Auditing Outsourced IT Operations - PowerPoint PPT Presentation

1
Auditing Outsourced IT Operations
Karen Helderman October 9, 2008
2
Outline
  • Background of Virginia's outsourced IT operations
  • Pre-outsourcing IT audit role
  • Post-outsourcing IT audit role
  • Transition process
  • Things to consider

3
Background
  • Virginia outsourced its IT infrastructure and
    operations in July 2006.
  • Northrop Grumman (NG) owns and operates all IT
    hardware and the main and backup data centers.
  • Agencies own and operate the applications running
    on NG infrastructure.
  • Operations are viewed similarly to any other
    utility.

4
Background
  • Virginia pays NG 236 million annually under 10
    year agreement.
  • At end of 10 years Virginia can renew, hire
    another vendor, or bring ownership and operations
    back in house.
  • Virginia can exit the agreement early, with or
    without cause, but there are penalties due
    primarily to NG's investment.

5
Background
  • Years 1-3 have involved:
      – refreshing old, outdated equipment,
      – constructing new data centers and moving
        equipment to the centers,
      – designing a more homogeneous environment.
  • Years 4-10 will involve:
      – centralized operations and streamlined
        processing, continuous refresh.

6
Pre-Outsourcing Audit Role
  • APA responsible for all audit aspects, including
    IT audit.
  • Focused our IT audit resources on general control
    reviews using the following priority:
      – CAFR material activities
      – material federal programs
      – agency-based financial statement audits, such as
        colleges and universities

7
Pre-Outsourcing Audit Role
  • APA determined IT audit scope and timing.
  • Central systems, such as statewide payroll
    system, audited in a SAS 70 approach.
  • Systems infrastructure was not homogeneous and
    required individualized audit approaches for each
    entity.

8
Downside to Pre-Outsourcing Audit Activities
  • Limited resources resulted in inability to move
    beyond the minimum required audit procedures.
  • Trend was to audit IT controls without evaluating
    the adequacy of the agency risk model, business
    impact analysis, etc., upon which controls should be
    based.
  • Heavy reliance on financial audit staff to audit
    application controls.

9
Post-Outsourcing Audit Role
  • APA relies on a SAS 70 audit report of NG
    infrastructure produced by Deloitte and Touche.
    But getting here was not simple.

10
Contract Language SAS 70 Type II
  • On a Commonwealth fiscal year basis (7/1 - 6/30)
    (Fiscal Year), Vendor and all Key
    Subcontractors shall require its Auditors to
    conduct an examination of the controls placed in
    operation and a test of operating effectiveness,
    as defined by Statement on Auditing Standards No.
    70, Reports on the Processing of Transactions by
    Service Organizations (SAS 70), of the Services
    and issue a report thereon (a "Type II Report")
    for the applicable Fiscal Year. Vendor shall
    submit the proposed control objectives to VITA
    for approval prior to conducting the audit.
    Vendor and all Key Subcontractors shall deliver
    the Type II Report within two (2) months after
    conducting the SAS 70 assessment for a Fiscal
    Year (but in no event later than November 1
    following the Fiscal Year end for which the audit
    was conducted) and Vendor shall prepare and
    implement a corrective action plan to correct any
    deficiencies or resolve any problems identified
    in such report.

11
SAS 70 Considerations
  • Understanding NG's role and division of
    responsibility.
  • Early DT presentations included auditing
    application controls, but NG did not control the
    applications.

12
SAS 70 Considerations
  • What about financial-related audits issued under
    performance audit standards?
  • We needed audit rights or audit coverage over
    smaller entities that have sensitive or critical
    systems. Agreement provided for our audit rights
    and also random security audits to be performed
    by DT.

13
SAS 70 Considerations
  • Understanding the current Commonwealth environment:
    not homogeneous.
  • DT thought the same control procedure would be in
    place at each location NG managed. NG was using
    old agency controls, and they varied at each
    location. The SAS 70 report would be large and would
    require an entity-by-entity approach rather than a
    random sample across Virginia.

14
SAS 70 Considerations
15
SAS 70 Considerations
  • Defining SAS 70 objectives and scope.
  • The NG agreement contained several areas of work
    where it appeared no control objectives were
    planned. We required DT to crosswalk control
    objectives to the work areas, resulting in the
    addition of some control objectives.
  • Scope, scope, scope: where to audit, and why, was a
    big discussion item due to agency
    interconnectivity!

16
SAS 70 Control Objectives
  • 1 - Controls provide reasonable assurance that
    production processing activities are documented
    and executed in accordance with approved
    schedules to normal completion.

17
SAS 70 Control Objectives
  • 2 - Controls provide reasonable assurance that
    only authorized production programs are executed.

18
SAS 70 Control Objectives
  • 3 - Controls provide reasonable assurance that
    data is retained in accordance with the
    Commonwealth IT Security Standards 2001-01.1.

19
SAS 70 Control Objectives
  • 4 - Controls provide reasonable assurance that
    systems are available and that operational
    problems are identified and resolved in
    accordance with documented policies or service
    level agreements.

20
SAS 70 Control Objectives
  • 5 - Controls should provide reasonable
    assurance that physical access to the production
    environment, stored data, and documentation is
    restricted to prevent unauthorized destruction,
    modification, disclosure, or use.

21
SAS 70 Control Objectives
  • 6 - Controls provide reasonable assurance that
    logical access to the production environment,
    data files, and sensitive system transactions, is
    restricted to authorized users only.

22
SAS 70 Control Objectives
  • 7 - Controls provide reasonable assurance that
    the production environment is protected against
    environmental hazards and related damage.

23
SAS 70 Control Objectives
  • 8 - Controls provide reasonable assurance that
    regularly scheduled processes that are required
    to maintain continuity of operations in the event
    of a catastrophic loss of data, facilities, or to
    minimize the impact of threats to data,
    facilities or equipment, are performed as
    scheduled.

24
SAS 70 Control Objectives
  • 9 - Controls provide reasonable assurance that
    production environment changes are approved by
    management prior to implementation in accordance
    with documented policies and procedures.

25
SAS 70 Control Objectives
  • 10 - Controls provide reasonable assurance that
    necessary modifications to the existing
    production environment are implemented within the
    timeframes required by documented policies and
    procedures.

26
SAS 70 Control Objectives
  • 11 - Controls provide reasonable assurance that
    modifications to the production environment are
    tested prior to implementation and function
    consistent with documented policies and
    procedures.

27
Post-Outsourcing Audit Role
  • APA decides whether to perform additional
    infrastructure audit work. Authority still
    exists.
  • APA IT audit specialists spend more time
    reviewing agency policies and procedures and how
    effectively the agency communicates its
    requirements to NG.

28
Post-Outsourcing Audit Role
  • APA IT audit specialists assist financial
    auditors in application control reviews.
  • More time available for statewide focused IT
    audit projects.

29
Post-Outsourcing Audit Role
  • APA has a heavy role in auditing and reporting on
    NG's compliance with the contract and VITA's
    effectiveness as the contract manager.

30
Things to Consider
  • Contract must include audit provisions.
  • Need cooperative working environment and mutual
    understanding between financial and SAS 70
    auditors.
  • Auditors need voice in SAS 70 objectives.
  • Need to establish a SAS 70 reporting deadline that
    corresponds well to other audit deadlines.

31
Things to Consider
  • Require regular status reports before final
    report issuance.
  • Re-define IT auditor role.
  • Perform audits of contract compliance.

32
Questions??
  • Karen Helderman
  • Karen.helderman_at_apa.virginia.gov
  • (804) 225-3350 extension 331