M6-T3 Essay Questions


Please answer the following:

1. List the seven basic steps of a software acquisition process.

The system acquisition process should include the identification and analysis of alternative solutions that
are each compared with the established business requirements. In general, the acquisition process
consists of the following:

• Defining system requirements

• Identifying alternatives

• Performing a feasibility analysis

• Conducting a risk analysis

• Carrying out the selection process

• Procuring selected software

• Completing final acceptance

2. Describe the supplier selection process. What are the basic components of an RFP?

An RFP is a document that specifies the minimally acceptable requirements (functional, technical, and
contractual), as well as the evaluation criteria used in the selection process. An RFP offers flexibility to
respondents to further define or explore the requested requirements. RFPs may lead to a purchase or
continued negotiation. Potential suppliers are supplied with copies of the RFP and are requested to
submit proposals by a specified date. After a supplier has submitted a proposal, the response cannot be
changed. The RFP should be communicated to as many prospective bidders as possible. It should contain
the selection criteria that will be used. The criteria should be written in enough detail that they prevent
any misunderstanding or misinterpretation. Any specific criterion that will influence the selection must
appear in the RFP. The RFP should also describe the members of the selection committee. All questions
from bidders should be answered in writing and made available to all bidders. Verbal answers to
questions should be avoided. All questions should be received with enough time before the deadline so
that answers can be incorporated in the proposal. Public meetings such as “bidder conferences” are
used as a means to receive and respond to questions from all prospective bidders. The basic
components of an RFP are:

• Background information about the company, business problem, and the computing environment. It
may also include results of any needs assessment performed.

• Schedule of important dates, such as when the supplier’s RFP response is due, when the decision is
expected, when the actual purchase is expected, and when implementation is expected.

• Contact names and sources for answering questions for the RFP.

• Instructions for formatting the response to the RFP. Some RFPs include an explicit description of what
the supplier should and should not include in their response.

• Specific requirements being sought.

• Technical requirements for the system, such as specifications for an operating system or a network
environment.

• List of documents required as attachments, such as sample reports and standard contract language.

• Additional requirements for the selection process, such as supplier presentations, supplier
demonstrations, or on-site installation and testing.

3. Explain what a service-level agreement is. Briefly describe the common types of service-level
agreements.

An SLA is a formal agreement between a customer requiring services and the organization that is
responsible for providing those services. Below are basic defined terms related to SLAs.

• Service. A set of deliverables that passes between a service provider and a service consumer.

• Level. The measurement of services promised, services delivered, and the delta between the
two.

• Agreement. Contract between two entities—the one providing the service and the recipient.

SLAs should include a definition of the services, the expected quality level, how service will be
measured, the planned capacity, the cost of the service, the roles and responsibilities of the parties, and
a recourse process for nonperformance. For an internal service agreement, performance can be tied to
compensation (e.g., bonuses, etc.). External agreements may involve payment of a penalty or
compensation for poor performance. It is important to engage the customer in the service-level
definition process to help gain agreement and buy-in. Organization management will make trade-offs
between service quality and cost. These decisions must be communicated across the organization to set
expectations at all levels. Otherwise, customer satisfaction results may reflect unreasonable
expectations versus agreed IT service levels. SLAs can be made between IT and its customers, operations
and application groups, and between suppliers and IT. A customer service-level agreement (CSLA)
encompasses all of the subservices being provided both internally and externally to deliver the services
needed by the customer as defined earlier. An operating-level agreement (OLA) between operations and
application groups defines the underlying operating services required to deliver projects and
applications to the customer under the CSLA. Supplier SLAs define the services required by operations,
applications, or end users to deliver in accordance with the CSLA.

4. There are many tools available to assist organizations in implementing service management
processes. Tools are needed to capture performance, usage metrics from the various platforms, and to
consolidate and report on all of this information. Describe common examples of service management
tools.

There are many tools available to assist organizations in implementing service management processes.
Tools are needed to capture performance, usage metrics from the various platforms, and to consolidate
and report on all of this information. Automation is required to deliver an efficient measurement and
reporting process. Many of the performance management tools used by systems programmers,
operations, and network administrators can also be used to measure service delivery. Common
examples of service management tools include: Customer Satisfaction Surveys and Benchmarking.

A customer satisfaction survey is a good example of an important tool used to measure the quality of
the services provided by IT. There may be multiple customer satisfaction surveys for different services.
Senior management may be asked questions on the value of IT, and end users may be asked questions
on satisfaction with the service desk and application availability. Senior management satisfaction should
be measured separately as there will be different objectives and questions. Senior management will be
more focused on the value delivered by IT. This may include project delivery, IT's understanding of
business needs, application delivery and support, cost effectiveness, service quality, and overall
satisfaction. Customer satisfaction surveys may include the time to provision requests, time for the
service desk to answer a call, satisfaction with issue resolution, and system response time. Using
customer satisfaction surveys to measure system response time in addition to using technical measures
helps to determine if there is an expectation gap. This information can then be used in discussions with
the organization management to either increase the expected service level or improve communication
to the user population. Along with reporting survey results, a follow-up process is needed to respond to
issues raised in the survey. This is an important communication tool and can also help boost customer
satisfaction. Customer satisfaction is partly a result of expectations and just active listening can boost
results. That is another reason why customer satisfaction may have more to do with communication and
the IT/organization relationship than with actual service issues.

Benchmarking services attempt to align costs and services by using standard definitions of service and
cost elements. This makes benchmarking a time-consuming and costly task as financial information and
service structures must be restated to align to the benchmark. Even with the restatement of services
and costs, benchmarking will have limited value as there may be valid reasons for cost difference from
the benchmark. For example, an organization may have lower automation and a higher unit cost offset
by efficient manual operations. The opposite could be true, high automation with low unit cost
combined with inefficient manual operations. The bottom line is no one data point can provide
conclusive information on the efficiency or effectiveness of IT services. Another issue that reduces the
value of benchmarking information is that the results will not be the same services that user
organizations are familiar with. This makes it difficult to confirm and communicate that the unit cost
charged to individual user functions compares favorably to the benchmark. The advantage of using
external benchmark information is the independent source of comparison data. The information
provided to the benchmark provider must be auditable to ensure the credibility of the results. Having
internal audit validate the submission may also be a good way to validate the results. Benchmarking can
be a useful tool in evaluating the design, quality, and cost of IT services. However, because of
limitations, benchmarking should be considered as an input into evaluating the underlying cost of IT
services rather than the end result. Exhibit 13.4 shows the cyclical nature of the service management
process just discussed.

5. Distinguish between outsourcing and off-shoring.

Outsourcing can provide increased flexibility by leveraging the resources of a third party to ramp-up or
ramp-down resources for a variable workload. In some organizations, it is very difficult to reduce the
labor force due to legislation or union agreements. Outsourcing allows an organization to transfer this
responsibility to a third party. A global supplier can transfer resources to other engagements eliminating
the need for labor force reductions and providing individuals with better career opportunities. Off-shoring
can increase productivity if sequential work or services can be provided 24 × 7 with resources in
different time zones. Help desk support is a good example of a service that can be outsourced to a third
party in multiple time zones to provide customers with around-the-clock service. Outsourcing to a
mature service provider can enable an organization to leverage the technology and processes of the
third party. For example, a large desktop support supplier will already have mature processes and
technology for deployment, support, security, and refresh that can be implemented in the target
organization.

6. Name and summarize control areas that the IT auditor should include in his or her review when
examining a software acquisition.

The control areas that the IT auditor should include in his or her review when examining a software
acquisition are:

• Alignment with the company’s business and IT strategy. The business requirements associated
with the solution being sought should link to goals and objectives identified in the company’s
business and IT strategy.

• Definition of the information requirements. System and information requirements should be
evaluated to determine if they are current and complete.

• Feasibility studies. These should be reviewed to ensure that the selected solution not only meets the
requirements but also is compared and contrasted with the feasibility of the other solutions.

• Identification of functionality, operational, and acceptance requirements. This should include the
internal functionality of the system with consideration for operational and acceptance
requirements.

• Conformity with existing information and system architectures. This control area is directly
correlated with the evaluation of technical feasibility and the business’s information elements.

• Adherence to security and control requirements. A complete understanding of the company’s
security and control requirements is needed to ensure that the selected solution is appropriate.

• Knowledge of available solutions. Often, system development and acquisition efforts become
more focused on a specific solution due to the knowledge or experience of the participants.

• Understanding of the related acquisition and implementation methodologies. Acquisition
methods of an organization can be very specific or general based on a variety of factors like
government regulations.

• Involvement and buy-in from the user. User involvement and buy-in is critical. Without user
involvement, requirements will be missed and users will not support new systems. There is an
increased awareness of the criticality of user support and buy-in.

• Supplier requirements and viability. The acquisition process should ensure that the selected
supplier meets the supplier requirements of the organization as outlined in the proposal.

7. As stated in the e-textbook that you've read, outsourcing refers to the transfer of service delivery to
a third party, allowing companies to concentrate on core competencies. As the IT Audit Manager, your
client asks for advice on outsourcing, specifically whether they should outsource their main financial
accounting system. You are well aware of both benefits and risks of outsourcing. Would you advise
your client to go ahead and outsource their main financial accounting system? Yes? No? Explain your
position.

The term "outsourcing" refers to the transfer of a service delivery to a third party, which has its own set
of benefits and drawbacks, particularly in terms of risk. As an IT Audit Manager, I would urge my client
to outsource their financial accounting system so that they may maintain a continuous flow of business
without worrying about accounting issues. Outsourcing their major financial accounting system will
ensure that information is delivered on a timely basis and that data is shared without hesitation. As a
result, the firm will be able to benefit efficiently and effectively from outsourcing, as the third party will
be able to assist them with advantageous technologies and keep them up to date in the financial
accounting system. The standard of the client's needs will be met as a result of the business/IT
alignment, resulting in a smooth flow of company activities.

8. Using an Internet web browser, search for AICPA’s Statement on Standards for Attestation
Engagements (SSAE) No. 18, and perform the following:

a. Explain the relevance of SSAE 18 and what does it report on.

SSAE 18 stands for Statement on Standards for Attestation Engagements No. 18. It is important because
it puts more emphasis on how organizations evaluate and report on their third-party contractors. In
general, it requires businesses to
apply the same risk assessment standards to all vendors with whom they do business, both directly and
indirectly. When an organization hires a vendor to deliver a service, that vendor may subcontract
portions of that service to another vendor. SSAE 18 specifies how organizations report on their various
compliance measures and is overseen by the American Institute of Certified Public Accountants (AICPA).
The information needed to effectively analyze the risks associated with outsourced suppliers is usually
provided in the form of a Service Organization Control (SOC) report. These reports serve as attestations
of compliance while evaluating data center certifications.

b. Identify advantages of SSAE 18 to auditors.

The Statement on Standards for Attestation Engagements 18 (SSAE 18) is a standard that auditors can
use to review the controls of technology vendors and other service providers so that businesses that use
those vendors can be confident that the vendors' controls—particularly those related to cybersecurity—
will not pose a risk to their own business. The System and Organization Controls (SOC) reports that
vendors generate, usually to persuade prospective customers that the vendor's data security controls
and third-party governance are effective, are based on these SSAE 18 requirements. As a result, the
auditors are in a wonderful position to offer some ideas and recommendations to help enhance and
guarantee that everything runs smoothly.

c. Contrast SSAE 18 (as appropriate) with SSAE 16.

SSAE 18 replaces SSAE 10 through 17 and requires service auditors to improve their risk assessment
methods around the reported subject matter by clarifying and bringing together many of the previous
auditing standards. SSAE 16 was limited to SOC 1 reports, which deal with the controls at a
service organization that affect the financial reporting of the service organization's customers. SSAE 18,
on the other hand, refers to a wide range of attestation reports, not just SOC 1 reports. Complementary
user-entity controls were defined in the former SSAE-16 Standard as controls at user-entity
organizations that were both necessary and superfluous to meet control objectives expressed in
management's description. Complementary user-entity controls are currently described as those
controls that are only required to meet the control objectives mentioned in management's description,
according to the SSAE 18 Standard.
