IT Contract Audit Checklist and 23 Simple Tips and Guidance
The IT Contract and Request For Proposal Audit Checklist at least should cover:
1. The organization’s policy on information security.
2. The organization’s policies about asset protection including:
– procedures that it has in place to protect organizational assets, including information, hardware and software;
– procedures that will be used to identify whether or not any asset has been lost or compromised;
– controls that are designed to ensure the return or destruction of information and assets at the end of, or at an agreed point within, the contractual relationship;
– procedures to ensure integrity and availability of information;
– restrictions on copying or disclosing information.
3. A description of the service that the third party is to provide – which should be written in clear English and which both parties should agree is a comprehensive description of the service. Where there may be an issue as to what is and is not included in the service, there should be a statement along the lines of: ‘For the avoidance of doubt, [activity] is not included in the service to be provided.’
4. The target level of service and a definition of unacceptable service. These should be both meaningful and reasonable; some flexibility should be built in to allow for the unexpected or simply to accommodate the vicissitudes of the real world.
5. Verifiable performance criteria, and a clear statement on the process for monitoring and reporting. Again, these should be cost-effective and practical, and should allow room for the service to operate. If the performance criteria are too tight or the monitoring regime excessive, the costs to both the organization and the third party of maintaining the agreement may exceed the benefits that they are getting from it.
6. The prospective liabilities of the parties to the agreement; the host organization will be particularly interested in identifying those of the third party and, if possible, avoiding their being capped.
7. Legal responsibilities (e.g. data protection legislation). These clauses must take into account the possibility that different countries will have different legislation around these issues.
8. Intellectual property rights, copyright and protection of rights in any collaborative work.
9. The right to audit contractual responsibilities or to have a third party carry out such an audit.
10. The escalation process for dispute resolution. A dispute resolution process, possibly including binding arbitration, may be more cost-effective than resorting to the law courts.
11. Most contracts should also include, as appropriate to the circumstances of the contract and the service that is to be provided, one or more of the following:
12. Provision for the transfer of staff, and associated costs, where appropriate.
13. Protection against the poaching of staff, particularly where staff have skills or knowledge that is critical to the organization.
14. Access control agreements covering:
– permitted access methods, control and use of passwords, user IDs, etc., and the process by which these are surrendered at the end of the contract;
– the authorization process for user access and privileges;
– a requirement that the third party maintains an up-to-date list of which personnel have been given what level of authorizations.
15. The right of the host organization to monitor user activity and revoke user rights.
16. Responsibilities regarding hardware and software installation and maintenance.
17. The reporting structure and reporting formats, so that third-party staff know who within the organization is responsible for what and how they have to report on those issues for which they have been retained – for example, on attendance, absence or project progress.
18. The specified change management process; this is particularly relevant to software and hardware projects, where it is vitally important that the organization should be able to trace and audit changes to the original specification on the basis of which the third-party contract was drawn up.
19. Any physical controls that are required.
20. Training that is required in respect of methods, procedures and security. This section should specify who is responsible for providing the training, who pays for it, what steps must be taken to maintain the identified skill or competency and what evidence is necessary to demonstrate that it exists.
21. Controls against malicious software and viruses.
22. Procedures for reporting security incidents.
23. Involvement with any other subcontractors.