These days an IS auditor is more likely to encounter situations where many or some of the information technology activities in an enterprise are outsourced, i.e., performed by an external entity for a fee. In such a situation, how does the IS auditor carry out the audit? While it is true that the basic objectives of the audit and the methodologies remain as before, outsourcing does introduce certain newer elements that need to be taken into consideration. Another peculiarity of outsourcing these days is offshoring, i.e., work is performed from a remote site that could even be another country thousands of miles away.
The objective of carrying out an audit of outsourcing would be to determine whether:
- The risks associated with outsourcing, such as continued availability of services, acceptable levels of services and security of information, are adequately and effectively mitigated through appropriate controls that are implemented and functioning
- The objectives of outsourcing are being achieved
- The IT strategy has been suitably modified to make best use of outsourcing
These objectives are critical to the organization and it is important for the organization to have a fair assessment of these areas for the success of the outsourcing arrangement. Organizations resort to outsourcing for a variety of reasons, including to reduce costs, enable the organization to focus on its core activities, overcome nonavailability of skilled personnel and improve the quality of service. Whatever the reason, it is important not only that the objectives are achieved, but also that there is no negative fallout from the outsourcing. Therefore, it is essential to carry out an IS audit of outsourcing in a comprehensive manner that covers all the objectives.
An IS audit of outsourcing involves all elements of IS audit, including application security, network security, physical and environmental security, system administration and business continuity planning. The focus of this article is on the additional and varied impacts to all these areas due to outsourcing. An IS auditor who is carrying out an audit of outsourcing needs to utilize his/her skills and experience in all these areas and more.
Assessing Outsourcing Risks
Before getting into the details of how to carry out the audit, it is most important to determine and understand thoroughly the nature of the outsourced work.
The risks associated with outsourcing depend on the nature of the outsourced work, and the audit should focus on the areas of risk and evaluate the control measures pertinent to those risks.
This article will refer to the organization that is outsourcing its work as the "company" and the organization that is providing the outsourcing services as the "service provider."
The auditor is likely to see many varieties of outsourcing, as newer models of outsourcing are continuously evolving to meet specific needs of customers. However, from a perspective of carrying out audits, the outsourcing of IT work can be broadly grouped into the following areas.
- Software development—The company provides either the requirements or sometimes the design and specifications, and the service provider does the analysis, design, coding, testing, integration and all other activities in the software development life cycle. The software development can be done either onsite (i.e., at the company's office), nearshore (i.e., at a site of the service provider in a nearby location in the same country or region) or offshore (i.e., at a remote site, generally at the office of the service provider, which could be thousands of miles away).
- Application support and maintenance—The company could be using a number of applications. These may have been developed in house by the company or by someone else, or they may be implementations of packaged software. When application support and maintenance are outsourced, the service provider attends to the problems and bugs and all requests from users relating to the application software, often picking up the problem tickets from the help desk. The service provider also attends to the requests from users for modifications to the software, additional features, reports, etc. The service provider's work can be performed either onsite (same location as the customer) or offshore (the service provider's location, which could be thousands of miles away). For large applications, very often it is a combination of onsite and offshore. The services from offshore are provided through a network that enables the service provider to connect to the company's applications.
- Infrastructure management services—In this case, the activities outsourced are system administration of servers, database administration, network management, desktop management, security management, data center management and attending to help desk trouble tickets relating to all these areas. These services can also be provided with a combination of onsite and offshore presence.
The risks associated with each of these types of outsourcing are different and vary in magnitude.
The Audit Guideline
A few typical areas of the audit are detailed below. The IS auditor can develop an audit checklist around these points for use during an audit of outsourcing.
- Contract—Most outsourcing arrangements are put in place after a detailed process of evaluation, due diligence and negotiation, with communications exchanged between the company and the service provider over a period of time. Notwithstanding all this, it is important for both parties to have a legally enforceable contract document that details the agreed expectations on all the various facets of the arrangement. For the IS auditor, the outsourcing contract is a good starting point. The IS auditor should scrutinize the contract thoroughly, as would be done for any major commercial contract, and evaluate all risks as in any contract audit.
- Statement of work—The next important element of the contract is the statement of work, which lists the work to be done by the service provider. The work may fall into one or more of the categories described above. The auditor should ascertain from the activities of the company's IT department which activities have been outsourced and which are being done in-house, and should examine whether the work actually performed by the service provider matches the work mentioned in the contract.
- High-level monitoring—The service provider's financial status and standing in business should be assessed formally using a defined procedure at periodic intervals, and results documented and communicated. This should also cover important developments in the service provider's country, area of operations, quarterly results, press briefings and analyst reports. The auditor should check whether this activity is being done by the company through a duly designated person/department with due care.
- Connectivity and network security—The communication facility between the company and the service provider is important to the success of the outsourcing arrangement. For certain types of limited engagements, the service provider merely delivers completed work to the company. However, in the case of larger engagements such as application support or infrastructure management from offshore locations, dedicated connectivity is a primary requirement. In these engagements, dedicated communication links are established between the company and the service provider through leased lines, international private leased circuits (IPLCs), a virtual private network (VPN) over the Internet or a private VPN through other agencies. The service provider's offshore location thereby becomes an extended part of the company's internal network. This is illustrated in figure 1.
To perform the services, the service provider has to access the resources where the applications are running and the connectivity is established through link 1. In effect, through this link the service provider's facility X becomes a part of the company's extranet. Evaluating the security (including redundancy and high availability) of the network connection and the links is a crucial part of the IS auditor's responsibility.
Such a scenario demands that the security measures at the service provider's facility be robust. The auditor should ascertain the processes used to initially prescribe, verify and test the security measures at the service provider's facility and evaluate the mechanisms in place to ensure the continued operation and maintenance of good security periodically. Such mechanisms may include proactive monitoring of logs of security devices at the gateways through remote access, vulnerability scans and penetration testing, periodic reporting of security incidents and certifications, third-party audits and management reviews.
However, as can be seen in figure 1, both the company and the service provider are larger organizations than the outsourcing arrangement, and each has other facilities, resources and networks, shown as B and Y in the diagram. In reality, the connections between the outsourcing facilities and the rest of each organization, shown as links 2 and 3, cannot be ignored. Both B and Y will also have connections to the Internet and other networks, indicated by 4 and 5. This entire setup, with all its connections, has to be secured using a suitable network architecture and security devices at all the connecting points, to ensure that access is restricted to the project teams that actually do the work and to the purpose intended. This audit involves many technical aspects of network security, and the IS auditor would do well to involve an appropriate expert in this part of the assignment.
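A worked example of the kind of check this implies, added here and not part of the original article: the accepted flow records from the gateway on link 1 are reviewed against an access matrix derived from the zones in figure 1 (A, the company's outsourced application hosts; B, the rest of the company; X, the service provider's project facility; Y, the rest of the service provider's network). Any accepted flow outside the agreed X-to-A pair, from a host that is not on the project team, or on a service port that was not approved is reported as a finding. The address ranges, approved ports, project hosts and log lines are all constructed assumptions, not figures from the article, and the log format is a hypothetical key=value layout.

```python
"""Review gateway flow records against the access matrix implied by the
outsourcing topology (zones A, B, X, Y of figure 1).

All subnets, ports, host lists and log lines below are constructed for
illustration; substitute the real network diagram and the contract's matrix.
"""
import ipaddress
from collections import namedtuple

# Hypothetical address plan (constructed). Y encloses X, so X is tested first.
ZONES = {
    "A": ipaddress.ip_network("10.10.0.0/16"),   # company: outsourced app servers
    "B": ipaddress.ip_network("10.20.0.0/16"),   # company: everything else
    "X": ipaddress.ip_network("172.16.5.0/24"),  # service provider: project floor
    "Y": ipaddress.ip_network("172.16.0.0/16"),  # service provider: rest of network
}

# Access matrix as agreed in the contract (constructed): only the project
# facility X may reach the outsourced hosts in A, and only on these services.
ALLOWED = {("X", "A"): {22, 443, 1433}}

# Hosts assigned to the project team (constructed).
PROJECT_HOSTS = {"172.16.5.21", "172.16.5.22"}

Flow = namedtuple("Flow", "ts src dst dport action")


def parse_record(line):
    """Parse one 'timestamp key=value ...' gateway record (constructed format)."""
    ts, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return Flow(ts, kv["src"], kv["dst"], int(kv["dport"]), kv["action"])


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is INTERNET."""
    addr = ipaddress.ip_address(ip)
    for name in ("A", "B", "X", "Y"):
        if addr in ZONES[name]:
            return name
    return "INTERNET"


def check_flow(flow):
    """Return None if an accepted flow matches the matrix, else the reason it does not."""
    if flow.action != "ACCEPT":
        return None  # the gateway already blocked it; not an exposure
    pair = (zone_of(flow.src), zone_of(flow.dst))
    if pair not in ALLOWED:
        return f"{pair[0]}->{pair[1]} is not permitted by the access matrix"
    if flow.src not in PROJECT_HOSTS:
        return f"source {flow.src} is not an approved project host"
    if flow.dport not in ALLOWED[pair]:
        return f"port {flow.dport} is not an approved service for {pair[0]}->{pair[1]}"
    return None


def review_gateway_log(lines):
    """Run every record through check_flow and collect the findings in log order."""
    findings = []
    for line in lines:
        flow = parse_record(line)
        reason = check_flow(flow)
        if reason:
            findings.append({"ts": flow.ts, "src": flow.src, "dst": flow.dst, "reason": reason})
    return findings


# Constructed sample: one permitted flow, five exposures, one blocked attempt.
SAMPLE_LOG = [
    "2024-03-01T09:15:02Z src=172.16.5.21 dst=10.10.4.7 dport=22 action=ACCEPT",
    "2024-03-01T09:16:40Z src=172.16.5.21 dst=10.20.1.5 dport=445 action=ACCEPT",
    "2024-03-01T09:18:11Z src=172.16.9.3 dst=10.10.4.7 dport=22 action=ACCEPT",
    "2024-03-01T09:20:05Z src=172.16.5.22 dst=10.10.4.9 dport=3389 action=ACCEPT",
    "2024-03-01T09:22:30Z src=203.0.113.9 dst=10.10.4.7 dport=443 action=ACCEPT",
    "2024-03-01T09:25:12Z src=172.16.5.77 dst=10.10.4.7 dport=22 action=ACCEPT",
    "2024-03-01T09:27:00Z src=172.16.5.21 dst=10.20.1.5 dport=445 action=DENY",
]

if __name__ == "__main__":
    for finding in review_gateway_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} -> {finding['dst']}: {finding['reason']}")
```

The same matrix is what the auditor compares against the gateway rule base; running it over accepted flows shows whether the rules actually enforce it, which is the point of the monitoring mechanisms described above.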
- Data security—Varying degrees of access to applications and systems will have to be provided to the personnel of the service provider to enable them to carry out the work. Proper procedures should be defined to specify how such access is granted and maintained. Security is concerned with maintaining confidentiality, integrity and availability of information. In an outsourcing scenario, events and the environment at both the company and the service provider can impact any of these. The auditor should check whether the security policy and processes of the service provider are in sync with those of the company. This is generally done prior to the engagement by exchange of policies and due diligence, identification of gaps and implementation of the required measures to ensure that security at both ends is uniformly strong. The auditor should check whether mechanisms have been established for ongoing monitoring of security and the related processes at both ends. The auditor should also evaluate the adequacy of the business continuity plans and the results of the tests and drills. In some cases, depending on the nature of the work outsourced, personnel from the service provider may even be required to have superuser access to some systems. In all such cases, suitable monitoring processes may be set up, including writing logs to remote systems, depending on the risk assessment associated with the system. The auditor should evaluate the existence and efficacy of such processes.
- Project monitoring and governance—The IS auditor should check whether the monitoring and governance processes as envisaged (described in the contract document) have actually been set up and are functioning as intended. The IS auditor should verify the performance measurement reports for a number of sample months, verify the methodology and calculations for compliance with service level agreements, and verify the calculation of incentives and penalties. The IS auditor should verify samples of the bills and their payments from a performance measurement perspective. A review of performance at various levels is important and can be completed by scrutinizing periodic reports and the minutes of review meetings, noting their frequency and participant lists.
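An added example, not from the original article, of how the service level calculations and the resulting incentives or penalties can be recomputed independently from raw ticket data rather than taken from the provider's report: it applies a constructed resolution-time schedule with contractual clock stops, derives per-priority attainment as exact fractions, settles the monthly fee against a constructed penalty and incentive schedule, and lists where the provider's reported figures disagree. The SLA targets, penalty rates, fee, tickets and reported figures are all assumptions; the real schedule comes from the contract.

```python
"""Recompute SLA attainment and the penalty/incentive settlement from ticket
records so that the provider's monthly report and invoice can be verified.

The SLA schedule, penalty terms, tickets and reported figures are constructed
for illustration; take the real values from the contract and the help desk.
"""
from datetime import datetime
from fractions import Fraction

# Constructed schedule: priority -> (resolution target in hours,
#                                    required share of tickets within target).
SLA = {
    "P1": (4, Fraction(95, 100)),
    "P2": (24, Fraction(95, 100)),
    "P3": (72, Fraction(90, 100)),
}
PENALTY_PER_POINT = Fraction(1, 10)  # % of monthly fee per point of shortfall
PENALTY_CAP = 10                     # maximum penalty, % of monthly fee
INCENTIVE = 2                        # % of fee earned if every target is met


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M")


def effective_hours(ticket):
    """Elapsed hours minus contractually agreed clock stops (e.g. awaiting the company)."""
    opened, resolved = parse_ts(ticket["opened"]), parse_ts(ticket["resolved"])
    return (resolved - opened).total_seconds() / 3600 - ticket.get("paused_h", 0)


def attainment(tickets):
    """Share of tickets per priority resolved within target, as exact fractions."""
    result = {}
    for prio, (limit_h, _) in SLA.items():
        group = [t for t in tickets if t["priority"] == prio]
        if group:
            met = sum(1 for t in group if effective_hours(t) <= limit_h)
            result[prio] = Fraction(met, len(group))
    return result


def settlement(fee, attained):
    """Apply the penalty/incentive schedule to recomputed attainment."""
    shortfall_points = sum(
        max(Fraction(0), (SLA[prio][1] - share) * 100) for prio, share in attained.items()
    )
    penalty_pct = min(Fraction(PENALTY_CAP), shortfall_points * PENALTY_PER_POINT)
    incentive_pct = Fraction(INCENTIVE) if shortfall_points == 0 else Fraction(0)
    invoice = fee * (100 - penalty_pct + incentive_pct) / 100
    return {"penalty_pct": penalty_pct, "incentive_pct": incentive_pct, "invoice": invoice}


def reconcile(reported, recomputed):
    """Priorities where the provider's reported attainment differs from the recomputation."""
    return {p: (reported.get(p), recomputed[p]) for p in recomputed if reported.get(p) != recomputed[p]}


# Constructed ticket sample for one month. T3 misses P1; T4 meets it only
# because 2.5 h of clock stop is deducted; T10 misses P3.
TICKETS = [
    {"id": "T1", "priority": "P1", "opened": "2024-03-04T08:00", "resolved": "2024-03-04T10:00"},
    {"id": "T2", "priority": "P1", "opened": "2024-03-04T08:00", "resolved": "2024-03-04T11:30"},
    {"id": "T3", "priority": "P1", "opened": "2024-03-04T08:00", "resolved": "2024-03-04T13:00"},
    {"id": "T4", "priority": "P1", "opened": "2024-03-04T08:00", "resolved": "2024-03-04T14:00", "paused_h": 2.5},
    {"id": "T5", "priority": "P2", "opened": "2024-03-05T09:00", "resolved": "2024-03-05T19:00"},
    {"id": "T6", "priority": "P2", "opened": "2024-03-05T09:00", "resolved": "2024-03-06T05:00"},
    {"id": "T7", "priority": "P2", "opened": "2024-03-05T09:00", "resolved": "2024-03-06T08:00"},
    {"id": "T8", "priority": "P2", "opened": "2024-03-05T09:00", "resolved": "2024-03-05T17:00"},
    {"id": "T9", "priority": "P3", "opened": "2024-03-10T09:00", "resolved": "2024-03-12T11:00"},
    {"id": "T10", "priority": "P3", "opened": "2024-03-10T09:00", "resolved": "2024-03-13T17:00"},
]
MONTHLY_FEE = 100000
# Constructed provider report: P1 shown as fully met (T3 silently excluded).
REPORTED = {"P1": Fraction(1), "P2": Fraction(1), "P3": Fraction(1, 2)}

if __name__ == "__main__":
    recomputed = attainment(TICKETS)
    print("attainment:", {p: f"{float(s):.0%}" for p, s in recomputed.items()})
    print("settlement:", settlement(MONTHLY_FEE, recomputed))
    print("discrepancies:", reconcile(REPORTED, recomputed))
```

Exact fractions are used deliberately so that a 0.1 percent penalty step is not lost to floating point rounding, and the clock-stop deduction is kept explicit because exclusions of that kind are where reported and actual attainment most often diverge.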
- Compliance with regulatory requirements—Privacy laws that have been enacted by many countries and states impact data processing in many ways. Some of these laws could also impact export of data to other countries for processing. The IS auditor should examine the applicability of such laws to the outsourcing arrangement and verify whether the safeguards have been implemented and are complied with. The auditor should also evaluate the confidentiality and nondisclosure agreements.
- Benefit measurement—Outsourcing is resorted to for specific reasons and with expectation of benefits. The realization of those gains is an important part of the outsourcing arrangement. The IS auditor should verify whether suitable procedures and ownership for these measurements have been instituted by the company. The IS auditor should also check and evaluate the measurement methodology to ensure that it is approved by management and includes quantitative and qualitative factors and is measured in monetary and nonmonetary terms.
- Customer satisfaction—In an outsourcing arrangement there is a change in the entity that provides the IT services to the end users and customers. A focused outsourcing service provider with expert skills could deliver better service, but there could also be gaps due to culture and other business or domain-related factors. Even in a situation where the benefits of outsourcing are being realized, it is a good idea to ascertain the level of customer satisfaction from the end users through well-designed feedback processes and administered surveys, as a means toward continuous improvement in the outsourced services. The auditor should check the existence of such exercises and evaluate the methodology and the action taken on the feedback received.
- Impact on IT strategy—IT outsourcing is often strategic and done on a fairly large scale. Outsourcing needs to be incorporated into the business and IT strategy of the company. In the process of outsourcing, the company should not lose sight of the reality that IT's impact on business can be significant and beneficial for companies where there is good alignment. The IS auditor should review the overall IT scenario of the company after outsourcing to ensure that key IT management activities have not been neglected because the ownership of these activities became unclear as a result of outsourcing.
An audit of outsourcing is not just an audit of the service provider. An IS audit of outsourcing must look at the total picture. The many facets of the arrangement need to be reviewed as listed previously. Outsourcing has many benefits, but it also needs constant monitoring and care. An IS audit looks at the technical and business aspects, as necessary, to assess the health of the outsourcing arrangement so that necessary corrective or improvement actions can be taken. It is desirable to perform an IS audit of outsourcing at periodic intervals, at least once a year.