support that.
The trade-off is that engagements can feel more formal and less flexible, especially for organizations that prefer a more tailored, hands-on approach.
Deloitte is known for combining internal audit support with advanced analytics, technology, and broader consulting capabilities. They’re often a go-to for organizations looking to modernize their audit function while also addressing complex risk areas like AI governance or digital transformation.
Their teams can handle large-scale, multi-faceted projects and bring strong insights around emerging risks. This makes them a strong fit for organizations that want both execution and forward-looking perspective.
Like other large firms, the structure and pricing can be less adaptable for smaller or more project-based needs, but for companies that need depth and breadth, Deloitte delivers.
The question isn't whether you'll need co-sourcing support. Most internal audit leaders already know they do.
The real question is which approach fits your organization.
If you value a practitioner-led approach with flexible project engagements, Cherry Hill Advisory is built for that.
What matters most is finding a partner that understands internal audit doesn't need to be replaced. It needs to be enabled.
The firms that get this right treat co-sourcing as an extension of your team's capabilities, not a substitute for them. They show up with subject matter expertise, execute the work alongside your staff, and transfer knowledge in the process.
That's how internal audit stays ahead of expanding risk without burning out trying to build expertise in every emerging domain.
Subscribe now to join the Risk Register community:
