Audit Serve, Inc.

 


Insider Tips on Conducting an Audit of an Outsourced Entity

By: Mitchell H. Levine, CISA
Audit Serve, Inc.


                                                             



Auditors are confronted with the task of maintaining a balanced relationship with auditees when control issues requiring remedial action are identified, and of getting the auditee to accept the proposed solutions.

When performing audits of areas within the organization, the ground rules are established based on past precedents. Most organizations have outsourced some functions which still need to be audited. The most commonplace areas are portions of the help desk function, which include the initial Level 1 support or the technical areas which comprise Level 2 support. Network support, PC support and the overall Data Center are the other common areas which are typically outsourced.

Prior to commencing an audit of an outsourced function, it is important to understand the limitations of the audit which have been set forth in the contract. The contract may include specific "right to audit" clauses which address whether the organization can perform audits of the outsourced functions, the frequency of the audit, and the framework in which these audits need to be conducted.

If specific clauses limit the right to audit, it will be necessary to go through the proper channels within an organization to determine whether the agreement can be amended to include the right to conduct audits.

Assuming the ability to audit the outsourced entity exists, it is important to understand how the contract enforces the remedial action necessary for the control issues identified. Penalty clauses are the typical method used to ensure control issues are addressed in a timely fashion.

Once the framework of an audit has been understood, the audit planning can truly begin. It is typical for the outsourcer to request that a detailed audit scope be pre-defined, which may include the exact control components expected to be in place. The outsourcer typically makes this request so they can script their responses during the audit. This approach of pre-establishing the audit field work will limit the auditor's ability to identify all possible control issues, since it is typical for the auditor to venture into uncharted audit areas based on obtaining a greater understanding of the environment.

Another typical tactic by the outsourced entity is to conduct all meetings with a large number of individuals from their organization, many of whom are senior management. This approach limits the willingness and candor typically obtained from the persons who actually perform the work, which improves dramatically when managers are not attending the meeting. In summary, the objective is to have small meetings with the persons who actually perform the work.

The last important tip when performing an audit of an outsourced entity is to document the issues onsite during the course of the audit. Do not present them remotely after the field work is completed. This is because it is easier to dispute the findings when the auditor is not onsite, especially when additional field work would be required to counter the auditee's claims.



Copyright © 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.

This article appeared in a past issue of the Audit Vision E-Mail Newsletter.

 
