Auditing outsourcing

How to face risks?

Patrick Soenen


Organizations have traditionally seen outsourcing as a way to reduce costs and simultaneously increase their return on investment. Companies that wanted to leverage the cost benefits shifted outsourcing from low-risk to high-end functions like IT services, Business Process Outsourcing [BPO] and research services. Today outsourcing has become a key business strategy for enterprises that believe in devoting their resources to their core business operations. Outsourcing has only continued to grow and is now being embraced by organizations of all sizes and domains. From start-ups to large enterprises, outsourcing continues to be a tool of choice to gain competitive advantage. In the public sector the incentives revolve around the need to make efficiency savings and to achieve value for money for the taxpayer. And outsourced cloud computing offers a dynamic way of attaining IT capability (hardware, software or services) from third parties through Internet technology.


Outsourcing can be a major risk to organizations in both the public and private sectors due to uncertainties over cost, quality, security, management and delivery. Today, the outsourcing decision is risky, due to increased regulatory requirements and the variety of service providers available in terms of size, scope, and geographical location. The decision is further complicated by the fact that many businesses use multiple external service providers, and in an increasing number of cases, those third parties are reliant on fourth and even fifth parties. Things can and do go wrong.

The most serious risks associated with outsourcing are summarized in the accompanying figure. Let's review them all.

  • Governance related risks: Companies, called outsourcers, that commit to an outsourcing partnership without a strong governance capability usually do not have the means to properly manage the outsourced activity. A robust governance framework requires skill and expertise so that the organization can deliver the strategic, operational, and project management guidance necessary for the outsourcing activity to be effective. Because the outsourcing activity spreads across two or more separate organizations, a clear governance structure is critical when specifying the processes, roles, responsibilities, and incentives that will form the outsourcing arrangement.
  • Operational and delivery risk covers the consequences of schedule and budget mismanagement, unfulfilled client expectations, and inadequate knowledge transfer and staffing, resulting in benefits that are not fully realized. The return on investment will not meet expectations or will be minimal compared to the outsourcing costs. The inability to adopt new technologies may impact operational efficiency and delivery quality. As a result, the third party will fail to deliver the service or will not deliver according to the standard specified in the agreement.
  • Relationship risks for service providers include cultural differences, structural changes in the organization, and opportunistic behavior, i.e. the provider favoring its own interests to the detriment of those of the outsourcer.
  • Information security. The higher the volume of confidential and/or sensitive data a third party manages and the more frequently data is being processed, the greater the risk that the confidentiality and/or the integrity of that data will be compromised.
  • Business continuity. Is the third party able to continue the service delivery in the event that its core infrastructure or business is impacted by a major disaster? Does it have a business continuity plan, and has its effectiveness been tested?
  • Legal risks. The absence of a well-drafted agreement could lead to a situation in which the outsourcer is unable to fall back on a legally binding document to ensure compliance with the intended contractual terms. The violation of contractual terms either by the provider or by the outsourcer will generate conflicts between the parties.
  • Regulatory compliance. Insufficient knowledge of legislation or the failure to act according to the regulations may lead to breaches of regulatory compliance. While the service provider's liability is possibly limited to damages arising out of the outsourcing agreement, the outsourcer remains exposed to regulatory liability, potentially impacting its reputation.


By committing personal data to the systems managed by a cloud provider, outsourcers may no longer be in exclusive control of the information, while the measures necessary to ensure adequate data protection may not be deployed. This lack of control may manifest itself in different manners:

  • Vendor lock-in may result from the provider's reliance on proprietary technology. The outsourcer may encounter difficulties in shifting information between different (cloud-based) systems, i.e. lack of data portability, or in exchanging information with entities that use services managed by different providers, i.e. lack of interoperability.
  • Lack of integrity may be caused by the sharing of resources at the provider's premises. Conflicting interests might arise at cloud providers processing personal data emanating from a wide range of data subjects and organizations.
  • The security and business continuity risks have already been covered above.
  • Lack of intervenability, relating to the data subjects' rights, occurs when a cloud provider doesn't implement the necessary measures and tools to assist the controller in managing the data in terms of access, deletion or correction.
  • Lack of isolation: Administrators at the cloud provider with privileged access might be able to link information across outsourcers.

Processors, including cloud providers, may subcontract additional sub-processors which then gain access to personal data. In this case, the processors are obliged to make the contracting information available to the outsourcer, detailing the type of service subcontracted and the characteristics of current or potential sub-contractors, and to guarantee that these services comply with the applicable (data protection) regulations.


The service provider's control environment sets the organization's tone, impacts user behavior, and is the foundation for the other internal control components. The control environment prerequisites include the prevalence of strong documented policies, procedures, and guidelines, as well as a clear definition of the roles and responsibilities of the staff. Service organizations are also required to perform periodic risk assessments that take into consideration the various factors affecting the services provided.

The security risks need to be managed effectively by taking information protection measures to ensure appropriate network security, physical security, personnel security and adequate logical access controls to application systems.

Business Continuity Management ensures proactive measures are developed according to a risk-based approach to ensure the continuing availability of business support systems. To reduce service disruption risks, the provider should be able to recover from a disaster, minimize losses, and have the best level of preparedness to deal with business interruptions and restore operations.

Change management controls should exist to ensure all changes to business processes and information systems are made properly. Controls may involve the authorization of change requests, reviews, approvals, documentation, and testing, as well as impact assessments of requested changes.

Successful outsourcing also depends on people. Therefore, an evaluation of the provider's HR policies and procedures is important in the successful implementation and operating effectiveness of designed controls.


Managing outsourcing risks has made audit a necessary component for all outsourcers. The internal auditor plays a crucial role in evaluating the service provider's control environment. As a result, auditors need to assess the strength of the control framework and control activities affecting the outsourced processes, as well as inform management on the effectiveness of outsourcing operations from an operational and a compliance standpoint.

The "right to audit" clause is a necessity for all types of organizations, of all sizes, not only as a way to demonstrate due care, but also to be proactive in preventing incidents and disasters. The key outsourcing controls should be audited at those service parties deemed to be high risk. Alternatively, the provider could provide SOC [Service Organization Controls] reports, in which an external auditor describes, evaluates, and issues an opinion on the service provider's security and data protection controls.

However, SOC 1 reports typically do not address uptime requirements, disaster recovery, confidentiality, or even very basic security and monitoring controls. On the other hand, SOC 2 and SOC 3 reports, aligned with the AICPA Trust Services Principles and Criteria, are more likely to be relevant to the users of IT and cloud service providers. These reports have standard reporting formats that address security, confidentiality, privacy, availability and integrity issues. A type 2 SOC report should be requested, as the "suitability of the design and operating effectiveness of controls" is tested for a given period, whereas for a type 1 SOC report there is no testing of the "operating effectiveness of controls".

Internal auditors need to assess the efficiency and the effectiveness of the certifying organization's review processes. Audit results will help outsourcers determine how much they can rely on the service provider's activities based on the certification obtained.

Does GDPR impact the right to audit?
For instance, regulations require financial institutions, when entering into outsourcing agreements covering critical or important business functions, to ensure the regulator can exercise a right of effective access to the premises of the service provider. The requirements are primarily to ensure that the outsourcing of the regulated activities does not lead to an outsourcing of accountabilities by the entity in question, or pose a barrier to effective supervision.

However, cloud providers are sometimes unable or unwilling to offer effective access. The General Data Protection Regulation [GDPR], which will apply from 25 May 2018, could force cloud providers to update their approach to auditing rights in relation to the processing of personal data. Under GDPR, processors that process personal data in a way which does not conform to their contract terms will not just be exposed to potential claims of breach of contract, but will potentially be held in breach of the regulation itself, and subject to severe sanctions. GDPR will require cloud providers to make available to their customers all information necessary to demonstrate their own compliance with the new data processor requirements and to allow for and contribute to audits conducted by the controller or an auditor mandated by the controller.

The Article 29 Working Party gives its backing to third party data protection certifications as a mechanism to fulfil the auditing requirement. It should let cloud providers demonstrate compliant data protection practices to data controllers.


Senior management and the board want reasonable assurance that outsourcing risk is being effectively managed so that the organization's achievement of its strategic objectives is not compromised. If outsourced services are of strategic importance, then they should feature on internal audit plans.

Internal audit can add value by reviewing the effectiveness and efficiency of controls over the overall outsourcing process, ensuring that a recognized process exists to perform a feasibility study that provides a clear business case aligned with the strategic objectives. Internal audit can review the supplier selection process and assess whether the organization has adequate and effective policies and procedures for tendering. Finally, internal audit can examine the performance management arrangements in place while the contract is being executed, and ensure an exit strategy is in place.


Internal audit should get involved at the early stages to help avoid outsourcing contract failure. How well risk is being jointly considered between the outsourcer and the provider is an important aspect to assess. Internal audit can add value by benchmarking supplier/contractor performance to drive overall improvements. And the "right to audit" clauses should be invoked in those cases where high value and/or high profile contracts are of concern. Performing substantive testing may be important to evaluate the consequences of any control failure.

Patrick Soenen is Certified in Governance of Enterprise IT [CGEIT] and in Risk and Information Systems Control [CRISC] and is acting as a COBIT accredited trainer. After a career of more than 20 years in information technology, he has performed IT audit assignments and provided IT governance advice for 15 years.