Page 516 - ITGC_Audit Guides
P. 516

GTAG —  Types of IT Outsourcing




            1 – Types of IT Outsourcing                         the user entity. The user requirements or work statement
                                                                should be defined clearly from the beginning of the formal
            IT outsourcing has changed from traditional outsourced   stages of the development phase. Consider involving
            services, such as application development and IT help   internal auditors, as recommended in GTAG 12 Auditing
            desk activities, to high-end services, such as product   IT Projects:
            development, specialized research & development (R&D),   •  To provide ongoing advice throughout strategic
            and distributed computer support. Organizations continue   projects.
            to outsource IT services as new technologies emerge.    •  To identify key risks or issues early.

            Outsourcing is sometimes confused with off-shoring. The   In most cases, the SDLC process ends with the successful
            difference between outsourcing and off-shoring is:
                                                                completion of the client’s user acceptance testing, although
                                                                the service provider may be responsible only until the unit
            outsourcing: Contracting the operation of specific business   testing’s completion. The system, integration, and user-
            functions or knowledge-related work with an external   testing phases are essential elements that ensure the system
            service provider.                                   satisfies the client’s requirements. Testing can be conducted
            off-shoring: Relocating activities that were previously   by the client team or jointly by the client and service
            managed in the domestic country.
                                                                provider. In either case, any problems or issues noted in the
                                                                testing phase are referred back to the service provider for
            The scope of this guide relates to IT outsourcing, no   correction.
            matter whether they are located domestically or in foreign
            locations. However, risk considerations should be given to   Ongoing maintenance of existing applications and
            domestic versus foreign providers in the business case to   application upgrades should respond to software
            outsource. This guide does not apply to internal off-shoring   development recommendations by the business process
            activities, although many considerations may be similar.
                                                                users and stakeholders. Recommendations may be minor
                                                                changes, such as the creation of new fields or reports, or
            The most common outsourced IT services include:
                                                                major changes, such as the creation of a new module.
              •  Application development and maintenance.
              •  Infrastructure management.                     Infrastructure Management
              •  Help desk.                                     Services to manage and maintain the IT infrastructure
              •  Independent testing and validation.            can be classified as infrastructure management. These
              •  Data center management.                        services include network management, maintaining
              •  Systems integration.                           overall infrastructure performance and availability, disaster
              •  R&D.                                           recovery strategies and capabilities, troubleshooting errors,
              •  Managed security.                              maintaining databases, and backing up and restoring
                                                                services. More recent and value-added services under this
              •  Cloud computing.                               category are the monitoring of IT infrastructure activities
                                                                and capacity management, performing of downtime
            Service providers and user entities may use different names   analyses, and reporting of critical system failures and their
            for the types of outsourced services. User entities also may   implications.
            outsource one or more of these services to multiple service
            providers.
                                                                Help Desk
            Application Development & Maintenance               Any maintenance service, such as troubleshooting
                                                                problems, production support, and infrastructure
            When development and specific functionalities or    management, can be categorized as a help desk service.
            modules within a software application are outsourced,   Under this arrangement, the service provider’s personnel
            the user entity should give priority to third-party software   support the client through various IT problems either on
            development firms with technical skill and experiential   site (i.e., at the client’s premises) or off site (i.e., from the
            knowledge to address client specifications. Coding should   service provider’s premises). Turn-around time (TAT) (i.e.,
            follow a rigorous software development life cycle (SDLC)   responses and resolutions) is then defined for each level of
            methodology established as part of the service provider’s   service.
            standard quality process. In certain arrangements, SDLC
            steps may be specified, monitored, and managed directly by


                                                              4
   511   512   513   514   515   516   517   518   519   520   521