1 / 32

Auditing Outsourced IT Operations

Auditing Outsourced IT Operations. Karen Helderman October 9, 2008. Outline. Background of Virginia’s outsourced IT operations Pre-outsourcing IT audit role Post-outsourcing IT audit role Transition process Things to consider. Background.

Download Presentation

Auditing Outsourced IT Operations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Auditing Outsourced IT Operations Karen Helderman October 9, 2008

  2. Outline • Background of Virginia’s outsourced IT operations • Pre-outsourcing IT audit role • Post-outsourcing IT audit role • Transition process • Things to consider Auditor of Public Accounts

  3. Background • Virginia outsourced its IT infrastructure and operations in July 2006. • Northrop Grumman (NG) owns and operates all IT hardware and the main and backup data centers. • Agencies own and operate the applications running on NG infrastructure. • Operations are viewed similar to any other “utility” Auditor of Public Accounts

  4. Background • Virginia pays NG $236 million annually under 10 year agreement. • At end of 10 years Virginia can renew, hire another vendor, or bring ownership and operations back in house. • Virginia can exit agreement early, both with or without cause, but there are penalties due primarily to NG’s investment. Auditor of Public Accounts

  5. Background • Year 1-3 have involved: • refreshing old outdated equipment, • constructing new data centers and moving equipment to the centers, • designing a more homogeneous environment • Year 4-10 will involve: • centralized operations and streamlined processing; continuous refresh. Auditor of Public Accounts

  6. Pre-Outsourcing Audit Role • APA responsible for all audit aspects, including IT audit. • Focused our IT audit resources on general control reviews using the following priority: • CAFR material activities • material federal programs • agency-based financial statement audits, such as colleges and universities Auditor of Public Accounts

  7. Pre-Outsourcing Audit Role • APA determined IT audit scope and timing. • Central systems, such as statewide payroll system, audited in a SAS 70 approach. • Systems infrastructure was not homogeneous and required individualized audit approaches for each entity. Auditor of Public Accounts

  8. Downside to Pre-Outsourcing Audit Activities • Limited resources resulted in inability to move beyond the minimum required audit procedures. • Trend was to audit IT controls without evaluating adequacy of agency risk model, business impact analysis, etc upon which control should be based. • Heavy reliance on financial audit staff to audit application controls. Auditor of Public Accounts

  9. Post-Outsourcing Audit Role • APA relies on a SAS 70 audit report of NG infrastructure produced by Deloitte and Touche. But getting here was not simple. Auditor of Public Accounts

  10. Contract Language SAS 70 Type II • On a Commonwealth fiscal year basis (7/1 – 6/30) (“Fiscal Year”), Vendor and all Key Subcontractors shall require its Auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations (“SAS 70”), of the Services and issue a report thereon (a “Type II Report”) for the applicable Fiscal Year. Vendor shall submit the proposed control objectives to VITA for approval prior to conducting the audit. Vendor and all Key Subcontractors shall deliver the Type II Report within two (2) months after conducting the SAS 70 assessment for a Fiscal Year (but in no event later than November 1 following the Fiscal Year end for which the audit was conducted) and Vendor shall prepare and implement a corrective action plan to correct any deficiencies or resolve any problems identified in such report. Auditor of Public Accounts

  11. SAS 70 Considerations • Understanding NG’s role and division of responsibility. • Early DT presentations included auditing application controls, but NG did not control the applications. Auditor of Public Accounts

  12. SAS 70 Considerations • What about financial-related audits issued under performance audit standards. • We needed audit rights or audit coverage over smaller entities that have sensitive or critical systems. Agreement provided for our audit rights and also random security audits to be performed by DT. Auditor of Public Accounts

  13. SAS 70 Considerations • Understanding current Commonwealth environment – not homogeneous. • DT thought the same control procedure would be in place at each location NG managed. NG was using old agency controls and they would vary at each location. SAS 70 report would be large and would require entity by entity approach rather than random sample across Virginia. Auditor of Public Accounts

  14. SAS 70 Considerations Auditor of Public Accounts

  15. SAS 70 Considerations • Defining SAS 70 objectives and scope. • The NG agreement contained several areas of work where it appeared no control objectives were planned. We required DT to crosswalk control objectives to the work areas, resulting in the addition of some control objectives. • Scope, scope, scope….where to audit and why was a big discussion item due to agency interconnectivity! Auditor of Public Accounts

  16. SAS 70 Control Objectives • #1 - Controls provide reasonable assurance that production processing activities are documented and executed in accordance with approved schedules to normal completion. Auditor of Public Accounts

  17. SAS 70 Control Objectives • # 2 – Controls provide reasonable assurance that only authorized production programs are executed. Auditor of Public Accounts

  18. SAS 70 Control Objectives • # 3 – Controls provide reasonable assurance that data is retained in accordance with the Commonwealth IT Security Standards 2001-01.1. Auditor of Public Accounts

  19. SAS 70 Control Objectives • # 4 – Controls provide reasonable assurance that systems are available and that operational problems are identified and resolved in accordance with documented policies or service level agreements. Auditor of Public Accounts

  20. SAS 70 Control Objectives • # 5 – Controls should provide reasonable assurance that physical access to the production environment, stored data, and documentation is restricted to prevent unauthorized destruction, modification, disclosure, or use. Auditor of Public Accounts

  21. SAS 70 Control Objectives • # 6 – Controls provide reasonable assurance that logical access to the production environment, data files, and sensitive system transactions, is restricted to authorized users only. Auditor of Public Accounts

  22. SAS 70 Control Objectives • # 7 – Controls provide reasonable assurance that the production environment is protected against environmental hazards and related damage. Auditor of Public Accounts

  23. SAS 70 Control Objectives • # 8 – Controls provide reasonable assurance that regularly scheduled processes that are required to maintain continuity of operations in the event of a catastrophic loss of data, facilities, or to minimize the impact of threats to data, facilities or equipment, are performed as scheduled. Auditor of Public Accounts

  24. SAS 70 Control Objectives • # 9 – Controls provide reasonable assurance that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures. Auditor of Public Accounts

  25. SAS 70 Control Objectives • # 10 – Controls provide reasonable assurance that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures. Auditor of Public Accounts

  26. SAS 70 Control Objectives • # 11 – Controls provide reasonable assurance that modifications to the production environment are tested prior to implementation and function consistent with documented policies and procedures. Auditor of Public Accounts

  27. Post-Outsourcing Audit Role • APA decides whether to perform additional infrastructure audit work. Authority still exists. • APA IT audit specialists spend more time reviewing agency policies and procedures and how effectively the agency communicates their requirements to NG. Auditor of Public Accounts

  28. Post-Outsourcing Audit Role • APA IT audit specialists assist financial auditors in application control reviews. • More time available for statewide focused IT audit projects. Auditor of Public Accounts

  29. Post-Outsourcing Audit Role • APA has heavy role in auditing and reporting on NG’s compliance with the contract and VITA’s effectiveness as the contract manager. Auditor of Public Accounts

  30. Things to Consider • Contract must include audit provisions. • Need cooperative working environment and mutual understanding between financial and SAS 70 auditors. • Auditor’s need voice in SAS 70 objectives. • Need to establish SAS 70 reporting deadline that corresponds well to other audit deadlines. Auditor of Public Accounts

  31. Things to Consider • Require regular status reports before final report issuance. • Re-define IT auditor role. • Perform audits of contract compliance. Auditor of Public Accounts

  32. Questions?? Karen Helderman Karen.helderman@apa.virginia.gov (804) 225-3350 extension 331 Auditor of Public Accounts

More Related