In the current business environment, IT Suppliers have become an integral part of the Customer organization, and the IT environment and processes of IT Suppliers have a direct impact on the Customer organization. Even though operational responsibility might have been transferred to the Supplier, legal and regulatory responsibility still rests with the Customer. Hence it is the Customer's responsibility to verify that appropriate controls are in effect to ensure that the organization fulfills its contractual obligations. This topic focuses on some of the key components and best practices in auditing IT Suppliers for compliance. It is aligned with an ISACA research paper (Outsourced IT Environments Audit/Assurance Program), with additional information.
Best Practices & Considerations in “IT Suppliers Audit”
1. Best Practices and Key Considerations in Auditing “IT Suppliers”
Shankar Subramaniyan
ISACA Greater Houston Chapter
August 15, 2013
2. Agenda
• Provide an overview on the “Suppliers” environment
• ISACA Guideline for Auditing Outsourced Environment
• Discuss Key considerations/best practices
4. 21st Century is ushering in a new kind of company…
“The complex product markets of the 21st Century will demand the ability to quickly and globally deliver a high variety of customized products. The products will be differentiated not only by form and function but also by the services provided with the product including the ability of the customer to be involved in the design of the product… A company will not be an isolated facility of production, but rather a node in a complex network of suppliers, customers, engineering and other service functions.”
– William Davidow & Michael Malone, The Virtual Corporation
Key point: increasing dependency on Suppliers due to change in business model.
5. Technology Changes
• Gartner predicts that more than 60% of enterprises will have some form of Cloud by 2013.
• Gartner estimates that by the year 2015 more than 50% of enterprises will be using SaaS applications for their business strategy.
• We should be cognizant of the implications of these new technologies for effective IT auditing, since mission-critical applications with sensitive data (Finance and HR) are now moving into SaaS.
Key point: increasing dependency on Suppliers due to technology changes.
6. IT SUPPLIERS
IT Suppliers (types of outsourcing):
– Infrastructure Outsourcing
– IT Security Outsourcing
– Help Desk Outsourcing
– Application Outsourcing - ERP or Custom
– B2B Project Outsourcing
– Business Transformation Outsourcing
Outsourced Processes:
• IT processes
– Application development
– Application maintenance
– Application hosting
– Data center operations
– Database administration
– Desktop support
– Disaster recovery services
– Help desk services
– IT security
– Network operations
– Web/e-commerce systems
• Finance processes
– AP, AR, Billing and Invoicing
– Reconciliations
– Treasury and Cash Management
– Budgeting and Forecasting
– Financial Planning and Reporting
• Procurement processes
– Spend Analysis
– Sourcing Support
– Supplier Performance Management
– Contract Administration and Management
– Custom Analytics
• HR processes
– Recruitment process
– Employee orientation programs
– Employee and manager training
– Benefits administration
10. Scope
• Operating infrastructure (and related processes) at the data center of the customer or the supplier
• Processing of a proprietary application by the servicer (application services provider)
• Development or maintenance of applications
• Managing the network
• Managing the information security infrastructure and supporting processes
• A combination of any of these and other business and technology processes
11. KEY COMPONENTS
• Planning and scoping the audit
• Achievement of business requirements
• Governance
• Functionality and controls of provided services
• Compliance with contract
• Relationship management
• Fulfillment of assurance charter and compliance requirements
13. Audit Planning
• Having decided an audit is required, the following questions must be answered:
– What type of audit is to be undertaken?
– What particular information is required, and by when?
– To what depth and scope does the audit need to be done?
– On what dates should the audit be done?
– Who should perform the audit?
• An Audit Charter with clear scope and methodology is very critical.
• The audit process should also involve tracking the previous audit's non-conformities.
• Sometimes the control description and scope are not shared with the auditee.
• The audit scope carries the risk of being either too limited or too aggressive.
14. Key Considerations in Audit Planning
• Type of assurance depends on:
– Compliance requirements of the customer
– The audit rights mentioned in the contract
– Who can decide the scope and methodology / who has the bargaining power
– Type of service provided by the supplier
– Criticality of the business/IT area outsourced and the associated risk assessment
– Existing ISMS process/certifications of suppliers and their gap with the Customer's requirements
– To what depth the audit needs to be done
• Other considerations:
– Synchronizing the audit schedule and audit time period between suppliers and Customer
– Cost of assessment
– Mapping between the Supplier's and the Customer's controls
• Assurance types that sit between Supplier and Customer: ISO27001, SSAE16/ISAE3402, AUP
15. Overcoming Resistance to Audit
• Auditors
– Use the audit as an improvement tool
– Explain the process to auditees
– Touch base with the auditee
– Recognize their accomplishments
– Address the concerns and questions of auditees
– Do not conduct manipulative or tricky audits
• Agree with department representatives on the findings and corrective action.
• Note: the auditee's performance appraisal may have a goal of “ZERO DEFECT” in the audit.
17. ACHIEVEMENT OF BUSINESS REQUIREMENTS
• Review business expectations
• Review risk assessment
• Review the exceptions / step-outs / retained IT components and their control assessment
Sample list to consider in a new project setup:
– The functional and technical requirements are identified and complete enough
– Risk to the existing support levels identified (in case the applications are planned to be transitioned to XXX)
– Input solicited from end-user representatives
– Existing support costs and desired targets identified (if a sustaining opportunity)
– Other sites and application systems considered to maximize cost savings
– Technical issues discussed and resolved
– Software and hardware purchasing/licensing requirements identified
– Performance expectations regarding service levels and deliverables identified
– Proposal reviewed by affected parties to ensure it addresses expectations
– Proper template has been used to prepare the SOW
– Acceptance criteria are clearly stated
18. Supplier Risk Management
Sample risks are as follows:
• Intellectual property ownership
• Service levels not being met
• Deliverables not adhering to quality norms
• Under/over utilization of resources
• Sustaining engagement scope creep
• Inadequate transition of knowledge to new staff
• Deliverables not tracked and approved in a timely manner
• Inaccurate billing, and cost and effort overruns
• Inadequate transition of knowledge and inability to transfer ownership
• Right resources not available on time
• Risk of locking into proprietary Supplier platforms/processes
• Key resources rolling off in the middle of the project
Supporting elements: Supplier Relationship Management, Supplier Performance Management, Contract, Supplier Engagement Guide.
Proper process in case of project termination:
– Recovery of all assets (hardware/software)
– Termination of access
– Knowledge transfer
– Deliverables and process documents
– Notification of all affected parties
– Contract and accounting/invoice activities
20. Compliance with contract
Whether the Contract includes
• Evaluation of supplier performance
• Rights to audit, information security requirements
• Payment schedule
• Issue monitoring
• Intellectual property ownership
• SLA, penalties and non-performance
• Clear scope and responsibilities
• Termination and transfer of services
• Legal Liabilities and Regulatory Compliance
22. RELATIONSHIP MANAGEMENT
• Role of relationship managers
• Adequacy of delivery metrics
• Delivery performance review
• New project initiation and management
• Issue management and escalation
• Billing and payment process
• Relationship review
23. Critical Success Factors
S No / Description / Remarks:
1) Cultural awareness: With cross-cultural awareness, the teams can understand the expectations well.
2) Communication: Communication is the key for any successful engagement. Clarity and understanding play the key role. Ensure that the other side understood what is being communicated. Consider the styles of communication as well as accent issues.
3) Common understanding and sign-off on requirements (in-scope and out-of-scope): SOW sign-off at the beginning of the respective project to eliminate any uncertainties.
4) Mutual trust: In the estimates, resources, management styles and cultural aspects.
5) Process adherence and following the procedures: Follow the Engagement Guide for all the engagements under scope.
6) Resolution of issues in time: Efforts to resolve the issues and understanding of any practical difficulties in closure on both sides.
7) Early planning for resources: Planning for people, tools, licenses, logistics and timeframes.
8) Right governance: Reviews and feedback as per the laid-down procedures and practices at each of the checkpoints, and any necessary corrective actions.
9) Right usage of tools: Metrics tool, etc., for proper tracking of the progress and the deviations.
25. Functionality and controls of provided services
• Services operating as promised
• Responsibility for controls and processes
• Review of Supplier-suggested controls
• Gap assessment where full reliance is placed on the supplier
• Understand the difference between a process narrative, an SLA and a control.
Do not combine multiple controls that differ in control objective, type, characteristic or frequency into one. Consider the cost of implementation and the audit point of view while documenting controls.
26. Fulfillment of assurance charter and compliance requirements
Operational responsibility might have been transferred to the Supplier, but legal and regulatory responsibility will still be with the Customer.
27. Fulfillment of assurance charter and compliance requirements
• Audit rights per contract
• Third-party reviews
• IT General Controls review
– Operating system
– Network
– Database
– Application support and maintenance
– Access control and physical security
– Information security
• Regulatory compliance
• Assurance to the Customer's compliance requirements
• Assurance requirement at control objective level vs control level
• Mapping between different assurance types (SOC 1 / AUP / ISO27001)
28. Audit points in Third Party reviews
• Scope mismatch:
– Application or infrastructure in use by the Customer
– Time period
– Location, people, process or service utilized by the Customer
• Process gaps: for example, a production application hosted on a Dev server will not be under the Supplier's audit scope, since the Supplier will audit only the production server
• Review subservice providers' reports, if any
• Review any significant changes in the supplier organization after the supplier audit and before the customer's year-end review
• Control owner and operator shared between Customer and Supplier
• Mapping of controls between Customer and Supplier
• Unclear understanding of the responsibilities of Customer and Supplier, e.g. encryption of archives or disposal of backup tapes containing personal sensitive data
• Conflicting clauses to different customers
30. Governance
• Policies and procedures
• Steering Committee oversight
• Engagement Guide
• Compliance requirements should be included from the pre-bid stage itself, and should be part of regular status reviews.