IT Governance and Outsourcing

Transcription

1 Copyright 2004 Information Systems Audit and Control Association. All rights reserved. IT Governance and Outsourcing By Hugh Parkes, CISA, FCA is a subset of corporate governance. It refers to how well an organisation governs or ITgovernance controls those of its activities that involve the use of information technology. In both business and government organisations, there are now few key activities that do not involve the use of IT as either an enabler or an intrinsic part of the capacity to allow the activity to take place. It should be stressed that IT governance refers to how the entire activity using IT is controlled not just the IT department or the physical manifestations of IT, but the business knowledge and information that the activity requires for its successful operation. Outsourcing, in its most common form, involves the contracting out of one or more of an organisation s activities to an enterprise outside the corporate or government bounds. Activities of many types can be outsourced. The form of contracts or agreements that set the parameters under which the outsourced activity will be carried out can also vary considerably. Properly constituted organisations have the capacity to enter into contracts with one another, and many legal endeavours go into working out the terms of the contract, as well as assessing how its terms are complied with during the duration of the contract. However, the leaders of the organisations entering into an outsourcing agreement need to ask if their experience in reality delivers the objectives they have set for themselves in making the strategic decision to outsource or to provide the service now outsourced. IT Governance Perspectives for Organisations Outsourcing Activities The perspective of executives or directors toward the need for effective IT governance depends on how important the activity or resource provision outsourced is in the context of achieving the organisation s strategies. If what is outsourced is a replaceable commodity or service, then problems can be overcome by going to an alternative supplier with low transfer risks. However, if what is outsourced is vital for the organisation s ability to operate, then IT governance considerations and the frequency of reporting on service delivery and effectiveness of associated performance become of high importance. Figure 1 sets out types of activities that can be outsourced, the risks associated with outsourcing such activities and what IT governance issues should be considered. Figure 1 Outsourcing Activities, Risks and Considerations 1.Outsourced information management and storage Very high risk Depending on how critical the Ensure the outsourcing contract covers (all value stored, databases, customer files, key information stored with the outsourcer is acceptable access rights and clear parameters, etc.) Consequences of loss or unauthorised access ownership of information. via penetration or poor security Ensure adequate backup and disaster Immediate impact, meaning this instant recovery arrangements have been made. Exposure to a wide spectrum of risks, e.g., loss, Executives should cite specific evidence of theft, integrity corruption, competitor access successful recovery testing. Directors should Outsourcer negotiating power through request from CEO written confirmation that organisation dependence on continuing access this test has taken place. Inquire as to security over information stored and communications channels with access to the information. Inquire as to information management effectiveness (how it is stored, how it is used, what management reports are derived from it and about its condition this is where the organisation s value is stored). Inquire as to the extent of information mining in use, information architectural fit with organisation s needs, and level of integration of related information for process effectiveness. Ensure that the cost of outsourced service and the level of service received meet strategic needs.

2 Figure 1 Outsourcing Activities, Risks and Considerations (cont.) 2.Outsourced core knowledge systems and High to very high risk Depending on how Ensure adequate backup and disaster development of new, or maintenance of existing, critical the outsourced knowledge systems are recovery arrangements have been systems (corporate memory, key knowledge to the organisation s strategic operations made (as noted previously). elements, activity processes, executive Exposure to a wide spectrum of risks, including Inquire as to security over system stored on preferences, etc.) intellectual property theft, process integrity the outsourcer s servers or in its computer corruption and competitor access installation. Dependence on an outsourcer to develop new Inquire into how systems access information systems and/or associated intellectual property is stored by outsourcers and the security of can mean extreme vulnerability or loss of associated communication channels. credibility. Inquire as to the level of the organisation s dependency on the outsourcer for development or maintenance of new or existing software; understand where knowledge and necessary competencies covering systems now reside it may now be in Bangalore rather than San Jose. Inquire as to project delivery management for new systems. Inquire as to system uptime and maintenance performance, e.g., is the IT engine being adequately maintained? operational commitments are being met by the outsourcer. 3.Outsourced major computer installation and Medium to high risk Ensure adequate backup and disaster ancillary support services Establishing major data centres run by major recovery arrangements have been made and outsourcers should lower risk via economies tested (as noted previously) with participation of scale, experience, sound data centre or observers from the organisation onsite. procedures, and depth of supporting services. Inquire as to assurance reports on Organisation outsourcing needs to ensure that installation service and uptime outsourcer s installation is soundly run and performance. contractually arrange access rights and verification arrangements (possibly via a third operational commitments are being met by party such as a competent assurance provider). the outsourcer. Risks arise where outsourcing organisation does not monitor the service received or the ongoing condition of the computer installation on which it depends. 4.Outsourced networks or communications Medium to high risk Ensure adequate backup and disaster Risks include illegal or malicious penetration recovery arrangements have been (hacking), denial-of-service attacks, made and tested. information or system corruption, intellectual Inquire deeply as to security at all points of property theft, viruses, worms and Trojan the network, extranets and intranets, as well horse attacks. as over links to the Internet, to Internet Alternate network routing capabilities must service providers (ISPs) and to the exist and have been tested for major networks organisation s web site. so single point of failure dependency Inquire as to the adequacy of bandwidth or (bottleneck risk) is overcome. communication network capacity to the Insufficient communications capacity slows organisation, e.g., does it meet strategic processing or lengthens customer service needs? centre response times. operational commitments for networks and communication channels are being met by the outsourcer. 5.Provision of computer equipment, replacement of Usually low risk Comply with terms of outsourcing agreement network PCs and servers, network devices Alternate suppliers available (service received/payments made). (Issues Contract does not meet commercial/entity arising are normally handled by entity needs over time. middle management.) Poor service is received leading to lower Bring to executive or directors attention productivity or higher downtime. only if a disaster occurs, probably to Outsourced service provider does not keep seek recovery fund. equipment current.

3 Easy-to-Understand Reporting It is usually possible to present clear reports to executives and directors in the form of overview flowcharts of outsourced activities with problem areas highlighted in colour (e.g., red for major IT governance concern area), as well as showing the linkages to activities that have not been outsourced. IT governance covers a wide range of risk issues as well as operational and commercial delivery issues. Some people find it much easier to get the big picture from a diagram rather than from long reports in technical jargon. If understandable reports are not being received at present by executives or directors, then IT governance issues can become a major corporate governance liability. Figures 2 and 3 provide examples of reporting on IT governance in an overview flowchart form, allowing one to get the big picture on internal controls and security quickly, and to focus on what matters. IT Governance Perspectives for Organisations Providing Outsourcer Services The other party in an outsourcing arrangement is the outsourcer the entity providing the original organisation with services. The outsourcer is the other party to the contract for service delivery, and has a different perspective to be considered for IT governance purposes from that of the receiving organisation. The differences are emphasised in figure 4. Hugh Parkes, CISA, FCA is a director of Parkes & Parkes, management consultants, based in Melbourne, Victoria, Australia. Parkes has extensive experience in IT consulting, banking and financial services, which has included the management of outsourced relationships as well as the provision of services as an outsourcer. A past member of the IT Governance Board, ISACA s International Board of Directors and the Australian Auditing Standards Board, Parkes currently serves as chairman or independent member of a number of audit committees in Australia. Figure 2 Reporting on IT Governance HOW OUR INTERNAL CONTROLS ARE OPERATED Sound internal controls Automated monitoring in place (or assurance review within last 12 months) Control deficiencies identified, management action in progress. Being monitored. International Marketing Sales + Marketing KNOWLEDGE SUPPORT International Sales Major control issues identified. CEO and board attention required. Not assessed by assurance within 12 months. Internal control condition not validated. No automated monitoring in place..do NOT KNOW! Board of Directors OPERATIONS Operations INTERNATIONAL OPERATIONS AND SUPPORT Management Inventory Board EXECUTIVE TEAM SUPPLY CHAIN MANUFACTURING Supply Chain KOREA MFG PURCHASING Distribution Manufacturing Warehouse BELGIUM CALIFORNIA SINGAPORE Overall Operation of Internal Controls Executive Team CALL CENTRES Call Centre INDIA IRELAND CANADA Extent of 24/7/365 Automated Monitoring of Internal Controls SHARED SUPPORT SERVICES RESEARCH AND DEVELOPMENT Finance and Accounting Finance/Accounting Personnel HR FACILITIES MANAGEMENT Facilities Management Information Systems AUSTRALIA IT

4 Figure 3 The Story: An Important IT Governance Perspective LOGICAL + PHYSICAL SECURITY OVERVIEW HEAD OFFICE Web Sales + Marketing Supply Chain s Purchasing Warehousing Belgium Singapore Physical s REMOTE COMPUTERS Research & Development Research Mainframe Stores Stores India Ireland Canada SHARED SERVICES Finance HR Facilities Manufacturing Physical Korea SCADA Controller H.Parkes 2003 California Network PABX IT Operations and Applications INTERNAL SECURITY Gateways Main Computer Environment Research Mainframe Physical Disk array MAJOR SECURITY RISKS PLUS IDENTIFIED EXPOSURES EXPOSURES identified, under investigation WELL SECURED plus assurance received within last three months to BS 7799 HR Comms. Controllers Figure 4 Differences in Perspective 5.Outsourced information management and storage Very high risk Depending on how critical the Ensure the outsourcing contract covers (all value stored, databases, customer files, key information stored with the outsourcer is customer access and clear responsibilities parameters, etc.) (and does the outsourcer understand this) for ownership of information. Loss of information through penetration, Profitability of service and cost of the level hacking of service actually provided corruption or inability to provide service Ensure adequate backup and disaster Risks of embarrassment to reputation in the recovery arrangements have been made. marketplace Executives should cite specific evidence of Breach of contract/risks of legal action successful recovery testing. Directors should Costs of recovery request written confirmation from CEO that this testing has been confirmed as taking place. Inquire as to security over information stored for customers. Inquire as to information management effectiveness, e.g., is it reliable, is the customer advised of quality issues on data received?

5 Figure 4 Differences in Perspective (cont.) 4.Outsourced core knowledge systems and High to very high risk Depending on how Ensure adequate backup and disaster development of new or maintenance of existing critical the outsourced knowledge systems are recovery arrangements have been made systems (e.g., corporate memory, key knowledge to the customer (as noted). elements, activity processes, executive preferences) Keeping customer s systems operating at Inquire deeply as to security over systems agreed uptime and service levels stored at the data centre on behalf Continuing ability to develop new systems and of customers. associated intellectual property Inquire deeply into the security of Continuing ability to maintain/support associated communication channels. customer s existing software in times of rapid Ensure contracted software development change or where there are major and software maintenance services are redesign/paradigm changes to install provided to contracted standards. Loss of software skills, especially on obsolete Inquire deeply as to project delivery software languages still requiring support management for new systems. Inquire as to system uptime and maintenance performance, e.g., are service delivery levels being consistently met? Ensure that the recruitment and training of staff with required skills is taking place. 3.Outsourced major computer installation and Medium to high risk Ensure adequate backup and disaster ancillary support services Cost of keeping major data centres operational recovery arrangements have been and able to provide contracted support services made and tested (as noted). Cost of investment in future technology Limit disruption caused by auditors providing infrastructure to remain market-credible, assurance reports on installation service competitive and sustainable and uptime performance; consider Changing ways of doing business may lead to appointing a sole provider for this purpose. customer paradigm shifts. operational commitments are being met by the data centre. Ensure customers are not being overserviced or are paying for services out of the agreed scope. 2.Outsourced networks or communications Medium to high risk Ensure that adequate backup and disaster Risks include illegal or malicious penetration recovery arrangements have been (hacking), denial-of-service attacks, information made and tested (as noted). or system corruption, intellectual property Inquire as to security at all points of the theft, viruses, worms and Trojan horse attacks. network, extranets and intranets, as well as It is critical to provide alternate network routing over links to the Internet, Internet service where outsourcer also provides networking providers (ISPs), Internet service and web services to customer. sites directly linked to the data centre. Insufficient communications capacity to meet Ensure that adequate capacity planning customer demands/contracted service levels. is done to meet expected customer demand trends. 1.Provision of computer equipment, replacement of Usually low risk Comply with terms of outsourcing agreement network PCs and servers, network devices Market competition (service provided/payments received). Contract not meeting customers needs Ask about the condition of customer over time relationship and customer satisfaction Excessive service demands from customer levels with outsourced IT services provided. Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc.. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal. Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content. Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved. ISCA TM Information Systems Control Association TM Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass , to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25 per page. Send payment to the CCC stating the ISSN ( ), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.