Page 525 - ITGC_Audit Guides
P. 525
GTAG — IT Outsourcing Life Cycle: Risk and Control Considerations
Stages Objectives Key Activities Manager Roles * 2 Risks Auditor
Involvement 3
G: Reversibility Ensure that the n Make decision Process owner,* n Inability to react n Determine the
arrangement can to bring back in- procurement, to adverse contingency plans
be unwound and house and identify executive sponsor, situations or other if arrangement
considered in the impact of risk, BCP, and other opportunities. does not work;
business case/ doing so. experts. n Lack of leverage what are the
strategy. n Determine how to in future estimated costs
change vendor. negotiations. and likelihood.
n Identify business n Loss of assets and n Ask whether
case impact. interruption of the costs and
services if brought likelihood have
back in-house been considered
or to another in the business
provider. case and ROI
n Unanticipated needs.
costs if n Ask whether
outsourcing fails. other providers
are able to be
used effectively.
Ask about the
provider’s viability.
n Determine
whether the
trigger points
to initiate or
consider changes
in provider are
understood and
pre-defined.
n Find out whether
other risks have
been considered
that might
drive the need
for bringing
operations
back in-house
and whether
these have
been assessed,
including
macroeconomic
and political/
geographic
concerns.
n Ask whether
the provider
has sound BCP
capabilities.
n Determine
whether the
vendor’s BCP
efforts are
sustainable.
n Assess how the
contract addresses
the need to exit.
*Primary responsibility and typical owner of stage.
13
