In the current business environment, IT suppliers have become an integral part of the customer organization, and the IT environment and processes of IT suppliers have a direct impact on the customer organization. Even though operational responsibility might have been transferred to the supplier, legal and regulatory responsibility still rests with the customer. Hence it is the customer’s responsibility to verify that appropriate controls are in effect to ensure that the organization fulfills its contractual obligations. This topic focuses on some of the key components and best practices in auditing IT suppliers for compliance. It is aligned with an ISACA research paper (Outsourced IT Environments Audit/Assurance Program), with additional information.
Best Practices and Key Considerations in Auditing “IT Suppliers”
Shankar Subramaniyan
ISACA Greater Houston Chapter
August 15, 2013
Agenda
• Provide an overview on the “Suppliers” environment
• ISACA Guideline for Auditing Outsourced Environment
• Discuss Key considerations/best practices
Dependency on IT SUPPLIERS
21st Century is ushering in a new kind of company…
“The complex product markets of the 21st Century will demand the ability to quickly and globally deliver a high variety of customized products. The products will be differentiated not only by form and function but also by the services provided with the product including the ability of the customer to be involved in the design of the product… A company will not be an isolated facility of production, but rather a node in a complex network of suppliers, customers, engineering and other service functions.”
– William Davidow & Michael Malone, The Virtual Corporation
Increasing dependency on suppliers due to change in business model
Technology Changes
• Gartner predicts that more than 60% of enterprises will have some form of Cloud by 2013
• Gartner estimates that by the year 2015 more than 50% of enterprises will be using SaaS applications for their business strategy
• We should be cognizant of the implications of these new technologies for effective IT auditing, since mission-critical applications with sensitive data (Finance and HR) are now moving into SaaS
Increasing dependency on suppliers due to technology changes
IT SUPPLIERS: outsourced processes
IT processes
• Infrastructure Outsourcing
• IT Security Outsourcing
• Help Desk Outsourcing
• Application Outsourcing - ERP or Custom
• B2B Project Outsourcing
• Business Transformation Outsourcing
Outsourced IT processes
• Application development
• Application maintenance
• Application hosting
• Data center operations
• Database administration
• Desktop support
• Disaster recovery services
• Help desk services
• IT security
• Network operations
• Web/e-commerce systems
Finance processes
• AP, AR, Billing and Invoicing
• Reconciliations
• Treasury and Cash Management
• Budgeting and Forecasting
• Financial Planning and Reporting
Procurement processes
• Spend Analysis
• Sourcing Support
• Supplier Performance Management
• Contract Administration and Management
• Custom Analytics
HR processes
• Recruitment process
• Employee orientation programs
• Employee and manager training
• Benefits administration
KEY CONCERNS
• Lack of visibility
• Loss of control
• Cross-border laws
• Attack vector
• Physical inaccessibility
• Multi-tenancy
ISACA Outsourcing Audit Guideline
www.isaca.org/Outsourced-IT-AP
Scope
• Operating infrastructure (and related processes) at the data center of the customer or the supplier
• Processing of a proprietary application by the servicer (application service provider)
• Development or maintenance of applications
• Managing the network
• Managing the information security infrastructure and supporting processes
• A combination of any of these and other business and technology processes
KEY COMPONENTS
• Planning and scoping the audit
• Achievement of business requirements
• Fulfillment of assurance charter and compliance requirements
• Governance
• Compliance with contract
• Relationship management
• Functionality and controls of provided services
Planning and Scoping the Audit
Audit Planning
• Having decided an audit is required, the following questions must be answered:
– What type of audit is to be undertaken?
– What particular information is required, and by when?
– To what depth and scope does the audit need to be done?
– On what dates should the audit be done?
– Who should perform the audit?
• Sometimes the control description and scope are not shared with the auditee.
• The audit scope carries the risk of being too limited or too aggressive.
• The type of assurance depends on:
– Compliance requirements of the customer
– What audit right is mentioned in the contract
– Who can decide the scope and methodology / who has the bargaining power
– Type of service provided by the supplier
– Criticality of the business/IT area outsourced and the associated risk assessment
– Existing ISMS processes/certifications of suppliers and their gap with the customer’s requirements
An audit charter with clear scope and methodology is very critical.
The audit process should also involve tracking the previous audit’s non-conformities.
Key Considerations in Audit Planning
– To what depth the audit needs to be done
– Cost of assessment
– Synchronizing the audit schedule and audit time period between suppliers and the customer
– Mapping between the supplier’s and the customer’s controls (supplier-side assurance such as ISO27001, SSAE16/ISAE3402 or AUP mapped against the customer’s requirements)
Overcoming Resistance to Audit
• Auditors
– Use the audit as an improvement tool
– Explain the process to auditees
– Touch base with the auditee
– Recognize their accomplishments
– Concerns and questions of auditees
– Do not conduct manipulative or tricky audits
• The auditee’s performance appraisal has a goal of “ZERO DEFECT” in audit.
• Agree with department representatives on the findings and corrective action.
Achievement of Business Requirements
• Review business expectations
• Review risk assessment
– Review the exceptions/step-outs
– Retained IT components and their control assessment
Sample list to consider in a new project setup:
– The functional and technical requirements are identified and complete enough
– Risk to the existing support levels identified (in case the applications are planned to be transitioned to XXX)
– Input solicited from end-user representatives
– Existing support costs and desired targets identified (if a sustaining opportunity)
– Other sites and application systems considered to maximize cost savings
– Technical issues discussed and resolved
– Software and hardware purchasing/licensing requirements identified
– Performance expectations regarding service levels and deliverables identified
– Proposal reviewed by affected parties to ensure it addresses expectations
– Proper template has been used to prepare the SOW
– Acceptance criteria are clearly mentioned
Supplier Risk Management
Components: Supplier Relationship Management, Supplier Performance, Supplier Engagement Guide, Contract Performance Management.
Sample risks are as follows:
• Intellectual property ownership
• Service levels not being met
• Deliverables not adhering to quality norms
• Under/over-utilization of resources
• Sustaining-engagement scope creep
• Inadequate transition of knowledge to new staff
• Deliverables not tracked and approved in a timely manner
• Inaccurate billing and cost and effort overruns
• Inadequate transition of knowledge and inability to transfer ownership
• Right resources not available on time
• Risk of locking into proprietary supplier platforms/processes
• Key resource roll-offs in the middle of the project
Proper process in case of project termination:
• Recovery of all assets (hardware/software)
• Termination of access
• Knowledge transfer
• Deliverables and process documents
• Notification of all affected parties
• Contract and accounting/invoice activities
Compliance with Contract
Whether the contract includes:
• Evaluation of supplier performance
• Rights to audit, information security requirements
• Payment schedule
• Issue monitoring
• Intellectual property ownership
• SLA, penalty and non-performance
• Clear scope and responsibilities
• Termination and transfer of services
• Legal liabilities and regulatory compliance
Relationship Management
• Role of Relationship Managers
• Adequacy of Delivery Metrics
• Delivery Performance Review
• New Project Initiation and management
• Issue management and escalation
• Billing and payment process
• Relationship review
Critical Success Factors
1. Cultural awareness: With cross-cultural awareness, the teams can understand the expectations well.
2. Communication: Communication is the key for any successful engagement. Clarity and understanding play the key role. Ensure that the other side understood what is being communicated. Consider the styles of communication as well as accent issues.
3. Common understanding and sign-off on requirements (in-scope and out-of-scope): SOW sign-off at the beginning of the respective project to eliminate any uncertainties.
4. Mutual trust: In the estimates, resources, management styles and cultural aspects.
5. Process adherence and following the procedures: Follow the engagement guide for all engagements under scope.
6. Resolution of issues in time: Efforts to resolve the issues and understanding of any practical difficulties in closure on both sides.
7. Early planning for resources: Planning for people, tools, licenses, logistics and timeframes.
8. Right governance: Reviews and feedback as per the laid-down procedures and practices at each of the checkpoints, and any necessary corrective actions.
9. Right usage of tools: Metrics tools, etc. for proper tracking of progress and deviations.
Functionality and Controls of Provided Services
• Services operating as Promised
• Responsibility for Controls and Processes
• Review of Supplier suggested controls
• Gap Assessment where full reliance is placed on the supplier
Distinguish between a process narrative, an SLA and a control.
Do not combine multiple controls that differ in control objective, type, characteristic or frequency into one. Consider the cost of implementation and the audit point of view while documenting controls.
Fulfillment of Assurance Charter and Compliance Requirements
Operational responsibility might have been transferred to the supplier, but legal and regulatory responsibility will still be with the customer.
• Audit rights per contract
• Third-party reviews
• IT general controls review
– Operating system
– Network
– Database
– Application support and maintenance
– Access control and physical security
– Information security
• Regulatory compliance
• Assurance to the customer’s compliance requirements
Also consider: mapping between different assurance types (SOC 1/AUP/ISO27001), and whether the assurance requirement is set at the control objective level vs the control level.
Audit Points in Third Party Reviews
• Scope mismatch:
– Application or infrastructure in use by the customer
– Time period
– Location, people, process or service utilized by the customer
• Process gaps, e.g. a production application hosted on a dev server will not be under the supplier’s audit scope, since the supplier audits only the production server
• Review subservice providers’ reports, if any
• Review any significant changes in the supplier organization after the supplier audit and before the customer’s year-end review
• Control owner and operator shared between customer and supplier
• Mapping of controls between customer and supplier
• Unclear understanding of the split of responsibility between customer and supplier, e.g. encryption of archives or disposal of backup tapes containing personal sensitive data
• Conflicting clauses to different customers
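The scope-mismatch checks above can be made mechanical. The following is an added example, not code from the presentation or from ISACA's program: it compares what a supplier's third-party report covers with what the customer actually relies on and lists the follow-ups (systems or locations outside the report, uncovered parts of the customer's review period, carved-out subservice organizations). The report and customer data are constructed samples.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class ReportScope:
    # What the supplier's third-party report (e.g. SOC 1) actually covers.
    period_start: date
    period_end: date
    systems: frozenset
    locations: frozenset
    carved_out_subservice: frozenset = frozenset()

@dataclass(frozen=True)
class CustomerUse:
    # What the customer relies on, and the period its own review must cover.
    year_start: date
    year_end: date
    systems: frozenset
    locations: frozenset

def scope_gaps(report: ReportScope, use: CustomerUse) -> list:
    """Return the scope-mismatch findings to follow up before relying on the report."""
    gaps = []
    for kind, used, covered in (("systems", use.systems, report.systems),
                                ("locations", use.locations, report.locations)):
        missing = sorted(used - covered)
        if missing:
            gaps.append(f"{kind} used by customer but outside report scope: {missing}")
    # Any part of the customer's review period outside the report period is
    # uncovered: ask for a bridge (gap) letter and review changes at the supplier.
    if report.period_start > use.year_start:
        gaps.append(f"period {use.year_start} to {report.period_start - timedelta(days=1)} not covered")
    if report.period_end < use.year_end:
        gaps.append(f"period {report.period_end + timedelta(days=1)} to {use.year_end} not covered")
    # Carved-out subservice organizations are excluded from the supplier's
    # report, so each needs its own report or a direct assessment.
    for sub in sorted(report.carved_out_subservice):
        gaps.append(f"subservice organization {sub} carved out: obtain its own report")
    return gaps

# Constructed sample: a report covering calendar 2012 for a customer whose
# fiscal year ends 31 March 2013 and who also uses a dev server and a second site.
SAMPLE_REPORT = ReportScope(date(2012, 1, 1), date(2012, 12, 31),
                            frozenset({"ERP-prod", "Payroll"}), frozenset({"DC-Houston"}),
                            frozenset({"CloudHost Inc"}))
SAMPLE_USE = CustomerUse(date(2012, 4, 1), date(2013, 3, 31),
                         frozenset({"ERP-prod", "ERP-dev"}),
                         frozenset({"DC-Houston", "DC-Austin"}))
```

Running `scope_gaps(SAMPLE_REPORT, SAMPLE_USE)` yields four findings: the dev server, the second site, the uncovered January to March 2013 period, and the carved-out hosting provider.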
Governance
• Policies and procedures
• Steering committee oversight
• Engagement guide
Compliance requirements should be included from the pre-bid stage itself, and they should be part of regular status reviews.
SUMMARY
• Contract Management
• Supplier Performance monitoring
• Relationship Management
• Supplier Risk Management
What is the role of the IT auditor?
Thank You