Information Technology Outsourcing

Global Technology Audit Guide (GTAG) 7
Information Technology Outsourcing, 2nd Edition
June 2012

Table of Contents

Executive Summary .......... 2
Introduction .......... 3
Chapter 1 — Types of IT Outsourcing .......... 4
Chapter 2 — IT Outsourcing Life Cycle: Risk and Control Considerations .......... 7
Chapter 3 — IT Outsourcing Delivery: Risk and Control Considerations .......... 14
Appendix A — IT Outsourcing Life Cycle Audit Program .......... 24
Appendix B — IT Outsourcing Delivery Audit Program .......... 27
Authors .......... 30
Reviewers and Contributors .......... 30

Executive Summary

The purpose of the Information Technology (IT) Outsourcing Global Technology Audit Guide is to help chief audit executives (CAEs) and their audit teams determine the extent of internal auditor involvement when IT is partly or fully outsourced in their entities. This guide provides information on the types of IT outsourcing (ITO), the life cycle of IT outsourcing, and how internal auditors can approach risk in connection with IT outsourcing delivery.

IT outsourcing is the contracting of IT functions, previously performed in-house, to an external service organization. Increasingly, organizations are economically motivated to outsource portions of IT processes so that they can focus on their core business. In some government environments the IT function is outsourced to a government shared services body that provides services, including IT services, to numerous government departments. Some organizations use a single IT service provider and some use multisourcing, that is, the provisioning and blending of business and IT services toward an optimal mix of internal and external providers. Multisourcing can add complexity.

Key questions to ask when considering audits of IT outsourcing activities:

- How do IT control activities that have been outsourced relate to business processes?
- Are internal auditors appropriately involved during key stages of the outsourcing life cycle?
- Do internal auditors have sufficient IT knowledge and experience to consider risk and provide the right input?
- If IT control activities are transitioned to an IT service organization, does the service provider understand the roles and expectations of internal audit stakeholders? Are internal auditors able to see IT risk and present recommendations for processes that have been outsourced?
- What role do internal audit teams play during renegotiation, repatriation, and renewal of outsourcing contracts?

Introduction

Many reasons exist for outsourcing technology to service organizations, including expertise, cost restructuring, capacity management, and risk management; however, user entity management retains responsibility for the control activities and operational results.

Often, core financial and operational processes are dependent on technology that is outsourced. When IT processes — such as security, change management, and operations in support of key business processes — are outsourced, the internal auditor may be required to consider the effect on control activities. How will the service organization give the user entity visibility into the ongoing operation of controls? Technology such as cloud computing facilitates the achievement of the user entity's strategy but can limit visibility into the effectiveness of control activities.

Depending on the nature of the outsourced process, the internal audit activity may need to evaluate the adequacy and effectiveness of IT controls conducted by a service provider, subject to Performance Standard 2130.A1: Control. As a result, assurance is often required to determine whether there is sufficient internal control over processing performed by the service provider, because IT general controls are integral to assessing risk regarding information reliability, operations, and compliance objectives.

Performance Standards

2130 – Control: The internal audit activity must assist the organization in maintaining effective controls by evaluating their effectiveness and efficiency and by promoting continuous improvement.

2130.A1 – The internal audit activity must evaluate the adequacy and effectiveness of controls in responding to risks within the organization's governance, operations, and information systems regarding the:

- Reliability and integrity of financial and operational information.
- Effectiveness and efficiency of operations and programs.
- Safeguarding of assets.
- Compliance with laws, regulations, policies, procedures, and contracts.
The complexity of the IT function, changes in technology, and proximity of expertise compel the user entity's CAE to assess risk to the business and the operating effectiveness of the control activities conducted by the service provider.

Internal auditor involvement varies depending on:

1. Management's capability and the governance structure in place to deal with business and IT risks.
2. Management's experience with outsourcing complex activities and managing large projects.
3. Involvement of other functions such as risk management, compliance groups, or other internal audit functions.
4. The nature of the control activities delivered by the IT service provider.
5. Expectations of key internal audit stakeholders.

This guidance is specific to IT outsourcing risk and processes. Where businesses are interdependent, and where "external" and "extended" business relationships exist, internal auditors may also find useful the Practice Guide, Auditing External Business Relationships.

This guide will:

- Outline the common IT outsourcing risks for the CAE to consider and mechanisms for providing assurance.
- Walk the internal auditor through the most common types of IT outsourcing and discuss the seven life cycle stages often experienced when considering IT outsourcing:
  1. Strategic fit and sourcing evaluation.
  2. Decision-making process and business case.
  3. Tender process and contracting.
  4. Implementation and transition.
  5. Monitoring and reporting.
  6. Renegotiation.
  7. Reversibility.
- Provide the user entity guidance about risk and control considerations when deciding on outsourcing a function to an IT service provider.
- Provide the service provider guidance regarding risk and control considerations in connection with delivery of the outsourced IT process.

The appendices contain audit programs for the IT Outsourcing Life Cycle and for IT Outsourcing Delivery.

1 – Types of IT Outsourcing

IT outsourcing has changed from traditional outsourced services, such as application development and IT help desk activities, to high-end services, such as product development, specialized research & development (R&D), and distributed computer support. Organizations continue to outsource IT services as new technologies emerge.

Outsourcing is sometimes confused with off-shoring. The difference between outsourcing and off-shoring is:

Outsourcing: Contracting the operation of specific business functions or knowledge-related work with an external service provider.

Off-shoring: Relocating activities that were previously managed in the domestic country.

The scope of this guide is IT outsourcing, whether the service providers are located domestically or in foreign locations. However, the business case to outsource should consider the risks of domestic versus foreign providers. This guide does not apply to internal off-shoring activities, although many considerations may be similar.

The most common outsourced IT services include:

- Application development and maintenance.
- Infrastructure management.
- Help desk.
- Independent testing and validation.
- Data center management.
- Systems integration.
- R&D.
- Managed security.
- Cloud computing.

Service providers and user entities may use different names for the types of outsourced services. User entities also may outsource one or more of these services to multiple service providers.

Application Development & Maintenance

When development and specific functionalities or modules within a software application are outsourced, the user entity should give priority to third-party software development firms with the technical skill and experiential knowledge to address client specifications. Coding should follow a rigorous software development life cycle (SDLC) methodology established as part of the service provider's standard quality process. In certain arrangements, SDLC steps may be specified, monitored, and managed directly by the user entity. The user requirements or work statement should be defined clearly from the beginning of the formal stages of the development phase. Consider involving internal auditors, as recommended in GTAG 12: Auditing IT Projects:

- To provide ongoing advice throughout strategic projects.
- To identify key risks or issues early.

In most cases, the SDLC process ends with the successful completion of the client's user acceptance testing, although the service provider may be responsible only until the completion of unit testing. The system, integration, and user testing phases are essential elements that ensure the system satisfies the client's requirements. Testing can be conducted by the client team or jointly by the client and service provider. In either case, any problems or issues noted in the testing phase are referred back to the service provider for correction.

Ongoing maintenance of existing applications and application upgrades should respond to software development recommendations by the business process users and stakeholders. Recommendations may be minor changes, such as the creation of new fields or reports, or major changes, such as the creation of a new module.

Infrastructure Management

Services to manage and maintain the IT infrastructure can be classified as infrastructure management. These services include network management, maintaining overall infrastructure performance and availability, disaster recovery strategies and capabilities, troubleshooting errors, maintaining databases, and backing up and restoring services. More recent and value-added services under this category are the monitoring of IT infrastructure activities and capacity management, the performing of downtime analyses, and the reporting of critical system failures and their implications.

Help Desk

Any maintenance service, such as troubleshooting problems, production support, and infrastructure management, can be categorized as a help desk service. Under this arrangement, the service provider's personnel support the client through various IT problems either on site (i.e., at the client's premises) or off site (i.e., from the service provider's premises). Turn-around time (TAT) (i.e., responses and resolutions) is then defined for each level of service.

Critical compliance with service levels consists of meeting defined TATs and the quality of the service provided. In addition, management expectations are set for ongoing monitoring procedures that measure and compare actual performance to the expected service-level parameters. Finally, performance results, deficiencies, and remediation should be used as core criteria for ongoing vendor evaluation.

Independent Testing and Validation

Many organizations outsource the testing and validation of software developed in-house or by a third party. Specialized testing of the developed system is used to monitor the system's performance and to identify and track programming errors or problems to resolution.

R&D

To adapt and innovate to meet market needs while continuing to build and maintain business intelligence databases, many organizations outsource the research and development of different technologies, solutions, processes, and systems. Outsourced research also includes the use of third-party vendors to perform market analyses that identify the trends and responsiveness of key industry sectors for certain products.

Data Center Management

As more IT industry sectors, vendors, and service providers came into the market, there was a shift in the outsourcing mind-set. From simple cost savings, the objective of outsourcing changed to providing higher levels of operational efficiency, specialized products, and dynamic growth. Vendors started offering specialized services that could be leveraged across multiple clients, regardless of the industry sector. One such example is the use of data center operations.

[...] application updates, clear out-of-balance conditions, data sources, and detect erroneous results.

Systems Integration

System integration services involve the development of scripts, modules, tools, or programs to integrate multiple applications and systems. This enables existing applications to communicate with one another seamlessly, resulting in one consolidated system. A key limitation of systems integration is its dependence on interoperability and on the accuracy of data sources.

Managed Security

Many organizations outsource security services. This outsourcing area is also called managed security services (MSS) because the service provider manages an organization's third-party security requirements. MSS is defined as the service that oversees an organization's security over its entire IT infrastructure, data assets, and user management activities. Other terms used to identify this function include Internet
