Softworld special: data privacy

Involve internal auditors early on and your private information will remain just that

Written by Ameet Sharma, Ernst & Young

The greatest risk of outsourcing the control of sensitive business data is that your contractor won’t be as careful protecting the information as you, making it easier for a disgruntled ex-employee or a fraudster looking to take advantage.

Data privacy is itself a hot topic, with confidential information seemingly available to all and sundry after a number of leaks, but applying rigorous controls to an outsourcer should make your data as safe as managing it in-house.

Stand and deliver

The market for outsourcing in EMEA is put at $149.7bn (£76.3bn) annually, of which a large percentage originates from the UK.

Despite the booming market, research suggests that well over a third of outsourcing contracts fail to deliver the expected financial results and in some cases may fail to meet essential regulatory standards, such as data privacy or data management.

The popularity of outsourcing means that those who have already outsourced successfully may look to outsource even more non-core business activities involving large volumes of customer data, for example payroll services or human resources management.

IT internal auditors can play a key role in helping to independently assess management’s controls over the extended business. Most audit functions should have the skills to independently assess the whole lifecycle of the outsourcing deal from initial strategic decision and supplier selection, through to the processes and infrastructure that govern the final delivery.

In particular, IT internal audit could be useful in identifying risks that are more likely to be overlooked because they naturally cross multiple stakeholders; for example, protecting the confidentiality of personal data requires both business and IT-related controls.

Unfortunately, while they could help their organisations across the whole lifecycle of the outsourcing contract, including assessing the controls within the outsource entity, IT internal auditors are often only consulted when an outsourcing arrangement has started to fail.

Failure to involve IT internal auditors in the crucial planning stages means that common outsourcing challenges, often hidden in the detail of the outsourcing contracts, such as data ownership and management, are not always identified early on, when they can be addressed quickly and more cost effectively.

Defining the expected control framework in detail is not often a key feature during the decision-making process when selecting a third party to outsource to. Clearly, this approach is expected to change given recent high profile cases of control failure by third parties.

Where controls are considered, they are not typically backed up by hard evidence or validated in advance of the contract commencing. When IT internal audit is called upon to assess a situation (usually when the outsourcing is failing), it often identifies critical issues, to help protect the organisation, that have a high impact and are costly to address.

This late intervention by IT internal audit can be avoided through earlier engagement with the business when they are examining outsourcing options.

Common problems identified by internal audit in outsourcing contracts include:

• Contracts where audit rights have been traded for other promised benefits or cost savings during the contract negotiation phase.

• Contracts where the outsourced provider has inadequate data management and handling practices and poor security over systems access.

• No effective processes to identify inappropriate overpayments on the contract; and

• Situations where the business process owners agree to rely on existing third party reports on the outsourcer’s services, such as SAS70s, without checking their relevance to their primary needs.

The reasons for not involving IT internal audit in the contract design stages of outsourcing decisions vary. Some organisations feel that their IT auditors lack the necessary business skills; others may adopt a ‘need to know’ basis, particularly if job cuts and/or moves are planned. In the case of small outsourcing deals, business managers may feel there is no need to involve audit, as the perceived risks are considered to be low.

Inside job

Consequently, IT internal audit is not able to independently opine on the terms of the outsourcing contract, credentials of the proposed outsourcing provider, whether the promised benefits are realistic or the controls in place to manage the outsourced data are effective.

To provide even greater value to the business, IT internal audit must be engaged in the planning stages of their company’s strategy for outsourcing.

This will allow them to provide high-level, independent advice and guidance to executive management on matters of risk management and key controls relating to the strategic decision and governance over the outsourcing arrangement.

Even where it is difficult to review the strategic assumptions supporting outsourcing, IT internal audit must ensure that the outsourcing process itself is sound, through high-level interventions during both the outsourcing design and the set-up process.

Bring audit in for outsourcing

Where internal audit can add value:

• Seek early involvement to independently challenge and assess the decision being taken to outsource.

• Challenge whether ownership for the outsourced arrangements is clearly defined and understood.

• Ensure the impact of the outsourced arrangement has been formally risk assessed in line with the organisation’s current risk profile.

• Ensure that the ownership and operation of key controls over outsourced processes is clearly understood and that the right to audit is established. Identify what personal information, on customers or staff, is exchanged with third parties and understand how that information will be secured and used.

• Ensure that audit access to the outsourcer and the outsourcer’s suppliers has been contractually agreed.

• Assess whether management have strong governance procedures (including contracts) in place and are identifying and escalating issues on a timely basis.

• Encourage the business to periodically review the contractual agreement to ensure the commercials of the deal still make economic sense and that value is being delivered.

Ameet Sharma is an IT internal audit executive director in Ernst & Young’s technology, security and risk services practice.
