Presentation is loading. Please wait.

Presentation is loading. Please wait.

Auditing Outsourced IT Operations Karen Helderman October 9, 2008.

Similar presentations

Presentation on theme: "Auditing Outsourced IT Operations Karen Helderman October 9, 2008."— Presentation transcript:

1 Auditing Outsourced IT Operations Karen Helderman October 9, 2008

2 Outline Background of Virginias outsourced IT operations Pre-outsourcing IT audit role Post-outsourcing IT audit role Transition process Things to consider Auditor of Public Accounts2

3 Background Virginia outsourced its IT infrastructure and operations in July 2006. Northrop Grumman (NG) owns and operates all IT hardware and the main and backup data centers. Agencies own and operate the applications running on NG infrastructure. Operations are viewed similar to any other utility Auditor of Public Accounts3

4 Background Virginia pays NG $236 million annually under 10 year agreement. At end of 10 years Virginia can renew, hire another vendor, or bring ownership and operations back in house. Virginia can exit agreement early, both with or without cause, but there are penalties due primarily to NGs investment. Auditor of Public Accounts4

5 Background Year 1-3 have involved: –refreshing old outdated equipment, –constructing new data centers and moving equipment to the centers, –designing a more homogeneous environment Year 4-10 will involve: –centralized operations and streamlined processing; continuous refresh. Auditor of Public Accounts5

6 Pre-Outsourcing Audit Role APA responsible for all audit aspects, including IT audit. Focused our IT audit resources on general control reviews using the following priority: –CAFR material activities –material federal programs –agency-based financial statement audits, such as colleges and universities Auditor of Public Accounts6

7 Pre-Outsourcing Audit Role APA determined IT audit scope and timing. Central systems, such as statewide payroll system, audited in a SAS 70 approach. Systems infrastructure was not homogeneous and required individualized audit approaches for each entity. Auditor of Public Accounts7

8 Downside to Pre-Outsourcing Audit Activities Limited resources resulted in inability to move beyond the minimum required audit procedures. Trend was to audit IT controls without evaluating adequacy of agency risk model, business impact analysis, etc upon which control should be based. Heavy reliance on financial audit staff to audit application controls. Auditor of Public Accounts8

9 Post-Outsourcing Audit Role APA relies on a SAS 70 audit report of NG infrastructure produced by Deloitte and Touche. But getting here was not simple. Auditor of Public Accounts9

10 Contract Language SAS 70 Type II On a Commonwealth fiscal year basis (7/1 – 6/30) (Fiscal Year), Vendor and all Key Subcontractors shall require its Auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations (SAS 70), of the Services and issue a report thereon (a Type II Report) for the applicable Fiscal Year. Vendor shall submit the proposed control objectives to VITA for approval prior to conducting the audit. Vendor and all Key Subcontractors shall deliver the Type II Report within two (2) months after conducting the SAS 70 assessment for a Fiscal Year (but in no event later than November 1 following the Fiscal Year end for which the audit was conducted) and Vendor shall prepare and implement a corrective action plan to correct any deficiencies or resolve any problems identified in such report. Auditor of Public Accounts10

11 SAS 70 Considerations Understanding NGs role and division of responsibility. –Early DT presentations included auditing application controls, but NG did not control the applications. Auditor of Public Accounts11

12 SAS 70 Considerations What about financial-related audits issued under performance audit standards. –We needed audit rights or audit coverage over smaller entities that have sensitive or critical systems. Agreement provided for our audit rights and also random security audits to be performed by DT. Auditor of Public Accounts12

13 SAS 70 Considerations Understanding current Commonwealth environment – not homogeneous. –DT thought the same control procedure would be in place at each location NG managed. NG was using old agency controls and they would vary at each location. SAS 70 report would be large and would require entity by entity approach rather than random sample across Virginia. Auditor of Public Accounts13

14 SAS 70 Considerations Auditor of Public Accounts14

15 SAS 70 Considerations Defining SAS 70 objectives and scope. –The NG agreement contained several areas of work where it appeared no control objectives were planned. We required DT to crosswalk control objectives to the work areas, resulting in the addition of some control objectives. –Scope, scope, scope….where to audit and why was a big discussion item due to agency interconnectivity! Auditor of Public Accounts15

16 SAS 70 Control Objectives #1 - Controls provide reasonable assurance that production processing activities are documented and executed in accordance with approved schedules to normal completion. Auditor of Public Accounts16

17 SAS 70 Control Objectives # 2 – Controls provide reasonable assurance that only authorized production programs are executed. Auditor of Public Accounts17

18 SAS 70 Control Objectives # 3 – Controls provide reasonable assurance that data is retained in accordance with the Commonwealth IT Security Standards 2001-01.1. Auditor of Public Accounts18

19 SAS 70 Control Objectives # 4 – Controls provide reasonable assurance that systems are available and that operational problems are identified and resolved in accordance with documented policies or service level agreements. Auditor of Public Accounts19

20 SAS 70 Control Objectives # 5 – Controls should provide reasonable assurance that physical access to the production environment, stored data, and documentation is restricted to prevent unauthorized destruction, modification, disclosure, or use. Auditor of Public Accounts20

21 SAS 70 Control Objectives # 6 – Controls provide reasonable assurance that logical access to the production environment, data files, and sensitive system transactions, is restricted to authorized users only. Auditor of Public Accounts21

22 SAS 70 Control Objectives # 7 – Controls provide reasonable assurance that the production environment is protected against environmental hazards and related damage. Auditor of Public Accounts22

23 SAS 70 Control Objectives # 8 – Controls provide reasonable assurance that regularly scheduled processes that are required to maintain continuity of operations in the event of a catastrophic loss of data, facilities, or to minimize the impact of threats to data, facilities or equipment, are performed as scheduled. Auditor of Public Accounts23

24 SAS 70 Control Objectives # 9 – Controls provide reasonable assurance that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures. Auditor of Public Accounts24

25 SAS 70 Control Objectives # 10 – Controls provide reasonable assurance that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures. Auditor of Public Accounts25

26 SAS 70 Control Objectives # 11 – Controls provide reasonable assurance that modifications to the production environment are tested prior to implementation and function consistent with documented policies and procedures. Auditor of Public Accounts26

27 Post-Outsourcing Audit Role APA decides whether to perform additional infrastructure audit work. Authority still exists. APA IT audit specialists spend more time reviewing agency policies and procedures and how effectively the agency communicates their requirements to NG. Auditor of Public Accounts27

28 Post-Outsourcing Audit Role APA IT audit specialists assist financial auditors in application control reviews. More time available for statewide focused IT audit projects. Auditor of Public Accounts28

29 Post-Outsourcing Audit Role APA has heavy role in auditing and reporting on NGs compliance with the contract and VITAs effectiveness as the contract manager. Auditor of Public Accounts29

30 Things to Consider Contract must include audit provisions. Need cooperative working environment and mutual understanding between financial and SAS 70 auditors. Auditors need voice in SAS 70 objectives. Need to establish SAS 70 reporting deadline that corresponds well to other audit deadlines. Auditor of Public Accounts30

31 Things to Consider Require regular status reports before final report issuance. Re-define IT auditor role. Perform audits of contract compliance. Auditor of Public Accounts31

32 Questions?? Karen Helderman (804) 225-3350 extension 331 Auditor of Public Accounts32

Download ppt "Auditing Outsourced IT Operations Karen Helderman October 9, 2008."

Similar presentations

Ads by Google