I see where you are coming from, but ...
>> Always a laugh when internal IT has a whole list of unreasonable demands (sole ownership of copyright on code, third-party audits) and business goes over their heads, leaves them out of the picture and goes SaaS. As long as the data is theirs they couldn't care less.
That is indicative of a bigger problem, of which the local/cloud is only one element.
Perhaps the requirements didn't actually come from IT, but from management themselves? I've been there, you see yet another man in a suit, carrying a clipboard, wandering around with a manager and wonder who he is. Then next thing, a list of "instructions" on things we *will* change. Note that in many cases the auditor (whether from the insurers, parent company, accountants, whoever) never spoke to anyone in IT, never asked if there were reasons for doing things the way they were, or what mitigation techniques we might already have in place to deal with a risk - we just get a diktat from management that "we are required to do/change <x>". Never mind if <x> is actually supported by our aged systems, or if it will break something else, or if we've already got the risk addressed - the <whoever> likes to see <x> and so we are going to do <x>.
On more than one occasion I took great delight in doing <x>, having suggested it wasn't a good idea, and then sat back until it started causing problems (such as randomly preventing logins*). Management refused to accept it wasn't a good idea, so we had to do it - and sure enough, it caused problems and we'd end up either reverting the change or having to do other changes to work around that.
* SCO OpenServer - auditors stated that they expect to see logins blocked after 3 failed attempts on a terminal. Sure enough, when someone caused a terminal line to get locked, it blocked logins - but not on that physical device as nearly everything was on virtual lines over telnet. Whoever got the blocked virtual line got a failed login, and while they had that line in use, others could log in on higher numbered lines. Once the blocked line was free again, the next person to try would get a failure. Oh what fun to watch :)
Given this attitude from senior management, is it any surprise they will go behind the backs of IT and outsource things? But who will they blame if anything goes wrong? I think we all know the answer to that one!
I do agree that "sole ownership of copyright on code" is just daft (unless you are paying for all of it to be written of course). Third party audits may well be reasonable - it depends on who you are and what you have to comply with.
The first is probably imposed by some PHB, the latter probably imposed by some auditor who couldn't be bothered to ask anyone.