Internal audit: co‑sourcing moment

Manufacturers are being pushed to rebuild internal audit around co-sourced specialist teams, not fixed annual checklists. (theiia.org) The Institute of Internal Auditors issued updated guidance on July 16, 2025 that says a risk-based audit plan should be maintained systematically and aimed at the organization’s “most pressing issues,” replacing its 2020 version. (theiia.org) Consulting firms that sell internal-audit support say co-sourcing is gaining ground because companies need skills they do not keep on staff year-round, including data analytics, information-technology audit, regulatory compliance and industry-specific reviews. Baker Tilly published that argument on January 3, 2025, and RSM repeated it on September 16, 2025. (bakertilly.com) (rsmus.com) In manufacturing, the pressure comes from risks that move faster than a 12-month audit calendar. Tariff refunds, supplier traceability and single-source material exposure can change with a court ruling, a customs hold or a factory disruption. (cbp.gov 1) (cbp.gov 2) (mdpi.com) Tariff refunds are not a theory. United States Customs and Border Protection says drawback is a refund of certain duties, taxes and fees on imported goods when the merchandise is later exported or destroyed, and all claims for entries from February 24, 2019 onward must be filed electronically in the Automated Commercial Environment under 19 Code of Federal Regulations Part 190. (cbp.gov) (ecfr.gov) Traceability is the paper trail that shows where a material came from and who handled it. The Defense Logistics Agency said on August 5, 2025 that traceability requires documented evidence from supplier to approved manufacturer, and Customs says companies should trace inputs and keep thorough records for forced-labor compliance. (dla.mil) (cbp.gov) That trade-compliance burden has grown. The Department of Homeland Security’s August 19, 2025 update to the Uyghur Forced Labor Prevention Act strategy said the United States was intensifying enforcement against goods made wholly or in part with forced labor in China. (dhs.gov) Co-sourcing is the operating model getting the most attention because it lets a company keep internal ownership of the audit plan while renting expertise for short bursts. RSM says the model sits between fully in-house and fully outsourced audit, and lets companies scale resources up or down around plan needs. (rsmus.com) The tradeoff is control. Firms promoting co-sourcing say clear role definitions, regular communication and alignment with a company’s risk appetite are necessary to avoid gaps or duplicated work. (rsmus.com) What is changing in 2026 is less the job description than the cadence. The new audit playbook is to re-rank risks as tariffs, sourcing rules and supplier data change, then pull in specialists before those issues become quarter-end surprises. (theiia.org) (cbp.gov)