A comprehensive service level agreement is an essential requirement for
the provision or receipt of any important service. It quite simply defines
the parameters for the delivery of that service, for the benefit of both
The quality of the agreement is therefore a matter of substantial importance. It must be complete, comprehensive and accurate in its coverage. Importantly, both parties must UNDERSTAND the contents and their obligations described within.
An AuditNet user asked me the following question, so I decided to pass it on to the AuditNet lists:
Do you have examples of service plans and service agreements for Internal Audit departments?
As I was not familiar with service level agreements or SLAs for internal
audit I asked him to explain. The following was his response:
As part of adopting a new "culture" in our organizations, we are preparing business and service plans. As Internal Audit provides a "service" to the enterprise, the service agreement is between us and our major customer/clients. It is somewhat of a "contract" of what we will do. The service plan is a general outline of the department as a whole. It may include a SWOT analysis, balanced scorecard, KPI's etc. The plan is like a brochure or "resume" of the department.
So my question for the group is: does anyone use SLA's for your internal audit group, and if so, could you provide an example for the benefit of others? I would be willing to create a page on AuditNet devoted to SLA's both for internal audit and other departments if there is enough interest.
Apparently there was enough interest as the following are responses received followed by examples of service agreements from AuditNet list subscribers. Thanks to all who responded and even more thanks to those that shared their service agreements for the benefit of all.
This section of AuditNet provides resources and information about SLA's, both from the perspective of the auditor's review and for establishing them for an audit department. If you have audit programs, sample SLA's or other information or resources you would like to share, please contact us.
As noted below, SLA's are used between a department and its major customers/clients. As internal audit, our primary customer is the Audit Committee. We provide an upfront plan to the audit committee which identifies areas of risk and our audit plan to cover those areas. We then provide updates to this during the year. Our KPI's are measured in a few ways: first is the number of deliverables by audit unit (i.e., the number of audit reports issued), the number of issues by business unit and by severity (type 1, type 2, etc.), a summary of the audits with needs improvement or unsatisfactory ratings, and we have the responsible officer of the units we audit fill out a survey about the value we've added to them. The last item is something we put together where we list out what we feel was the value added and we provide them with an estimate of what it would have cost them to have the service from outside (basically we take $100 x hours spent) and then they rank us 1-4 on how strongly they agree/disagree we provided that much value.
We call our process a Partnership Agreement between audit and the entities we audit. Likewise, functions that provide a service to audit, i.e., IT, have a partnership agreement with us. The attachment is the template we use. For brevity's sake, selected division managers meet with the Auditor and discuss their perception of our SWOT and what their basic expectations are from audit. The group agrees upon 5 expectations that they will grade us on during the year. If expectations include greater audit coverage, then this group understands that additional staffing will cause their shared resources costs to go up. All parties sign off on the agreement. The grading is a small factor in my annual bonus. The thing gained through this process is the open dialogue on expectations from audit. I hope this is of some help.
In our organization, each Audit Planning Memorandum spells out the Scope, Objectives, Deliverables, Approach, etc. It also includes the budgeted hours and cost, and is signed by the Auditor and Auditee. That is seen as an SLA for each audit done.
Very good question, we do not currently have a SP or SA but I would be very interested in learning more and viewing an example. I think it could be a very good vehicle to (among other things) reiterate that the responsibility for controls rests with management, and how we plan to assist them in achieving their goals via testing and internal consulting. Very timely with SOX coming up.
As we are a public sector organization we use SLA's as a basis for provision of services with our clients as contracts would not be legally binding.
Isn't there already sufficient documentation in the standards and application guides of the Institute of Internal Auditors? See website www.theiia.org for more info. If I understand this well, a Service Level Agreement is about the same as what has to be in the Audit Charter and the Audit Plan.
Service Level Agreement Resources for Internal Auditors