Page 532 - ITGC_Audit Guides

GTAG – IT Outsourcing Delivery: Risk and Control Considerations




A well-maintained CMDB should be able to:
• Provide accurate CI data (including dependencies and relationships) to other ITIL and operational processes in a central logical database.
• Account for all CIs and their controlled attributes.
• Verify that data supports an organization's IT, financial, legal, and security obligations.
• Validate actual CI data stored in the CMDB against the authorized (via change management) and discovered (via inventory/discovery tools) states through verification, compliance, and audit checks.

Change management is the practice of ensuring that all changes to configuration items are carried out in a planned and authorized manner. This includes ensuring that there is a business or technology reason behind each change, identifying the specific configuration items and IT services affected by the change, obtaining proper authorizations for the change from the appropriate business and technical experts, planning the change, testing the change, and having a back-out plan should the change result in an unexpected state of the configuration item. A change is any modification to the managed IT environment, including the addition, removal, or replacement of any component (CI) or service in that environment.

Capacity Management and Service Continuity
As the business grows, demands on IT systems increase, and the capacity of networks, storage, computing, and support should keep pace with the increasing demands. An ITO audit should validate that a process exists to ensure that the monitoring of capacities and planning for future capacities are done with the participation of the business well in advance, and that plans are reviewed periodically. Good capacity management ensures that the quality of service is maintained at all times.

Continuity management ensures critical business operations can continue in the event of a service interruption or disaster. The details of the continuity plan are documented in business continuity and disaster recovery plans and should ensure that the scope of the continuity plan contains clear and realistic recovery objectives and recovery time frames, is designed and developed to support recovery of critical business functions, and is reviewed, updated, and rehearsed regularly.

SLA Management
The SLA is the backbone of the service contract and should be clearly measurable. All statistics relating to SLAs should be system-generated and tamper-proof. The ITO audit should verify whether SLA reports are submitted to the appropriate levels of management and meaningful reviews are conducted. SLA management also includes the documentation, handling, monitoring, and management of customer complaints, compliments, and feedback.

Additionally, the following practices should be evaluated in the ITO audit. All service level targets should be:
• Clear and unambiguous.
• Agreed upon and approved by the client and the service provider.
• Measurable.
All targets within OLAs or underpinning contracts (UCs) should be aligned with the SLA.

Incident and Problem Management
Incident management processes should record the impacts of all incidents in clearly quantifiable terms, including the number of users affected, staff hours lost, complexity, impact on business revenues, and impact on regulatory compliance. An audit should examine all incident reports and check whether they were resolved satisfactorily, root cause analysis was performed, and preventive actions were taken to avoid recurrence of the problem.

The critical success factors for the incident management process are:
• Centralized incident management data.
• Access to CMDB information.
• Performance indicators.
• Clear case ownership.
• Management of case dispatches.
• Standard incident categorization.
• Access to SLAs.

The problem management process should contain the following procedures:
• Problem identification and classification.
• Problem investigation and diagnosis.
• Error assessment.
• Problem/error closure.
• Status/update communications.

Program/Project Management
A project review as part of an ITO audit should focus on five key areas (see GTAG 12: Auditing IT Projects):
• Business and IT alignment.
• Project management.
• IT solution readiness.
• Change management.
• Post-implementation.
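The CMDB validation described above (comparing recorded CI data against the authorized state from change management and the discovered state from inventory tools) can be carried out as a three-way reconciliation. The following is an added example, not code from the GTAG or from any CMDB product; the record shapes, the `Change` convention (attribute name, or `"ci"` for adding/removing a whole CI) and the sample data are constructed for illustration. Each discrepancy is classified as either an authorized change the CMDB has not caught up with (a data-quality finding) or a difference with no approved change behind it (a control finding for the audit to follow up).

```python
"""Three-way reconciliation of CMDB records, authorized changes and discovered state.

Added illustration for the CMDB validation control; not the GTAG's own code.
In practice the three inputs would be exported from the CMDB, the change
management tool and the discovery/inventory tool; here they are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

Attrs = Dict[str, str]


@dataclass(frozen=True)
class Change:
    """An approved change record (hypothetical shape, not a real tool's schema)."""
    ci: str
    attribute: str   # attribute name, or "ci" when the whole CI is added/removed
    new_value: str   # approved value; "added"/"removed" when attribute == "ci"


@dataclass(frozen=True)
class Finding:
    category: str
    ci: str
    attribute: Optional[str]
    cmdb_value: Optional[str]
    discovered_value: Optional[str]


# Constructed sample: what the CMDB records for each CI.
CMDB: Dict[str, Attrs] = {
    "srv-app-01": {"os": "RHEL 8.8", "owner": "app-team"},
    "srv-db-01":  {"os": "RHEL 8.8", "owner": "dba-team"},
    "srv-old-07": {"os": "RHEL 7.9", "owner": "app-team"},
    "srv-web-02": {"os": "RHEL 8.8", "owner": "web-team"},
}

# Constructed sample: what the discovery tool actually observed.
DISCOVERED: Dict[str, Attrs] = {
    "srv-app-01": {"os": "RHEL 8.8", "owner": "app-team"},   # matches CMDB
    "srv-db-01":  {"os": "RHEL 9.2", "owner": "dba-team"},   # OS upgraded
    "srv-web-02": {"os": "RHEL 8.8", "owner": "sec-team"},   # owner changed
    "srv-new-03": {"os": "RHEL 9.2", "owner": "unknown"},    # unknown to CMDB
}

# Constructed sample: approved change records.
AUTHORIZED: Set[Change] = {
    Change("srv-db-01", "os", "RHEL 9.2"),   # approved OS upgrade
    Change("srv-old-07", "ci", "removed"),   # approved decommission
}


def reconcile(cmdb: Dict[str, Attrs], discovered: Dict[str, Attrs],
              authorized: Iterable[Change]) -> List[Finding]:
    """Return every discrepancy, classified by whether an approved change covers it."""
    approved = set(authorized)
    findings: List[Finding] = []

    # 1. CIs that discovery sees but the CMDB does not know about.
    for ci in discovered.keys() - cmdb.keys():
        cat = "cmdb_stale_add" if Change(ci, "ci", "added") in approved else "unauthorized_ci"
        findings.append(Finding(cat, ci, None, None, "present"))

    # 2. CIs the CMDB records that discovery no longer finds.
    for ci in cmdb.keys() - discovered.keys():
        cat = "cmdb_stale_remove" if Change(ci, "ci", "removed") in approved else "missing_ci"
        findings.append(Finding(cat, ci, None, "present", None))

    # 3. Attribute drift on CIs present in both sources.
    for ci in cmdb.keys() & discovered.keys():
        for attr in sorted(cmdb[ci].keys() | discovered[ci].keys()):
            recorded, actual = cmdb[ci].get(attr), discovered[ci].get(attr)
            if recorded == actual:
                continue
            cat = ("cmdb_stale_attr" if Change(ci, attr, actual) in approved
                   else "unauthorized_change")
            findings.append(Finding(cat, ci, attr, recorded, actual))

    return sorted(findings, key=lambda f: (f.category, f.ci, f.attribute or ""))


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category for the audit working papers."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    for f in reconcile(CMDB, DISCOVERED, AUTHORIZED):
        print(f"{f.category:20} {f.ci:12} {f.attribute or '-':6} "
              f"cmdb={f.cmdb_value!r} discovered={f.discovered_value!r}")
    print(summarize(reconcile(CMDB, DISCOVERED, AUTHORIZED)))
```

The `unauthorized_*` and `missing_ci` categories are the ones an auditor follows up as possible change-control failures; the `cmdb_stale_*` categories show the control worked but the CMDB update step did not, which is a data-quality finding rather than a control failure.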
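For the SLA requirements above (measurable targets, and statistics that are system-generated and tamper-proof), the added example below computes per-priority attainment from ticket records against numeric resolution targets and then seals the generated report with an HMAC so that any later edit is detectable by whoever holds the key. This is an illustration written for this page, not the GTAG's code; the ticket shape, the target hours and the demo key are constructed, and HMAC is one possible mechanism rather than anything the GTAG prescribes.

```python
"""Measurable SLA statistics with a tamper-evident seal on the generated report.

Added illustration; not from the GTAG. Tickets, targets and the key are
constructed. In practice the key would live in a key store that only the
reporting system can read, so neither party can re-seal an edited report.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    priority: str
    opened: datetime
    resolved: datetime


# Measurable targets (constructed): maximum hours to resolution per priority.
TARGET_HOURS: Dict[str, float] = {"P1": 4, "P2": 24, "P3": 72}

# Constructed sample tickets for one reporting period.
TICKETS: List[Ticket] = [
    Ticket("INC-1001", "P1", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 12, 30)),  # 3.5 h, met
    Ticket("INC-1002", "P1", datetime(2024, 3, 2, 22, 0), datetime(2024, 3, 3, 5, 0)),   # 7 h, breached
    Ticket("INC-1003", "P2", datetime(2024, 3, 3, 8, 0), datetime(2024, 3, 4, 7, 0)),    # 23 h, met
    Ticket("INC-1004", "P3", datetime(2024, 3, 5, 8, 0), datetime(2024, 3, 9, 8, 0)),    # 96 h, breached
    Ticket("INC-1005", "P3", datetime(2024, 3, 6, 8, 0), datetime(2024, 3, 7, 8, 0)),    # 24 h, met
]

# Demo key only (constructed); a real deployment would fetch it from a key store.
REPORT_KEY = b"constructed-demo-key-do-not-reuse"


def sla_statistics(tickets: List[Ticket], targets: Dict[str, float]) -> Dict[str, dict]:
    """Per-priority attainment: met/total, percentage and the breached ticket ids."""
    stats: Dict[str, dict] = {}
    for t in tickets:
        hours = (t.resolved - t.opened).total_seconds() / 3600
        entry = stats.setdefault(t.priority, {"met": 0, "total": 0, "breached": []})
        entry["total"] += 1
        if hours <= targets[t.priority]:
            entry["met"] += 1
        else:
            entry["breached"].append(t.ticket_id)
    for entry in stats.values():
        entry["attainment_pct"] = round(100 * entry["met"] / entry["total"], 1)
    return stats


def sign_report(stats: Dict[str, dict], key: bytes) -> Dict[str, str]:
    """Serialize canonically and attach an HMAC-SHA256 tag over the body."""
    body = json.dumps(stats, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()
    return {"body": body, "hmac": tag}


def verify_report(report: Dict[str, str], key: bytes) -> bool:
    """True only if the body is byte-for-byte what was sealed with this key."""
    expected = hmac.new(key, report["body"].encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report["hmac"])


if __name__ == "__main__":
    report = sign_report(sla_statistics(TICKETS, TARGET_HOURS), REPORT_KEY)
    print(report["body"])
    print("intact:", verify_report(report, REPORT_KEY))
    edited = {"body": report["body"].replace('"met":1', '"met":2'), "hmac": report["hmac"]}
    print("after edit:", verify_report(edited, REPORT_KEY))
```

Canonical serialization (sorted keys, fixed separators) matters: the same statistics must always produce the same bytes, otherwise a legitimate re-export would fail verification. The seal makes edits detectable; keeping the key out of reach of both the provider's and the client's report editors is what makes it meaningful.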


                                                             20