
Best Practices & Considerations in “IT Suppliers Audit”


DESCRIPTION

In the current business environment, IT Suppliers have become an integral part of the Customer organization, and the IT environment and processes of IT Suppliers have a direct impact on the Customer organization. Even though operational responsibility might have been transferred to the Supplier, legal and regulatory responsibility still remains with the Customer. Hence it is the Customer's responsibility to verify that appropriate controls are in effect to ensure that the organization fulfills its contractual obligations. This topic focuses on some of the key components and best practices in auditing IT Suppliers for compliance. It is aligned with the ISACA research paper "Outsourced IT Environments Audit/Assurance Program", with additional information.


Page 1

Best Practices and Key Considerations in Auditing “IT Suppliers”

Shankar Subramaniyan
ISACA Greater Houston Chapter
August 15, 2013

Page 2

Agenda

• Provide an overview of the “Suppliers” environment
• ISACA guideline for auditing an outsourced environment
• Discuss key considerations/best practices

Page 3

Dependency on IT SUPPLIERS

Page 4

21st Century is ushering in a new kind of company…

"The complex product markets of the 21st Century will demand the ability to quickly and globally deliver a high variety of customized products. The products will be differentiated not only by form and function but also by the services provided with the product including the ability of the customer to be involved in the design of the product…A company will not be an isolated facility of production, but rather a node in a complex network of suppliers, customers, engineering and other service functions."

-William Davidow & Michael Malone, The Virtual Corporation

Increasing dependency on Suppliers due to change in business model

Page 5

Technology Changes

• Gartner predicts that more than 60% of enterprises will have some form of Cloud by 2013
• Gartner estimates that by the year 2015 more than 50% of enterprises will be using SaaS applications for their business strategy
• We should be cognizant of the implications of these new technologies for effective IT auditing, since mission-critical apps with sensitive data (Finance and HR) are now moving into SaaS

Increasing dependency on Suppliers due to technology changes

Page 6

IT SUPPLIERS

IT processes
• Infrastructure Outsourcing
• IT Security Outsourcing
• Help Desk Outsourcing
• Application Outsourcing - ERP or Custom
• B2B Project Outsourcing
• Business Transformation Outsourcing

Outsourced Processes

IT Suppliers
• Application development
• Application maintenance
• Application hosting
• Data center operations
• Database administration
• Desktop support
• Disaster recovery services
• Help desk services
• IT security
• Network operations
• Web/e-commerce systems

Finance processes
• AP, AR, Billing and Invoicing
• Reconciliations
• Treasury and Cash Management
• Budgeting and Forecasting
• Financial Planning and Reporting

Procurement processes
• Spend Analysis
• Sourcing Support
• Supplier Performance Management
• Contract Administration and Management
• Custom Analytics

HR processes
• Recruitment process
• Employee orientation programs
• Employee and manager training
• Benefits administration

Page 7

KEY CONCERNS

• Lack of visibility
• Loss of control
• Attack vector
• Physical inaccessibility
• Cross-border laws
• Multi-tenancy

Page 8

ISACA Outsourcing Audit Guideline

www.isaca.org/Outsourced-IT-AP

Page 10

Scope

• Operating infrastructure (and related processes) at the data center of the customer or the supplier
• Processing of a proprietary application by the servicer (application service provider)
• Development or maintenance of applications
• Managing the network
• Managing the information security infrastructure and supporting processes
• A combination of any of these and other business and technology processes

Page 11

KEY COMPONENTS

• Planning and scoping the audit
• Achievement of business requirements
• Fulfillment of assurance charter and compliance requirements
• Governance
• Compliance with contract
• Relationship management
• Functionality and controls of provided services

Page 12

Planning and Scoping the Audit

Page 13

Audit Planning

• Having decided an audit is required, the following questions must be answered:
– What type of audit is to be undertaken?
– What particular information is required, and by when?
– To what depth and scope does the audit need to be done?
– On what dates should the audit be done?
– Who should perform the audit?
• Sometimes the control description and scope are not shared with the auditee.
• The audit scope carries the risk of being too limited or too aggressive.

An audit charter with clear scope and methodology is very critical.

The audit process should also involve tracking the previous audit's non-conformities.

Page 14

Key Considerations in Audit Planning

• Type of assurance depends on
– Compliance requirements of the customer
– What audit right is mentioned in the contract
– Who can decide the scope and methodology / who has the bargaining power
– Type of service provided by the supplier
– Criticality of the business/IT area outsourced and the associated risk assessment
– Existing ISMS process/certifications of suppliers and their gap with the Customer's requirements
– To what depth the audit needs to be done
– Cost of assessment

Synchronizing the audit schedule and audit time period between suppliers and Customer

Mapping between the Supplier's and Customer's controls, across the assurance types the supplier holds (ISO27001, SSAE16/ISAE3402, AUP)

Page 15

Overcoming Resistance to Audit

• Auditors
– Use the audit as an improvement tool
– Explain the process to auditees
– Touch base with the auditee
– Recognize their accomplishments
– Address the concerns and questions of auditees
– Do not conduct manipulative or tricky audits

The auditee's performance appraisal has a goal of “ZERO DEFECT” in audit.

Agree with department representatives on the findings and corrective action.

Page 16

Achievement of business requirements

Page 17

ACHIEVEMENT OF BUSINESS REQUIREMENTS

• Review business expectations
• Review risk assessment
– Review the exceptions / step-outs
– Retained IT components and their control assessment

Sample list to consider in a new project setup
– The functional and technical requirements are identified and complete enough
– Risks to the existing support levels identified (in case the applications are planned to be transitioned to XXX)
– Input solicited from end-user representatives
– Existing support costs and desired targets identified (if a sustaining opportunity)
– Other sites and application systems considered to maximize cost savings
– Technical issues discussed and resolved
– Software and hardware purchasing/licensing requirements identified
– Performance expectations regarding service levels and deliverables identified
– Proposal reviewed by affected parties to ensure it addresses expectations
– Proper template used to prepare the SOW
– Acceptance criteria clearly stated

Page 18

Supplier Risk Management

Sample risks are as follows:
• Intellectual property ownership
• Service levels not being met
• Deliverables not adhering to quality norms
• Under/over-utilization of resources
• Sustaining engagement scope creep
• Inadequate transition of knowledge to new staff
• Deliverables not tracked and approved in a timely manner
• Inaccurate billing and cost and effort overruns
• Inadequate transition of knowledge and inability to transfer ownership
• Right resources not available on time
• Risk of lock-in to proprietary supplier platforms/processes
• Key resources rolling off in the middle of the project

Supplier Relationship Management / Supplier Performance / Supplier Engagement Guide / Contract Performance Management

Proper process in case of project termination:
• Recovery of all assets (hardware/software)
• Termination of access
• Knowledge transfer
• Deliverables and process documents
• Notification of all affected parties
• Contract and accounting/invoice activities

Page 19

Compliance with contract

Page 20

Compliance with contract

Whether the contract includes
• Evaluation of supplier performance
• Rights to audit, information security requirements
• Payment schedule
• Issue monitoring
• Intellectual property ownership
• SLA, penalty and non-performance
• Clear scope and responsibilities
• Termination and transfer of services
• Legal liabilities and regulatory compliance

Page 21

Relationship management

Page 22

RELATIONSHIP MANAGEMENT

• Role of Relationship Managers

• Adequacy of Delivery Metrics

• Delivery Performance Review

• New Project Initiation and management

• Issue management and escalation

• Billing and payment process

• Relationship review

Page 23

Critical Success Factors

1. Cultural awareness: With cross-cultural awareness, the teams can understand the expectations well.
2. Communication: Communication is the key for any successful engagement. Clarity and understanding play the key role. Ensure that the other side understood what is being communicated. Consider the styles of communication as well as accent issues.
3. Common understanding and sign-off on requirements (in-scope and out-of-scope): SOW sign-off at the beginning of the respective project to eliminate any uncertainties.
4. Mutual trust: In the estimates, resources, management styles and cultural aspects.
5. Process adherence and following the procedures: Follow the Engagement Guide for all the engagements under scope.
6. Resolution of issues in time: Efforts to resolve the issues, and understanding of any practical difficulties in closure on both sides.
7. Early planning for resources: Planning for people, tools, licenses, logistics and timeframes.
8. Right governance: Reviews and feedback as per the laid-down procedures and practices at each of the checkpoints, and any necessary corrective actions.
9. Right usage of tools: Metrics tool, etc., for proper tracking of progress and deviations.

Page 24

Functionality and controls of provided services

Page 25

Functionality and controls of provided services

• Services operating as promised
• Responsibility for controls and processes
• Review of supplier-suggested controls
• Gap assessment where full reliance is placed on the supplier

Difference between process narrative, SLA and control.

Do not combine multiple controls that differ in control objective, type, characteristic or frequency into one. Consider both the cost of implementation and the audit point of view while documenting controls.

Page 26

Fulfillment of assurance charter and compliance requirements

Operational responsibility might have been transferred to the Supplier, but legal and regulatory responsibility still remains with the Customer.

Page 27

Fulfillment of assurance charter and compliance requirements

• Audit rights per contract
• Third-party reviews
• IT General Controls review
– Operating system
– Network
– Database
– Application support and maintenance
– Access control and physical security
– Information security
• Regulatory compliance
• Assurance to Customer's compliance requirements

Mapping between different assurance types (SOC 1 / AUP / ISO27001)

Assurance requirement at control objective level vs control level

Page 28

Audit points in third-party reviews

• Scope mismatch:
– Application or infrastructure in use by the Customer
– Time period
– Location, people, process or service utilized by the Customer
• Process gaps, e.g. a production application hosted on a development server will not be in the Supplier's audit scope when the Supplier audits only production servers
• Review subservice providers' reports, if any
• Review any significant changes in the supplier organization after the supplier audit and before the customer's year-end review
• Control owner and operator shared between Customer and Supplier
• Mapping of controls between Customer and Supplier
• Unclear understanding of the responsibilities of customer and supplier, e.g. encryption of archives or disposal of backup tapes containing sensitive personal data
• Conflicting clauses to different customers
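The scope-mismatch checks listed above can be made mechanical. As an added example (not from the presentation or the ISACA audit program), the Python below compares a supplier report's stated scope with what the customer actually consumes and lists the gaps an auditor must resolve before placing reliance on the report. The field names (systems, locations, period, carve-outs) and the sample report and usage figures are assumptions constructed for the illustration.

```python
"""Scope-gap check for a supplier's third-party assurance report.

Added illustration, not part of the original ISACA presentation. The report
and usage figures below are constructed for the example; the field names are
assumptions about how an auditor would record the report's stated scope and
the customer's actual consumption of the supplier's services.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ReportScope:
    """What the supplier's report (e.g. SOC 1 / ISAE 3402) says it covers."""
    systems: frozenset        # hosts or applications named in the system description
    locations: frozenset      # sites whose controls were tested
    period_start: date
    period_end: date
    carved_out: frozenset     # subservice organizations excluded by the carve-out method


@dataclass(frozen=True)
class CustomerUsage:
    """What the customer actually consumes from the supplier."""
    systems: frozenset
    locations: frozenset
    fy_start: date            # customer's financial year under review
    fy_end: date
    subservices_relied_on: frozenset


def scope_gaps(report: ReportScope, usage: CustomerUsage) -> dict:
    """Return the scope mismatches between the report and the customer's usage."""
    # Days of the customer's FY that fall before or after the report period.
    head = max(0, (report.period_start - usage.fy_start).days)
    tail = max(0, (usage.fy_end - report.period_end).days)
    return {
        # Systems in use but absent from the report's system description,
        # e.g. a production application running on a development server.
        "systems_not_covered": sorted(usage.systems - report.systems),
        "locations_not_covered": sorted(usage.locations - report.locations),
        # Uncovered days need a bridge letter or additional procedures.
        "period_uncovered_days": head + tail,
        # Carved-out subservice providers the customer relies on: their own
        # report must be obtained and reviewed separately.
        "subservice_reports_needed": sorted(
            usage.subservices_relied_on & report.carved_out
        ),
    }


def reliance_possible(gaps: dict) -> bool:
    """True only when every gap list is empty and the whole FY is covered."""
    return not any(gaps.values())


# Constructed sample data (not taken from the presentation).
SAMPLE_REPORT = ReportScope(
    systems=frozenset({"erp-prod-01", "erp-prod-02"}),
    locations=frozenset({"Houston"}),
    period_start=date(2012, 10, 1),
    period_end=date(2013, 9, 30),
    carved_out=frozenset({"CloudHostCo"}),
)
SAMPLE_USAGE = CustomerUsage(
    systems=frozenset({"erp-prod-01", "erp-dev-03"}),  # prod app on a dev box
    locations=frozenset({"Houston", "Bangalore"}),
    fy_start=date(2013, 1, 1),
    fy_end=date(2013, 12, 31),
    subservices_relied_on=frozenset({"CloudHostCo", "PayrollSvc"}),
)

if __name__ == "__main__":
    gaps = scope_gaps(SAMPLE_REPORT, SAMPLE_USAGE)
    for name, value in gaps.items():
        print(f"{name}: {value}")
    print("reliance possible:", reliance_possible(gaps))
```

Running the block on the sample data flags the development server, the second site, the last quarter of the customer's financial year and the carved-out hosting provider; each of those is a question back to the supplier, not a conclusion that the report is unusable.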

Page 29

Governance

Page 30

Governance

• Policies and procedures
• Steering Committee oversight

Compliance requirements should be included from the pre-bid stage itself and should be part of regular status reviews.

Engagement Guide

Page 31

SUMMARY

• Contract Management

• Supplier Performance monitoring

• Relationship Management

• Supplier Risk Management

Page 33

What is the Role of IT Auditor ?

Thank You