Evaluation Of Outsourcing It Operations

2. Auditee Environment:

Delta Limited is a well-known company in online retail grocery market has an office at Cannaught Place, New Delhi with employee strength of more than 100 professional which includes IT, Accounts and Finance and Management people. The employees are highly as well as average skilled, IT trained & have adequate financial and management background. Everyone knows their respective roles, responsibilities rights, authority and the risk of working in the segment and the vulnerabilities.

3. Background and Situation-

Delta Limited has decided to move its key business application to cloud services to a renowned vendor considering the increased functionality and cost savings. Currently they are working on MARG Retail software for their existing line of business. The decision to move was taken because the IT department convinced the CEO of the company about the need to outsource considering the cost savings, enhanced features and improved technology in cloud computing and accordingly increased business productivity.
Accordingly they have decided to go on for Outsourcing IT Operations cloud computing environment to hire and use the services of cloud service provider in this regard. However the company has not done a comprehensive study of the appropriateness of proposed outsourcing arrangement.
The company’s internal audit department has reviewed the proposal and provided their findings and recommendations. After being escalated to the audit committee, the committee has decided to get the proposal reviewed by independent auditor.

4. Terms and scope of assignment:

Scope of work

a) Review of Current Business Processes, Technology and Personnel Utilisation
b) Business value assessment (Existing position Vs. Proposed Outsourcing Scenario)
c) Risk Assessment of IT Outsourcing, Recommendations to mitigate same
d) Selection of Services / Vendors based on Cost-benefit analysis and associated risk

Terms and condition

1. Deliverables
   • Recommendations based on risk assessment of vendors of cloud computing.
   • Recommendations on controls to be implemented to mitigate risk of outsourcing.
   • Report to management with cost benefit analysis and risk mitigation strategy.
2. Time Frame

The estimated time for completing the assignment is 2 weeks subject to availability of the logistics such as computers, visit to vendor site, printers, seating arrangement and all the necessary documents that are required from time to time to complete the audit.

 

5. Logistics arrangements required

To conduct the audit efficiently we would require the following infrastructure and documentation to complete the review within the time frame:
We would require the access to the current software with read only rights to check the current functionality of the application.
Also we would like management to arrange live demonstration of selected cloud computing vendors in order to have comparative analysis on functional aspects.

Further the following facilities will be required:-

1. Findings of the internal audit department.
2. Two consoles with read only right to the software.
3. User manual for generating reports.
4. Access to the printer.
5. Adequate seating space for working and space for discussion among our team and with any of your staff is need arises.
6. We would require an employee of your organization to be a coordinator to liaise between the audit team and the organization.
7. Draft copy of the proposal with vendor of Cloud Computing.
8. Any other documents that may be found relevant during the course of the assignment.
9.  

6. Methodology and Strategy adapted for execution of assignment

1. Ensuring contractual viability through continuous review, improvement and benefit gain to both parties.
2. Management of the relationship to ensure that contractual obligations are met through service level agreements (SLAs), operating level agreements (OLAs), service credit regimes and gainshare.
3. Identification and management of all stakeholders, their relationships and expectations.
4. Establishment of clear roles and responsibilities for decision making, issue escalation, dispute management, demand management and service delivery.
5. Allocation of resources, expenditure and service consumption in response to prioritised needs.
6. Continuous evaluation of performance, cost, user satisfaction and effectiveness.
7. Ongoing communication across all stakeholders.
8. Reference to COBIT components which includes;
   • a) Framework: Organizes IT governance objectives and good practices by IT domains and processes and link them to business requirements.
   • b) Process descriptions: A reference process model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run, and monitor.
   • c) Control objectives: Provides a complete set of high-level requirements to be considered by management for effective control of each IT process.
   • d) Management guidelines: Helps assign responsibility, agree on objectives, measure performance, and illustrate interrelationship with other processes.
   • e) Maturity models: Assesses maturity and capability per process and helps to address gaps.

COBIT for Enterprises with a Primary Interest in Cloud Computing

Based on following parameters, the company has selected Software-as-a-Service (SaaS) cloud computing model as appropriate for its business.

Intuitive User Experience – Matured SaaS / PaaS vendors provide templates, tools, widgets and several advance features to create rich and interactive user experience and also handle customer support operations.

Integration with disparate internal / external systems – Access to applications with advance capabilities and latest business and technology trends. Provide anytime, anywhere access that can be consumed through multi-device clients – helps in implementing multi-channel support

Performance, Scalability and Availability – Cloud service providers working under strict SLA ensure the agreed level of performance. On demand Scalability / Elasticity to support large number of customers, especially during the holidays/events. Cloud service providers working under strict SLA ensure the agreed level of availability.

IT Support and Dependency – Free up organization resources to focus on their core business. Low skills requirements for customization of the site Security and Compliance – Cloud service providers working under strict SLA ensure the agreed level of security.

Total Cost of Ownership (TCO) – No IT infrastructure and upfront CAPAX for network, servers, database, storage and backup.

7. Documents reviewed

Following documents have verified by us:

• Functional Gap analysis, (Point Scoring Analysis)
• Public Evaluation report
• Proof of Concept (Benchmarking Solutions)
• Acceptability by end users
• Service level agreements (SLAs), Operating level agreements (OLAs)
• Copies of Documents like licenses, sample batch report, liability insurance etc.
• Accreditation status, if applicable
• QA documentation received from site
•  

8. References

• Information systems audit 2.0 modules
• Delta Limited organisation structure
• BCP plan
• Information security policy of the company
• User manual of the software
• Exception reports generated
• Access control manual
• Vendor proposal
• Internal audit findings
• www.isaca.org
• cit.icai.org
• Various personnel of vendor and the Organisation
•  

9. Deliverables

To,
The Directors,
Delta Limited,
New Delhi.

Please find herewith our report on vendor proposal for Outsourcing of IT Operations.

Objective of the assignment

The main objective is to provide the management with an independent review of the vendor proposals.

Audit environment

The review was conducted at the head office of the organisation and the vendor situated at New Delhi.

Observations:-

Some of the major observations noticed in the proposal are as below:

1. A process for reviewing the third-party compliance requirements is non-existent, and the decision has been imposed by IT.
2. On contacting customers of vendor, we were informed that when the cloud services were used, they have detected data leakage in critical information and unknown areas of data. Due to this severe issue, the impact to business reputation was severely damaged and had the potential to drive the company out of business, by losing future service contracts.
3. The usage of the current enterprise environment and business processes, as well as the enterprise strategy and future objectives were not considered in selecting the cloud services.
4. The external environment of the enterprise (industry drivers, relevant regulations, basis for competition) have not been documented or considered in selecting cloud services).
   Before finalizing the service agreements with the service provider, the service catalogues and business process requirements and internal operational agreements were not considered.
5. The company does not have policy for monitoring service levels, to report on achievements and identify trends. The SLA should provide the appropriate management information to aid performance management.
6. Business case for cloud service was not prepared. There is no process to identify, prioritize, specify and agree on business information, functional, technical and control
7. requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.

Further we would inform you that the above mentioned observations are over and above the findings of the internal audit department.
Format of Report/Findings and Recommendations