The greatest risk of outsourcing the control of sensitive business data is
that your contractor won’t be as careful protecting the information as you,
making it easier for a disgruntled ex-employee or a fraudster looking to take
While data privacy is itself a hot topic, however, what with confidential
information seemingly available to all and sundry after a number of leaks,
applying vigorous controls to an outsourcer should make your data as safe as
managing it in-house.
Stand and deliver
The market for outsourcing in EMEA is put at $149.7bn (£76.3bn) annually, of
which a large percentage originates from the UK.
Despite the booming market research suggests that well over a third of
outsourcing contracts fail to deliver the expected financial results and in some
cases may fail to meet essential regulatory standards, such as data privacy or
The popularity of outsourcing means that those who have already outsourced
successfully may look to outsource even more non-core business activities
involving large volumes of customer data, for example payroll services or human
IT internal auditors can play a key role in helping to independently assess
management’s controls over the extended business. Most audit functions should
have the skills to independently assess the whole lifecycle of the outsourcing
deal from initial strategic decision and supplier selection, through to the
processes and infrastructure that govern the final delivery.
In particular, IT internal audit could be useful in identifying some risks
that are more likely to be overlooked because they naturally cross multiple
stakeholders, for example protecting the confidentiality of personal data
requires both business and IT-related controls.
Unfortunately, while they could help their organisations across the whole
lifecycle of the outsourcing contract, including assessing the controls within
the outsource entity, IT internal auditors are often only consulted when an
outsourcing arrangement has started to fail.
Failure to involve IT internal auditors in the crucial planning stages means
that common outsourcing challenges, often hidden in the detail of the
outsourcing contracts, such as data ownership and management, are not always
identified early on, when they can be addressed quickly and more cost
Defining the expected control framework in detail is not often a key feature
during the decision-making process when selecting a third party to outsource to.
Clearly, this approach is expected to change given recent high profile cases of
control failure by third parties.
Where controls are considered, these are not typically backed up by hard
evidence or validated in advance of the contract commencing. When IT internal
audit is called upon to assess situations (usually when the outsourcing is
failing) they often identify critical issues to help protect their organisations
which may have a high impact and cost associated to address them.
This late intervention by IT internal audit can be avoided through earlier
engagement with the business when they are examining outsourcing options.
Common problems identified by internal audit in outsourcing contracts
• Contracts where audit rights have been traded for other promised benefits
or cost savings during the contract negotiation phase.
• Contracts where the outsourced provider has inadequate data management and
handling practices and poor security over systems access.
• No effective processes to identify inappropriate overpayments on the
• Situations where the business process owners agree to rely on existing
third party reports on the outsourcer’s services, such as SAS70s, without
checking its relevance to their primary needs.
The reasons for not involving IT internal audit in the contract design stages
of outsourcing decisions vary. Some organisations feel that their IT auditors
lack the right business skills necessary, others may adopt a ‘need to know’
basis, particularly if jobs are cut and/or moves are planned. In the case of
small outsourcing deals, business managers may feel there is no need to involve
audit, as the perceived risks are considered to be low.
Consequently, IT internal audit is not able to independently opine on the
terms of the outsourcing contract, credentials of the proposed outsourcing
provider, whether the promised benefits are realistic or the controls in place
to manage the outsourced data are effective.
To provide even greater value to the business, IT internal audit must be
engaged in the planning stages of their company’s strategy for outsourcing.
This will allow them to provide high-level, independent advice and guidance
to executive management on matters of risk management and key controls relating
to the strategic decision and governance over the outsourcing arrangement.
Even where it is difficult to review the strategic assumptions supporting
outsourcing, IT internal audit must ensure that the outsourcing process itself
is sound, through high level interventions during both the outsourcing design,
and through the set-up process.
Bring audit in for outsourcing
Where internal audit can add value:
• Seek early involvement to independently challenge and assess the decision
being taken to outsource.
• Challenge whether ownership for the outsourced arrangements is clearly
defined and understood.
• Ensure the impact of the outsourced arrangement has been formally risk
assessed in line with the organisationÕs current risk profile.
• Ensure that the ownership and operation of key controls over outsourced
processes is clearly understood and that the right to audit is established.
Identify what personal information, on customers or staff, is exchanged with
third parties and understand how that information will be secured and used.
• Ensure that audit access to the outsourcer and the outsourcerÕs suppliers
has been contractually agreed.
• Assess whether management have strong governance procedures (including
contracts) in place and are identifying and escalating issues on a timely basis.
• Encourage the business to periodically review the contractual agreement to
ensure the commercials of the deal still make economic sense and that value is
Ameet Sharma is an IT internal audit executive director
in Ernst & Young’s technology, security and risk services practice.
Driving opportunity for all and empowering businesses for success are the key themes for the Sage Summit UK this year, which takes place on 5-6 April
The partnership will see PwC have 'physical presence' at CodeBase in Edinburgh
Unincorporated businesses under the VAT threshold given an extra year to prepare before MTD becomes mandatory
Simon Wright of CareersinAudit.com discusses how an effective cyber defence force is critical to businesses worldwide and how internal auditors can make the transition to a new career in cyber security