Once you start viewing what IT does as services, you start thinking about a few questions:
- How well do we perform this service compared to others?
- How much is it costing us?
- Could someone else do it cheaper? Better? Both?
Once that happens, you start thinking about outsourcing, a very emotionally charged topic no matter what level of outsourcing you are contemplating. If you are just bringing in a specialist, you might alienate one of your best technical people by not giving her the opportunity to learn a new skill. If you are outsourcing an entire business process like Human Resources, you are talking about eliminating most of your own HR people and all of the IT people who supported the HR applications. It's never easy.
As an auditor you need to remember that all the original process risks remain and some new ones are added. You need to think about the purpose of the relationship: is the organization realizing the value it anticipated? Consider how the process is working: are the SLAs being met? How is the relationship being managed? What are the procedures for resolving a dispute, and have they been used? These issues lead many organizations to reject outsourcing out of hand.
That's unfortunate, as there are often considerable advantages beyond cost. Consider a small company like a $10MM mental health agency. If the agency outsources all of its systems to a cloud provider, it is still responsible for:
- All the compliance risks
- Desktop security risks
- Data communication security (VPN?)
- Account provisioning risks
- General IS Security policy and employee compliance risks
- Data quality risk, etc.
On the other hand, think of the risks that a professional IT shop is now managing on its behalf:
- Application availability risks
- Application update risks
- Infrastructure update risks
- Network security risks
- Infrastructure security risks
- Backup and recovery risks, etc.
While different decision makers might legitimately make different decisions in this case, I think most knowledgeable IT professionals would conclude that outsourcing to the cloud provider represents the lowest total risk for the organization.