
Lesson B - 4 Ch02 Outsourcing The IT Function


OUTSOURCING THE IT FUNCTION
Chapter 2:
Auditing IT Governance Controls
• IT Governance
• Structure of the IT function
• Centralized data processing
• The Distributed Model
• The Computer Center operations
• Physical Location
• Construction
• Access
• Air Conditioning
• Fire Suppression
• Fault Tolerance
• Disaster Recovery Planning
• Identify Critical Applications
• Creating a Disaster Recovery Team
• Providing Second-Site Backup
• Outsourcing of IT Function
• Risks Inherent to IT Outsourcing
• Audit Implications of IT Outsourcing
Outline:
Outsourcing of IT Function
• Corporate IT Function Vs. Outsource IT Function
• Logic Underlying IT Outsourcing:
• Core Competency Theory
• Core Competency Theory & Transaction Cost Economics (TCE) Theory
• Commodity and Specific IT Assets
• Risks Inherent to IT Outsourcing
• Audit Implications of IT Outsourcing:
• Statement on Auditing Standard No. 70 (SAS 70)
• Learning Objective:
• Be familiar with the benefits, risks, and audit issues related to IT outsourcing.
• Reference:
• Pages 57 to 60 - Information Technology Auditing, 3rd Edition – by James Hall
Corporate IT Function Vs. Outsource IT Function
• Effective Corporate IT Function: Disadvantage - The costs, risks, and responsibilities are
significant.
• Option: Outsource IT functions to third-party vendors
• who take over responsibility for the management of IT assets and staff and for delivery of IT services, such
as data entry, data center operations, applications development, applications maintenance, and network
management.
• Benefits of IT outsourcing:
• improved core business performance
• improved IT performance (because of the vendor’s expertise)
• reduced IT costs.
• By moving IT facilities offshore to low labor-cost areas and/or through economies of scale (by combining the work of
several clients), the vendor can perform the outsourced function more cheaply than the client firm could have otherwise.
The resulting cost savings are then passed to the client organization.
• Many IT outsourcing arrangements involve the sale of the client firm’s IT assets—both human and machine—to the
vendor, which the client firm then leases back. This transaction results in a significant one-time cash infusion to the firm.
Logic Underlying IT Outsourcing:
Core Competency Theory
• The logic underlying IT outsourcing follows from Core Competency
Theory.

• Core Competency Theory:


• argues that an organization should focus exclusively on its core business
competencies, while allowing outsourcing vendors to efficiently manage the
non–core areas such as the IT functions.
• ignores an important distinction between commodity and specific IT assets.
Logic Underlying IT Outsourcing:
Core Competency Theory & Transaction Cost Economics (TCE) Theory

• Two (2) theories on the logic underlying IT outsourcing:


• 1) Core Competency Theory
• Makes a distinction between core and non-core competencies:
• Organization: should focus exclusively on its core areas
• Outsourcing vendors: Manage the non–core areas such as the IT functions.
• Ignores a distinction between commodity and specific IT assets.
• 2) Transaction Cost Economics (TCE) theory
• Based on commodity (not unique) and specific (unique) IT assets.
• Firms: should retain certain specific non–core IT assets in-house
• Reason: Specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.
• Therefore, if the organization should decide to cancel its outsourcing contract with the vendor, it may not be able to
return to its pre-outsource state.
• Supports the outsourcing of commodity assets
• Reason: Easily replaced or obtained from alternative vendors.
Logic Underlying IT Outsourcing:
Commodity and Specific IT Assets
Commodity IT assets (Not Unique)
• are not unique to a particular organization
• are thus easily acquired in the marketplace.
• include such things as:
• network management
• systems operations
• server maintenance
• help-desk functions
Specific IT assets (Unique)
• are unique to the organization and support its strategic objectives.
• have little value outside their current use.
• may be tangible (computer equipment), intellectual (computer programs) or human.
• include the following:
• systems development
• application maintenance
• data warehousing
• highly skilled employees trained to use organization-specific software.
Risks Inherent to IT Outsourcing
• 1) Vendor’s Failure to Perform
• 2) Vendor Exploitation
• 3) Outsourcing Costs Exceed Benefits
• 4) Reduced Security
• 5) Loss of Strategic Advantage
Risks Inherent to IT Outsourcing:
1) Vendor’s Failure to Perform
• Client’s specific IT assets performance becomes linked to the vendor’s
performance.

• Example Case: The negative implications of such dependency are illustrated
in the financial problems that have plagued the huge outsourcing vendor
Electronic Data Systems Corp. (EDS).
• In a cost-cutting effort, EDS terminated seven thousand employees, which impacted its
ability to serve other clients.
• Following an 11-year low in share prices, EDS stockholders filed a class-action lawsuit
against the company.
• Vendors experiencing such serious financial and legal problems threaten the viability of
their clients also.
Risks Inherent to IT Outsourcing:
2) Vendor Exploitation
• Dependency on the vendor: Once the client firm has divested itself of such specific
assets, it becomes dependent on the vendor.
• Large-scale IT outsourcing involves transferring to a vendor “specific assets,” such as the design,
development, and maintenance of unique business applications that are critical to an organization’s
survival.
• Specific assets, while valuable to the client, are of little value to the vendor beyond the immediate
contract with the client.
• This dependency may threaten the client’s long-term flexibility, agility, and competitiveness and
result in even greater vendor dependency.
• Raising Service Rates: The vendor may exploit this dependency by raising service rates to
an exorbitant level.
• Premium Incremental Services: As the client’s IT needs develop over time beyond the
original contract terms, it runs the risk that new or incremental services will be negotiated
at a premium.
Risks Inherent to IT Outsourcing:
3) Outsourcing Costs Exceed Benefits
• IT outsourcing has been criticized on the grounds that unexpected
costs arise and the full extent of expected benefits is not realized.
• One reason for this is that outsourcing clients often fail to anticipate the costs
of vendor selection, contracting, and the transitioning of IT operations to the
vendors.

• One survey revealed that 47 percent of 66 firms surveyed reported
that the costs of IT outsourcing exceeded outsourcing benefits.
Risks Inherent to IT Outsourcing:
4) Reduced Security
• Vendor’s Internal Control and Protection of Sensitive Personal Data: Information outsourced to offshore IT
vendors raises unique and serious questions regarding internal control and the protection of sensitive personal
data.
• Losing Control of Client’s Information: When corporate financial systems are developed and hosted overseas,
and program code is developed through interfaces with the host company’s network, U.S. corporations are at
risk of losing control of their information.
• Vendor’s Security Measures, Data-Access Policies, and Privacy Laws: To a large degree U.S. firms are reliant
on the outsourcing vendor’s security measures, data-access policies, and the privacy laws of the host country.
• For example, a woman in Pakistan obtained patient-sensitive medical data from the University of California Medical Center in
San Francisco.
• She gained access to the data from a medical transcription vendor for whom she worked.
• The woman threatened to publish the records on the Internet if she did not get a raise in pay.
• Terrorism in Asia and the Middle East raises additional security concerns for companies outsourcing
technology offshore.
• For example, on March 5, 2005, police in Delhi, India, arrested a cell of suspected terrorists who were planning to attack
outsourcing firms in Bangalore, India.
Risks Inherent to IT Outsourcing:
5) Loss of Strategic Advantage
• IT outsourcing may cause incongruence between a firm’s IT strategic planning and its
business planning functions.
• In a Corporate IT Function: Organizations that use IT strategically must align business
strategy and IT strategy or run the risk of decreased business performance.
• To promote such alignment, firms need IT managers and chief information officers (CIOs) who have a
strong working knowledge of the organization’s business.
• To accomplish such alignment necessitates a close working relationship between corporate
management and IT management in the concurrent development of business and IT strategies.
• In Outsourcing of IT Function: Difficult to accomplish when IT planning is geographically
redeployed offshore or even domestically.
• Because IT outsourcing depends upon the vendor achieving economies of scale, the vendor is naturally
driven toward seeking common solutions that may be used by many clients rather than creating unique
solutions for each of them.
• This is inconsistent with the client’s pursuit of strategic advantage in the marketplace.
Audit Implications of IT Outsourcing
• What to outsource?
• Can outsource: Management’s IT functions
• Cannot outsource: Management responsibilities for ensuring adequate IT internal controls.
• The internal controls over the outsourced services reside at the vendor location.

• Who will audit?


• Audit client’s (outsourcer) auditor, either
• Conduct an evaluation of the vendor organization’s controls, or
• Obtain a SAS No. 70 auditor’s report from the vendor’s auditor
• not compelled to test the vendor’s controls
• Vendor’s (auditee) auditor
• Expresses an opinion and issues a SAS 70 report on the control adequacy.
Audit Implications of IT Outsourcing:
Statement on Auditing Standard No. 70 (SAS 70)
• SAS 70 - is the definitive standard by which client organizations’
auditors can gain knowledge that controls at the third-party vendor
are adequate to prevent or detect material errors that could impact
the client’s financial statements.
• SAS 70 report
• is prepared by the vendor’s auditor, attests to the adequacy of the vendor’s
internal controls.
• This is the means by which an outsourcing vendor can obtain a single audit
report that may be used by its clients’ auditors and thus preclude the need for
each client firm auditor to conduct its own audit of the vendor organization’s
internal controls.
Audit Implications of IT Outsourcing:
Statement on Auditing Standard No. 70 (SAS 70)
• Service provider auditors issue two types of SAS 70 reports:
• 1) SAS 70 Type I report
• is the less rigorous of the two and comments only on the suitability of the
controls’ design.
• Because Section 404 requires the explicit testing of controls, SAS 70 Type I
reports are of little value in a post-SOX world.
• 2) SAS 70 Type II report
• goes further and assesses whether the controls are operating effectively
based on tests conducted by the vendor organization’s auditor.
• The vast majority of SAS 70 reports issued are Type II.
Audit Implications of IT Outsourcing:
Statement on Auditing Standard No. 70 (SAS 70)
• The outsourcing vendor serves clients 1, 2, 3, and 4
with various IT services.
• The internal controls over the outsourced services
reside at the vendor location.
• They are audited by the vendor’s auditor, who
expresses an opinion and issues a SAS 70 report on the
control adequacy.
• Each of the client firms is audited by different auditors
A, B, C, and D, respectively, who as part of their
respective audits, rely on the vendor’s SAS 70 report
and are thus not compelled to individually test the
vendor’s controls.
• Given that a vendor may have hundreds or even thousands
of clients, individual testing under SOX would be highly
disruptive to the vendor’s operations, costly to the client,
and impractical.
Figure 2.8 illustrates how a SAS 70 report works in relation to the
vendor, the client firms, and their respective auditors.
Videos to Watch
• Outsourcing: Is it good or bad? https://www.youtube.com/watch?v=7qeehDLYa8g
• Why Outsource? https://www.youtube.com/watch?v=aqhjNJkvC9w
• Blockchain and the future of audit
https://www.youtube.com/watch?v=URjWivgtaRo
• KPMG | The audit is changing (Data Analytics)
https://www.youtube.com/watch?v=O1HZYjBAooc
• Data analytics in audit https://www.youtube.com/watch?v=6qPZJfe5jXc
• What is Audit Data Analytics https://www.youtube.com/watch?v=9hLaSNkFkNI
• What is Audit? https://www.youtube.com/watch?v=pkKO9ZNyOIc
• Future of Audit - Technologies that will change the future of the Audit
https://www.youtube.com/watch?v=uIcSfDdyQGc
Summary
• The disadvantage of an effective corporate IT function is that its costs, risks, and responsibilities
are significant. Thus, the option is to outsource IT functions to third-party vendors.
• The logic underlying IT outsourcing follows from Core Competency Theory, which argues that an
organization should focus exclusively on its core business competencies, while allowing outsourcing
vendors to efficiently manage the non–core areas such as the IT functions.
• But Transaction Cost Economics (TCE) theory, which is based on commodity (not unique) and specific
(unique) IT assets argues that firms should retain certain specific non–core IT assets in-house and it
supports the outsourcing of commodity assets.
• The risks inherent to IT outsourcing are Vendor’s Failure to Perform, Vendor Exploitation, Outsourcing
Costs Exceed Benefits, Reduced Security, and Loss of Strategic Advantage.
• The audit implication of IT outsourcing is that management may outsource its organization’s IT
functions, but it cannot outsource its management responsibilities under SOX for ensuring adequate
IT internal controls. Thus, Statement on Auditing Standard No. 70 (SAS 70), which is issued by the
outsourcer’s or vendor’s auditor, attests to the adequacy of the vendor’s internal controls.
