
GTAG — IT Outsourcing Life Cycle: Risk and Control Considerations




•  Manage expectations regarding deviations and non-delivery, on either side, to contain the cost of unplanned disruption to operations.
•  Standardize processes before transition. This may take substantial effort and investment.
•  Perform a post-implementation analysis and work relevant issues into the monitoring and reporting phase (or issues to be considered upon renegotiation). Attain assurance that the transition was executed in accordance with the agreement and business case.

Internal audit considerations:
•  Perform a pre-implementation review to ensure the project is following standard disciplines.
•  Review contingency plans if transition is not affected appropriately.
•  Determine whether risks and actions are identified, mitigated, and escalated to stakeholders appropriately and promptly during the implementation process.
•  Ascertain whether “go”/“no go” decisions are governed properly and based on reliable information.
•  Assess whether management has performed the appropriate testing before supporting the “go live” decision.
•  Determine whether appropriate stakeholders are involved and informed.
•  Determine whether reliable information for decision-making is available to the project management and senior management.

Monitoring & Reporting

After transition, monitor operations to ensure they are delivering business requirements as defined by business requirements, key performance indicators (KPIs), and SLAs. This phase ensures that operations and monitoring of performance are optimized and reinforces improvements in the process and the outsourced relationship:
•  Establish and evolve key performance measures. It is better that these are considered and designed as part of the contract phase and SLAs; however, all may not be anticipated. Ideally, metrics should ensure delivery of requisite service and indicate general compliance or non-compliance.
•  Receive other sources of ongoing assurance that operations are controlled and maintain integrity (e.g., SSAE 16, ISAE 3402, quality assurance or compliance reports on operations, or reports from independent or internal audits). Consider building in ongoing or periodic evaluations of contract compliance.
•  Monitor the nature, cause, and response by providers to performance and contractual issues. Ensure that this knowledge is shared and leads to improved delivery or more demanding renegotiations. Manage the current and future relationships with improved knowledge.
•  Look for innovation from the service provider to give visibility into risk and improve business enablement.

Internal audit considerations:
•  Understand how provider performance and compliance with the contract will be assessed and reviewed routinely by management.
•  Evaluate the reliability of metrics that are designed and used to manage risk regarding IT operations, changes, and security.
•  Assess how concerns and areas for improvement will be communicated and leveraged to improve current and future operations/contracts.
•  Ensure the outsourcing activity is part of the audit universe and risk-assessed routinely.
•  Determine how internal audit is alerted to changes in relationships in the future.
•  Assess performance against KPIs established during the planning phase.

Renegotiation

As the contracted term nears completion, understand the actual benefits and problems, changes in the market and benchmarks, and costs of taking back the process or going to another supplier as part of renegotiations. Ensure that problem and incident reporting is leveraged effectively.
•  Compare steady state operations to the original business case and validate lessons learned.
•  Benchmark with other service providers.
•  Explore market alternatives and current benefits versus bringing the process back in-house.
•  Perform a new risk, cost, and benefit analysis/assessment.
•  Pursue more effective terms. To maintain leverage, the organization should have alternatives and understand its options (see also Reversibility in the next section).

Internal audit considerations:
•  Understand the strategies and information needed to ensure optimal future negotiations.
•  Understand reversibility and monitoring or performance results.
•  Ensure that experts and process owners are driving renegotiation improvements.
•  Ensure that relevant dates for audit involvement are considered in the annual risk assessment process.
