Title: Audit Review of Vendor Proposal of Saas Services
A. Details of Case Study/Project (Problem)
Brand com has decided to move its key business application to cloud services to a renowned vendor considering the increased functionality and cost saving. However the Company has not done comprehensive study of the appropriateness of the proposed IT Services. The Company’s Internal audit department has reviewed the vendor proposal and has provided their findings and recommendations but these were ignored as IT Department which enjoys a good reputation has convinced CEO about the need to outsource considering the cost savings. The Matter was given to us for independent review of vendor proposal, we find following Key Issues relating to data, Security, Privacy and Potential Compliance issues noticed by us during our review are given below :
- A Process for review the third –party compliance requirements is non-existent, it is very serious for concern and without that proposal is not viable for Concern.
- On contacting Customers Vendor, They were informed to us when the Cloud Services were used, they have detected data leakage in critical information and unknown areas of data. Due to this severe issue. The impact to business reputation was severely damaged and had the potential to drive the company out of business, by losing future service contracts.
- The usage of the current enterprise environment and business processes, as well as the enterprises strategy and future objectives were not considered in selecting the cloud services.
- The external environment of the enterprise (Industry drivers, relevant regulations, basis for competition) have not been documented or considered in selecting cloud Services).
- Before finalising the service agreements with the service provider, the service catalogues and business process requirements and internal operational agreements were not considered.
- The company does not have policy for monitoring service levels, to report on achievements and identify trends. The SLA should provide the appropriate management information to aid performance management.
- Business case for cloud service was not prepared. There is no process to identify, Priorities, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.
B. Project Report (solution)
B. Our Firm K.V. and Associates is established in 1997 and working in the field of Taxation, Auditing and Consultancy on taxes matters and our firm having 10 qualified chartered accountants out of them 6 are FCA and DISA and CISA Qualified and rest 4 are ACA. We have 5 IT Expert in our firm who have well knowledge about Software Developments and Information Technology. Main object of our firm is Provide Services to Clients best for their business and we always try to give suggestion to our client after auditing and analyzing current business scenario and requirements/expectations from new proposal and future prospective of the enterprise.
Brandcom Ltd. Is Working in the field of Telecommunication Services like internet, Mobile and Other BPO Services in Mumbai. Currently 300 Employee are working in company out of which 40 employees (active users) are working in Accounts and 25 in Marketing Department at different locations. Company’s organizational structure is
All Departments work under CEO (Chief Executive Office) and he is directly accountable for Board of Directors of the Company and Responsible for all other department of Company,
CIO (Chief Information Officer) is making all Policies for Company Information Technologies related issues for purchase of software and information
CAO (Chief Accounts Officer) is Chartered Accountant of Company to hold all accounts related work of company,
CMO (Chief Marketing Officer) is responsible for marketing of company products,
HR Head is responsible for requirement of Employees of the Company and provide better environment to Employee for achieving company goals
CPO (Chief Service Officer) he is responsible for Purchase and giving services to customers.
Primary object of this audit was to express independent review by us on appropriateness of proposed IT services of renowned vendor. Since our Client Brandcom Ltd has decided to move its key business applications to cloud services to a renowned vendor considering the increased functionality and cost saving .company wants independent review by us on appropriateness of proposed IT services of renowned vendor.
We have conducted information system audit of Brand com LTD. Primary object of this audit is to have an independent review on proposed IT system to be implemented by company. Implementation of proposed system is the responsibility of company our responsibility is to report significant audit results and recommendations about proposed system.
Presently company is working in an application Taly ERP. All data are stored at head office server located at Andheri, all backup are taken and stored at head office. Present Tally ERP software fulfils all regulatory compliance like vat calculations, service tax calculations etc All data entry work is divided among all departments and a user ID and password is provided to each user and restricted access to information is provided to all employees on the basis of work assigned to them. But due to large area coverage and near future plans it is very difficult to store data at one place in present application system.
Company is well known for its services and in future expansion of its business activities in all other states will be planned which requires a a well managed ERP system to store data effectively and efficiently and instantly made available to all users at different locations in different states and advanced server and hardware facilities. Which will require heavy investments to implement big servers, wan network, hardware facilities and data security aspects.
Terms and Scope of assignment
We have been appointed as IS auditor to review the vendor proposal of cloud services considering the findings and recommendations of internal audit department and to provide our final recommendations on acceptance of the proposal and remedial measures to be taken to ensure successful outsourcing, if recommended. Our scope is to review key factors like
Availability of data
Compliance as applicable to company are to be met,
Cloud provider policies and procedures
Data protection leakage
Methodology and Strategy adapted for execution of assignment
Summary/Conclusion/ Executive summary
Considering future external and internal factors we recommend company should move to ERP system to have updated and integrated data from different locations as and when required.
Based on our findings in Brand com LTD’s SAAS audit we conclude before moving to proposed system for data security matter security audit report SAS-70 is to be reviewed to verify that it meets requirements of the organisation and a proper review internal and external environmental factors should be considered, all legal and compliance requirements are to be fulfilled.
Brand com has some of it unique functionalities so a proper customised ERP model is required to met all requirements from proposed system instead of standard ERP Package provided by vendor.
In proposed system 9 regular and 1 lite user is allowed instead of 40 existing users which is not sufficient it should be at least 25 users so as to make data entry and availability as and when required.
In proposed system which is cloud based so dependency on bandwidth will be at most, so proper arrangements are required to me met so that no connectivity issue arise.