Course Description
Most organizations have adopted some form of outsourcing. Whether it includes outsourcing IT operations, application maintenance, systems development, applications services, information security, or networking, they all constitute outsourcing. The advent of the “cloud” has added another dimension to outsourcing.
The process and results are fraught with risks, but also have rewards. As an auditor, it is essential to understand how outsourcing affects the controls environment and the audit universe and how to apply it.
You will discuss the:
- Business of outsourcing
- Effect on the audit universe
- The principles of outsourcing – its benefits and limitations
- How to audit in an outsourced environment
Learning Objectives:
- Understand the benefits and risks of outsourcing
- Identify the specific risks and controls for the various outsourced environments
- Describe how to use a Third-Party Report as an audit tool
- Identify common issues that have arisen in both the process of outsourcing and how to audit the outsourced business processes
Course Outline
Defining Outsourcing
- Outsourcing concepts/terms
- Outsourced scope
- Applications
- Infrastructure
- Development
- Cloud Computing
- Comparing Company and Vendor Motivation for Outsourcing
General Risks
- Company risks
- Strategic
- Financial
- Operational
- Organizational
- Vendor Risks
- Additional Risks with Cloud Computing
Organizational Changes Required to Manage Outsourcing
- Issue Management
- Delivery ManagementRisks
- Relationship Management
Contracts
- Considerations in the New Contract
- Intellectual Property
- Auditability
- SLAs
- Managing Audits with In-Force Contracts
- Regulatory Compliance
- Governance
Auditing the Outsourced Environment
- The effect on the audit universe
- Planning
- Scoping the audit to satisfy audit requirements
- Understanding the your limits in auditing the vendor
- Overcoming compliance issues
- Using Third-Party Reports
- Understanding the Benefits and Limitations of the Third-Party Reports
- Types of Third-Party Reports (SSAE16, SOC 1/2/3)
- Performing the audit
- Gap analysis
- Internal gap remediation
- Vendor gap reporting and remediation
- Auditing contract and service level compliance
- Solving vendor/company differences
- Auditing contract and service level compliance
- Relationship management
Additional Information
Who Should Attend
Internal audit professionals responsible for evaluating the controls and processes during an outsource project and as current-state outsource operation.
Learning Level
Intermediate
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
Understanding of information systems general IT controls, project management processes, SSAE16, third party reviews, and contract management.
Session Duration
On Site: 1 day
CPE Credits: 8