|Review of outsourcing governance and control framework|
- Provides assurance on the overall governance and control framework for outsourcing.
- Will help internal audit functions form a view on higher risk outsourcing arrangements which could be the focus of future audits.
- May be too high level to provide real challenge/insights on specific outsourcing arrangements/ controls.
|Consideration of outsourcing risks and controls within all audits|
- May provide a deeper understanding and assessment of the outsourcing arrangement in the context of the area being audited.
- Risk that some outsourcing arrangements would not be covered depending on which audits are undertaken in any one year.
- To mitigate this, internal audit would need to map the various outsourcing arrangements to the audit plan so there is clarity over coverage.
|Deep dive review of specific outsourcing arrangements|
- Can focus and target higher risk or material outsourcing arrangements and provide deeper challenge over the control framework.
- Less appropriate or useful if the firm doesn’t have higher risk or material outsourcing arrangements.
- Need to have a good understanding of each of outsourced arrangement to select the deep dive target.