IS OUTSOURCING VITAL?
The organisations have traditionally seen outsourcing as a way to reduce casts and simultaneously increase their return on investment. Companies who wanted to leverage the cost benefits shifted outsourcing from low-risk to high-end functions like IT services, Business Processing Outsourcing [BPO] and research services. Today outsourcing has become a key business strategy for enterprises who believe in devoting their resources to their key business operations. Outsourcing has only continued to grow and is now being embraced by organizations of all sizes and domains. From start-ups to large enterprises, outsourcing continues to be a tool of choice to gain competitive advantage. In the public sector the incentives revolve around the need to make efficiency savings and to achieve value for money for the taxpayer. And outsourced cloud computing is offering a dynamic way of attaining IT capability hardware, software or services from third parties through Internet technology.
YOU CAN'T OUTSOURCE RISK
Outsourcing can be a major risk to organizations in both the public and private sectors due to uncertainties over cost, quality, security, management and delivery. Today, the outsourcing decision is risky, due to increased regulatory requirements and the variety of service providers available in terms of size, scope, and geographical location. The decision is further complicated by the fact that many businesses use multiple external service providers, and in an increasing number of cases, those third parties are reliant on fourth and even fifth parties. Things can and do go wrong.
The most serious risks associated with outsourcing are summarized in the beside figure. Let's review them all.
IS CLOUD COMPUTING WORTH THE RISK?
By committing personal data to the systems managed by a cloud provider, the outsourcers may no longer be in exclusive control of the information while the required measures necessary to ensure adequate data protection aren't deployed. This lack of control may manifest itself in different manners:
Processors, including cloud providers, may subcontract additional subprocessors which then gain access to personal data. In this case, the processors are obliged to make the contracting information available to the outsourcer, detailing the type of service subcontracted, the characteristics of current or potential sub-contractors and guarantee that these services comply with the applicable (data protection) regulations.
KEY OUTSOURCING CONTROL CONSIDERATIONS
The service provider's control environment sets the organization’s tone, impacts user behavior, and is the foundation for the other internal control components. The control environment prerequisites include the prevalence of strong documented policies, procedures, and guidelines, as well as a clear definition of the roles and responsibilities of the staff. Service organizations also are required to perform periodic risk assessments that take into consideration various factors affecting the services provided.
The security risks need to be managed effectively by taking information protection measures to ensure appropriate network security, physical security, personnel security and adequate logical access controls to application systems.Business Continuity Management ensures proactive measures are developed according to a risk based approach to ensure the continuing availability of business support systems. To reduce service disruptions risks, the provider should be able to recover from a disaster, minimize losses, and have the
best level of preparedness to deal with business interruptions and restore operations.Change management controls should exist to ensure all changes to business processes and information systems are made properly. Controls may involve the authorizations of change requests, reviews, approvals, documentation, and testing, as well as impact assessments of requested changes.
Successful outsourcing also depends on people. Therefore, an evaluation of the provider's HR policies and procedures is important in the successful implementation and operating effectiveness of designed controls.
GETTING THE RIGHT TO AUDIT!
Managing the outsourcing risks has made the audit a necessary component for all outsourcers. The internal auditor plays a crucial role in evaluating the service provider's control environment. As a result, auditors need to assess the strength of the control framework and control activities affecting the risk is being effectively managed outsourced processes, as well as inform management on the effectiveness of outsourcing operations from operations and a compliance standpoint.
The "right to audit" clause is a necessity for all types of organizations, of all sizes, not only as a way to demonstrate due care, but also to be proactive in preventing incidents and disasters. The key outsourcing controls should be audited at those service parties deemed to be high risks. Alternatively, the provider could provide SOC [Service Organization Controls] reports, in which an external auditor describes, evaluates, and issues an opinion on the service provider's security and data protection controls.
However, the SOC 1 reports typically do not address uptime requirements, disaster recovery, confidentiality, and very basic security controls or monitoring controls. On the other hand, SOC 2 and SOC 3 reports, aligned with the AICPA Trust Services Principles and Criteria, are more likely relevant to the users of IT and cloud service providers. These reports have standard reporting formats that address security, confidentiality, privacy, availability and integrity issues. A type 2 SOC reporting should be requested as the "suitability of the design and operating effectiveness of controls" for a given period is tested, whereas fora type 1 SOC reporting, there is no testing on the "operating effectiveness of controls".
lnternal auditors need to assess the efficiency and the effectiveness of the certifying organization’s review processes. Audit results will help outsourcers determine how much they can rely on the service provider's activities based on the certification obtained.
Does GDPR impact the right to audit?
For instance, regulations require financial institutions, when entering into outsourcing agreements covering critical or important business functions, to ensure the regulator can exercise a right of effective access to the premises of the service provider. The requirements are primarily to ensure that the outsourcing of the regulated activities does not lead to an outsourcing of accountabilities by the entity in question, or pose a barrier to effective supervision.
However, cloud providers are sometimes unable or unwilling to offer effective access. The General Data Protection Regulation [GDPR], which will apply from 25 May 2018, could force cloud providers to update their approach to auditing rights in relation to the processing of personal data. Under GDPR, processors that process personal data in a way which does not conform to their contract
terms will not just be exposed to potential claims of breach of contract, but will be potentially held in breach of the regulation itself, and subject to severe sanctions. GDPR will require cloud providers to make available to their customers all information necessary to demonstrate their own compliance with the new data processor requirements and allow for and contribute to audits conducted by the controller or an auditor mandated by the controller.
The Article 29 Working Party gives its backing to third party data protection certifications as a mechanism to fulfil the auditing requirement. lt should let cloud providers demonstrate compliant data protection practices to data controllers.
HOW CAN AUDIT SUPPORT BOARDS OVER OUTSOURCED SERVICES?
Senior management and the board want reasonable assurance that outsourcing risk is being effectively managed so that the organization’s achievement of its strategic objectives is not compromised. lf outsourced services are of strategic importance, then they should feature on internal audit plans.
lnternal audit can add value by reviewing the effectiveness and efficiency of controls for the overall outsourcing process by ensuring a recognized process exists to perform a feasibility study providing a clear business case, aligned to the strategic objectives. lnternal audit can review the supplier selection process and assess whether the organization has adequate and effective policies and procedures for tendering. Finally, internal audit can examine the performance management arrangements in place when the contract is being executed, and ensure an exit strategy is in place.
DRAWING AUDIT KEY LESSONS...
lnternal audit should get involved at the early stages to help avoid outsourcing contract failure. How well risk is being jointly considered between the outsourcer and the provider is an important aspect to assess. lnternal audit can add value by benchmarking supplier/contractor performance to drive overall improvements. And the "right to audit" clauses should be invoked in these cases where high value and/ or high profile contracts are of concern. Performing substantive testing may be important to evaluate the consequences of any control failure.
Patrick Soenen is Certified in Govemance of Enterprise IT [CGEIT] and in Risk and Information Systems Control/ [CRISC] and is acting as a COB/T accredited trainer. After a career of more than 20 years in information technology, he performs IT audit assignments and provides IT governance advice since 15 years.