Outsourcing Technology Services Booklet, Appendix A: Examination Procedures
EXAMINATION OBJECTIVE: Assess the effectiveness of the institution's risk management process as it relates to the outsourcing of information systems and technology services.
Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
TIER I OBJECTIVES AND PROCEDURES
Objective 1: Determine the appropriate scope for the examination.
1. Review past reports for weaknesses involving outsourcing. Consider:
2. Assess management's response to issues raised since the last examination. Consider:
3. Interview management and review institution information to identify:
Objective 2: Evaluate the quantity of risk present from the institution's outsourcing arrangements.
1. Assess the level of risk present in outsourcing arrangements. Consider risks pertaining to:
2. If the institution engages in cloud computing, determine whether:
3. If the institution engages in cloud computing, identify the type(s) of service model that is or will be used:
Platform as a Service (PaaS) - development platform such as Java, .Net, etc. for developing systems is hosted in the cloud;
4. If the institution engages in cloud computing, identify the type of deployment model to be used:
1. Evaluate the outsourcing process for appropriateness given the size and complexity of the institution. The following elements are particularly important:
2. Evaluate the requirements definition process.
3. Evaluate the service provider selection process.
4. Evaluate the process for entering into a contract with a service provider. Consider whether:
5. If the institution engages in cloud processing, determine that inherent risks have been comprehensively evaluated, control mechanisms have been clearly identified, and that residual risks are at acceptable levels. Ensure that
6. Evaluate the institution's process for monitoring the risk presented by the service provider relationship. Ascertain that monitoring addresses:
7. Determine whether the following policies and processes have been revised in light of the need for increased controls brought about by the implementation of cloud computing:
8. Review the policies regarding periodic ranking of service providers by risk for decisions regarding the intensity of monitoring (i.e., risk assessment). Decision process should:
9. Evaluate the financial institution's use of user groups and other mechanisms to monitor and influence the service provider.
Objective 4: Discuss corrective action and communicate findings.
1. Determine the need to complete Tier II procedures for additional validation to support conclusions related to any of the Tier I objectives.
2. Review preliminary conclusions with the EIC (examiner-in-charge) regarding:
3. Discuss findings with management and obtain proposed corrective action for significant deficiencies.
4. Document conclusions in a memo to the EIC that provides report-ready comments for the Report of Examination and guidance to future examiners.
5. Organize work papers to ensure clear support for significant findings by examination objective.
TIER II OBJECTIVES AND PROCEDURES
A. IT REQUIREMENTS DEFINITION
1. Review documentation supporting the requirements definition process to ascertain that it appropriately addresses:
B. DUE DILIGENCE 1. Assess the extent to which the institution reviews the financial stability of the service provider:
2. Evaluate whether the institution's due diligence considers the following:
C. SERVICE CONTRACT
1. Verify that legal counsel reviewed the contract prior to closing.
2. Verify that the contract appropriately addresses:
3. Review service level agreements to ensure they are adequate and measurable. Consider whether:
4. Review the institution's process for verifying billing accuracy and monitoring any contract savings through bundling.
D. MONITORING SERVICE PROVIDER RELATIONSHIP(S)
1. Evaluate the institution's periodic monitoring of the service provider relationship(s), including:
2. Review risk rankings of service providers to ascertain:
3. Review actions taken by management when rankings change, to ensure policy conformance when rankings reflect increased risk.
4. Review any material subcontractor relationships identified by the service provider or in the outsourcing contracts. Ensure: