Page 531 - ITGC_Audit Guides

GTAG – IT Outsourcing Delivery: Risk and Control Considerations




the portfolio of DC services and standard operational areas, which include:

  •  Managed mainframe services.
  •  Backup and storage services.
  •  Web hosting services.
  •  Server management services.
  •  Cloud services.
  •  DC modernization services.
  •  Physical security.
  •  Facility environmental controls.
  •  Security compliance monitoring.
  •  Asset management.

GAIT assists in the identification and assessment of inherent IT risk, which should be mapped to business risk — IT risk is a subset of business risk. The information-processing objectives relate to business-processing control activities referenced in The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework. By deliberately aligning GAIT control activities to information-processing objectives, the CAE can drive an integrated, optimized approach for assessing IT delivery risk.

Project Management Risks

Failed or challenged projects can have a significant impact on an organization, depending on the business need behind the project. Examples of possible impacts include:

  •  Disruption of service to customers.
  •  Loss of competitive advantage.
  •  Fines from failed regulatory compliance.
  •  Loss of revenue.
  •  Negative impact on reputation.
  •  Delays in deploying critical strategic initiatives, products, or processes.
  •  Loss of expected ROI.
  •  Facility closure or damage.

Ultimately, management is accountable for ensuring that the project and benefit outcomes are achieved, even though the service provider may be penalized for failures within the project. A review of project-related risks can contribute to the success of the project. The sooner a project is reviewed the better; reviews performed during the early phases of the project can be the most valuable because they can identify issues that can be fixed relatively inexpensively compared to issues found later in the project or post-implementation.

Key ITO Service Delivery Control Categories

The broad areas of IT service delivery are diverse and vary from organization to organization. These areas span service capabilities (e.g., midrange server environment and utility/cloud) and service delivery functions (e.g., DC operations and ITO support). Organizing controls into manageable categories will enable management to determine an assurance method and obtain a comprehensive view of risk.

As noted, GAIT does not identify specific key controls. It identifies the IT general control (ITGC) processes and related IT control objectives for which key controls need to be identified and should be leveraged during the risk assessment process. Other tools, such as the Control Objectives for Information and Related Technology (COBIT) or the Information Technology Infrastructure Library (ITIL), can be used to identify and then assess specific IT key controls.

ITIL, developed by the UK Office of Government Commerce, is one of the most widely accepted reference frameworks for IT service management, providing a cohesive set of best practices drawn from the public and private sectors. Many organizations have already modeled their service delivery on this framework. A service delivery audit based on the ITIL approach can provide IT management with valuable inputs based on a well-thought-out global standard for improving IT service management and delivery.

Components of IT Service Management

Understanding the operational architectural environment related to IT service delivery is critical to the user entity and the service provider. Quality of service and the relationship between the user entity and the service provider should be the primary focus of any review.

Configuration and Change Management

Within configuration management, components of infrastructure and services are referred to as configuration items (CIs), which are maintained in a database referred to as the configuration management database (CMDB). This is more than just an asset register; it contains information that relates to the maintenance, movement, and problems experienced with the configuration items, along with any relationships between CIs and their associated supporting data elements (e.g., people and organizations). A CMDB can be a single physical database or comprise multiple physical databases.
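The following is an added illustration of what makes a CMDB more than an asset register, written for this page; it is not part of the GTAG and does not reflect any particular CMDB product. The CI identifiers, owners, change references and problem records are constructed and hypothetical. It models CIs with their owners, change history, open problems and CI-to-CI relationships, and then uses the relationships for two things an auditor reviewing configuration and change management would expect the CMDB to support: a change-impact assessment (which CIs and owners are affected if one CI is changed) and a consistency check for dangling relationships and unowned CIs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ConfigurationItem:
    """One CI record: identity plus the supporting data a bare asset register lacks."""
    ci_id: str
    ci_type: str                      # e.g. "storage", "server", "database", "service"
    owner: str                        # supporting data element: accountable person or organization
    depends_on: Set[str] = field(default_factory=set)       # relationships to other CIs
    change_log: List[str] = field(default_factory=list)     # maintenance and movement history
    open_problems: List[str] = field(default_factory=list)  # problems experienced with the CI


class CMDB:
    """Minimal configuration management database built on CI records and their relationships."""

    def __init__(self) -> None:
        self.items: Dict[str, ConfigurationItem] = {}

    def add(self, ci: ConfigurationItem) -> None:
        self.items[ci.ci_id] = ci

    def record_change(self, ci_id: str, change_ref: str, note: str) -> None:
        """Append a change/movement entry; a change against an unknown CI raises KeyError."""
        self.items[ci_id].change_log.append(f"{change_ref}: {note}")

    def dependents(self, ci_id: str) -> Set[str]:
        """All CIs that directly or transitively depend on ci_id (reverse dependency closure)."""
        found: Set[str] = set()
        frontier = [ci_id]
        while frontier:
            current = frontier.pop()
            for ci in self.items.values():
                if current in ci.depends_on and ci.ci_id not in found:
                    found.add(ci.ci_id)
                    frontier.append(ci.ci_id)
        return found

    def change_impact(self, ci_id: str) -> List[dict]:
        """Impact assessment for a proposed change: affected CIs, their owners, and open problems."""
        rows = [
            {"ci_id": d, "owner": self.items[d].owner,
             "open_problems": len(self.items[d].open_problems)}
            for d in self.dependents(ci_id)
        ]
        return sorted(rows, key=lambda r: r["ci_id"])

    def integrity_findings(self) -> List[str]:
        """Audit-style consistency checks: dangling relationships and CIs with no accountable owner."""
        findings: List[str] = []
        for ci in self.items.values():
            for dep in sorted(ci.depends_on):
                if dep not in self.items:
                    findings.append(f"{ci.ci_id} depends on unknown CI {dep}")
            if not ci.owner:
                findings.append(f"{ci.ci_id} has no owner")
        return findings


def build_sample_cmdb() -> CMDB:
    """Constructed sample data (hypothetical CI identifiers, not from any real environment)."""
    db = CMDB()
    db.add(ConfigurationItem("SAN-01", "storage", "Storage Team"))
    db.add(ConfigurationItem("DB-01", "database", "DBA Team", depends_on={"SAN-01"}))
    db.add(ConfigurationItem("APP-01", "application", "Payroll IT", depends_on={"DB-01"},
                             open_problems=["PRB-0042 intermittent timeouts"]))
    db.add(ConfigurationItem("SVC-PAYROLL", "service", "HR Operations", depends_on={"APP-01"}))
    # Deliberately defective record: no owner, and a relationship to a CI that is not in the CMDB.
    db.add(ConfigurationItem("APP-02", "application", "", depends_on={"HOST-99"}))
    db.record_change("SAN-01", "CHG-1001", "firmware upgrade, moved to rack B4")
    return db


if __name__ == "__main__":
    cmdb = build_sample_cmdb()
    for row in cmdb.change_impact("SAN-01"):
        print(row)
    for finding in cmdb.integrity_findings():
        print("FINDING:", finding)
```

Run as a script, the impact report for a change to SAN-01 lists DB-01, APP-01 and the payroll service with their owners, and flags that APP-01 already has an open problem; the integrity check reports the dangling relationship and the unowned CI. Those two outputs are the questions a reviewer asks of a CMDB that an asset register alone cannot answer.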




