The outsourcing of portions of an information technology function can introduce risks, regarding effective oversight of and accountability for controls in place. Management should ensure that proper due diligence is conducted, prior to contracting with a vendor. Additionally, ongoing communication must be present throughout the business relationship with the vendor.

To evaluate the adequacy of controls surrounding outsourced IT operations, areas similar to those below may be addressed:

  • Is a risk analysis of any potential vendor conducted, including financial stability, and the adequacy of key officers/personnel?
  • Are specific requirements and/or guidelines in place at the Federal, State, or University level, that must be addressed?
  • Are specific requirements regarding expectations, such as “right-to-audit” clauses, and required insurance/assignment of liability agreed upon and documented?