Once you start viewing what IT does as services, you then start thinking about a couple of questions:

1. How well do we perfom this service compared to others?
2. How much is it costing us?
3. Could someone else do it cheaper? Better? Both?

Once that happens, you starting thinking about outsourcing, a very emotionally charged topic no matter level of outsourcing you are contemplating.  If you are just bringing in a specialist you might alienate one of your best technical people by not giving him the opportunity to learn a new skill.  If you are outsourcing an entire business process like Human Resources, you are talking about eliminating most of your own HR people and all of the IT people who supported the HR applications.  It’s never easy.

As an auditor you need to remember that all the original process risks remain and some new ones are added.  You need to think about the purpose for the relationship, is the organization realizing the value it anticipated?  Consider how the process is working, are the SLA’s being met?  How is the relationship being managed?  What are the procedures for reconciling a disput? Have they been used?  All of these make many organizations not consider outsourcing out of hand.

That’s unfortunate as often there are considerable advantages beyond cost.  Consider a small company like a $10MM mental health agency.  If the agency outsources all of its systems to a cloud provider they are still responsible for:

• All the compliance risks
• Desktop security risks
• Data communication security (VPN?)
• Account provisioning risks
• General IS Security policy and employee compliance risks
• Data quality risk, etc.

On the other hand, think of the risks that a professional IT shop are now managing.

• Application availability risks
• Application update risks
• Infrastructure update risks
• Network security risks
• Infrastructure security risks
• Backup and recovery risks, etc.

While different decision makers might legitimatly make different decisions in this case, I think most knowledgable IT professionals would conclude that outsourcing to the cloud provided represents the lowest total risk for the organization.

Readings

1. What different kinds or IT outsourcing are there?
2. What is business process outsourcing and how is it related to IT?
3. If you were the manager of a major outsourced service and heard you were to be audited, what aspects of the outsourcing arrangement would you want to make sure were strong?
4. What is the difference between an outsourcing contract and a statement of work?  Which should you be interested in as an auditor? Why?

Crafting and Executing an Offshore IT Sourcing Strategy: GlobShop’s Experience

Think about these questions as you prepare for Tuesday’s discussion:

1. If you were auditing GlobShop’s move to offshoring how would you evaluate their decision? Did they do the right thing?  Why or why not? What evidence do you see?
2. Briefly list the critical challenges that GlobShop faced in executing its offshore strategy? What would you look for if you were auditing the implementation of this outsourcing deal?
3. Suppose GlobShop moved its more mission-critical activities offshore. How would your audit of the relationship change?