Summary

A DoD Agency Program Office responsible for overseeing information systems critical to the Agency’s financial statement audit contracted with a cloud managed service provider (MSP) vendor, but did not include requirements to support the Agency’s annual audit effort in its vendor agreement. As a result, following the transition of the Agency’s information systems to the cloud environment, neither the Program Office nor the MSP was able to produce critical documentation required by the Agency’s auditor, impacting the Agency’s ability to successfully complete its mandatory audit.

Challenge

A DoD Agency Program Office responsible for overseeing information systems critical to the Agency’s financial statement audit contracted with a cloud managed service provider (MSP) vendor, but neglected to include requirements to support the Agency’s annual audit effort as part of its vendor agreement.

Due to the urgent impact on the Agency’s financial audit, the Program Office engaged Alta Via Consulting to investigate and identify risks to the ongoing Agency audit and the state of the MSP’s readiness to address future audit requirements. Our investigation reported that no preparations were made to document MSP processes and associated internal controls relevant to audit and services provided by the MSP.

Additionally, our investigation found that clear and structured coordination between information systems in scope for the financial statement audit was lacking. As a result, Alta Via was asked to develop a strategy to address audit and compliance concerns and to develop a longer-term solution and roadmap to track future auditability compliance for the Agency and its related business units.

Approach

Alta Via developed an agile strategy to leverage existing processes, tools, and capabilities to best meet the Program Office’s needs from its MSP. This was presented as a roadmap to help the Program Office achieve longer-term success during future audits.

  1. Scope assessment:
    1. Document the scope of audit controls inherited by the MSP
    2. Coordinate with the system audit leads and leverage existing RACI and internal control catalog documents.
  2. Reconcile and disseminate policies and procedures
    1. Reconcile existing policies and procedures to ensure internal controls managed by MSP are documented
    2. Develop a document identifying roles and responsibilities between service provider and Program Office business systems.
    3. Identify internal control gaps and develop a plan of action to update processes and procedures to close the control gaps.
    4. Standardize MSP’s internal control designs to meet compliance requirements for all customers, via an enterprise methodology
  3. Prepare and anticipate
    1. Coordinate with business system audit leads to establish timelines, audit expectations, and documentation review
    2. Establish and participate in audit prep trial runs to fine-tune documentation and process.
  4. Centralized risk management framework
    1. Recommend the MSP establish a central risk, control, and document repository to coordinate a single audit for services provided
    2. Leverage framework to provide visibility of control status, central documentation management, and creation of risk and controls catalog, yielding more engagement with Leadership for a clearer path towards success

Results

Alta Via Consulting helped the Agency gain visibility into the opportunities for improvement with its vendors and support entities, allowing the organization to prepare for future Agency-wide audits. Alta Via continues to engage with the Program Office and MSP to provide improvement opportunities and recommendations.