Businesses are increasingly turning over all or part of their information technology functions to outside service providers. While this may create certain efficiencies, the organization is still ultimately responsible for risks associated with the availability and functions of I.T. services, as well as proper access and use of company data.

This means the chief information officer or equivalent I.T. leader must ensure that selected service providers have the proper structure, financial stability and continuity plans in place to consistently deliver the contracted services.

It also means I.T. leaders must assess the effectiveness of the service provider’s policies and procedures, to ensure the integrity and security of the company’s sensitive data and proprietary information.

An estimated $1 trillion per year industry, I.T. outsourcing takes many forms. An organization may turn over its entire I.T. department to a vendor, or it may hire one to perform data center operations, network management or other specific functions. 

Commonly outsourced I.T. functions include:

• Software application development,
• Software application support,
• Data-center operations,
• Help-desk support,
• Network management,
• Cybersecurity,
• Platform or infrastructure as a service, and
• Software as a service.

In the past, CIOs focused primarily on the physical product supply chain. Today, however, they must be concerned with the supply chain for both products and services.

Assessing and managing risk in third-party technology service suppliers can be a challenge, since significant portions of the service environments are under the control of the provider, and are likely beyond the purview of the acquiring organization. Due diligence must be performed up front to assess the risks associated with engaging an external party.

Before engaging with an I.T. service provider, the CIO must understand:

• What is being outsourced, 
• What business processes will be supported by the service,
• What data will be stored, processed or accessible via the outsourced service, and
• Who will have access to systems, applications and data related to the outsourced service.

The process can begin with a basic I.T. services risk assessment form, designed to capture answers to these questions from staff within the organization. In addition, a supplier pre-assessment form can be used to gather preliminary information from a potential service provider. Common questions to ask in a supplier pre-assessment form include:

• Has your company ever declared bankruptcy?
• Does your company's insurance policy include errors and omission (or general liability) claims? If yes, what are the limits of the policy?
• Is your company involved in pending litigation?
• Has your company ever been a party to a regulatory investigation?
• Does your company have a privacy policy?
• Does your company have a documented security program in place?
• Will your company agree to complete a questionnaire regarding your information security and privacy programs?
• Does your company have a Service Organization Controls (SOC) report?
• Does your company have a comprehensive business continuity plan to address continuance of operations in the event of incidents disrupting normal operations?

These assessment forms should provide sufficient information to determine whether additional diligence is needed. Based on the level of potential risk, this additional diligence could include requiring the service provider to respond to a more detailed questionnaire; reviewing the service provider’s SOC report in detail, or engaging with the organization’s internal audit function or a qualified external audit firm to conduct a vendor assessment.

Conducting these assessments is critical when establishing a relationship with a new provider. It’s also important to continue to review each supplier on an ongoing basis. The frequency and extent of those reviews should be based on the risks associated with the services being provided.

These assessments are tailored toward service providers, but the concepts can be adapted for key technology product providers as well. The main thing is for the CIO to understand the potential risks of engaging with a supplier, and have an understanding of how each supplier manages its business risks. In this way, the CIO will be better able to anticipate the impact of outsourcing risks on the organization.

Service provider assessments can be assigned to various functions within an organization, including I.T., risk management or internal audit. Assessments may also be performed by a qualified third party.

However, it is the responsibility of the CIO or equivalent I.T. leader to review the information gathered from the assessments, and determine whether engaging with the proposed technology service provider is aligned with the organization’s goals and risk-tolerance levels. A thorough assessment today will help ward off bigger problems down the road.

Robert Neill is director of CIO Advisory Services for Weaver, a national CPA and advisory firm.