Internal Audit Tales: Five Additional Audit Tips for IT Spend

By Ralph Villanueva CISA CISM CIA CFE

Introduction

Last week, I published Five Valuable Audit Tips for IT Spend, and it got a great deal of attention and many impressions. Hence, I believe that an encore is in order. I always believe that a rising tide lifts all ships, and I hope that sharing my revenue-oriented audit insights will lift the game of every audit professional who reads my articles. So without further ado, here are the next five.

Unused SLA hours

This is the flip side of my previous article, which calls for revisiting the maintenance and other fees of a typical software vendor or third-party MSP (Managed Service Provider) of IT services at renewal time. Almost all contracts include a certain number of service hours that are set in stone the moment the ink dries on the contract. These hours range from 10 to 40 or more per year and run from mere remote consulting to actual work onsite. In my years in internal audit, and IT audit and compliance, I have run across countless SLA (Service Level Agreement) contracts that mention X number of hours as part of the agreement. At the same time, and in the same company, I have seen invoices for related IT services rendered by another vendor. Sadly, these were for the same application that was already covered by the SLA.

My advice for both internal and IT auditors: look into unused SLA hours, then correlate them with payments to other vendors for similar work on the same service, hardware or application. If there are unused SLA hours remaining, emphasize to the IT department leadership and the application or service business owner that they should use those SLA hours first before going to another vendor. Considering that the average company uses 130 applications, this could mean substantial savings for the company and kudos for your audit department.

SME Travel Expenses

This refers to the vendor or third-party SMEs (Subject Matter Experts) who travel to do work on your premises or in your data center. Almost all SLA contracts have provisions for vendor SME travel. Of course, in a SaaS (Software as a Service) environment, this is all but unnecessary. However, a lot of companies still have their hardware on premises, or in a colocation facility or data center. Periodically, this hardware needs firmware upgrades, or perhaps a software update that cannot be done remotely, or a troubleshooting engagement that requires an SME or consultant to get the job done onsite. Hence the need to travel to the company's premises as provided for in the SLA contract.

This is where auditors can find potential cost recoveries. Some of these contracts have travel provisions that cover expenses from the time the SME or consultant leaves his or her house until the time he or she returns, and all other travel expenses in between. Others stipulate coverage only for coach class airline tickets and budget hotel accommodations. Every time I review these travel reimbursements from vendors, I always find something to recover, whether it is the difference between a first class and a coach class plane ticket, the allowable per diem, or the difference between the actual hotel room rate and the allowed room rate.

Agreed Upon Services

This refers to the SOW (Statement of Work) contract for certain types of engagements that are primarily project-based. For instance, your company commissioned a penetration test of the external-facing IT environment. The SOW stipulates that X number of IP addresses, servers and applications be part of an unauthenticated test. However, not all of those IP addresses, servers and applications were tested. Worse, the final report was delivered two months after the date agreed upon in the contract.

Or your company commissioned a tabletop exercise that calls for twenty incident scenarios, and the vendor only comes up with ten. Or a tailor-fit IT security policy with sub-policies for change management, data backups and so on, and the vendor merely copied those from one of their other clients and passed them off as a tailor-made original.

Most of these types of contracts have penalties for non-fulfillment of agreed-upon services. Should such an event occur, is there an opportunity to recover payment due to non-performance of the agreed-upon services? Time for the auditors to read the fine print and proactively advise the project owners.

Outsourced Services

Almost all major companies outsource part of their IT functions. This enables them to scale capacity up or down as needed, save on employee benefit costs and stay focused on their core business. For instance, IT support services may be handled by a third party in another country that charges a lower rate than a full-time employee in the US would cost. Every time an employee has a problem with application access, the 1-800 number he or she dials, or the URL he or she opens, connects him or her to someone who can reset a password or fix a VPN connection. Or the IT SOC (Security Operations Center) function is performed by a dedicated team of network security experts employed by another company; part of their work involves isolating endpoints showing potential IOCs (Indicators of Compromise). Or the backups for the entire IT ecosystem are written to a hundred magnetic tapes that are picked up by a third-party vendor every week for storage at their secure location.

This is where reading the fine print of the contract with these third parties comes in as well, and where auditors can find something to bring back to the company. Just as with agreed-upon services contracts, there are penalties with a monetary component that can benefit the company, but only if someone keenly looks into it.

Add Ons

This particular provision in the contract refers to the option to upgrade or add an additional module to the ones you already have. Say, for instance, you have the basic endpoint anti-malware solution, but the contract allows your company to add a DLP (Data Loss Prevention) module to prevent confidential files from leaving your secure file servers, and at a decent discount compared with acquiring it from a reseller. Yet what if the company forgot about the optional add-on and instead purchased the DLP module from a reseller at a substantial markup? Auditing the acquisition decisions of the very department that controls your IT access, and of the purchasing department that determines the work equipment you use, will not be easy, but there are substantial cost recoveries to be made.

I hope this and the previous week's article have sparked ideas that can help your audit function shine and your company thrive. As a fellow internal audit, and IT audit and compliance, professional, I wish you all nothing but success in this most important but often overlooked profession. As the third and ultimate line of defense, our audit and consulting work is all that stands between a company's success and oblivion. Stay tuned for more valuable ideas and insights next week.

Ralph Villanueva is currently an IT security and compliance professional for a global vacation ownership company, and has relevant professional certifications earned from over ten years protecting his stakeholders from IT security and compliance risks. In his previous professional life, he was an internal auditor for a decade, earned relevant certifications as well, and has protected his employers from fraud and financial risks due to weak internal controls and weaker company leaders. He also recovered tens of thousands of dollars through his audits. Though he is happy where he is right now, he is nevertheless waiting for the day when he can fuse these two magnificent professions into something that can generate enormous value to whoever makes it happen. Think Taylor Swift’s Eras and Beyoncé’s Renaissance tours, Oppenheimer and Barbie, Predator and Alien, Godzilla and King Kong, Freddy and Jason or Batman and Superman (sorry Robin). Yes, these are extreme analogies, but I’m sure you get the message. © Ralph Villanueva. All rights reserved.
