Auditing Outsourced IT Operations
Karen Helderman
October 9, 2008

Outline
• Background of Virginia’s outsourced IT operations
• Pre-outsourcing IT audit role
• Post-outsourcing IT audit role
• Transition process
• Things to consider
Auditor of Public Accounts
Background
• Virginia outsourced its IT infrastructure and operations in July 2006.
• Northrop Grumman (NG) owns and operates all IT hardware and the main and backup data centers.
• Agencies own and operate the applications running on NG infrastructure.
• Operations are viewed similarly to any other “utility.”

Background
• Virginia pays NG $236 million annually under a 10-year agreement.
• At the end of 10 years Virginia can renew, hire another vendor, or bring ownership and operations back in house.
• Virginia can exit the agreement early, with or without cause, but there are penalties, due primarily to NG’s investment.

Background
• Years 1-3 have involved:
  • refreshing old, outdated equipment,
  • constructing new data centers and moving equipment to the centers,
  • designing a more homogeneous environment.
• Years 4-10 will involve:
  • centralized operations and streamlined processing; continuous refresh.
Pre-Outsourcing Audit Role
• APA was responsible for all audit aspects, including IT audit.
• Focused our IT audit resources on general control reviews using the following priority:
  • CAFR material activities
  • material federal programs
  • agency-based financial statement audits, such as colleges and universities

Pre-Outsourcing Audit Role
• APA determined IT audit scope and timing.
• Central systems, such as the statewide payroll system, were audited in a SAS 70 approach.
• Systems infrastructure was not homogeneous and required individualized audit approaches for each entity.

Downside to Pre-Outsourcing Audit Activities
• Limited resources resulted in an inability to move beyond the minimum required audit procedures.
• The trend was to audit IT controls without evaluating the adequacy of the agency risk model, business impact analysis, etc., upon which the controls should be based.
• Heavy reliance on financial audit staff to audit application controls.
Post-Outsourcing Audit Role
• APA relies on a SAS 70 audit report of the NG infrastructure produced by Deloitte and Touche. But getting here was not simple.

Contract Language: SAS 70 Type II
• On a Commonwealth fiscal year basis (7/1 – 6/30) (“Fiscal Year”), Vendor and all Key Subcontractors shall require its Auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations (“SAS 70”), of the Services and issue a report thereon (a “Type II Report”) for the applicable Fiscal Year. Vendor shall submit the proposed control objectives to VITA for approval prior to conducting the audit. Vendor and all Key Subcontractors shall deliver the Type II Report within two (2) months after conducting the SAS 70 assessment for a Fiscal Year (but in no event later than November 1 following the Fiscal Year end for which the audit was conducted) and Vendor shall prepare and implement a corrective action plan to correct any deficiencies or resolve any problems identified in such report.
SAS 70 Considerations
• Understanding NG’s role and the division of responsibility.
  • Early DT presentations included auditing application controls, but NG did not control the applications.

SAS 70 Considerations
• What about financial-related audits issued under performance audit standards?
  • We needed audit rights or audit coverage over smaller entities that have sensitive or critical systems. The agreement provided for our audit rights and also for random security audits to be performed by DT.

SAS 70 Considerations
• Understanding the current Commonwealth environment – not homogeneous.
  • DT assumed the same control procedure would be in place at each location NG managed. NG was using the old agency controls, which varied at each location. The SAS 70 report would be large and would require an entity-by-entity approach rather than a random sample across Virginia.
SAS 70 Considerations
• Defining SAS 70 objectives and scope.
  • The NG agreement contained several areas of work where it appeared no control objectives were planned. We required DT to crosswalk control objectives to the work areas, resulting in the addition of some control objectives.
  • Scope, scope, scope… where to audit and why was a big discussion item due to agency interconnectivity!
SAS 70 Control Objectives
• #1 – Controls provide reasonable assurance that production processing activities are documented and executed in accordance with approved schedules to normal completion.
• #2 – Controls provide reasonable assurance that only authorized production programs are executed.
• #3 – Controls provide reasonable assurance that data is retained in accordance with the Commonwealth IT Security Standards 2001-01.1.
• #4 – Controls provide reasonable assurance that systems are available and that operational problems are identified and resolved in accordance with documented policies or service level agreements.
• #5 – Controls should provide reasonable assurance that physical access to the production environment, stored data, and documentation is restricted to prevent unauthorized destruction, modification, disclosure, or use.
• #6 – Controls provide reasonable assurance that logical access to the production environment, data files, and sensitive system transactions is restricted to authorized users only.
• #7 – Controls provide reasonable assurance that the production environment is protected against environmental hazards and related damage.
• #8 – Controls provide reasonable assurance that regularly scheduled processes that are required to maintain continuity of operations in the event of a catastrophic loss of data or facilities, or to minimize the impact of threats to data, facilities or equipment, are performed as scheduled.
• #9 – Controls provide reasonable assurance that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures.
• #10 – Controls provide reasonable assurance that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures.
• #11 – Controls provide reasonable assurance that modifications to the production environment are tested prior to implementation and function consistent with documented policies and procedures.
Post-Outsourcing Audit Role
• APA decides whether to perform additional infrastructure audit work. The authority still exists.
• APA IT audit specialists spend more time reviewing agency policies and procedures and how effectively the agency communicates its requirements to NG.

Post-Outsourcing Audit Role
• APA IT audit specialists assist financial auditors in application control reviews.
• More time is available for statewide-focused IT audit projects.

Post-Outsourcing Audit Role
• APA has a heavy role in auditing and reporting on NG’s compliance with the contract and on VITA’s effectiveness as the contract manager.
Things to Consider
• The contract must include audit provisions.
• Need a cooperative working environment and mutual understanding between financial and SAS 70 auditors.
• Auditors need a voice in the SAS 70 objectives.
• Need to establish a SAS 70 reporting deadline that corresponds well to other audit deadlines.

Things to Consider
• Require regular status reports before final report issuance.
• Redefine the IT auditor role.
• Perform audits of contract compliance.
Questions?
Karen Helderman
Karen.helderman@apa.virginia.gov
(804) 225-3350 extension 331