Date post: 22-Apr-2019
Upload: doanh
Chapter 6

Third Party Service Provider

Session objectives

To review the use of third party service providers and the impact on the external financial auditor.

To identify controls that the auditor could reasonably expect to see in place when a client receives IT services from third party suppliers

Third party services

What are the benefits?

Why use third party services?

Cost

Cashflow

Staffing

Scheduling

Benefits

Specialists

Experience and expertise

Faster system implementation

Accountability

Different client / different approach

Clients who use third party IT services

OR

Clients who are themselves third party service suppliers

Internal Audit Access Rights

Understand the systems of internal control

Impractical for auditors to audit a service supplier

Direct access may be required

Cause for concern (I)

Processing errors

System security assurances as to system integrity, availability and confidentiality

Dependence on the service provider

Cause for concern

Processing errors

System security assurances as to system integrity, availability and confidentiality

Dependence on the service provider

Cause for concern (III)

Loss of in-house expertise

> Specialist staff unavailable

> Disadvantaged in negotiations

> Reliance on consultants or supplier

Staff resistance

> Change in job

> Change in conditions

> Staff morale

> Disgruntled staff

Contracts

Contracts are important

They may need to be reviewed by specialists, e.g. lawyer

Contracts can be complex and incorporate many clauses

Contract clauses

Examples of contract clauses are:-

Duration of contract

Termination rights

Audit access

Limitation of liability

Indemnities

Intellectual property rights

Contract clauses

Ownership of data

Handover arrangements

Security standard

Service levels

Charges, control in touching

Change control

Modular acceptance test

Final Acceptance Test

Contract Monitoring

Auditor should check if:

Implementation is as per contract

Monitoring by client over SP's performance exists

Regular report ‘s UBQ to client

Regular meetings between service provider and client to discuss services

Proper procedure to settle disputes

Example LoI and Criteria

LoI

> Konk9k

Criteria

> Is the appointed contractor the main contractor?

> Are there other subcontractors involved?

> Is the scope of work clearly stated?

Service Level Agreement

SLA should either exist:

Within the contract, or

By itself

Formal agreement between 2 parties

A contract that exists between customers & service providers or between service providers

Service Level Agreement

SLA should record:-

General provision

Description of services (common understanding about services)

Working hours

Service availability

User support

Performance

Contingency

Security

Restriction

SLA should record:-

Priorities

Responsibility

Guarantees (also called service level guarantee)

Maximum downtime accepted

Maximum uptime to

Default in services level be locatted

Rebate from contract

Service Level Agreement

In short, an SLA should cover these 4 aspects:-

Switch availability

Service desk availability

Network performance

Incident management

SLA

Switch Availability concerns the switch uptime of all switches

The time all switches are functional and available for use per quarter = 99.5%

Service Desk Availability concerns the availability of the Service Desk to attend all calls received.

Answer after max 5 rings: 98%

Network Performance concerns the time taken for a roundtrip test and packet success rate

Roundtrip time measured < or = 50 m

Packet success % measured every 30 mins: 85%

SLA

Incident management resolves an incident to restore normal services

Incident resolution time is set by priority of the problem

There should per incident differs for both application software and network

SLG should be spelled clearly and attached to SLA for rebates or penalty claim against downtime of all 4 aspects

THAT IS ALL, THANK YOU

