control, and governance
Risk Assessment Issues
|Common Shortcomings Noted in Risk Assessments Related to IT Outsourced Service Providers||Justification Typically Provided by Management||Possible Responses From the Internal Auditor|
|Risk areas are not formally considered. Most commonly, strategic risk, systemic risk, exit strategy risk, and counterparty risk will be missing altogether from the risk assessment documentation.||Management will argue that such risks are not required to be considered formally because:
The internal auditor should challenge management and insist that all areas be formally considered and documented. The auditor can cite examples of major telecommunication service providers that are facing challenges in delivering services to their customers. Also, the auditor can show statistics of how many contracts are terminated early due to poor service delivery. The auditor should insist that management formally document where it believes the SLA or contract fully safeguards the company from risks.
Once management has formally documented all risk areas, it may realize that it should implement further controls or make changes to the existing SLA or contract with the service provider.
|Even for significant risk areas, management may not have any controls in place, especially in relation to IT service providers. Management may document that it is willing to accept such risks.||Management may argue that it does not have adequate skilled personnel to monitor the outsourced service provider, therefore it has not implemented any controls. Management may state that the reason to outsource the IT process or function was that executives do not have the expertise.||Internal auditors should not accept management’s justification without a thorough analysis. If, in fact, management does not have adequate skills to monitor the service provider at all, the auditor should insist that management consider involving third-party auditors to perform such audits.
Many IT service providers have an audit performed by an independent external auditor on an annual basis. The external auditor may perform the audit and report results by following one of two service organization reporting standards, Statement on Standards for Attestation Engagements No. 16, issued by the American Institute of Certified Public Accountants, and International Standard on Assurance Engagements No. 3402, issued by the International Federation of Accountants.
Alternatively, management could request the service provider establish an independent compliance or internal audit function, which would report to management periodically. This may involve changing the original contract or SLA with the service provider and could result in implementing controls to mitigate risk areas.
|Management updates the current-year risk assessment documentation based on prior-year risk assessments.||Management may argue that no significant changes have occurred in the organization’s environment, therefore no updates to the risk assessment have been made.
Another common argument management might present is that because components, specifications, or configuration of the outsourced IT environment have remain unchanged, no update to the IT risk assessment has been performed.
|Internal auditors should remind management that risks can arise not only due to changes at its own organization but also due to changes at the service provider (e.g., financial, strategic, personnel/staffing).
Internal auditors also should educate management that even if specification, configuration, or components of the outsourced IT environment have remain unchanged, changes in staff, processes, or policies at the service provider can introduce new risks that should be assessed.
The auditor should verify whether any significant changes at the service provider have occurred that could impact the conclusions reached in the risk assessment.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.