You are on page 1of 14

Auditing IT Governance Controls

Outsourcing the IT Function
Introduction
● The costs, risks, and responsibilities
associated with maintaining an effective
corporate IT function are significant. Many
executives have therefore opted to outsource
their IT function to third-party vendors who take
over responsibility for the management of IT
assets and staff and for delivery of IT services,
such as data entry, data center operations,
applications development, applications
maintenance, and network management.
Outsourcing the IT Function
Benefits of IT outsourcing
● Improved core business performance
● Improved IT performance
● Reduced IT costs
Outsourcing the IT Function
Logic underlying IT outsourcing
● Follows from core competency theory, which
argues that an organization should focus
exclusively on its core business competencies.
● This premise, however, ignores an important
distinction between commodity and specific IT
assets.
Outsourcing the IT Function
Logic underlying IT outsourcing
● Commodity IT assets are not unique to a
particular organization and are thus easily
acquired in the marketplace. These include
such things as network management, systems
operations, server maintenance, and help-desk
functions.
Outsourcing the IT Function
Logic underlying IT outsourcing
● Specific IT assets are unique to the
organization and support its strategic
objectives. Specific assets have little value
outside their current use. Such assets may be
tangible (computer equipment), intellectual
(computer programs), or human. Examples
include systems development, application
maintenance, data warehousing, and highly
skilled employees trained to use organization-
specific software.
Outsourcing the IT Function
Logic underlying IT outsourcing
● Transaction Cost Economics (TCE) theory,
is in conflict with the core competency theory
school by suggesting that firms should retain
certain specific non-core IT assets in-house.
Specific assets cannot be easily replaced once
they are given up in an outsourcing
arrangement.
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
1.Failure to perform
2.Vendor exploitation
3.Outsourcing costs exceed benefits
4.Reduced security
5.Loss of strategic advantage
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
1.Failure to perform
Once a client firm has outsourced specific IT
assets, its performance becomes linked to the
vendor's performance.
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
2.Vendor exploitation
Large-scale IT outsourcing involves transferring to
a vendor “specific assets”. Once the client has
divested itself of such specific assets it becomes
dependent on the vendor. The vendor may
exploit this dependency by raising service rates
to an exorbitant level. As the client's IT needs
develop over time beyond the original contract
terms, it runs the risk that new or incremental
services will be negotiated at a premium.
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
3.Outsourcing costs exceed benefits
Outsourcing clients often fail to anticipate the costs
of vendor selection, contracting, and the
transitioning of IT operations to the vendors.
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
4.Reduced security
Information outsourced to offshore IT vendors
raises unique and serious questions regarding
internal control and the protection of sensitive
personal data (e.g., medical records).
Outsourcing the IT Function
Risks Inherent to IT Outsourcing
5.Loss of strategic advantage
Organizations that use IT strategically must align
business strategy and IT strategy or run the risk
of decreased business performance.
The vendor is naturally driven to toward seeking
common solutions that may be used by many
clients rather than creating unique solutions for
each of them.
Outsourcing the IT Function
Audit Implications of IT Outsourcing
● The use of a service organization does not
reduce management's responsibility to maintain
effective internal control over financial reporting.
● Therefore, if an audit client firm outsource its IT
function to a vendor that processes its
transactions, hosts key data, or performs other
significant services, the auditor will need to
conduct an evaluation of the vendor
organization's controls.