Auditing Outsourced IT Operations Karen Helderman October 9, 2008
Mar 27, 2015

Transcript
Page 1: Auditing Outsourced IT Operations Karen Helderman October 9, 2008.

Auditing Outsourced IT Operations

Karen Helderman, October 9, 2008


Outline

• Background of Virginia’s outsourced IT operations

• Pre-outsourcing IT audit role

• Post-outsourcing IT audit role

• Transition process

• Things to consider

Auditor of Public Accounts 2


Background

• Virginia outsourced its IT infrastructure and operations in July 2006.

• Northrop Grumman (NG) owns and operates all IT hardware and the main and backup data centers.

• Agencies own and operate the applications running on NG infrastructure.

• Operations are viewed similar to any other “utility”


Background

• Virginia pays NG $236 million annually under 10 year agreement.

• At end of 10 years Virginia can renew, hire another vendor, or bring ownership and operations back in house.

• Virginia can exit agreement early, both with or without cause, but there are penalties due primarily to NG’s investment.


Background

• Years 1-3 have involved:
– refreshing old, outdated equipment,
– constructing new data centers and moving equipment to the centers,
– designing a more homogeneous environment.

• Years 4-10 will involve:
– centralized operations and streamlined processing; continuous refresh.


Pre-Outsourcing Audit Role

• APA responsible for all audit aspects, including IT audit.

• Focused our IT audit resources on general control reviews using the following priority:
– CAFR material activities
– material federal programs
– agency-based financial statement audits, such as colleges and universities


Pre-Outsourcing Audit Role

• APA determined IT audit scope and timing.

• Central systems, such as the statewide payroll system, were audited using a SAS 70 approach.

• Systems infrastructure was not homogeneous and required individualized audit approaches for each entity.


Downside to Pre-Outsourcing Audit Activities

• Limited resources resulted in inability to move beyond the minimum required audit procedures.

• Trend was to audit IT controls without evaluating the adequacy of the agency risk model, business impact analysis, etc., upon which the controls should be based.

• Heavy reliance on financial audit staff to audit application controls.


Post-Outsourcing Audit Role

• APA relies on a SAS 70 audit report of NG infrastructure produced by Deloitte and Touche. But getting here was not simple.


Contract Language: SAS 70 Type II

• On a Commonwealth fiscal year basis (7/1 – 6/30) (“Fiscal Year”), Vendor and all Key Subcontractors shall require its Auditors to conduct an examination of the controls placed in operation and a test of operating effectiveness, as defined by Statement on Auditing Standards No. 70, Reports on the Processing of Transactions by Service Organizations (“SAS 70”), of the Services and issue a report thereon (a “Type II Report”) for the applicable Fiscal Year. Vendor shall submit the proposed control objectives to VITA for approval prior to conducting the audit. Vendor and all Key Subcontractors shall deliver the Type II Report within two (2) months after conducting the SAS 70 assessment for a Fiscal Year (but in no event later than November 1 following the Fiscal Year end for which the audit was conducted) and Vendor shall prepare and implement a corrective action plan to correct any deficiencies or resolve any problems identified in such report.


SAS 70 Considerations

• Understanding NG’s role and division of responsibility.
– Early DT presentations included auditing application controls, but NG did not control the applications.


SAS 70 Considerations

• What about financial-related audits issued under performance audit standards?
– We needed audit rights or audit coverage over smaller entities that have sensitive or critical systems. The agreement provided for our audit rights and also for random security audits to be performed by DT.


SAS 70 Considerations

• Understanding the current Commonwealth environment – not homogeneous.
– DT thought the same control procedure would be in place at each location NG managed. NG was using old agency controls, and they would vary at each location. The SAS 70 report would be large and would require an entity-by-entity approach rather than a random sample across Virginia.


SAS 70 Considerations

• Defining SAS 70 objectives and scope.
– The NG agreement contained several areas of work where it appeared no control objectives were planned. We required DT to crosswalk control objectives to the work areas, resulting in the addition of some control objectives.
– Scope, scope, scope… where to audit and why was a big discussion item due to agency interconnectivity!

Auditor of Public Accounts 15

SAS 70 Control Objectives

• #1 – Controls provide reasonable assurance that production processing activities are documented and executed in accordance with approved schedules to normal completion.

• #2 – Controls provide reasonable assurance that only authorized production programs are executed.

• #3 – Controls provide reasonable assurance that data is retained in accordance with the Commonwealth IT Security Standards 2001-01.1.

• #4 – Controls provide reasonable assurance that systems are available and that operational problems are identified and resolved in accordance with documented policies or service level agreements.

• #5 – Controls provide reasonable assurance that physical access to the production environment, stored data, and documentation is restricted to prevent unauthorized destruction, modification, disclosure, or use.

• #6 – Controls provide reasonable assurance that logical access to the production environment, data files, and sensitive system transactions is restricted to authorized users only.

• #7 – Controls provide reasonable assurance that the production environment is protected against environmental hazards and related damage.

• #8 – Controls provide reasonable assurance that regularly scheduled processes that are required to maintain continuity of operations in the event of a catastrophic loss of data or facilities, or to minimize the impact of threats to data, facilities, or equipment, are performed as scheduled.

• #9 – Controls provide reasonable assurance that production environment changes are approved by management prior to implementation in accordance with documented policies and procedures.

• #10 – Controls provide reasonable assurance that necessary modifications to the existing production environment are implemented within the timeframes required by documented policies and procedures.

• #11 – Controls provide reasonable assurance that modifications to the production environment are tested prior to implementation and function consistent with documented policies and procedures.


Post-Outsourcing Audit Role

• APA decides whether to perform additional infrastructure audit work. Authority still exists.

• APA IT audit specialists spend more time reviewing agency policies and procedures and how effectively the agency communicates its requirements to NG.


• APA IT audit specialists assist financial auditors in application control reviews.

• More time available for statewide focused IT audit projects.


• APA has heavy role in auditing and reporting on NG’s compliance with the contract and VITA’s effectiveness as the contract manager.


Things to Consider

• Contract must include audit provisions.

• Need cooperative working environment and mutual understanding between financial and SAS 70 auditors.

• Auditors need a voice in the SAS 70 objectives.

• Need to establish SAS 70 reporting deadline that corresponds well to other audit deadlines.


• Require regular status reports before final report issuance.

• Re-define IT auditor role.

• Perform audits of contract compliance.


Questions??

Karen Helderman

[email protected]

(804) 225-3350 extension 331
