ISA Project Report by Group No 9 Final

The document discusses a case study where a company is considering moving its key business applications to cloud services provided by a vendor. It outlines findings from an internal audit review of the vendor proposal, including that a comprehensive study of business requirements and processes, impact on existing IT infrastructure, cost-benefit analysis, security, privacy and compliance considerations is needed before selecting the cloud services.


Project Report

of
DISA 2.0 Course

Prepared by:
CA Lakshman Sharma
CA khushboo Bansal
CA Kuldeep Sharma
(Group No. 9 of Batch No JAI1712121)
CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training
conducted by The Institute of Chartered Accountants of India at Jaipur Branch from
02/12/2017 to 30/12/2017 & have the required attendance. We are submitting the
Project titled:

Review of vendor proposal of SaaS services

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for
the project. We also certify that this project report is the original work of our group
and that each one of us has actively participated and contributed in preparing this
project. We have not shared the project details or taken help in preparing the project
report from anyone except members of our group.

Name DISA No. Signature

Khoshboo Bansal 53289

Lakshman Sharma 53270

Kuldeep Sharma 53235

Place: Jaipur
Date:
INDEX

Particulars Page No.

Details of Case Study/Problem 1

Project Report (solution)

1. Introduction 4

2. Auditee Environment 5

3. Background 6

4. Situation 7

5. Terms and Scope of Assignment 9

6. Methodology and Strategy adopted for execution of the assignment 11

7. Documents reviewed 15

8. References 26

9. Deliverables 28

10. IS Audit Report 29

11. Key Issues and Findings and Recommendations 33

12. Conclusion 36
Details of Case Study/Problem
(Review of vendor proposal of SaaS services)

Brandcom (the Client) has decided to move its key business application to cloud services
provided by a renowned vendor, considering the increased functionality and cost savings.
However, the company has not done a comprehensive study of the appropriateness of the
proposed IT services. The company’s internal audit department has reviewed the vendor
proposal and has provided its findings and recommendations. An extract of the internal
auditor’s findings and recommendations follows:
1. The proposal is for a standard offering of ERP software on the cloud with no modifications.
Brandcom is a company with its own unique business processes. Hence, it is important
to study the existing processes (as-is study), map them to the ERP (to-be state) and
confirm whether the proposed ERP solution meets the business requirements and what
value is added by migrating to the proposed solution. If such a study has been done, it
may be collected to review whether it covers effective migration of all key processes
and the value addition offered by such migration.
2. On outsourcing of IT services, the usability of the current IT infrastructure, including
the hardware, operating system, database and application software, has been considered
by the IT department. The impact of the proposed solution on the existing structure also
has to be studied before taking a decision.
3. The brochure of the cloud service vendor states: “Clients need to be clear on what they
want. They should know whether they simply want to enhance their current systems or
move to a new system. They should know how much re-architecting would be required,
the legal and compliance issues involved and whether the cloud would affect their
audits”. The proposal does not provide these details. An impact assessment study of the
proposed solution on Brandcom has to be done to ensure that the proposed solution
provides the business advantages that are sought to be achieved.
4. The proposal provides a brief overview of the module details and process coverage.
However, it is not clear whether all the modules are applicable and how they would be
configured as per the requirements of Brandcom. Further, the cloud service vendor has
the option to extend its capabilities by providing customization, adding additional
functionality as required at extra cost. However, the proposal does not provide any
information on this. It cannot be assumed that the current modules offered by the cloud
service meet all the business requirements. No study has been done to cover these key
aspects. It is advisable to have a statement of work which clearly outlines the solution
offered by the cloud service provider as applicable to Brandcom, so that there is clarity
on what is available and how it will fit and meet the requirements of the current and
future business processes.
5. The proposal provides an implementation plan and suggested training requirements.
The number of users who need access, their current skill levels and how those skills are
to be enhanced have to be assessed so that they can use the proposed solution. The
training requirements have to be assessed in detail to confirm whether they meet
requirements.

Page 1
6. Data migration from the existing software to the proposed solution is a major challenge
in any ERP implementation. The proposal is silent on what the current platform is and
how the data migration is expected to be done. This has to be correctly assessed, as it
will impact the success of the proposed solution.
7. The proposal provides a cost estimate for 9 regular users and 1 Lite user. Whether this
is sufficient to take care of the current number of users is not clear. This may be
assessed to correctly understand the impact. The actual number of users is 40, whereas
only the model implementation with 10 users is considered for the cost-benefit analysis.
8. The cost-benefit analysis of the proposed solution and the specific benefits to Brandcom
are not clearly highlighted in the proposal. The management has to be aware of the
benefits and has to obtain independent confirmation of the envisaged benefits.
9. Any ERP migration, and especially one to the cloud, carries risk in terms of being tied
to one vendor, data being available on the cloud and dependency on bandwidth for
access. A risk assessment should be done to ensure that all key risks are identified and
an effective risk mitigation strategy has been adopted.
10. It is advisable to have a demo of the ERP solution as applicable to Brandcom to
understand how the proposed solution provides the envisaged benefits. Based on this,
the final decision regarding migration to the new solution has to be taken considering
suitability, training and cost savings.
11. References of solutions implemented for enterprises with business of a similar nature
to Brandcom may be obtained to validate and confirm that the solution meets the
requirements. As migration to a new solution increases the dependency on the new
vendor, it is important to be assured of the adequacy and appropriateness of the
solution.
12. It is also advisable to have an independent review of the proposed solution to ensure
that all the required assessments of the requirements are done and the proposed
solution meets the current and future requirements.
13. Before taking a final decision on the proposal, it is important to consider the following
key aspects in the evaluation of the cloud services proposal:
- Current and future business processes,
- Organization structure, especially pertaining to IT, and the number of users of the IT
systems,
- Current IT infrastructure, including hardware, network, operating systems,
database and application software,
- Internal control systems and the extent of documented processes,
- Number of IT users and key personnel and their skill levels.

In addition to the above findings, some of the key issues relating to data, security, privacy
and potential compliance noticed by us during our review are given below:
- A process for reviewing the third-party compliance requirements is non-existent,
and the decision has been imposed by IT.
- On contacting customers of the vendor, you were informed that when the cloud
services were used, they detected data leakage of critical information and of
unknown areas of data. Due to this severe issue, the business reputation was
severely damaged, which had the potential to drive the company out of business
by losing future service contracts.
- The usage of the current enterprise environment and business processes, as well as
the enterprise strategy and future objectives, were not considered in selecting the
cloud services.
- The external environment of the enterprise (industry drivers, relevant regulations,
basis for competition) has not been documented or considered in selecting cloud
services.
- Before finalizing the service agreements with the service provider, the service
catalogues, business process requirements and internal operational agreements
were not considered.
- The company does not have a policy for monitoring service levels, reporting on
achievements and identifying trends. The SLA should provide the appropriate
management information to aid performance management.
- A business case for the cloud service was not prepared. There is no process to identify,
prioritise, specify and agree on the business information, functional, technical and
control requirements covering the scope and understanding of all initiatives required to
achieve the expected outcomes of the proposed IT-enabled business solution.

However, the company’s IT department wants to go ahead and sees no issue in the
current proposal. The matter was escalated to the audit committee and it has been
decided to have an independent review by an IS auditor.

Project Report (The solution)

Introduction

A. Software as a Service (SaaS) refers to the cloud computing model where complete
application software is sold on a subscription model for a specific period. Examples
of software provided through the SaaS model are CRM, ERP, e-mail, calendar, Internet
file stores, spam filters, etc. The SaaS model provides the capability to use the
provider’s applications running on cloud infrastructure. The application software is
accessible from various client devices through a thin client interface such as a web
browser (e.g., web-based e-mail). SaaS saves customers the cost of buying licenses
and running programs on their own computers. SaaS is one of the most popular
cloud computing services and is being extensively used.

B. This audit is conducted by "ABC & Co, Chartered Accountants". The team is a good
mix of experience and knowledge.

Name              Team     Qualification   Experience
Khoshboo Bansal   Lead     CA, B.Com
Lakshman Sharma   Member   CA, B.Com       1.5 years
Kuldeep Sharma    Member   CA, B.Com       3 years

Auditee Environment

Brandcom is a company with its own unique business processes. For this particular project
it is considering moving its ERP system to a cloud-based SaaS model. In the current scenario
Brandcom is using physical hardware and customized software to fulfil its ERP
requirements, and this ERP-like software is very specific to Brandcom and its business. The
ERP system is maintained by the Brandcom IT department. The whole system works under
the company’s regulatory guidelines.

Brandcom’s ERP system is consumed by the company’s internal systems, i.e. internal e-mail,
inventory systems, etc.

Brandcom’s ERP system details:


Software: Brandcom ERP system2.0
Hardware: UNIX server and thin client based model.

Brandcom has put in place a comprehensive information security system as mandated by the
ISO 27001 and ISAE 3402 Type I standards. Its security system is subject to audit by independent
ISO auditors. It provides assurance to its customers that data are well protected in its data
center.

The key security and control practices of the company are:

- Login access control
- Physical access monitoring
- Physical access control
- Internal theft
- Data transport over the Internet
- Fire and natural calamities
- Privacy
- Firewall
- Audit trail

Brandcom’s internal control department has noted some issues and findings which have to
be considered while transferring the key processes to SaaS services, since such a transfer
can expose the company’s internal control system and its confidentiality.

However, the auditee’s IT department, which has a good reputation in the organisation, has
already convinced the CEO of the need for such outsourcing for cost savings, whereas the key
issues found by the internal control department have a great impact on such a transfer of key
processes to SaaS.

Background

Brandcom has decided to move its key business application to cloud services provided by a
renowned vendor, considering the increased functionality and cost savings. Software as a
Service (SaaS) refers to the cloud computing model where complete application software is
sold on a subscription model for a specific period. Examples of software provided through
the SaaS model are CRM, ERP, e-mail, calendar, Internet file stores, spam filters, etc. The SaaS
model provides the capability to use the provider’s applications running on cloud
infrastructure. The application software is accessible from various client devices through a
thin client interface such as a web browser (e.g., web-based e-mail). SaaS saves customers
the cost of buying licenses and running programs on their own computers. SaaS is one of
the most popular cloud computing services and is being extensively used.

The company is aware that an Information Systems Audit will not only provide assurance to
the management about the accuracy of the existing security and control practices but will
also give clients confidence about the safety of their data. An IS audit will not only lead to
safeguarding of assets and improved data integrity but will also enhance the system’s
efficiency and effectiveness.

On the recommendation of the IT department, the organization wants to assess whether the
benefits to arise from implementation of such SaaS services are over and above the risk and
loss that would arise from a failure. For this, the implied security, data privacy and compliance
requirements as applicable, such as sensitive personal data information (SPDI), cloud provider
policies and procedures, and data protection and leakage, are also to be reviewed.

The auditor will review IT principles, policies & framework. The company wants the control
deficiencies to be identified & reported to the management. Also it will help to monitor
controls, review business process controls effectiveness, and perform control self-
assessment.

Situation

Brandcom has decided to move its key business application to cloud services provided by a
renowned vendor, considering the increased functionality and cost savings. However, the
company has not done a comprehensive study of the appropriateness of the proposed IT
services. The company’s internal audit department has reviewed the vendor proposal and
has provided its findings and recommendations. An extract of the internal auditor’s findings
and recommendations follows:
- Availability of a standard application and less customization
- Wrong analysis of user needs
- Less clarity in the vendor proposal
- Training requirements are not considered
- Migration issues are not considered
- Public image of the vendor is not considered
- Analysis of the external environment is not proper
Now the management wants the IS auditor to conduct a trade-off analysis between the
SaaS-based ERP and the client’s present ERP system.

SaaS characteristics include:

- Activities managed from central locations rather than at each customer's site,
enabling customers to access applications remotely via the Web.
- Network-based access to, and management of, commercially available software.
- Centralized feature updating, which obviates the need for end-users to download
patches and upgrades.
- Application delivery typically closer to a one-to-many model (single instance, multi-
tenant architecture) than to a one-to-one model, including architecture, pricing,
partnering, and management characteristics.

Some SaaS applications are free to the user, with revenue being derived from alternate
sources such as advertising, or upgrade fees for enhanced functionality. Examples of free
SaaS applications include large players such as Gmail and Google Docs, as well as smaller
providers like Wave Accounting and FreshBooks.

SaaS providers generally price applications on a per-user basis and/or per business basis,
sometimes with a relatively small minimum number of users and often with additional fees
for extra bandwidth and storage. SaaS revenue streams to the vendor are therefore lower
initially than traditional software license fees, but are also recurring, and therefore viewed as
more predictable, much like maintenance fees for licensed software.

In addition to the characteristics mentioned above, SaaS sometimes provides:

- More feature requests from users, since there is frequently no marginal cost for
requesting new features.
- Faster new feature releases, since the entire community of users benefits.
- Embodiment of recognized best practices, since the user community drives the
software publisher to support best practice.

Risks:

1. Lack of federated identity management
Because employees hold multiple identities at multiple SaaS providers, an
employee's access cannot be shut off automatically following the termination of
that employee.

2. Lack of strong service level agreements (SLAs) and contracts that hold people
accountable should something happen.

3. Lack of interoperability among vendors (vendor lock-in)
Puts companies at risk if the SaaS provider goes out of business or is acquired by a
competitor. Switching costs could be high.

4. Data security
One company's data is co-mingled with other businesses' data.

5. Web application and infrastructure vulnerabilities
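Risk 1 above (no federated identity, so a leaver's accounts linger at each SaaS provider) is something the IS auditor can test directly by reconciling each provider's user export against the HR roster. The script below is an added example, not part of the project report; the HR roster, the three provider names and all account data are constructed sample values.

```python
"""Reconcile SaaS provider account exports against the HR roster.

Added example (hypothetical data). Flags two kinds of finding an IS auditor
would report under "lack of federated identity management":
  - an account still enabled at a provider after the employee was terminated
    (and whether it was actually used after the termination date), and
  - an account with no matching HR record at all.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Finding:
    provider: str
    account: str
    reason: str
    days_open: Optional[int] = None   # days since termination, if applicable

# Constructed HR roster: e-mail -> (status, termination date or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "a.kumar@brandcom.example": ("active", None),
    "r.mehta@brandcom.example": ("terminated", date(2017, 11, 15)),
    "s.iyer@brandcom.example": ("terminated", date(2017, 12, 1)),
    "p.jain@brandcom.example": ("active", None),
}

# Constructed exports from three hypothetical SaaS providers:
# (account e-mail, status at the provider, last-login date or None)
PROVIDER_EXPORTS: Dict[str, List[Tuple[str, str, Optional[date]]]] = {
    "erp-saas": [
        ("a.kumar@brandcom.example", "enabled", date(2017, 12, 20)),
        ("r.mehta@brandcom.example", "enabled", date(2017, 12, 3)),
        ("s.iyer@brandcom.example", "disabled", date(2017, 11, 28)),
    ],
    "mail-saas": [
        ("a.kumar@brandcom.example", "enabled", date(2017, 12, 22)),
        ("r.mehta@brandcom.example", "enabled", date(2017, 11, 10)),
        ("contractor42@gmail.example", "enabled", date(2017, 12, 18)),
    ],
    "crm-saas": [
        ("p.jain@brandcom.example", "enabled", None),
        ("s.iyer@brandcom.example", "enabled", date(2017, 12, 5)),
    ],
}

AS_OF = date(2017, 12, 30)   # date of the audit fieldwork (constructed)

def reconcile(roster, exports, as_of) -> List[Finding]:
    """Compare every provider account with the HR roster and collect findings."""
    findings: List[Finding] = []
    for provider, accounts in exports.items():
        for email, status, last_login in accounts:
            key = email.lower()
            if key not in roster:
                # Nobody in HR owns this account: orphan or external identity.
                findings.append(Finding(provider, email, "no HR record"))
                continue
            hr_status, term_date = roster[key]
            if hr_status == "terminated" and status == "enabled":
                days = (as_of - term_date).days
                reason = "enabled after termination"
                if last_login is not None and last_login > term_date:
                    reason += ", used after termination"
                findings.append(Finding(provider, email, reason, days))
    return findings

def by_provider(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Group findings per provider for the audit working papers."""
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.provider, []).append(f)
    return grouped

def run_example() -> List[Finding]:
    return reconcile(HR_ROSTER, PROVIDER_EXPORTS, AS_OF)

if __name__ == "__main__":
    for provider, items in by_provider(run_example()).items():
        print(provider)
        for f in items:
            extra = f" ({f.days_open} days since termination)" if f.days_open else ""
            print(f"  {f.account}: {f.reason}{extra}")
```

The same reconciliation, run against each provider in scope, gives the auditor evidence for the "access cannot be shut off automatically" risk rather than relying on the IT department's assurance.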

Terms and Scope of the Assignment

1. The auditors are required to verify the compliance status (follow-up) of the previous audit
reports, for which audits were conducted by the company’s IS auditors under the comprehensive
information security system as mandated by various standards.

2. The auditors should follow a risk-based approach in all areas. The IS auditors have to identify
all the risks that are present in the cloud computing environment.

3. To ensure that data integrity across the various systems is maintained. The auditor has to give
assurance to management that information is accurate and reliable and has not been
subtly changed or tampered with through unauthorized access.

4. Logical security controls, user management process, systems administration and access
control measures.

5. Operational security controls, including troubleshooting / help desk, and the Request for
Proposal for the IS audit/review.

6. To ensure compliance with the Information Technology (IT) Act 2000, the Information Technology
(Amendment) Act 2008 and other information system related guidelines.

7. Physical security controls for the relevant servers / production environment.

8. People, in terms of establishing proper segregation of duties and other administrative
controls.

9. The cloud vendor’s policy on vulnerability assessment and penetration testing, wherever
applicable.

10. Audit the services of all service providers to ensure they adhere to the contracted levels of
service set out in the Service Level Agreement (SLA).

11. Audit compliance by the service providers with the various regulatory and statutory
requirements.

12. Adequacy of the audit trail, history of access to the database, and monitoring mechanism.

13. Business continuity plans / disaster recovery plans / backup and data restoration plans.

14. The adequacy and effectiveness of the internal control systems.

Deliverables
- Draft report including an executive summary of our findings, along with
recommendations and a risk analysis of the findings
- Final report incorporating management comments and the agreed priority plan
of action based on the exposure analysis
- Soft or hard copy of the checklist used for the audit
- Soft or hard copy of the audit methodology and documentation

Time Frame
The elapsed time for the assignment is approximately 4 weeks. We would require a lead time
of two weeks for commencing the assignment. The availability of the coordinating team, user
involvement, and the availability of resources and information from the auditee would also
impact the audit duration and time schedule, which we would communicate to you in advance.

Fees
The fee for this assignment is Rs. 8 lakhs, to be paid as follows:
- 25% advance with order
- 50% on submission of the interim report
- 25% on presentation of the final report

Out of Pocket Expenses

Travelling, boarding, lodging and conveyance expenses are to be reimbursed at actuals in case
of outstation travel.

Methodology and Strategy
adopted for execution of the assignment

Assignment Team
Our approach to selecting the right people for a project is to bring together the necessary
skills and experience for a particular assignment from the rich mix of skills and experience
available. The assignment would be executed under the personal supervision of, and led by,
Mr. Mahendra. The team would be a blend of professionals with extensive experience. The
team includes Chartered Accountants, IT professionals, management consultants and
certified Information Systems Auditors. The senior members of the team are:

- Piyus Jain
- Lokesh Jain
- Nikita Gupta

For conducting the IS audit we would adopt the following methodology:


Planning
Initial planning of audit activities

Defining
Risk assessment analysis

Evaluating
Detailed and critical analysis of the controls already prevalent

Audit Evidence
Collection of audit evidence through substantive and compliance
procedures

Reporting
Reporting on the basis of the evidence collected

Planning

- We have formed a separate IT audit team for the conduct of the IS audit of
Brandcom, as per SA 210 - “Agreeing the Terms of Audit Engagements”.
- Preliminary knowledge of the working operations of Brandcom - this consists of
basic knowledge of the IT infrastructure, organizational structure, organizational
hierarchy, critical business functions, hardware and software used, and the nature
and extent of risk affecting the critical business.

Sources used to gather knowledge:
- Prior study
- Observation
- Interview

Risk Assessment to define Audit Objective:

- Risk management is an essential requirement of a modern IT system where
security is important. It can be defined as a process of identifying risk, assessing
risk, and taking steps to reduce risk to an acceptable level, where risk is the net
negative impact of the exercise of a vulnerability, considering both the
probability and impact of occurrence.

The Three Security goals of information of any organization are:

INTEGRITY

CONFIDENTIALITY

AVAILABILITY

Standards for auditing used:

SA 315 - Risk identification and assessment requires the auditor to assess the risk that is a
part of the business environment and internal control system.

SA 320 - Audit Materiality - to report all findings having an impact on decision making.

SA 330 - It requires IS auditors to review whether management has designed and
implemented appropriate risk remediation measures and to provide recommendations.

SA 402 - It requires the auditor to consider audit considerations relating to entities using
service organisations.

AUDIT RISK - It is the risk that the auditor may issue an unqualified report due to the
auditor's failure to detect a material misstatement, whether due to error or fraud.
The three types of audit risk are:

INHERENT RISK - The risk of the entity's business as a whole, ignoring internal
controls. The higher the inherent risk and exposure, the higher the likelihood and
consequence of the risk, and the IS auditor will conclude that inherent risk is high.

CONTROL RISK - The risk that the internal control system, which is controllable by
management, will not prevent, or detect and correct, the risk on its own.

DETECTION RISK - The measure of the audit assessment that the risk exceeds the
tolerable level and that the IS auditor will not be able to detect it.

Audit risk = Inherent risk x Control risk x Detection risk

Audit Objective and Scope


Based on the risk assessment, audit objectives need to be designed. They are consistent with
the scope of the audit of the security controls as laid down in the engagement letter.
The audit objectives include audit of:
- Internal theft
- Physical access control
- Physical access monitoring
- Logical access control
- Audit trail
- Data transportation over the Internet
- Firewall
- Business recovery plans and disaster recovery plans
- Privacy

Scope is defined as the boundaries of the audit as listed in the audit engagement letter. After
the definition of the audit objectives, the IS AUDIT CHARTER will be prepared; the following
standards are to be used for the audit charter:
- The IS audit and assurance function shall document the audit function appropriately in an
audit charter, indicating purpose, responsibility, authority and accountability.
- The IS audit and assurance function shall have the audit charter agreed upon and
approved at an appropriate level within the enterprise.
Evidence Collection and Evaluation
Standard 3(e) in chapter III of the auditing standards of SAI India states:
“Competent, relevant and reasonable evidence should be obtained to support the auditor's
judgement and conclusions regarding the organization, programme, activity or function
under audit.”

Evidence collection:
- Observed processes and the existence of physical items
- Documentary audit evidence
- Analytical procedures
- Questionnaires

After evaluation of all the evidence, a draft audit report is prepared, which is set out in the
sections below.
“Planning does not guarantee execution.
Continuous follow up is required for effective implementation.”

Audit Plan
The audit plan would cover the following activities:
- Discussions with the IT department
- Internal audit department recommendations
- Systems / implementation teams
- Users and user management
- Review of the security policies manual
- Examination of access rights
- Observation of users
- Review of access control, physical and logical
- Review of the SLA agreement and its viability
- Data Service Solutions IT department

Documents reviewed
An extensive list of documents needs to be reviewed, such as the information security policy,
organization structure, vendor contracts or SLA, access matrix, audit findings, risk matrix, etc.
These documents will be the basis of the review and can be used for identifying control
weaknesses and providing recommendations.
The documents reviewed are:
- Organizational policy - basic objectives and an understanding of the purpose and
business objectives are mandatory for any audit
- Information security policy - to gain a basic understanding of the controls
prevalent and to define the need for, and gap between, the controls in existence
- Organizational hierarchical structure - to get a basic understanding of the roles and
responsibilities of the officials and to establish authority and accountability
- Basic documents relating to the business, technology and control environment
- Agreement with Data Service Solutions for the terms and conditions
- The backup plans and DRPs of Data Service Solutions as well as of Brandcom
- Staff training policy and programme, to get a basic understanding of the training
given to staff for maintaining security
- Previous reports of any professionals or audit findings on information security
- All documents relating to legal compliance
- Audit trails and logs taken from the system to perform the gap analysis
- Any report by third-party experts and peer review
- Management representations
- Inquiry and questionnaire relevant for the security purpose
- Audit evidence collected by CAAT methods
- Agreements entered into between Brandcom and customers
- Agreements entered into between Brandcom and payment authorizing agents
- Documentary evidence for the payment and authorization process
- List of employees with the job responsibilities assigned to them
- CCTV footage to confirm the working of all CCTV cameras
- Evidence of logical security access controls, such as the list of persons authorized
to log in and the list of persons who logged in within a week
- Weekly reports from Data Service Solutions of data storage, on a test basis
- Proposal documents from different vendors

CHECKLIST FOR THIS AUDIT:
We as IS auditors have weighed the trade-offs of a SaaS ERP against the risks and benefits it
would have if implemented, which are as follows:
SaaS-based ERP also comes with trade-offs. Initial cost savings may eventually evaporate.
"When you look out longer term -- five to seven years -- the cost-benefit tends to be
somewhat of an illusion, and SaaS may actually end up being more expensive than an on-
premises application. It's like leasing a car; those monthly payments never go away for the
life of the lease." The organization has to consider the following issues before implementing
the SaaS-based proposal:
1. Will a move to the cloud require complex integrations with in-house applications?
"Our ERP solution integrates with about 50 other programs. These applications must
exchange data with each other, so in addition to creating dozens of interfaces, the
organization would need enough network bandwidth to keep latency low between the
data center and the cloud."
2. Is the application business critical?
"ERP is used widely across our organization -- for accounting, purchasing, HR, capital
asset management -- so it's a very critical business application. That means to move into
the cloud, we would have to buy additional disaster recovery and a high-availability
service to make sure it doesn’t go down."
3. Does the application contain proprietary information whose public exposure would
damage an individual or the organization?
The ERP platform stores Social Security information for employees as well as the tax IDs
for vendors the utility uses. "There's definitely a lot of sensitive information."
4. How costly will it be to move to the cloud?
Expenses for enhanced bandwidth and personnel resources for custom integrations
represent added SaaS costs compared to the current platform. Initially, the cloud
would be costly rather than cost effective.
5. Can the application be moved to the cloud in a manageable amount of time that doesn't
negatively impact business operations?
It is estimated that testing, integration and other activities would require months of
work. In contrast, the new capabilities in the on-premises upgrade would be available to
end users much sooner.

1. Safeguarding of Assets:
The IS auditors will require concentrating on the following areas to ensure that the
Information Systems Assets of the organization are safeguarded:
A. Environmental Security
B. Uninterrupted Power Supply
C. Electrical Lines
D. Data Cables & Networking Products
E. Fire Protection
Page 16
F. Insurance of Assets
G. Annual Maintenance Contract
H. Logical Security & Access Control - Operating System Level
I. Logical Security & Access Control - Application System Level
The IS auditor shall be required to verify/inspect the following points in respect of the areas
mentioned above.
A. Environmental Security:
The IS auditors should verify whether:
I. There is a separate room for the server.
II. Server room has adequate space for operational requirements.
III. Server room is visible from a distance, but is not easily accessible.
IV. Server room is away from the basement, water/drainage systems.
V. The server room can be locked and the key is under the custody of the authorized
persons (System Administrator) only. Entry doors are protected by biometric/PIN or
proximity key card access verification. Any failed attempts or system tampering, as
well as unscheduled movement in restricted areas, glass breakage or the opening of
doors, must be logged and immediately reported to the control staff at the
site. The biometric system must store a record of all access attempts, successful or not.
VI. To access any equipment in the Data Centre, one has to pass through (preferably) a
minimum of two separate security doors, utilizing biometric/PIN and/or proximity
key card access verification facilities.
VII. Server is not in close proximity to the UPS room.
VIII. Access to server room is restricted to authorized persons and activities in the server
room are monitored.
IX. Air-conditioning system provides adequate cooling.
X. Storage cabinets for stationery and other such items are not kept inside the
server room.
XI. All walls with potential access points are heavily reinforced.
XII. Humidity and heat measuring instruments (thermometer and hygrometer) are
installed in the server room.
XIII. Temperature readings are taken throughout the raised floor and equipment areas,
power rooms, basement, diesel fuel storage area, and roof, generator, cooling
towers, waiting and display areas.
XIV. Smoking, eating and drinking are prohibited in the server room to prevent spillage of
food or liquid into sensitive computer equipment.
XV. Briefcases, handbags and other packages are restricted from the server room, tape
library and other sensitive computer areas to prevent unauthorized removal of data
held on removable media and to prevent entry of unacceptable material into the
area.
XVI. Server room is neat and clean to ensure dust free environment.
XVII. Scanners are kept in safe custody and access is restricted.
XVIII. Floppy disk drives on the nodes can be disabled, if necessary for better security.
XIX. The Data Centre location is chosen so that police protection and fire services can
reach it within a very short time, say 5-10 minutes.
B. Uninterrupted Power Supply:
In addition to the availability of the Generator facility at the site, the IS auditor should
verify whether:
I. There is a separate enclosure and locking arrangement for the UPS.
II. Maintenance agency provides battery service regularly.
III. There is a regular contract for maintenance of the UPS and the preventive
maintenance is carried as per the contract.
IV. A record of the tests undertaken is maintained to verify the satisfactory
functioning of the UPS.
V. UPS cabin has adequate ventilation to take care of acid fumes emitted by the Lead
Acid batteries.
VI. Capacity of the UPS system is sufficient to take care of the electricity load required
for computers installed.
VII. UPS is free of the electricity load relating to the tube-lights, fans, water coolers etc.
VIII. UPS functions properly when electricity fails.
C. Electrical lines:
The IS auditors should verify whether:
I. There is a separate dedicated electrical line for the computer equipment.
II. Power supply to computer equipment is through UPS system only.
III. The electrical wiring is concealed and is not hanging from the ceiling or nodes.
IV. The circuit breaker panels are kept locked.
D. Data Cables:
The IS auditors should verify whether:
I. A map of the cable layout is kept in a secure place under proper authority. This is
helpful in timely and fast repair of LAN cable faults.
II. Cabling is properly identified and recorded as fiber optic, co-axial, unshielded twisted
pair (UTP) or Shielded Twisted Pair (STP).
III. Electrical cable and data cable do not cross each other to avoid possible disturbance
during data transfer within the network.
E. Fire Protection:
The IS auditors should verify whether:
I. Fire alarm system is installed.
II. Smoke detectors are provided in the server room and in the other areas of computer
installations.
III. Smoke detectors are tested on a regular basis to ensure that they work.
IV. Gas type (carbon dioxide, Halon, clean agent etc.) fire extinguishers are installed at
strategic places like the server room, UPS room and near the nodes and printers. Note that
Halon is no longer produced under the Montreal Protocol, so a clean-agent replacement
should be in place wherever Halon systems are still listed.
V. Dry powder or foam type extinguishers are not used, as they tend to leave
deposits.
VI. Staff knows how to use the fire extinguishers.
VII. Fire extinguishers are regularly refilled /maintained.
VIII. An evacuation plan is documented and rehearsed at regular intervals for taking
immediate action in the case of the outbreak of fire.
F. Insurance:
The IS auditors should verify whether:
I. All the computer equipment is covered under an appropriate electronic
equipment insurance policy with a reputed insurance firm.
II. A record of the original policy is maintained with a detailed list of the equipment
covered under the policy.
III. Information regarding shifting of computer equipment to or from or within the
department/office is conveyed to the insurance firm.
IV. Adequacy of the insurance cover should be verified as per the policy of the
organization.
G. Annual Maintenance Contract:
The IS auditors should verify whether:
I. Stamped agreements for maintenance contract are executed and available.
II. Activities carried out during maintenance are recorded in the registers and
duly authenticated.
III. Contract renewal dates are recorded in the register.
IV. Access for maintenance purpose is granted only on verifying the identity of the
serviceperson.
V. The maintenance staff support is available in time.
H. Logical Security & Access Control–Operating System Level:
The IS auditors should verify whether:
I. Access to the systems is only through password protected user IDs.
II. Operating System (OS) allots unique user identity (ID) for all users.
III. OS provides for different levels of access rights to volumes, directories and files.
IV. OS prompts for change of the user password after the lapse of specified periods.
V. OS ensures secrecy and security of the user passwords and the access rights granted
to a user.
VI. Unrestricted access to the systems is provided only to the System Administrator.
VII. Administration level access is restricted to authorized and limited persons.
VIII. All the security features available in the OS are enabled/taken advantage of as far as
possible for ensuring better security.
IX. Administration access is not available to officials who are under notice
period, retiring shortly, under disciplinary action etc.
X. OS provides for loading of virus prevention software and is implemented.
XI. A record is maintained and authenticated regarding the installation of the Operating
System, its upgrades, re-installation and maintenance.
XII. A register is maintained in respect of all the OS level users, giving details such as
the date of creation, suspension, cancellation, access rights granted, purpose of
creation etc.
XIII. Users created for audit/maintenance purpose are disabled immediately after the
work is over.
XIV. The department reviews the number of the OS level users periodically.
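The OS-level checks above (unique IDs, password ageing, no unrestricted access beyond the administrator, temporary accounts disabled) can be partly automated. The following is an added example, not part of the original report: a Python script that audits Linux local accounts from /etc/passwd and /etc/shadow. The sample file contents, the 90-day maximum password age and the list of temporary audit/maintenance accounts are constructed assumptions; a real run would read the live files as root or an exported copy.

```python
"""Audit Linux local accounts against checklist H (OS-level access control).

Added example; not from the original report. SAMPLE_PASSWD / SAMPLE_SHADOW are
constructed data in the real /etc/passwd and /etc/shadow layouts.
"""
from collections import defaultdict

MAX_PASSWORD_AGE_DAYS = 90            # assumed policy value (H.IV)
TEMPORARY_ACCOUNTS = {"auditvisit"}   # assumed: audit/maintenance users from the register (H.XIII)

# Constructed. Fields: name:pw:uid:gid:gecos:home:shell
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sysadmin:x:1000:1000:System Administrator:/home/sysadmin:/bin/bash
backupop:x:0:1001:Backup Operator:/home/backupop:/bin/bash
clerk1:x:1002:1002:Branch Clerk:/home/clerk1:/bin/bash
clerk2:x:1002:1003:Branch Clerk 2:/home/clerk2:/bin/bash
auditvisit:x:1004:1004:Temporary audit user:/home/auditvisit:/bin/bash
legacy:x:1005:1005:Legacy account:/home/legacy:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

# Constructed. Fields: name:hash:lastchange:min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
root:$6$saltsalt$hash1:19700:0:90:7:::
sysadmin:$6$saltsalt$hash2:19700:0:90:7:::
backupop:$6$saltsalt$hash3:19700:0:99999:7:::
clerk1:$6$saltsalt$hash4:19700:0:90:7:::
clerk2:$6$saltsalt$hash5:19700:0:90:7:::
auditvisit:$6$saltsalt$hash6:19700:0:90:7:::
legacy::19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""


def parse_colon_file(text):
    """Map account name -> list of fields for passwd/shadow style files."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text, max_age=MAX_PASSWORD_AGE_DAYS,
                   temporary=TEMPORARY_ACCOUNTS):
    """Return (rule, account, detail) findings for the OS-level checks."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []

    # H.II: a shared UID is one identity with two names, so accountability is lost.
    uid_owners = defaultdict(list)
    for name, f in passwd.items():
        uid_owners[int(f[2])].append(name)
    for uid, names in uid_owners.items():
        if len(names) > 1:
            findings.append(("duplicate-uid", ",".join(sorted(names)), f"uid {uid} shared"))
    # H.VI / H.VII: unrestricted (uid 0) access belongs only to the administrator account.
    for name in uid_owners.get(0, []):
        if name != "root":
            findings.append(("extra-uid0", name, "second uid 0 account"))

    for name, f in passwd.items():
        if f[6].endswith(("/nologin", "/false")):
            continue  # service account that cannot log in interactively
        s = shadow.get(name)
        if s is None:
            findings.append(("no-shadow-entry", name, "no /etc/shadow record"))
            continue
        hashed, max_days = s[1], s[4]
        locked = hashed.startswith(("!", "*"))
        if hashed == "":  # H.I: login is only through password-protected IDs
            findings.append(("empty-password", name, "interactive login without a password"))
        if not locked and (max_days == "" or int(max_days) > max_age):  # H.IV
            findings.append(("password-never-expires", name,
                             f"max age {max_days or 'unset'} > {max_age}"))
        if name in temporary and not locked:  # H.XIII
            findings.append(("temporary-account-active", name,
                             "audit/maintenance user not disabled"))
    return findings


if __name__ == "__main__":
    for rule, account, detail in audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{rule:26} {account:20} {detail}")
```

On the constructed data the script flags the shared UID 0 (backupop), the two clerks sharing UID 1002, the legacy account with an empty password and no expiry, and the temporary audit user that was never disabled. The same checks can be re-run before sign-off to confirm that the register of OS users (H.XII) matches the host.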
I. Logical Security &Access Control – Application System Level:
The IS auditors should verify whether:
I. System provides for unique user IDs and password for all users.
II. System provides for different levels of access.
III. System prompts for change of user password after lapse of specified period.
IV. System ensures secrecy and security of the user passwords and the access rights
granted to users.
V. Unrestricted access to the entire application system menus is provided only to a
Super User.
VI. Application makes use of all the security features available at the Application System
level.
VII. Super User access in application level is not given to staff who is under notice period,
retiring shortly, under disciplinary action etc.
VIII. The application system user list is periodically reviewed.
IX. The access privileges granted in the system are in accordance with the
designation/duties performed.
X. None of the staff members has multiple level or duplicate access ID in the system.
XI. Allocation of a suspended or disabled user ID to new users is avoided.
XII. Active user IDs of the transferred, retired, suspended or dismissed employees are not
present in the system.
XIII. There is no dummy user ID created in the system.
XIV. The user ID of staff on long leave, training etc. is suspended.
XV. The system logs out automatically if the user is inactive for a specified time (or the
user consciously logs out when he/she leaves a terminal).
XVI. System does not allow concurrent log in to a single user ID from different nodes.
XVII. Users, created for maintenance purpose, are cancelled on completion of the job.
XVIII. The system does not allow a user to cancel his/her own user ID.
XIX. The authority periodically reviews the user login status report.
XX. Users do not share their passwords.
XXI. Passwords made up of alphanumeric characters are used.
XXII. Users do not write their passwords on walls, desk diaries etc. and are aware of the need
for secrecy of their passwords.
XXIII. The system automatically locks the user ID after a specified number of unsuccessful
login attempts.
XXIV. User logs indicating date, time, node, user ID, transactions performed etc. are
generated by the system and evaluated by the System Administrator.
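Several of the application-level checks above are only verifiable from the login log the system generates: whether a retired employee's ID still logs in (XII), whether one ID is logged in from two nodes at once (XVI), and whether the account actually locks after repeated failures (XXII). The following added example, not part of the original report, reviews such a log in Python. The log line format, the event names LOGIN_OK/LOGIN_FAIL/LOGOUT, the three-failure lockout threshold and the HR register are constructed assumptions to be mapped onto the real application's export.

```python
"""Review an application login log against checklist I (XII, XVI, XXII, XXIII).

Added example; not from the original report. Log format, event names, register
and lockout threshold are constructed assumptions.
"""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # assumed policy: ID must lock after 3 consecutive failures (I.XXII)

# Constructed HR/user register (I.XII): only "active" users may log in.
USER_REGISTER = {
    "clerk1": "active",
    "clerk2": "active",
    "officer1": "active",
    "rsharma": "retired",
}

LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) node=(?P<node>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>LOGIN_OK|LOGIN_FAIL|LOGOUT)$"
)

# Constructed sample log (assumed format: timestamp node user event).
SAMPLE_LOG = """\
2024-03-04 09:00:05 node=BR01-T01 user=clerk1 event=LOGIN_OK
2024-03-04 09:00:40 node=BR01-T02 user=clerk2 event=LOGIN_FAIL
2024-03-04 09:00:52 node=BR01-T02 user=clerk2 event=LOGIN_FAIL
2024-03-04 09:01:03 node=BR01-T02 user=clerk2 event=LOGIN_FAIL
2024-03-04 09:01:15 node=BR01-T02 user=clerk2 event=LOGIN_FAIL
2024-03-04 09:01:30 node=BR01-T02 user=clerk2 event=LOGIN_OK
2024-03-04 09:05:00 node=BR01-T07 user=clerk1 event=LOGIN_OK
2024-03-04 09:06:00 node=BR01-T01 user=clerk1 event=LOGOUT
2024-03-04 09:10:00 node=BR01-T04 user=rsharma event=LOGIN_OK
2024-03-04 09:11:00 node=BR01-T03 user=officer1 event=LOGIN_FAIL
2024-03-04 09:11:20 node=BR01-T03 user=officer1 event=LOGIN_OK
this line is not a login record
"""


def parse_log(text):
    """Return parsed records and the lines that did not match (I.XXIII: the log must be complete)."""
    records, rejected = [], []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
        elif line.strip():
            rejected.append(line)
    return records, rejected


def review_logins(text, register=USER_REGISTER, threshold=LOCKOUT_THRESHOLD):
    """Return (rule, user, detail) findings, processing events in log order."""
    records, rejected = parse_log(text)
    findings = [("unparsable-line", "-", line) for line in rejected]
    consecutive_failures = defaultdict(int)
    active_nodes = defaultdict(set)  # user -> nodes with a live session
    for r in records:
        user, node, event = r["user"], r["node"], r["event"]
        if event == "LOGIN_FAIL":
            consecutive_failures[user] += 1
            continue
        if event == "LOGOUT":
            active_nodes[user].discard(node)
            continue
        # event == LOGIN_OK
        if consecutive_failures[user] >= threshold:  # I.XXII: lockout should have prevented this
            findings.append(("lockout-not-enforced", user,
                             f"login succeeded after {consecutive_failures[user]} failures at {r['ts']}"))
        consecutive_failures[user] = 0
        if register.get(user) != "active":  # I.XII: transferred/retired/dismissed IDs must be gone
            findings.append(("inactive-user-login", user,
                             f"status={register.get(user, 'not in register')} at {r['ts']}"))
        other = active_nodes[user] - {node}
        if other:  # I.XVI: no concurrent login from different nodes
            findings.append(("concurrent-login", user,
                             f"{node} while still logged in at {','.join(sorted(other))}"))
        active_nodes[user].add(node)
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_logins(SAMPLE_LOG):
        print(f"{rule:22} {user:10} {detail}")
```

On the sample, clerk2 logs in successfully after four failures (lockout not enforced), clerk1 opens a second session on BR01-T07 before logging out of BR01-T01, and the retired user rsharma still logs in; the malformed line is reported separately because an audit log the parser cannot read is itself a finding.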
2. Data Integrity:
The IS auditor will require addressing, among others, the following areas under IS auditing:
A. Data Input Controls
B. Data Processing Controls
C. Patch Programs
D. Purging of Data Files
E. Backup of data
F. Restoration of Data
G. Business Continuity Planning
H. Output Reports
I. Version Control
J. Virus Protection
A. Data Input Controls:
Organizations in the banking and financial sector undertake diverse activities
relating to the receipt of deposits, advancement of credit, investment of funds etc.
Further, their areas of operation and the level of economic activity could also
differ. All these activities, the transactions resulting from them, the data inputs
they require and the data input controls that need to be in place in the organization
will require to be judiciously addressed.
Illustratively, such data input controls may relate to the following areas of
activity, and the IS auditors will require to verify the same:
I. History of signatures scanned is available in the system.
II. The entire stock of cheques is fed to the system.
III. The cheque books issued are entered and confirmed in the system on a day-to-day
basis.
IV. The data fed into various accounts including the customer accounts is accurate and
correct.
V. Clear administrative guidelines exist regarding access to live data.
VI. Clear guidelines exist for on-line transactions including those put through the
INTERNET by the Customers.
VII. Data Administration is a part of System Administration; however, Database
Administration is separate from System Administration.
VIII. The Data Administrator (DA) and Database Administrator (DBA) are independent of both
systems development and operational activities.
IX. The roles of DA and DBA are clearly defined in respect of , among others, (i)
definition, creation & retirement of data, (ii) database availability to Users, (iii)
information and services to Users, (iv) maintenance of database integrity and (v)
monitoring and performance.
B. Data Processing Controls:
The IS auditor should verify whether:
I. The designated/authorized officials perform the start-of-day process.
II. The operating staff pay attention to the error messages displayed on the screen and
initiate corrective action.
III. Entries are cancelled only by the appropriate authority.
IV. Cash entries are not deleted from the system.
V. Prescribed reports are generated at the end-of-day process.
VI. Print outs are scrutinized and preserved.
VII. Proper record is maintained in respect of the corrections made in database under
authentication.
VIII. Master data printouts are preserved carefully
IX. Input to the system through floppy is monitored and controlled.
X. Use of the scanner is monitored and controlled.
C. Patch Programs:
The IS auditors should verify whether:
I. The application programs are exactly identical with the standard list of approved
programs in respect of file name, file size, and date and time of compilation. A
cryptographic hash of each file is a stronger check, since size and timestamps can be
preserved by a tampered build.
II. Only approved programs have been loaded in the system.
III. There are no programs on the system other than the approved ones.
IV. There is a record of the patch programs used and the reason thereof, duly
authenticated.
D. Purging of Data Files:
The IS auditors should verify whether:
I. Purging activity is recorded and maintained in a register.
II. Purged backup media is kept properly under safe custody.
III. Access to purged data is restricted.
E. Back up of Data:
The IS auditors should verify whether:
I. All the floppies/CDs/tapes, purchased, pertaining to the OS software, application
software and utility programs, drivers etc. are recorded in a register and properly
stored.
II. Hardware, software, operating system, printer manuals are properly labeled and
maintained.
III. Latest user manuals of the application software and other end-user packages
running on the system are available for guidance.
IV. Daily/weekly/monthly and quarterly back-up of data is taken without fail and is
available (as per requirement).
V. Backup tapes are properly labeled and numbered.
VI. Proper storage procedures and facilities are in place for backup copies.
VII. There is offsite storage of one set of the backup data.
VIII. Backup tapes are verified / tested periodically by restoring the data and record
maintained.
IX. Backup media is verified periodically for readability.
X. Record is available in respect of such verification.
XI. Backup media are phased out of use after a specified period.
XII. A backup register is maintained wherein all the events pertaining to the backup,
including the procedure of backup, are recorded.
XIII. Physical and fire protection is provided to back up media.
F. Restoration of Data:
The IS auditors should verify whether:
I. The Instructions for restoration of the back-up data have been compiled.
II. The data integrity is verified after the restoration work is over.
III. Activities carried out during the restoration work are recorded indicating date,
time, reason for restoration and size of the data restored.
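Both checklist C (approved program set) and checklist F (data integrity after a restore) reduce to the same control: compare what is on disk with an authenticated manifest. The following added example, not part of the original report, builds such a manifest in Python with file size and SHA-256 per file, then verifies a directory against it, reporting modified, missing and unexpected files. The file names, contents and the simulated unapproved patch are constructed; the demo runs in a temporary directory so it is self-contained.

```python
"""Approved-program / restore manifest with SHA-256 verification.

Added example; not from the original report. Serves checklist C (patch programs)
and F (restoration of data). File and directory names are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Stream the file so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record every file under root as relative-path -> {size, sha256}."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = {
                "size": p.stat().st_size,
                "sha256": sha256_of(p),
            }
    return manifest


def verify_manifest(root, manifest):
    """Compare the tree at root with an approved manifest.

    'modified' covers any hash mismatch; 'size_matches_but_hash_differs' isolates
    the cases a size/timestamp-only check (checklist C.I) would have missed.
    """
    current = build_manifest(root)
    result = {"modified": [], "missing": [], "unexpected": [],
              "size_matches_but_hash_differs": []}
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            result["missing"].append(rel)
        elif actual["sha256"] != expected["sha256"]:
            result["modified"].append(rel)
            if actual["size"] == expected["size"]:
                result["size_matches_but_hash_differs"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def demo():
    """Build an approved manifest, then simulate an unapproved patch, an extra program and a lost file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "lib").mkdir()
        (root / "ledger.exe").write_bytes(b"approved ledger build 4.2")        # constructed
        (root / "report.exe").write_bytes(b"approved report build 4.2")        # constructed
        (root / "lib" / "posting.dll").write_bytes(b"approved posting library")  # constructed

        # Round-trip through JSON: this is how the manifest would sit in the register.
        approved = json.loads(json.dumps(build_manifest(root)))

        patched = bytearray((root / "ledger.exe").read_bytes())
        patched[0] ^= 0x01  # same name, same size, different content: an unapproved patch
        (root / "ledger.exe").write_bytes(bytes(patched))
        (root / "hotfix.exe").write_bytes(b"unapproved patch program")
        (root / "report.exe").unlink()  # lost in a bad restore
        return verify_manifest(root, approved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest itself must be stored where the people who can change programs cannot change it (for instance signed and kept with the authenticated patch register under C.IV), otherwise an attacker who replaces a program simply regenerates the manifest. After a restoration (F.II) the same verify_manifest call over the restored tree, against the manifest taken when the backup was made, is the integrity evidence to record alongside the date, time and size of the restore.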
G. Business Continuity Planning(BCP):
The IS auditors should verify whether:
I. Business continuity plan has been documented.
II. The BCP covers all levels of disaster from partial to total destruction of activities and
contains guidelines to help determine the level of recovery necessary.
III. A copy of the plan is securely stored offsite.
IV. Detailed restart procedure has been documented in the plan.
V. BCP has been tested and is regularly tested to assess its effectiveness.
VI. There is awareness among the staff members about the BCP and the modalities of
its execution in case of an emergency.
VII. Ready or alternate source of hardware/software is there to resume business
activity within the shortest possible time after disruption.
VIII. A reliable backup of data and software is available at all times for restoration.
H. Output Reports:
The IS auditors should verify whether:
I. The audit trail report records the user ID of the operator and of the authorizing official
for any addition/modification/deletion of transaction data effected in the database.
II. Audit trail report is generated daily. Entries are scrutinized and verified.
III. Audit trail report indicates the evidence/information of unauthorized access
outside application menu.
IV. List of the cancelled entries is scrutinized and reasons for cancellation are recorded.
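The end-of-day audit trail review above is mechanical enough to script. The following is an added example, not part of the original report: Python that reads a constructed audit trail export and flags changes with no authorizing official, changes a user authorized for himself (no segregation between input and authorization), cancellations and deletions with no recorded reason, deletions of cash entries (prohibited under Data Processing Controls IV), and business-data changes posted under an administrator ID. The CSV column layout, the user IDs, the table names and the administrator list are all assumptions.

```python
"""End-of-day review of the application audit trail (checklist H, Output Reports).

Added example; not from the original report. CSV layout, user IDs, table names
and the administrator list are constructed assumptions.
"""
import csv
import io

SYSTEM_ADMIN_IDS = {"sysadmin"}       # assumed: administrators must not post transactions
NO_DELETE_TABLES = {"cash_entries"}    # Data Processing Controls IV: cash entries are never deleted

# Constructed sample export. Columns are assumed; 'official' is the authorizing user.
SAMPLE_TRAIL = """\
date,time,operator,official,action,table,record_id,reason
2024-03-04,10:02:11,clerk1,officer2,ADD,vouchers,V1001,
2024-03-04,10:05:40,clerk1,clerk1,MOD,vouchers,V1001,
2024-03-04,10:07:02,clerk2,,CANCEL,vouchers,V0998,
2024-03-04,10:09:15,clerk2,officer2,DEL,cash_entries,C0551,duplicate entry
2024-03-04,10:11:30,sysadmin,officer2,MOD,vouchers,V1002,
2024-03-04,10:15:00,clerk1,officer2,CANCEL,vouchers,V1003,wrong account
"""


def review_audit_trail(text, admins=SYSTEM_ADMIN_IDS, no_delete=NO_DELETE_TABLES):
    """Return (rule, table/record, detail) findings for each exception in the trail."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        key = f"{row['table']}/{row['record_id']}"
        op, off, act = row["operator"], row["official"], row["action"]
        if off == "":  # every change needs an authorizing official (Output Reports I)
            findings.append(("unauthorised-change", key,
                             f"{act} by {op} with no authorising official"))
        elif op == off:  # maker and checker must differ (Organization X)
            findings.append(("self-authorised", key,
                             f"{op} both entered and authorised the {act}"))
        if act in ("DEL", "CANCEL") and row["reason"].strip() == "":  # Output Reports IV
            findings.append(("no-reason-recorded", key, f"{act} without a recorded reason"))
        if act == "DEL" and row["table"] in no_delete:
            findings.append(("prohibited-delete", key, f"DEL on {row['table']}"))
        if op in admins:  # administrators manage the system, they do not transact
            findings.append(("admin-posted-transaction", key, f"{op} changed business data"))
    return findings


def summarise(findings):
    """Count findings per rule for the daily review sheet."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    found = review_audit_trail(SAMPLE_TRAIL)
    for rule, key, detail in found:
        print(f"{rule:26} {key:22} {detail}")
    print(summarise(found))
```

The review is only as good as the trail: it assumes the application writes the operator and the official for every row (Output Reports I) and that the export the auditor receives is the complete day, which is why the daily generation of the report (Output Reports II) is itself on the checklist.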
I. Version Control:
The IS auditors should verify whether:
I. The computer system has Authorized Version of an OS, Authorized Version of anti-
virus software with its latest updates.
II. There exist the documentary evidence/information about the authenticity and the
right to use the copy of the OS software, OS system utility, third party software, the
run time system of specified language or database in use and the anti-virus
software.
III. Legally licensed copies of the software are used for computerized operations and
the licenses are currently in force.
IV. Changes made to the application software are approved by the controlling
office/department.
J. Virus Protection:
The IS auditors should verify whether:
I. Anti-virus software is loaded in the system.
II. Anti-virus software is regularly updated so that it covers the latest viruses.
III. All external removable media (floppies, CDs etc.) are checked for viruses, including
the media carried by the IS auditors.
3. System effectiveness:
The IS auditors should verify whether:
I. Computerized operations provide better customer service in terms of time and
quality.
II. Staff serves a larger number of customers during the day than prior to the
introduction of online operations.
III. Customer information is provided timely and accurately.
IV. The system reflects any improvement in the overall quality of products and services
offered.
V. System has improved the tasks accomplishment capacity of its users by enabling
them to be more productive.
VI. Users are satisfied with the performance of the system.
VII. System is user friendly and takes less effort.
VIII. Users put the software to frequent use, finding it easier to use and requiring less
effort, and are satisfied with its performance.
4. System Efficiency:
The IS auditors should verify whether:
I. Department/Office ensures the use of every computer asset.
II. Department/Office utilizes every computer asset to its optimum capacity.
III. Periodical maintenance of the hardware asset ensures its uninterrupted service.
IV. The online operations help complete day’s workload on the same day consuming
less time than the time taken for the respective manual operations.
V. The online operations provide accurate, complete and consistent data at each stage
of processing.
VI. Department/Office takes consistency check of balances daily to aid in the detection
of errors or fraud.
VII. Department/Office uses the hardware peripherals such as printers, nodes etc.
efficiently.
5. Organization and Administration:
The IS auditors should verify whether:
I. There is an Information Systems Security Programme for the entire organization,
approved by the Board of Directors.
II. There is a Corporate Information Systems Security Policy, well defined,
documented and implemented, including an Information Systems Security Awareness
Programme.
III. There is an established hierarchy in the organization with a Senior Executive in
charge of the implementation of the Corporate Security Policy with Information
Systems Security Officials at various levels in an Office.
IV. A System Administrator is identified for each computerized Office/Department, as
required.
V. Job description for each level is prepared and implemented (including System
Administrator).
VI. Training is imparted to all staff members in turn for better results and output.
VII. The entire staff is involved /motivated for working in the online environment.
VIII. The department allots online jobs to staff members after assessing performance
parameters like willingness, aptitude, expertise, skill, experience and knowledge.
IX. Record is maintained showing details of the work assigned, period of assignment,
rotation, training imparted, login name and acknowledgement obtained.
X. The functions of initiating, authorizing, inputting, processing and checking of the
data are separated to ensure that no person has complete control over a particular
function. Therefore, abuse of that function is not possible without collusion
between two or more individuals.
XI. Rotation of duties is carried out at regular intervals.
XII. System Administrator is supervised and controlled with respect to the creation of
user ids at the OS level and Application Software level.
XIII. There are at least two persons for each key function of online operations to take care
of absenteeism.
XIV. Department/Office ensures to bring up the servers into operation readiness
sufficiently in advance before the commencement of the business hours.
XV. Computers are covered to keep them free from dust, rain water etc.
XVI. There is clear communication from the Management of the organization to the effect
that each member of the staff is responsible for maintaining security in the organization,
as per the Security Policy.
References
The following standards have been referred to for the audit assignment:
 SA 315 - Identifying and assessing the risks of material misstatement; requires the
auditor to assess the risk that is part of the business environment and the internal
control system.
 SA 330 - The auditor's responses to assessed risks; requires the IS auditor to review
whether management has designed and implemented appropriate risk remediation
measures and to provide recommendations.
 SA 402 - Requires the auditor to consider audit considerations relating to entities
using service organizations.
 ISO 27001- Information Security Management Standard - It is the international
best practice and standard for an information security management system
(ISMS). It is a systematic approach to managing confidential or sensitive
information, so that it remains secure.
 ISO 27002 - An auxiliary standard which provides more detail on how to
implement the security controls specified in ISO 27001.
 ISO 27005 - Describes risk assessment procedures in more detail.
 BS 25999-2 - Gives a detailed description of Business Continuity Management (since
superseded by ISO 22301).
 COBIT - An IT governance framework and supporting toolset that allows
managers to bridge the gap between control requirements, technical issues and
business risks. It emphasizes regulatory compliance, helps the organization to
increase the value attained from IT and enables alignment of IT with the business. The
five COBIT 5 principles are:
1. Meeting stakeholder needs
2. Covering the enterprise end to end
3. Applying a single integrated framework
4. Enabling a holistic approach
5. Separating governance from management
 ITIL (IT Infrastructure Library) - A set of practices for IT service management
that focuses on aligning IT services with the needs of the business.
 SysTrust and WebTrust - Two specific services developed by the AICPA that
are based on the Trust Services principles and criteria. SysTrust engagements are
designed for the provision of advisory and assurance services on the reliability of a
system. WebTrust engagements relate to assurance or advisory services on an
organization's systems related to e-commerce.
 The Security Rule (HIPAA) - Lays down three types of security safeguards
required for compliance: administrative, physical and technical.
 Information Technology Act 2000 (amended in 2008)
 Under Sec 43A of the (Indian) Information Technology Act 2000, where a body
corporate that is processing, dealing with or maintaining any sensitive personal
data is negligent in implementing and maintaining reasonable security
practices, resulting in wrongful loss or gain to any person, that body corporate
is liable to pay damages to the person affected.
 The Act also recognizes and punishes offences committed by companies and by
individual (employee) action.
 Under Sec 72A, disclosure of information knowingly and intentionally, without the
consent of the person concerned and in breach of a lawful contract, is
punishable.
 ITAF (Information Technology Assurance Framework) - ISACA has issued ITAF, a
comprehensive good-practice-setting reference model that:
 establishes standards that address audit and assurance professionals' roles
and responsibilities, knowledge and skills, and diligence, conduct and
reporting requirements;
 defines terms and concepts specific to IS assurance;
 provides guidance, tools and techniques on the planning, design, conduct
and reporting of IS audit and assurance assignments.
 SA 402 (Revised) - Audit considerations relating to an entity using service
organizations. This SA deals with the auditor's responsibility when the entity uses the
services of another entity (a service organization).
 Extra references:
 Chapter 8 of the ICAI Knowledge Gateway on Information Security
 IT Process & Methodology issued by the Office of the Comptroller & Auditor
General of India
 IT Audit Manual issued by the Reserve Bank of India
Deliverables
 Draft report including an executive summary of the findings and recommendations,
with a risk analysis of the findings
 Final report incorporating Management Comment & agreed priority plan
of action based on exposure analysis
 Soft or hard copy of checklist used for the audit
 Soft or hardcopy of Audit Methodology and documentation
 A PPT Presentation before board of directors
IS Audit Report
Objectives of the Assignment -
The primary objective of this Information System Audit assignment was to provide assurance
to the management of Brandcom for the vendor proposal of cloud services considering the
findings and recommendations of internal audit department and provide our final
recommendations on acceptance of the proposal and remedial measures to be taken to
ensure successful outsourcing, if recommended. The implied security, data privacy and
compliance requirements as applicable, such as sensitive personal data information (SPDI),
cloud provider policies and procedures and data leakage protection, are also to be reviewed.
Scope of Review / Terms of Reference
Based on an understanding of Broadcom's needs for conducting an IS audit of security, it was
decided to primarily focus on reviewing the recommendations made by the Internal Audit
department and the organization's security controls and data privacy policies and procedures.
The review of security controls was with the objective of ensuring the availability,
confidentiality and integrity of the data processed, so as to mitigate security risk and ensure
that the security controls are implemented so as to provide a safe and secure computing
environment. The detailed scope of review/methodology was also agreed. Broadly the
overall scope of review involved the following:
Recommendations made by internal audit department have been reviewed as follows:-
 Assumptions taken by internal audit department.
 Impact of findings on organization’s data privacy & their key processes migration.
 Impact of outsourcing IT services: whether the IT department has considered the
usability of the current IT infrastructure, including the hardware, operating system,
database and application software, and the impact of the proposed solution on the
existing structure, which also has to be studied before taking a decision.
Scope also includes reviewing selection process of vendor as well as term of negotiation
with vendor.
Review of selection Process of vendor:-
 Selecting Software as a Service (SaaS) vendor can be challenging. In some cases, the
'selection process' consists of entering corporate credit card information and
agreeing to a dozen pages of unread terms and conditions; in other situations, it may
be part of a lengthy procurement process. Here are some items to consider as you
embark on selecting a SaaS vendor.
1: What happens to your data if you sever ties with the vendor?
 It may seem a bit unsavory to start considering your 'divorce' from a SaaS provider
before you've even officially coupled, but you don't want your data to be held
hostage should the provider fail, be acquired, or not work out. In the best case,
you'll be able to export all your data (including user account information, logs,
customizations and so on) in a standardized format through an automated export
function.
 If the answer from your potential provider is, "Sure, just call us, and we'll do it," then
further investigation is required, since that helpful attitude might change during a
contract dispute or if the company fails.
2: How does the support process hold up in your trial runs?
 Every vendor -- SaaS providers included -- has 'world class' support during the sales
process, but the story can suddenly change once you become a paying customer.
Create a trial account that doesn't indicate your company affiliation, since you may
receive preferential support if there's a big name attached to a test account. Submit a
support request and assess the quality of the support you receive.
 For a larger SaaS deployment, research the support model. Will your help desk be
responsible for 'Tier 1' support, or will users call the SaaS provider directly? How will
your internal support organization communicate with the SaaS provider's support?
3: What migration and training assistance options are available?
 A major challenge with any new software deployment is migration to the new
platform and subsequent end user training. Check if your potential SaaS provider can
assist with these challenges through data migration tools, premade training tools, or
consulting assistance on either front. For a large SaaS deployment, these can be
points of leverage in contract negotiations, since it's in everyone's interest to make
the migration as fast and painless as possible.
4: Can you test in parallel?
 As you consider a SaaS provider, investigate whether you can migrate a single
department or a small group of users to utilize the SaaS application in parallel to
whatever it's replacing. During this time period, you can gather user feedback, test
the support process, and validate the business case for moving to SaaS. You'll also
have an opportunity to test the migration tools to and from the SaaS platform in a
relatively low-risk manner.
5: How does functionality compare to maturity?
 It's easy to get excited by the flashy functionality and compelling cost savings of a
SaaS delivery model, and start obsessing about getting the latest, bleeding-edge
capabilities; however, innovative functionality is often the domain of the newest and
least mature players in the SaaS market. While the functionality may be compelling,
other areas like support, disaster recovery, and ultimately corporate funding may be
lacking.
 Temper excitement around features and functions with an honest assessment of the
company's maturity and ability to support your organization in the long run. In some
areas, an upstart may provide such compelling advantages that the risks are
worthwhile. Ultimately, you must understand the risks and rewards, and plan to
mitigate the former.
6: What's the backup plan?
 It's vital that you understand how your data are protected, and what redundancies
are available should your SaaS provider have an outage. Too often SaaS providers
point to their backend infrastructure provider (Amazon or Microsoft's Azure) as
"unsinkable." While these platforms obviously have various redundancies, make sure
your provider maintains its own readily accessible backups to prevent unforeseen or
human errors, or provides an interface for you to perform your own backups.
7: What's the pricing model?
- A major attraction of SaaS is the simplified pricing model. In some cases, however, there are hidden charges, or pricing that varies based on metrics ranging from user counts to transactions to bandwidth. If the sales process glosses over these provisions, engage the assistance of your purchasing or legal department to wade through the fine print and confirm that you understand what might trigger a significant price increase.
8: What integration options are available?
- Rarely do our applications exist in silos, and as soon as your new SaaS tools gain traction there will be demands to integrate their data and functionality into other applications and reports. While many SaaS vendors provide a great portfolio of APIs and data sharing, make sure your people have the skills to access these interfaces, and that the data and functionality you might need to integrate are available.
9: Are your current and future user environments supported?
- This may seem like an odd concern for SaaS-provided software since it is usually delivered through a web browser, but as any web designer will tell you, all browsers are not created equal. Browsers such as Google Chrome are the darlings of many SaaS providers, and their software may not function correctly with the corporate stalwart Internet Explorer -- especially some of the older versions that are standard at some companies.
- In addition, consider whether your SaaS provider offers mobile apps or mobile browser support if users will require access to the SaaS applications on the go. Users such as those who work on the shop floor or in field sales may end up using their phones and tablets as the primary means of accessing the app, so ensure appropriate mobile support is provided.
Review of Negotiating Terms with vendor:-
- Review the vendor's service history, obtain customer references and ask them about their experiences with the vendor's concern for privacy, reliability and security vulnerabilities.
- Be certain that application and infrastructure security requirements are written into your contract with any SaaS provider. Include an audit clause whereby you or a third party can periodically verify that the required controls are in place.
- Get a solid service level agreement. An SLA requires that the vendor provide a specified level of system reliability. A good vendor will strive for performance that meets Six Sigma levels of service quality (e.g., 99.9997% of security patches applied within a set number of hours, not days, after public disclosure).
- Do not accept a policy of silent fixes to their service.
- Insist that the vendor's own software development process adheres to a robust software development life cycle model that includes tollgates checking for secure coding standards.
- Carefully examine the vendor's policies for data recovery, and find out how long it will take to retrieve your data if you decide to terminate the contract, as well as how long it will take them to make it inaccessible online.
- Maintain strong encryption standards and key management for data transmission between your site and the vendor site.
- Be certain that your users are not the weak link in the security chain. Specify which web browsers can be used to access services, and stay on top of browser security issues and updates.
- If possible, require that users first log in to your network before accessing corporate information on the SaaS vendor site.
- Always maintain ownership of domain names and control domain access through which services can be accessed.
Our Methodology
The audit was carried out as per the pre-planned audit plan and program, which was discussed with the statutory auditors and Brandcom senior management. We have used the internationally accepted standard for IS audit, COBIT (Control Objectives for Information and Related Technology, issued by the Information Systems Audit and Control Association, USA), and other relevant standards for the review.
Structured Methodology
The above-mentioned objectives were achieved through the following structured methodology:
- Obtained an understanding of IT resources deployed at Brandcom
- Obtained an understanding of IT security policies and the control system at Brandcom
- Identification and documentation of IT security related circulars issued by Brandcom
- Identification and documentation of organization structure and information architecture
- Identification and documentation of existing policies, procedures and practices
- Application of COBIT for formulating IT security best practices, policies and procedures for Brandcom
- Discussion with the IT Department
- Review of environmental access, physical access and logical access security controls
- Examination of access rights
- Observation of the users and the system in operation
- Review of reports and audit logs in system software
- Examination of processing controls using test data
- Examination of access profiles and parameter settings
- Discussion with the IT Department of Data Service Solutions
- Review of policies, manuals and agreements to be entered into with Data Service Solutions

Audit Environment
We conducted the IS audit at the IT Department of Brandcom in a simulated environment using a Windows 7 computer connected to the server. We also reviewed the functioning of four branches at Chennai, Ahmedabad, Bangalore and Hyderabad.
Audit Reports
We issued a draft report outlining our issues and recommendations and obtained feedback from the IT Department and the Internal Audit Department. Further, a meeting was held with the IT Department, represented by Mr. Rajendra, DGM (IT), and Ms. Rashmi Sharma, AGM (Internal Audit), where the issues and recommendations were discussed in detail. The issues rectified so far are given separately in the Annexure for the record.
Information System Audit
Key Issues and Finding / Recommendations

We have reviewed the outsourcing policies and procedures of Brandcom. Our specific findings and recommendations, with the agreed action plan, are given below-

1. Data leakage of critical information and unknown areas of data:-

Issue:- Customers of the vendor have faced leakage of data containing critical information, and there are unknown areas of data.
Implication – High
- Security is directly affected: because of this severe issue, business reputation was severely damaged, with the potential to drive the company out of business by losing future service contracts.

Recommendation
- The vendor should be changed; if that is not possible, identify the reasons for such data leakage by discussing with the vendor.
- A service level agreement should provide for compensation in case of such data leakage.
Management Comment:- Agree to solve out such problems by meeting with the vendor, and an appropriate SLA should be made for it.

2. Non-consideration of the current enterprise environment and business processes, as well as the enterprise strategy and future objectives:-
Issue:- The current enterprise environment and business processes, as well as the enterprise strategy and future objectives, have not been considered.
Implication – Medium
- The enterprise may not be able to achieve its future goals, and after some time the cloud service may become useless for the organization.

Recommendation
- The current enterprise environment and business processes, as well as the enterprise strategy and future objectives, should be considered.
- A detailed analysis of the organization's future goals and objectives should be made.
Management Comment:- Agree to solve it out.
3. External environment of the enterprise (industry drivers, relevant regulations, basis for competition) has not been documented or considered in selecting cloud services:-
Issue:- The current enterprise environment and business processes, as well as the enterprise strategy and future objectives, have not been considered.
Implication – Medium
- Such non-consideration could expose the organisation to legal action, damage business reputation, and has the potential to drive the company out of business by losing future service contracts.

Recommendation
- The external environment of the enterprise should be documented and considered in selecting cloud services.
- A team should be formed to understand the external environment.
Management Comment:- Agree to solve it out.
4. Process for reviewing third-party compliance requirements is non-existent:-
Issue:- No policy exists for reviewing the compliance requirements of third parties, and such decisions have been imposed by IT.
Implication – High
- Security is affected, with the risk of legal action and loss of reputation.

Recommendation
- A policy should be made for reviewing the compliance requirements of third parties.
- The duties and responsibilities for this should be assigned to a team with knowledge of compliance requirements.
Management Comment:- Agree to implement a policy for reviewing such third-party compliances, and a proper team shall be constituted for it.

5. Service catalogues, business process requirements and internal operational agreements were not considered:-
Issue:- Before finalising the service agreements with the service provider, the service catalogues, business process requirements and internal operational agreements were not considered.

Implication – High
- Such non-consideration will lead to dissatisfaction among employees and customers and loss of reputation.
Recommendation
- Before finalising the service agreements with the service provider, the service catalogues, business process requirements and internal operational agreements should be considered.
- A team should be formed to incorporate such requirements.
Management Comment:- Agree to solve it out.
6. Does not have a policy for monitoring service levels, reporting on achievements and identifying trends:-
Issue:- A policy for monitoring service levels, reporting on achievements and identifying trends does not exist.
Implication – Medium
- The organisation is not able to plan for future trends.

Recommendation
- The SLA should provide the appropriate management information to aid performance management.
Management Comment:- Agree to solve it out.
7. Business case for cloud service was not prepared:-
Issue:- There is no process to identify priorities, or to specify and agree on business information, functional, technical and control requirements covering the scope and understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.

Implication – Medium
- The organization is not able to plan for future trends, and a proper evaluation of the organization's needs cannot be ascertained.

Recommendation
- A process should be established to address such problems.
Management Comment:- Agree to solve it out.
Conclusions

Based on our review, our overall conclusions on specific areas are-

Security & Access Controls

Our review of security and access controls in the IT environment as reviewed by us and implemented at Brandcom and Data Service Solutions confirms that appropriate security and access controls have not been implemented using the related functions and features. Our test checks have revealed that the systems of security and controls are not reliable. Areas where controls need to be strengthened are given in the annexure.

Data Storage Controls

Our review of business processes and data integrity controls covering all the core functions of Brandcom and Data Service Solutions confirms that all the related data have been fully captured and stored with adequate backup facilities. Backup plans are adequately tested, and it has been assured that regular backups are taken. The issues which came to our notice during the course of our review are given in the annexure.

Further Action
We consider that the recommendations given in this report will be very useful in facilitating business process controls at Brandcom and will aid in improving the effectiveness of security controls.
We would like to affirm that the matters included in this audit report are those which came to our notice during our review, conducted as a normal Information System Security audit complying with the globally accepted Information System Auditing Standards, guidelines and procedures that apply specifically to Information System Auditing, issued by ISACA, USA, and COBIT.
Further, on account of limitations of scope and time, we have used a sample test and test check approach. Hence, certain areas which are outside the scope of this review are not covered.