
CobIT DS01 Service Level Management


APPENDIX IV—DELIVER AND SUPPORT (DS)

PROCESS ASSURANCE STEPS


DS1 Define and Manage Service Levels
Effective communication between IT management and business customers regarding services required is enabled by a documented definition of and agreement on IT services
and service levels. This process also includes monitoring and timely reporting to stakeholders on the accomplishment of service levels. This process enables alignment
between IT services and the related business requirements.

DS1.1 Service Level Management Framework

Control Objective
Define a framework that provides a formalised service level management process between the customer and service provider. The framework should maintain continuous alignment with business requirements and priorities and facilitate common understanding between the customer and provider(s). The framework should include processes for creating service requirements, service definitions, SLAs, OLAs and funding sources. These attributes should be organised in a service catalogue. The framework should define the organisational structure for service level management, covering the roles, tasks and responsibilities of internal and external service providers and customers.

Value Drivers
• Clarified IT service responsibilities and IT objectives aligned with business objectives
• Improved communication and understanding between business customers and IT service providers
• Consistency promoted in service levels, service definitions, and service delivery and support

Risk Drivers
• Gaps between expectations and capabilities, leading to disputes
• Customers and providers not understanding their responsibilities
• Inappropriate priority given to different services provided
• Inefficient and costly operational service

Test the Control Design
• Inspect SLA policies and procedures for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Enquire whether and confirm that policies exist for the alignment of SLA objectives and performance measures with business objectives and IT strategy.
• Inspect the service catalogue and verify that it incorporates service requirements, service definitions, SLAs, OLAs and funding sources.
• Enquire of staff members accountable for SLA escalation and resolution to determine whether the procedures or methods established reasonable service levels in responding to issues.
• Inspect a sample of relevant changes and verify that changes were implemented in accordance with the change management process.
• Inspect the design of the service improvement programme for standards to measure performance.

DS1.2 Definition of Services

Control Objective
Base definitions of IT services on service characteristics and business requirements. Ensure that they are organised and stored centrally via the implementation of a service catalogue portfolio approach.

Value Drivers
• IT service objectives aligned with business objectives
• IT operational service based on correct requirements and priorities
• Incidents linked to services they impact, enabling incident response to be effectively prioritised

Risk Drivers
• Inappropriately delivered services
• Incorrect priority for provided services
• Misunderstood impact of incidents, leading to slow response and significant business impact
• Different interpretations and misunderstanding of IT services provided

Test the Control Design
• Enquire whether and confirm that a process exists for developing, reviewing and adjusting the service catalogue or portfolio of services.
• Confirm the existence of a management process to ensure that the service catalogue or portfolio is available, complete and up to date.
• Inspect the service catalogue or portfolio process to verify that it is reviewed on a regular basis.

DS1.3 Service Level Agreements

Control Objective
Define and agree to SLAs for all critical IT services based on customer requirements and IT capabilities. This should cover customer commitments; service support requirements; quantitative and qualitative metrics for measuring the service signed off on by the stakeholders; funding and commercial arrangements, if applicable; and roles and responsibilities, including oversight of the SLA. Consider items such as availability, reliability, performance, capacity for growth, levels of support, continuity planning, security and demand constraints.

Value Drivers
• Service responsibilities and IT objectives aligned with business objectives
• Service quality enhanced due to proper understanding and alignment of service delivery
• Service efficiency increased and costs reduced due to efficient deployment of IT services based on real needs and priorities

Risk Drivers
• Failure to meet customer service requirements
• Inefficient and ineffective use of service delivery resources
• Failure to identify and respond to critical service incidents

Test the Control Design
• Enquire whether and confirm that stakeholders agree to, record and communicate the SLA, and what is included in the format and contents.
• Inspect the format of the SLA’s content to verify that it includes exclusions, commercial arrangements and OLAs.
• Inspect the SLA management process to verify that it measures SLAs (qualitative and quantitative) and monitors the SLA objectives.
• Inspect SLAs for approval and appropriate signatures.
• Observe and review the SLA review process to evaluate its adequacy.
• Verify that the process for improvements or adjustments to SLAs is based on performance feedback and changes to customer and business requirements.
• Enquire of key staff members whether services are being rendered that are not documented in the SLA.

DS1.4 Operating Level Agreements

Control Objective
Define OLAs that explain how the services will be technically delivered to support the SLA(s) in an optimal manner. The OLAs should specify the technical processes in terms meaningful to the provider and may support several SLAs.

Value Drivers
• Operational services aligned with SLAs and, therefore, to business needs
• Optimisation of operational resources by standardisation and alignment with service requirements
• Cost reduction by optimised use of resources and fewer service incidents

Risk Drivers
• Failure of the provided services to meet the business requirements
• Gaps in technical understanding of services leading to incidents
• Inefficient and costly use of operational resources

Test the Control Design
• Enquire whether and confirm that a process has been defined to develop, manage, review and adjust OLAs.
• Inspect the SLA(s) and confirm that the OLA supports the technical requirements of the respective SLA(s).
• Obtain a representative sample of OLAs and evaluate whether the OLAs contain operable and optimal definitions of delivery of services.

DS1.5 Monitoring and Reporting of Service Level Achievements

Control Objective
Continuously monitor specified service level performance criteria. Reports on achievement of service levels should be provided in a format that is meaningful to the stakeholders. The monitoring statistics should be analysed and acted upon to identify negative and positive trends for individual services as well as for services overall.

Value Drivers
• Users able to monitor service level performance based on reliable information
• The values of IT services communicated within the enterprise
• Consistent communication between relevant parties

Risk Drivers
• Lack of defined measures important to the organisation
• Unidentified underlying service problems and issues
• Dissatisfied users due to lack of information, irrespective of quality of service

Test the Control Design
• Through interviews with key staff members responsible for monitoring service level performance, determine reporting criteria.
• Obtain samples of SLA performance reporting, and verify distribution.
• Inspect reviews for forecast and trends in service level performance.

DS1.6 Review of Service Level Agreements and Contracts

Control Objective
Regularly review SLAs and underpinning contracts (UCs) with internal and external service providers to ensure that they are effective and up to date and that changes in requirements have been taken into account.

Value Drivers
• Delivered IT services aligned with changing business needs
• Weaknesses in existing service agreements identified and corrected

Risk Drivers
• Commercial and legal requirements not met due to out-of-date contracts
• Services not meeting changed requirements
• Financial losses and incidents due to misaligned services

Test the Control Design
• Inspect the SLAs, compare the UCs, and determine effectiveness and currency of changes.
• Obtain a walk-through of SLA documentation requirements.
• Review SLAs and UCs, and confirm that alignment with business objectives is evaluated on a regular basis.


Take the following steps to test the outcome of the control objectives:
• Enquire of senior management, representing the business and IT functions, about their involvement in the design and approval of the SLA framework.
• Enquire of key staff members if performance criteria have been formalised to support and measure achievement of SLA objectives, and if a process is in place to monitor and report the attainment of the objectives.
• Inspect the internal and external performance SLAs, and compare actual results for alignment with the expected SLA requirements.
• Confirm that the IT service objectives align with business objectives, and formally define expectations and performance measurements.
• Inspect service records to ascertain reasons for non-performance, and validate that a performance improvement programme is in place.
• Analyse the historical performance records, and determine that results are tracked against prior service improvement commitments.
• Enquire of key staff members whether stakeholders agree to, record and communicate the SLA and what is included in the format and contents.
• Inspect the format of contents of the SLAs to verify that they include exclusions, commercial arrangements and OLAs.
• For a sample of past and in-process SLAs, determine that content includes:
– Definition of service
– Cost of service
– Quantifiable minimum service level
– Level of support from the IT function
– Availability, reliability and capacity for growth
– Change procedure for any portion of the agreement
– Continuity planning
– Security requirements
– Written and formally approved agreement between the provider and user of the service
– Effective period and new period review/renewal/non-renewal
– Content and frequency of performance reporting and payment for services
– Realistic charges compared to history, industry and best practices
– Calculation for charges
– Service improvement commitment
– Formal approval of the user and provider
• Confirm that appropriate users are aware and understand SLA processes and procedures.
• Inspect SLAs to verify that the OLAs and UCs support the technical requirements of the SLAs and are delivered in an optimal manner.
• Select a sample of SLAs, and confirm that resolution procedures for inappropriate service delivery, specifically non-performance, are included and being met.
• Inspect the service catalogue and ascertain that all services are defined properly.
• Enquire whether and confirm that distinct IT services to which costs will be allocated have been defined and documented.
• Ascertain whether business process owners have knowledge of those IT services that support their business process.
• Inspect any documentation available that identifies business processes and their supporting infrastructure or IT services, and determine whether the mapping is accurate and complete. This can be accomplished, for example, by comparing the mapping to the organisational chart, lines of business, etc.
• Enquire of business process owners and IT service owners whether they have agreed on a mapping of IT services to business processes.
• Enquire of business process owners and users regarding their degree of satisfaction with IT services provided to identify potential weak areas. Such enquiries may be conducted in person or via an anonymous survey.
• Inspect documentation that relates to the mapping between IT service areas and business processes to determine if the operational aspects of the mapping are in place (e.g., SLAs should be examined for appropriateness).

Take the following steps to document the impact of the control weaknesses:
• Benchmark SLAs against similar organisations or appropriate international standards/recognised industry best practices.
• Determine the existence of gaps between service level expectations and delivered services through inquiry and review of documented disputes and fee discounts.
• Determine if services result in frequent fee surcharges and base fee overruns.
• Determine if service level failures were escalated and resolved in a timely manner.
• Determine if the service catalogue is up to date and aligned with business goals.
• Assess the adequacy of proposed service improvements in comparison with the cost-benefit analysis.
• Determine that gaps in expected services are appropriately prioritised and address control requirements for managing services based on service characteristics and business requirements.
• Assess the adequacy of the provision, describing, co-ordinating and communicating the relationship between the provider and user of information services.
• Assess the adequacy of the provider’s ability to meet improvement commitments in the future.
• Enquire of key management staff members whether service level framework provides assurance that SLAs and contracts are current and aligned with business objectives.
• Determine whether reports on achievement of the specified service performance are appropriately used by management to ensure satisfactory performance.
• Determine whether reports of all problems encountered are appropriately used by management to ensure that corrective actions are taken.
• Assess the services provided to determine whether operational agreements align with SLAs.
• For selected categories of reported SLA information, determine the existence of inconsistency of service delivery.
• Assess users’ satisfaction levels with the current service level process and actual agreements.
• Assess the service level measurement criteria, and determine the effectiveness of the communication flow between all relevant parties.
• Review SLAs to determine qualitative and quantitative provisions confirming that obligations are defined and being met.
• Assess management’s ongoing review of and corrective action for service level reporting.
• Determine whether financial losses incurred are reflective of insufficient service quality.
• Verify the service catalogues’ completeness by reviewing and reconciling change requests, network plans, server documentation, incident records, timesheets and other means of communication.
• Enquire of IT service leaders regarding daily duties and responsibilities to ascertain whether those duties provide sufficient coverage of IT infrastructure.
• Corroborate outcomes of discussions with outputs of data centre tours, asset registries, network diagrams or other infrastructure inventories, and identify infrastructure not linked to an IT leader.
• Inspect asset registries, network diagrams or other infrastructure inventories, and ascertain the percentage of assets that are not assigned to an IT service area.
• Document the criticality of those assets in light of the service provided.
• Inspect documentation identifying IT services and business processes, and ascertain the degree of unallocated IT service areas.
• Document the criticality of those service areas in light of the affected business processes.

IT ASSURANCE GUIDE: USING COBIT
IT GOVERNANCE INSTITUTE
