DISA Project Report on Review of Vendor Proposal of SaaS Services

Project Report

Title: Audit Review of Vendor Proposal of SaaS Services

A. Details of Case Study/Project (Problem)

Brandcom has decided to move its key business application to cloud services from a renowned vendor, considering the increased functionality and cost saving. However, the company has not done a comprehensive study of the appropriateness of the proposed IT services. The company's internal audit department reviewed the vendor proposal and provided its findings and recommendations, but these were ignored because the IT department, which enjoys a good reputation, convinced the CEO of the need to outsource on the basis of cost savings. The matter was given to us for an independent review of the vendor proposal. The key issues relating to data, security, privacy and potential compliance noticed by us during our review are given below:

  • A process for reviewing third-party compliance requirements is non-existent. This is a serious concern; without such a process the proposal is not viable for the company.
  • On contacting existing customers of the vendor, we were informed that when the cloud services were used, they detected leakage of critical information and of data in unknown areas. The impact on their business reputation was severe and had the potential to drive the company out of business by losing future service contracts.
  • The current enterprise environment and business processes, as well as the enterprise strategy and future objectives, were not considered in selecting the cloud services.
  • The external environment of the enterprise (industry drivers, relevant regulations, basis for competition) has not been documented or considered in selecting the cloud services.
  • Before finalising the service agreements with the service provider, the service catalogue, business process requirements and internal operational agreements were not considered.
  • The company has no policy for monitoring service levels, reporting on achievements and identifying trends. The SLA should provide the appropriate management information to aid performance management.
  • No business case for the cloud service was prepared. There is no process to identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.
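The service-level monitoring point above (no policy for monitoring service levels, reporting achievements and identifying trends) is illustrated by the following added example. It is not part of the audit report or the vendor's proposal. It shows the minimum such a policy needs in practice: an outage register, a monthly availability figure, the downtime budget the contracted target allows, a pass/fail per month and a month-over-month comparison. The 99.9 % target and the outage records are constructed assumptions.

```python
"""Monthly availability against an SLA target, computed from an outage register.

Added example, not from the audit report. The SLA target and the incidents
below are constructed assumptions used only to exercise the calculation.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

SLA_TARGET_PERCENT = 99.9  # assumed contractual availability target


@dataclass(frozen=True)
class Outage:
    start: datetime
    end: datetime


# Constructed outage register (hypothetical incidents, not real data).
OUTAGES = [
    Outage(datetime(2015, 8, 3, 10, 0), datetime(2015, 8, 3, 10, 20)),    # 20 min
    Outage(datetime(2015, 9, 14, 1, 0), datetime(2015, 9, 14, 2, 0)),     # 60 min
    Outage(datetime(2015, 9, 30, 23, 30), datetime(2015, 10, 1, 0, 30)),  # 60 min, crosses a month boundary
]


def month_bounds(year, month):
    """Return [start, end) datetimes for the calendar month."""
    start = datetime(year, month, 1)
    return start, start + timedelta(days=calendar.monthrange(year, month)[1])


def downtime_minutes(year, month, outages):
    """Sum outage minutes falling inside the month; an incident spanning a boundary is clipped."""
    m_start, m_end = month_bounds(year, month)
    total = timedelta()
    for o in outages:
        if o.end <= o.start:
            raise ValueError(f"outage ends before it starts: {o}")
        s, e = max(o.start, m_start), min(o.end, m_end)
        if e > s:
            total += e - s
    return total.total_seconds() / 60


def availability_percent(year, month, outages):
    m_start, m_end = month_bounds(year, month)
    minutes_in_month = (m_end - m_start).total_seconds() / 60
    return 100.0 * (1.0 - downtime_minutes(year, month, outages) / minutes_in_month)


def sla_report(months, outages, target=SLA_TARGET_PERCENT):
    """One row per month: downtime, allowed downtime budget, availability and pass/fail."""
    rows = []
    for year, month in months:
        m_start, m_end = month_bounds(year, month)
        budget = (m_end - m_start).total_seconds() / 60 * (1.0 - target / 100.0)
        avail = availability_percent(year, month, outages)
        rows.append({
            "month": f"{year}-{month:02d}",
            "downtime_min": downtime_minutes(year, month, outages),
            "budget_min": round(budget, 2),
            "availability": round(avail, 3),
            "met": avail >= target,
        })
    return rows


def worst_month(rows):
    """Trend aid for the management report: the month with the lowest availability."""
    return min(rows, key=lambda r: r["availability"])["month"]


if __name__ == "__main__":
    report = sla_report([(2015, 8), (2015, 9), (2015, 10)], OUTAGES)
    for row in report:
        print(row)
    print("worst month:", worst_month(report))
```

With these constructed incidents, September breaches the target (90 minutes of downtime against a budget of 43.2) while August and October pass; the third incident is counted partly in September and partly in October, which is the clipping an SLA calculation must get right before a credit claim is raised with the provider.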

B. Project Report (solution)


Introduction

A. As we understand the problem, Brandcom wants to accept the vendor's SaaS proposal very quickly, and the company has made no study of its internal and external business environment before considering the proposal. A detailed review of third-party requirements does not exist in the company, and the service level agreement with the service provider has not been finalised, although this is essential for the effective and efficient completion of the project. The second part of the implementation, namely the company's hardware configuration, the right to audit, data security and staff training, has also not been considered; the company is considering only the cost-saving aspect. Running the service on that basis is not good for the long-term betterment of the business: it creates severe problems for the company's data, security, privacy and compliance position, and directly affects the confidentiality, integrity and availability of company data. The above problems indicate that the company has no proper policies, procedures or technology infrastructure for the acceptance and implementation of the project.
Information Systems Audit ( DISA ICAI )
B. Our firm, K.V. and Associates, was established in 1997 and works in the field of taxation, auditing and consultancy on tax matters. The firm has 10 qualified chartered accountants, of whom 6 are FCA and DISA and CISA qualified and the remaining 4 are ACA. We have 5 IT experts in our firm with sound knowledge of software development and information technology. The main object of our firm is to provide the services best suited to our clients' business, and we give our suggestions to clients after auditing and analysing the current business scenario, the requirements and expectations from the new proposal, and the future prospects of the enterprise.

Auditee Environment

Brandcom Ltd. works in the field of telecommunication services such as internet, mobile and other BPO services in Mumbai. Currently 300 employees work in the company, of whom 40 (active users) work in Accounts and 25 in the Marketing department at different locations. The company's organisational structure is as follows:

All departments work under the CEO (Chief Executive Officer), who is directly accountable to the Board of Directors of the company and responsible for all other departments.

The CIO (Chief Information Officer) makes all policies on the company's information technology related issues, including the purchase of software and information systems.

The CAO (Chief Accounts Officer) is the company's chartered accountant and holds all accounts related work of the company.

The CMO (Chief Marketing Officer) is responsible for marketing the company's products.

The HR Head is responsible for recruitment of the company's employees and for providing a better environment for employees to achieve the company's goals.

The CPO (Chief Service Officer) is responsible for purchasing and for delivering services to customers.


Objective

The primary objective of this audit was to express an independent view on the appropriateness of the proposed IT services of the renowned vendor. Our client Brandcom Ltd has decided to move its key business applications to cloud services from the renowned vendor, considering the increased functionality and cost saving, and the company wants an independent review by us of the appropriateness of those proposed IT services.

We have conducted an information systems audit of Brandcom Ltd. The primary objective of this audit is an independent review of the proposed IT system to be implemented by the company. Implementation of the proposed system is the responsibility of the company; our responsibility is to report significant audit results and recommendations about the proposed system.

Situation

Presently the company works on the Tally ERP application. All data is stored on the head office server located at Andheri, and all backups are taken and stored at the head office. Keeping the backups at the same site as the primary server means a site-level loss (fire, flood, theft) would take both, which is relevant to the availability factor in our scope. The present Tally ERP software fulfils all regulatory compliance such as VAT and service tax calculations. Data entry work is divided among all departments; each user is given a user ID and password, and access to information is restricted for all employees on the basis of the work assigned to them. But due to the large area covered and near-future plans, it is very difficult to keep data at one place in the present application system.

The company is well known for its services, and future expansion of its business activities to all other states is planned. This requires a well-managed ERP system to store data effectively and efficiently and make it available instantly to all users at different locations in different states, together with advanced server and hardware facilities. This would require heavy investment in large servers, a WAN network, hardware facilities and data security.

Terms and Scope of assignment

We have been appointed as IS auditor to review the vendor proposal of cloud services, considering the findings and recommendations of the internal audit department, and to provide our final recommendations on acceptance of the proposal and the remedial measures to be taken to ensure successful outsourcing, if recommended. Our scope is to review key factors such as:

  • Implied security
  • Availability of data
  • Data privacy
  • Compliance requirements applicable to the company
  • Cloud provider policies and procedures
  • Data protection and leakage

Methodology and strategy adopted for execution of the assignment

We utilise "Caseware", a state-of-the-art and well-maintained audit software package, for our audit and financial reporting needs. The software is fully compliant with the Australian Audit Standards. The SaaS audit utilises the most up-to-date cloud technology, providing our clients with efficient and timely communication and with flexibility and security in managing data. For data security, the vendor's SAS 70 security audit report is to be reviewed to verify that it meets the requirements of the organisation, and the user consideration section of the SSAE 16 report is to be reviewed for internal control. Note that SAS 70 was superseded by SSAE 16, whose SOC 1 report covers controls relevant to financial reporting; controls over security, availability and confidentiality are covered by a SOC 2 report, and that report, including its complementary user entity controls, is the one to request from the vendor. Customers of the vendor are to be contacted, and a thorough analysis of the internal and external environment is to be carried out.

Deliverables

The audit was conducted on 01/10/2015, 02/10/2015 and 03/10/2015. The key issues relating to data, security, privacy and potential compliance noticed by us during our review are given below:

  • Third-party compliance. A process for reviewing third-party compliance requirements is non-existent, and the decision has been imposed by IT. For data security the vendor's SAS 70 security audit report is to be reviewed to verify that it meets the requirements of the organisation, and the user consideration section of the SSAE 16 report is to be reviewed for internal control.
  • Data leakage at existing customers. On contacting customers of the vendor, we were informed that when the cloud services were used they detected leakage of critical information and of data in unknown areas. The impact on business reputation was severe and had the potential to drive the company out of business by losing future service contracts.
  • Internal environment. The current enterprise environment and business processes, as well as the enterprise strategy and future objectives, were not considered in selecting the cloud services. These should be considered thoroughly before migrating so that all future requirements are met as and when needed.
  • External environment. The external environment of the enterprise (industry drivers, relevant regulations, basis for competition) has not been documented or considered in selecting the cloud services.
  • Service agreements. Before finalising the service agreements with the service provider, the service catalogue, business process requirements and internal operational agreements were not considered.
  • Service level monitoring. The company has no policy for monitoring service levels, reporting on achievements and identifying trends. The SLA should provide the appropriate management information to aid performance management.
  • Business case. No business case for the cloud service was prepared. There is no process to identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.
  • Customisation. Brandcom has some unique functionalities, so a properly customised ERP model is required to meet all requirements of the proposed system instead of the standard ERP package provided by the vendor.
  • Training. Before moving to the proposed system a proper training programme should be organised so that staff understand the system and all its advantages can be taken.
  • Data migration. Proper care should be taken during data migration, and a data migration audit should be done to ensure that the migrated data is complete and that no data integrity is lost.
  • User licences. The proposed system allows 9 regular and 1 lite user instead of the 40 existing users, which is not sufficient; at least 25 users should be provided so that data entry and availability are ensured as and when required.
  • Connectivity. The proposed system is cloud based, so dependency on bandwidth will be at its highest, and proper arrangements are required so that no connectivity issues arise.
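The data migration point above asks that migrated data be complete and that no integrity be lost. The following added example (not part of the audit report or of any vendor tool) shows how a migration audit verifies that: record counts, control totals and a per-record hash over canonicalised fields keyed by a unique identifier, reporting missing, extra and altered records. The column names and both data sets are constructed assumptions; the target set deliberately contains one altered amount, one missing voucher and one extra voucher.

```python
"""Reconcile a migrated data set against its source extract.

Added example, not from the audit report. The field names and the two
extracts below are constructed assumptions for illustration only.
"""
import hashlib
import json
from decimal import Decimal

KEY = "voucher"                                     # assumed unique identifier
FIELDS = ["voucher", "date", "party", "amount"]     # assumed column set
AMOUNT = "amount"                                   # assumed control-total column

# Constructed source extract (e.g. exported from the existing Tally ERP); hypothetical data.
SOURCE = [
    {"voucher": "V001", "date": "2015-09-01", "party": "ACME", "amount": "1500.00"},
    {"voucher": "V002", "date": "2015-09-02", "party": "Bharat Tel", "amount": "250.50"},
    {"voucher": "V003", "date": "2015-09-03", "party": "Delta", "amount": "99.99"},
    {"voucher": "V004", "date": "2015-09-04", "party": "Zeta", "amount": "4000.00"},
]

# Constructed target extract (as read back from the SaaS system after migration); hypothetical data.
TARGET = [
    {"voucher": "V001", "date": "2015-09-01", "party": "ACME", "amount": "1500.00"},
    {"voucher": "V002", "date": "2015-09-02", "party": "Bharat Tel", "amount": "205.50"},  # digits transposed
    {"voucher": "V004", "date": "2015-09-04", "party": "Zeta ", "amount": "4000.00"},      # harmless trailing space
    {"voucher": "V005", "date": "2015-09-05", "party": "Omega", "amount": "10.00"},        # no source record
]


def canonical_hash(record, fields=FIELDS):
    """SHA-256 over the record's fields in a fixed order, whitespace-trimmed, so that
    cosmetic differences (padding, key order) do not count as integrity loss."""
    payload = json.dumps([str(record.get(f, "")).strip() for f in fields]).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


def index_by_key(records, key=KEY):
    """Map key -> record hash. A duplicate key means the extract cannot be reconciled row for row."""
    index = {}
    for r in records:
        k = r[key]
        if k in index:
            raise ValueError(f"duplicate key {k!r} in extract")
        index[k] = canonical_hash(r)
    return index


def control_total(records, amount=AMOUNT):
    """Exact decimal sum of the amount column (never float for money)."""
    return sum((Decimal(r[amount]) for r in records), Decimal("0"))


def reconcile(source, target):
    src, tgt = index_by_key(source), index_by_key(target)
    common = src.keys() & tgt.keys()
    result = {
        "source_count": len(src),
        "target_count": len(tgt),
        "source_total": control_total(source),
        "target_total": control_total(target),
        "missing": sorted(src.keys() - tgt.keys()),  # in source, never migrated
        "extra": sorted(tgt.keys() - src.keys()),    # in target, no source record
        "altered": sorted(k for k in common if src[k] != tgt[k]),
    }
    result["clean"] = (
        not result["missing"] and not result["extra"] and not result["altered"]
        and result["source_count"] == result["target_count"]
        and result["source_total"] == result["target_total"]
    )
    return result


if __name__ == "__main__":
    for name, value in reconcile(SOURCE, TARGET).items():
        print(f"{name:13} {value}")
```

In the constructed case the record counts match (4 and 4) yet the migration is not clean: V003 is missing, V005 has appeared, and V002's amount has changed. This is why a migration audit must compare content and control totals, not counts alone, and why the comparison should run on extracts taken from the SaaS system after the load rather than on the file that was sent to the vendor.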

Summary / Conclusion / Executive Summary


Considering future external and internal factors, we recommend that the company move to an ERP system so as to have updated and integrated data from different locations as and when required.

Based on our findings in Brandcom Ltd's SaaS audit, we conclude that before moving to the proposed system the vendor's SAS 70 security audit report (or its current SSAE 16 / SOC equivalent) is to be reviewed to verify that it meets the requirements of the organisation, a proper review of internal and external environmental factors should be carried out, and all legal and compliance requirements are to be fulfilled.

Brandcom has some unique functionalities, so a properly customised ERP model is required to meet all requirements of the proposed system instead of the standard ERP package provided by the vendor.

The proposed system allows 9 regular and 1 lite user instead of the 40 existing users, which is not sufficient; at least 25 users should be provided so that data entry and availability are ensured as and when required.

The proposed system is cloud based, so dependency on bandwidth will be at its highest; proper arrangements are required so that no connectivity issues arise.
