Service org deliveries monitored for performance - no SLAs 1100



  • Have you had to test any controls related to ‘Service organization deliveries monitored for performance’?
    If you did, what kind of evidence or proof did you provide? was there an SLA and what metrics were gathered and reported?
    We don’t have SLAs but the external auditor wants us to test controls around it. We need to find proof or evidence of:

    • Service levels exist in the contracts for the ‘key’ vendors.
      -Service levels are monitored on a regular basis (i.e. by event,monthly, quarterly, and annually) by a standard IT process.
      -Service level measurements for ‘key’ vendors are included in the IT metrics dashboard or some other method of documentation.
    • Regular follow-up actions are taken with ‘key’ vendors who do not meet their contractual service level agreements.
      We have contracts with key vendors but they are support contracts with no SLA. There are no measurements and no evidence. It is pretty informal how vendors are managed, which is a long way from best practice. I’d welcome any suggestions on alternatives since we have to give a shot rather than just failing out of the gate.


  • What types of services are being performed by your vendors? We use vendors to handle desktop and workstation issues but do not have any coverage of this in our SOX work. If you can help us to understand how the vendors performance impacts your systems, then maybe we can provide some guidance as to what controls to look for or establish.



  • I appreciate your willingness to help.
    The types of vendors we consider key provide standard maintenance and support for infrastructure (hardware/severs, network devices) and software (operating systems, compilers, ERP, etc.) only. Nothing is outsourced and most of the applications are custom developed. There are 3 technology platforms Microsoft, Unix, and mainframe.
    We have not yet been able to tie a vendor’s performance directly to the systems for SOX. The hardware and software environment have been stable. The vendors are rarely contacted. Usually if it is time to renew a contract or to puchase more then the vendor is contacted.



  • First identify the controls that should be in place around your systems (assume that you use in-house staff to execute these controls). Now, identify which of these controls are being outsourced. You are responsible for having adequate controls whether or not the work is outsourced. I doubt that there is much that will fall within SOX scope unless your vendor manages job scheduling, security admin or physical and environmental controls (if your hardware is offsite).
    I will look to see if I can find our IT controls list for more examples (I am not our SOX IT expert, but have some vision into what they do here).



  • Thanks for the feedback.
    We have already tested 50 other IT general controls around physical security, environmental controls, logical access controls, user access to data, change management, etc…
    Nothing is outsourced. Data centers and all operations are manged by IT.
    The contracts with vendors are for ongoing hardware or software support and maintenance. That is what is making this so challenging.



  • It sounds like you have things well under control. I will check with my IT folks here, but this sounds like our scenario as well. To the best of my knowledge, the vendor support of hardware and related SLAs are not within our SOX scope.


Log in to reply