Auditing of Information Technology Controls in Outsourcing

Conference paper
Part of the Lecture Notes in Information Systems and Organisation book series (LNISO, volume 6)


The paper analyzes the level of Information Technology (IT) and the quality of IT Controls (ITC) in outsourcing. We collected data through a questionnaire sent to a sample of Italian listed companies and performed robustness tests. Our results show that in Italy: (1) IT in outsourcing is widespread; (2) ITC in outsourcing complies with USA frameworks. ITC mainly follow the Statement of Auditing Standard No. 70 (SAS 70) Report Types 1 and 2. Concerns about quality are related to the absence of a direct evaluation in outsourcer location and the absence of audit provisions.


Outsourcing Information technology controls Internal control over financial reporting 


  1. 1.
    Altinkemer, K., Chaturvedi, A., Gulati, R.: Information systems outsourcing: issues and evidence. Int. J. Inf. Manag. 14(4), 252–278 (1994)CrossRefGoogle Scholar
  2. 2.
    Loh, L., Venkatraman, N.: Determinants of information technology outsourcing: a cross-sectional analysis. J. Manag. Inf. Syst. 9(1), 7–24 (1992)Google Scholar
  3. 3.
    Hall, J.A., Liedtka, S.L.: Financial performance, CEO compensation, and large-scale information technology outsourcing decisions. J. Manag. Inf. Syst. 22(1), 193–221 (2005)Google Scholar
  4. 4.
    Cannon, D.M., Growe, G.A.: How does Sarbanes-Oxley affect outsouring? J. Corp. Account. Financ. 16(3), 13–20 (2005)CrossRefGoogle Scholar
  5. 5.
    PCAOB—Public Company accounting oversight board: auditing standard n.5, Un audit of internal control over financial reporting that is integrated with an audit of financial statements. PCAOB, USA (2007)Google Scholar
  6. 6.
    SEC—Securities and exchange commission: release nos. 33-8810. 34-55929, FR-77, File S7-24-06, commission guidance regarding management’s report on internal control over financial reporting under part 13(a) or 15(d) of the securities exchange act of 1934. SEC, USA (2007)Google Scholar
  7. 7.
    COSO—Committee of sponsoring organizations of the treadway commission: guidance for smaller public companies reporting on internal controls over financial reporting. COSO, New York (2006)Google Scholar
  8. 8.
    IT Governance Institute: COBIT. Control objectives for information and related technology 4.1. IT Governance Institute (ITGI), USA (2007)Google Scholar
  9. 9.
    IT Governance Institute: COBIT for SOX. IT Control Objectives for Sarbanes-Oxley: The Role of IT in the design and implementation of internal control over financial reporting, 2nd edn. IT Governance Institute, USA (2006)Google Scholar
  10. 10.
    AICPA—American Institute of Certified Public Accountants: Statement on Auditing Standard 70 (SAS70). AICPA, USA (1992)Google Scholar
  11. 11.
    Denyer, C.: Understanding the Dynamics of SAS 70. Audits Benefits Compens. Digest. 43(8), 11–15 (2006b)Google Scholar
  12. 12.
    Laurent, W.: Outsourcing governance. Data Min Rev Mag. 16(10), 14 (2006) Google Scholar
  13. 13.
    Hoffman, T.: Sarbanes-Oxley mandates lead to IT certification push. Computrworld 37(44), 14 (2003)Google Scholar
  14. 14.
    McCann, D.: The truth about SAS70. CFO 26(7), 27–29 (2010)Google Scholar
  15. 15.
    McCollum, T.: A Fix for SAS70 Abuse. Intern. Auditor 67(5), 13–14 (2010)Google Scholar
  16. 16.
    Gazzaway, T.: SAS 70 new life for an old audit standard. Financ. Executive. 20(3), 43–44 (2004)Google Scholar
  17. 17.
    Bednarz, A.: Offsite security complicates compliance. Netw. World 22(11), 27–28 (2005)Google Scholar
  18. 18.
    Denyer, C.: Attention benefit managers: if you’re outsourcing HR/benefit functions, you need to know about SAS 70 audits. Employee Benefit News, 20(8), 14 (2006) Google Scholar
  19. 19.
    Germano, L., Baker, A.: Why an SAS70 review will benefit your organization. J. Pension Benefits Issues Adm. 11(1), 69–73 (2003)Google Scholar
  20. 20.
    Stanton, L.: Why your organization might need a SAS70 report. 401K Advisor 11(4), 8–9 (2004)Google Scholar
  21. 21.
    Nickell, C.G., Denyer, C.: An Introduction to SAS70. Audits Benefits Law J. 20(1), 58–68 (2007)Google Scholar
  22. 22.
    Rustagi, S., King, W., Kirsch, L. J.: Predictors of formal control usage in IT outsourcing partnerships. Inf. Syst. Res. 19(2), 126–143 (2008)Google Scholar
  23. 23.
    Barthélemy, J.: The hidden cost of IT outsourcing. MIT Sloan Manag. Rev. 42(3), 60–69 (2001)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Tatiana Mazza
    • 1
  • Stefano Azzali
    • 1
  • Luca Fornaciari
    • 1
  1. 1.Università Degli Studi Di ParmaParmaItaly

Personalised recommendations