Page 528 - ITGC_Audit Guides
P. 528

GTAG — IT Outsourcing Delivery: Risk and Control Considerations




            with an outsourced IT service is subject to the process   U.S. Graham-Leach-Bliley Act (GLBA), U.S.
            outsourced, the relationship with service provider, and the   Health Insurance Portability and Accountability
            technology used by the service provider.                 Act (HIPAA), International Financial Reporting
                                                                     Standards (IFRS), King III Report on Governance,
            Failure by the service provider to implement appropriate   and the U.S. Sarbanes-Oxley (SOX) Act of 2002, and
            controls, assurance, and ongoing monitoring related to the   Payment Card Industry (PCI).
            outsourced service may result in:                     •  Poor disaster recovery and business continuity
              •  Poor service quality with an unacceptable number of   capabilities.
                 failures and errors.                             •  User entity expenditure and effort to find an
              •  Service disruption and failure to meet the          alternative service provider or to bring the outsourced
                 organization’s client obligations.                  service back in house.
              •  Privacy and confidentiality issues.
              •  Slow response, reduced system availability,    ITO risks can be identified and prioritized from the user
                 questionable integrity of information, and     entity’s and the service provider’s perspective and grouped
                 compromised security and confidentiality.      into three categories:
              •  Service provider technology and system architecture   •  Mixed ITO risks (specific to both the client and
                 issues related to scalability, capacity, and        supplier).
                 performance.                                     •  Client-specific ITO risks.
              •  Inability to maintain appropriate internal       •  Supplier-specific ITO risks.
                 operational and IT controls and meet regulatory
                 and industry requirements such as the European   Areas of shared interest should rank high in an ITO audit
                 Union Data Protection Directive (EU DPD), the   risk assessment.



            Table 2: ITO Risk Influence Matrix (example)


                  Risk Category                                       ITO Risks


             Mixed                 Conflict between the parties due to violation of contractual terms.


             Client-specific       Provider’s lack of compliance with the contract.

             Client-specific       Unexpected increase in outsourcing costs.

             Client-specific       Loss of data privacy.


             Supplier-specific     Inadequate staffing.





            Service Delivery Governance Risks                   a single capability is managed through a silo, usually by
            (methodology, model, contract)                      location, in which different teams use different processes
                                                                and tools. In contrast, the new model focuses on fewer
            When assessing risk in the outsourcing environment, the   accountable leaders by capability, is globally integrated,
            user entity should consider the ITO governance model   is automated, and drives consistent processes across the
            used by the service provider. In the old model (still used),   service capabilities.








                                                             16
   523   524   525   526   527   528   529   530   531   532   533