
Informatica Economică vol. 14, no. 1/2010, 113

Risks and Audit Objectives for IT Outsourcing

Claudiu BRÂNDAŞ
West University of Timisoara, Faculty of Economics and Business Administration
[email protected]

In recent years, as a result of globalization and of Internet and IT progress, the outsourcing of IT services has seen exponential growth. As a result, more and more companies decide to outsource, partially or totally, their IT services. Nevertheless, the outsourcing process exposes both clients and service providers to a series of risks that can seriously affect their activities. Managing these risks by improving the quality and efficiency of internal control has made the ITO audit a necessary component for all the companies involved in this process. The goal of this paper is to identify, analyze and map the influence areas of ITO risks in order to suggest a series of objectives for ITO audit.
Keywords: Information Technology, Outsourcing, Audit, Risks, Service Provider

1 Introduction
Outsourcing is becoming an essential component for most businesses today. The globalization of the business environment enabled an expansion of outsourcing activities. This new economic context stimulated many companies to reposition themselves into the service sector.
In this respect, the development of IT services outsourcing (ITO) has seen a progressive evolution.
The two aspects of the global economy influencing the growth of IT outsourcing are: (1) the tendency to relocate productive processes where production factors are less expensive [11]; (2) the growing acceptance of the Internet as a means of intra- and inter-organizational communication [17].
At the end of the last century, IT services outsourcing had become a consolidated industry worldwide, with an average turnover of $100 billion [9]. The service range has extended to incorporate both traditional IT services and infrastructure operations such as:
• software development;
• applications support and maintenance;
• ERP system implementation and customization;
• operations, database, system security and network administration;
• Internet hosting;
• cloud computing service provision.
IT outsourcing decisions are based on the following factors [4]:
• The IT department's effectiveness and efficiency. Management might consider that the IT department is not working properly and might decide to outsource this function to an external provider. Research has shown that there is no direct correlation between the amount of money a company spends on IT and its profitability. The IT department must work together with all departments in a company in order to ensure that all IT systems contribute effectively to the company's goals.
• The IT department's authority within the organization could also impact the outsourcing decision. Generally, the head of the IT department resists the outsourcing decision because it will cost his or her job and those of other employees.
• The financial situation of a company might be considered the driving force behind outsourcing decisions.
• The way in which IT is perceived by accounting. If IT is treated as a fixed cost, all the other departments of the company will perceive these services as free of charge. Outsourcing might modify these perceptions and might bring some discipline into the evaluation of the IT system.
• The transference of risk. Many managers believe that if they outsource one or more IT services, they transfer some of the risks associated with these services.
• The company structure might affect outsourcing decisions.
• Culture, national and organizational, might affect outsourcing decisions.
IT outsourcing can generate significant financial and functional advantages for a company. However, this decision could imply increased internal and external risks for the organization. These risks occur at the client level as well as at the service provider level. ITO risk identification and evaluation, together with the development of control functions to minimize those risks, represents a main objective for the management of the companies involved. In order to ensure proper administration on the client and supplier side and that the system performs at the optimal level, more and more companies use ITO audit.
ITO audit can be defined as an activity of gathering and evaluating samples of the client/supplier information system in order to determine whether: contractual terms are clearly defined and complied with; outsourced processes and data are secured; legal aspects are considered and complied with; the outsourcing decision process complies with the organization's strategy.
In the second section of this paper we conduct an analytical review of the existing literature regarding ITO audit and ITO risks. In the third section we present the research methodology. In the fourth part we identify and discuss ITO risks and their determinant factors in the areas of influence. In the fifth part we discuss ITO audit objectives. The last part presents our conclusions based on the research we have conducted.

2 Literature review
The strategic importance of IT services outsourcing led the managerial and academic literature to focus on this subject. Research on IT outsourcing (ITO) has examined multiple aspects of the phenomenon, from the reasons why organizations outsource to the long-term consequences of outsourcing from both client and supplier perspectives. The main aspects approached are [3]: (1) motivations of IT services outsourcing, (2) the relationships between client and IT services provider, and (3) internal and external factors impacting the decision-making process. Summarizing the current research on the importance of ITO risk analysis, the following questions arise:
• What are the risks of IT outsourcing?
• What is the impact of every risk factor?
• How are IT outsourcing risks mitigated?
The literature on ITO risk analysis identifies several risk factors and risk mitigation strategies. According to Lacity, Khan and Willcocks [16], the most cited paper on ITO risks is by Earl [8], who discusses eleven risks of IT outsourcing: possibility of weak management, inexperienced staff, business uncertainty, outdated technology skills, endemic uncertainty, hidden costs, lack of organizational learning, loss of innovative capacity, dangers of an eternal triangle, technology indivisibility, and fuzzy focus. Considering these factors, the literature discusses several risk mitigation strategies. Some authors analyze risk mitigation on a general level, such as: signing short-term contracts [15], engaging multiple suppliers [5], outsourcing standard IT services for which there are many suppliers capable of delivering good services [1], [7], [14], and insourcing highly specific assets [21]. Others outline the risks specific to certain types of outsourcing, such as application service provision or offshore outsourcing. Kern, Willcocks and Lacity [13] examine specific risks and risk mitigation strategies for application service provision. Sakthivel [19] identifies eighteen risks and risk control mechanisms specific to offshore systems development.
Another approach is to develop specific frameworks for ITO risk analysis. Thus Kern and Willcocks [12] developed a framework for IT outsourcing risk analysis with "relational due diligence" in risk mitigation. The fuzzy framework for risk assessment developed by Mathew [18] could be applied to assess the risk of clients as well as of service providers. Mathew identifies some key risk indicators in IT outsourcing; these are mapped to an output risk category through a fuzzy inference engine.
Analyzing the current research studies, it can be inferred that in most cases academic research has paid more attention to client-side issues than to supplier-side issues in ITO risks.
Regarding the audit and control of IT outsourcing, the academic and managerial literature offers very few references. Most authors limited their studies to ITO risk analysis. However, a few authors have covered some aspects of ITO audit [20]. Besides academic research, professional associations have had a major impact on the study of ITO audit and control. One of the most notable works in this area is the "Outsourced IT Environments Audit/Assurance Program" from ISACA (Information Systems Audit and Control Association) [25]. According to ISACA, this program was designed and created primarily as an informational resource for audit and assurance professionals. Another ISACA publication, the COBIT (Control Objectives for Information and related Technology) guide, makes a series of references to ITO in the context of organizational internal control [25].
Likewise, the IIA (The Institute of Internal Auditors) has published a study regarding ITO in the context of internal audit and control [26]. This study describes how outsourcing activities should be managed by implementing well-defined plans that are supported by a company-wide risk, control, compliance, and governance framework. According to the IIA, this study offers the chief audit executive (CAE), internal auditors, and management information on the types of IT outsourcing activities and the IT outsourcing lifecycle.

3 Research Methodology
Consistent with current research, this study analyses the risks and characteristic factors of ITO by grouping them into areas of influence and identifying the ITO audit objectives. This study has a qualitative approach and is mainly based on previous research on the topic and on case studies.

4 IT Outsourcing Risks
The rapid development of IT outsourcing has recently led to a more profound risk analysis regarding ITO. This in-depth analysis has shown a direct correlation between the amount of outsourced IT services and the risks to which an organization can be exposed [10]. Moreover, the nature and complexity of these services have a direct influence on ITO risks. Therefore it is very important that IT audit correctly identifies, labels and estimates the impact of ITO risks.
Our paper focuses on identifying the most important ITO risks. For a better understanding, we correlate ITO risks with their influencing factors and with their area of influence. As area of influence we denote the client and the service provider (or supplier). This correlation allows us to group the ITO risks in three categories:
• Mixed ITO risks (specific to both the client and the supplier).
• Client-specific ITO risks.
• Supplier-specific ITO risks.
Mixed ITO risks are: violation of contractual terms, which will create a conflict between the parties; legal consequences; impossibility to adapt to new technologies.
Client-specific ITO risks are: provider's lack of compliance with the contract; unexpected increase in outsourcing costs; losing data privacy for the outsourced services; total dependence / exit barriers.
For supplier-specific ITO risks, according to Das Aundhe and Mathew (2009) [6], the risks can be grouped into three categories: project specific, relationship specific and macroeconomic. Project-specific risks include risks generated by project delivery. This category covers risks due to (mis)management of schedule and budget, client expectations, requirements capture, knowledge transfer and staffing. Relationship-specific risks for service providers include structural changes in an organization, cultural differences and the client's opportunistic behavior. Macroeconomic risks occur due to exchange rate fluctuations and changes in government policies. Table 1 summarizes the correlation between ITO risks, areas of influence and influencing factors.

Table 1. ITO risks, areas of influence and determinant factors
(Each entry gives the area of influence, the risk, and the determinants of that risk.)

Client / Supplier: Violation of contractual terms which will create a conflict between the parties [2], [14]
• Unclear contractual terms regarding roles and responsibilities
• Lack of experience and expertise of the client and/or of the supplier with outsourcing contracts [8]
• Insufficient knowledge of legislation

Client / Supplier: Legal consequences [22]
• Change in government policies [6]
• Contractual terms

Client / Supplier: Impossibility to adapt to new technologies
• Inability of the client's employees to adapt to new technologies
• Implementation failure of the supplier's new technologies
• Supplier financial stability [8]

Client: Provider's lack of compliance with the contract [10]
• Lack of experience and expertise of the supplier with the activity [8]
• Complexity of the outsourced activities
• Insufficient understanding of client needs [6]

Client: Unexpected increase in outsourcing costs [8], [14], [3]
• Lack of experience and expertise of the client with contract management [8], [14]
• Lack of experience and expertise of the supplier with the activity [8]
• Complexity of the outsourced activities
• Transition costs incurred by switching suppliers [3]

Client: Losing data privacy for the outsourced services [22]
• Unclear contractual terms regarding data privacy
• Impossibility for the internal audit to supervise all the functions and processes of the service provider for the outsourced IT services
• Lack of security management in the supplier's systems [22]

Client: Total dependence / exit barriers [22]
• Small number of suppliers
• Asset specificity

Supplier: Inadequate requirements capture [6]
• Inadequate communication with the customer
• Lack of experience and expertise of the supplier with the activity [8]
• Lack of experience and expertise of the client with the activity [8], [14]
• Lack of system development technology
• Ambiguity in requirements gathering

Supplier: Inadequate staffing
• Supplier size [8]
• Lack of competent employees

Supplier: Difficulties in client relations
• Changes in the client's corporate structure [6]
• Engaging with an inexperienced client
• Client culture
• Client size

Supplier: Supplier lock-in
• The client's activity is very specific
• The client accounts for more than 70% of the supplier's business

In the context of the presented risks, the auditor must evaluate and quantify as many of these risks as possible. This task should be done regardless of whether the audit is internal or external.

5 Audit objectives of IT Outsourcing
The literature review has emphasized a considerable discrepancy between ITO risk analysis and ITO audit and control. We consider that efficient and effective risk analysis and risk mitigation strategies can be accomplished only with the support of ITO audit (internal or external). The arguments supporting our statement are: (1) risk management and risk mitigation for a company that has outsourced some or all of its IT services must be made effective through appropriate controls; (2) assurance of compliance with contractual terms and that the services are provided under good conditions; (3) effectiveness of ITO security management; (4) assurance of ITO compliance with the organization's business strategy.
According to ISACA, the main objectives of the ITO review are to [25]:
• Provide management with an independent assessment of the IT outsourcing process relating to the attainment of outsourcing objectives, compliance with the terms and conditions of the outsourcing contract, the accuracy of billing, and successful remediation of issues identified during the execution of business processes;
• Provide management with an evaluation of the internal controls affecting business processes relating to the activities outsourced and internal processes affected by the outsourcing.
ITO has become a very important resource for business worldwide; therefore many governments and professional associations are beginning to understand the strategic role of this process. This new understanding of ITO processes triggered a series of changes in professional audit standards, which specify audit guidelines for all the parties involved in an ITO process. For example, AICPA's SAS 70 has become a widely recognized standard and indicates that a supplier has had its control objectives and activities examined by an independent accounting and auditing firm.
At the organization level, ITO audit can be included not only in the internal audit process but also in the external audit process. Moreover, ITO audit can be extended from the client to the service provider. Regardless of his or her position, the auditor must focus on evaluating the particular risks of the audited area and testing the effectiveness and efficiency of the deployed controls.
Considering the multitude of ITO risks and the role of IT audit in this process, Table 2 presents the major objectives of ITO audit. For a better understanding we separate these objectives into the client area and the supplier area.
For each of the above mentioned objectives, the auditor may develop a series of questionnaires and work procedures according to the nature and the scope of the audited topic. Several help guides and specific ITO software were developed among the auditor communities, such as ISACA's "Outsourced IT Environments Audit/Assurance Program" and IIA's "Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing".

Table 2. ITO audit objectives

Client area:
• Outsourcing decision process
• Service provider selection and evaluation
• Forecasting outsourcing cost
• Outsourcing contract and SLA (Service-Level Agreement)
• Budget allocation and execution
• Communication with service provider
• Reliance on service provider
• Monitor provider's service execution and performance
• Managing risks in client/service provider relationship
• Impact on IT strategy

Supplier area:
• The analysis of the client requirements in the pre-contractual phase
• The outsourcing contract and SLA (Service-Level Agreement)
• Control tools and system security
• Analysis and implementation of client requirements
• SDLC controls
• Delivery of services and client satisfaction monitoring
• Personnel selection, training and performance monitoring
• Client dependency
• Change management
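
Two of the objectives in Table 2, "Outsourcing contract and SLA" and "Monitor provider's service execution and performance", together with ISACA's "accuracy of billing" objective, can be tested by re-performing the provider's monthly SLA report from its own incident export rather than accepting the reported figure. The script below is an added example and is not code from the paper, from ISACA or from the IIA guides; the availability target, the Sunday 02:00-04:00 UTC maintenance window, the credit tiers, the monthly fee and the incident records are all constructed assumptions standing in for what an auditor would read from the signed contract and the provider's ticketing system.

```python
"""Auditor re-performance of a provider's monthly availability SLA report.

Added example; the SLA terms and the incident export are constructed
(assumed) values, not figures from the paper or from any real contract.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed SLA terms (assumed): 99.9% availability per calendar month,
# agreed maintenance window Sundays 02:00-04:00 UTC, tiered service credits.
AVAILABILITY_TARGET = 99.9
CREDIT_TIERS = [(99.9, 0.0), (99.5, 5.0), (99.0, 10.0), (0.0, 25.0)]  # (floor %, credit % of fee)
MONTHLY_FEE = 40000.00
MARCH_2010_MINUTES = 31 * 24 * 60


@dataclass
class Incident:
    ticket: str
    start: datetime
    end: datetime
    provider_class: str  # how the provider labelled it: "outage" or "maintenance"

    @property
    def minutes(self) -> int:
        return int((self.end - self.start).total_seconds() // 60)


# Constructed provider ticketing export (ticket,start,end,class), all times UTC.
PROVIDER_EXPORT = """\
INC-1001,2010-03-02T09:15:00,2010-03-02T09:30:00,outage
INC-1002,2010-03-07T02:10:00,2010-03-07T03:40:00,maintenance
INC-1003,2010-03-15T22:00:00,2010-03-16T00:30:00,maintenance
INC-1004,2010-03-21T02:30:00,2010-03-21T05:00:00,maintenance
INC-1005,2010-03-28T13:00:00,2010-03-28T13:10:00,outage
"""


def parse_export(text: str) -> List[Incident]:
    incidents = []
    for line in text.strip().splitlines():
        ticket, start, end, cls = line.split(",")
        incidents.append(Incident(ticket, datetime.fromisoformat(start),
                                  datetime.fromisoformat(end), cls))
    return incidents


def in_maintenance_window(t: datetime) -> bool:
    """Contractual exclusion window: Sunday 02:00-04:00 UTC (assumed)."""
    return t.weekday() == 6 and 2 <= t.hour < 4


def split_downtime(inc: Incident) -> Tuple[int, int]:
    """Return (excluded, counted) minutes for one incident.

    A 'maintenance' label only excludes the minutes that actually fall inside
    the agreed window; the rest count as downtime. Evaluated minute by minute
    so incidents that straddle the window or midnight are handled correctly.
    """
    excluded = counted = 0
    t = inc.start
    while t < inc.end:
        if inc.provider_class == "maintenance" and in_maintenance_window(t):
            excluded += 1
        else:
            counted += 1
        t += timedelta(minutes=1)
    return excluded, counted


def availability_pct(total_minutes: int, excluded: int, counted: int) -> float:
    scheduled = total_minutes - excluded  # agreed maintenance leaves the denominator
    return 100.0 * (scheduled - counted) / scheduled


def service_credit_pct(availability: float) -> float:
    for floor, credit in CREDIT_TIERS:
        if availability >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def audit_month(incidents: List[Incident], total_minutes: int,
                fee: float, credit_applied: float) -> Dict:
    # Provider's own method: every 'maintenance' ticket is excluded in full.
    prov_excl = sum(i.minutes for i in incidents if i.provider_class == "maintenance")
    prov_down = sum(i.minutes for i in incidents if i.provider_class != "maintenance")
    provider_avail = availability_pct(total_minutes, prov_excl, prov_down)

    # Auditor's re-performance against the contractual window.
    excl = down = 0
    misclassified = []
    for inc in incidents:
        e, c = split_downtime(inc)
        excl += e
        down += c
        if inc.provider_class == "maintenance" and c > 0:
            misclassified.append(inc.ticket)
    audited_avail = availability_pct(total_minutes, excl, down)
    credit_due = fee * service_credit_pct(audited_avail) / 100.0
    return {
        "provider_availability": provider_avail,
        "audited_availability": audited_avail,
        "target_met": audited_avail >= AVAILABILITY_TARGET,
        "misclassified": misclassified,
        "credit_due": credit_due,
        "credit_applied": credit_applied,
        "billing_gap": credit_due - credit_applied,
    }


if __name__ == "__main__":
    result = audit_month(parse_export(PROVIDER_EXPORT), MARCH_2010_MINUTES,
                         MONTHLY_FEE, credit_applied=0.0)  # invoice carried no credit
    for key, value in result.items():
        print(f"{key:>22}: {value}")
```

On the constructed data the provider's report shows the target met, because it excludes every ticket it labelled "maintenance"; the re-performance finds two of those tickets wholly or partly outside the agreed window, an availability below the second credit tier, and a service credit that the invoice never applied. That is the kind of finding the contract/SLA and billing-accuracy objectives are meant to produce, and the same procedure applies to any other SLA metric whose exclusions are defined in the contract.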

In the context of the present study the most important audit objectives are: the outsourcing contract and the SLA (both client and supplier area) and the control procedures and system security (supplier area). These three objectives are the most relevant for this study and cover the majority of the possible risks. However, the other objectives should not be ignored, since the auditor has to develop his or her working tools to fit the nature and the scope of the audit mission.

6 Conclusions
The outsourcing of IT services is and will remain a major component of the business world. The expansion of ITO can be seen as a natural effect of globalization and of the exponential growth of the Internet and IT. Thus more and more companies find financial and functional incentives to outsource, partially or totally, their IT services. However, the outsourcing decision exposes companies to a series of new risks that need to be analyzed. The outsourcing-related risks can have a substantial influence on both the client's and the service provider's activities. Therefore it is very important for both parties to ensure a very solid ITO risk management policy as well as a thorough ITO audit. In this context we consider that the client can have more confidence in a service provider who has been audited by an external IT auditor.
In this paper we tried to identify the major risks associated with IT outsourcing and to focus the risk analysis on two dimensions: client and service provider. Based on the risk categories that we have identified, we tried to present the main objectives of an ITO audit so that an auditor could test and evaluate the efficiency and effectiveness of the controls.
Our goal is to underline the fact that ITO audit has a positive impact on risk mitigation and on the quality of internal control. Moreover, we tried to analyze the nature and the variety of ITO risks in order to suggest a series of objectives for ITO audit.

References
[1] U. Apte, M. Sobol, S. Hanaoka, T. Shimada, T. Saarinen, T. Salmela and A. Vepsalainen, "IS outsourcing practices in the USA, Japan, and Finland: a comparative study," Journal of Information Technology, Vol. 12, 1997, pp. 289–304.
[2] B. A. Aubert, M. Patry and S. Rivard, "A Tale of Two Outsourcing Contracts," Cahier du GreSI, 97-05, 1997.

[3] J. Barthélemy and D. Geyer, "An empirical investigation of IT outsourcing versus quasi-outsourcing in France and Germany," Information & Management, Vol. 42, No. 4, 2005, pp. 533–542.
[4] I. Boldea and C. Brandas, "Some considerations about IT Outsourcing process," MPRA - Munich Personal RePEC Archive, 2007.
[5] W. Currie, "Using multiple suppliers to mitigate the risk of IT outsourcing at ICI and Wessex Water," Journal of Information Technology, Vol. 13, 1998, pp. 169–180.
[6] Das Aundhe and S. K. Mathew, "Risks in offshore IT outsourcing: A service provider perspective," European Management Journal, No. 27, 2009, pp. 418–428.
[7] L. A. De Loof, "Information systems outsourcing decision making: a framework, organizational theories and case studies," Journal of Information Technology, No. 10, 1995, pp. 281–297.
[8] M. Earl, "The risks of outsourcing IT," Sloan Management Review, Vol. 37, No. 3, 1996, pp. 26–32.
[9] E. Gelbstein, "Outsourcing," International Computing Center, United Nations, Encyclopedia of Information Systems, Vol. 3, 2003.
[10] R. Gonzales, J. Gasco and J. Llopis, "Information systems outsourcing risks: a study of large firms," Industrial Management & Data Systems, Vol. 105, No. 1, 2005, pp. 45–62.
[11] R. Heecks et al., "Synching or sinking? Global software outsourcing relationships," IEEE Software, Vol. 18, No. 2, 2001, pp. 54–60.
[12] T. Kern and L. P. Willcocks, "The Relationship Advantage," Information Technologies, Sourcing and Management, Oxford University Press Inc., New York, 2001.
[13] T. Kern, L. Willcocks and M. Lacity, "Application service provision: risk assessment and risk mitigation," MIS Quarterly Executive, Vol. 1, No. 2, 2002, pp. 113–126.
[14] M. Lacity, R. Hirschheim and L. Willcocks, "Realizing outsourcing expectations," Information Systems Management, Vol. 11, No. 4, 1994, pp. 7–18.
[15] M. Lacity and L. Willcocks, "An empirical investigation of information technology sourcing practices: lessons from experience," MIS Quarterly, Vol. 22, No. 3, 1998, pp. 363–408.
[16] M. C. Lacity, S. A. Khan and L. P. Willcocks, "A review of the IT outsourcing literature: Insights for practice," Journal of Strategic Information Systems, No. 18, 2009, pp. 130–146.
[17] N. Marchand and H. A. Jacobsen, "An economic model to study dependencies between independent software vendors and application service providers," Electronic Commerce Research, Vol. 1, No. 3, 2001, pp. 315–334.
[18] S. K. Mathew, "Understanding risk in IT outsourcing, a fuzzy framework," Journal of Information Technology Cases and Application Research (JITCAR), Vol. 8, No. 3, 2006.
[19] S. Sakthivel, "Managing risk in offshore systems development," Communications of the ACM, Vol. 50, No. 4, pp. 69–75.
[20] A. Sayana, "Audit of outsourcing," Information Systems Control Journal, Vol. 5, 2004.
[21] B. Watjatrakul, "Determinants of IS sourcing decisions: a comparative study of transaction cost theory and the resource-based view," Journal of Strategic Information Systems, Vol. 14, 2005, pp. 389–415.
[22] C. Wright, "Top Three Potential Risks With Outsourcing Information Systems," Information Systems Control Journal, Vol. 5, 2004.
[23] C. Yang and J. B. Huang, "A decision model for IS outsourcing," International Journal of Information Management, Vol. 20, No. 3, 2000, pp. 225–239.
[24] A. Zhaohui Zeng, "A synthetic study of sourcing strategies," Industrial Management & Data Systems, Vol. 100, No. 5, 2000, pp. 219–226.
[25] ***, www.isaca.org
[26] ***, www.theiia.org

Claudiu BRANDAS is Associate Professor at the West University of Timisoara, Faculty of Economics and Business Administration, Department of Business Information Systems and Statistics. He earned his PhD from "Babes-Bolyai" University of Cluj-Napoca, the Faculty of Economics, in Decision Support Systems conception and design. Currently, his research interests include DSS (Decision Support System), Business Intelligence, Business Information Systems Analysis and Design, Business Process Modeling, and Information Systems Control and Audit.
