Posted by: SAS70ExPERT
Auditing, CIO, Compliance, SAS 70, Security, Third-party services
What’s your plan as a new CIO to make IT operations a success? Consider Jack Ben, newly appointed CIO. In his new role he assumes responsibility for the management and performance of the financial statement application and has to complete a SAS 70 audit in six months. This application has been in use for over 7 years, and much of the customization, reporting, and user access management is performed by a third-party vendor. What roadblocks stand between you and your strategic objectives (and your bonus plan)?
Consider the following:
1) If your vendor performs the customization, then the specialized knowledge needed to maintain new software upgrades, enhancements and reports remains with the vendor. That dependency can undermine your authority as CIO, unless you require the vendor to supply you with instruction manuals, executive-level briefings and/or detailed on-line help features, and to keep them current with each release.
2) In addition, is the software source code in escrow? Your vendor contract should require the vendor to maintain the source code in a safe and secure lockbox with an independent escrow agent, and should spell out the release conditions (for example, vendor bankruptcy or failure to maintain the software) and require that the deposit be refreshed and verified with each release, so that what is escrowed actually matches what you run. Even if your vendor doesn’t survive the economy, your source code will! In addition, you could hire your vendor’s coders to work for you.
In a SAS 70 audit, if the application that runs your operations is managed by an outsourced vendor, the auditor will ask whether the vendor has had its own SAS 70 audit performed; without a vendor report to rely on, the controls the vendor operates on your behalf cannot simply be assumed to be in place. In addition, the auditor will expect to see controls demonstrating that you, not the vendor, retain control of the application. What steps have you put in place to manage your outsourced systems? Do you have a comprehensive SLA? Do you have a project leader who monitors your outsourced vendor and your application?