

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2004

IT Governance and Outsourcing

By Hugh Parkes, CISA, FCA

IT governance is a subset of corporate governance. It refers to how well an organisation governs or controls those of its activities that involve the use of information technology. In both business and government organisations, there are now few key activities that do not involve the use of IT as either an enabler or an intrinsic part of the capacity to allow the activity to take place. It should be stressed that IT governance refers to how the entire activity using IT is controlled—not just the IT department or the physical manifestations of IT, but the business knowledge and information that the activity requires for its successful operation.

Outsourcing, in its most common form, involves the contracting out of one or more of an organisation’s activities to an enterprise outside the corporate or government bounds. Activities of many types can be outsourced. The form of contracts or agreements that set the parameters under which the outsourced activity will be carried out can also vary considerably. Properly constituted organisations have the capacity to enter into contracts with one another, and many legal endeavours go into working out the terms of the contract, as well as assessing how its terms are complied with during the duration of the contract. However, the leaders of the organisations entering into an outsourcing agreement need to ask if their experience in reality delivers the objectives they have set for themselves in making the strategic decision to outsource or to provide the service now outsourced.

IT Governance Perspectives for Organisations Outsourcing Activities

The perspective of executives or directors toward the need for effective IT governance depends on how important the activity or resource provision outsourced is in the context of achieving the organisation’s strategies. If what is outsourced is a replaceable commodity or service, then problems can be overcome by going to an alternative supplier with low transfer risks. However, if what is outsourced is vital for the organisation’s ability to operate, then IT governance considerations and the frequency of reporting on service delivery and effectiveness of associated performance become of high importance. Figure 1 sets out types of activities that can be outsourced, the risks associated with outsourcing such activities and what IT governance issues should be considered.

Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Figure 1—Outsourcing Activities, Risks and Considerations

(Columns: Outsourced Activities; Risks From Outsourcing and Possible Consequences; IT Governance Considerations for Executives and Boards)

1. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)

Risks From Outsourcing and Possible Consequences:
Very high risk—Depending on how critical the information stored with the outsourcer is
• Consequences of loss or unauthorised access via penetration or poor security
• Immediate impact, meaning this instant
• Exposure to a wide spectrum of risks, e.g., loss, theft, integrity corruption, competitor access
• Outsourcer negotiating power through organisation dependence on continuing access

IT Governance Considerations for Executives and Boards:
• Ensure the outsourcing contract covers acceptable access rights and clear ownership of information.
• Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request from CEO written confirmation that this test has taken place.
• Inquire as to security over information stored and communications channels with access to the information.
• Inquire as to information management effectiveness (how it is stored, how it is used, what management reports are derived from it and about its condition—this is where the organisation’s value is stored).
• Inquire as to the extent of information mining in use, information architectural fit with organisation’s needs, and level of integration of related information for process effectiveness.
• Ensure that the cost of outsourced service and the level of service received meet strategic needs.

2. Outsourced core knowledge systems and development of new, or maintenance of existing, systems (corporate memory, key knowledge elements, activity processes, executive preferences, etc.)

Risks From Outsourcing and Possible Consequences:
High to very high risk—Depending on how critical the outsourced knowledge systems are to the organisation’s strategic operations
• Exposure to a wide spectrum of risks, including intellectual property theft, process integrity corruption and competitor access
• Dependence on an outsourcer to develop new systems and/or associated intellectual property can mean extreme vulnerability or loss of credibility.

IT Governance Considerations for Executives and Boards:
• Ensure adequate backup and disaster recovery arrangements have been made (as noted previously).
• Inquire as to security over system stored on the outsourcer’s servers or in its computer installation.
• Inquire into how systems access information is stored by outsourcers and the security of associated communication channels.
• Inquire as to the level of the organisation’s dependency on the outsourcer for development or maintenance of new or existing software; understand where knowledge and necessary competencies covering systems now reside—it may now be in Bangalore rather than San Jose.
• Inquire as to project delivery management for new systems.
• Inquire as to system uptime and maintenance performance, e.g., is the IT engine being adequately maintained?
• Ask if the contracted service and uptime operational commitments are being met by the outsourcer.

3. Outsourced major computer installation and ancillary support services

Risks From Outsourcing and Possible Consequences:
Medium to high risk
• Establishing major data centres run by major outsourcers should lower risk via economies of scale, experience, sound data centre procedures, and depth of supporting services.
• Organisation outsourcing needs to ensure that outsourcer’s installation is soundly run and contractually arrange access rights and verification arrangements (possibly via a third party such as a competent assurance provider).
• Risks arise where outsourcing organisation does not monitor the service received or the ongoing condition of the computer installation on which it depends.

IT Governance Considerations for Executives and Boards:
• Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted previously) with participation or observers from the organisation onsite.
• Inquire as to assurance reports on installation service and uptime performance.
• Ask if the contracted service and uptime operational commitments are being met by the outsourcer.

4. Outsourced networks or communications

Risks From Outsourcing and Possible Consequences:
Medium to high risk
• Risks include illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks.
• Alternate network routing capabilities must exist and have been tested for major networks so single point of failure dependency (bottleneck risk) is overcome.
• Insufficient communications capacity slows processing or lengthens customer service centre response times.

IT Governance Considerations for Executives and Boards:
• Ensure adequate backup and disaster recovery arrangements have been made and tested.
• Inquire deeply as to security at all points of the network, extranets and intranets, as well as over links to the Internet, to Internet service providers (ISPs) and to the organisation’s web site.
• Inquire as to the adequacy of bandwidth or communication network capacity to the organisation, e.g., does it meet strategic needs?
• Ask if the contracted service and uptime operational commitments for networks and communication channels are being met by the outsourcer.

5. Provision of computer equipment, replacement of network PCs and servers, network devices

Risks From Outsourcing and Possible Consequences:
Usually low risk
• Alternate suppliers available
• Contract does not meet commercial/entity needs over time.
• Poor service is received leading to lower productivity or higher downtime.
• Outsourced service provider does not keep equipment current.

IT Governance Considerations for Executives and Boards:
• Comply with terms of outsourcing agreement (service received/payments made). (Issues arising are normally handled by entity middle management.)
• Bring to executive or directors’ attention only if a disaster occurs, probably to seek recovery fund.


Easy-to-Understand Reporting

It is usually possible to present clear reports to executives and directors in the form of overview flowcharts of outsourced activities with problem areas highlighted in colour (e.g., red for major IT governance concern area), as well as showing the linkages to activities that have not been outsourced. IT governance covers a wide range of risk issues as well as operational and commercial delivery issues. Some people find it much easier to get the “big picture” from a diagram rather than from long reports in technical jargon. If understandable reports are not being received at present by executives or directors, then IT governance issues can become a major corporate governance liability.

Figures 2 and 3 provide examples of reporting on IT governance in an overview flowchart form, allowing one to get the big picture on internal controls and security quickly, and to focus on what matters.

IT Governance Perspectives for Organisations Providing Outsourcer Services

The other party in an outsourcing arrangement is the outsourcer—the entity providing the original organisation with services. The outsourcer is the other party to the contract for service delivery, and has a different perspective to be considered for IT governance purposes from that of the receiving organisation. The differences are emphasised in figure 4.

Hugh Parkes, CISA, FCA is a director of Parkes & Parkes, management consultants, based in Melbourne, Victoria, Australia. Parkes has extensive experience in IT consulting, banking and financial services, which has included the management of outsourced relationships as well as the provision of services as an outsourcer. A past member of the IT Governance Board, ISACA’s International Board of Directors and the Australian Auditing Standards Board, Parkes currently serves as chairman or independent member of a number of audit committees in Australia.

Figure 2—Reporting on IT Governance

[Flowchart, “How Our Internal Controls Are Operated”: an overview of the organisation’s processes (Board Processes, Executive Team Processes, Operations Processes, Manufacturing Processes, Call Centre Processes, Shared Support Services, Facilities Management Processes, Purchasing/Supply Chain Processes, Warehouse Processes, Sales + Marketing/Knowledge Support, International Operations and Support, Research and Development, Finance/Accounting Processes, HR Processes and IT Processes, globally) across locations (Singapore, Belgium, California, Ireland, India, Canada, Korea manufacturing, Australia information systems), each rated on Overall Operation of Internal Controls and Extent of 24/7/365 Automated Monitoring of Internal Controls. Legend:]

• Sound internal controls—Automated monitoring in place (or assurance review within last 12 months)
• Not assessed by assurance within 12 months. Internal control condition not validated. No automated monitoring in place. DO NOT KNOW!
• Major control issues identified. CEO and board attention required.
• Control deficiencies identified, management action in progress. Being monitored.


Figure 3—The Security Story: An Important IT Governance Perspective

[Diagram, “Logical + Physical Security Overview” (H. Parkes 2003): head office with comms controllers, SCADA controller, servers, data stores, firewalls, physical security, network security gateways, PABX, web server, remote computers, research mainframe and the main computer environment with disk array, linked to servers and firewalls at Belgium, Singapore, California, India, Ireland, Canada and Korea manufacturing, and to Sales + Marketing, Supply Chain, Purchasing/Warehousing, Finance, Facilities, HR, Shared Services and Research & Development servers, covering IT operations and applications and internal security. Legend:]

• MAJOR SECURITY RISKS PLUS IDENTIFIED EXPOSURES
• EXPOSURES identified, under investigation
• WELL SECURED plus assurance received within last three months to BS 7799

Figure 4—Differences in Perspective

(Columns: Outsourced Activities; Risks From Outsourcing and Possible Consequences; IT Governance Considerations for Executives and Boards)

5. Outsourced information management and storage (all value stored, databases, customer files, key parameters, etc.)

Risks From Outsourcing and Possible Consequences:
Very high risk—Depending on how critical the information stored with the outsourcer is (and does the outsourcer understand this)
• Loss of information through penetration, hacking
• Data corruption or inability to provide service
• Risks of embarrassment to reputation in the marketplace
• Breach of contract/risks of legal action
• Costs of recovery

IT Governance Considerations for Executives and Boards:
• Ensure the outsourcing contract covers customer access and clear responsibilities for ownership of information.
• Profitability of service and cost of the level of service actually provided
• Ensure adequate backup and disaster recovery arrangements have been made. Executives should cite specific evidence of successful recovery testing. Directors should request written confirmation from CEO that this testing has been confirmed as taking place.
• Inquire as to security over information stored for customers.
• Inquire as to information management effectiveness, e.g., is it reliable, is the customer advised of quality issues on data received?

4. Outsourced core knowledge systems and development of new or maintenance of existing systems (e.g., corporate memory, key knowledge elements, activity processes, executive preferences)

Risks From Outsourcing and Possible Consequences:
High to very high risk—Depending on how critical the outsourced knowledge systems are to the customer
• Keeping customer’s systems operating at agreed uptime and service levels
• Continuing ability to develop new systems and associated intellectual property
• Continuing ability to maintain/support customer’s existing software in times of rapid change or where there are major redesign/paradigm changes to install
• Loss of software skills, especially on obsolete software languages still requiring support

IT Governance Considerations for Executives and Boards:
• Ensure adequate backup and disaster recovery arrangements have been made (as noted).
• Inquire deeply as to security over systems stored at the data centre on behalf of customers.
• Inquire deeply into the security of associated communication channels.
• Ensure contracted software development and software maintenance services are provided to contracted standards.
• Inquire deeply as to project delivery management for new systems.
• Inquire as to system uptime and maintenance performance, e.g., are service delivery levels being consistently met?
• Ensure that the recruitment and training of staff with required skills is taking place.

3. Outsourced major computer installation and ancillary support services

Risks From Outsourcing and Possible Consequences:
Medium to high risk
• Cost of keeping major data centres operational and able to provide contracted support services
• Cost of investment in future technology infrastructure to remain market-credible, competitive and sustainable
• Changing ways of doing business may lead to customer paradigm shifts.

IT Governance Considerations for Executives and Boards:
• Ensure adequate backup and disaster recovery arrangements have been made and tested (as noted).
• Limit disruption caused by auditors providing assurance reports on installation service and uptime performance; consider appointing a sole provider for this purpose.
• Ask if the contracted service and uptime operational commitments are being met by the data centre.
• Ensure customers are not being overserviced or are paying for services out of the agreed scope.

2. Outsourced networks or communications

Risks From Outsourcing and Possible Consequences:
Medium to high risk
• Risks include illegal or malicious penetration (hacking), denial-of-service attacks, information or system corruption, intellectual property theft, viruses, worms and Trojan horse attacks.
• It is critical to provide alternate network routing where outsourcer also provides networking services to customer.
• Insufficient communications capacity to meet customer demands/contracted service levels.

IT Governance Considerations for Executives and Boards:
• Ensure that adequate backup and disaster recovery arrangements have been made and tested (as noted).
• Inquire as to security at all points of the network, extranets and intranets, as well as over links to the Internet, Internet service providers (ISPs), Internet service and web sites directly linked to the data centre.
• Ensure that adequate capacity planning is done to meet expected customer demand trends.

1. Provision of computer equipment, replacement of network PCs and servers, network devices

Risks From Outsourcing and Possible Consequences:
Usually low risk
• Market competition
• Contract not meeting customers’ needs over time
• Excessive service demands from customer

IT Governance Considerations for Executives and Boards:
• Comply with terms of outsourcing agreement (service provided/payments received).
• Ask about the condition of customer relationship and customer satisfaction levels with outsourced IT services provided.

Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors’ content.

© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA™ Information Systems Control Association™

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.

www.isaca.org