
GTAG — IT Outsourcing Life Cycle: Risk and Control Considerations





Stage B: Decision-making Process – Business Case

  Objectives:
    Build a reliable business case.

  Key Activities:
    - Conduct detailed business risk and benefit analysis.
    - Factor in execution risks and failure impact.
    - Select best option and detail cost/benefits.
    - Identify relationship between strategy and governance.

  Manager Roles* [2]:
    Process owner,* executive sponsor,* finance, legal, IT, human resources, and other experts.

  Risks:
    - Optimal supplier not selected.
    - Loss of assets, ROI, or reputational damage as quality of services may be diminished.
    - Negative regulatory impact.

  Auditor Involvement [3]:
    - Assess whether information in detailed analysis is reliable and consider all business risks and implementation risk.
    - Determine whether governance and approval is transparent and reliable.
    - Determine whether the right parties and experts are assigned. Assess whether major stakeholders are kept informed.

Stage C: Tender Process and Contracting

  Objectives:
    Select a provider and design a contract that promotes success.

  Key Activities:
    - Detail requirements, scope, and requests for proposals.
    - Select provider and perform due diligence.
    - Negotiate contract.
    - Develop exit plan.

  Manager Roles*:
    Process owner,* procurement,* project team, executive sponsor, legal, and finance.

  Risks:
    - Deal is not optimized or organization is not protected from gaps in delivery of quality, availability, and integrity/privacy needs.
    - Loss of assets, ROI, and reputational damage.
    - Impact on regulatory needs.

  Auditor Involvement:
    - Determine whether there is an appropriate approval and procurement process.
    - Review contract and control assurance needs from provider (e.g., need for SSAE 16 or other available Statement on Audit Standards (SAS) 70-type assurance reports from provider) and assess whether the organization has drafted its right to audit clause effectively.
    - Determine whether the project team has appropriate skills. Ask whether risk management, legal, HR, and finance are involved as needed.
    - Perform due diligence reviews, or assess management’s review of the provider.


            *Primary responsibility and typical owner of stage.

