

IT Suppliers/Outsourcing

Outsourcing IT services is now common practice. Companies do it to benefit from the supplier's economies of scale and to gain access to profiles, resources and expertise that would otherwise be out of reach because of their cost or degree of specialisation.

At PKF Attest we assess the inherent risks of outsourcing an IT activity and the controls established around it, and we check that appropriate supplier evaluation and service monitoring procedures have been correctly implemented.

Possible programme of work

Analysis of activities suitable for outsourcing:

  • Existence of suitable analysis procedures (cost/benefit analysis, confirmation that core functions are not outsourced, etc.)

Evaluation of the supplier:

  • Market presence and business know-how
  • Technological alignment with the client
  • Capacity for horizontal/vertical growth
  • Financial position (audit reports on the accounts, other sources)
  • Reputation and references (expert reports, market)
  • The supplier's approved partners and subcontractors
  • Rigour in regulatory compliance (track record, complaints, etc.)
  • Service capacity (delivery times, continuity plans)

Preparation of the contract:

  • Drafting procedures (standard contract structures, management approval, review by legal counsel, etc.)
  • Clear definition of client and supplier responsibilities
  • Clear specification of the type of service
  • Procedures for early termination (by the client or the supplier)
  • Agreements for the orderly handover of data/systems on expiry of the contract
  • Legal clauses (GDPR, intellectual property law, compliance with internal regulations)
  • Arbitration and penalties
  • Service continuity guarantees in the event of an incident
  • Notification of security incidents

Pre-implementation procedures:

  • Migration of data/operations to the supplier
  • Return of the information transferred, in a legible format, on expiry of the contract
  • Implementation of the platform in accordance with legal requirements (use and transfer of licences from the supplier to the client, user licences, connection licences, etc.)
  • Methodical implementation of the system interconnections
  • Staff training
  • Taking out insurance
  • Definition of the key indicators of the service
  • Collection of indicator data through a reliable procedure
  • Ability to revise the key indicators when the platform changes
  • Validity and suitability of the distribution of service management reports

Assessment of the service:

  • Different services indicators, depending on the type of IT service outsourced (development, operation, help desk, etc.)

Post-implementation procedures:

  • Migration of data/operations to the supplier
  • Staff training
  • Implementation of penalties
  • Formality for the expiry of contract

Business Continuity / Disaster Recovery Plan

The purpose of a business continuity plan is to enable the company, in the face of a serious contingency, to resume normal operation as promptly as possible so that the business is not affected.

These plans include Disaster Recovery Plans, which cover the recovery of the company's technological platform (servers, applications, data, etc.).

We review the continuity strategy adopted by the company and check that its business contingency and disaster recovery plans exist, are reasonable and are kept up to date.

Possible scope of our services

General aspects of the plan:

  • Risk analysis
  • Analysis and evaluation of incidents of all kinds; review of existing incident reports; validation that the established criteria for classifying an incident as a "contingency" are correctly applied
  • Scenarios
  • Degree of coverage
  • Updates
  • Assignment of responsibilities
  • Staff training
  • Costs

Disaster Recovery Plan:

  • Alignment with the Business Continuity Plan
  • Backup management
  • Actions to be taken in the event of a disaster

Backup centre (alternate processing site):

  • Processing capacity
  • Level of service
  • Physical security of the backup centre

Recovery of system software and applications:

  • Qualified staff
  • Backups of development tools and applications
  • Off-site copies of the system's programs and documentation

Data recovery:

  • Existing procedures
  • Evaluation of RPO (Recovery Point Objective)
  • Evaluation of RTO (Recovery Time Objective)
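Evaluating RPO and RTO means comparing the values the company actually achieves with the targets written into the plan, not just checking that targets exist. The following is an added example, not PKF Attest's tooling or part of the original page: it takes a constructed backup-job log and a constructed restore-drill record (the formats, job names and target values are assumptions for illustration), works out the worst-case data-loss window from the gaps between successful backups (a failed job widens the gap), the data that would have been lost had the disaster struck at the time the drill was declared, and the time the drill took to restore service, and flags each against its target.

```python
"""Compare achieved RPO/RTO from backup logs and a restore drill against targets.

Added example; the log format, job names, drill record and targets below are
constructed for illustration and do not come from any real system.
"""
from datetime import datetime, timedelta

# Constructed backup-job log: ISO timestamp, job type, outcome.
BACKUP_LOG = """\
2024-03-01T02:05:00 full OK
2024-03-01T14:03:00 incr OK
2024-03-02T02:04:00 full OK
2024-03-02T14:02:00 incr FAILED
2024-03-03T02:06:00 full OK
2024-03-03T14:01:00 incr OK
"""

# Constructed restore-drill record: when the disaster was declared and when
# the service was confirmed back in production.
DRILL = {"declared": "2024-03-03T09:30:00", "restored": "2024-03-03T15:10:00"}

# Assumed targets taken from the (hypothetical) continuity plan.
TARGETS = {"rpo": timedelta(hours=12), "rto": timedelta(hours=4)}


def parse_backups(text):
    """Return the timestamps of successful backups, sorted ascending.

    Failed jobs are deliberately dropped: a failed backup protects nothing,
    so the recoverable point stays at the previous successful job.
    """
    done = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _job, status = line.split()
        if status == "OK":
            done.append(datetime.fromisoformat(ts))
    return sorted(done)


def achieved_rpo(successes):
    """Worst-case data-loss window: the longest gap between consecutive
    successful backups over the period covered by the log."""
    if len(successes) < 2:
        return None
    return max(later - earlier for earlier, later in zip(successes, successes[1:]))


def data_loss_at(successes, declared):
    """Data that would be lost if the disaster struck at `declared`:
    the age of the most recent successful backup at that moment."""
    prior = [t for t in successes if t <= declared]
    if not prior:
        return None
    return declared - prior[-1]


def achieved_rto(drill):
    """Elapsed time from disaster declaration to restored service in the drill."""
    return datetime.fromisoformat(drill["restored"]) - datetime.fromisoformat(drill["declared"])


def evaluate(log=BACKUP_LOG, drill=DRILL, targets=TARGETS):
    """Return achieved values and a pass/fail flag for each target."""
    successes = parse_backups(log)
    declared = datetime.fromisoformat(drill["declared"])
    rpo = achieved_rpo(successes)
    rto = achieved_rto(drill)
    return {
        "worst_rpo": rpo,
        "rpo_met": rpo is not None and rpo <= targets["rpo"],
        "loss_at_declared": data_loss_at(successes, declared),
        "rto": rto,
        "rto_met": rto <= targets["rto"],
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

In the constructed data the failed incremental on 2 March leaves a gap of just over 24 hours between good backups, so the 12-hour RPO target is missed even though the data loss at the moment the drill was declared (about 7.5 hours) would have been within target; the drill itself took 5 hours 40 minutes against a 4-hour RTO. An auditor would feed real job logs and drill timings into the same comparison and ask for corrective action plans on every missed target.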

Contingency plan tests:

  • Frequency
  • Units and services assessed
  • Conditions and scenarios
  • Corrective action plans
