Regarding outsourced services, among other expectations, an IT auditor should obtain and document an understanding of the relationship between the services provided by third parties and the entity’s control environment. An IT auditor should consider reviewing such items as contracts, service level agreements, policies and procedures between TPPs and the entity. Furthermore, an IT auditor should review any previous TPP audit reports prepared for the entity, and plan the IT audit work to address the audit objectives relevant to the service provider’s environment, taking into account the information obtained during planning. Lastly, an IT auditor should plan TPP audit work to comply with applicable professional audit standards, as if the audit were performed in the entity’s own environment.
“View Part I of the Auditing IT Service Delivery and Support series here”
Post Note: As of January 12, 2012, Robert E. Davis, MBA, CISA, CICA is a Master of Science in IT Auditing and Cyber-Security Program instructor at Temple University.