Audit Program: Outsourcing

The Information Systems Audit and Control Association & Foundation
www.isaca.org

OUTSOURCING AUDIT PROGRAM & INTERNAL CONTROL QUESTIONNAIRE

The Information Systems Audit and Control Association & Foundation
With more than 22,000 members in more than 100 countries, the Information Systems Audit and Control Association® (ISACA™) is
a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation attained by more than 23,000
professionals worldwide, and develops globally-applicable Information Systems (IS) Auditing and Control Standards. An affiliated
Foundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, an offshoot of the
Association, sponsors a new web site dedicated to the theory and practice of IT governance for the purpose of ensuring that IT
activities achieve business objectives.
Purpose of These Audit Programs and Internal Control Questionnaires
One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on outsourcing and various eBusiness topics for member use through the GIR.
These products are intended to provide a basis for audit work.
The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or
applicable to all organizations. They should be used as a starting point to build upon based on an organization’s constraints, policies,
practices and operational environment.
Control Objectives for Information and Related Technology
COBIT® has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and
control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.
Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional
development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for
that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of
members in the conduct of their practices.
October 2000
Outsourcing
Page ____ of ____
Introduction
Outsourcing is the process by which an organization contracts services that augment functionality and/or
operations. Reasons for outsourcing vary from downsizing to sharing expertise. In any event the result of
sharing functionality is sharing assets in the form of information and data as well as any shared resources. The
audit focus is on the agreement and it should be noted that without an agreement, the audit of an outsourced
function/operation may not be possible. The agreement review must take place before the deal is consummated,
and not after. This can mean the difference between a successful outsource venture and one which becomes a
major aggravation from which the organization cannot easily remove itself.
The work that needs to be performed with respect to outsourcing should be discussed up front, since the Audit
Department would have a key role to play. This discussion should include:
 How to determine what should be outsourced
 The various alternatives with respect to outsourcing (outsource, cosource, application rental)
 Reasons for outsourcing
 Key aspects of the outsourcing project (communication, staff transfer, asset transfer, etc.)
 Key components of the contract
 What comprises the contract and what will be handled outside the contract.
 Contract cancellation issues as part of the up front agreement
 Performance – increasing improvement expectations, etc.
The outsource contract is critical: if improperly prepared and structured, it can hurt an organization severely by putting
it at a competitive disadvantage. It is for this reason that the Audit Department must be involved at the front end of the
process and not serve as a reviewer after the fact.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and
steps are included. For more information on COBIT Third Edition, including free downloads, please visit
ISACA’s web site at http://www.isaca.org/cobit.htm
Audit Objectives
COBIT Control Objective
Control over the process of managing third-party services that satisfies the business requirement to ensure that
roles and responsibilities of third parties are clearly defined, adhered to and continue to satisfy requirements is
enabled by control measures aimed at the review and monitoring of existing contracts and procedures for their
effectiveness and compliance with organization policy.
Functional Objectives
1. Data integrity, availability and confidentiality requirements, in accordance with business needs, are determined by
senior management via policy and are maintained and contractually supported in any outsource arrangement.
2. Asset protection requirements are clearly defined and understood by the principals in any outsource
agreement. Data and information custodial responsibilities are well defined and complied with.
3. Service levels are acceptable (When considering Outsourcing, COBIT’s process DS1 Define and Manage
Service Levels is important. Therefore, reference and content should be included in the Internal Control
Questionnaire)
4. Billings and invoices are accurate and costs are within budgeted amounts.
AUDIT PROGRAM

For each audit step the work paper records: Completed By/Date; Test Results, Remarks, W/P Ref.; Auto. Tool used; COBIT
Reference. The COBIT references given on the program are shown in parentheses after the section to which they apply.

A. Prior Audit/Examination Report Follow Up (COBIT Reference: M1, M4)
 Review prior report and verify completion of any agreed-upon corrections. Note remaining deficiencies.
 Perform benchmarking of third party services.

B. Preliminary Audit Steps (COBIT Reference: DS2)
 Review outsourcing policies and contract requirements.
 Obtain a list of all current third party contracts and compare to vendor list. Determine scope of your review and
select contract(s) for testing.
 Review organization-wide procedures relating to purchased services and third party vendor relationships.

C. Detailed Audit Steps

Management and Planning (COBIT Reference: DS1, DS2)
 For each contract selected: review contract content for all requirements (see Internal Control Questionnaire, ICQ).
 Review transition plans for completeness and involvement from all affected areas. Assure that a baseline analysis was
performed to support the need for outsourcing.
 Review organizational and vendor constraints.
 Review any risk assessment methodology used in deciding to outsource.
 Review the vendor selection process.
 Review project plans for completeness against existing project management standards.
 Review costing and payment processes.
 Review technical support procedures.

Security
 Review outsourcer’s contingency plans and back-up procedures for adequacy.
 Review outsourcer’s access control practices as they relate to our information assets.
 Review termination procedures for vendors, contractors and subcontractors. Determine access is cut off when
appropriate.
 Review access control processes for applicable:
- Operating System
- Application System(s)
- Networks
- Remote Access
 Review assignment of technology inventory to contractors.
 At the outsourcer location(s), review physical security controls including access issuance, administration and
maintenance.

Administrative
 Review billings, payables and disbursements for accuracy and compare to budget, noting significant variances.
 Review internal procedures to monitor outsourcer’s performance.
 Review outsourcer’s purchase options (if applicable).
INTERNAL CONTROL QUESTIONNAIRE

Completed By:                Date:

For each question, record the response (YES / NO / N/A). The COBIT reference is shown in parentheses after each question
where the questionnaire gives one.

Management and Planning
 Are management requirements and expectations clearly defined in the contract? (DS2)
 Do policies regarding purchased services, and in particular third party vendor relationships, exist? (DS2)
 Do clearly defined benefits and business purposes exist to support the decision to outsource? (DS2)
 Have prospective outsourcers been reviewed regarding:
- R&D expenditures?
- Ability to listen to need and not dictate direction?
- Flexibility to need?
- Support in worldwide endeavors?
- Presence in applicable industry(ies)?
- Sufficient technological expertise?
- Ability to handle problems?
- Current resource performance levels?
 Were vendor selection processes followed? (DS2)
 Do contract reviews and approval processes exist and were they followed? (DS2)
 Does the outsourcing contract content include the following? (DS2)
- Formal management and legal approval?
- Legal entity providing services?
- Detail of services provided?
- Service level agreements:
  - Quantitative?
  - Qualitative?
- Costs of services?
- Payment requirements and frequencies?
- Problem resolution process?
- Penalties for non-performance?
- Dissolution process?
- Agreement modification process?
- Reporting procedures:
  - Content?
  - Frequency?
  - Distribution?
- Roles and responsibilities of principals?
- Business continuity processes?
- User/provider communications process and frequency?
- Duration of contract?
- Appropriate access levels defined and provided to vendor(s)?
- Security requirements?
- Non-disclosure guarantees?
- Right to access and right to audit?
 Are transition plans, with completed requirements from all affected entities, completed? (baseline analysis) (DS2)
 Were existing contractual impacts considered? (DS2)
  e.g.:
  - labor
  - business partners
  - other _____________________________
 Have all costs been identified? (DS2)
  e.g.:
  - transfer of objects
  - construction
  - indirect
  - cost shifting
  - other
 Have all technical expertise requirements been identified and obtained? (DS2)
 For the operation/function to be outsourced, can the vendor support location dispersion where applicable? (DS2)
 Are project plans used for the management of outsourcing transitions? Do they contain: (DS2)
- Contingency plans?
- Training plans?
- Clear definition of:
  - HW requirements?
  - SW requirements?
  - Service levels?
  - Error handling procedures?
  - Legal issues?
 Are warranties provided or given? If yes, detail in Work Papers. (DS2)
 Are we compliant to warranty requirements? (DS2)
 Are customer service levels defined? (DS2)
 Does the service level agreement include: (DS1)
- Definition of service?
- Cost of service?
- Quantifiable minimum service level?
- Level of support from information services function?
- Availability, reliability, capacity for growth?
- Disaster recovery/contingency planning?
- Security requirements?
- Change procedure for any portion of the agreement?
- Written and formally approved agreement between provider and user of service?
- Effective period and new period review/renewal/non-renewal?
- Content and frequency of performance reporting and payment for services?
- Realistic charges compared to history, industry, best practices?
- Calculation for charges?
- Service improvement commitment?
 Are responsibilities of users and providers defined? (DS1)
 Has the outsourced function/operation allowed customer service levels to be maintained or improved? (DS2)
 Has competitive advantage been achieved due to this outsourcing arrangement? (List all selected) (DS2)
______________________________________________________
______________________________________________________
______________________________________________________
______________________________________________________
 Is costing flexible in the agreements? (i.e. if the term of the agreement is 10 years, are costs adjustable because the
cost of technologies reduces quickly?) (DS2)
 Have responsibilities for maintenance and technical support been clearly defined? (DS2)

Security
 Are security requirements clearly defined in the contract? (DS2)
 Do clear practices exist for access elimination when terminations and/or transfers occur? (DS2)
 Does the outsourcer have adequate back-up procedures? (DS2)
 Does the outsourcer have adequate logical access control? (DS2)
 Does the outsourcer have adequate physical access controls and administration and maintenance? (DS2)
 Are technology resources properly assigned and recorded to vendors/contractors from inventory records, such as on PCs,
software and licenses? (DS2)
 Does the outsourcer properly segregate access to our data from other clients? (DS2)
Administrative
 Are billings and payables verified to the contract for validity? (DS2)
 Is vendor performance monitored? (DS2)
 Are technology purchase options monitored closely? (DS2)