Internal Auditor

May 2013 Risk Assessment Issues Common Shortcomings Noted in Risk Assessments Related to IT Outsourced Ser ice !ro iders Risk areas are not #ormally considered' Most commonly( strategic risk( systemic risk( e)it strategy risk( and counter$arty risk *ill %e missing altogether #rom the risk assessment documentation' "usti#ication Ty$ically !ro ided %y Management Management *ill argue that such risks are not re+uired to %e considered #ormally %ecause, The organi.ation has %een *ith the same IT ser ice $ro ider #or many years' The IT ser ice $ro ider has a strong re$utation' There are clauses in the original contract or ser ice le el agreement /S0A1 that $rotect the organi.ation %y de#ining a$$lica%le $enalties i# ser ice le els are not met %y the endor' !ossi%le Res$onses &rom the Internal Auditor

3 en #or signi#icant risk areas( management may not ha e any controls in $lace( es$ecially in relation to IT ser ice $ro iders' Management may document

Management may argue that it does not ha e ade+uate skilled $ersonnel to monitor the outsourced ser ice $ro ider( there#ore it has not im$lemented any controls'

The internal auditor should challenge management and insist that all areas %e #ormally considered and documented' The auditor can cite e)am$les o# ma2or telecommunication ser ice $ro iders that are #acing challenges in deli ering ser ices to their customers' Also( the auditor can sho* statistics o# ho* many contracts are terminated early due to $oor ser ice deli ery' The auditor should insist that management #ormally document *here it %elie es the S0A or contract #ully sa#eguards the com$any #rom risks' Once management has #ormally documented all risk areas( it may reali.e that it should im$lement #urther controls or make changes to the e)isting S0A or contract *ith the ser ice $ro ider' Internal auditors should not acce$t management4s 2usti#ication *ithout a thorough analysis' I#( in #act( management does not ha e ade+uate skills to monitor the

that it is *illing to acce$t such risks'

Management may state that the reason to outsource the IT $rocess or #unction *as that e)ecuti es do not ha e the e)$ertise'

ser ice $ro ider at all( the auditor should insist that management consider in ol ing third5$arty auditors to $er#orm such audits'

Management u$dates the current5year risk assessment documentation %ased on $rior5year risk assessments'

Many IT ser ice $ro iders ha e an audit $er#ormed %y an inde$endent e)ternal auditor on an annual %asis' The e)ternal auditor may $er#orm the audit and re$ort results %y #ollo*ing one o# t*o ser ice organi.ation re$orting standards( Statement on Standards #or Attestation 3ngagements No' 16( issued %y the American Institute o# Certi#ied !u%lic Accountants( and International Standard on Assurance 3ngagements No' 3702( issued %y the International &ederation o# Accountants' Alternati ely( management could re+uest the ser ice $ro ider esta%lish an inde$endent com$liance or internal audit #unction( *hich *ould re$ort to management $eriodically' This may in ol e changing the original contract or S0A *ith the ser ice $ro ider and could result in im$lementing controls to mitigate risk areas' Management may argue that Internal auditors should no signi#icant changes ha e remind management that occurred in the organi.ation4s risks can arise not only due to en ironment( there#ore no changes at its o*n u$dates to the risk assessment organi.ation %ut also due to ha e %een made' changes at the ser ice $ro ider /e'g'( #inancial( Another common argument strategic( $ersonnel8sta##ing1'

management might $resent is that %ecause com$onents( s$eci#ications( or con#iguration o# the outsourced IT en ironment ha e remain unchanged( no u$date to the IT risk assessment has %een $er#ormed'

Internal auditors also should educate management that e en i# s$eci#ication( con#iguration( or com$onents o# the outsourced IT en ironment ha e remain unchanged( changes in sta##( $rocesses( or $olicies at the ser ice $ro ider can introduce ne* risks that should %e assessed' The auditor should eri#y *hether any signi#icant changes at the ser ice $ro ider ha e occurred that could im$act the conclusions reached in the risk assessment'

Internal Auditor 279 Maitland A e( Altamonte S$rings &lorida( 32901 Tel' 123 ***'internalauditoronline'org