System Development controls when Development is outsourced

  • Hi all,
    We are trying to write a process flow and Risk Control Matrix for IT Development Process controls as part of SOX. In the case of our organization, most of the Software Development Lifecycle is outsourced to our preferred third parties/vendors. We in the IT department are limited in our role to the initial phase of requirement analysis, overall IT relationship/impact assessment and, during implementation, supervising the delivery.
    How do we go about this? Should we ask the preferred vendor to do it for us (through SAS 70?)? If we don't have the process and we don't even have our own SDLC, how do we go about this (we don't have our own SDLC because our vendors use their own SDLC for development)? I am confused. Does anybody have any suggestions?

  • Although the vendor doing the development for you has their own SDLC, they should be able to share it with you. Most SDLC methodologies have built-in reviews of deliverables, acceptance criteria, and go/no-go decisions that allow progression to the next phase. Your IT staff is probably involved in the reviews of key deliverables in each phase and in the decisions to proceed to the next phase. Each of these reviews/signoffs and decisions (defined in the SDLC) is a potential control and is probably documented. The vendor probably requires signoff at each phase and on key deliverables.
    I have seen the 'acceptance' (signoff) of deliverables tied to payment for services in the contract with the service provider. Each major phase and deliverable is spelled out and tied to a specific payment amount for a fixed-price contract.
    If you are not finding any of this with your current vendor, then I would be concerned, because they are not giving you the opportunity to review, provide feedback on, and sign off on key deliverables. You have outsourced the work but not the responsibility, so there should be some checkpoints along the way.

  • Thanks Ugogirl,
    That was a really helpful reply, and I was thinking along similar lines. Though we don't have phases and their respective deliverables tied to payment as such, it's a nice idea to have.
    We do review the deliverables on an informal basis, and vendors have shared their SDLC too, but I see we really don't have much in the way of controls there.
    Thanks again for the reply.

  • "We do review the deliverables on an informal basis, and vendors have shared their SDLC too, but I see we really don't have much in the way of controls there."
    It sounds like it may be possible to formalize your review of deliverables and have a management signoff as part of your controls. This is a change to what you are currently doing.
    If the deliverables produced by your vendor do not meet your requirements or quality criteria, then there is no signoff until the issues you have identified are fixed or resolved in some way. This review could be iterative.
    When the review of the deliverables confirms that your requirements and quality criteria have been met, then IT management and/or business management would 'sign off' on the deliverables. Then you file the 'signoff' in the project binder or a repository, which can be used later as evidence that this control is operating effectively.
