IT Audit: How to conduct an effective IT audit in an outsourced environment
23-03-01
When performing IT audits, you may find that more companies are outsourcing their IT services than you realize.
In this article, we'll look at some considerations for successful auditing in an outsourced environment.
It should go without saying, but you should identify the scope of work being performed by the outsourced service provider. When auditing a company involved in outsourcing, documentation related to the service level agreement (SLA) should be used to assess whether the services provided comply with the agreed-upon standards, whether responsibilities between the parties are defined, and whether the scope of work is clear. In particular, provisions requiring compliance with security controls and requirements should be included, and support should be available for audit response.
Service providers should generally adhere to the policies and procedures of the company being audited, but in some cases you will need to evaluate the outsourced service provider's own policies and procedures instead.
Please refer to the following articles for ITGC and ITAC assessment items related to IT audits.
- ITGC: http://tokenterrace.com/eng/132?sfl=wr_subject&stx=ITGC&sop=and
- ITAC: http://tokenterrace.com/eng/133?sfl=wr_subject&stx=ITAC&sop=and
The company is responsible for ensuring that the outsourced service provider is complying with security controls and requirements on an ongoing basis. The company should be able to provide periodic reports to monitor this, or be able to confirm that changes to systems/infrastructure/data, etc. are being made by the outsourced service provider only with the company's authorization. This should be supported by objective documentation so that a third party, such as an IT auditor, can have reasonable assurance.
For example, suppose a company has outsourced the management of its IT infrastructure to a third-party service provider. If the IT auditor finds that the service provider has not implemented appropriate access controls for employees granted administrative privileges, the company may require the service provider to conduct regular monitoring of access logs to identify suspicious activity and regular reviews of the service provider's policies and procedures for access management. The company may also require the service provider to conduct regular training sessions on appropriate access control procedures.
Another example concerns preventing a breach of company data caused by a service provider's failure to comply with agreed-upon security standards, such as failing to patch software vulnerabilities or using weak passwords.
Companies can require service providers to provide regular reports on their security posture and conduct regular penetration tests to identify vulnerabilities.
You may also want to consider adding language to your contracts that specifies the security standards the service provider must adhere to and the consequences of non-compliance.
Also make sure that the company is aware of any changes to ownership of systems, infrastructure, data, etc., and that such changes are only made with its approval.
(In environments where a pre-approval process is not realistically feasible, an after-the-fact reporting process should be in place instead.)
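The two checks above (changes made only with the company's authorization, with after-the-fact reporting where pre-approval is not feasible, and administrative access exercised only by approved accounts) can be turned into objective evidence an auditor can rerun. The following is an added illustration, not code from the original article or from any audit tool: it reconciles a constructed provider change log against constructed company-side approval records and an approved administrator roster. All identifiers, log lines and the two-day reporting window are assumptions for the example.

```python
"""Audit-evidence check for an outsourced environment (added illustration).

Constructed sample data, not taken from any real system: the outsourced
provider's change log is reconciled against the company's own approval
records, so an auditor can see whether changes were made only with company
authorization (or reported after the fact, within an agreed window, where
pre-approval was not feasible) and whether administrative access was
exercised only by accounts the company has approved.
"""
from datetime import datetime, timedelta

# Constructed: company-side approval records keyed by change ID.
# "approved_at" is when the company authorized the change in advance;
# "reported_at" is when the provider filed an after-the-fact report.
APPROVALS = {
    "CHG-101": {"approved_at": "2023-02-01T09:00", "reported_at": None},
    "CHG-102": {"approved_at": None, "reported_at": "2023-02-02T10:00"},  # emergency, reported promptly
    "CHG-103": {"approved_at": None, "reported_at": "2023-02-10T10:00"},  # reported far too late
}

# Constructed: provider's change log, one change per line, pipe-separated:
# timestamp|change ID|executing account|description
PROVIDER_CHANGE_LOG = """\
2023-02-01T14:30|CHG-101|svc-admin01|firewall rule update
2023-02-02T03:15|CHG-102|svc-admin02|emergency kernel patch
2023-02-03T11:00|CHG-103|svc-admin02|database schema change
2023-02-04T16:45|CHG-104|svc-admin03|new VPN gateway
"""

# Constructed: roster of provider administrative accounts the company approved.
APPROVED_ADMINS = {"svc-admin01", "svc-admin02"}

# Assumed contractual window within which an after-the-fact report is acceptable.
REPORTING_WINDOW = timedelta(days=2)


def _ts(s):
    return datetime.fromisoformat(s)


def parse_change_log(text):
    """Parse the pipe-separated provider change log into a list of dicts."""
    entries = []
    for line in text.strip().splitlines():
        when, change_id, actor, description = line.split("|")
        entries.append({"when": _ts(when), "id": change_id,
                        "actor": actor, "description": description})
    return entries


def reconcile_changes(entries, approvals, window=REPORTING_WINDOW):
    """Return (change_id, finding) pairs for changes lacking valid authorization.

    A change passes if it was approved before it was made, or if an
    after-the-fact report was filed no later than `window` after the change.
    """
    findings = []
    for e in entries:
        rec = approvals.get(e["id"])
        if rec is None:
            findings.append((e["id"], "no approval record"))
            continue
        if rec["approved_at"] and _ts(rec["approved_at"]) <= e["when"]:
            continue  # properly pre-approved
        if rec["reported_at"]:
            delay = _ts(rec["reported_at"]) - e["when"]
            if delay <= window:
                continue  # after-the-fact report filed within the agreed window
            findings.append((e["id"], f"after-the-fact report late by {delay - window}"))
            continue
        findings.append((e["id"], "change made before approval"))
    return findings


def unapproved_admin_activity(entries, roster=APPROVED_ADMINS):
    """Return IDs of changes executed by accounts outside the approved admin roster."""
    return [e["id"] for e in entries if e["actor"] not in roster]


if __name__ == "__main__":
    changes = parse_change_log(PROVIDER_CHANGE_LOG)
    for change_id, finding in reconcile_changes(changes, APPROVALS):
        print(f"{change_id}: {finding}")
    for change_id in unapproved_admin_activity(changes):
        print(f"{change_id}: executed by an account not on the approved admin roster")
```

Run against the constructed data, the script flags CHG-103 (reported outside the window), CHG-104 (no approval record at all) and CHG-104 again as executed by an account the company never approved; CHG-101 and CHG-102 pass. The same reconciliation can be pointed at the provider's periodic reports to give the auditor the objective, repeatable evidence the text calls for.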
By implementing both internal and external controls, companies can reduce the risk of IT-related issues in an outsourced environment and ensure a successful IT audit.
It is important to regularly review and update these controls to ensure they are effective in mitigating potential risks.