ISA Project Report by Group No 9 Final
of
DISA 2.0 Course
Prepared by:
CA Lakshman Sharma
CA Khushboo Bansal
CA Kuldeep Sharma
(Group No. 9 of Batch No JAI1712121)
CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training
conducted by The Institute of Chartered Accountants of India at Jaipur Branch from
02/12/2017 to 30/12/2017 & have the required attendance. We are submitting the
Project titled:
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for
the project. We also certify that this project report is the original work of our group
and that each one of us has actively participated and contributed in preparing this
project. We have not shared the project details or taken help in preparing the project
report from anyone except members of our group.
Place: Jaipur
Date:
INDEX
1. Introduction 4
2. Auditee Environment 5
3. Background 6
4. Situation 7
7. Documents reviewed 15
8. References 26
9. Deliverables 28
12. Conclusion 36
Details of Case Study/Problem
(Review of vendor proposal of SaaS services)
Brandcom (Client) has decided to move its key business application to cloud services of a
renowned vendor, considering the increased functionality and cost savings. However, the
company has not done a comprehensive study of the appropriateness of the proposed IT
services. The company's internal audit department has reviewed the vendor proposal and
has provided its findings and recommendations. An extract of the findings and
recommendations of the internal auditors is as follows:
1. The proposal is for a standard offering of ERP Software on cloud with no modifications.
Brandcom is a company with its own unique business processes. Hence, it is important
to study the existing processes (as-is study), map them to the ERP (to-be state) and
obtain confirmation on whether the proposed ERP solution meets the business requirement
and what value is added by migrating to the proposed solution. If the study has been
done, it may be collected to review whether it covers effective migration of all key
processes and the value addition offered by such migration.
2. On outsourcing of IT services, the usability of the current IT infrastructure, including the
hardware, operating system, database and application software, has been
considered by the IT department. The impact of the proposed solution on the existing
structure also has to be studied before taking a decision.
3. Brochure of Cloud service vendor states: “Clients need to be clear on what they want.
They should know whether they simply want to enhance their current systems or
move to a new system. They should know how much of re-architecting would be
required, the legal and compliance issues involved and whether the cloud would affect
their audits”. The proposal does not provide these details. An impact assessment study
of proposed solution on Brandcom has to be done to ensure that the proposed
solution provides the required business advantages which is sought to be achieved.
4. The proposal provides a brief overview of the module details and process coverage.
However, it is not clear whether all the modules are applicable and how this would be
configured as per requirements of Brandcom. Further, the cloud service vendor has
option to extend the capabilities of providing customization by adding additional
functionalities as required at extra cost. However, the proposal does not provide any
information on this. It cannot be assumed that the current modules offered by cloud
services meet all the business requirements. There is no study done to cover these key
aspects. It is advisable to have a statement of work which clearly outlines the solution
by Cloud service provider as applicable to Brandcom so that there is clarity on what is
available and how it will fit and meet requirements of the current/future business
processes.
5. The proposal provides implementation plan and suggested training requirements.
What is the number of users who need to access and what are the current skill levels
and how it is to be enhanced has to be assessed so that they can use the proposed
solution. The training requirements have to be assessed in detail to confirm whether it
meets requirements.
Page 1
6. The data migration from existing software to proposed solution is a major challenge in
any ERP implementation. The proposal is silent on what the current platform is and
how the data migration is expected to be. This has to be correctly assessed as it will
impact the success of the proposed solution.
7. The proposal provides cost estimate for 9 regular users and 1 Lite user. Whether this is
sufficient to take care of the current number of users is not clear. This may be assessed
to correctly understand the impact. The actual number of users is 40 whereas only the
model implementation with 10 users is considered for cost benefit analysis.
8. Cost benefit analysis of the proposed solution and the specific benefits to Brandcom
are not clearly highlighted in the proposal. The management has to be aware of the
benefits and have to obtain independent confirmation about the envisaged benefits.
9. Any ERP migration and especially one on the cloud have implications of risk in terms of
being tied up to one vendor and data being available on the cloud and dependency on
bandwidth for access. A risk management should be done to ensure that all key risks
are identified and effective risk mitigation strategy has been adapted.
10. It is advisable to have demo of the ERP solution as applicable to Brandcom to
understand how the proposed solution provides envisaged benefits. Based on this, the
final decision regarding migration to new solution has to be taken considering
suitability, training and cost savings.
11. References of solutions implemented for enterprises with business of similar nature as
Brandcom may be obtained to validate and confirm that the solution meets the
requirements. As migration to a new solution increases the dependency on new
vendor, it is important to be assured about adequacy and appropriateness of the
solution.
12. It is also advisable to have independent review of the proposed solution to ensure that
all the required assessments of the requirements is done and the proposed solution
meets the current/future requirements.
13. Before taking a final decision on the proposal, it is important to consider the following
key aspects in evaluation of the cloud services proposal:
Current and future business processes,
Organization structure especially pertaining to IT and number of users of the IT
systems,
Current IT infrastructure including hardware, network, Operating systems,
database and application software.
Internal control systems, extent of documented processes.
Number of IT users and key personnel and their skill levels
In addition to the above findings, some key issues relating to data, security, privacy
and potential compliance issues noticed by us during our review are given below:
A process for reviewing the third-party compliance requirements is non-existent,
and the decision has been imposed by IT.
On contacting customers of the vendor, you were informed that when the cloud
services were used, they detected data leakage of critical information into
unknown areas. Due to this severe issue, business reputation
was severely damaged, and the leakage had the potential to drive the company out of business
by losing future service contracts.
The usage of the current enterprise environment and business processes, as well as
the enterprise strategy and future objectives were not considered in selecting the
cloud services.
The external environment of the enterprise (industry drivers, relevant regulations,
basis for competition) has not been documented or considered in selecting cloud
services.
Before finalizing the service agreements with the service provider, the service
catalogues and business process requirements and internal operational agreements
were not considered.
The company does not have policy for monitoring service levels, to report on
achievements and identify trends. The SLA should provide the appropriate
management information to aid performance management.
A business case for the cloud service was not prepared. There is no process to identify,
prioritise, specify and agree on business information, functional, technical and
control requirements covering the scope and understanding of all initiatives required to
achieve the expected outcomes of the proposed IT-enabled business solution.
However company’s IT department wanted to go ahead with this and sees no issue in
this current proposal. The matter was escalated to the audit committee and it has been
decided to have an independent review by IS Auditor.
Project Report (The solution)
Introduction
A. Software as a Service (SaaS) refers to the cloud computing model where complete
application software is sold on a subscription model for a specific period. Examples
of software provided through SaaS model are CRM, ERP, E- mail, Calendar, Internet
File Stores, Spam filters, etc. The SaaS model provides the capability to use the
provider’s applications running on cloud infrastructure. The application software is
accessible from various client devices through a thin client interface such as a web
browser (e.g., web-based e-mail). SaaS saves customers the cost of buying licenses
and running programs on their own computers. SaaS is one of the most popular
cloud computing services and is being extensively used.
B. This Audit is conducted by "ABC & Co, Chartered Accountants". This team is a good
mix of experience and knowledge.
Name              Team     Qualification   Experience
Khoshboo Bansal   Lead     CA, B.Com
Lakshman Sharma   Member   CA, B.Com       1.5 years
Kuldeep Sharma    Member   CA, B.Com       3 years
Auditee Environment
Brandcom is a company with its own unique business processes. For this particular project
it is considering moving its ERP system to a cloud-based SaaS model. In the current scenario
Brandcom uses physical hardware and customized software to fulfil its ERP
requirements, and this ERP-like software is very specific to Brandcom and its business. The
ERP system is maintained by Brandcom's IT department. The whole system works under the
company's regulatory guidelines.
Brandcom's ERP system is consumed by the company's internal systems, i.e. internal email,
inventory systems etc.
Brandcom's internal control department has put down some issues and findings which
have to be considered while transferring the key processes to SaaS services, since such a
transfer can expose the company's internal control system and its confidentiality.
However, the auditee's IT department, which has a good reputation in the organisation, has already
convinced the CEO about the need for such outsourcing for cost savings, but the key issues found by the
internal control department have a great impact on such a transfer of key processes to
SaaS.
Background
Brandcom has decided to move its key business application to cloud services of a renowned
vendor, considering the increased functionality and cost savings. Software as a Service (SaaS)
refers to the cloud computing model where complete application software is sold on a
subscription model for a specific period. Examples of software provided through the SaaS model
are CRM, ERP, E-mail, Calendar, Internet File Stores, Spam filters, etc. The SaaS model
provides the capability to use the provider’s applications running on cloud infrastructure.
The application software is accessible from various client devices through a thin client
interface such as a web browser (e.g., web-based e-mail). SaaS saves customers the cost of
buying licenses and running programs on their own computers. SaaS is one of the most
popular cloud computing services and is being extensively used.
The company is having the knowledge that Information System Audit will not only provide
assurance to the management about the accuracy of existing security & control practices but
also will fill the clients with confidence about the safety of their data. Also IS Audit will not
only lead to safeguarding of assets and improved data integrity but also will enhance
system’s efficiency and effectiveness.
The auditor will review IT principles, policies & framework. The company wants the control
deficiencies to be identified & reported to the management. Also it will help to monitor
controls, review business process controls effectiveness, and perform control self-
assessment.
Situation
Brandcom has decided to move its key business application to cloud services of a renowned
vendor, considering the increased functionality and cost savings. However, the company has
not done a comprehensive study of the appropriateness of the proposed IT services. The
company's internal audit department has reviewed the vendor proposal and has provided
its findings and recommendations. An extract of the findings and recommendations of the internal
auditors is as follows:
Availability of standard Application and less Customization
Wrong analysis of user needs
Less clarity in Vendor Proposal
Training requirement issue is not considered
Migration issues are not considered
Public image of vendor is not considered
Analysis of External environment is not proper
Now the management wants the IS auditor to conduct a tradeoff analysis between the SaaS-based
ERP and the client's present ERP system.
Some SaaS applications are free to the user, with revenue being derived from alternate
sources such as advertising, or upgrade fees for enhanced functionality. Examples of free
SaaS applications include large players such as Gmail and Google Docs, as well as smaller
providers like Wave Accounting and FreshBooks.
SaaS providers generally price applications on a per-user basis and/or per business basis,
sometimes with a relatively small minimum number of users and often with additional fees
for extra bandwidth and storage. SaaS revenue streams to the vendor are therefore lower
initially than traditional software license fees, but are also recurring, and therefore viewed as
more predictable, much like maintenance fees for licensed software.
Risks:
4. Data Security
One company's data co-mingled with other businesses' data
Terms and Scope of the Assignment
1. The auditors are required to verify the compliance status (follow-up) of the previous audit
reports for which audits were conducted by the company's IS auditors under the comprehensive
information security system as mandated by various standards.
2. Auditors should follow a risk-based approach in all areas. IS auditors should identify
all the risks that are present in the cloud computing environment.
3. To ensure that data integrity across various systems is maintained, the auditor has to give
assurance to management that information is accurate and reliable and has not been
subtly changed or tampered with through unauthorized access.
5. Operational Security Controls including troubleshooting / help desk Request for Proposal
for IS Audit/Review
10. Audit the Services of all Service Provider to ensure they adhere to the contracted levels of
services set out in the Service Level Agreement(SLA)
11. Audit the compliances by the service providers to various regulatory and statutory
requirements.
13. Business Continuity plans / Disaster Recovery Plans/ Backup and data restoration plans.
Deliverables
Draft report including an executive summary of findings and recommendations, with risk
analysis of the findings
Final report incorporating management comments and an agreed priority plan
of action based on exposure analysis
Soft or hard copy of the checklist used for the audit
Soft or hard copy of the audit methodology and documentation
Time Frame
The elapsed time for the assignment is approximately 4 weeks. We would require a lead time
of two weeks for commencing the assignment. The availability of the coordinating team, user
involvement, and availability of resources and information from the auditee would also impact the
audit duration and time schedule, which we would communicate to you in advance.
Fees
The fees for this assignment are Rs. 8 lakhs, to be paid as follows:
25% Advance with order
50% on submission of Interim Report
25% on presentation of Final Report
Methodology and Strategy
adopted for execution of the assignment
Assignment Team
Our approach to selecting the right people for a project is to bring together the necessary
skills and experience for the particular assignment from the rich mix of skills and experience
available. The assignment would be executed under the personal supervision of, and led by,
Mr. Mahendra. The team would be a blend of professionals with extensive experience. The
team includes Chartered Accountants, IT professionals, management consultants and
certified Information System Auditors. The senior members of the team are:
Piyus Jain
Lokesh Jain
Nikita Gupta
Audit approach (figure):
Planning
Defining - Risk assessment analysis
Evaluating - Detailed and critical analysis of controls already prevalent
Audit evidence - Collection of audit evidence through substantive and compliance procedures
Reporting - Reporting on the basis of evidence collected
Objectives (figure): INTEGRITY, CONFIDENTIALITY, AVAILABILITY
SA 315 - Risk identification and assessment - requires the auditor to assess the risk that is a
part of the business environment and internal control system.
SA 320 - Audit Materiality - to report all findings having an impact on decision making.
AUDIT RISK - It is the risk that the auditor may issue an unqualified report due to the auditor's
failure to detect a material misstatement, whether due to error or fraud.
The three types of audit risk are:
[Figure: the three types of audit risk. Recoverable content:]
INHERENT RISK - the level of risk of the entity's business, on account of its exposure, ignoring internal controls; the higher the business risk, the higher the likelihood and consequence of risk.
CONTROL RISK - the risk that the internal control system will not prevent, or detect and correct, an exposure that exceeds the tolerable level.
DETECTION RISK - the risk that the IS auditor's audit procedures will not detect the exposure; it is the risk controllable by the IS auditor and is assessed after the auditor concludes on inherent and control risk.
Audit risk = inherent risk x control risk x detection risk
Scope is defined as the boundaries of the audit, which are listed in the audit engagement letter. After
the definition of audit objectives, the IS Audit Charter will be prepared; the following
standards are to be used for the audit charter:
The IS Audit & Assurance shall document the audit function appropriately in an audit
charter, indicating purpose, responsibility, authority and accountability.
The IS Audit & Assurance shall have the audit charter agreed upon and
approved at an appropriate level within the enterprise.
Evidence Collection and Evaluation
Standard 3(e) in Chapter III of the Auditing Standards of SAI India states:
"Competent, relevant and responsible evidence should be obtained to support the auditor's
judgment and conclusions regarding the organization, programme, activity or function
under audit."
After evaluation of all the evidence, a draft audit report is prepared, which is drafted in the
sections below.
“Planning does not guarantee execution.
Continuous follow up is required for effective implementation”
Audit Plan
The audit plan would cover the following activities:
Discussions with the IT Department
Internal Audit department recommendations.
Systems / Implementation Teams
Users and Users Management
Review of Security policies manual
Examination of Access Rights
Observation of users
Review of Access Control-physical and logical
Review of SLA agreement and its viability.
Data Service Solutions IT department
Documents reviewed
An extensive list of documents needs to be reviewed, such as the information security policy,
organization structure, vendor contracts or SLA, access matrix, audit findings, risk matrix etc.
These documents will be the basis of the review and can be used for identifying control
weaknesses and providing recommendations.
The documents reviewed are:-
Organizational policy - Basic objectives and understanding of purpose and
business objectives is mandatory for any audit
Information security policy - to gain a basic understanding of controls
prevalent and to define the need and gap between the controls in existence
Organizational hierarchical structure - to get a basic understanding of the roles and
responsibilities of the officials and to establish authority and accountability.
Basic documents relating to business, technology and control environment
Agreement with Data Service solutions for the terms and conditions.
The Backup plans and DRP’s of Data service solutions as well as of Brandcom
Audit trails and logs taken out from the system to perform the gap analysis
Management Representations
CHECKLIST FOR THIS AUDIT:-
We as IS auditors have evaluated the SaaS ERP tradeoffs, with the risks and benefits it has if
implemented, which are as follows:
SaaS-based ERP also comes with tradeoffs. Initial cost savings may eventually evaporate.
"When you look out longer term -- five to seven years -- the cost-benefit tends to be
somewhat of an illusion, and SaaS may actually end up being more expensive than an on-
premises application. It's like leasing a car; those monthly payments never go away for the
life of the lease." The organization has to consider the following issues before implementing the SaaS-
based proposal:
1. Will a move to the cloud require complex integrations with in-house applications?
"Our ERP solution integrates with about 50 other programs. These applications must
exchange data with each other, so in addition to creating dozens of interfaces,
Organization would need enough network bandwidth to keep latency low between the
data center to the cloud.
2. Is the application business critical?
"ERP is used widely across our organization -- for accounting, purchasing, HR, capital
asset management -- so it's a very critical business application. That means to move into
the cloud, we would have to buy additional disaster recovery and a high-availability
service to make sure it doesn’t go down.
3. Does the application contain proprietary information whose public exposure would
damage an individual or the organization?
The ERP platform stores Social Security information for employees as well as the tax IDs
for vendors the utility uses. "There's definitely a lot of sensitive information
4. How costly will it be to move to the cloud?
Expenses for enhanced bandwidth and personnel resources for custom integrations
represented added SaaS costs compared to the current platform. Initially, the cloud
would be costly versus cost effective
5. Can the application be moved to the cloud in a manageable amount of time that doesn't
negatively impact business operations?
It is estimated that testing, integration and other activities would require months of
work. In contrast, the new capabilities in the on-premises upgrade would be available to
end users much sooner.
1. Safeguarding of Assets:
The IS auditors will require concentrating on the following areas to ensure that the
Information Systems Assets of the organization are safeguarded:
A. Environmental Security
B. Data
C. Uninterrupted Power Supply
D. Electrical Lines
E. Data Cables & Networking Products
F. Fire Protection
G. Insurance of Assets
H. Annual Maintenance Contract
I. Logical Security & Access Control-Operating System Level
J. Logical Security & Access Control–Application System Level
The IS auditor shall be required to verify/inspect the following points in respect of the areas
mentioned above.
A. Environmental Security:
The IS auditors should verify whether:
I. There is separate room for the server.
II. Server room has adequate space for operational requirements.
III. Server room is visible from a distance, but is not easily accessible.
IV. Server room is away from the basement, water/drainage systems.
V. Server room can be locked and the key is under the custody of the authorized
persons (System Administrator) only. Entry doors are protected by biometric/PIN or
proximity key card access verification. Any failed attempts or system tampering, as
also unscheduled movement in restricted areas, glass breakage or the opening of
doors, must be logged and immediately reported to the control staff at the
site. The biometric system must store all attempts at access.
VI. To access any equipment in the Data Centre, one has to pass through (preferably) a
minimum of two separate security doors, utilizing biometric/PIN and/or proximity
key card access verification facilities.
VII. Server is not in close proximity to the UPS room.
VIII. Access to server room is restricted to authorized persons and activities in the server
room are monitored.
IX. Air-conditioning system provides adequate cooling.
X. Storage devices to keep stationary and other such items are not kept inside the
server room.
XI. All the walls with potential access must be heavily reinforced.
XII. Humidity and heat measuring instruments like (Thermometer and Hygrometer) are
installed in the server room.
XIII. Temperature readings are taken throughout the raised floor and equipment areas,
power rooms, basement, diesel fuel storage area, and roof, generator, cooling
towers, waiting and display areas.
XIV. Smoking, eating and drinking are prohibited in the server room to prevent spillage of
food or liquid into sensitive computer equipment.
XV. Brief cases, handbags and other packages are restricted from the server room, tape
library and other sensitive computer area to prevent unauthorized removal of data
held on removable media as also to prevent entry of unacceptable material into the
area.
XVI. Server room is neat and clean to ensure dust free environment.
XVII. Scanners are kept in safe custody and access is restricted.
XVIII. Floppy disk drives on the nodes can be disabled, if necessary for better security.
XIX. The Data Centre is chosen so as to have police protection and fire prevention services
available within a very short time, say 5-10 minutes.
C. Electrical lines:
The IS auditors should verify whether:
I. There is a separate dedicated electrical line for the computer equipment.
II. Power supply to computer equipment is through UPS system only.
III. The electrical wiring looks concealed and is not hanging from ceiling or nodes.
IV. The circuit breaker switches exist in locked condition only.
D. Data Cables:
The IS auditors should verify whether:
I. A map of the cable layout is kept in a secure place under proper authority. This is
helpful in timely and fast repair of LAN cable faults.
II. Cabling is properly identified and recorded as fiber optic, co-axial, unshielded twisted
pair (UTP) or Shielded Twisted Pair (STP).
III. Electrical cable and data cable do not cross each other to avoid possible disturbance
during data transfer within the network.
E. Fire Protection:
The IS auditors should verify whether:
I. Fire alarm system is installed.
II. Smoke detectors are provided in the server room and in the other areas of computer
installations.
III. Smoke detectors are tested on a regular basis to ensure that they work.
IV. Gas type (Carbon dioxide, Halon etc.) fire extinguishers are installed at strategic
places like server room, UPS room and near the nodes and printers.
V. Dry powder or foam type extinguishers should not be used as they tend to leave
deposits.
VI. Staff knows how to use the fire extinguishers.
VII. Fire extinguishers are regularly refilled /maintained.
VIII. An evacuation plan is documented and rehearsed at regular intervals for taking
immediate action in the case of the outbreak of fire.
F. Insurance:
The IS auditors should verify whether:
I. All the computer equipment is covered under an appropriate electronic
equipment insurance policy with a reputed insurance firm.
II. A record of the original policy is maintained with a detailed list of the equipment
covered under the policy.
III. Information regarding shifting of computer equipment to or from or within the
department/office is conveyed to the insurance firm.
IV. Adequacy of the insurance cover should be verified as per the policy of the
organization.
2. Data Integrity:
The IS auditor will be required to address, among others, the following areas under IS auditing:
A. Data Input Controls
B. Data Processing Controls
C. Patch Programs
D. Purging of Data Files
E. Backup of data
F. Restoration of Data
G. Business Continuity Planning
H. Output Reports
I. Version Control
J. Virus Protection
C. Patch Programs:
The IS auditors should verify whether:
I. The application programs are exactly identical with the standard list of approved
programs in respect of file name, file size, and date and time of compilation.
II. Only approved programs have been loaded in the system.
III. There are no programs other than the approved ones.
IV. There is a record of the patch programs used and the reason thereof, under
authentication.
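One way the patch-program checks above can be carried out mechanically, as an added example that is not the report's own code: the program names, sizes and timestamps are constructed, and file modification time stands in for compile time where a live directory is scanned.

```python
# Added example (not from the report): reconcile the programs loaded on a system
# against the approved-program list on file name, size and compile timestamp,
# as the Patch Programs checklist (items I to IV) asks the IS auditor to verify.
import os
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ProgramRecord:
    name: str
    size: int          # file size in bytes
    compiled_at: str   # compilation date and time, ISO-8601


# Constructed sample data. In a real engagement the approved list comes from the
# controlling office and the loaded list from the audited system (see scan_directory).
APPROVED_PROGRAMS = [
    ProgramRecord("gl_post.exe", 204800, "2017-11-02T10:15:00"),
    ProgramRecord("inv_update.exe", 153600, "2017-10-21T09:00:00"),
    ProgramRecord("payroll.exe", 512000, "2017-09-30T16:45:00"),
]
LOADED_PROGRAMS = [
    ProgramRecord("gl_post.exe", 204800, "2017-11-02T10:15:00"),     # identical
    ProgramRecord("inv_update.exe", 155648, "2017-12-05T14:20:00"),  # patched, no record
    ProgramRecord("debug_tool.exe", 8192, "2017-12-10T11:00:00"),    # not on approved list
]


def scan_directory(path):
    """Build ProgramRecords from a directory listing. File modification time is used
    as a proxy for compile time here (assumption: no build metadata is available)."""
    records = []
    for entry in os.scandir(path):
        if entry.is_file():
            st = entry.stat()
            stamp = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc)
            records.append(ProgramRecord(entry.name, st.st_size,
                                         stamp.strftime("%Y-%m-%dT%H:%M:%S")))
    return records


def compare_programs(approved, loaded):
    """Classify every program as matched (item I), mismatched (same name but different
    size or compile time), unapproved (loaded but not approved, items II and III)
    or missing (approved but not loaded)."""
    approved_by_name = {p.name: p for p in approved}
    loaded_by_name = {p.name: p for p in loaded}
    findings = {"matched": [], "mismatched": [], "unapproved": [], "missing": []}
    for name, rec in loaded_by_name.items():
        ref = approved_by_name.get(name)
        if ref is None:
            findings["unapproved"].append(name)
        elif ref == rec:
            findings["matched"].append(name)
        else:
            findings["mismatched"].append((name, ref, rec))
    findings["missing"] = [n for n in approved_by_name if n not in loaded_by_name]
    return findings


def format_report(findings):
    """Working-paper lines for the audit file; every mismatch needs an authenticated
    patch record (item IV), otherwise it is reported as an exception."""
    lines = [f"Matched programs: {len(findings['matched'])}"]
    for name, ref, rec in findings["mismatched"]:
        lines.append(f"MISMATCH {name}: approved size={ref.size} compiled={ref.compiled_at}; "
                     f"loaded size={rec.size} compiled={rec.compiled_at}")
    for name in findings["unapproved"]:
        lines.append(f"UNAPPROVED {name}: loaded but not on the approved list")
    for name in findings["missing"]:
        lines.append(f"MISSING {name}: approved but not found on the system")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_programs(APPROVED_PROGRAMS, LOADED_PROGRAMS)))
```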
E. Back up of Data:
The IS auditors should verify whether:
I. All the floppies/CDs/tapes, purchased, pertaining to the OS software, application
software and utility programs, drivers etc. are recorded in a register and properly
stored.
II. Hardware, software, operating system, printer manuals are properly labeled and
maintained.
III. Latest user manuals of the application software and other end-user packages
running on the system are available for guidance.
IV. Daily/weekly/monthly and quarterly back-up of data is taken without fail and is
available (as per requirement).
V. Backup tapes are properly labeled and numbered.
VI. Proper storage procedures and facilities are in place for backup copies.
VII. There is offsite storage of one set of the backup data.
VIII. Backup tapes are verified / tested periodically by restoring the data and record
maintained.
IX. Backup media is verified periodically for readability.
X. Record is available in respect of such verification.
XI. Backup media are phased out of use after a specified period.
XII. Backup register is maintained wherein all the events pertaining to the backup,
including the procedure of backup, are recorded.
XIII. Physical and fire protection is provided to back up media.
F. Restoration of Data:
The IS auditors should verify whether:
I. The Instructions for restoration of the back-up data have been compiled.
II. The data integrity is verified after the restoration work is over.
III. Activities carried out during the restoration work are recorded indicating date,
time, reason for restoration and size of the data restored.
H. Output Reports:
The IS auditors should verify whether:
I. The audit trail report generates the user ID of the operator and the official for any
addition/ modification/ deletion of the transaction data effected in the database.
II. Audit trail report is generated daily. Entries are scrutinized and verified.
III. Audit trail report indicates the evidence/information of unauthorized access
outside application menu.
IV. List of the cancelled entries is scrutinized and reasons for cancellation are recorded.
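The audit-trail scrutiny described in items I to III above, as an added example that is not the report's own code; the audit-trail format, the user IDs and the channel names are constructed for illustration.

```python
# Added example (not from the report): scrutinise a day's audit trail for additions,
# modifications and deletions, and flag those made outside the application menu,
# as the Output Reports checklist (items I to III) requires. Log format is constructed.
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit trail: one line per change to transaction data.
SAMPLE_TRAIL = """date,time,user_id,channel,action,table,record
2017-12-15,09:02:11,U1021,APP_MENU,ADD,invoices,INV-4471
2017-12-15,09:15:40,U1021,APP_MENU,MODIFY,invoices,INV-4471
2017-12-15,11:47:03,DBA01,SQL_CONSOLE,MODIFY,invoices,INV-4391
2017-12-15,14:30:22,U1088,APP_MENU,DELETE,vendors,VND-118
2017-12-15,23:58:09,DBA01,SQL_CONSOLE,DELETE,payroll,EMP-0072
"""

# Channels through which the application itself records changes (assumption).
APPROVED_CHANNELS = {"APP_MENU"}
CHANGE_ACTIONS = {"ADD", "MODIFY", "DELETE"}


def parse_trail(text):
    """Parse the CSV audit trail into a list of dicts keyed by column name."""
    return list(csv.DictReader(StringIO(text)))


def missing_user_id(entries):
    """Item I: every change must carry the user ID of the operator."""
    return [e for e in entries if not e["user_id"].strip()]


def outside_menu(entries):
    """Item III: changes to the database made through a channel other than the
    application menu, i.e. direct access that bypassed the application's controls."""
    return [e for e in entries
            if e["action"] in CHANGE_ACTIONS and e["channel"] not in APPROVED_CHANNELS]


def daily_summary(entries, date):
    """Item II: per-user count of adds, modifications and deletions for one day,
    the minimum an auditor scrutinises in the daily audit trail report."""
    return Counter((e["user_id"], e["action"]) for e in entries if e["date"] == date)


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    for e in outside_menu(trail):
        print(f"EXCEPTION {e['date']} {e['time']} {e['user_id']} {e['action']} "
              f"{e['table']}/{e['record']} via {e['channel']}")
    for (user, action), n in sorted(daily_summary(trail, "2017-12-15").items()):
        print(f"{user} {action}: {n}")
```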
I. Version Control:
The IS auditors should verify whether:
I. The computer system has Authorized Version of an OS, Authorized Version of anti-
virus software with its latest updates.
II. There exist the documentary evidence/information about the authenticity and the
right to use the copy of the OS software, OS system utility, third party software, the
run time system of specified language or database in use and the anti-virus
software.
III. Legally licensed copies of the software are used for computerized operations and
the licenses are currently in force.
IV. Changes to the application software are made with the approval of the controlling
office/department.
J. Virus Protection:
The IS auditors should verify whether:
I. Anti-virus software is loaded in the system.
II. Anti-virus software is regularly updated so that it covers the latest viruses.
III. All extraneous floppies are checked for viruses, including the floppies carried by the IS
auditors.
3. System effectiveness:
The IS auditors should verify whether:
I. Computerized operations provide better customer service in terms of time and
quality.
II. Staff serves a larger number of customers during the day than prior to the
introduction of online operations.
III. Customer information is provided timely and accurately.
IV. The system reflects any improvement in the overall quality of products and services
offered.
V. System has improved the task accomplishment capacity of its users by enabling
them to be more productive.
VI. Users are satisfied with the performance of the system.
VII. System is user friendly and takes less effort.
VIII. The users are putting the software to frequent use, which requires less effort and is
easier to use and the users are satisfied with the performance of the software.
4. System Efficiency:
The IS auditors should verify whether:
I. Department/Office ensures the use of every computer asset.
II. Department/Office utilizes every computer asset to its optimum capacity.
III. Periodical maintenance of the hardware asset ensures its uninterrupted service.
IV. The online operations help complete the day’s workload on the same day, consuming
less time than the respective manual operations.
V. The online operations provide accurate, complete and consistent data at each stage
of processing.
VI. Department/Office carries out a consistency check of balances daily to aid in the
detection of errors or fraud.
VII. Department/Office uses the hardware peripherals such as printers, nodes etc.
efficiently.
5. Organization and Administration:
The IS auditors should verify whether:
I. There is an Information Systems Security Programme for the entire organization,
approved by the Board of Directors.
II. There is a Corporate Information Systems Security Policy, well defined,
documented and implemented, including an Information Systems Awareness
Programme.
III. There is an established hierarchy in the organization with a Senior Executive in
charge of the implementation of the Corporate Security Policy with Information
Systems Security Officials at various levels in an Office.
IV. A System Administrator is identified for each computerized Office/Department, as
required.
V. Job description for each level is prepared and implemented (including System
Administrator).
VI. Training is imparted to all staff members in turn for better results and output.
VII. The entire staff is involved /motivated for working in the online environment.
VIII. The department allots online jobs to staff members after assessing performance
parameters like willingness, aptitude, expertise, skill, experience and knowledge.
IX. Record is maintained showing details of the work assigned, period of assignment,
rotation, training imparted, login name and acknowledgement obtained.
X. The functions of initiating, authorizing, inputting, processing and checking of the
data are separated to ensure that no person has complete control over a particular
function, so that abuse of that function is not possible without collusion
between two or more individuals.
XI. Rotation of duties is carried out at regular intervals.
XII. System Administrator is supervised and controlled with respect to the creation of
user ids at the OS level and Application Software level.
XIII. There are at least 2 persons for key functions of online operations to take care of
absenteeism.
XIV. Department/Office ensures to bring up the servers into operation readiness
sufficiently in advance before the commencement of the business hours.
XV. Computers are covered to keep them free from dust, rain water etc.
XVI. There is clear communication from the Management of the organization to the effect
that each member of the staff is responsible for maintaining security in the organization,
as per the Security Policy.
References
The following standards have been referred to for the audit assignment:
SA 315 - Risk identification and assessment: requires the auditor to assess the risk
that is a part of the business environment and internal control system.
SA 330 - Requires IS Auditors to review whether management has designed
and implemented appropriate risk remediation measures and to provide
recommendations.
SA 402 – Requires the auditor to consider audit considerations relating to entities
using service organizations.
ISO 27001- Information Security Management Standard - It is the international
best practice and standard for an information security management system
(ISMS). It is a systematic approach to managing confidential or sensitive
information, so that it remains secure.
ISO 27002 is an auxiliary standard which provides more details on how to
implement the security controls specified in 27001.
ISO 27005 - Describes risk assessment procedures in more detail.
BS-25999-2 - Gives a detailed description of Business Continuity Management.
COBIT - It is an IT Governance framework and supporting toolset that allows
managers to bridge the gap between control requirements, technical issues and
business risks. It emphasizes regulatory compliance, helps organizations to
increase the value attained from IT, enables alignment, and simplifies
implementation of the COBIT Framework. COBIT Principles are:
Systrust and Webtrust - these are two specific services developed by AICPA that
are based on the trust service principles and criteria. Systrust engagements are
designed for the provision for advisory services and assurance for reliability of
system. Webtrust engagements relate to assurance or advisory services on an
organization’s system related to e-commerce.
The Security Rule - The Security Rule lays down three types of security safeguards
required for compliance: administrative, physical and technical.
Information Technology Act 2000 (Amended in 2008)
Under Sec 43A of the (Indian) Information Technology Act 2000, where a body
corporate that is processing, dealing with or maintaining any sensitive personal
data is negligent in implementing and maintaining reasonable security
practices, resulting in wrongful loss or gain to any person, such body
corporate shall be liable to pay damages to the person affected.
The Act also recognizes and punishes offences by companies and individual
(employee) actions.
Under Sec 72A, disclosure of information knowingly and intentionally, without the
consent of the person concerned and in breach of a lawful contract, has been
made punishable.
ITAF (Information Technology Assurance Framework) - ISACA has issued ITAF,
which is a comprehensive and good-practice-setting reference model that:
Establishes standards that address audit and assurance professional roles
and responsibilities, knowledge and skills, and diligence, conduct and
reporting requirements
Defines terms and concepts specific to IS Assurance
Provides guidance, tools and techniques on the planning, design, conduct
and reporting of IS Audit and Assurance Assignments
SA 402 (Revised) - Audit considerations relating to an entity using service
organizations. This SA deals with the auditor's responsibility when the entity uses the
services of another entity.
Extra References-
Chapter 8 of the ICAI Knowledge Gateway on Information Security
IT Process & Methodology issued by the office of the Comptroller & Auditor
General of India.
IT Audit manual issued by Reserve Bank of India.
Deliverables
Draft Report including an executive summary of the findings & recommendations,
along with a risk analysis of the findings
Final report incorporating Management Comment & agreed priority plan
of action based on exposure analysis
Soft or hard copy of checklist used for the audit
Soft or hardcopy of Audit Methodology and documentation
A PPT Presentation before board of directors
IS Audit Report
Objectives of the Assignment -
The primary objective of this Information System Audit assignment was to provide assurance
to the management of Brandcom for the vendor proposal of cloud services considering the
findings and recommendations of internal audit department and provide our final
recommendations on acceptance of the proposal and remedial measures to be taken to
ensure successful outsourcing, if recommended. The implied security, data privacy and
compliance as applicable such as: Sensitive personal data information (SPDI), cloud provider
policies and procedures and data protection leakage are also to be reviewed.
customizations and so on) in a standardized format through an automated export
function.
If the answer from your potential provider is, "Sure, just call us, and we'll do it," then
further investigation is required, since that helpful attitude might change during a
contract dispute or if the company fails.
2: How does the support process hold up in your trial runs?
Every vendor -- SaaS providers included -- has 'world class' support during the sales
process, but the story can suddenly change once you become a paying customer.
Create a trial account that doesn't indicate your company affiliation, since you may
receive preferential support if there's a big name attached to a test account. Submit a
support request and assess the quality of the support you receive.
For a larger SaaS deployment, research the support model. Will your help desk be
responsible for 'Tier 1' support, or will users call the SaaS provider directly? How will
your internal support organization communicate with the SaaS provider's support?
3: What migration and training assistance options are available?
A major challenge with any new software deployment is migration to the new
platform and subsequent end user training. Check if your potential SaaS provider can
assist with these challenges through data migration tools, premade training tools, or
consulting assistance on either front. For a large SaaS deployment, these can be
points of leverage in contract negotiations, since it's in everyone's interest to make
the migration as fast and painless as possible.
4: Can you test in parallel?
As you consider a SaaS provider, investigate whether you can migrate a single
department or a small group of users to utilize the SaaS application in parallel to
whatever it's replacing. During this time period, you can gather user feedback, test
the support process, and validate the business case for moving to SaaS. You'll also
have an opportunity to test the migration tools to and from the SaaS platform in a
relatively low-risk manner.
5: How does functionality compare to maturity?
It's easy to get excited by the flashy functionality and compelling cost savings of a
SaaS delivery model, and start obsessing about getting the latest, bleeding-edge
capabilities; however, innovative functionality is often the domain of the newest and
least mature players in the SaaS market. While the functionality may be compelling,
other areas like support, disaster recovery, and ultimately corporate funding may be
lacking.
Temper excitement around features and functions with an honest assessment of the
company's maturity and ability to support your organization in the long run. In some
areas, an upstart may provide such compelling advantages that the risks are
worthwhile. Ultimately, you must understand the risks and rewards, and plan to
mitigate the former.
6: What's the backup plan?
It's vital that you understand how your data are protected, and what redundancies
are available should your SaaS provider have an outage. Too often SaaS providers
point to their backend infrastructure provider (Amazon or Microsoft's Azure) as
"unsinkable." While these platforms obviously have various redundancies, make sure
your provider maintains its own readily accessible backups to prevent unforeseen or
human errors, or provides an interface for you to perform your own backups.
7: What's the pricing model?
A major attraction of SaaS is the simplified pricing model. In some cases, there are
hidden charges, or pricing that varies based on metrics ranging from user counts, to
transactions, to bandwidth. If the sales process glosses over these provisions, engage
the assistance of your purchasing or legal department to wade through the fine print
and confirm that you understand what might trigger a significant price increase.
8: What integration options are available?
Rarely do our applications exist in silos, and as soon as your new SaaS tools gain
traction there will be demands to integrate their data and functionality into other
applications and reports. While many SaaS vendors provide a great portfolio of APIs
and data sharing, make sure your people have the skills to access these interfaces,
and that the data and functionality you might need to integrate are available.
9: Are your current and future user environments supported?
This may seem like an odd concern for SaaS-provided software since it's usually
delivered by a web browser, but as any web designer will tell you, not all browsers
are created equal. Browsers such as Google Chrome are the darlings of many SaaS
providers, and their software may not function correctly with corporate stalwart
Internet Explorer -- especially some of the older versions that are standard at some
companies.
In addition, consider whether your SaaS provider offers mobile apps or mobile
browser support if users will require access to the SaaS applications on the go. Users
like those who work on the shop floor or in field sales may end up using their phones
and tablets as the primary means for accessing the app, so ensure appropriate
mobile support is provided.
Review of Negotiating Terms with Vendor:-
Review the vendor's service history, obtain customer references and ask them about
their experiences with the vendor's concern for privacy, reliability and security
vulnerabilities.
Be certain that application and infrastructure security requirements are written into your
contract with any SaaS provider. Include an audit clause whereby you or a third-party
can periodically verify that the required controls are in place.
Get a solid service level agreement. An SLA requires that the vendor provide a specified
level of system reliability. A good vendor will strive for performance that meets Six Sigma
levels of service quality (e.g., 99.9997% of security patches made within a set number of
hours, not days, after public disclosure).
Do not accept a policy of making silent fixes to their service.
Insist that the vendor's own software development process adheres to a robust software
development life cycle model that includes tollgates that check for secure coding
standards.
Carefully examine the vendor's policies for data recovery and find out how long it will
take to retrieve your data if you decide to terminate the contract as well as how long it
will take them to make it inaccessible online.
Maintain strong encryption standards and key management for data transmission
between your site and the vendor site.
Be certain that your users are not the weak link in the security chain. Specify which web
browsers can be used to access services, and stay on top of browser security issues and
updates.
If possible, be certain that users must first log in to your network to access corporate
information on the SaaS vendor site.
Always maintain ownership of domain names and control domain access for the domains
through which services can be accessed.
Our Methodology
The Audit was carried out as per the pre-planned Audit Plan and Program, which was discussed
with the statutory auditors and Brandcom senior management. We have used the internationally
accepted standard for IS audit - COBIT (Control Objectives for Information and Related
Technology, issued by the Information Systems Audit and Control Association, USA) and
other relevant standards for the review.
Structured Methodology
The above mentioned objectives were achieved through the following structured methodology:
Obtained understanding of IT Resources deployment at Brandcom
Obtained understanding of IT security policies and controls system at Brandcom
Identification and documentation of IT security related circulars issued by
Brandcom
Identification and documentation of organization structure and information
architecture
Identification and documentation of existing policies, procedures and practices
Application of COBIT for formulating IT best security practices and policies and
procedure of Brandcom
Discussion with IT Department
Review of Environmental Access & Physical Access & logical Access security
controls.
Examination of Access rights
Observation of the users and the system in operation
Review of reports and audit logs in system software
Examination of processing controls using test data
Examination of access profiles and parameter setting
Discussion with IT Department of Data Service Solutions
Policies and manuals and agreements to be entered with Data Service Solutions.
Audit Environment
We have conducted the IS audit at the IT Department of Brandcom in a simulated environment
using a Windows 7 computer connected to the server. We have also reviewed the functioning of
four branches at Chennai, Ahmedabad, Bangalore and Hyderabad.
Audit Reports
We issued a draft report outlining our issues and recommendations and obtained feedback
from the IT Department & Internal Audit Department. Further, a meeting was held with the IT
Department, represented by Mr. Rajendra, DGM (IT), and Ms. Rashmi Sharma, AGM (Internal
Audit), where the issues and recommendations were discussed in detail. The issues rectified
so far are given separately in the Annexure for the purpose of record.
Information System Audit
Key Issues and Finding / Recommendations
We have reviewed the outsourcing policies & procedures of Brandcom. Our key findings
and recommendations, with the agreed action plan, are given below-
Recommendation
The vendor should be changed; if that is not possible, the reasons for such data
leakage should be identified through discussion with the vendor.
The service level agreement should provide for compensation in case of such
data leakage etc.
Management Comment: - Agree to resolve such problems by meeting with the
vendor; an appropriate SLA should be made for it.
Recommendation
Current enterprise environment and business processes, as well as the
enterprise strategy and future objectives should be considered.
A detailed analysis should be made of the organization's future goals & objectives.
Management Comment: - Agreed to resolve.
3. External environment of the enterprise (industry drivers, relevant
regulations, basis for competition) has not been documented or considered in
selecting cloud services:-
Issue: - Current enterprise environment and business processes, as well as the
enterprise strategy and future objectives have not been considered.
Implication – Medium
Such non-consideration could expose the organisation to legal action, will
impact its business reputation and has the potential to drive the
company out of business by losing future service contracts.
Recommendation
The external environment of the enterprise should be documented and
considered in selecting cloud services.
A team should be formed to understand the external environment.
Management Comment: - Agreed to resolve.
4. Process for reviewing the third-party compliance requirements is non-existent:-
Issue:- No policy exists for reviewing the compliance requirements of third parties,
and such decisions have been imposed by IT.
Implication – High
Security can be affected, as there is a risk of legal action and loss of
reputation.
Recommendation
Policy should be made for reviewing the compliances required by third party.
The duties and responsibilities regarding this should be assigned to a team
having knowledge of compliance requirements.
Management Comment:- Agree to implement policy for reviewing such third party
compliances and for it a proper team shall be constituted.
Implication – High
Such non-consideration will lead to dissatisfaction of employees & customers
and loss of reputation.
Recommendation
Before finalising the service agreements with the service provider, the
service catalogues, business process requirements and internal
operational agreements should be considered.
A team should be formed to incorporate such requirements.
Management Comment:- Agreed to resolve.
6. Does not have a policy for monitoring service levels, to report on achievements and
identify trends:-
Issue: - Policy for monitoring service levels, to report on achievements and
identifying trends does not exist.
Implication – Medium
The organisation is not able to plan for future trends.
Recommendation
The SLA should provide the appropriate management information to aid
performance management.
Management Comment:- Agreed to resolve.
7. Business case for cloud service was not prepared:-
Issue: - There is no process to identify priorities, specify and agree on business
information, functional, technical and control requirements covering the scope/
understanding of all initiatives required to achieve the expected outcomes of the
proposed IT-enabled business solution.
Implication – Medium
The organization is not able to plan for future trends, and a proper evaluation of
its needs cannot be made.
Recommendation
A process should be established to address such problems.
Management Comment:- Agreed to resolve.
Conclusions
Further Action
We consider that the recommendations given in this report will be very useful
for facilitating business process controls at Brandcom and will aid in
improving the effectiveness of security controls.
We would like to affirm that the matters included in this audit report are
those which came to our notice during our review by following normal
Information System Security audit complying with globally accepted
Information System Auditing Standards, guidelines and procedures that
apply specifically to Information System Auditing issued by ISACA, USA and
COBIT.
Further, on account of limitations of scope and time, we have used sample
test and test check approach. Hence, certain areas, which are outside the
scope of this review, are not covered.