General Control Environment of the Service Provider
To oversee the risks associated with the use of external providers effectively, the institution should evaluate the adequacy of a provider's internal and security controls. Management should ensure the provider develops and adheres to appropriate policies, procedures, and standards. When conducting its evaluation, the institution should consider the results of internal audits conducted by institution staff or a user group, as well as external audits and control reviews conducted by qualified sources. The IT Handbook's "Audit Booklet" provides additional details on the types of third-party audit engagements available for a service provider.
The institution's review of the audit should include an assessment of the following factors in order to determine the adequacy of a service provider's internal and security controls:
Financial institutions should conduct a regular, comprehensive audit of their service provider relationships. The audit scope should include a review of controls and operating procedures that help protect the institution from losses due to irregularities and willful manipulations.
Third-party review reports on external providers typically identify internal control measures that client institutions are responsible for implementing in order for the provider's accounting system controls to be effective. These institution-side controls are essential. Financial institution management and audit personnel should verify that the recommended institution controls are in place and working effectively, and that they complement the accounting system controls described in the provider's third-party review.
Because of the need for an effective internal control program, designated personnel should periodically perform "around-the-computer" audit techniques that:
In addition, "through-the-computer" audit techniques allow the auditor to use the computer itself to check processing steps. These techniques use audit software to test extensions and footings (recomputing line-item amounts and re-adding column totals independently of the provider's system) and to prepare direct verification statements. The audit software often can invoke statistical sampling routines when selecting the accounts for which confirmations are generated. If a serviced institution has audit software, it should make arrangements with the provider to allow its use against the provider's data.
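As an added illustration of the through-the-computer techniques described above (this is example code written for this page, not a tool from the FFIEC or any service provider), the block below recomputes extensions, re-foots the detail against the servicer's control total, and draws a reproducible random sample of accounts for confirmation statements. Everything about the input is assumed: the servicer is taken to export account detail as CSV with the invented column names shown, and the control total and the rows are constructed sample data, with one extension deliberately wrong.

```python
"""Through-the-computer audit tests run against a servicer's output file.

Added example, not part of the FFIEC booklet. Everything here is assumed:
the servicer is taken to export account detail as CSV with the (invented)
columns below, and the control total is the one it reports on its own
trailer report.
"""
import csv
import io
import random
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed export. Row A-1003's extended amount is wrong on purpose
# (100 x 12.50 should be 1250.00, not 1255.00); the servicer's control
# total was footed from the same wrong line, so it still "agrees".
SAMPLE_EXPORT = """account_id,quantity,unit_price,extended_amount
A-1001,10,25.00,250.00
A-1002,4,99.99,399.96
A-1003,100,12.50,1255.00
A-1004,7,3.10,21.70
A-1005,1,5000.00,5000.00
"""
SERVICER_CONTROL_TOTAL = Decimal("6926.66")  # constructed trailer value


def load_export(text):
    """Parse the CSV into rows of Decimals (never floats, for money)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "account_id": r["account_id"],
            "quantity": Decimal(r["quantity"]),
            "unit_price": Decimal(r["unit_price"]),
            "extended_amount": Decimal(r["extended_amount"]),
        })
    return rows


def recompute_extension(row):
    """Independent quantity x unit price, rounded to the cent."""
    return (row["quantity"] * row["unit_price"]).quantize(CENT, rounding=ROUND_HALF_UP)


def check_extensions(rows):
    """Test of extensions: list lines whose reported amount disagrees with
    the recomputed one, as (account_id, reported, recomputed) tuples."""
    return [
        (r["account_id"], r["extended_amount"], recompute_extension(r))
        for r in rows
        if recompute_extension(r) != r["extended_amount"]
    ]


def foot_detail(rows, reported_total):
    """Test of footings: re-add the detail two ways and compare with the
    servicer's control total. Footing only the reported lines can agree
    with a control total derived from the same bad data, which is why the
    independently recomputed lines are footed as well."""
    footed_reported = sum((r["extended_amount"] for r in rows), Decimal("0.00"))
    footed_recomputed = sum((recompute_extension(r) for r in rows), Decimal("0.00"))
    return {
        "footed_reported_lines": footed_reported,
        "footed_recomputed_lines": footed_recomputed,
        "control_total": reported_total,
        "reported_vs_control": footed_reported - reported_total,
        "recomputed_vs_control": footed_recomputed - reported_total,
    }


def select_confirmation_sample(rows, sample_size, seed):
    """Simple random sample of accounts for direct verification
    (confirmation) statements. The seed is recorded in the workpapers so a
    reviewer can reproduce the selection."""
    ids = [r["account_id"] for r in rows]
    rng = random.Random(seed)
    return sorted(rng.sample(ids, min(sample_size, len(ids))))


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for acct, reported, recomputed in check_extensions(rows):
        print(f"extension exception {acct}: reported {reported}, recomputed {recomputed}")
    for name, value in foot_detail(rows, SERVICER_CONTROL_TOTAL).items():
        print(f"{name}: {value}")
    print("confirm:", select_confirmation_sample(rows, 2, seed=20240101))
```

On the constructed data the footing of the servicer's own lines agrees with its control total to the cent, while the footing of the independently recomputed lines is 5.00 short; only the extension test pinpoints the offending line. That is the practical reason the two tests are run together rather than relying on a control total the provider produced from its own output.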
Regardless of whether information processing is performed internally or outsourced, the financial institution's board of directors should ensure adequate audit coverage. If the institution has no technical audit expertise, non-technical audit methods can provide only minimum coverage, and the institution should supplement its internal audit with comprehensive outside IT audits.