TABLE OF CONTENTS
Certificate 3
Details of Case Study / Project Problem 4
Project Report – Introduction 5
Auditee Environment 6
Background 8
Situation 9
Terms and Scope of Assignment 11
Logistic Arrangements Required 12
Methodology and Strategy Adapted for Execution of Assignment 14
Documents Reviewed 22
References 23
Deliverables 24
Format of Report/Findings and Recommendations 27
Summary/Conclusion 28
Project Report ISA 2.0 – Migrating to Cloud based ERP solution
CERTIFICATE
This is to certify that we have successfully completed the ISA 2.0 course training conducted at Hotel Pride Plaza, Bodakdev Cross Road, Ahmedabad from 1st Feb 2020 to 29th April 2020, and that we have the required attendance. We are submitting the project titled "Migrating to Cloud based ERP solution".
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and that each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.
1. Name: CA Dhaval Limbani (ISA No. 62188)
2. Name: CA Manoj Jajodia (ISA No. 62682)
3. Name: CA Ashish Mehta (ISA No. 62810)
Place: Ahmedabad
Date: 30-04-2020
DETAILS OF CASE STUDY / PROJECT PROBLEM
ABC Infrastructure Ltd. (the auditee) provides gas pipeline services and distribution, EPC projects, cross-country pipeline laying and horizontal directional drilling across India. It is well equipped with complete infrastructure, has kept pace with changing technology, and has a construction team focused on safety, quality and efficiency, executing cost-effective projects within time and budget. The company currently uses a stand-alone accounting and inventory package with limited functionality. It has aggressive business growth plans and has found that the current software solution cannot meet its future requirements.
ABC Infrastructure Ltd has decided to migrate to 'Wilson's On Cloud Solution (WOCS) – Standard Version', a robust full-suite ERP developed using Wilson Virtual Works, a state-of-the-art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of a solution with "built-in best practices" together with a highly "flexible framework" that keeps the solution aligned to ABC's "dynamic business requirements".
The WOCS solution has standard product features which cannot be modified except through the methodology followed by Wilson; the customer has to use the existing product without any changes. Under the Software as a Service (SaaS) delivery model, WOCS will not make any changes to the data entry screens or processes for an individual customer's needs.
1. PROJECT REPORT - INTRODUCTION
ABC Infrastructure Ltd is a provider of gas pipeline services and distribution and EPC projects across India, and has adequate technology infrastructure for the changing environment. The company has four branch offices and more than 300 employees, including those at the branches. Of these, more than 40 employees are engaged in the finance and accounts department.
At present the company maintains a non-integrated, stand-alone accounting software package, which requires maintaining extensive documentation.
With the changing environment and future business growth, the company's board has decided to migrate from the existing non-integrated software to 'Wilson's On Cloud Solution (WOCS)', an ERP software. The new ERP software will provide all business process functions, from project execution, marketing and purchase management to payroll, inventory management, financial and management accounting, etc., so that real-time business information is available.
ABC Infrastructure Ltd (the auditee) appointed M/s MAD & Associates, Chartered Accountants (the auditor), to conduct the cloud ERP system audit of the auditee. The audit firm has 3 years' experience in conducting IS audits. The firm has 3 partners (CAs), 2 system auditors (ISA) and 3 other technical staff, all having good knowledge and experience in their respective domains.
Audit team (team member name – qualification – designation):
1. Mr. Dhaval Limbani – FCA, ISA – Team Leader
2. Mr. Manoj Jajodia – FCA – Co-Team Leader
3. Mr. Ashish Mehta – FCA – Co-Team Leader
4. Mr. Pranav Pandya – FCA, ISA – Team Member
5. Mr. Mihir Pandya – M.Tech, PhD (IT), BE (Software) – Software Engineer
6. Mr. Dhaval Chikani – M.Tech, BE (Software) – Software Engineer
7. Mr. Darshan Panchal – PhD (IT-Hardware Engineer) – Hardware Engineer
2. AUDITEE ENVIRONMENT
ABC Infrastructure Ltd is a provider of gas pipeline services and distribution and EPC projects across India, and is engaged in heavy infrastructure projects for governments and large infrastructure companies.
The company's board consists of 7 directors: one Managing Director (CEO), one Finance Director (CFO), a Sales & Marketing Director, a Chief Operational Director (COO), a Chief Information Officer (CIO) and 2 Executive Directors. The board sets policy and procedure and lays down the strategy for business tasks, which are executed and implemented by managerial and operational staff, from each department head down to operational-level staff members.
At present the company uses non-integrated accounting software which will no longer be useful given the changing business and technology environment. The company's infrastructure is well equipped, but it does not use any ERP software to integrate all its business functions on a single platform. The MD is confident that with adequate training the finance and accounts department can be made familiar with the cloud based ERP. This will eliminate the need to purchase servers and hardware storage, i.e. a reduction in OPEX.
Apart from the respective tax laws, corporate law, labour law, etc. and the IT Act 2000, the company is not bound by any other legal compliance such as RBI, SEBI, Banking Regulation, IRDA, etc. The company has a compliance department which looks into matters relating to compliance, and its work is reviewed by the internal audit function. For effective operation of the compliance department, the company has standard policies, procedures and guidance that define the regulatory requirements that apply to it.
Information Security Policy
1. Acceptable Use Policy: The company has defined the acceptable use of computer devices and equipment, and the security measures employees must follow to protect organizational resources.
2. Clean Desk Policy: The company has defined the minimum requirements of a clean desk policy, such as keeping sensitive or critical information of the company, employees and customers, and intellectual property, secured in a locked area.
3. Encryption Policy: The company has defined the acceptable encryption algorithms for system security and protection from unauthorized access.
4. Digital Signature Acceptance Policy: The company has defined when a digital signature is considered an acceptable means of validating the identity of a signer in electronic communications and documents.
5. Password Policy: The company has defined high-level password configuration for system access and email access to protect information and identity. Further, passwords must be changed within 90 days.
6. Network Security Policy: The company has defined overall network access, including a remote access policy (software permitted for remote access), a wireless communication policy for connecting to the company network, and a standard for the minimum security configuration of routers and switches inside the computer network.
7. Server Security Policy: The company has defined requirements around the installation of third-party software and the security configuration of servers. It has also defined requirements for the disposal of equipment such as hard drives, USB drives and CD-ROMs.
8. Business Continuity Management Policy: The company has defined requirements to ensure continuity of critical business operations. The policy is designed to minimize the impact of unforeseen events and return the business to normal levels.
3. BACKGROUND
Since the company has decided to change its accounting tool from the traditional package to the cloud based ERP (WOCS), the most important task for the company is to migrate its data onto the ERP system first. This is done by batch processing: one person uploads the data and another person approves the transactions. Once the data is processed, the next critical operation is to reconcile it against the traditional data to check that all data has been migrated completely and in the required form. In a cloud ERP system the application is hosted on the cloud and the ERP service provider takes care of hosting it. This follows the Software as a Service (SaaS) model, in which the company accesses the software while the service provider manages the software, including the operating system and execution environment.
To check all these critical operations, the company wants an independent auditor to review them. The auditor (MAD & Associates) will audit these functions from the beginning: mapping of codes, ledgers and groups, data uploading, reconciliation, report spooling and trade checking, to establish whether all ERP modules (vendor data, inventory management, financial accounting, sales and purchase, payroll, etc.) work effectively and efficiently on the cloud site provided by the cloud service provider. The auditor will also verify that the effect of one data entry on other ERP utilities is proper and correct.
For this purpose, the auditor will thoroughly check whether system configuration and settings have been manipulated or modified. The auditor will further check the IT infrastructure configuration (operating system, servers, networking devices and tools) and the security controls over it, to determine whether confidentiality, integrity or availability (CIA) could be compromised through unauthorized access, data manipulation, etc., which may be a big threat to the organization. In addition, the auditor will check whether the vendor is responsible for maintaining hardware and software, such as patches, upgrades and refreshes.
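The batch upload, approval and reconciliation described above, as an added example that is not part of the original report: a small Python script that maps legacy ledger codes to WOCS ledger codes, reconciles the uploaded balances against the legacy trial balance (including control totals), and enforces the maker-checker rule before a batch is approved. All ledger codes, balances and user names are constructed sample data; the helper names are hypothetical and are not WOCS's own API.

```python
"""Reconciliation of a migration batch uploaded to the cloud ERP (WOCS)
against the legacy stand-alone package. Constructed sample data throughout;
the helper names are hypothetical and not part of WOCS."""
from collections import defaultdict
from decimal import Decimal

# Constructed mapping of legacy ledger codes to WOCS ledger codes.
CODE_MAP = {
    "1001": "GL-CASH",
    "1002": "GL-BANK",
    "1003": "GL-BANK",     # two legacy bank ledgers merged into one WOCS ledger
    "2001": "GL-VENDOR",
    "4001": "GL-SALES",
}

# Constructed legacy trial balance: (legacy code, closing balance).
LEGACY_ROWS = [
    ("1001", "1500.00"),
    ("1002", "25000.50"),
    ("1003", "4999.50"),
    ("2001", "-12000.00"),
    ("4001", "-19500.00"),
    ("9999", "100.00"),    # legacy ledger with no WOCS mapping defined
]

# Constructed batch as keyed into WOCS: (WOCS code, balance).
UPLOADED_ROWS = [
    ("GL-CASH", "1500.00"),
    ("GL-BANK", "29990.00"),   # keying error: legacy data says 30000.00
    ("GL-VENDOR", "-12000.00"),
    ("GL-SALES", "-19500.00"),
]


def expected_balances(legacy_rows, code_map):
    """Map legacy codes to WOCS codes and sum balances per WOCS ledger.
    Returns (expected, unmapped): unmapped lists legacy codes with no mapping."""
    expected = defaultdict(Decimal)
    unmapped = []
    for code, bal in legacy_rows:
        target = code_map.get(code)
        if target is None:
            unmapped.append(code)
            continue
        expected[target] += Decimal(bal)
    return dict(expected), unmapped


def reconcile(legacy_rows, uploaded_rows, code_map):
    """Compare uploaded WOCS balances with balances expected from legacy data.
    Amounts in the report are strings so it can be printed or logged as-is."""
    expected, unmapped = expected_balances(legacy_rows, code_map)
    uploaded = defaultdict(Decimal)
    for code, bal in uploaded_rows:
        uploaded[code] += Decimal(bal)
    mismatches = {
        code: (str(expected[code]), str(uploaded[code]))
        for code in expected
        if code in uploaded and expected[code] != uploaded[code]
    }
    return {
        "unmapped_legacy_codes": unmapped,
        "missing_in_upload": sorted(set(expected) - set(uploaded)),
        "extra_in_upload": sorted(set(uploaded) - set(expected)),
        "mismatches": mismatches,
        "control_total_legacy": str(sum(expected.values(), Decimal("0"))),
        "control_total_upload": str(sum(uploaded.values(), Decimal("0"))),
    }


def approve_batch(report, maker, checker):
    """Maker-checker gate: approve only when the checker is a different user
    and the reconciliation report carries no exceptions."""
    if maker == checker:
        return False, "checker must differ from maker"
    exceptions = (report["unmapped_legacy_codes"] or report["missing_in_upload"]
                  or report["extra_in_upload"] or report["mismatches"])
    if exceptions:
        return False, "reconciliation exceptions outstanding"
    return True, "approved"


if __name__ == "__main__":
    report = reconcile(LEGACY_ROWS, UPLOADED_ROWS, CODE_MAP)
    for key, value in report.items():
        print(f"{key}: {value}")
    print(approve_batch(report, maker="uploader1", checker="uploader1"))
    print(approve_batch(report, maker="uploader1", checker="approver1"))
```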
4. SITUATION
The auditee is currently using a system which provides stand-alone accounting and inventory packages with limited functionality. The company has aggressive growth plans for which the current software solution is not enough. The company's finance and accounts department has more than 40 employees, the current software packages are stand-alone and non-integrated, and extensive documentation is maintained. Management has therefore decided to migrate to a cloud based ERP.
The proposed Wilson's solution provides a single version of the product at any point in time. All product feature upgrades and updates are made available as part of the standard offering. The requirements are market driven and are prioritized based on various criteria such as statutory needs, best business practice, key business processes, etc. There are 14 modules included in the scope, such as sales & shipping management, accounts receivable, purchase, HR & payroll, etc.
Moreover, the current staff are not computer savvy and have limited knowledge of using computers, but the young MD has taken charge of training employees, and the cost consideration based on a model implementation of 10 user licenses shows a cost benefit analysis and justification for the investment. Seeing these current problems and the benefits of the cloud-based solution, management has decided to migrate to a cloud based ERP. The proposed solution also provides complete applications which are sold on a subscription model for a specific period. This model provides the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser. This brings savings to ABC Infrastructure Ltd as there is no need to buy licenses for running programs on their own computers; the software solution is accessible using existing computers.
Areas of risk and the risk focus areas for each:
1. Access Control: Is there appropriate ingress or egress filtering? Are there ACLs that segment the environment from other resources?
2. Virtualization: Is there a protected environment? How are host systems secured? Are resources utilized and released as expected? How are virtual resources interconnected?
3. Data Management and Data Storage: The cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO) and recovery point objectives (RPO). Cloud providers may drastically change their business model or discontinue cloud services. Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult.
4. Communication Channels: What communication protocols are used to communicate with other data centers? Are any clear-text administration protocols used? Can you monitor communication in and out of the cloud as well as within the cloud? Are there any end-user devices that can download data from the cloud?
5. Cloud Supporting Infrastructure: Utilize ISO 27001 and SOC 2 / SOC 3 (Assurance Reports on Controls at a Third-Party Service Organization) trust principles: security, availability, processing integrity, confidentiality and privacy. Will administrators have "access" to the virtual data?
6. Software as a Service (SaaS): Examine the tools used for usage tracking and licensing. Examine the accuracy of reporting. Check separation from other applications. New risks may exist as cloud computing can expand and shorten the SDLC cycle.
5. TERMS AND SCOPE OF ASSIGNMENT
Auditor's Terms & Scope
- How much security is enough?
- Who is responsible for data security?
- Criticality of the application being sent to the cloud.
- Control issues specific to the cloud service provider.
- Identify internal control and regulatory deficiencies that would affect the organization.
- Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in the package solution offered by the vendor.
- Outsourcer's experience with SLA and vendor management.
- Review contractual compliance between the cloud service provider and the customer, i.e. the auditee.
- Cloud vendor's policy on vulnerability management: reporting, commitment to follow-up, prompt response to reports, etc.
- Provide management with an assessment of the impact of implementing Wilson's On Cloud Solution, of its security policy and procedures, and of their operating effectiveness.
- Information systems audit of all or any aspect of security policy, business continuity, environmental access, physical access, logical access and application security.
- What is the impact on the auditor when the client has used a "Cloud ERP System", and how will data be audited at the cloud service provider?
- Compliance with enterprise policies, procedures, standards and practices as relevant.
- Compliance with regulations as applicable.
6. LOGISTIC ARRANGEMENTS REQUIRED
The auditor requires the following hardware, software (application and system), information and system configuration documentation.
1. Hardware: The auditor (MAD & Associates) needs 7 laptops, 3 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured to be compatible with the software.
2. Software (application as well as system): Licensed software must be installed on all desktops and laptops so that the team can work in the auditee IT environment, with high-bandwidth internet access.
3. Information: The information to be audited, which may be data, audio, video, electronic form data, images, etc.
4. System Configuration Documents: System configuration documentation from the supplier or vendor of the hardware, software and source code, so that the technical details are clearly understood.
An information security management system is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. The company (auditee) has obtained ISO certification stating that it meets the objectives of ISO 27001. The aim is to give clients and customers confidence and assurance that it follows accepted best business practices.
In order to obtain assurance that the data processed by the system is complete, valid and accurate and gives the desired results, computer assisted audit techniques (CAATs) shall be used. CAATs are computer-based tools that help carry out automated procedures to evaluate an IT system or its data. They are very useful where a significant volume of auditee data is available in electronic format. CAATs provide a greater level of assurance than other techniques, especially manual testing methods.
Use of CAAT Tools (Computer Assisted Audit Techniques): The use of CAAT tools improves the audit process and helps in data extraction and analysis. The techniques are as follows:
1. Generalized Audit Software: This tool is effective and efficient for IS audit. In this method an Access Control List (ACL) is a table under which data is locked down as read-only to prevent inadvertent changes. The organization defines access rights for each system user; every user has different rights, such as read only, read and modify, approve, etc.
2. Utility Programs: These programs are used to perform common data processing functions such as sorting, creating and printing files. They do not contain features such as automatic record counts or control totals.
3. Test Data: The auditor uses a sample set of data to assess whether logic errors exist in a program and whether the program meets the organization's objectives. It provides information about internal control and any weaknesses that exist.
4. Audit Expert System: In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls, and vulnerability testing.
7. METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT
ISACA Cloud Computing Audit Program – Areas
Planning and Scoping the Audit:
- Define the audit/assurance objectives
- Define the boundaries of review
- Identify and document risks
- Define the change process
- Define assignment success
- Define the audit/assurance resources required
- Define deliverables
- Communications
Governing the Cloud:
- Governance and Enterprise Risk Management (ERM)
- Legal and Electronic Discovery
- Compliance and Audit
- Portability and Interoperability
Operating in the Cloud:
- Incident Response, Notifications
- Application Security
- Data Security and Integrity
- Identity and Access Management
- Virtualization
Audit Program under COBIT Framework (COBIT control objective, followed by the audit procedure):
1. Benefit Management (Acquire, Plan and Organize): Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts and industry analysts.
2. Supplier Contract Management (Acquire and Implement): Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts, etc.
3. Supplier Performance Monitoring (Deliver, Service and Support): Inspect supplier service reports to determine that supplier performance is in alignment with pre-defined SLAs and the supplier contract.
4. Identity Management (Deliver, Service and Support): Confirm that every user has a unique ID and that access rights to the system are as per the documented business process framework.
5. Network Security (Deliver, Service and Support): Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPN switches, etc., are updated regularly.
6. Information Exchange (Deliver, Service and Support): Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization.
7. Contract Compliance (Monitor and Evaluate): Review policies and procedures to ensure that contracts with third-party service providers comply with applicable laws, regulations and contract commitments.
8. Data Integrity (Deliver, Service and Support): Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, with authentication codes and encryption.
9. Governance:
- Review organizational strategy and risk appetite, roles and responsibilities, insurance, and governance tasks.
- Monitor usage of cloud services through vendor-provided dashboards or logging information available to the client.
- Address issues promptly based on governance requirements and defined roles/responsibilities.
10. Data Management:
- Perform a data flow and privacy assessment by reviewing the data throughout its life cycle. Is it vulnerable at any point?
- Ask for an overview of the dedicated (single-tenant) and shared (multi-tenant) cloud services provided by the CSP.
- Review data transfer to the CSP.
- Data segregation: Review shared environments for data segregation, logical separation and security in a multi-tenant environment, or the use of separate servers.
- Data recovery: Review whether the CSP can do a complete restoration in the event of a disaster, or whether it has data replication capabilities available to an alternate data location. Review where that alternate location is, in addition to its recoverability capabilities.
11. Data Environment:
- Where are the data centers located? Can the CSP commit to specific privacy requirements?
- Review the applications and operating systems utilized. Use a data life cycle approach regarding what is stored and where.
- Obtain a description of how often infrastructure components, such as hardware and software, are updated.
12. Cyber Threat:
- What are the patch and vulnerability management program practices? How does the CSP ensure these practices do not create a security risk for client infrastructure? What is the vulnerability remediation process?
- Review the security monitoring processes utilized by the CSP.
- Are there established application-level reviews, a defined Software Development Life Cycle process, and change notification and release management?
13. Infrastructure:
- Is there restricted and monitored access to assets at all times?
- How is employee or third-party access to client data controlled?
- Are staff background checks employed? How extensive are these background record reviews, and are they recurring?
- Vulnerability management: Patch vulnerabilities in virtual machine templates and offline virtual machines.
- Network management: Secure network traffic between distributed cloud components. Detection for defense against attacks originating from within the cloud environment. Review the perimeter for exposure to distributed denial-of-service attacks against public-facing cloud interfaces.
- System security: Review where there may be vulnerable end-user systems interacting with cloud-based applications. Discuss how the CSP handles secure intra-host communications among multiple virtual machines.
- Who controls encryption keys? How are the encryption keys monitored? What are their storage and backup locations? Review encryption certifications, determine what they apply to, and test them.
14. Logs and Audit Trail:
- How long are logs and audit trails kept?
- How does the CSP provide for tamper-proofing of logs and audit trails?
- Is there dedicated storage for logs and audit trails?
- Can the CSP provide timely forensic investigations, e.g. eDiscovery and system analysis?
15. Availability:
- The client should review Service Level Agreement (SLA) uptime tolerance levels and check for "additional subtractions" disclaimers for the stated level.
- Does the CSP have resiliency (e.g. clustered systems, redundancy and failover capabilities), and does it test these abilities after changes or system updates?
- Does the CSP test restores, and what actions require additional fees? Where are the backups located (e.g. on-site, off-site, replicated to another location)?
- What file and directory versioning is available?
- Does the CSP have an incident response plan, and can the CSP describe it?
- What measures are employed to guard against threats and errors, including use of multiple CSPs and denial of service (DoS) protection?
- When do peaks in demand occur, and does the CSP have the capacity to handle such maximum load?
- What service level guarantee does the CSP offer under Disaster Recovery/Business Continuity conditions?
16. Identity and Access Management:
- Obtain information regarding authentication, restriction of access, and implementation of segregation of duties (SOD) for cloud provider staff.
- Obtain a description of the physical security measures in place within the CSP data centers, including server areas and access to host/network systems.
- Review the types of access available: single sign-on (SSO), authentication using the client's identity management software, or two-factor authentication.
- Does the client have administrative privileges and controls, and over which system components, software and/or client users?
17. Encryption:
- Understand the environment for the service boundary, including the connection points to and from the data, the encryption utilized for data in transit and data at rest, and the type of encryption.
- Ensure that the CSP provides SSL from an established Certificate Authority (CA) and that the SSL CA has its practices audited annually by a trusted third-party auditor, e.g. Symantec WebTrust audit or AICPA WebTrust audit requirements.
- SSL should provide a minimum of 128-bit (256-bit optimum) encryption based on the 2048-bit global root. Determine the type of encryption.
- Is any encryption utilized for data at rest? For data in storage, how are encryption keys stored? For data backups, is the data encrypted in transit or at rest? How are keys managed?
18. Privacy:
- How are digital identities and credentials protected in cloud applications? What client data is stored and used, and what is its disposal process?
- Under what conditions might third parties (including government agencies) have access to confidential data?
- Is there a guarantee that third-party access to shared logs and resources will not reveal critical, sensitive information?
19. Regulatory Compliance:
- What are the compliance requirements of the vendor or third party?
- The provider should demonstrate that it meets financial viability requirements.
- Review the vendor's commitment to remaining in such compliance, for itself and any third-party service it utilizes.
- Discuss the CSP's commitment to maintaining the described level of security compliance and the interval of conformity updates.
20. Legal:
- Ensure that there is an engagement agreement covering: the right to audit and physically inspect; timely removal of data and its destruction; change control notifications; intellectual property; cloud staff hiring requirements; and training, confidentiality, backups, outsourced services to other vendors, certifications, and their maintenance and renewal intervals. Ensure the provider guarantees storage of the organization's data in a particular location based on the contractual agreement.
- What notification arrangements are in place for the cloud provider to notify the customer organization in the event of a suspected breach?
- What forensic investigation tools and cloud provider staff training are in place for logging and preserving evidence of an alleged violation?
- Agreed-upon recourse needs to be in place for security incidents, data breaches, or failure to meet SLAs.
- Records management: Review the life cycle in terms of preservation, retention, eDiscovery and disposal policies based on organization requirements.
- Review rights to data by ensuring that the client organization is the data owner for all data and applications, including replicated copies, with the right to have all customer information deleted promptly if so instructed, with assurance documentation, as agreed between the client and the CSP.
- Update the cloud contract over time to reflect operating changes.
- Specify whether there are any additional fees for termination of services, or for delivery or erasure of data.
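Items 4, 14 and 16 of the audit program above concern unique user IDs with rights that follow the business process, tamper-proofing of audit trails, and segregation of duties. As an added example that is not part of the original report, the following Python script builds a hash-chained audit trail (each record carries the hash of the previous one, so a later edit or deletion is detectable) and then reviews it for actions outside a user's assigned rights and for batches approved by their own uploader. The roles, users, actions and log events are constructed sample data; the functions are hypothetical and do not represent the CSP's or WOCS's own logging.

```python
"""Hash-chained audit trail with an integrity check and a rights/SoD review.
All roles, users, actions and events are constructed sample data; the functions
are hypothetical and do not represent any CSP's or WOCS's logging."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for the first record

# Constructed role -> permitted ERP actions (hypothetical action names).
ROLE_RIGHTS = {
    "accounts_clerk": {"upload_batch", "view_ledger"},
    "accounts_manager": {"approve_batch", "view_ledger"},
    "it_admin": {"change_config"},
}
USER_ROLES = {"clerk1": "accounts_clerk", "mgr1": "accounts_manager", "admin1": "it_admin"}

# Constructed events in the order they were logged.
EVENTS = [
    {"ts": "2020-03-02T09:10:00", "user": "clerk1", "action": "upload_batch", "batch": "B-01"},
    {"ts": "2020-03-02T09:40:00", "user": "mgr1", "action": "approve_batch", "batch": "B-01"},
    {"ts": "2020-03-02T10:05:00", "user": "clerk1", "action": "upload_batch", "batch": "B-02"},
    {"ts": "2020-03-02T10:06:00", "user": "clerk1", "action": "approve_batch", "batch": "B-02"},
    {"ts": "2020-03-02T11:00:00", "user": "admin1", "action": "view_ledger", "batch": None},
]


def entry_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash and a canonical JSON form of the entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def build_trail(events):
    """Append events as chained records {seq, entry, prev, hash}."""
    trail, prev = [], GENESIS
    for seq, event in enumerate(events):
        entry = dict(event)           # copy, so later edits to the trail never touch EVENTS
        digest = entry_hash(prev, entry)
        trail.append({"seq": seq, "entry": entry, "prev": prev, "hash": digest})
        prev = digest
    return trail


def verify_trail(trail):
    """Return the seq of the first record whose chain link is broken, or None if intact."""
    prev = GENESIS
    for record in trail:
        if record["prev"] != prev or record["hash"] != entry_hash(prev, record["entry"]):
            return record["seq"]
        prev = record["hash"]
    return None


def review_trail(trail):
    """Flag actions outside the user's role rights and batches approved by their uploader."""
    findings, uploader_of = [], {}
    for record in trail:
        ev = record["entry"]
        allowed = ROLE_RIGHTS.get(USER_ROLES.get(ev["user"]), set())
        if ev["action"] not in allowed:
            findings.append((record["seq"], "beyond assigned rights"))
        if ev["action"] == "upload_batch":
            uploader_of[ev["batch"]] = ev["user"]
        elif ev["action"] == "approve_batch" and uploader_of.get(ev["batch"]) == ev["user"]:
            findings.append((record["seq"], "self-approval of own batch"))
    return findings


if __name__ == "__main__":
    trail = build_trail(EVENTS)
    print("chain intact:", verify_trail(trail) is None)
    for seq, reason in review_trail(trail):
        print(f"record {seq}: {reason}")
    trail[3]["entry"]["user"] = "mgr1"      # simulate an after-the-fact edit of a record
    print("first broken record:", verify_trail(trail))
```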
8. DOCUMENTS REVIEWED
We reviewed the following documents during execution of this assignment to identify controls and the weaknesses therein:
- User manuals and technical manuals relating to the system software and ERP.
- Organization chart outlining the organization hierarchy and job responsibilities.
- Circulars and guidelines issued to employees.
- User manuals and documentation relating to the ERP implementation by ABC Infrastructure Ltd.
- Any other documentation identified by us as required for the assignment, such as the security policy document relating to the system.
- The SLA: the auditor has read and understood all its terms and conditions. Any term that is harmful for the company has been discussed with management in order to secure stakeholder interest.
- Audit findings documents.
9. REFERENCES
- Best practices relating to internationally accepted standards for IS audit: COBIT (Control Objectives for Information and Related Technology), issued by the Information Systems Audit and Control Association, USA; the COSO framework, etc.
- Information Systems Audit and Control Association, IS Auditing Guidelines.
- Information Systems Audit 2.0 Course, Volume I, Module 1, Chapter 3, Part 1: Cloud and Mobile Computing.
- Information Systems Audit 2.0 Course, Volume I, Module 2, Chapter 2: IS Audit in Phases.
- ISACA Audit Program and CAAT Tools.
- ISO Standard 27001.
- Deloitte (2010); Heiser (2015); Lehigh (2016); O'Hanley & Tiller (2013).
10. DELIVERABLES
The following list summarizes each review area with the relevant finding, the auditor's
recommendation or suggestion, and the risk rating (High, Medium or Low, as defined at
the end of this section).

1. Technology Selection
   Finding: Before moving to the cloud, the organization (auditee) did not perform a
   cost-benefit analysis.
   Recommendation: NIL.
   Risk Rating: Low

2. Physical Access Control
   Finding: Access to data should be allowed only to authorized persons, since the data
   may be sensitive to its stakeholders.
   Recommendation: The organization should deploy biometric access devices so that an
   access history is retained; adopt the maker-and-checker rule; use the audit trail to
   check who accessed the data previously and what each user did; and enforce a clean
   desk policy to secure sensitive data held in paper form.
   Risk Rating: Medium

3. Login Access Control
   Finding: In this scenario every user has a unique login, and can access only the data
   for which they are permitted to transact.
   Recommendation: This control helps prevent unauthorized access to data; no user should
   be able to approve or authenticate data beyond the rights assigned to them. Examples of
   such controls are login ID and password, network monitoring and access controls.
   Risk Rating: Medium

4. Audit Trail
   Finding: In this scenario we can identify who last logged in, each user's activity, and
   the time spent by previous users.
   Recommendation: With an audit trail in place, users are held to the rights assigned to
   them, which maintains data security and integrity; even if anybody attempts to work
   beyond his or her rights, the attempt is traceable, and personal accountability of
   each user is established.
   Risk Rating: Medium

5. Firewall
   Finding: Any data coming into or going out of the organization boundary is filtered by
   the firewall system. The firewall acts as the security barrier between the public and
   private networks and checks every data packet coming from the outside world into the
   private network for authentication, authorization, etc. The system on which the
   firewall is installed is called a bastion host.
   Recommendation: The organization should install firewalls covering all of the following
   types: proxy server, network level (packet filtering), application level and stateful
   inspection.
   Risk Rating: Medium

6. System Backup
   Finding: When backups are taken of the system and the data together, they are called a
   total system backup.
   Recommendation: The organization should have a proper backup plan which specifies the
   type of backup to be kept, the frequency of backup, the location of the backup, etc.
   One of the following backup plans may be selected: full backup, incremental backup,
   differential backup, mirror backup.
   Risk Rating: Medium

7. Service Level Agreement
   Finding: The SLA contains terms and conditions which are harmful to the auditee
   organization, such as blackouts and disruption in service.
   Recommendation: The organization and the CSP should meet in order to resolve the
   conflict, and the CSP should inform the organization of the alternate sites from which
   service will be provided in case of an emergency failure of the main site.
   Risk Rating: Medium

8. Data Privacy and Confidentiality
   Finding: Access to customer data must be restricted to the respective organization and
   its authorized personnel, and must not be shared with any other organization or
   personnel.
   Recommendation: The organization should establish a policy that maintains the privacy
   of its data from the other service receivers (tenants) of the same cloud service
   provider.
   Risk Rating: High

9. Natural Disaster Events
   Finding: The organization should consider natural events such as earthquake, tsunami,
   flood, fire, etc.
   Recommendation: The organization should have one additional BCP site with complete IT
   infrastructure, so that in case of a natural disaster normal business functions can
   continue without disruption.
   Risk Rating: High

10. Alternate Processing Facility Arrangements
   Recommendation: Security administrators shall have one of the following arrangements
   with the cloud service provider for an alternate processing facility: cold site, hot
   site, warm site, or reciprocal agreement. Further, the contract must include the
   following:
   - how soon the site will be made available subsequent to a disaster;
   - the number of organizations that will be allowed to use the site concurrently in the
     event of a disaster;
   - the priority to be given to concurrent users of the site in the event of a common
     disaster;
   - what controls will be in place and working at the off-site facility.
   Risk Rating: High
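The login-access and audit-trail findings (items 3 and 4 above) state what an audit trail must let the auditor reconstruct: who last logged in, how long each user was active, what each user did, and which actions went beyond the rights assigned to the user. The following is an added example, not part of the original report or of the auditee's ERP, that runs those checks over a few constructed ERP access-log lines. The log format, user names, module names and the rights matrix are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ERP access log (not a real system's output).
# Assumed format: <ISO timestamp> <user> <LOGIN|LOGOUT|ACTION> [<module> <action>]
SAMPLE_LOG = """\
2020-03-02T09:00:00 ajay LOGIN
2020-03-02T09:01:40 ajay ACTION inventory VIEW
2020-03-02T09:05:03 ajay ACTION inventory CREATE
2020-03-02T09:07:55 ajay ACTION payments APPROVE
2020-03-02T09:30:00 ajay LOGOUT
2020-03-02T10:15:00 meera LOGIN
2020-03-02T10:16:21 meera ACTION payments VIEW
2020-03-02T10:20:09 meera ACTION payments APPROVE
2020-03-02T11:00:00 meera LOGOUT
2020-03-02T11:30:00 ajay LOGIN
2020-03-02T11:31:00 ajay ACTION payments APPROVE
"""

# Assumed rights matrix (user -> module -> permitted actions), standing in for the
# ERP's role assignments. "ajay" is an inventory clerk with no rights on payments.
RIGHTS = {
    "ajay": {"inventory": {"VIEW", "CREATE"}},
    "meera": {"payments": {"VIEW", "APPROVE"}},
}


def parse_log(text):
    """Turn log lines into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "user": parts[1], "event": parts[2]}
        if ev["event"] == "ACTION":
            if len(parts) != 5:
                continue  # an ACTION without module and action is malformed
            ev["module"], ev["action"] = parts[3], parts[4]
        events.append(ev)
    return events


def last_login(events):
    """Who last logged in: user -> timestamp of that user's most recent LOGIN."""
    latest = {}
    for ev in events:
        if ev["event"] == "LOGIN":
            latest[ev["user"]] = ev["ts"]
    return latest


def session_minutes(events):
    """Time spent per user, summed over closed LOGIN..LOGOUT sessions.
    A LOGIN with no matching LOGOUT (still active, or log truncated) is not counted."""
    open_since = {}
    total = defaultdict(float)
    for ev in events:
        if ev["event"] == "LOGIN":
            open_since[ev["user"]] = ev["ts"]
        elif ev["event"] == "LOGOUT" and ev["user"] in open_since:
            total[ev["user"]] += (ev["ts"] - open_since.pop(ev["user"])).total_seconds() / 60
    return dict(total)


def beyond_rights(events, rights):
    """Every ACTION outside the user's assigned rights, with the timestamp that makes it
    traceable to a person. A user or module absent from the matrix has no rights at all."""
    flagged = []
    for ev in events:
        if ev["event"] != "ACTION":
            continue
        permitted = rights.get(ev["user"], {}).get(ev["module"], set())
        if ev["action"] not in permitted:
            flagged.append((ev["ts"].isoformat(), ev["user"], ev["module"], ev["action"]))
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, ts in last_login(events).items():
        print(f"last login: {user} at {ts}")
    for user, mins in session_minutes(events).items():
        print(f"time spent: {user} {mins:.0f} min")
    for row in beyond_rights(events, RIGHTS):
        print("beyond rights:", *row)
```

On the sample log the analysis flags both of ajay's payment approvals, one inside a closed session and one in a session that is still open; the second would be invisible to a report that only looked at completed sessions, which is why the rights check runs over every action rather than over sessions.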
Implication of High, Medium and Low:
High: The issue represents a finding that exposes the organization to significant risk and
requires immediate resolution.
Medium: The issue represents a finding that exposes the organization to risk that requires
resolution in the near future.
Low: The issue represents a finding which does not require action from the organization.
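Finding 6 above leaves the choice among full, incremental, differential and mirror backups to the backup plan. The following added example, not from the report, simulates daily runs of each strategy after one full backup over a constructed set of ERP files and change dates, so that the two quantities a plan has to trade off, the volume copied each day and the number of backup sets a restore depends on, are concrete. File names, sizes, the full-backup date and the change schedule are assumptions.

```python
from datetime import date, timedelta

# Constructed: the files to protect and their sizes in MB (assumed values).
FILES = {"ledger.db": 500, "inventory.db": 200, "gst_returns.pdf": 10, "payroll.xlsx": 30}
FULL_BACKUP_DAY = date(2020, 4, 5)  # assumed: a Sunday full backup, then one run per day
# Constructed change schedule: days after the full backup -> files modified that day.
CHANGES = {1: {"ledger.db"}, 2: {"inventory.db"}, 3: {"ledger.db", "payroll.xlsx"}, 5: {"ledger.db"}}


def size_mb(files, names):
    """Total size of the named files."""
    return sum(files[n] for n in names)


def simulate(files, changes, days):
    """One row per daily run after the full backup: the MB each strategy copies that day
    and the number of backup sets needed to restore to that day's state."""
    rows = []
    since_full = set()  # differential baseline: changed since the last full backup
    since_last = set()  # incremental baseline: changed since the last backup of any kind
    for d in range(1, days + 1):
        changed = changes.get(d, set())
        since_full |= changed
        since_last |= changed
        rows.append({
            "day": FULL_BACKUP_DAY + timedelta(days=d),
            "full_mb": size_mb(files, files),              # copies everything every run
            "incremental_mb": size_mb(files, since_last),  # smallest copy, longest restore chain
            "differential_mb": size_mb(files, since_full), # grows until the next full backup
            # A mirror is an exact replica of the current state and keeps no earlier
            # versions, so a deleted or encrypted file is mirrored as such.
            "mirror_mb": size_mb(files, files),
            "restore_sets_incremental": 1 + d,             # full + every incremental so far
            "restore_sets_differential": 2,                # full + the latest differential
        })
        since_last = set()  # the incremental just taken resets its own baseline
    return rows


if __name__ == "__main__":
    for r in simulate(FILES, CHANGES, 5):
        print(r["day"], f"incr={r['incremental_mb']}MB diff={r['differential_mb']}MB",
              f"restore sets: incr={r['restore_sets_incremental']} diff={r['restore_sets_differential']}")
```

The simulation makes the plan's frequency decision visible: with daily incrementals a restore on day 5 needs six sets in the right order and fails if any one is missing, whereas the differential needs two sets but re-copies the 500 MB ledger every day it has changed since the full backup.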
11. FORMAT OF REPORT/FINDINGS AND
RECOMMENDATIONS
As set out in Section 10 (Deliverables) above.
12. SUMMARY/CONCLUSION
Cloud computing is increasingly assuming a prominent and leading role in businesses for the
purpose of operational efficiency and cost reduction. In spite of the numerous benefits, users
remain anxious about data protection and about dependency on the CSP for business continuity.
As per the discussion held with the management, the Board of Directors (BOD) of the company has
initiated corrective steps to overcome the high-implication findings observed in the audit, and
for those with medium implication the BOD would take corrective action as soon as possible.
Since the company has only recently migrated to the cloud-based ERP system, it will initially be
difficult for the organization as a whole to adopt the newer technological environment
perfectly. However, the management is optimistic about future guidance with respect to the
adoption of technological changes and their impact on the organization.