ISA 3.0 Project Report

Evaluation Of Outsourcing It Operations

A. Details of Case Study/Project (Problem)

Delta Limited has been facing economic pressures due to the downturn which has resulted in reduction in turnover and profits. The management has decided to cut the IT outlays and is exploring outsourcing of IT operations using the cloud computing model. However, the CIO is concerned about key issues which need to be resolved while selecting the right vendor.


B. Project Report (solution)

1. Introduction

A. Understanding of Business:

The recession disrupted the entire economy and Delta Limited became a victim of this financial turmoil. The company's sales revenues and profits have gone into decline. In an effort to cut costs and improve business performance, the company has cut back on hiring new employees, stopped buying new equipment, suspended research and development and stopped developing new products. The smooth operations of the organisation have been greatly affected. While reviewing options for cost-cutting measures, senior management has decided to cut the IT outlays and outsource IT operations using the cloud computing model. Management has considered this on the grounds of cost savings, improvement of process performance, reduction of fixed costs, increased flexibility and the possibility to focus on core competencies and strategic business operations. However, the CIO is concerned about certain issues, not only in outsourcing the operations but also in selecting the right vendor. The company's internal audit department has reviewed several vendors' proposals and provided its findings and recommendations, but these were ignored because the IT department, which enjoys a good reputation, convinced the CIO of the need to outsource considering the cost savings. The matter was escalated to the audit committee, which decided to have an independent review by an IS Auditor.

B. Auditor Information:

AVP & Associates is a reputed Chartered Accountants Firm in India, actively engaged in a full service, multi-disciplinary practice under four core services verticals – Taxation, Regulatory, Transaction Advisory and Audit & Assurance. The Firm has immense experience rendering diverse professional services to an extensive base of national & international clients and is an established name in its field. Our endeavour is to provide qualitative, expert professional services rendered efficaciously, sagaciously and with keen attention to details to match clients’ requirements. We provide services pragmatically, innovatively along with due care & diligence. We have an extensive team of professionals with sound regulatory & professional knowledge and strong business acumen. Our resource pool consists of Chartered Accountants, MBA’s, Company Secretaries, Lawyers and Financial Management experts having in-depth experience in providing multi-disciplinary services in a wide range of areas including Valuations, Mergers & Acquisitions, Business set up and Corporate Finance.
Our commitment towards the Clients has encouraged us to obtain ISO 1994:2000 in the year 2000. The Firm has successfully upgraded the same to ISO 9001:2000 in the year 2005.

Partner’s Profile:

Mr. Ajay Jadeja – Managing Partner

Mr. Ajay Jadeja is the managing partner of AVP & Associates. He has more than 22 years of experience in advising companies on business, strategic and financial matters. He is a qualified information systems auditor with more than 10 years of experience in advising companies on IT strategies, implementation etc.

Mr. Varun Dhawan – Partner

Mr. Varun Dhawan is a fellow member of ICAI with more than 12 years of experience in bank audit, IT advisory, etc. He is tech savvy and has successfully carried out assignments in designing internal control systems and analysis.

Mr. Parthiv Patel – Partner

Mr. Parthiv Patel leads the consulting division at AVP & Associates. He works in the domains of financial valuation, due diligence, investment banking and strategic planning for banks. He undertakes financial valuation assignments on behalf of acquirers / investors or sellers / investees before any M&A / PE / foreign investment activity. He has worked with private equity funds and corporate clients in undertaking financial / tax / business due diligences on acquisition and investment opportunities, both inbound as well as outbound. He is also involved in strategic planning assignments for banks.

2. Auditee Environment:

Delta Limited, a well-known company in the online retail grocery market, has an office at Connaught Place, New Delhi, with an employee strength of more than 100 professionals, which includes IT, Accounts and Finance and Management people. The employees range from highly to averagely skilled, are IT trained and have an adequate financial and management background. Everyone knows their respective roles, responsibilities, rights and authority, as well as the risks and vulnerabilities of working in this segment.


3. Background and Situation-

Delta Limited has decided to move its key business application to the cloud services of a renowned vendor, considering the increased functionality and cost savings. Currently they are working on MARG Retail software for their existing line of business. The decision to move was taken because the IT department convinced the CEO of the company of the need to outsource, considering the cost savings, enhanced features and improved technology of cloud computing and the resulting increase in business productivity.
Accordingly they have decided to outsource IT operations to a cloud computing environment and to hire and use the services of a cloud service provider for this purpose. However, the company has not done a comprehensive study of the appropriateness of the proposed outsourcing arrangement.
The company's internal audit department has reviewed the proposal and provided its findings and recommendations. After the matter was escalated to the audit committee, the committee decided to get the proposal reviewed by an independent auditor.


4. Terms and scope of assignment:

Scope of work

a) Review of Current Business Processes, Technology and Personnel Utilisation
b) Business value assessment (Existing position Vs. Proposed Outsourcing Scenario)
c) Risk Assessment of IT Outsourcing, Recommendations to mitigate same
d) Selection of Services / Vendors based on Cost-benefit analysis and associated risk

Terms and condition

  1. Deliverables
    • Recommendations based on risk assessment of vendors of cloud computing.
    • Recommendations on controls to be implemented to mitigate risk of outsourcing.
    • Report to management with cost benefit analysis and risk mitigation strategy.
  2. Time Frame

The estimated time for completing the assignment is 2 weeks subject to availability of the logistics such as computers, visit to vendor site, printers, seating arrangement and all the necessary documents that are required from time to time to complete the audit.


5. Logistics arrangements required

To conduct the audit efficiently we would require the following infrastructure and documentation to complete the review within the time frame:
We would require access to the current software with read-only rights to check the current functionality of the application.
We would also like management to arrange a live demonstration by the selected cloud computing vendors in order to carry out a comparative analysis of functional aspects.

Further the following facilities will be required:-

  1. Findings of the internal audit department.
  2. Two consoles with read-only rights to the software.
  3. User manual for generating reports.
  4. Access to the printer.
  5. Adequate seating space for working and space for discussion among our team and with any of your staff if the need arises.
  6. We would require an employee of your organization to be a coordinator to liaise between the audit team and the organization.
  7. Draft copy of the proposal with vendor of Cloud Computing.
  8. Any other documents that may be found relevant during the course of the assignment.

6. Methodology and Strategy adopted for execution of assignment

  1. Ensuring contractual viability through continuous review, improvement and benefit gain to both parties.
  2. Management of the relationship to ensure that contractual obligations are met through service level agreements (SLAs), operating level agreements (OLAs), service credit regimes and gainshare.
  3. Identification and management of all stakeholders, their relationships and expectations.
  4. Establishment of clear roles and responsibilities for decision making, issue escalation, dispute management, demand management and service delivery.
  5. Allocation of resources, expenditure and service consumption in response to prioritised needs.
  6. Continuous evaluation of performance, cost, user satisfaction and effectiveness.
  7. Ongoing communication across all stakeholders.
  8. Reference to COBIT components, which include:
    a) Framework: Organises IT governance objectives and good practices by IT domains and processes and links them to business requirements.
    b) Process descriptions: A reference process model and common language for everyone in an organisation. The processes map to the responsibility areas of plan, build, run and monitor.
    c) Control objectives: Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.
    d) Management guidelines: Help assign responsibility, agree on objectives, measure performance and illustrate interrelationships with other processes.
    e) Maturity models: Assess maturity and capability per process and help to address gaps.

COBIT for Enterprises with a Primary Interest in Cloud Computing


Based on the following parameters, the company has selected the Software-as-a-Service (SaaS) cloud computing model as appropriate for its business.

Intuitive User Experience – Mature SaaS / PaaS vendors provide templates, tools, widgets and several advanced features to create a rich and interactive user experience and also handle customer support operations.

Integration with disparate internal / external systems – Access to applications with advanced capabilities and the latest business and technology trends. Provides anytime, anywhere access that can be consumed through multi-device clients, which helps in implementing multi-channel support.

Performance, Scalability and Availability – Cloud service providers working under a strict SLA ensure the agreed level of performance. On-demand scalability / elasticity supports a large number of customers, especially during holidays/events. Cloud service providers working under a strict SLA ensure the agreed level of availability.

IT Support and Dependency – Frees up organisational resources to focus on the core business. Low skill requirements for customisation of the site.

Security and Compliance – Cloud service providers working under a strict SLA ensure the agreed level of security.

Total Cost of Ownership (TCO) – No IT infrastructure and no upfront CAPEX for network, servers, database, storage and backup.


7. Documents reviewed

The following documents have been verified by us:

  • Functional Gap analysis, (Point Scoring Analysis)
  • Public Evaluation report
  • Proof of Concept (Benchmarking Solutions)
  • Acceptability by end users
  • Service level agreements (SLAs), Operating level agreements (OLAs)
  • Copies of Documents like licenses, sample batch report, liability insurance etc.
  • Accreditation status, if applicable
  • QA documentation received from site

8. References

  • Information systems audit 2.0 modules
  • Delta Limited organisation structure
  • BCP plan
  • Information security policy of the company
  • User manual of the software
  • Exception reports generated
  • Access control manual
  • Vendor proposal
  • Internal audit findings
  • www.isaca.org
  • cit.icai.org
  • Various personnel of vendor and the Organisation

9. Deliverables

To,
The Directors,
Delta Limited,
New Delhi.

Please find herewith our report on vendor proposal for Outsourcing of IT Operations.

Objective of the assignment

The main objective is to provide the management with an independent review of the vendor proposals.

Audit environment

The review was conducted at the head office of the organisation and the vendor situated at New Delhi.

Observations:-

Some of the major observations noticed in the proposal are as below:

  1. A process for reviewing the third-party compliance requirements is non-existent, and the decision has been imposed by IT.
  2. On contacting customers of the vendor, we were informed that when the cloud services were used, they detected data leakage in critical information and unknown areas of data. Due to this severe issue, the business reputation was severely damaged, and it had the potential to drive the company out of business by losing future service contracts.
  3. The usage of the current enterprise environment and business processes, as well as the enterprise strategy and future objectives, were not considered in selecting the cloud services.
  4. The external environment of the enterprise (industry drivers, relevant regulations, basis for competition) has not been documented or considered in selecting cloud services.
  5. Before finalising the service agreements with the service provider, the service catalogues, business process requirements and internal operational agreements were not considered.
  6. The company does not have a policy for monitoring service levels, to report on achievements and identify trends. The SLA should provide the appropriate management information to aid performance management.
  7. A business case for the cloud service was not prepared. There is no process to identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution.

Further we would inform you that the above mentioned observations are over and above the findings of the internal audit department.


10. Format of Report/Findings and Recommendations

1 Observations :
A process for reviewing the third-party compliance requirements is non-existent, and the decision has been imposed by IT.
Risk :
Compliance risk
Recommendations :
Clause should be incorporated in the agreement so as to avoid compliance and regulatory risks
2 Observations :
On contacting customers of the vendor, we were informed that when the cloud services were used, they detected data leakage in critical information and unknown areas of data. Due to this severe issue, the business reputation was severely damaged, and it had the potential to drive the company out of business by losing future service contracts.
Risk :
Reputation risk
Recommendations :
Leakage of customer data can put the reputation of the organisation at stake and may create fear among existing customers about the safety of their data. The company should therefore look into the matter seriously and get it resolved before the outsourcing is done.
3 Observations :
The usage of the current enterprise environment and business processes, as well as the enterprise strategy and future objectives were not considered in selecting the cloud services
Risk :
Operation risk
Recommendations :
Suitable clause to be incorporated in the agreement
4 Observations :
The external environment of the enterprise (industry drivers, relevant regulations, basis for competition) has not been documented or considered in selecting cloud services.
Risk :
Operation risk, Market risk
Recommendations :
Suitable clause to be incorporated in the agreement
5 Observations :
Before finalising the service agreements with the service provider, the service catalogues and business process requirements and internal operational agreements were not considered.
Risk :
Operation risk
Recommendations :
Suitable clause to be incorporated in the agreement
6 Observations :
The company does not have a policy for monitoring service levels, to report on achievements and identify trends. The SLA should provide the appropriate management information to aid performance management.
Risk :
Operation risk may lead to reputation risk
Recommendations :
Suitable clause to be incorporated in the agreement
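As an added illustration of the service-level monitoring this observation calls for (example code written for this page, not part of the report or of any vendor's proposal), the following Python script computes monthly achieved availability from a constructed incident log, compares it with an assumed 99.9% availability target, applies an assumed service-credit schedule and flags a declining trend across consecutive months. The target, the credit bands and the incident records are all constructed assumptions:

```python
"""Monitoring an availability SLA and its service-credit regime.

Added illustration (not from the Delta Limited report or any vendor
proposal). The SLA target, the credit schedule and the incident records
are all constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime

# Assumed SLA terms (constructed, not taken from any real agreement).
SLA_AVAILABILITY_TARGET = 99.9       # percent of minutes per calendar month
MINUTES_PER_MONTH = 30 * 24 * 60     # 43,200; a fixed 30-day month keeps the arithmetic simple

# Assumed service-credit regime: (minimum achieved availability %, credit as % of monthly fee).
# Checked top-down, so the first band the achieved figure meets applies.
SERVICE_CREDIT_SCHEDULE = [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)]


@dataclass
class Incident:
    month: str      # calendar month the outage is charged to, "YYYY-MM"
    started: str    # ISO 8601 timestamps, as a provider's incident log would record them
    ended: str
    severity: str   # only "outage" counts against availability under the assumed SLA


# Constructed incident log covering three months.
INCIDENTS = [
    Incident("2024-01", "2024-01-10T02:00:00", "2024-01-10T02:20:00", "outage"),
    Incident("2024-02", "2024-02-14T11:00:00", "2024-02-14T11:30:00", "outage"),
    Incident("2024-03", "2024-03-05T09:00:00", "2024-03-05T11:00:00", "outage"),
    Incident("2024-03", "2024-03-20T08:00:00", "2024-03-20T14:00:00", "degraded"),
]


def downtime_minutes(incidents, month):
    """Total outage minutes charged to a month. 'degraded' incidents are
    excluded: whether slowness counts as downtime is itself an SLA term
    that the agreement must define, otherwise the figures are not comparable."""
    total = 0.0
    for inc in incidents:
        if inc.month != month or inc.severity != "outage":
            continue
        delta = datetime.fromisoformat(inc.ended) - datetime.fromisoformat(inc.started)
        total += delta.total_seconds() / 60
    return total


def availability(incidents, month):
    """Achieved availability for the month, in percent, rounded to 3 places."""
    down = downtime_minutes(incidents, month)
    return round(100 * (MINUTES_PER_MONTH - down) / MINUTES_PER_MONTH, 3)


def service_credit(avail_pct):
    """Credit (% of the monthly fee) owed under the assumed schedule."""
    for lower_bound, credit in SERVICE_CREDIT_SCHEDULE:
        if avail_pct >= lower_bound:
            return credit
    return SERVICE_CREDIT_SCHEDULE[-1][1]


def monthly_report(incidents, months):
    """One row per month: downtime, achieved availability, breach flag and credit due."""
    rows = []
    for month in months:
        a = availability(incidents, month)
        rows.append({
            "month": month,
            "downtime_min": downtime_minutes(incidents, month),
            "availability": a,
            "breach": a < SLA_AVAILABILITY_TARGET,
            "credit_pct": service_credit(a),
        })
    return rows


def declining_trend(rows, window=3):
    """True when availability fell in each of the last `window` months, i.e. the
    trend that SLA reporting is meant to surface before a breach occurs."""
    vals = [r["availability"] for r in rows[-window:]]
    return len(vals) == window and all(vals[i] > vals[i + 1] for i in range(window - 1))


if __name__ == "__main__":
    report = monthly_report(INCIDENTS, ["2024-01", "2024-02", "2024-03"])
    for r in report:
        flag = "BREACH" if r["breach"] else "ok"
        print(f"{r['month']}  down={r['downtime_min']:>6.0f} min  "
              f"avail={r['availability']:.3f}%  {flag}  credit={r['credit_pct']}%")
    if declining_trend(report):
        print("Trend: availability has declined for three consecutive months")
```

Running the script shows January and February within target, March breaching it (120 outage minutes, 99.722%) with a 10% credit due, and a three-month downward trend that the first two months alone would not have flagged. The six-hour "degraded" incident in March is deliberately excluded, which is the point to take to the agreement: the measurement window, what counts as downtime and who supplies the incident data all have to be written into the SLA before any monitoring figure can be relied on.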
7 Observations :
Business case for cloud service was not prepared. There is no process to identify, prioritise, specify and agree on business information, functional, technical and control requirements covering the scope/understanding of all initiatives required to achieve the expected outcomes of the proposed IT-enabled business solution
Risk :
This could result in extra outgo of money, leading to financial loss.
Recommendations :
Cost benefit analysis should be done.
8 Observations :
Brochure of Cloud service vendor states: “Clients need to be clear on what they want. They should know whether they simply want to enhance their current systems or move to a new system. They should know how much of re-architecting would be required, the legal and compliance issues involved and whether the cloud would affect their audits”. The proposal does not provide these details. An impact assessment study of proposed solution on Delta Limited has to be done to ensure that the proposed solution provides the required business advantages which is sought to be achieved.
Risk :
Operational risk
Recommendations :
Suitable clause to be incorporated in the agreement
9 Observations :
The proposal provides an implementation plan and suggested training requirements. The number of users who need access, their current skill levels and how those skills are to be enhanced have to be assessed so that they can use the proposed solution. The training requirements have to be assessed in detail to confirm whether they meet the requirements.
Risk :
Operational risk
Recommendations :
Suitable clause to be incorporated in the agreement
10 Observations :
The data migration from existing software to proposed solution is a major challenge in any cloud software implementation. The proposal is silent on what the current platform is and how the data migration is expected to be. This has to be correctly assessed as it will impact the success of the proposed solution.
Risk :
Operational risk
Recommendations :
Suitable clause to be incorporated in the agreement
11 Observations :
Cost benefit analysis of the proposed solution and the specific benefits to Delta Limited are not clearly highlighted in the proposal. The management has to be aware of the benefits and have to obtain independent confirmation about the envisaged benefits
Risk :
Financial risk
Recommendations :
Suitable clause to be incorporated in the agreement
12 Observations :
References of solutions implemented for enterprises with business of similar nature as Delta Limited may be obtained to validate and confirm that the solution meets the requirements. As migration to a new solution increases the dependency on new vendor, it is important to be assured about adequacy and appropriateness of the solution.
Risk :
Operational risk
Recommendations :
Suitable clause to be incorporated in the agreement

11. Summary/Conclusion

The review noted the terms of the proposal and internal audit findings. Clauses as recommended above should be incorporated in the agreement.
However, given the scope of the assignment, if the proposed agreement is not modified as per the recommendations mentioned above, the gaps may present a high risk to the management.
The auditors would like to thank management and staff for the cooperation and timely assistance provided to the audit team throughout this engagement.
