GTAG — IT Outsourcing Life Cycle: Risk and Control Considerations
• Consider management-of-change requirements. How does one create an environment inside an organization to enable an outsourcing environment (e.g., change of policies, operational procedures, and infrastructure support)?

Internal audit considerations:
• Assess whether information in the detailed analysis is reliable and considers all business risks and implementation risk.
• Ascertain whether governance and approval processes are transparent, documented, and completed.
• Determine whether appropriate parties and experts are included in the evaluation process.
• Determine whether other major stakeholders are kept informed.
• Assess management’s contingency plans if the outsourcing initiative fails at various stages.
• Evaluate whether estimates of failure and the probable impacts/costs are considered in the business case or when comparing options among providers.
• Evaluate sensitivity of costs/benefits to assumptions.
• Identify key performance measures and data sources.

Tender Process and Contracting
Conduct request for proposals, vendor selection, and structure a deal in line with the business case:
• Develop a detailed scope of work so providers can make informed bids and highlight other relevant matters.
• Evaluate bids based on relevant criteria as generally used in business cases or on specific considerations needed.
• Detail any new risks arising or any significant deviations from the approved business case.
• Select the provider based on the criteria and the bids/proposals submitted.
• Staff an experienced team to perform an operational due diligence review and ensure key performance indicators — service level agreements (SLAs) and operational level agreements (OLAs) — are addressed in the contract.
• Assess potential losses, breakdowns, and non-performance results. Determine tolerance thresholds and what will happen (recourse) when deviations occur.
• Obtain sign-off by the sponsor and inform key stakeholders, highlighting any deviations or new risks. Include legal compliance reviews and necessary legal steps to finalize a binding agreement (including exit strategies and plans if the agreement is terminated or not renewed).

Internal audit considerations:
• Evaluate the bid evaluation process, timing, criteria, completeness, and approval transparency.
• Review management’s control assurance requirements, such as a service auditor’s report (e.g., Statement on Standards for Attestation Engagements (SSAE) No. 16: Reporting on Controls at a Service Organization, issued by the American Institute of Certified Public Accountants (AICPA), or International Standard on Assurance Engagements (ISAE) 3402, issued by the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC)) or ongoing evaluations; ensure that the organization’s right-to-audit clause is drafted effectively.
• Assess the project team’s experience and capability as well as whether it is resourced appropriately to meet the need.
• Evaluate whether risk management, legal, human resources (HR), and finance functions are involved as needed.
• Perform due diligence reviews or assess management’s review of provider operations.
• Consider ongoing or periodic evaluations conducted by other assurance providers for gaining comfort on performance capability and control effectiveness. Review SLAs and OLAs to ensure that performance measures are defined and reliable. This should be done initially by management; however, internal audit can assess reliability with a focus on risk/control performance expectations and compliance with key provider standards or those specifically demanded by the customer or applicable regulations.

Implementation/Transition
Develop a transition plan, secure necessary funding, and formalize program/project management sponsorship, support, and other resources:
• Formalize plans and set governance expectations for any outsourcing of a significant process or operation. Consider incorporating a schedule on governance in the contract, budget for it in the business case, and schedule/build contract compliance audits.
• Determine fundamental timing, funding, deliverable dates, testing, and ongoing monitoring.
• Address human resource issues and cultural adjustments as critical success factors before, during, and after transitions.
• Obtain service provider resource accreditation. How does one ensure operationally and contractually that service provider resources are qualified to perform the job?
8