Course Information
Auditing the IT Outsourced Environment
Parking for SAO, Professional Development courses is in Garage B (1511 San Jacinto Blvd.). The Garage signage may read 1511 San Jacinto or Garage B. The elevator in Garage B is not reliable. If you are unable to walk the stairs, please contact the professionaldevelopment@sao.texas.gov for alternate parking arrangements. Handicapped parking is free at the meters around the downtown area.
A course coordinator will Email you a parking permit prior to the course start date. A permit must be displayed or you will be ticketed.
Course Description
Most organizations have adopted some form of outsourcing. Whether it includes outsourcing IT operations, application maintenance, systems development, applications services, information security, or networking, they all constitute outsourcing. The advent of the “cloud” has added another dimension to outsourcing.
The process and results are fraught with risks, but also have rewards. As an auditor, it is essential to understand how outsourcing affects the controls environment and the audit universe and how to apply it.
Course Objectives
Upon completion of this course, participants will be able to:
• Understand the benefits and risks of outsourcing
• Identify the specific risks and controls for the various outsourced environments
• Describe how to use a Third-Party Report as an audit tools
• Identify common issues that have arisen in both the process of outsourcing and how to audit the outsourced business processes
Course Outline
Defining Outsourcing
• Outsourcing concepts/terms
• Outsource scope - Applications
- Infrastructure
- Development
• Cloud Computing
• Comparing Company and Vendor Motivation of Outsourcing
General Risks
• Company risks - Strategic
- Financial
- Operational
- Organizational
• Vendor risks
• Additional risks with Cloud Computing
Organizational Changes Required to Manage Outsourcing
• Issue Management
• Delivery Management
• Relationship Management
Contracts
• Considerations in the New Contract - Intellectual Property
- Auditability
- SLAs
• Managing Audits with In-Force Contracts
• Regulatory Compliance
• Governance
Auditing the Outsourced Environment
• The effect on the audit universe
• Planning
• Scoping the audit to satisfy audit requirements
• Understanding the your limits in auditing the vendor
• Overcoming compliance issues
• Using Third-Party Reports - Understanding the Benefits and Limitations of the Third-Party Reports
- SSAE16
- SOC 1/2/3
• Performing the audit - Gap analysis
- Internal gap remediation
- Vendor gap reporting and remediation
- Auditing contract and service level compliance
- Solving vendor/company differences
- Auditing contract and service level compliance
• Relationship management
Instructors
Norm Kelson is a 30 year veteran with extensive experience in IT assurance and governance as a consultant with a Big 4 firm and an internal audit boutique, internal auditor executive, and industry advocate. He has been responsible for building and disseminating best practices to internal audit and governance stakeholders.
Previously, he was Director of IT Audit for the Dutch retailer Ahold, and was responsible for IT Audit services for the Stop & Shop, Giant (Maryland and Pennsylvania), Tops, and Peapod grocery chains. He was a key member of the internal audit professional practices and standards and the global information security committees.
Norm was Vice President of Internal Audit Services and National IT Audit Practice Director for CBIZ Harborview Partners, where he was responsible for establishing an Internal Audit/Corporate Governance practice. He was Managing Director of IT Audit and Technical Seminars for MIS Training Institute. During his 12 year tenure he was responsible for creation, and all curriculum development, of its global IT Audit training portfolio focusing on best practices in risk-based auditing.
He had managed KPMG's New England Region IT Auditing practice, and held positions in IT Audit management with Fannie Mae, CIGNA, and Loews Corporation. He began his career as a financial auditor with Laventhol and Horwath.
As a member of both the Institute of Internal Auditors (IIA) and the Information Systems Audit and Control Association (ISACA), Norm is a frequent speaker and subject matter expert at their conferences. He is a former Executive Vice President of the New England ISACA Chapter, and recipient of the John Beveridge Achievement Award, conferred by the New England Chapter of ISACA to an individual "who has, over and beyond the norm, contributed his or her efforts to their Profession and ISACA."
Norm graduated Boston University with a Bachelor of Science in Business Administration and received an MBA from the Wharton School at the University of Pennsylvania. He is a CPA, CISA (Certified Information Systems Auditor), and CGEIT (Certified in the Governance of Enterprise Information Technology).
Additional Information
If you are making travel plans to come to Austin, we recommend making "refundable" air and hotel reservations or waiting until 14 days before the class to actually book your reservations. Courses are occasionally canceled or rescheduled due to low enrollment. We determine whether a course has enough participants 16 days prior to the course date. If we cancel or reschedule, we will email the participant and his or her billing contact no later than 14 days before the original class date.
The course coordinator will contact you with parking information. Handicapped parking is free at the meters around the downtown area.
Vending machines with Coca-Cola products and various snack items are available. There is also a refrigerator and microwave in our coffee bar area. Feel free to bring in your own drinks and food if you prefer.
You might want to bring a light sweater or jacket, as room temperatures vary.
To see answers to our Frequently Asked Questions, visit http://www.sao.texas.gov/training/faq.html.