Auditing IT Governance Controls

Outsourcing the IT Function

Introduction
● The costs, risks, and responsibilities associated with maintaining an effective corporate IT function are significant. Many executives have therefore opted to outsource their IT function to third-party vendors who take over responsibility for the management of IT assets and staff and for delivery of IT services, such as data entry, data center operations, applications development, applications maintenance, and network management.

Benefits of IT outsourcing
● Improved core business performance
● Improved IT performance
● Reduced IT costs

Logic underlying IT outsourcing
● Follows from core competency theory, which argues that an organization should focus exclusively on its core business competencies.
● This premise, however, ignores an important distinction between commodity and specific IT assets.
● Commodity IT assets are not unique to a particular organization and are thus easily acquired in the marketplace. These include such things as network management, systems operations, server maintenance, and help-desk functions.
● Specific IT assets are unique to the organization and support its strategic objectives. Specific assets have little value outside their current use. Such assets may be tangible (computer equipment), intellectual (computer programs), or human. Examples include systems development, application maintenance, data warehousing, and highly skilled employees trained to use organization-specific software.
● Transaction Cost Economics (TCE) theory conflicts with the core competency school by suggesting that firms should retain certain specific non-core IT assets in-house.
  Specific assets cannot be easily replaced once they are given up in an outsourcing arrangement.

Risks Inherent to IT Outsourcing
1. Failure to perform
   Once a client firm has outsourced specific IT assets, its performance becomes linked to the vendor's performance.
2. Vendor exploitation
   Large-scale IT outsourcing involves transferring "specific assets" to a vendor. Once the client has divested itself of such specific assets, it becomes dependent on the vendor. The vendor may exploit this dependency by raising service rates to an exorbitant level. As the client's IT needs develop over time beyond the original contract terms, it runs the risk that new or incremental services will be negotiated at a premium.
3. Outsourcing costs exceed benefits
   Outsourcing clients often fail to anticipate the costs of vendor selection, contracting, and the transitioning of IT operations to the vendors.
4. Reduced security
   Information outsourced to offshore IT vendors raises unique and serious questions regarding internal control and the protection of sensitive personal data (e.g., medical records).
5. Loss of strategic advantage
   Organizations that use IT strategically must align business strategy and IT strategy or run the risk of decreased business performance. The vendor is naturally driven toward seeking common solutions that may be used by many clients rather than creating unique solutions for each of them.

Audit Implications of IT Outsourcing
● The use of a service organization does not reduce management's responsibility to maintain effective internal control over financial reporting.
● Therefore, if an audit client firm outsources its IT function to a vendor that processes its transactions, hosts key data, or performs other significant services, the auditor will need to conduct an evaluation of the vendor organization's controls.