Information Technology Reference
In-Depth Information
which have been accomplished. The IS auditor should keep in mind that the documentation
being collected should be reviewed so that appropriate conclusions and recommendations
can be made.
e) Does the enterprise have service-level agreements (SLA) with vendors who
implemented the application systems?
Service-level agreements are contracts between an enterprise which has purchased or
implemented an application system and a vendor who supplied the software. The SLA tries to
ensure that the vendor provides services according to agreed parameters and standards. If
the vendor does not adhere to the provisions of the agreement, the vendor suffers penalties
as outlined in the agreement.
It is likely that IT management would say yes, they do have SLAs with all or some of the
vendors. In the event that there are no SLAs, the IS auditor would recommend that
management consider putting SLAs in place to support the application systems. The IS auditor
should seek further information on whether the SLAs have been implemented and are being
observed in terms of performance. The SLA documents should also be duly signed by both
parties.
The IS auditor may interview management in both the client and vendor organisations in
order to find out how the SLAs are performing. The IS auditor may also review the SLA
agreements in order to find out if the agreement protects the enterprise.
The IS auditor would collect SLA agreements, performance reports, and notes from
interviews with management. These documents should be reviewed by the IS auditor in order to
extract information which can be used to make conclusions and recommendations to
management.
f) Do you have change management and security policies to support application
systems in use?
Change management policies and procedures ensure that all changes are tested, approved,
and documented before being deployed into production. Change management helps reduce
risks which might result from making changes such as upgrades, applying patches, and
fine-tuning systems.
Information security policies are implemented in order to secure data and information
resources from accidental or deliberate damage by hackers or internal users. Security
involves various other procedures such as access controls, protection of information assets,
disaster recovery, and network security.
Enterprises should have change management and security policies in order to guide how
changes and information security are implemented. IS auditors can request policy and
procedure documents, and various operational reports which can be reviewed in order to as-