The choice to outsource IT audit activities comes down to the efficient use of scarce or limited resources. The business point of view may not fully agree with best practices as stated in theory, and may not adhere completely to them in application. The decision to outsource or not to outsource may very often become a point of contention within a company.
Often in our daily work, we run the risk of forgetting that a good audit plan must take into account the right attributes of those activities that, over the years, have become basic operational exercises. We must remember that IT general controls (ITGC) and IT application controls (ITAC) often enable continuous reflection and knowledge for auditors, which is often underestimated!
Consider the following… What professional considerations should be taken into account when evaluating an externalization choice? Why shouldn’t IT general controls be dismissed as routine checks that are carried out for reasons of compliance with regulations and ordinary laws? Is there the potential for the auditor to excel in the performance of IT general controls if the company spends resources to educate its auditors to perform them?
I find it useful to ponder these questions because, in the course of business activities, some colleagues occasionally prove careless and casual about the routine of ITGC and ITAC.
I hope that my volume 5 article can be the beginning of a discussion and reflection on this topic.
Read Emanuele Palmas’ recent Journal article:
“IT General and Application Controls: The Model of Internalization,” ISACA Journal, volume 5, 2011