Audit Considerations of Data Center Consolidation
Jon Ingram, Audit Manager, Information Technology Audits, Florida Auditor General
Florida's Data Center Consolidation
Agency IT systems are being transferred to three primary data centers (PDCs) "as is."
Custodial responsibility for IT equipment transitions to the PDCs.
Standardization of IT services and infrastructure is to occur later.
Agencies can use more than one PDC, and some do.
Agencies keep most application support functions.
PDCs and their customers are required by law to negotiate service level agreements.
Audit impact: the auditor needs a clear understanding of the division of PDC and customer responsibilities.

Primary Data Center Audits
Some IT controls that are now the responsibility of the PDC are relevant to multiple customers.
Efficiencies have been gained by auditing the PDCs directly rather than only as part of audits of customer systems.
Audits of the PDCs are to be done on a periodic cycle.

Considerations for Audits of Customer Systems
Determine which PDC(s) the customer is using.
Understand the division of responsibilities between the PDC and the customer for the controls relevant to your audit objectives.
Determine whether the PDC has been recently audited and whether the controls tested in the PDC audit are relevant to your audit objectives for the customer system.
Determine whether a service level agreement exists between the auditee and the PDC.

Service Level Agreements (SLAs)
Florida law requires the PDCs and their customers to execute SLAs.
The SLA governs the relationship between the PDC and the customer.
The SLA should define the roles, responsibilities, and expectations of both parties.
The SLA should define the IT services to be provided by the PDC.
The SLA is a responsibility of both parties, the PDC and the customer.

Service Level Agreements (SLAs): Audit Considerations
The SLA is a good source of information on the services to be provided by the PDC and the responsibilities of the customer.
Lack of an SLA is a potential compliance issue for both parties and could be relevant in audits of either party.
Without an SLA, it is more difficult for the auditor to determine what IT services and other expectations have been agreed upon by both parties.
A missing or poorly written SLA increases the risk that significant responsibilities are not met.

Information Security: Both PDC and Customer Are Responsible
The data custodian (the PDC) is now organizationally separate from the data owner (the customer).
The customer relies on the PDC for certain aspects of information security.
The customer retains responsibility for other aspects of information security.

Information Security: Audit Considerations
Have the customer's security requirements and expectations been clearly communicated and agreed upon in writing?
Likewise, have the PDC's security requirements and expectations been communicated and agreed upon in writing?
Do the customer's and the PDC's security risk assessments and security plans appropriately address the division of responsibilities?

Logical Access Controls
The PDC may act as access administrator for the customer, for example for mainframe-level access privileges or rules in security packages such as RACF or ACF2.

Logical Access Controls: Audit Considerations
Does an appropriate process exist for notifying the PDC of changes in access requirements, especially terminations?
Does the PDC provide the customer appropriate reports for its reviews of access?
From whom should the auditor request records of access privileges, the customer or the PDC?
What is the possible impact on separation of duties and on the appropriateness of access?

Physical Access Controls at the PDC
During the transition, some customers still own, and retain responsibility for operating and maintaining, their IT equipment.
Customer employees are therefore granted access to PDC facilities.

Physical Access Controls: Audit Considerations
Is there a process for the customer to authorize who can access its IT equipment housed at the PDC?
Does the customer review the physical access listing on a regular basis?
Does an appropriate process exist for removing the physical access of former or reassigned customer employees?
Is access to the IT equipment of other customers appropriately restricted?
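The logical and physical access questions above (terminations not reaching the PDC, access reviews, separation of duties, badge holders the customer never authorized) are the kind of thing an auditor tests by reconciling the PDC's listings against the customer's own records. The script below is an added example, not material from the presentation or from the Florida Auditor General; the record layouts, user IDs, group names, dates and the separation-of-duties rule are all constructed for illustration. A real test would use the PDC's RACF or ACF2 user listing and badge-system export and the customer's HR and authorization records in whatever form they are supplied.

```python
"""Reconciling PDC access listings against customer authorizations (audit test).

Added example, not part of the original presentation. The record layouts,
names and dates below are constructed for illustration; a real test would
use the PDC's RACF/ACF2 user listing or badge-system export and the
customer's HR and authorization records in whatever form they are supplied.
"""
import csv
from datetime import date
from io import StringIO

# Constructed customer HR roster (the data owner's side of the reconciliation).
HR_ROSTER = """\
user_id,name,status,termination_date
ASMITH,Alice Smith,active,
BJONES,Bob Jones,terminated,2014-03-15
CLEE,Carol Lee,active,
DPATEL,Dan Patel,terminated,2014-05-01
"""

# Constructed extract of the logical access listing the PDC administers
# (a RACF/ACF2 listing reduced to the fields an auditor needs).
LOGICAL_ACCESS = """\
user_id,group,last_logon,revoked
ASMITH,PAYROLL_UPDATE,2014-06-02,N
BJONES,PAYROLL_UPDATE,2014-04-20,N
CLEE,PAYROLL_UPDATE,2014-06-01,N
CLEE,PAYROLL_APPROVE,2014-06-01,N
DPATEL,SYSADM,2014-04-28,Y
EWONG,PAYROLL_READ,2014-05-30,N
"""

# Constructed badge-system export covering the cages at the PDC.
PHYSICAL_ACCESS = """\
badge_holder,area
ASMITH,CUSTOMER_A_CAGE
BJONES,CUSTOMER_A_CAGE
FKIM,CUSTOMER_A_CAGE
GRAY,CUSTOMER_B_CAGE
"""

# Constructed: who the customer has authorized for its own cage, and which
# group pairs the customer treats as a separation-of-duties conflict.
PHYSICAL_AUTHORIZED = {"ASMITH", "CLEE"}
SOD_CONFLICTS = [("PAYROLL_UPDATE", "PAYROLL_APPROVE")]


def parse(text):
    """Read a CSV-style extract into a list of dicts keyed by header name."""
    return list(csv.DictReader(StringIO(text)))


def terminated_with_access(roster_text, access_text):
    """Terminated users whose access was not revoked, or who logged on after leaving.

    This tests whether the customer's termination notifications reach the PDC.
    """
    roster = {r["user_id"]: r for r in parse(roster_text)}
    findings = []
    for rec in parse(access_text):
        hr = roster.get(rec["user_id"])
        if hr is None or hr["status"] != "terminated":
            continue
        left = date.fromisoformat(hr["termination_date"])
        if rec["revoked"] != "Y":
            findings.append((rec["user_id"], rec["group"], "not revoked after termination"))
        if date.fromisoformat(rec["last_logon"]) > left:
            findings.append((rec["user_id"], rec["group"], "logon after termination date"))
    return findings


def unknown_to_customer(roster_text, access_text):
    """IDs on the PDC listing with no HR record: the customer must explain who owns them."""
    known = {r["user_id"] for r in parse(roster_text)}
    return sorted({rec["user_id"] for rec in parse(access_text)} - known)


def sod_violations(access_text, conflicts):
    """Users holding both halves of a conflicting group pair (unrevoked access only)."""
    held = {}
    for rec in parse(access_text):
        if rec["revoked"] == "N":
            held.setdefault(rec["user_id"], set()).add(rec["group"])
    return [(uid, a, b) for uid, groups in sorted(held.items())
            for a, b in conflicts if a in groups and b in groups]


def unauthorized_badge_holders(badge_text, authorized, area):
    """Badge holders for the customer's area who are not on its authorization list."""
    holders = {r["badge_holder"] for r in parse(badge_text) if r["area"] == area}
    return sorted(holders - authorized)


if __name__ == "__main__":
    for finding in terminated_with_access(HR_ROSTER, LOGICAL_ACCESS):
        print("LOGICAL:", *finding)
    print("UNKNOWN IDS:", unknown_to_customer(HR_ROSTER, LOGICAL_ACCESS))
    print("SOD:", sod_violations(LOGICAL_ACCESS, SOD_CONFLICTS))
    print("PHYSICAL:", unauthorized_badge_holders(PHYSICAL_ACCESS, PHYSICAL_AUTHORIZED, "CUSTOMER_A_CAGE"))
```

Each finding maps back to a question on the slides: a terminated user still holding unrevoked access (or logging on after the termination date) points at the termination-notification process between customer and PDC; an ID the customer cannot account for shows why the auditor must decide whether to request the access records from the PDC rather than the customer; the separation-of-duties check uses a rule the customer, as data owner, must supply; and the badge reconciliation tests whether the customer's authorization list actually governs who the PDC lets into its cage.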

Network Controls
Network responsibilities are divided between the PDC and the customer; each is responsible for its own network infrastructure.
The division of responsibilities may differ depending on the nature of the application infrastructure and the services the PDC provides to the customer you are auditing.
Audit consideration: where is the point of demarcation?

Change Controls
Application change control stays with the customers.
Audit consideration: what is the division of responsibilities between the customer and the PDC for non-application change management, for example IT infrastructure configuration management?

Disaster Recovery: Audit Considerations
Has the customer ensured that the SLA sufficiently addresses the disaster recovery services to be provided by the PDC?
If those services are not explicitly defined in the SLA, is the customer in a position to rely on the PDC for the backup and recovery services it needs?

Cost Allocation and Billing: Audit Considerations
Is there an agreed-upon methodology?
Is it consistent, equitable, and documented?
Does it adequately cover the PDC's near-term costs?
How are long-term PDC capital requirements addressed?
Does it accommodate the external cost reporting requirements of customers (e.g., Federal cost allocation requirements)?

Future Audit Considerations
Revisit audit procedures as the full service transfer is completed.
Consider the impact on customers of the PDCs' movement toward standardized services and infrastructure.
Consider capacity planning at the PDCs: floor space, power, and environmental controls (e.g., cooling).

Questions?