Auditing Information Systems, Second Edition by Jack J. Champlain

5.2. USE OF SERVICE AUDITOR REPORTS FOR INTERNAL AUDITS

Once an organization has determined that it will contract with a service organization, one of the first steps that the project development team at the client organization should perform is to examine a copy of the most recent service auditor's report from each of the bidding service organizations. This examination should take place before any contract is entered into with the service organization. Significant control weaknesses in a service auditor's report could signal that the service organization cannot provide client organizations with an adequate level of service and information protection. If a service organization does not have a service auditor's report prepared, the client organization should seriously consider dropping that service organization from consideration. The lack of a service auditor's report may also signal that internal controls at the service organization could significantly jeopardize client operations. The internal control environment can change over time at a service organization, as with any organization. Therefore, even after a service organization has been contracted and its services have been deployed, process owners and internal auditors at the client organization should examine each service auditor's report that is prepared. Although professional auditing standards do not require the preparation of a service auditor's report for all service organizations, most reputable service organizations ...