UNCW MSA 516 - Auditing Outsourcing

This preview shows page 1-2 out of 5 pages.


IT Audit Basics
Audit of Outsourcing
By S. Anantha Sayana, CISA, CISM, CIA
Volume 5, 2004

These days an IS auditor is more likely to encounter situations where many or some of the information technology activities in an enterprise are outsourced, i.e., performed by an external entity for a fee. In such a situation, how does the IS auditor carry out the audit? While it is true that the basic objectives of the audit and the methodologies remain as before, outsourcing does introduce certain newer elements that need to be taken into consideration. Another peculiarity of outsourcing these days is offshoring, i.e., work is performed from a remote site that could even be another country thousands of miles away.

The objective of carrying out an audit of outsourcing would be to determine whether:
- The risks associated with outsourcing, such as continued availability of services, acceptable levels of services and security of information, are adequately and effectively mitigated through appropriate controls that are implemented and functioning
- The objectives of outsourcing are being achieved
- The IT strategy has been suitably modified to make best use of outsourcing

These objectives are critical to the organization and it is important for the organization to have a fair assessment of these areas for the success of the outsourcing arrangement. Organizations resort to outsourcing for a variety of reasons, including to reduce costs, enable the organization to focus on its core activities, overcome nonavailability of skilled personnel and improve the quality of service. Whatever the reason, it is important not only that the objectives are achieved, but also that there is no negative fallout from the outsourcing. Therefore, it is essential to carry out an IS audit of outsourcing in a comprehensive manner that covers all the objectives.

An IS audit of outsourcing involves all elements of IS audit, including application security, network security, physical and environmental security, system administration and business continuity planning. The focus of this article is on the additional and varied impacts to all these areas due to outsourcing. An IS auditor who is carrying out an audit of outsourcing needs to utilize his/her skills and experience in all these areas and more.

Assessing Outsourcing Risks

Before getting into the details of how to carry out the audit, it is most important to determine and understand thoroughly the nature of the outsourced work.

The risks associated with outsourcing depend on the nature of the outsourced work, and the audit should focus on the areas of risk and evaluate the control measures pertinent to those risks.

This article will refer to the organization that is outsourcing its work as the "company" and the organization that is providing the outsourcing services as the "service provider."

The auditor is likely to see many varieties of outsourcing, as newer models of outsourcing are continuously evolving to meet specific needs of customers. However, from a perspective of carrying out audits, the outsourcing of IT work can be broadly grouped into the following areas.

1. Software development: The company provides either the requirements or sometimes the design and specifications, and the service provider does the analysis, design, coding, testing and integration and all other activities in the software development life cycle. The software development can be done either onsite (i.e., at the company's office), nearshore (i.e., at a site of the service provider in a nearby location in the same country or region) or offshore (i.e., at a remote site generally at the office of the service provider, which could be thousands of miles away).
2. Application support and maintenance: The company could be using a number of applications. These may have been developed in house by the company or by someone else, or they may be implementations of packaged software. When application support and maintenance are outsourced, the service provider attends to the problems and bugs and all requests from users relating to the application software, often picking up the problem tickets from the help desk. The service provider also attends to the requests from users for modifications to the software, additional features, reports, etc. The service provider's work can be performed either onsite (same location as the customer) or offshore (the service provider's location, which could be thousands of miles away). For large applications, very often it is a combination of onsite and offshore. The services from offshore are provided through a network that enables the service provider to connect to the company's applications.
3. Infrastructure management services: In this case, the activities outsourced are system administration of servers, database administration, network management, desktop management, security management, data center management and attending to help desk trouble tickets relating to all these areas. These services can also be provided with a combination of onsite and offshore presence.

The risks associated with each of these types of outsourcing are different and vary in magnitude.

The Audit Guideline

A few typical areas of the audit are detailed below. The IS auditor can develop an audit checklist around these points for use during an audit of outsourcing.

- Contract: Most outsourcing arrangements are put in place after a detailed process of evaluations, due diligence and negotiations, with exchange of communications between the company and the service provider over a period of time. Notwithstanding all this, it is important for both parties to have a legally enforceable contract document that details the agreed expectations on all the various facets of the arrangement. For the IS auditor, a good starting point should be the outsourcing contract. The IS auditor should make a thorough scrutiny of the contract, as would be done for any major commercial contract, and evaluate all risks as done in any contract audit.
- Statement of work: The next important information from the contract should be the statement of work that lists the work to be done by the service provider. The work may fall into one or more of the categories described above. The auditor should ascertain from the activities at the company's IT department what activities have been outsourced and

