IT Vendor Management (Part 2 of 2)
This continuation episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series focuses on governing vendor relationships after the contract is signed. It covers how to gain assurance over a provider’s controls, what changes when services move to the cloud, what good outsourcing governance looks like in practice, how capacity and growth are planned, and how service quality is maintained and improved over time.
What this episode covers
- Third-party audit reports — the types of assurance reports providers submit, how they differ in scope, and the role of benchmarking alongside them.
- Cloud governance challenges — adapting governance when services move to a provider, handling shadow IT purchasing by business units, and retaining ultimate data responsibility.
- Outsourcing governance structure — the roles, agreements, and schedules needed to maintain continuity of service and mutual value in an outsourced relationship.
- Capacity and growth planning — linking technology and staffing capacity to long-term and short-term business plans and folding it into the budgeting process.
- Day-to-day service delivery management — monitoring delivery, reviewing provider reports, holding regular meetings, examining security event records, and reassessing risk when changes occur.
- Service quality improvement — building improvement targets and penalties or rewards into agreements, measuring user satisfaction, and aligning survey intervals with service level periods.
Frequently Asked Questions
How do third-party audit reports provide assurance over a provider’s controls?
Third-party audit reports are submitted periodically by the provider and come in different types. A SOC 1 report covers the provider's controls that are relevant to the customer's financial reporting; a SOC 2 report covers the trust services criteria (security, availability, processing integrity, confidentiality, and privacy); and a SOC 3 report is a general-use summary of the same ground that omits the detailed control descriptions and test results. Before relying on any of these reports, confirm that its scope, the period it covers, and any carved-out subservice organizations actually match the service you consume, and note whether it attests only to control design at a point in time (Type I) or to operating effectiveness over a period (Type II). Benchmarking against industry standards alongside these reports shows how an arrangement compares with similar ones.
What governance challenges arise when moving services to the cloud?
Moving to the cloud shifts previously self-managed services to a provider, so governance must adapt: business processes that relied on in-house systems, backup and recovery arrangements, and visibility into security events and incidents now depend on what the provider exposes. The organization nevertheless retains ultimate responsibility for its data, whoever processes it. A distinctive governance problem is that business units can bypass the technology function entirely and buy cloud services directly with a credit card, so policies must explicitly cover how cloud services are sourced, approved, and retired.
What does good outsourcing governance look like on a day-to-day basis?
Good governance involves monitoring and reviewing what the provider delivers, checking performance against agreed service levels, meeting on a regular cadence, examining records of security events and problems, and resolving any issues found. Changes on either side, including changes of subcontractor, must trigger a risk reassessment.
Why does capacity planning extend beyond hardware to include people?
Capacity covers both technology resources and the qualified staff needed to manage and deliver services. Too few skilled people can delay critical projects and break agreed service levels, and that staffing shortage is itself sometimes the business reason for outsourcing in the first place.
📚 Master the ISACA CISA Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISACA CISA certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in IT Vendor Management (Part 2 of 2).