Technical Guide

on
IT Migration Audit

Committee on Information Technology

The Institute of Chartered Accountants of India
(Setup by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India

All rights reserved. No part of this publication may be reproduced, stored in a

retrieval system, or transmitted, in any form, or by any means, electronic,
mechanical, photocopying, recording, or otherwise without prior permission, in
writing, from the publisher.

Edition : January, 2010

Committee/ : Committee on Information Technology

Department

E-mail : [email protected]

Website : www.icai.org, http://cit.icai.org

Price : Rs. 70/-

ISBN : 978-81-8441-299-4

Published by : The Publication Department on behalf of the Institute of

Chartered Accountants of India, ICAI Bhawan, Post Box No.
7100, Indraprastha Marg, New Delhi - 110 002.

Printed by : Sahitya Bhawan Publications, Hospital Road, Agra 282 003.

January / 2010/1,000 Copies
 FOREWORD
Information Technology is the prime business driver for enterprises
encompassing all facets of its operations. It is impossible today to visualize an
organization without any element of Information Technology initiatives. As
organizations evolve and grow, it is imperative that IT also keeps pace with the
evolution and growth of the organization by migrating to more efficient and
effective IT systems considering increasing requirements and technology
evolution. The oft repeated phrase today is – “Successful organizations manage
their IT successfully”.
Managing IT successfully is a challenge not just from organizational change
perspective, but also from the change that happens within IT itself. A wide array
of IT resources such as software, hardware resources, IT facilities and so on are
used by organizations. These need to be updated to keep in tune with emerging
requirements and technological innovations to service increasing informational
requirements. Also, new vulnerabilities and threats develop on existing IT
infrastructure and hence the need for updates or enhancements is essential from
a security point of view also.
Organizations therefore, periodically transit from one IT environment to another
either from an efficiency or security point of view. This transition or in other words
migration, is a part and parcel of any IT management function today.

IS Auditors -D.I.S.A. (ICAI), are the guardians of controls in IT Infrastructure and

have an important role in ensuring the effectiveness, security, availability and
reliability of such infrastructure. The role of IS Auditors becomes very critical in IT
migration projects and there is an emerging need need to be updated in this
area.
The Committee on Information Technology of the Institute has brought out this
Technical Guide on IT Migration Audit to provide detailed guidance on the scope
and coverage of an IT Migration Audit. I am sure that this guide will address the
professional expectations and requirements of IS Auditors involved in migration
audits.
I believe that this publication is a laudable effort and a necessary step in the right
direction as it attempts to provide guidance on IT migration audit related issues to
the members and various stakeholders to such an exercise. I am confident that
this guide would be well received by the profession and the industry.
I complement the Committee on Information Technology and its Chairman, CA.
K.Raghu and Committee members for doing valuable work in bringing out this
technical guide and the Committee Secretariat in promptly coming releasing the
same.

CA. Uttam Prakash Agarwal

President
January 21, 2010
New Delhi
 PREFACE
IT migration has become a very critical function in IT management today. The
risks that arise from such migration exercises and the controls that should be
implemented during such an exercise are very important and should be clearly
understood, to ensure that the migration activity is in line with expected
deliverables.
The Committee on Information Technology has been at the forefront in equipping
Institute members on the latest developments and best audit practices. An IT
migration exercise is a key milestone event in any IT management process, and
this technical guide makes an earnest effort to brings forth the critical areas that
need to be checked by auditors during migration audits.
This guide covers major migration events such as data center migration,
database migration, ERP migration, application migration, OS migration, server
migration etc apart from the detailing the controls to be adhered in pre migration
and post migration exercise.
While the primary audience of this guide is our member fraternity, I would also
request our members to discuss this guide with CIO/CTO’s so that organizations
undergoing migration can ensure compliance to control requirements.
I hope this guide will not only enhance the professional knowledge of members in
undertaking migration audits, but also attempts to provide the IT management
and governance functions considering the compliance expectation of migration
process.
I am indeed very thankful to CA. Uttam Prakash Agarwal, President and CA.
Amarjit Chopra, Vice President for the guidance and support in coming out with
this Technical Guide. I would like to record my deep appreciation for the
guidance and support of the members of the Committee on Information
Technology in coming out with this guide. I appreciate the efforts put in by Mr.
Ravi K. Arora, Jt. Director and the officials of the Committee Secretariat for their
contribution in timely releasing this Technical Guide
I place on record my sincere thanks to CA B Mahesh Balan, CA V Vijayakumar,
CA N Swameshwar and CA Suresh Rangarajan for their inputs in preparing this
technical guide. I am also thankful to CA N Venkatakrishnan Special Invitee of
the Committee on Information Technology for his valuable contribution in
finalizing the Guide. I am also thankful to members of the Committee on
Information Technology for their valuable contribution in finalizing the Guide.

CA. K. Raghu
Chairman
Committee on Information Technology
Place: New Delhi
Date: 21st January 2010
 CONTENTS
Foreword ............................................................................................................iii
Preface................................................................................................................. v
1. Introduction.................................................................................................... 1
2. Migration Lifecycle......................................................................................... 3
3. Objectives of Migration Audit......................................................................... 7
4. Pre-Migration Audit........................................................................................ 9
5. Post-Migration Audit .................................................................................... 13
6. Audit Procedures–Migration Events ............................................................ 15
6.1 Data Centre Migration....................................................................... 15
6.2 Database Migration........................................................................... 22
6.3 ERP Migration................................................................................... 24
6.4 E-Mail Migration................................................................................ 31
6.5 Server Hardware Migration ............................................................... 34
6.6 Operating System Migration ............................................................. 36
7. Case Studies ............................................................................................... 39
A Migration in a Bank............................................................................... 39
B Sap Migration ....................................................................................... 46
Annexures
1. Bank Branch Level CBS Migration Audit – Sample Checklist ........... 53
2. Database Migration Audit – Sample Checklist................................... 56
3. Useful Website Links for IT Migration Audit....................................... 58
 1
Introduction
Information technology has been growing rapidly in recent years. This has led to
a huge growth in data generation and storage for better information processing.
Newer technologies are being introduced in the Information Technology
spectrum for businesses to arrive at better informed decisions. Organizations are
constantly revamping their information technology architecture to take advantage
of these new developments. This includes introducing new ERP applications,
moving to state of the art data centers, implementing better and more secure
operating systems, and installing faster storage devices and servers. There could
also be other business reasons for a data migration like mergers and acquisitions
of new businesses. This means migration of existing data in legacy or disparate
applications, operating system, storage devices, etc to a new environment.
Definition of IT Migration
According to the Webster dictionary migration means “to move into or come to
live in a region or community especially as part of a large-scale and continuing
movement of population”.
Extending this meaning, IT Migration can be defined as a “process of movement
of any one or a group of IT Assets from one state of existence to another”.
It is important to understand what constitutes IT Assets, before understanding IT
Migration. IT Assets comprise hardware, software, data, people and related
infrastructure. A successful migration project requires business impact analysis
to mitigate risks, detailed planning and excellent project management skills.
Types of Migration Events
With rapid technological innovations, migration events happen in every touch-
point in an IS environment. The major migration events are of six types:
A. Application Migration (ERP, Email, CRM, Web Applications)
This involves migration from a legacy application to new-breed applications,
from one vendor application to another vendor application or from an
application written in an old programming language to a new one.
Technical Guide on IT Migration Audit

B. Operating System Migration

OS migration involves migration from one vendor OS to another vendor OS
or an upgrade from an old version of OS to another version of the same OS.
C. Database Migration
This includes migrating from one vendor database to another vendor
database, from one version of a database to another version of the same
database, or consolidation of different databases into one database.
D. Hardware Migration
Hardware migration includes migration from one server to another server,
consolidation of servers, migration from one storage device to another
device, and migration from one network device to another device.
E. Datacenter Migration
Data center migration includes migration of existing information processing
facilities to third party data centers and consolidation of multiple data
centers.
F. Service Provider Migration
With new technologies like SaaS (Software as a Service) and cloud
computing, almost all the IT activities can be outsourced. In such a scenario,
migrating from in-house IT processing facility to a third party or moving from
one third party to another third party can be categorized under service
provider migration.
This technical guide gives the IS auditor an overview of the IS migration
lifecycle and the activities to be performed in the pre- and post-migration
audits. It also deals with procedures for audit of each type of migration
event.

2
 2
Migration Lifecycle
The major activities in a typical migration project are scoping, planning, pre-
migration audit, actual migration event and post-migration audit. Each of these
activities is briefly explained below.
1. Scoping and Planning
A preliminary analysis of the current environment is undertaken to determine
the scope of the migration and its requirements. The following details are
gathered in this phase:
i. Type of migration event
ii. Quantity of data to be migrated
iii. Details of existing applications, OS, and hardware that are being
migrated
iv. Estimated downtime for Application/IT infrastructure downtime that is
proposed to be migrated
v. Performance Impact
vi. If available, a working plan from a similar migration event.
Based on the above, a detailed plan with migration design and timelines is
prepared, which details the following:
i. Migration type
ii. Details of the current hardware, data center, applications, data, etc
iii. Details of the new environment
iv. Tools to be used for the migration
v. Testing methodologies to be followed
vi. Resource plan and detailed timelines
vii. Vendor support documentation and co-ordination
Technical Guide on IT Migration Audit

Risk assessment of the migration project is done in this phase to find out
what can go wrong, how to prevent it and how to mitigate the impact of a
failed migration.
In the planning phase, migration scripts are developed if the migration is
planned to be automated using scripts for upload of data into the new
hardware / database. Load tests are conducted to test the migration process
as well as the capacity of the new environment to take in data as per the
planned migration throughput rates.
2. In the planning phase, a detailed business continuity plan is also
designed to overcome a situation of failed or delayed migration.
This plan has to be tested before the migration event. Pre-
migration audit
Before the actual migration event happens, it is advisable for organizations
to conduct a pre-migration audit. The Information System Auditor should be
engaged for the purpose. For this, the auditor will have to check the
following:
i. Infrastructure review
ii. Audit of migration scripts
iii. Load tests review
iv. Compatibility Checks
v. Business Continuity Plan review
vi. Legal compliance and checks
The above activities are explained in detail in the chapter “Pre-migration
Audit”.
Though it is desirable to conduct a pre-migration audit in every migration
exercise, it is generally done for large scale events such as data center
migration and ERP migration.
3. Actual migration event
Migration event, which is carried out as per the plan, involves the following
activities:
i. Backup of data being migrated is taken and tested.

4
 Migration Lifecycle

ii. If the migration is a data migration, then data is cleansed for duplication,
deterioration, errors and missing fields.
iii. Data throughput rates are monitored to find out any deviation of actual
throughput rates from the estimated throughput rates. If any deviations
are noticed, the migration methodology and plan are modified to
achieve a successful migration.
iv. Data integrity checks are conducted by the migration team to check for
completeness and accuracy of data.
v. Sign-off is obtained from the end users for the completion of the
migration process.
vi. Decommissioning of the original source of data.
4. Post-migration audit
Information systems auditors are also involved in this final phase of the
migration audit. The auditor performs the following audit checks to confirm
that the migration has been successfully accomplished.
i. Data integrity checks
ii. Log Analysis for errors and mitigation
iii. Performance review
The above activities are explained in detail in the chapter “Audit of Actual
Migration Event”.

5
 3
Objectives of Migration Audit
Like any other audit, migration audit too has its objectives. The audit should be
planned and executed to realize these objectives, which should be in line with the
expectations from the migration event. The major objectives that each migration
audit should cover are:
i. Integrity
The first and foremost objective of a migration audit is to ensure that the
data in the new migrated environment qualifies the integrity and reliability
tests. This applies to all types of migration events. If any errors or mistakes
are identified, suitable counter measures should be recommended to
mitigate their impact.
ii. Control adequacy
Auditors should verify that adequate control framework has been established
for migration. This can be in terms of project documentation, project team
definition, backup plans, vendor support, test documentation, etc. IS auditors
should assure the management that migration plan and controls have been
adhered to.
iii. Business Continuity
The Information systems auditor should ensure that the migration team has
taken adequate security measures for the migration event so that major
business disruptions do not happen during the process of migration.
iv. Effectiveness
As part of the migration audit, the IS auditor should review the migration
processes and methodology, to ensure compliance of the original budget
and schedule and identify deviations and (inefficiencies or deficiencies). He
also needs to find out whether appropriate migration tools and software were
used for the migration. For this he may obtain end-user feedback and
suggest opportunities for improvement.