The Auditor's Role In A Data Center Outsourcing Contract
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
As part of the corporate trend of downsizing, most
companies have considered the benefits and ramifications of outsourcing
all or part of their IS organizations. An auditor's involvement is required
during the early phases of the project. At a minimum, the auditor should
be involved during the development of the RFP (Request for Proposal) which
is sent to all prospective outsourcing firms. The auditor's involvement at
this stage of the project will ensure that the outsourcing firm's (i.e.,
system integrator) proposal addresses all of the required areas, which
will also be used to draft the contract.
Based on my personal experience, which included the representation of a
financial institution in the outsourcing of its data center and the
conversion of its legacy applications, the most important rule is to
document every part of the deal in the contract. The areas within a data
center outsourcing contract which an auditor should review include:
Processing Functions Performed
Each data center processing area must be documented in a manner which
specifically describes how each processing function will be performed.
This information will impact other areas described below, as well as the
procedure manual provided by the outsourcing firm.
Processing Functions Roles and Responsibilities
The level of control granted to an outsourcing firm varies. Unless total
control is granted to the outsourcing firm, the roles and responsibilities
of all parties must be clearly defined. When determining the amount of
control that will be granted to the outsourcing firm, an analysis of the
risks associated with each level of control granted within an organization
must be performed.
One of the most critical issues of outsourcing a data center is to
determine how security will be administered. Will the outsourcing firm be
entirely responsible for granting and approving access to the outsourcing
firm's own personnel and an organization's users or will your organization
maintain a level of control by either pre-approving access granted or
performing a post-verification review? The same decision must also be made
for other critical control functions, each of which requires its own monitoring
process to ensure control compliance. Will the outsourcing firm be
responsible for ensuring their own compliance or will your organization
establish its own compliance area to perform this function?
Service Level Agreements
Based on the services provided by the outsourcing firm, key deliverables
and processing components must be defined in a service level agreement. In
addition, specific fines and bonuses should be clearly defined based upon
whether service levels are met. The procedures as to how the service
levels will be measured must be documented and analyzed to ensure their
accuracy.
Control Processes
The standards as to the type and level of controls required are unique to
each organization. Therefore, when outsourcing an environment, it cannot
be expected that the outsourcing firm will have the same interpretation of
these required controls.
Cost savings are one of the reasons outsourcing is considered in the
first place. To achieve these savings, outsourcing firms have tools which
automate certain tasks, but invariably they achieve savings by using
less staff, which eliminates job functions that support control
functions.
The required control processes must be documented, along with audit
trails used, to provide a mechanism for determining compliance.
Right to Perform An Audit
To ensure that all of the above areas are incorporated into the
outsourcing firm's processing environment to support an organization's
business, an independent review must be performed by the internal and/or
external auditors. The right to perform an audit must be documented in the
contract, along with penalties, to ensure that audit findings are
resolved.
Copyright 2006, Audit Serve, Inc. All rights reserved.
Reproduction, which includes links from other Web sites, is prohibited except by
permission in writing.
This article appeared in a past issue of the Audit Vision
E-Mail Newsletter.