
Source: www.knowledgeleader.com
Table of Contents
SERVICE-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1
SERVICE-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 2

SERVICE-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 1

PROJECT TEAM (LIST MEMBERS)

Project Timing | Date | Comments

Planning

Fieldwork

Report Issuance (Local)

Report Issuance (Worldwide)

AUDIT OBJECTIVES
A service-level agreement (SLA) describes specific types of service levels or performance objectives that an IT
provider is committed to comply with or exceed during the time covered by the agreement. The terms of the SLA
can define such things as acceptable response times for processing individual transactions or identifying and
resolving various types of computing and telecommunication operating and effectiveness problems. It should
stipulate the penalties for the supplier’s failure to achieve one or more service or quality levels. The purpose of
this audit work program is to assess the controls specific to an SLA. In doing so, Company X will:
• Determine high-level business requirements of Service Provider X.
• Identify Service Provider X’s framework and methods to deliver on these business requirements.
• Identify key performance indicators (KPIs), controls and critical success factors used to ensure Service
Provider X’s ability to deliver on these business requirements.

Time | Project Work Step | Initial | Index

Planning

Conduct a planning meeting to discuss the scope, approach and timing.

Determine the appropriate audit contact.

Obtain sufficient understanding of the audit area:
• Determine if an audit of this area has been done in the past and, if so, when it
occurred. Utilize any previous work products for training and development of the
current audit plan.
• Obtain and review the policy and procedures for service-level activities.
• Work with the auditee on the scope, approach and timing of the audit and detailed
document request.
• Identify the key contact for audit areas.
• Obtain and document an understanding of the overall operating organization
structure. Consider the following areas:
− Personnel: Organization charts, total number of personnel, divisions, job
descriptions, etc.
− Transactions: The volume/value of various transaction types processed.
− Systems: Application modules, interfaces, tracking systems and related
management reporting.
− “Customers”: Who are the key external and internal customers for the
process?
• Review any known best practices for service-level controls and incorporate them
into the audit work and audit report, if appropriate.

Fieldwork

Conduct an entrance meeting establishing an understanding of the scope and timing
of the review.
• Establish a schedule for status meetings and open-communication protocols.
• Ask the management sponsor about any known scheduling conflicts, such as
meetings, vacations and planned absences, that may affect the committed client
personnel.

Interview the following individuals and document the results of the interview:
• CIO, Director Service Provider X Development, Director Service Provider X
Infrastructure, VP Purchasing, VP Controller, Director Accounting, VP Operations,
Director Regional Operations, Finance Development Manager, Senior Manager
Payroll Operations and VP Team Member Resources

Obtain organizationwide policies and procedures related to provider/user
relationships.

Obtain the following IT policies and procedures:
• Service-level agreements
• Operational reporting content, timing and distribution
• Performance tracking methods from Service Provider X directors
• Corrective action activities

Obtain the following IT documentation:
• Service-level performance reports or currently available metrics
• Chargeback algorithms and methodology for calculating charges
• Budgets and spending priorities from business users
• Service improvement programs from Service Provider X directors and what is
expected from Service Provider X from the business users
• Recourse resulting from nonperformance
• Service-level agreements with third-party providers
• Service-level agreements between internal Service Provider X departments
• Corporate strategic plans
• Service Provider X strategic plan
• Business impact analysis for continuity

For a sample of past and in-process service-level agreements, confirm that the
content includes the following:
• Definition of service
• Cost of service
• Quantifiable minimum service level
• Level of support from the IT function
• Availability, reliability and capacity for growth
• Change procedures for any portion of the agreement
• Continuity planning
• Security requirements
• Written and formally approved agreement between provider and user of service
• Effective period and new period review/renewal/nonrenewal
• Content and frequency of performance reporting and payment for services
• Charges are realistic compared to history, industry and best practices
• Calculation for charges
• Service improvement commitment
• Both user and provider formal approval

Test that appropriate users are aware of and understand service-level agreement
processes and procedures.

Test the users’ level of satisfaction with the current service-level process and that the
actual agreement is sufficient.

Test that the service provides records to ascertain reasons for nonperformance and
to ensure that a performance improvement program is in place.

Test that the accuracy of actual charges matches the agreement content.

Test that historical performance against prior service improvement commitments is
tracked.

Test that reports on achievement of the specified service performance are
appropriately used by management to ensure satisfactory performance.

Test that reports of all problems encountered are appropriately used by management
to ensure that corrective actions are taken.

Interview the following individuals and document the results of the interview:
• Senior Service Provider X help desk.
• Help desk team leader.

Obtain the following documents:
• Organization-wide policies and procedures relating to IT user support.
• IT charter, mission, organization chart, and policies and procedures relating to
help desk activities.
• Reports relating to user queries, resolution of queries, and performance statistics
of the help desk.
• Any performance standards for help desk activities.
• Service-level agreements between IT function and various users.
• Personnel files outlining experiential and professional credentials of help desk
staff.

Ensure that policies and procedures for help desk activities are current and accurate.

Test that service-level commitments are being kept and that variances are explained.

Test that clearing of queries is occurring in a timely manner.

Test that trend analysis and reporting achieve the following goals:
• Produce and act upon trends for improved service.
• Include specific problems, trend analyses and response times.
• Ensure delivery to a responsible individual with the authority to resolve problems.

For a sample of help requests, test confirmation of accuracy, timeliness, and
sufficiency of response.

Test that user satisfaction-level inquiries exist and are acted upon.

Final Reporting

Reporting: Draft
• Prepare a preliminary draft of the audit report using the standard format. Ensure
that an appropriate auditee reviews the draft and that any action items have been
discussed with the auditee.

Reporting: Issuing Draft
• Issue the preliminary report to management. At this point, management/the
auditee should agree on the timing for implementing any action items identified
and agreed to in the report. Responsibility for implementation should also be
assigned.
• Validate the accuracy of all audit report content. Evaluate current practices by
benchmarking the organization’s practices against known best practices.
Document these evaluations in the best practice section of the report.

Other Administrative

Compile test work and key support data into a work paper binder. Include a binder
index of key information.

Include a copy of the final report in the work paper binder.

Discuss job scheduling, timing, and related opportunities for improvement with the
internal audit manager, as necessary.

Follow up on client/satisfaction surveys (if utilized).

Submit the report to the internal audit report database.

File work papers in the internal audit file room.

SERVICE-LEVEL CONTROLS AUDIT WORK PROGRAM: SAMPLE 2

PROJECT TEAM (LIST MEMBERS)
• (Insert Name)
• (Insert Name)
• (Insert Name)
• (Insert Name)
• (Insert Name)
• (Insert Name)

Project Timing | Date | Comments
Planning | (Date) | Approval on the scoping document was received.
Fieldwork | (Date) | Fieldwork was completed.
Report Issuance (Local) | (Date) | The draft report was sent to the chief financial officer (CFO) (Name) and the chief information officer (CIO) (Name).
Report Issuance (Worldwide) | (Date) | This draft report was originally set for (Date) and was moved back due to a rescheduled local review with the CFO and CIO.

Project Objectives | Initial | Achieved/Except
Determine the high-level business requirements of a management information system (MIS). | (Initials) | Achieved: Met with business unit leaders to identify requirements.
Identify an MIS framework and methods to deliver on these business requirements. | (Initials) | An information technology infrastructure library (ITIL) framework and methods are recommended without using the term ITIL.
Identify key performance metrics and critical success factors to track MIS’s ability to deliver on these business requirements. | (Initials) | Implement potential key performance indicators (KPI) and common security frameworks (CSF) in audit recommendations because none of these currently exist.

Project Work Step | Performed By: | Reviewed By: | WP Ref. | Issues Noted: | Comments

Planning

• Planning a meeting: Audit team
− Conduct a planning meeting to
discuss the scope, approach, and
timing.
− Determine the appropriate auditee
contact.

• Obtain a sufficient understanding of
the audit area.
− Determine if an internal audit of
this area has been done
previously. Utilize any previous
work products for the training and
development of the current plan.
− Obtain and review the policies and
procedures for service-level
activities.

• Work with the auditee on the scope,
approach and timing of the audit and
a detailed document request.

• Identify key contacts for audit areas.

• Obtain and document an
understanding of the overall operating
organization structure. Consider the
following areas:
− Personnel: Organization charts,
total number of personnel,
divisions, job descriptions, etc.
− Transactions: The volume/value
of various transaction types
processed.
− Systems: Application modules,
interfaces, tracking systems and
related management reporting.
− “Customers”: Who are the key
external and internal customers for
the process?

• Review any known best practices for
service-level controls and incorporate
them into the audit work and audit
report, if appropriate.

Fieldwork

• Conduct an entrance meeting re-establishing the understanding of the
scope and timing of the review.
− Establish a schedule for status
meetings and open-communication protocols.
− Ask the management sponsor
about any known scheduling
conflicts such as meetings,
vacations and planned absences
that may affect the committed
client personnel.

DS1.1 – DS1.7

• Interview the following individuals and
document:
− CIO: (Name)
− Director of MIS Development:
(Name)
− Director of MIS Infrastructure:
(Name)
− Director of Restaurant Systems:
(Name)
− VP of Purchasing: (Name)
− VP Controller: (Name)
− Director of Accounting: (Name)
− VP of Operations: (Name)
− Director of Regional Operations:
(Name)
− Finance Development Manager:
(Name)
− Senior Manager of Payroll
Operations: (Name)
− VP of Team Member Resources:
(Name)

• Obtain organizationwide policies and
procedures related to provider/user
relationships.

• Obtain IT policies and procedures
related to:
− Service-level agreements
− Operational reporting content,
timing and distribution
− Performance tracking methods
from MIS directors
− Corrective action activities

• Obtain IT documentation related to:
− Service-level performance reports
or currently available metrics
− Chargeback algorithms and
methodologies for calculating
charges
− Budgets and spending priorities
from business users
− Service-improvement programs
from MIS directors and what is
expected of MIS from business
users
− Recourse resulting from
nonperformance
− Service-level agreements with
third-party providers
− Service-level agreements between
internal MIS departments
− Corporate strategic plans
− MIS strategic plans
− Business impact analysis for
continuity

• For a sample of past and in-process
service-level agreements, test if the
content includes the following:
− The service definition
− The service cost
− A quantifiable minimum service
level
− A level of support from the IT
function
− Availability, reliability and capacity
for growth
− Change procedures for any
portion of the agreement
− Continuity planning
− Security requirements
− A written and formally approved
agreement between the provider
and user of the service
− An effective period and new period
review/renewal/nonrenewal
− The content and frequency of
performance reporting and
payment for services
− Realistic charges compared to
history, industry, and best
practices
− Calculations for the charges
− A service improvement
commitment
− Both the user and the provider’s
formal approval

• Test that appropriate users are aware
of and understand service-level
agreement processes and
procedures.

• Test whether users’ level of
satisfaction with current service-level
processes and actual agreements is
sufficient.

• Test that the service provides records
to ascertain reasons for
nonperformance and ensure that a
performance improvement program is
in place.

• Test that the accuracy of actual
charges matches the agreement
content.

• Test that historical performance
against prior service-improvement
commitments is tracked.

• Test that reports on achievement of
the specified service performance are
appropriately used by management to
ensure satisfactory performance.

• Test that reports of all problems
encountered are appropriately used
by management to ensure that
corrective actions are taken.

• Interview and document the following
individuals:
− Senior MIS Help Desk
(Corporate): (Name)
− Help Desk Team Leader
(Location): (Name)

• Obtain the following documents:
− Organizationwide policies and
procedures related to IT user
support
− IT charter, mission, organization
chart, and policies and procedures
related to help desk activities
− Reports related to user queries,
resolution of queries and help
desk performance statistics
− Any performance standards for
help desk activities
− Service-level agreements between
IT functions and various users
− Personnel files outlining
experiential and professional
credentials of the help desk staff

• Test that policies and procedures
related to help desk activities are
current and accurate.

• Test that service-level commitments
are followed, and variances are being
explained.

• Test that queries are cleared in a
timely manner.

• Test that trend analysis and reporting
achieve the following goals:
− Produce and act upon trends for
improved service.
− Include specific problems, trend
analyses and response times.
− Ensure delivery to a responsible
individual with the authority to
resolve problems.

• For a sample of help requests, test
the confirmation of accuracy,
timeliness and sufficiency of the
response.

• Test that user satisfaction-level
inquiries exist and are acted upon.

Final Reporting

• Reporting: Draft
− Prepare a preliminary draft of the
audit report using the standard
format. Ensure that appropriate
auditee reviews are drafted and
that any action items have been
discussed with the auditee.

• Reporting: Issuing a draft
− Issue a preliminary report to
management. At this point,
management or the auditee
should agree upon the timing for
implementing any action items
identified and agreed upon in the
report. Responsibility for
implementation should also be
assigned.

• Validate the accuracy of all audit
report content. Evaluate current
practices by benchmarking the
organization’s practices against
known best practices. Document
these evaluations in the best
practices section of the report.

Other Administrative

• Compile test work and key support
data into a work paper binder. Include
a binder index of key information.

• Include a copy of the final report in
the work paper binder.

• Discuss job scheduling, timing and
related opportunities for improvement
with the internal audit manager, as
necessary.

• Follow up on client/satisfaction
surveys (if utilized).

• Submit a report to the internal audit
report database.

• File work papers in the internal audit
file room.
