GTAG – IT Outsourcing Delivery: Risk and Control Considerations
The project review should build controls around the following success factors:
1. User involvement – Business and IT users are involved with decision-making and information-gathering processes.
2. Executive support – Key executives provide alignment with business strategy and financial and conflict resolution support.
3. Clear business objectives – Stakeholders understand the core value of the project and how it aligns with business strategy.
4. Agile optimization – Using iterative development and optimization processes to avoid unnecessary features and ensure critical features are included.
5. Project management expertise – Using project managers who understand the basic skills and practices, such as a certified Project Management Professional from the Project Management Institute.
6. Financial management – The ability to manage financial resources, assess risk, and demonstrate the value of the project.
7. Skilled resources – Acquire, manage, and control skilled project personnel to move forward in the face of turnover and other personnel hurdles.
8. Formal methodology – The predefined set of process-based techniques that provide a road map for when, how, and what events should occur in what order.
9. Tools and infrastructure – Building and managing the project infrastructure with tools that enable management of tasks, resources, requirements, changes, risks, vendors, and quality management.

Table 4: Project Control Considerations by Stage (example)

Project Stage: Design and Development
Control Considerations:
• A clear and robust business case.
• Realistic and comprehensive assessments of costs and benefits.
• Involvement of all key stakeholders at an early stage.
• Thorough consideration of security and integrity controls.

Project Stage: Project Management
Control Considerations:
• Proactive leadership and real-time reporting.
• Involvement of all key stakeholders.
• Issue identification and escalation.
• Realistic time scales and clear targets.

Project Stage: Implementation
Control Considerations:
• Rigorous testing and piloting before going live.
• Management of change and training.
• Regular and reliable tracking of benefits.
• Ongoing customer satisfaction assessments.

ITO Service Delivery Assurance Methods

This section outlines the various methods management should use to gain assurance over the risks related to ITO. Managing ITO risk is something that should be done by the service provider and the user entity and will be much more successful when there is a strong relationship between the two. Service providers that do not value the need to obtain and give assurance through auditing and monitoring would be at a distinct competitive disadvantage to providers that understand the customer’s need for assurance.

The Internal Auditor’s Role in Service Delivery

An organization is unlikely to meet its objectives without effective service delivery mechanisms. Internal auditors have a unique insight and are well-placed to assess the policies, procedures, and operations in place to monitor the achievement of the organization’s objectives and to identify and manage the risks to them.

The internal auditor may:

• Provide assurance by reviewing management’s systems for identifying and effectively managing the risks to service delivery.
• Provide assurance by frequently carrying out comprehensive reviews of the management of service delivery.
• Provide assurance by reviewing performance reporting systems and the systems used to track and manage the attainment of targets.