General Control Environment of the Service Provider

To oversee the risks associated with the use of external providers effectively, the institution should evaluate the adequacy of a provider's internal and security controls. Management should ensure the provider develops and adheres to appropriate policies, procedures, and standards. When conducting its evaluation, the institution should consider the results of internal audits conducted by institution staff or a user group, as well as external audits and control reviews conducted by qualified sources. The IT Handbook's "Audit Booklet" provides additional details on the various types of external audit engagements for third-party audits of a service provider.

The institution's review of the audit should include an assessment of the following factors in order to determine the adequacy of a service provider's internal and security controls:

  • The practicality of the service provider having an internal auditor, and the auditor's level of training and experience;
  • The service provider's external auditors' training and background; and
  • Internal IT audit techniques of the service provider.

Financial institutions should conduct a regular, comprehensive audit of their service provider relationships. The audit scope should include a review of controls and operating procedures that help protect the institution from losses due to irregularities and willful manipulations.

Third-party review reports generated on external providers typically identify certain internal control measures that client institutions are responsible for implementing in order for the provider's accounting systems to be effective. These client institution internal control measures are essential. Financial institution management and audit personnel should verify that the recommended institution internal controls are working effectively, and that the controls effectively complement the accounting system controls described in the provider's third-party review.

Because of the need for an effective internal control program, designated personnel should periodically perform "around-the-computer" audit techniques that:

  • Develop data controls (proof totals, batch totals, document counts, number of accounts, and pre-numbered documents) at the institution before submission to the provider. The auditor should sample the controls periodically to ensure their accuracy.
  • Include spot-checking reconcilement procedures to ensure output totals agree with input totals, less any rejects.
  • Sample rejected, un-posted, holdover, and suspense items to determine why they did not process and how they are addressed (to assure they are properly corrected and reentered on a timely basis).
  • Verify selected master file information (such as service charge codes), review exception reports, and crosscheck loan extensions and deposit account entries to source documents.
  • Spot-check computer calculations, such as loan rebates, interest on deposits, late charges, service charges, and past-due loans.
  • Trace transactions to final disposition to ensure there are adequate audit trails.
  • Review source input to ensure sensitive master-file change requests have the required prior approval by appropriate staff or management.
  • Visit the provider periodically to assess the status of controls.
  • Review other provider audits.
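The data-control and reconcilement checks in the first two items above can be automated on the institution's side. The following is an added illustration, not part of the handbook: the record layout, account numbers, and amounts are constructed, and the account hash total is one common form of proof total chosen here as an assumption.

```python
from dataclasses import dataclass
from decimal import Decimal

@dataclass(frozen=True)
class Item:
    doc_no: int       # pre-numbered document
    account: str
    amount: Decimal

def control_totals(items):
    """Document count, batch (amount) total, and hash total of account numbers."""
    return {
        "count": len(items),
        "amount": sum((i.amount for i in items), Decimal("0")),
        "acct_hash": sum(int(i.account) for i in items),
    }

def reconcile(submitted, posted, rejected):
    """Return findings where provider output does not agree with input, less rejects."""
    findings = []
    sent, out, rej = (control_totals(x) for x in (submitted, posted, rejected))
    for key in sent:
        if out[key] + rej[key] != sent[key]:
            findings.append(
                f"{key}: sent {sent[key]}, posted {out[key]}, rejected {rej[key]}")
    # Trace every pre-numbered document to a final disposition.
    sent_docs = {i.doc_no for i in submitted}
    seen = [i.doc_no for i in list(posted) + list(rejected)]
    missing = sorted(sent_docs - set(seen))
    extra = sorted(set(seen) - sent_docs)
    dupes = sorted({d for d in seen if seen.count(d) > 1})
    if missing:
        findings.append(f"documents with no disposition: {missing}")
    if extra:
        findings.append(f"documents not in submitted batch: {extra}")
    if dupes:
        findings.append(f"documents processed more than once: {dupes}")
    return findings

def _item(n, acct, amt):
    return Item(n, acct, Decimal(amt))

# Constructed sample batch: controls are computed before submission to the provider.
SUBMITTED = [_item(1001, "40017", "250.00"), _item(1002, "40023", "75.50"),
             _item(1003, "40031", "1200.00"), _item(1004, "40044", "19.99")]
REJECTED = [SUBMITTED[3]]
POSTED_OK = SUBMITTED[:3]
# Constructed bad output: amount on 1002 altered, 1003 never posted.
POSTED_BAD = [SUBMITTED[0], _item(1002, "40023", "750.50")]
```

An empty findings list means output totals agree with input totals less rejects; any finding identifies the control total or document number the auditor should trace to source documents.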

In addition, "through-the-computer" audit techniques allow the auditor to use the computer to check processing steps. These techniques use audit software programs to test extensions and footings and to prepare direct verification statements. These audit software programs often can invoke statistical sampling routines in generating their audit confirmations. If a serviced institution has audit software, it should make arrangements with the provider to allow its use.

Regardless of whether the information processing is internal or outsourced, the financial institution's board of directors should ensure adequate audit coverage. If the institution has no technical audit expertise, the non-technical audit methods can provide minimum coverage. The institution should supplement the internal audit with comprehensive outside IT audits.

 
