- Auditing 3rd-party services must be negotiated directly with the service provider, adds significant complexity to the process, and would normally fall outside the scope of the audit. There are often serious legal issues involved in auditing outside of a formal, signed agreement.
It is increasingly difficult to run complex organizations without some reliance on cloud-based service providers for functions such as email hosting, web hosting, or document management/backup. Organizations, assisted by the auditor, should review their options when selecting cloud providers and, in parallel, consider which practices and policies to apply to their use of those providers in order to meet organizational security requirements.
Schedule regular (annual?) reviews of the external services to ensure that they meet organizational requirements for functionality and security, business solvency, and exporting or transferring data.
When considering formalizing the use of new 3rd-party services, review the questions and processes here to help guide the decision.