Page 541 - ITGC_Audit Guides
GTAG – Appendix B
IT OUTSOURCING DELIVERY AUDIT PROGRAM
Control Audit Step | Full Scope | Design Audit | Walk-through
• Incident management (IM) operators have access to CMDB information. X
• Incidents are managed to clear performance indicators: time to own (TTO) and time to fix (TTF). X
• Metrics are reviewed by management and corrective actions are taken when needed. X X
• IM operators have been trained. X
• Incidents are categorized and prioritized in a way to support the business. X
Problem Management
Audit objective: Determine whether the organization has a process to manage problems. X
Risks: Root causes of problems are not identified and incidents continue to cause business disruptions. X
• Problems are identified and classified. X
• Problems are investigated and diagnosed, with the root cause documented. X
• Problems are corrected and status/updates are communicated to management. X
Data Center Operations
Audit objective: Determine whether the data centers impacting service have adequate infrastructure to prevent outages or service interruptions (typically Tier III as defined by the Uptime Institute). X X
Risks: Provider is unable to provide or maintain service delivery. X X
• Physical and logical security is in place and managed appropriately. X X
• Temperature and humidity levels are monitored. X
• Power/universal power supply and grounding are installed to prevent single points of failure, outages, or service interruptions. X
• Smoke detection and fire prevention measures are installed and tested periodically. X
Program/Project Management
Audit objective: Determine whether the organization follows a standard methodology to manage projects. X
Risks: Project does not meet business objectives; project overruns schedule and budget. X
Design and development — Determine whether the following criteria have been met: X
• A clear and robust business case for the project exists. X
• There are realistic and comprehensive assessments of costs and benefits. X
• All key stakeholders are involved at an early stage. X
• Thorough consideration of security and integrity controls exists. X
Project management — Determine whether there is: X
• Proactive leadership and real-time reporting. X
• Involvement of all key stakeholders. X
• Issue identification and escalation. X
• Realistic time scales and clear targets. X
• Rigorous testing and piloting before going live. X
Implementation — Determine whether there is: X
• Management of changes and training. X
• Regular and reliable tracking of benefits. X
• Ongoing customer satisfaction assessments. X