Risk is always involved when third-party entities are given access to sensitive customer data, privileged business operation details, or intellectual property vulnerable to public or competitor disclosure.
Financial processing (such as credit cards and EDI)
Web (B2B & B2C) portals
Application development and maintenance
Help desk services
Data center management
Research and development (R&D)
Managed Security Services and Security Management
Information technology outsourcing has grown in popularity as an efficient, cost-effective, and expert solution designed to meet the demands of systems implementation, maintenance, security, and operations.
Security - network, physical, environment, personal and logical access
System Development Life Cycle (SDLC) controls
Change management controls
Business continuity and disaster response
Key issues can range from requiring the vendor to maintain specified levels of security through employee awareness training and contractual obligations to company indemnification by the vendor for any breaches.
Outsourced IT Environments Audit/Assurance Program, ISACA
Cloud Computing Management Audit/Assurance Program, ISACA
Supervision of Technology Service Providers, IT Examination Handbook, Federal Financial Institutions Examination Council, http://www.ffiec.gov/ffiecinfobase/booklets/outsourcing/outsourcing_booklet.pdf
Global Technology Audit Guide (GTAG) 7, Information Technology Outsourcing, Institute of Internal Auditors
Standards for Attestation Engagements (SSAE) No. 16, Reporting on the Controls of a Service Organization, American Institute of Certified Public Accountants
Cloud Controls Matrix and Security Guidance for Critical Areas of Focus in Cloud Computing, Cloud Security Alliance, http://www.cloudsecurityalliance.org/