Audit of Outsourced Software Development

The document outlines the scope and objectives of an audit of software development that was outsourced by AMG Software to DLF Software in India. The objectives are to [1] provide assurance that AMG's intellectual property is secure from unauthorized access or use, [2] review processes in place to prevent damage or misuse of AMG assets, and [3] validate that AMG facilities are only being used by authorized personnel. AAA, a CA firm, has been appointed to conduct the audit and provide a report on controls and recommendations to ensure protection of AMG's intellectual property.

Uploaded by Rajat Goel

Table of Contents

Details of Project (Case Study/Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report and Recommendations
12. Conclusion

PROJECT REPORT
Audit of Outsourced Software Development

A. Details of Project (Case Study/Problem)

AMG Software (AMG) is the world's leading provider of management
solutions that ensure the availability, performance, and recovery of
business-critical applications.

DLF Software (DLF), based at Bangalore, India, with offices in the USA,
Europe, South East Asia and Japan, is focused on providing Offshore
Development Services (ODS) to global clients.

AMG has outsourced software development through Offshore Development
Services (ODS) mode to DLF.

AMG communicated to AAA, a CA firm, the need for IS Assurance services for
conducting an IS audit with the objective of providing assurance on
protection of intellectual property (security audit), and AMG has appointed
AAA to provide these assurance services.

The primary objectives for the work assigned to AAA are as follows:

• Provide assurance to AMG that the intellectual property of AMG including assets
and access to such assets (hardware, software, manuals, media, etc.) used at
the AMG labs at DLF in Bangalore are adequately secured (physically and
logically) from unauthorised and inappropriate use through adequate and
appropriate physical, environmental and logical access controls;
• Review the process and methods in place at AMG labs at DLF so as to provide
assurance to AMG that there are adequate and appropriate safeguards and
procedures that prevent unauthorized access, mishandling and damage to any of
the assets of AMG at AMG labs at DLF;
• Review whether all the facilities provided by AMG are being used for the
purposes of AMG's operations by personnel authorised or assigned for AMG's
operations only at DLF;
• Validate the process and methods at AMG labs at DLF against available norms
and standards of AMG wherever available.

We, AAA, the CA firm, are hereby appointed to:

• Provide an IS Audit report to the management of AMG with reasonable
assurance that identified controls, as relevant, are in place at the AMG
Labs at DLF;

• Provide a detailed report covering findings for each of the significant
control weaknesses and advise the management of AMG on corrective actions
to be initiated. Include management comments from DLF on the audit findings
and recommendations, with an agreed action plan.

B. Project Report (Solution)

1. Introduction

AMG Software is the world's leading provider of Management Solutions. It
ensures the availability, performance and recovery of business-critical
applications to its customers.

AMG Software is among the world's largest independent software vendors, a
Forbes 500 company and a member of the S&P 500, with revenues of $2.3
billion in the last 12 months. It is headquartered in Houston, Texas with
offices worldwide.

AMG has outsourced software development through ODS mode to DLF
(provider of Offshore Development Services) in Bangalore.

Abraham and Associates (AAA) is a practicing CA firm based at Bangalore
that offers IS Assurance services with a team of DISAs and IT security
professionals. AMG communicated to AAA the need for IS Assurance services
for conducting an IS audit with the objective of providing assurance on
protection of intellectual property (security audit). Based on the
detailed discussions between Mr. Ben Crocker of AAA and Mr. Bentley,
Manager, OEM of AMG, after a visit to the AMG Labs at DLF, the primary
objectives of the Security Audit assignment were finalized.

2. Auditee Environment

AMG Software (AMG) has outsourced software development through ODS
mode to DLF. AMG has supplied IT infrastructure for these services and has
also recruited required personnel who work at DLF for the software projects of
AMG. AMG wanted an independent assurance on the security and usage of
the technology as well as on the protection of the IPR of AMG.

AMG is the world's leading provider of management solutions that ensure the
availability, performance, and recovery of business-critical applications. AMG
calls this application service assurance and it means that the applications its
customers rely on most stay up and running, around the clock. For more than
20 years, the largest and most successful companies have relied on AMG
Software. AMG Software is among the world's largest independent software
vendors, a Forbes 500 company and a member of the S&P 500, with
revenues of $2.3 billion in the last 12 months.

DLF Software (DLF) is the auditee company to which AMG has outsourced
its software development. AMG labs have been set up there, in which all the
facilities provided by AMG are being used for the purposes of AMG's
operations by personnel authorized or assigned for AMG's operations only, at
the work site allocated by DLF.

DLF is focused on providing Offshore Development Services (ODS) to global
clients, which include 25 of the Fortune 500 corporations of the world. With a
penchant for working closely with clients and organizing work according to the
client's needs, DLF believes in working with the customer as its Partner in
Progress and participating in mutual growth both quantitatively and
qualitatively. From its inception, DLF has been one of the fastest growing
major software companies in India and is rated amongst the top 10 software
export houses in India. DLF is headquartered in Bangalore and is represented
through offices in the USA, Europe, South East Asia and Japan.

3. Background

AMG has outsourced software development through ODS mode to DLF. AMG
has supplied IT infrastructure for these services and has also recruited
required personnel who work at DLF for the software projects of AMG. AMG
wanted an independent assurance on the security and usage of the
technology as also protection of the IPR of AMG.

Leading to the proposal, Mr. Bentley, Manager, OEM of AMG, appointed
Abraham and Associates (AAA), a practicing CA firm based at Bangalore that
offers IS Assurance services with a team of DISAs and IT security
professionals, and finalized the scope, objectives, fees and deliverables
for the project of providing assurance that AMG's intellectual property is
adequately safeguarded and secured at AMG Labs at DLF, Bangalore.

4. Situation

The need of AMG was understood to be the requirement of an assurance that
the intellectual property including assets and access to such assets
(hardware, software, manuals, media, etc.) of AMG used at the AMG labs at
DLF in Bangalore are adequately secured (physically and logically) from
unauthorized and inappropriate use through adequate and appropriate
physical, environmental and logical access controls.

Hence, an independent review was to be conducted on the process and
methods in place at AMG labs at DLF so as to provide assurance that there
are adequate and appropriate safeguards and procedures that prevent
unauthorized access, mishandling and damage to any of the assets of AMG at
AMG labs at DLF and all the facilities provided by AMG are being used for the
purposes of AMG's operations by personnel authorized or assigned for AMG's
operations only at DLF allocated work site.

5. Scope of assignment

Based on the detailed discussions with Mr. Ben Crocker and visit to the AMG
Labs at DLF, the primary objectives of the assignment of Intellectual Property
Security Audit are finalized as follows:

• To provide assurance to AMG that the intellectual property of AMG including
assets and access to such assets (hardware, software, manuals, media, etc.)
used at the AMG labs at DLF in Bangalore are adequately secured (physically
and logically) from unauthorized and inappropriate use through adequate and
appropriate physical, environmental and logical access controls;

• To review the process and methods in place at AMG labs at DLF so as to
provide assurance to AMG that there are adequate and appropriate
safeguards and procedures that prevent unauthorized access, mishandling
and damage to any of the assets of AMG at AMG labs at DLF;

• To review whether all the facilities provided by AMG are being used for the
purposes of AMG's operations by personnel authorized or assigned for AMG's
operations only at DLF;

• To validate the process and methods at AMG labs at DLF against
available norms and standards of AMG wherever available.

6. Logistic arrangements required

We require an attendant available at all times to assist us and to provide
information, as and when needed, about the systems and policies adopted by
the company. We need the Service Level Agreement with DLF and the
information security policies of the company. We also need a high-speed
internet facility and other IT-related support.

7. Methodology and Strategy

Control over the process of managing third-party services that satisfy the
business requirement to ensure that roles and responsibilities of third parties
are clearly defined, adhered to and continue to satisfy requirements is enabled
by control measures aimed at the review and monitoring of existing contracts
and procedures for their effectiveness and compliance with organization
policy.

Functional Objectives

Data integrity, availability and confidentiality in accordance with business
needs are determined by senior management via policy and are maintained and
contractually supported in any outsource arrangement.

Asset protection requirements are clearly defined and understood by the
principals in any outsource agreement. Data and information custodial
responsibilities are well defined and complied with.

Service levels are acceptable. (When considering outsourcing, COBIT's
process DS1, Define and Manage Service Levels, is important.) Therefore,
reference and content should be included in the Internal Control
Questionnaire.

Step One : Risk Assessment

It may seem obvious, but as part of a risk assessment organizations
need to create an inventory of their applications that are being developed or
maintained by an outsourcing provider. With the advent of low cost offshore
development, it is common to see application "sprawl" as individual groups or
business units may have contracted work that previously would have required
higher capital costs and formal approvals. Thereafter organizations need to
understand the risk that each application poses to the business. This can be
achieved through the assignment of an assurance level for each application
based on business risk factors such as: reputation damage, financial loss,
operational risk, sensitive information disclosure, personal safety, and legal
violations. Assurance levels are used to determine the extent of testing
methods (e.g. higher assurance levels may be tested using multiple
techniques) and the overall acceptance criteria (e.g. a lower assurance level
application may be accepted with a lower security score as it does not pose
a significant risk to the business). The following chart from NIST provides
guidance on selecting an assurance level based on business risk:

Step Two: Embed Security Metrics and SLAs into Outsourcing Contracts

Outsourced software development contracts typically emphasize features,
quality, time and costs. Thus, the burden and risks of application security
have fallen solely on the enterprise. Organizations need to establish clear
metrics and SLAs surrounding application security with their outsourcing
partners as part of the procurement and contract processes. This benefits
both the enterprise and the offshore provider by explicitly defining the goals
and objectives around software security so both parties know what is expected.
Security metrics and SLAs should be separated from functional or operational
testing requirements and need to address the following areas:

o Security Testing Methods (i.e. static, dynamic, manual, etc.)
o Security Providers and/or Tools (i.e. who will conduct testing, or
what products will be used)
o Security Score – What scoring method will be used and what score
will be deemed acceptable
o Vulnerabilities – What types of vulnerabilities need to be included in the
assessment (i.e. OWASP Top 10, PCI 6.5, etc.)

Veracode has created a "Recommended Outsourced Software Development
Security Contract Language" which organizations can use as part of their
development contracts, and it is available as Annex A of this document.

Step Three: Conduct Independent Application Security Testing

Application security testing is mandatory for all outsourced development and
maintenance. However, until now, true testing of outsourced software has
been difficult due to the high cost and effort required to conduct manual code
reviews and the difficulty in obtaining access to source code. Because of
these issues, more than half of companies that outsource application
development conduct no testing at all, and those that do test for security are
only able to address a small sub-segment of their highest risk applications [10].
Given the current threat landscape, it is imperative that organizations test all
of their outsourced applications, ideally using a third party to obtain
Independent Verification and Validation (IV&V). New technologies and testing
methodologies, e.g. automated security testing services offered by companies
such as Veracode, now enable organizations to independently test all of their
outsourced applications before they are accepted and deployed by the
enterprise.

Step Four: Set Acceptance Thresholds

Enterprises can leverage software security ratings to decide which
applications are secure enough to be accepted or deployed and which
applications need remediation by the outsourcing provider before software
acceptance.

To demonstrate setting acceptance thresholds, we will use Veracode's
Security Review service as an example. Using application testing with various
testing techniques, combined with a scoring system based on the Common
Vulnerability Scoring System (CVSS) and the Common Weakness
Enumeration (CWE) standards, a Security Quality Score (SQS) is derived for
each application.

The assurance level the enterprise selected in Step 1 (above) is then applied
to incorporate business risk and the output is normalized to an easy to
understand letter grade (A, B, C, etc.). Thus, enterprises can set an
acceptable grade, "A" for example, and outsourcing providers know they must
achieve that grade for the application to be accepted.

Setting thresholds and using standards-based scoring removes the subjectivity
and "gray area" on what constitutes acceptance and clarifies the process for
both the enterprise and provider. Below is a chart that demonstrates how
organizations can use assurance levels, quality scores and testing methods to
achieve an overall rating:

Step Five: Outsource Applications to Providers with Security Certifications

Application security expertise should become a key element in the evaluation
of outsourced application partners. As part of their selection process,
enterprises should ensure that they work only with partners that implement
security into all phases of development. Enterprises should look for
certifications such as:

• ISO 27001
• System Security Engineering-Capability Maturity Model (SSE-CMM)
• CMM/Capability Maturity Model Integration (CMMI)

While the above high-level quality and development programs are a good
indicator of supplier trustworthiness, they do not guarantee application security
expertise and do not replace independent security testing. Organizations
should also look for application security specific testing and certifications that
have been formally validated by an independent quality seal of approval such
as Veracode's "Verified by Veracode" assurance program.

Summary of Steps:

Security

• Review outsourcer's contingency plans and back-up procedures for adequacy
• Review outsourcer's access control practices as they relate to our
information assets
• Review termination procedures for vendors, contractors and subcontractors.
Determine that access is cut off when appropriate
• Review access control processes for applicable:
- Operating System
- Application System(s)
- Networks
- Remote Access
• Review assignment of technology inventory to contractors at the outsourcer
location(s)
• Review physical security controls including access issuance, administration
and maintenance.

Administrative

• Review billings, payables and disbursements for accuracy and compare to
budget noting significant variances
• Review internal procedures to monitor outsourcer's performance
• Review outsourcer's purchase options

Prior Audit/Examination Report Follow Up

• Review prior report and verify completion of any agreed-upon corrections.
Note remaining deficiencies
• Perform benchmarking of third party services.

Preliminary Audit Steps

• Review outsourcing policies and contract requirements
• Obtain a list of all current third party contracts and compare to vendor list.
• Determine scope of our review and select contract(s) for testing.
• Review organization-wide procedures relating to purchased services and
third party vendor relationships.

Detailed Audit Steps

Management and Planning for each contract selected.

• Review contract content for all requirements (see Internal Control
Questionnaire ICQ)
• Review transition plans for completeness and involvement from all affected
areas.
• Assure that a baseline analysis was performed to support the need for
outsourcing.
• Review organizational and vendor constraints
• Review any risk assessment methodology used in deciding to outsource
• Review the vendor selection process
• Review project plans for completeness against existing project
management standards
• Review costing and payment processes

8. Documents reviewed

a. Information security policy,
b. Organization structure of AMG Software
c. Vendor contract of DLF and
d. Service Level Agreement with DLF

9. References

IS Audit standards provide audit professionals a clear idea of the minimum
level of acceptable performance essential to discharge their responsibilities
effectively. Therefore, while performing the assignment, we have referred to
some specific standards. The chart of specific standards and other references
used in performing the assignment is as follows:

ISO 27001 – (BS 7799: PART II) – INFORMATION SECURITY MANAGEMENT
STANDARD (ISMS):
To address assets to be protected, organization approach to risk
management, control objectives and control, and degree of assurance required.

AREAS OF FOCUS OF ISMS:
• Security Policy
• Organizational Security
• Asset Classification and Control
• Personnel Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Systems Development and Maintenance
• Business Continuity Management
• Compliance

CMM – CAPABILITY MATURITY MODEL:
The CMM presents sets of recommended practices in a number of key process
areas that have been shown to enhance software process capability. The CMM
was designed to guide software organizations in selecting process
improvement strategies by determining current process maturity and
identifying the few issues most critical to software quality and process
improvement.

THE FIVE LEVELS OF SOFTWARE PROCESS MATURITY:
• Level 1 – The Initial Level
• Level 2 – The Repeatable
• Level 3 – The Defined Level
• Level 4 – The Managed Level
• Level 5 – The Optimizing Level

CONTROL OBJECTIVES FOR INFORMATION RELATED TECHNOLOGY (COBIT):
The ISACA developed COBIT. COBIT is a trademark of generally applicable
information systems security and control practices for IT controls. COBIT,
which consolidates standards from 36 different sources into a single
framework, is having a big impact on the information systems profession.

The COBIT framework allows:
• Management to benchmark the security and control practices of IT
environments.
• Auditors to substantiate their opinions on internal control and to advise
on IT security and control matters.

IT RESOURCES:
• Data
• Technology
• People
• Application systems

IT PROCESSES/THE COBIT:
• Monitoring
• Delivery and Support
• Acquisition and Implementation
• Planning and Organization

COBIT AND OTHER STANDARDS:
• COBIT and ISO 17799 (BS 7799)
• COBIT and Sarbanes Oxley
• COSO and COBIT

COCO:
The "Guidance on Control" report, known colloquially as CoCo, was produced by
The Canadian Institute of Chartered Accountants. CoCo does not cover any
aspect of information assurance per se. It is concerned with control in
general. CoCo can be said to be a concise superset of COSO.

It uses the same three categories of objectives:
• Compliance with applicable laws and regulations
• Effectiveness of operations
• Efficiency of operations
• Reliability of financial reporting

Concepts about "control":
• Control is affected by people throughout the organization.
• People who are accountable for achieving objectives should also be
accountable for the effectiveness of control.
• Organizations are constantly interacting and adapting.
• Control can be expected to provide only reasonable assurance and not
absolute assurance.

ITIL (IT INFRASTRUCTURE LIBRARY):
The IT Infrastructure Library (ITIL) is so named as it originated as a
collection of books (standards) each covering a specific "practice" within IT
management.

EIGHT BOOKS:
The IT Service Management sets relating to:
• Service Delivery
• Service Support
Other operational guidance relating to:
• ICT Infrastructure Management
• Security Management
• The Business Perspective
• Application Management
• Software Asset Management
• Planning to Implement Service Management

SYSTRUST AND WEBTRUST:
SysTrust engagements are designed for the provision of advisory services or
assurance on the reliability of a system. WebTrust engagements relate to
assurance or advisory services on an organisation's system related to
e-commerce.

Principles and Criteria:
• Security
• Availability
• Processing integrity
• Confidentiality
• Online privacy

Broad Areas:
Communicates procedures and also monitors it.
• Policies
• Communications
• Procedures
• Monitoring

HIPAA:
The Health Insurance Portability and Accountability Act was enacted by the
U.S. Congress for protection of health insurance coverage for workers and
their families when they change or lose their jobs.

SAS 70 – STATEMENT OF AUDITING:
A service auditor's examination is widely recognized, because it represents
that a service organization has been through an in-depth audit of their
control activities, which generally include controls over information
technology.

SERVICE AUDITOR'S REPORTS:
• Type I report
• Type II report

We have referred to the following SAs issued by ICAI in conducting the audit:

Number of the Standard   Title of the Standard
SA 200                   Basic principles governing an Audit
SA 200A                  Objectives and scope of the Audit of financial statements
SA 210                   Term of audit engagement
SA 220                   Quality control for Audit work
SA 230                   Documentation
SA 240                   The Auditor's responsibility to consider fraud and error in an Audit of financial statement
SA 260                   Communication of Audit matters with those charged with governance
SA 300                   Audit planning
SA 310                   Knowledge of the business
SA 320                   Audit materiality
SA 400                   Risk assessment and Internal control
SA 401                   Audit in a computer information systems environment
SA 402                   Audit considerations relating to entities using service organizations
SA 500                   Audit Evidence
SA 580                   Representations by Management
SA 600                   Using the work of an Expert
SA 700                   The Auditor's report on financial statements

We referred to the following sites for our assistance:

www.icai.org;
www.cit.icai.org;
www.isaca.in;
www.caclubindia.in

10. Deliverables

Findings
• While conducting our audit we observed that AMG Software does not have
any security policy regarding authorized use of the infrastructure and
manpower skills provided by AMG Software that would ensure that its
facilities are not used for other assignments by DLF in AMG Labs.
• The door for the first floor lab does not automatically lock itself
after it has been opened. If a user is not careful in ensuring the
door is locked after he/she enters or leaves the lab there could be
opportunities for unauthorised users to enter the lab without using
the keypad device.
• No individual logins have been created since all the users have
to work on a common project.
• There are no back-up systems available for the systems supplied
by AMG.
• The documented generic disaster recovery plan is the same one that is
applicable to DLF as a whole and is not customised to AMG labs. There is no
disaster recovery plan for the systems that are supplied by AMG and
the communication capabilities of the labs.
• Alternative processing capabilities for the systems supplied by AMG
are not identified.
• No annual maintenance contracts exist for AMG supplied
machines.

Recommendations
• AMG Software should draft a security policy for authorised access to
resources.
• A door that does not lock automatically leads to piggybacking. The door
must lock automatically within a fraction of a second after a person enters.
• Each and every person shall have a separate login (user name and
password) and all shall have access on the basis of "Need to do,
Need to know"; otherwise the company is exposed to the threat of
disgruntled employees.
• There must be backup systems available at DLF which shall be
compatible with the existing applications.
• The Disaster Recovery Plan should be separate for AMG Software as
per the system requirement.
• Alternate processing capabilities should also be provided by the
AMG Management.
• There must be an AMC contract with the third party vendors to ensure
smooth functioning.

11. Format of Report and Recommendations:

To
The Board of Directors
AMG Software
Houston, Texas
USA

We have audited AMG Software's internal controls in relation to outsourcing
the software development in order to express an opinion about whether the
intellectual property of AMG, including assets and access to such assets
(hardware, software, manuals, media, etc.) used at the AMG labs at DLF in
Bangalore, is adequately secured (physically and logically) from unauthorized
and inappropriate use through adequate and appropriate physical,
environmental and logical access controls; about the process and methods in
place at AMG labs at DLF, so as to provide assurance to AMG that there are
adequate and appropriate safeguards and procedures that prevent unauthorized
access, mishandling and damage to any of the assets of AMG at AMG labs at
DLF; about whether all the facilities provided by AMG are being used for the
purposes of AMG's operations by personnel authorized or assigned for AMG's
operations only at DLF; and about the process and methods at AMG labs at DLF
against available norms and standards of AMG wherever available.

Our audit has been conducted in accordance with AUS 404 "Audit Implications
Relating to Entities Using Service Entities" and other Australian Auditing
Standards applicable to performance audits and accordingly included such
tests and procedures as we considered necessary in the circumstances.
These procedures have been undertaken to form an opinion whether in all
material respects, the internal controls in relation to [subject matter] were
adequately designed and operated effectively based on the criteria referred to
above.

Inherent Limitations

Because of inherent limitations in any internal control structure, fraud, error, or
non-compliance with laws and regulations may occur and not be detected.
Also, projections of any evaluation of the internal controls to future periods are
subject to the risk that the internal control may become inadequate because of
changes in conditions, or that the degree of compliance with the control
procedures may deteriorate.

The audit opinion expressed in this report has been formed on the above
basis.

Findings
• While conducting our audit we observed that AMG Software does not have
any security policy regarding authorized use of the infrastructure and
manpower skills provided by AMG Software that would ensure that its
facilities are not used for other assignments by DLF in AMG Labs.
• The door for the first floor lab does not automatically lock itself after
it has been opened. If a user is not careful in ensuring the door is
locked after he/she enters or leaves the lab there could be
opportunities for unauthorised users to enter the lab without using
the keypad device.
• No individual logins have been created since all the users have to
work on a common project.
• There are no back-up systems available for the systems supplied by
AMG.
• The documented generic disaster recovery plan is the same one that is
applicable to DLF as a whole and is not customised to AMG labs. There is no
disaster recovery plan for the systems that are supplied by AMG and the
communication capabilities of the labs.
• Alternative processing capabilities for the systems supplied by AMG are
not identified.
• No annual maintenance contracts exist for AMG supplied machines.

Recommendations
• AMG Software should draft a security policy for authorised access to
resources.
• A door that does not lock automatically leads to piggybacking. The door
must lock automatically within a fraction of a second after a person enters.
• Each and every person shall have a separate login (user name and
password) and all shall have access on the basis of "Need to do,
Need to know"; otherwise the company is exposed to the threat of
disgruntled employees.
• There must be backup systems available at DLF which shall be
compatible with the existing applications.
• The Disaster Recovery Plan should be separate for AMG Software as
per the system requirement.
• Alternate processing capabilities should also be provided by the
AMG Management.
• There must be an AMC contract with the third party vendors to ensure
smooth functioning.

Audit Opinion

In our opinion, AMG Software, the outsourcing entity, maintained in all
material respects the control procedures included in the accompanying
description, which were suitably designed to provide reasonable, but not
absolute, assurance that the internal control objectives were achieved and
the control procedures operated, subject to the abovementioned findings.

For AAA & Co.
Chartered Accountants

Dated: 14.01.2019
Place: CHANDIGARH
CA Ben Crocker
M. No. 000000
Partner
