2.1.a : Outsourcing Quiz (Doshi) Flashcards
Which of the following clauses in an outsourcing contract helps MOST to improve service levels and minimize costs?
A. use of latest O/S and hardware
B. Gain-sharing performance bonuses
C. Penalties for noncompliance
D. training to outsourced staff
B. Gain-sharing performance bonuses
The other clauses are important and must be in an outsourcing agreement, but the bonus element provides a financial incentive to go beyond the stated terms of the agreement.
An organization has outsourced some of its IS processes. What is the MOST important function to be performed by IS management in such a scenario?
A. Ensuring that outsourcing charges are paid as per SLA.
B. Training the staff of outsourced vendors.
C. Levy of penalty for non-compliance
D. Monitoring the outsourcing provider’s performance
D. Monitoring the outsourcing provider’s performance
Though the other parameters are important, the most important function of IS management is to monitor the performance of vendors. It is critical that the outsourcing provider’s performance be monitored to ensure that services are delivered to the company as required.
An IS auditor observed that outsourcing vendors have been appointed without formal written agreements. The IS auditor should recommend that management:
A. obtains independent assurance of the third-party service providers.
B. sets up a process for monitoring the service delivery of the third party.
C. ensures that formal contracts are in place.
D. revokes the appointment of outsourcing vendors.
C. ensures that formal contracts are in place.
It is difficult to enforce the terms of a contract in the absence of a formal written agreement. Written agreements assist management in ensuring compliance with contractual requirements.
An organization has outsourced IT support service. A probable advantage of outsourcing is that:
A. reliance can be placed on expertise of outsourcing vendors.
B. more control can be exercised over IT processing.
C. organization can transfer their accountability in terms of privacy laws.
D. employee satisfaction may increase
A. reliance can be placed on expertise of outsourcing vendors.
Through an outsourcing arrangement, the services of an expert can be obtained in the absence of in-house expertise. No organization can transfer its accountability through outsourcing.
An organization has outsourced the design of its IT security policy. Which of the following functions cannot be outsourced?
A. Accountability for the IT security policy
B. Benchmarking the security policy against other organizations in the industry
C. Implementing the IT security policy
D. User awareness for IT security policy
A. Accountability for the IT security policy
Under no circumstances can accountability be transferred to external parties. Other functions can be outsourced as long as accountability remains within the organization.
An organization has outsourced IT support service to a provider in another country. Which of the following conclusions should be the main concern of the IS auditor?
A. Legal jurisdiction can be questioned.
B. Increase in overall cost.
C. Delay in providing service due to time difference.
D. Difficult to monitor performance of outsourced vendor due to geographical distance
A. Legal jurisdiction can be questioned.
Here the main concern is legal jurisdiction. In the absence of proper clarification there can be compliance as well as legal issues. The other choices are not as relevant as legal jurisdiction. Also, even if the service provider is in a different country, that does not necessarily indicate a delay in service or difficulty in monitoring. Generally, outsourcing to other countries is done to save cost.
An IS auditor is reviewing an outsourcing contract for IT facilities. The auditor should be MOST concerned if which of the following clauses is not included in the contract:
A. types of hardware
B. software configuration
C. ownership of intellectual property
D. employee training policy
C. ownership of intellectual property
A clause on ownership of intellectual property is a must in an outsourcing contract. The contract specifies who owns the intellectual property. Ownership of intellectual property will have a significant cost and is a key aspect to be defined in an outsourcing contract. The other choices, though important, do not have as much significance as the intellectual property clause.
An organization has outsourced data operations service to a provider in another country. Which of the following conclusions should be the main concern of the IS auditor?
A. Communication issues due to geographical differences.
B. Scope creep due to cross-border differences in project implementation.
C. Privacy laws could prevent cross-border flow of information.
D. Dissatisfaction of in-house IT team.
C. Privacy laws could prevent cross-border flow of information.
The main concern is the regulatory issue that can prohibit the flow of information.
An IS auditor is reviewing a request for proposal (RFP) floated by the IT department to procure services from an independent service provider. Inclusion of which of the clauses below is MOST important while floating such an RFP?
A. Details about Maintenance plan
B. Details about Proof of Concept (POC)
C. References from other customers.
D. Details about BCP
C. References from other customers
References from other customers help the IT department get an idea of the performance level of the service provider. Checking references is a means of obtaining independent verification that the vendor can perform the services it says it can. The other options are important and need to be understood before awarding contracts. However, the most important clause is references from other customers.
An organization has outsourced IT support service to an independent service provider. Which of the following clauses would be the best to define in the SLA to control the performance of the service provider?
A. Total number of users to be supported
B. Minimum percentage of incidents solved in the first call
C. Minimum percentage of incidents reported to the help desk
D. Minimum percentage of agents answering the phones
B. Minimum percentage of incidents solved in the first call
Since it is about service level (performance) indicators, the percentage of incidents solved on the first call is the most relevant control. It helps to control performance of the service provider. Other options are not relevant.
An organization is in the process of entering into an agreement with an outsourced vendor. Which of the following should occur FIRST?
A. Deciding periodicity of contract
B. Approval from compliance team.
C. Decide the level of penalties.
D. Finalize the service level requirements.
D. Draft the service level requirements.
Of the options given, the very first step should be finalizing the service level requirements (SLR). The SLR will form part of the SLA. The other options are performed once the service level requirements are finalized.
Which of the following documents will serve the purpose of a vendor performance review by an IS auditor?
A. Market Feedback of the vendor.
B. Service level agreement (SLA)
C. Penalty levied reports
D. Performance report submitted by vendor.
B. Service level agreement (SLA)
A Service Level Agreement (SLA) is considered the most independent document for performance review of the vendor.
An IS auditor has been asked to recommend an effective control for providing temporary access rights to outsourced vendors. Which of the following is the MOST effective control?
A. Penalty clause in service level agreement (SLA).
B. User accounts are created as per defined role (least privilege) with expiration dates.
C. Full access is provided for a limited period.
D. Vendor management is given the right to delete IDs when work is completed.
B. User accounts are created as per defined role (least privilege) with expiration dates
(1) Creation of need-based user IDs and automated revocation of IDs as per the expiration date will serve as the most effective control under the given scenario and options.
(2) A penalty clause in the SLA may act as a deterrent control, but automated revocation of IDs is a more effective method of control.
(3) Providing full access is risky.
(4) A control that gives vendor management the right to delete IDs may not be reliable.
Which of the following is the GREATEST concern in reviewing a system development approach?
A. User manages acceptance testing.
B. A quality plan is not part of the contracted deliverables.
C. Application will be rolled out in 3 phases.
D. Compliance with business requirements is done through prototyping.
B. A quality plan is not part of the contracted deliverable.
A quality plan is a critical element to be included in the contracted deliverables. It is critical that the contracted supplier be required to produce such a plan. The other areas are not points of concern.
An IS auditor is reviewing the process of acquiring application software. Which of the following is the MOST important consideration?
A. documented operating procedure to be available.
B. a backup server be loaded with all the relevant software and data.
C. training to staff.
D. escrow arrangement for source code.
D. escrow arrangement for source code.
Source code escrow is the deposit of the source code of software with a third-party escrow agent. The software source code is released to the licensee if the licensor files for bankruptcy or otherwise fails to maintain and update the software as promised in the software license agreement. An escrow arrangement is very important in such cases. It ensures that the purchasing company will have the opportunity to modify the software should the vendor cease to be in business.