Provision of IT services

Organizations that structure their IT operations to reflect the services they perform or offer to users—whether those users are service consumers internal or external to the organization that provides IT services—often conduct IT auditing to support the measurement and achievement of internal objectives related to governance or operational effectiveness. Such organizations may also seek certification of their IT service management capabilities against standards such as ISO 20000 [10]. For purposes of implementing, operating, or improving IT services, many organizations rely on externally developed service management frameworks such as the ITIL or relevant aspects of COBIT. ISO/IEC 20000 certification requirements are consistent with the practices organizations adopt when they implement IT service management frameworks; while organizations are not required to commit to an external service management model, following such frameworks can facilitate achieving certification. Auditing IT processes or services presents some potential challenges compared to examinations of other types of IT controls, as it may be impractical for auditors to directly observe the full execution of processes executed or services delivered by an organization. Audits of IT processes and services are performed by both external and internal auditors whose qualifications may include general auditing credentials such as CPA or IIA in addition to IT domain certifications or specialized subject matter expertise.

100 CHAPTER 5 Types of Audits

Organizations implementing IT service management certification such as ISO/IEC 20000, or acquiring services provided by such organizations, should be aware that framework-specific certifications like ITIL and COBIT can only be attained by individuals (including IT auditors), not by organizations. Whether or not they adopt or publicize their adherence to formally specified service management frameworks like ITIL, only certifications like ISO/IEC 20000 or SOC designations are relevant organization-level qualifications for service providers.

In many organizations, IT operations comprise a wide range of IT processes and services performed on behalf of business units or process owners outside the IT function. Services delivered in this model commonly include application management and monitoring, systems operation and maintenance, and network, telecommunications, and infrastructure services. The technical capabilities, personnel, and physical resources needed to deliver these and other IT services are typically consolidated in dedicated data center facilities or dedicated areas of more general-purpose facilities. The “customers” served by IT may include other parts of the same organization or service users in external organizations. With the advent of IT outsourcing, software-as-a-service delivery models, cloud computing, and other forms of externally hosted systems and infrastructure, the field of IT auditing increasingly needs to address IT services. Data center operators and cloud computing vendors are specialized types of IT service providers whose internal controls are audited using available SSAE and related guidance on preparing reports on service organization controls [31,32]. As illustrated in Figure 5.3, the control reports resulting from external audits of service providers are often directed both at internal and external audiences with an interest in the effectiveness of the service provider’s controls. For example, SOC reports have different numerical designations indicating both the scope of the underlying audit and the intended use of the report, where SOC 2 reports are intended for internal use by service providers and SOC 3 reports are available to external audiences, including prospective users of the providers’ services. The information in SOC 3 reports may be reviewed by an organization prior to using an external provider and by the user organization’s auditor as part of examining the full set of controls applicable to the user organization.

Information systems controls

IT-specific Audits 101

FIGURE 5.3 [Flow diagram with lanes for User organization, Service provider, Provider auditor, and User auditor; labelled steps include Determine outsourcing need, Identify service provider, Select service provider, Implement, Audit provider controls, Produce SOC 2 report, Publish SOC 3 report, Review SOC 3 report, Audit user controls, Produce audit report, and Review audit report.] External providers of hosting or other outsourced IT services are subject to specialized IT control audits and reports used by both service providers and service consumers.

Organizations focus significant IT audit attention on information systems and the different types of controls implemented to help ensure the efficient, effective, and secure operation of their systems. System-level audits are commonly performed as part of internal auditing, often in support of IT governance, risk management, or information security programs. The opposite is true in commercial organizations in some industries and public sector organizations such as government agencies, which are subject to external system audits by government oversight agencies. For instance, external IT audit guidance from the FFIEC applies to banks and other financial institutions under the supervisory authority of regulators such as the Federal Deposit Insurance Corporation (FDIC) or the Consumer Financial Protection Bureau (CFPB). Many organizations in industries not otherwise addressed by regulations on audits may nonetheless face audits related to investigations by the U.S. Federal Trade Commission or European Commission. Government agencies are subject to laws and regulations that do not apply to non-government entities, including many that mandate IT management practices, information security provisions, and privacy protections. Maintaining compliance with these requirements drives substantial internal IT auditing activity in government agencies, in addition to external audits performed by authorized oversight bodies, such as the U.S. GAO. Public sector audits of information systems in the United States and many other countries follow specific procedures and methodologies such as those specified in the Federal Information System Controls Audit Manual (FISCAM) [33] and the Information System Security Review Methodology published by the International Organization of Supreme Audit Institutions [34].
