Insider Tips on Conducting an Audit of an Outsourced Entity
By: Mitchell H. Levine, CISA
Audit Serve, Inc.

Auditors face the task of establishing a balanced relationship with auditees when control issues requiring remedial action are identified, and of getting the auditee to accept the proposed solutions.

When performing audits of areas within the organization, the ground rules are established based on past precedents. Most organizations have outsourced some functions which still need to be audited. The most commonplace areas are portions of the help desk function, which include the initial Level 1 support, or technical areas which comprise Level 2 support. Network support, PC support and the overall Data Center are the other common areas which are typically outsourced.

Prior to commencing an audit of an outsourced function, it is important to understand the limitations of the audit which have been set forth in the contract. The contract may include specific "right to audit" clauses which address whether the organization can perform audits of the outsourced functions, the frequency of the audit, and the framework in which these audits need to be conducted.

If specific clauses limit the right to audit, it will be necessary to go through the proper channels within an organization to determine whether the agreement can be amended to include the right to conduct audits.

Assuming the ability to audit the outsourced entity exists, then it is important to understand how the contract enforces remedial action necessary for control issues identified. Penalty clauses are the typical methods used to ensure control issues are addressed within a timely fashion.

Once the framework of an audit has been understood, the audit planning can truly begin. It is typical for the outsourcer to request that a detailed audit scope be pre-defined, which may include the exact control components expected to be in place. The outsourcer typically makes this request so they can script their responses during the audit. Pre-establishing the audit field work in this way limits the auditor's ability to identify all possible control issues, since it is typical for the auditor to venture into uncharted audit areas based on obtaining a greater understanding of the environment.

Another typical tactic by the outsourced entity is to conduct all meetings with a large number of individuals from their organization, many of whom are senior managers. This approach limits the willingness and candor typically obtained from the persons who actually perform the work, which improves dramatically when managers are not attending the meeting. In summary, the objective is to have small meetings with the persons who actually perform the work.

The last important tip when performing an audit of an outsourced entity is to document the issues onsite during the course of the audit. Do not present them remotely after the field work is completed. This is because it is easier to dispute the findings when the auditor is not onsite, especially when additional field work would be required to counter the auditee's claims.


Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.