Audit toolbox for outsourcing: Information Technology Perspective
Saarinen, Noora (2023)
All rights reserved. This publication is copyrighted. You may download, display and print it for your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-2023112731988
Abstract
Managing outsourcing arrangements has become a major task for financial institutions. The European Banking Authority has emphasized the need for a harmonized way to manage outsourcing arrangements in banking and has issued Guidelines on outsourcing arrangements.
Inadequate monitoring of service providers can expose institutions to significant risk. No matter to what extent a function or process has been outsourced, the institution always retains final responsibility for the outsourced activities. Creating operating models, handling outsourcing management and covering the information technology perspective are currently receiving attention in the industry.
The objective of the thesis was to produce an audit toolbox for planning audits of outsourcing arrangements from an information security perspective. The toolbox was intended for internal auditors with little or no background in information technology. Limitations were identified before the development work started: the scope was restricted to the banking industry and its regulatory aspects, the toolbox did not focus on technical audits, and its use is limited to supporting the audit planning phase.
The thesis was conducted using design science research methodology, supported by a design research process. The development work was an iterative process in which, besides the knowledge base and theory, experts and their knowledge were utilized. The outcome was an Excel-based tool.
The knowledge base combines outsourcing, regulation, and internal auditing. The outsourcing part presents the outsourcing life cycle, its phases and how to manage outsourcing. Key factors in outsourcing, such as the most common issues with outsourcing, are presented. These key factors emphasize the need to manage outsourcing arrangements in order to avoid risks and retain control over the organization’s processes. The most relevant regulation, such as the Guidelines on outsourcing arrangements (EBA/GL/2019/02), the Guidelines on ICT and security risk management (EBA/GL/2019/04) and the General Data Protection Regulation (GDPR), is presented to gather the regulatory requirements regarding outsourcing. Lastly, internal audit fundamentals, the audit process and IT audit aspects are presented so that the context of the audit toolbox could be determined.
In conclusion, the tool is adjustable and can be used in other industries as well. The toolbox is suitable for audit planning and for checking whether the areas selected by the auditor exist in a particular outsourcing arrangement. However, it was concluded that in order to audit outsourcing arrangements from an information technology perspective, the auditor does need subject matter expertise to analyze the level of maturity of the audited information technology areas.