• Executive Summary
• Table of Contents

This guide provides information on the types of IT outsourcing (ITO), the life cycle of ITO, and how internal auditors can approach risk in connection with ITO delivery. ITO is the contracting of IT functions, previously performed in-house, to an external service organization. Multi-sourcing can add complexity. Key questions to ask when considering audits of IT outsourcing activities:

• How do IT control activities that have been outsourced relate to business processes?                          
• Are internal auditors appropriately involved during key stages of the outsourcing life cycle?                  
• Do internal auditors have sufficient IT knowledge and experience to consider risk and provide the right input? 
•  If IT control activities are transitioned to an IT service organization, does it understand the roles and expectations of internal audit stakeholders? Are internal auditors able to see IT risk and present recommendations for processes that have been outsourced?                                                                   
•  What role do Internal Audit teams play during renegotiation, repatriation and renewal of outsourcing contracts?

  The guide covers how to use the answers to these questions to determine a strategy for internal audit involvement regarding IT outsourcing to best protect the interest of the organization and meet stakeholder expectations.