
GTAG — Executive Summary




            Executive Summary

            The purpose of the Information Technology (IT)
            Outsourcing Global Technology Audit Guide is to help
            chief audit executives (CAEs) and their audit teams
            determine the extent of internal auditor involvement when
            IT is partly or fully outsourced in their entities. This guide
            provides information on the types of IT outsourcing (ITO),
            the life cycle of IT outsourcing, and how internal auditors
            can approach risk in connection with IT outsourcing
            delivery.

            IT outsourcing is the contracting of IT functions, previously
            performed in-house, to an external service organization.
            Increasingly, organizations are economically motivated
            to outsource portions of IT processes to focus on their
            core business. In some government environments, the IT
            function is outsourced to a government shared services body
            that provides services, including IT services, to numerous
            government departments. Some organizations use a single
            IT service provider and some use multisourcing, that is,
            the provisioning and blending of business and IT services
            toward an optimal mix of internal and external providers.
            Multisourcing can add complexity.

            Key questions to ask when considering audits of IT
            outsourcing activities:

              •  How do IT control activities that have been
                 outsourced relate to business processes?
              •  Are internal auditors appropriately involved during
                 key stages of the outsourcing life cycle?
              •  Do internal auditors have sufficient IT knowledge
                 and experience to consider risk and provide the right
                 input?
              •  If IT control activities are transitioned to an IT
                 service organization, does the service provider
                 understand the roles and expectations of internal
                 audit stakeholders? Are internal auditors able to see
                 IT risk and present recommendations for processes
                 that have been outsourced?
              •  What role do internal audit teams play during
                 renegotiation, repatriation, and renewal of
                 outsourcing contracts?
















