50. The internal audit function’s [Regarding the responsibilities of the internal audit function, institutions should refer to Section 22 of the EBA Guidelines on internal governance and payment institutions should refer to Guideline 5 of the EBA guidelines on the authorisation of payment institutions.] activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan [See also EBA Guidelines on the supervisory review and evaluation process] and programme should include, in particular, the outsourcing arrangements of critical or important functions.
51. With regard to the outsourcing process, the internal audit function should at least ascertain:
a. that the institution’s or payment institution’s framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body;
b. the adequ
…