In today’s business environment there has been an increase in companies that are economically motivated to outsource portions of Information Technology (IT) processes to focus on their core business. Some companies use a single IT service provider and others use multi-sourcing, that is, the provisioning and blending of business and IT services to achieve an optimal balance of internal and external providers. The purpose of the Global Technology Audit Guide (GTAG) 7, Information Technology Outsourcing, 2nd Edition is to help chief audit executives and their audit teams determine the extent of internal auditor involvement when IT is partially or fully outsourced in their entities.
This guide provides information on the types of IT outsourcing (ITO), the life cycle of ITO, and how internal auditors can approach risk in connection with ITO delivery. ITO is the contracting of IT functions, previously performed in-house, to an external service organization. Multi-sourcing can add complexity. Key questions to ask when considering audits of IT outsourcing activities are:
- How do IT control activities that have been outsourced relate to business processes?
- Are internal auditors appropriately involved during key stages of the outsourcing life cycle?
- Do internal auditors have sufficient IT knowledge and experience to consider risk and provide the right input?
- If IT control activities are transitioned to an IT service organization, does it understand the roles and expectations of internal audit stakeholders? Are internal auditors able to see IT risk and present recommendations for processes that have been outsourced?
- What role do internal audit teams play during renegotiation, repatriation, and renewal of outsourcing contracts?
The guide covers how to use the answers to these questions to determine a strategy for internal audit involvement regarding IT outsourcing to best protect the interest of the organization and meet stakeholder expectations.