Section 4.2.6 Internal audit function
CSSF Circular 22/806 on outsourcing (as amended by CSSF 25/883) · CSSF 22/806
51. The internal audit function’s activities shall cover, following a risk-based approach, the review of outsourced activities. The audit plan and programme shall include, in particular, the outsourcing arrangements of critical or important functions.
52. With regard to the outsourcing process, the internal audit function shall at least ascertain:
a. that the In-Scope Entity’s framework for outsourcing, including the outsourcing policy, is effectively implemented and is in line with the applicable laws and regulations, the risk strategy and the decisions of the management body;
b. the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions;
c. the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the In- Scope Entity’s risk strategy;
d. the appropriate involvement of governance bodies; and
e. the appropriate monitoring and management of outsourcing arrangements.