2.1 Outsourcing Function (Doshi)

Question 1

In-Sourced

Answer 1

Activity performed by the organization’s staff

Question 2

Outsourced

Answer 2

Activity performed by vendor’s staff

Question 3

Hybrid

Answer 3

Activity performed jointly by organization’s staff & vendor’s staff

Question 4

Onsite

Answer 4

Staff works onsite in IT department

Question 5

Offsite

Answer 5

• Staff works from remote location in same geographical area.
• Also known as near-shore

Question 6

Offshore

Answer 6

Staff works from remote location from different geographical area.

Question 7

When functions should not be outsourced

Answer 7

1- In case of core functions of the organization
2-If function requires specific knowledge, processes and critical staffs that cannot be replicated externally or in another location.
3-In case of contractual or regulatory restrictions preventing outsourcing.
4-Accountability

Question 8

When can functions be outsourced?

Answer 8

1-If it can be performed with the same quality (or higher quality ) with same price (or lower price) by another party without increasing risk.

2- If Organization has sufficient experience of managing third parties performing on behalf of organization

Question 9

Steps for Outsourcing

Answer 9

1-Define the function to be outsources
2-Define Service Level requirements
3-Know the current In-house cost to be compared with bids.
3-Conduct due diligence of service providers,
4-Confirm contractual or regulatory requirements for outsourcing.

Question 10

What is outsourcing?

Answer 10

A convenient way to transfer some operations to an external organization, thereby allowing the outsourcing organization to be more agile to improve focus on core competencies.

Question 11

Risk Reduction options for outsourcing

Answer 11

1. Service level Agreement to contain measurable performance requirements.

2· Escrow arrangement for propriety software.

3· Use of multiple suppliers to reduce risk of dependency.

4· Periodic performance review.

5· Establishing cross-functional contract management team.

6· Establishing necessary controls for foreseen contingencies.

Question 12

Provisions in Outsourcing Contracts

Answer 12

Service level Agreement should serve as instrument for control

Question 13

Clauses in the SLA

Answer 13

1· Service level Agreement to contain measurable performance requirements.

2· Confidentiality agreements protecting both the parties.

3· ‘Right to Audit’ clause.

4· Business Continuity & Disaster Recovery Provisions.

5· Protecting Intellectual Property Rights.

6· Requirements for confidentiality, Integrity & Availability (CIA) of resources/systems/data.

Question 14

Role of IS Auditor-Monitoring of Outsourced Activities:

Answer 14

1· Regular review of contracts and service levels.

2· Review of outsources documented procedures and outcome of their quality programs.

3· Regular audits to certify that the process and procedures meet the quality standards.

Question 15

In any given scenario, out of all the options, most desirable option has to be

Answer 15

‘to have written agreement with outsourcing vendors’. First and most important priority should be given to written agreement for outsourcing contract.

Question 16

Following clauses are must in any outsourcing contracts from IS auditor point of view:

Answer 16

• clause with respect to ownership of intellectual property rights
• clause with respect to data confidentiality and privacy.
• clause with respect to BCP & DRP.
• clause with respect to right to audit.

Question 17

In any given scenario, two main advantage of outsourcing in their preferential order are:

Answer 17

• Expert service can be obtained from outside (so organisation can concentrate on its core business)
• Cost Saving.

Question 18

In any given scenario, no organisation can outsourced or transfer its

Answer 18

accountability. Even if any process has been outsourced, final accountability lies with the organization.