IT Outsourcing Andy Darnell Jennifer Lawrence Jessica Pruitt
36 Slides3.13 MB
IT Outsourcing Andy Darnell Jennifer Lawrence Jessica Pruitt
Why is Outsourcing Important http://www.tmcnet.com/channels/call-center-jobs/articles/18420-gartner-worldwide-outsourcing-market-grow-81-percent-2008.htm http://www.pwc.com/extweb/home.nsf/docid/61A657C13E328E98852574A3005DFB20 http://www.isaca.org/Content/ContentGroups/Journal1/20058/jpdf0505-Outsourcing-BA-Risk-Manage.pdf
Why is Outsourcing Important Expected 8.1% rise in outsourcing worldwide in 2008 http://www.tmcnet.com/channels/call-center-jobs/articles/18420-gartner-worldwide-outsourcing-market-grow-81-percent-2008.htm http://www.pwc.com/extweb/home.nsf/docid/61A657C13E328E98852574A3005DFB20 http://www.isaca.org/Content/ContentGroups/Journal1/20058/jpdf0505-Outsourcing-BA-Risk-Manage.pdf
Why is Outsourcing Important Expected 8.1% rise in outsourcing worldwide in 2008 In 2007, IT work was the number 1 outsourced service http://www.tmcnet.com/channels/call-center-jobs/articles/18420-gartner-worldwide-outsourcing-market-grow-81-percent-2008.htm http://www.pwc.com/extweb/home.nsf/docid/61A657C13E328E98852574A3005DFB20 http://www.isaca.org/Content/ContentGroups/Journal1/20058/jpdf0505-Outsourcing-BA-Risk-Manage.pdf
Why is Outsourcing Important Expected 8.1% rise in outsourcing worldwide in 2008 In 2007, IT work was the number 1 outsourced service 75% of U.S. companies outsourced some type of IT activity in 2004 http://www.tmcnet.com/channels/call-center-jobs/articles/18420-gartner-worldwide-outsourcing-market-grow-81-percent-2008.htm http://www.pwc.com/extweb/home.nsf/docid/61A657C13E328E98852574A3005DFB20 http://www.isaca.org/Content/ContentGroups/Journal1/20058/jpdf0505-Outsourcing-BA-Risk-Manage.pdf
Why Companies Outsource? 29% - Cost or internal headcount needs to be reduced 22% - Internal capacity is constrained by increasing market demand 20 % - Internal manufacturing or service performance is insufficient 19% - Strategic process 6% - Regulatory, legal or environment 4% - Internal capacity underutilized http://www.isaca.org/Content/ContentGroups/Journal1/20058/
Disadvantage of Outsourcing Companies may not fully understand the actual work that is outsourced This could affect cost and satisfaction with end product or service PwC 2007 Global Outsourcing Survey found that less than one third of companies who outsourced were completely satisfied, but 91% said they would continue to outsource http://www.pwc.com/extweb/home.nsf/docid/7AD0D4EDCB1213178525749600662148
Categories of Outsourced IT Activities Software Development Application Support & Maintenance Infrastructure Management Services
Audit of Outsourcing The objective of an audit of outsourcing is to determine whether: Risks associated with outsourcing are mitigated Objectives of outsourcing are being met IT strategy has been modified to make best use of outsourcing “Audit of Outsourcing” Anantha Sayana
Risks of Outsourcing: Business Risks Outsourcing undesirable functions versus the ones that will provide the greatest competitive advantage Costs of outsourcing Not having defined goals and objectives carried over to the service provider “Outsourcing Audit Program & Internal Control Questionnaire” – www.isaca.org
Risks of Outsourcing: Business Risks Contract improperly prepared or structured Flexibility limitations in the future Going concern “Outsourcing Audit Program & Internal Control Questionnaire” – www.isaca.org
Risks of Outsourcing: SAS 70 If third-party services directly impact financial reporting or internal control environment activities, a company’s management is now responsible for evaluating the design and effectiveness of the control structure
Risks of Outsourcing: Offshoring Political, socio-economic, or other factors may amplify outsourcing risks Weak controls may affect customer privacy Privacy regulations may not be as strict in some areas Different laws and regulations Language barriers “10 Things to Consider when Offshoring Operations” – Tejus Trivedi, CISA, CA
Risks of Outsourcing: Security Risks Network security issues Customer data theft or misuse Cyber crime Inability to closely monitor security claims
Auditing and Outsourcing It is important for the auditor to be a part of the process if a client decides to outsource Determining what should be outsourced and reasons for outsourcing Various alternatives with respect to outsourcing Key components of the contract Performance expectations “Outsourcing Audit Program & Internal Control Questionnaire” – www.isaca.org
ISACA Audit Guidelines for Outsourcing Document G4
Audit Charter Any outsourced services must be included in the scope of the audit charter The audit charter should explicitly include the auditor’s right to: Review the agreement between the service user and the service provider Carry out necessary audit work regarding the outsourced function Report findings, conclusions and recommendations to service user management “G4 Outsourcing of IS Activities to Other Organizations – ISACA IS Auditing Guideline –
Planning Obtain an understanding of the nature, timing and extent of the outsourced services Identify and assess risks associated with the outsourced services Obtain an understanding of which controls are the responsibility of the service provider and which controls will remain the responsibility of the service user. “G4 Outsourcing of IS Activities to Other Organizations – ISACA IS Auditing Guideline –
Performance of Audit Work Audit work should be performed as if the service was being provided in the service user’s own IS environment. Auditor must consider contractual agreements and legal requirements Auditor should review management of outsourced services Auditor should consider restrictions on scope and report them to management “G4 Outsourcing of IS Activities to Other Organizations – ISACA IS Auditing Guideline –
Reporting After completing the audit work, the auditor should provide an audit report to the service user The service provider may receive a report from the service user if deemed necessary The IS auditor should also consider including a statement excluding liability to third parties “G4 Outsourcing of IS Activities to Other Organizations – ISACA IS Auditing Guideline –
Follow-Up Activities Request appropriate information from the service user and the service provider on previous relevant findings, conclusions and recommendations Determine whether appropriate corrective actions have been implemented by the service provider in a timely manner. “G4 Outsourcing of IS Activities to Other Organizations – ISACA IS Auditing Guideline –
Why information is important?
Why information is important? The diffusion of technology and the commodification of information transforms the role of information into a resource equal in importance to the traditionally important resources of land, labor and capital.Peter Drucker Information Security Governance pg. 7
Why information security is important? Protecting this information is vital to the business
How do we protect this information? Governance
What effects do strong IS governance provide business? Governance Strategic alignment Risk management Resource management Performance measurement Value delivery Information Security Governance pgs. 11-12
What does information security governance provide to companies?
What does information security governance provide to companies? Value
What does information security governance provide to companies? Value Assurance
What does information security governance provide to companies? Value Assurance Predictability
How does outsourcing affect information security governance?
How does outsourcing affect information security governance? Less oversight
How does outsourcing affect information security governance? Less oversight More trust
Where is IT outsourcing headed? More prevalent Total system outsourcing Trend toward closer outsourcing Nicaragua Mexico US http://www.outsourcing-journal.com/oct2008-nicaragua.html http://www.outsourcing-journal.com/oct2008-mexico.html http://www.outsourcing-journal.com/feb2008-adm.html
Where is IT outsourcing headed? Competitive Better service More flexibility Lower cost
Questions? http://www.outsourcing-journal.com/oct2008-china.html