AUDIT REPORT. Cloud Software as a Service (SaaS) Procurement and Governance Audit. June 9, 2016



Similar documents
AUDIT REPORT. Service Desk and Problem Management Audit Opinion: Satisfactory. November 14, Report Number: 2014-IT-04

AUDIT REPORT. Corporate Access and Identity Management Project Audit Opinion: Satisfactory. July 31, 2015

AUDIT REPORT. Citizens Insurance Suite Check Printing Audit Opinion: Needs Improvement. June 11, 2015

AUDIT REPORT. Citizens Data Warehouse Audit Opinion: Needs Improvement. Date: June 9, Report Number: 2014-AUD-IT-01

CHAPTER Committee Substitute for Committee Substitute for Committee Substitute for House Bill No. 1033

OCCUPATIONAL GROUP: Information Technology. CLASS FAMILY: Security CLASS FAMILY DESCRIPTION:

IT Vendor Due Diligence. Jennifer McGill CIA, CISA, CGEIT IT Audit Director Carolinas HealthCare System December 9, 2014

Vendor Relationship Management

FLORIDA COMMISSION ON OFFENDER REVIEW (formerly Florida Parole Commission)


PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

GUIDANCE FOR MANAGING THIRD-PARTY RISK

December 2014 Report No An Audit Report on The Telecommunications Managed Services Contract at the Health and Human Services Commission

Pharma CloudAdoption. and Qualification Trends

Audit of Business Continuity Planning

Information Technology Internal Audit Report

Vendor Management Compliance Top 10 Things Regulators Expect

Joint Audit Report for South Lakeland District Council. & Eden District Council

Audit of the CFPB s Acquisition and Contract Management of Select Cloud Computing Services

Cyber Security Auditing for Credit Unions. ACUIA Fall Meeting October 7-9, 2015

OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT

Refresher on cloud computing

The CIPM certification is comprised of two domains: Privacy Program Governance (I) and Privacy Program Operational Life Cycle (II).

STATE OF NORTH CAROLINA

Information Security Program

SSAE 16 for Transportation & Logistics Companies. Chris Kradjan Kim Koch

03/14/2013 Compensation Update Citizens Property Insurance Corporation Board of Governors Meeting March 22, 2013

Understanding SOC Reports for Effective Vendor Management. Jason T. Clinton January 26, 2016

Credit Union Liability with Third-Party Processors

Financial and Cash Management Task Force. Strategic Business Plan

Virginia Government Finance Officers Association Spring Conference May 28, Cloud Security 101

Information Security Program CHARTER

REPORT 2016/035 INTERNAL AUDIT DIVISION

From Information Management to Information Governance: The New Paradigm

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

May 2012 Report No

SafeBiz. Identity Theft and Data Breach Program For Small & Medium Size Businesses (SMB)

AUSTIN INDEPENDENT SCHOOL DISTRICT INTERNAL AUDIT DEPARTMENT TRANSPORTATION AUDIT PROGRAM

U.S. Department of Justice Office of the Inspector General. Improving the Grant Management Process

Auditor General s Office. Governance and Management of City Computer Software Needs Improvement

SRA International Managed Information Systems Internal Audit Report

Software as a Service: Guiding Principles

TITLE: Fraud Prevention and Detection Program IDENTIFIER: S-FW-LD-1008 APPROVED: Executive Cabinet (Pending)

Information Technology Internal Audit Report

Aberdeen City Council IT Asset Management

Cumbria Constabulary. Business Continuity Planning

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Vendor Management Best Practices

This procedure is associated with BCIT policy 6700, Freedom of Information and Protection of Privacy.

July 6, Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263

2014 Vendor Risk Management Benchmark Study

Hybrid Clouds. Krishnan Subramanian Analyst & Researcher Krishworld.com. A whitepaper sponsored by Trend Micro Inc.

The MORA Review Successfully Managing the Process

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

POSTAL REGULATORY COMMISSION

Vendor Management Challenges and Solutions for HIPAA Compliance. Jim Sandford Vice President, Coalfire

Assessment and Collection of Selected Penalties. Workers Compensation Board

States of Jersey Comptroller & Auditor General

HIPAA Compliance: Are you prepared for the new regulatory changes?

March 2007 Report No

How To Audit Cloud Computing

The Practical Guide to Cloud Service Level Agreements. May, 2012

Board Risk & Compliance Committee Charter

Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting

Validating Enterprise Systems: A Practical Guide

SECURITY RISK MANAGEMENT

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

Obtaining CSF Certification Lessons Learned and Why Do It

IAPP Global Privacy Summit Protecting Privacy Under the Cybersecurity Microscope

Supporting Effective Compliance Programs

Third party assurance services

Third Party Risk Management 12 April 2012

Security Issues in Cloud Computing

Transcription:

AUDIT REPORT Cloud Software as a Service (SaaS) Procurement and Governance Audit June 9, 2016

Table of Contents: Page Executive Summary Background 1 Audit Objectives and Scope 1 Management s Assessment and Reporting on Controls Audit Opinion 2 2 Appendix Definitions 3 Issue Classifications 4 Distribution 5 Audit Performed By 5

Executive Summary Background Cloud Software as a Service (SaaS) is a software model in which a third-party provider hosts applications and makes them available to customers through an Internet connection. As opposed to traditional onpremises software which requires organizations to purchase, install and maintain IT hardware and software, SaaS providers host software at their locations. Strategically, the use of SaaS by an organization allows IT resources to be deployed in accordance with its business objectives. Citizens utilizes both SaaS and traditional on-premises applications. The Citizens IT Strategic Plan addresses the consideration of SaaS as follows: In selection of systems, or as we have lifecycle opportunity with current systems, we will evaluate options for external hosting (assess cloud options). Systems as a Service (SaaS), or other external hosting options will be assessed and are preferred where there is a good fit with overall cloud strategies, when risks can be well-managed, where integration objectives are supported, and when cost/benefit analysis is favorable. IT has also developed a cloud strategy which includes a phased approach for SaaS implementation including procurement and governance. In carrying out the SaaS strategy, Citizens is not actively seeking SaaS providers to replace existing solutions. However, as opportunities arise, SaaS providers will be considered as appropriate. In 2015, the Citizens Vendor Management Office (VMO) developed a SaaS Decision Framework to put structure around the procurement and governance of SaaS applications. The framework, approved by the Executive Leadership Team in June 2015, identifies organizational departments involved in the procurement and governance process, as well as key points where the viability of potential SaaS solutions is determined. In addition to SaaS based applications, IT is also evaluating SaaS based options for disaster recovery and potentially the ERP solution. VMO Management indicated there were roughly thirteen SaaS vendors at the time of the audit. Audit Objectives and Scope The objective of this audit was to evaluate the adequacy and effectiveness of controls related to the procurement and governance of SaaS implementations. The scope of the audit included an assessment of: Alignment of the SaaS Decision Framework to cloud industry guidance Review of the IT Strategic Plan for inclusion of a SaaS adoption strategy Controls around the SaaS procurement process and application of the SaaS Decision Framework Procurement of SaaS vendors, including cross-functional evaluation of SaaS viability for concept proposals and scoring of SaaS vendor solicitations Governance of SaaS vendors, including contract manager monitoring of SaaS vendor agreements for Service Level Agreement (SLA) performance, vendor billings, and receipt and review of SOC reports. Additionally, the SaaS vendor data breach notification process was evaluated Administration of Citizens access to SaaS vendor systems The scope of this audit did not include the vendor payment process nor re-performance of contract manager SaaS billing validation. P a g e 1

Executive Summary Management s Assessment and Reporting on Controls OIA met with Management to determine if there were any internal control issues related to the audit scope that Management would like to report. VMO stated a retroactive review of SaaS contracts for information security and data privacy language was being performed at audit inception, to ensure SaaS specific terms and conditions were included. The project was completed during the course of the audit. Audit Opinion Based upon our audit work, the overall effectiveness of the SaaS Decision Framework and related controls evaluated during the audit of Cloud SaaS Procurement and Governance is rated as Needs Minor Improvement. With the development and implementation of a SaaS strategy and decision framework, the VMO was able to implement a major step in strengthening Cloud SaaS procurement and governance controls. Our work, however, indicated specific areas where opportunities for improvement were noted including: Procedures to complement the SaaS Decision Framework have not been formally documented to ensure consistent use. Detailed procedures have not been created to support the SaaS Decision Framework for process areas that are specific to the review of cloud providers being considered in a solicitation or purchase. Contents that are missing, based upon industry guidance, include the formal assignment of roles, responsibilities and deliverables for each process step, vendor risk assessment requirements and the potential inclusion of additional vendor requirements in the service level agreement as output from the risk assessment. As well, an assurance process should be developed and implemented to validate ongoing compliance with the SaaS Decision Framework. A formalized process is not in place to ensure consistent use of the VMO SaaS Decision Framework when SaaS is purchased through a purchase order. There is not a documented procedure to ensure that procurements follow the SaaS Decision Framework for non-enterprise concept proposal cloud services less than $35K, or more than $35K, if obtained via a state term contract. VMO and the Purchasing department coordinate to obtain approvals for software purchases requested through the IT service desk application. However, if a software purchase is for cloud services, a formalized process is not in place to ensure that the SaaS Decision Framework would be applied. We would like to thank management and staff for their cooperation and professional courtesy throughout the course of this audit. P a g e 2

Appendix 1 Definitions Audit Ratings Satisfactory: The control environment is considered appropriate and maintaining risks within acceptable parameters. There may be no or very few minor issues, but their number and severity relative to the size and scope of the operation, entity, or process audited indicate minimal concern. Needs Minor Improvement: The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some minor areas of weakness in the control environment that need to be addressed. Once the identified weaknesses are addressed, the control environment will be considered satisfactory. Needs Improvement: The audit raises questions regarding the appropriateness of the control environment and its ability to maintain risks within acceptable parameters. The control environment will require meaningful enhancement before it can be considered as fully satisfactory. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate some noteworthy areas of weakness. Unsatisfactory: The control environment is not considered appropriate, or the management of risks reviewed falls outside acceptable parameters, or both. The number and severity of issues relative to the size and scope of the operation, entity, or process being audited indicate pervasive, systemic, or individually serious weaknesses. P a g e 3

Appendix 2 Issue Classifications Control Category High Medium Low Financial Controls (Reliability of financial reporting) Operational Controls (Effectiveness and efficiency of operations) Compliance Controls (Compliance with applicable laws and regulations) Remediation timeline Actual or potential financial statement misstatements > $10 million Control issue that could have a pervasive impact on control effectiveness in business or financial processes at the business unit level A control issue relating to any fraud committed by any member of senior management or any manager who plays a significant role in the financial reporting process Actual or potential for public censure, fines or enforcement action (including requirement to take corrective actions) by any regulatory body which could have a significant financial and/or reputational impact on the Group Any risk of loss of license or regulatory approval to do business Areas of non-compliance identified which could ultimately lead to the above outcomes A control issue relating to any fraud committed by any member of senior management which could have an important compliance or regulatory impact Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy. Such an issue would be expected to receive immediate attention from senior management, but must not exceed 60 days to remedy. Actual or potential financial statement misstatements > $5 million Control issue that could have an important impact on control effectiveness in business or financial processes at the business unit level Actual or potential for public censure, fines or enforcement action (including requirement to take corrective action) by any regulatory body Areas of noncompliance identified which could ultimately lead to the above outcomes Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of final Audit Report date. Such an issue would be expected to receive corrective action from senior management within 1 month, but must be completed within 90 days of final Audit Report date. Actual or potential financial statement misstatements < $5 million Control issue that does not impact on control effectiveness in business or financial processes at the business unit level Actual or potential for non-public action (including routine fines) by any regulatory body Areas of noncompliance identified which could ultimately lead the above outcome Such an issue does not warrant immediate attention but there should be an agreed program for resolution. This would be expected to complete within 3 months, but in every case must not exceed 120 days. Such an issue does not warrant immediate attention but there should be an agreed program for resolution. This would be expected to complete within 3 months, but in every case must not exceed 120 days. P a g e 4

Appendix 3 Distribution Addressee(s) Copies Stephen Guth, VP Vendor Management Business Leaders: Barry Gilway, President/CEO/Executive Director Kelly Booten, Chief Systems and Operations Curt Overpeck, Chief Information Officer John Rollins, Chief Risk Officer Dan Sumner, Chief Legal Officer & General Counsel Christine Turner Ashburn, VP-Communications, Legislative & External Affairs Robert Sellers, VP IT Infrastructure and Operations Bruce Meeks, Inspector General Mitch Brockbank, Director IT Risk and Security Spencer Kraemer, Director Purchasing Audit Committee Juan Cocuy, Citizens Audit Committee Chairman Bette Brown, Citizens Audit Committee Member Jim Henderson, Citizens Audit Committee Member Following Audit Committee Distribution The Honorable Rick Scott, Governor The Honorable Jeff Atwater, Chief Financial Officer The Honorable Pam Bondi, Attorney General The Honorable Adam Putnam, Commissioner of Agriculture The Honorable Andy Gardiner, President of the Senate The Honorable Steve Crisafulli, Speaker of the House of Representatives Dixon, Hughes, Goodman LLP Audit Performed By Auditor in Charge Audit Director Under the Direction of Kirk Elmore, Senior Auditor Karen Wittlinger, IT Audit Director Joe Martins Chief of Internal Audit P a g e 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information