The Auditor's Role In A Data Center Outsourcing Contract
By: Mitchell H. Levine, CISA
Audit Serve, Inc.
As part of the corporate trend of downsizing, most companies have considered the benefits and ramifications of outsourcing all or part of their IS organizations. An auditor's involvement is required during the early phases of the project. At a minimum, the auditor should be involved during the development of the RFP (Request for Proposal) which is sent to all prospective outsourcing firms. The auditor's involvement at this stage of the project will ensure that the outsourcing firm's (i.e., system integrator's) proposal addresses all of the required areas, which will also be used to draft the contract.
Based on my personal experience, which included the representation of a financial institution in the outsourcing of its data center and the conversion of its legacy applications, the most important rule is to document every part of the deal in the contract. The areas within a data center outsourcing contract which an auditor should review include:
Processing Functions Performed
Each data center processing area must be documented in a manner which specifically describes how each processing function will be performed. This information will impact other areas described below, as well as the procedure manual provided by the outsourcing firm.
Processing Functions Roles and Responsibilities
The level of control granted to an outsourcing firm varies. Unless total control is granted to the outsourcing firm, the roles and responsibilities of all parties must be clearly defined. When determining the amount of control that will be granted to the outsourcing firm, an analysis of the risks associated with each level of control granted within an organization must be performed.
One of the most critical issues of outsourcing a data center is to determine how security will be administered. Will the outsourcing firm be entirely responsible for granting and approving access to the outsourcing firm's own personnel and an organization's users, or will your organization maintain a level of control by either pre-approving access granted or performing a post-verification review? The same decision must also be made for other critical control functions, each of which requires its own monitoring process to ensure control compliance. Will the outsourcing firm be responsible for ensuring its own compliance, or will your organization establish its own compliance area to perform this function?
Service Level Agreements
Based on the services provided by the outsourcing firm, key deliverables and processing components must be defined in a service level agreement. In addition, specific fines and bonuses should be clearly defined based upon whether service levels are met. The procedures as to how the service levels will be measured must be documented and analyzed to ensure their accuracy.
The standards as to the type and level of controls required are unique to each organization. Therefore, when outsourcing an environment, it cannot be expected that the outsourcing firm will have the same interpretation of these required controls.
Since cost savings are one of the reasons for which outsourcing is considered in the first place, outsourcing firms use tools which automate certain tasks to achieve them; invariably, however, they also achieve savings by using less staff, which eliminates the job functions that support control functions.
The required control processes must therefore be documented, along with the audit trails used, to provide a mechanism for determining compliance.
Right to Perform An Audit
To ensure that all of the above areas are incorporated into the outsourcing firm's processing environment to support an organization's business, an independent review must be performed by the internal and/or external auditors. The right to perform an audit must be documented in the contract, along with penalties, to ensure that audit findings are resolved.
Copyright 2006, Audit Serve, Inc. All rights reserved. Reproduction, which includes links from other Web sites, is prohibited except by permission in writing.
For a free proposal to perform an audit of your organization or provide SOX support & testing services, contact Mitchell Levine of Audit Serve at (203) 972-3567 or via e-mail at Levinemh@auditserve.com