Page 527 - ITGC_Audit Guides
GTAG — IT Outsourcing Delivery: Risk and Control Considerations
important for the user entity to evaluate whether it has contracted the right service provider, and for the provider to measure whether it is best positioned to meet customer expectations.

2. operating system: An operating system (OS) is software that runs on computers, manages computer hardware resources, and provides common services for executing various application software programs. The OS acts as an intermediary between application programs and the computer hardware. Additionally, the OS provides:

– System tools (programs) used to monitor computer performance, debug problems, or maintain parts of the system.
– A set of libraries or functions that programs may use to perform specific tasks, especially those relating to interfacing with computer system components.

Operating systems are often an avenue of attack, especially when critical patches or updates are missing. As a result, performance and availability issues could begin to surface, or the system could suffer unauthorized access and disclosure of sensitive or proprietary data.

3. network: Beyond the Internet and intranet and the basic need for connectivity, the network is constantly adjusting to new business models and service offerings such as business-to-customer (B2C) and business-to-business (B2B) transaction processing, business-to-government (B2G) transactions, e-learning, collaborative customer service, and real-time, rich media-based teleconferencing. Increasing numbers of employees are working from home, from the road, or in virtual spaces where they are connected constantly. The pressure to provide reliable, secure, cost-effective communications is unprecedented and will continue to grow. The Web, which sits outside corporate firewalls, is emerging as a virtual operating system and is becoming the preferred platform for more and more organizations.

4. database: Data lies at the heart of all business models. "Operational data," especially if it exists in different forms, often should be translated into a form in which it can be used by many people in the organization. Safeguarding substantial amounts of sensitive and confidential data, personal information, intellectual property, and trade secrets from malicious attacks and accidental loss is one of the biggest challenges for IT management. Strategically, the trend has been to place more value on unstructured data and less emphasis on traditional hierarchical file systems, which were never designed to operate at today's scale.

5. application: Application architectures consist of integrated and interoperable back-office, front-office, virtual-office, desktop, laptop, personal digital assistant, and other thin-client applications that support the current and to-be business strategy. Applications should be standardized to support activities, processes, employees, customers, suppliers, and partners regardless of where they sit physically or how mobile they are. Most large and mid-sized organizations have large enterprise applications such as ERP and customer relationship management (CRM) systems. There also are proprietary applications and Internet or Web-facing applications that interface with customers, suppliers, and partners. Finally, there are applications that help organizations manage their applications and the computing and communications infrastructure (e.g., network and systems management applications).

6. metrics & reporting: The SLA is one of the primary metrics used to measure performance, and it can provide management with the evidence to support the evaluation of the customer/supplier relationship. An OLA supports the SLA and provides specific process goals to achieve the SLA. Organizations in IT outsourcing relationships should have an ongoing monitoring process to ensure the service provider's performance is aligned with the outsourcing contract. KPIs and key risk indicators (KRIs) should be established to help the client and the service provider meet their business objectives.

7. program/project management: In achieving its particular purpose, a project will have a discrete beginning and end, undertaken within defined constraints of scope, quality, and cost. Projects will vary in size and scope and could include building new infrastructure, new product development, and the implementation of new business processes or business transformations. In the evaluation of such projects at various stages, it is necessary to understand the key risks and to develop a set of key criteria.

Key ITO Service Delivery Risk Areas

This section outlines the common ITO risks related to the IT service delivery architecture. Fundamental to outsourcing is accepting that although service delivery (operational responsibility) is transferred to the service provider, the user entity retains responsibility for the management of, and adherence to, policies, procedures, and regulatory requirements. This is ITO risk. To manage this risk, the user entity should have an effective outsourcing oversight program with a framework for management to identify, measure, monitor, and control the process area risks associated with outsourcing. The risk associated