
The Information Systems Audit and Control Association & Foundation


www.isaca.org

OUTSOURCING

AUDIT PROGRAM
&
INTERNAL CONTROL QUESTIONNAIRE

The Information Systems Audit and Control Association & Foundation


With more than 22,000 members in more than 100 countries, the Information Systems Audit and Control Association® (ISACA™) is
a recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,
administers the globally respected CISA® (Certified Information Systems Auditor™) designation attained by more than 23,000
professionals worldwide, and develops globally applicable Information Systems (IS) Auditing and Control Standards. An affiliated
Foundation undertakes leading-edge research in support of the profession. The IT Governance Institute, an offshoot of the
Association, sponsors a new web site dedicated to the theory and practice of IT governance for the purpose of ensuring that IT
activities achieve business objectives.

Purpose of These Audit Programs and Internal Control Questionnaires


One of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and
industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released
audit programs and internal control questionnaires on outsourcing and various eBusiness topics for member use through the GIR.
These products are intended to provide a basis for audit work.

The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or
applicable to all organizations. They should be used as a starting point to build upon based on an organization’s constraints, policies,
practices and operational environment.

Control Objectives for Information and Related Technology


COBIT® has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and
control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.
This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.

Disclaimer
The topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professional
development of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful for
that purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or professional liability of
members in the conduct of their practices.
Outsourcing Page ____ of ____

October 2000

Introduction

Outsourcing is the process by which an organization contracts services that augment functionality and/or
operations. Reasons for outsourcing vary from downsizing to sharing expertise. In any event, the result of
sharing functionality is sharing assets, in the form of information and data as well as any shared resources. The
audit focus is on the agreement, and it should be noted that without an agreement, the audit of an outsourced
function/operation may not be possible. The agreement review must take place before the deal is consummated,
not after. This can mean the difference between a successful outsource venture and one which becomes a
major aggravation from which the organization cannot easily remove itself.

The work that needs to be performed with respect to outsourcing should be discussed up front, since the Audit
Department would have a key role to play. This discussion should include:
- How to determine what should be outsourced
- The various alternatives with respect to outsourcing (outsource, cosource, application rental)
- Reasons for outsourcing
- Key aspects of the outsourcing project (communication, staff transfer, asset transfer, etc.)
- Key components of the contract
- What comprises the contract and what will be handled outside the contract
- Contract cancellation issues as part of the up-front agreement
- Performance (increasing improvement expectations, etc.)

The outsource contract is critical; if improperly prepared and structured, it can hurt an organization, or damage
it severely by putting it at a competitive disadvantage. It is for this reason that the Audit Department must be
involved at the front end of the process and not serve as a reviewer after the fact.

The Education Board cautions users not to consider these audit programs and internal control questionnaires to
be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on
an organization’s constraints, policies, practices and operational environment.

This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and
steps are included. For more information on COBIT Third Edition, including free downloads, please visit
ISACA's web site at http://www.isaca.org/cobit.htm

Audit Objectives

COBIT Control Objective

Control over the process of managing third-party services that satisfies the business requirement to ensure that
roles and responsibilities of third parties are clearly defined, adhered to and continue to satisfy requirements is
enabled by control measures aimed at the review and monitoring of existing contracts and procedures for their
effectiveness and compliance with organization policy.

Functional Objectives

1. Data integrity, availability, confidentiality in accordance with business needs are determined by senior
management via policy and are maintained and contractually supported in any outsource arrangement.

2. Asset protection requirements are clearly defined and understood by the principals in any outsource
agreement. Data and information custodial responsibilities are well defined and complied with.

3. Service levels are acceptable. (When considering outsourcing, COBIT's process DS1, Define and Manage
Service Levels, is important; its references and content should therefore be included in the Internal Control
Questionnaire.)

4. Billings and invoices are accurate and costs are within budgeted amounts.

AUDIT PROGRAM

Columns of the program: Audit Step | Completed By/Date | Auto. Tool used | COBIT Reference | Test Results, Remarks, W/P Ref.
The Completed By/Date, Auto. Tool used and Test Results columns are filled in during the audit; the COBIT reference for
each step is shown in brackets.

A. Prior Audit/Examination Report Follow Up
- Review prior report and verify completion of any agreed-upon corrections. Note remaining deficiencies. [COBIT: M1, M4]
- Perform benchmarking of third party services. [COBIT: DS1]

B. Preliminary Audit Steps [COBIT: DS2]
- Review outsourcing policies and contract requirements.
- Obtain a list of all current third party contracts and compare to vendor list. Determine scope of your review and
  select contract(s) for testing.
- Review organization-wide procedures relating to purchased services and third party vendor relationships. [COBIT: DS2]

C. Detailed Audit Steps [COBIT: DS2]

Management and Planning
- For each contract selected: review contract content for all requirements (see Internal Control Questionnaire, ICQ).
- Review transition plans for completeness and involvement from all affected areas. Assure that a baseline analysis was
  performed to support the need for outsourcing.
- Review organizational and vendor constraints.
- Review any risk assessment methodology used in deciding to outsource.
- Review the vendor selection process.
- Review project plans for completeness against existing project management standards.
- Review costing and payment processes.
- Review technical support procedures.

Security
- Review outsourcer's contingency plans and back-up procedures for adequacy.
- Review outsourcer's access control practices as they relate to our information assets.
- Review termination procedures for vendors, contractors and subcontractors. Determine that access is cut off when
  appropriate.
- Review access control processes for applicable:
  - Operating System
  - Application System(s)
  - Networks
  - Remote Access
- Review assignment of technology inventory to contractors.
- At the outsourcer location(s), review physical security controls including access issuance, administration and
  maintenance.

Administrative
- Review billings, payables and disbursements for accuracy and compare to budget, noting significant variances.
- Review internal procedures to monitor outsourcer's performance.
- Review outsourcer's purchase options (if applicable).

INTERNAL CONTROL QUESTIONNAIRE

Completed By:                    Date:

Columns of the questionnaire: Question No. | Question Description | Response (YES / NO / N/A) | COBIT Reference
Responses are recorded during the audit; the COBIT reference for each question is shown in brackets.

Management and Planning [COBIT: DS2]

- Are management requirements and expectations clearly defined in the contract?
- Do policies regarding purchased services, and, in particular, third party vendor relationships exist? [DS2]
- Do clearly defined benefits and business purposes exist to support the decision to outsource? [DS2]
- Have prospective outsourcers been reviewed regarding:
  - R&D expenditures?
  - Ability to listen to need and not dictate direction?
  - Flexibility to need?
  - Support in worldwide endeavors?
  - Presence in applicable industry(ies)?
  - Sufficient technological expertise?
  - Ability to handle problems?
  - Current resource performance levels?
- Were vendor selection processes followed? [DS2]
- Do contract reviews and approval processes exist and were they followed? [DS2]
- Does the outsourcing contract content include the following? [DS2]
  - Formal management and legal approval?
  - Legal entity providing services?
  - Detail of services provided?
  - Service level agreements:
    - Quantitative?
    - Qualitative?
  - Costs of services?
  - Payment requirements and frequencies?
  - Problem resolution process?
  - Penalties for non-performance?
  - Dissolution process?
  - Agreement modification process?
  - Reporting procedures:
    - Content?
    - Frequency?
    - Distribution?
  - Roles and responsibilities of principals?
  - Business continuity processes?
  - User/provider communications process and frequency?
  - Duration of contract?
  - Appropriate access levels defined and provided to vendor(s)?
  - Security requirements?
  - Non-disclosure guarantees?
  - Right to access and right to audit?
- Are transition plans, with completed requirements from all affected entities, completed? (baseline analysis) [DS2]
- Were existing contractual impacts considered? [DS2]
  e.g. - labor
       - business partners
       - other _____________________________
- Have all costs been identified? [DS2]
  e.g. - transfer of objects
       - construction
       - indirect
       - cost shifting
       - other
- Have all technical expertise requirements been identified and obtained? [DS2]
- For the operation/function to be outsourced, can the vendor support location dispersion where applicable? [DS2]
- Are project plans used for the management of outsourcing transitions? Do they contain: [DS2]
  - Contingency plans?
  - Training plans?
  - Clear definition of:
    - HW requirements?
    - SW requirements?
    - Service levels?
    - Error handling procedures?
    - Legal issues?
- Are warranties provided or given? If yes, detail in Work Papers. [DS2]
- Are we compliant with warranty requirements? [DS2]
- Are customer service levels defined? [DS2]
- Does the service level agreement include: [DS1]
  - Definition of service?
  - Cost of service?
  - Quantifiable minimum service level?
  - Level of support from information services function?
  - Availability, reliability, capacity for growth?
  - Disaster recovery/contingency planning?
  - Security requirements?
  - Change procedure for any portion of the agreement?
  - Written and formally approved agreement between provider and user of service?
  - Effective period and new period review/renewal/non-renewal?
  - Content and frequency of performance reporting and payment for services?
  - Realistic charges compared to history, industry, best practices?
  - Calculation for charges?
  - Service improvement commitment?
- Are responsibilities of users and providers defined? [DS1]
- Has the outsourced function/operation allowed the customer service levels to be maintained or improved? [DS2]
- Has competitive advantage been achieved due to this outsourcing arrangement? (List all selected) [DS2]
  ______________________________________________________
  ______________________________________________________
  ______________________________________________________
  ______________________________________________________
- Is costing flexible in the agreements? (i.e. if the term of the agreement is 10 years, are costs adjustable because the
  cost of technologies reduces quickly.) [DS2]
- Have responsibilities for maintenance and technical support been clearly defined? [DS2]

Security [COBIT: DS2]

- Are security requirements clearly defined in the contract?
- Do clear practices exist for access elimination when terminations and/or transfers occur? [DS2]
- Does the outsourcer have adequate back-up procedures? [DS2]
- Does the outsourcer have adequate logical access control? [DS2]
- Does the outsourcer have adequate physical access controls and administration and maintenance? [DS2]
- Are technology resources properly assigned and recorded to vendors/contractors from inventory records, such as on PCs,
  software and licenses? [DS2]
- Does the outsourcer properly segregate access to our data from other clients? [DS2]

Administrative [COBIT: DS2]

- Are billings and payables verified to the contract for validity?
- Is vendor performance monitored? [DS2]
- Are technology purchase options monitored closely? [DS2]