Page 540 - ITGC_Audit Guides
GTAG – Appendix B
IT Outsourcing Delivery Audit Program
| Control / Audit Step | Full Scope Audit | Design Walk-through |
|---|---|---|
| Change Management | | |
| Audit objective: Determine whether changes are carried out in a planned and authorized manner. | X | X |
| Risks: Unauthorized or unplanned changes result in system performance or functionality issues. | X | X |
| • Testing is performed to validate the functionality of the change before it is moved to the production environment. | X | |
| o Changes are approved and documented before moving to a production environment. | X | X |
| o Adequate segregation of duties is in place to prevent unauthorized program changes to the production environment. | X | |
| • The program libraries — both application libraries and database schemas (as applicable) — are reviewed to ensure changes are appropriate. | X | |
| Capacity Management | | |
| Audit objective: Determine whether system capacity is monitored and managed to keep pace with business demands. | X | |
| Risks: System capacity does not meet business demands. | X | |
| • A process exists to ensure the monitoring of capacities and planning for future capacities. | X | |
| • The planning is done with participation by the business and well in advance of actual demand. | X | |
| • Capacity plans are reviewed periodically. | X | |
| • Capacity is monitored and results are maintained and reviewed for trending. | X | |
| Service Continuity | | |
| Audit objective: Assess whether the organization has an effective business continuity plan and disaster recovery plan. | X | X |
| Risks: Business-critical operations are unable to continue after a disaster or business interruption. | X | X |
| • There is a documented business continuity plan. | X | X |
| • There is a documented disaster recovery plan. | X | X |
| • The plans have been reviewed and approved, and are reviewed periodically. | X | X |
| • The plans are tested/rehearsed regularly (at least annually). | X | X |
| • The plans have realistic recovery objectives and recovery time frames. | X | |
| • The plans are developed to support the recovery of critical business functions. | X | |
| Service Level Agreement (SLA) Management | | |
| Audit objective: Assess whether the contract includes an SLA and whether the organization monitors and reports on SLA metrics. | X | X |
| Risks: Customer satisfaction is negatively impacted; penalties could be assessed; the contract may not be renewed or may be cancelled. | X | X |
| • All service level targets are clear and unambiguous. | X | |
| • All service level targets are agreed to and approved by the user entity and the service provider. | X | |
| • All service level targets are measurable. | X | |
| • All targets within operational level agreements or underpinning contracts are aligned with the SLA. | X | |
| • The metrics are system-generated and tamperproof. | X | |
| • The SLA reports are submitted to management (and the customer) for review. | X | X |
| • There is a process to handle customer complaints. | X | |
| Incident Management | | |
| Audit objective: Determine whether the organization has a process to handle incidents. | X | X |
| Risks: Business interruptions and performance issues. | X | X |
| • A process and tool exist to handle incidents. | X | X |
| • Incident management data is centralized and accessible. | X | |