Good Final Project

The project report certifies the completion of the DISA 2.0 course and presents a project titled 'Evaluation of Proposal of Migrating to Cloud based ERP Solutions' for ABC Automobiles, which aims to address their current software limitations and enhance data management through a cloud-based ERP solution. The report outlines the audit team's methodology, scope, and deliverables, including risk assessment and recommendations for controls to ensure a secure and efficient implementation. The audit is conducted by a qualified team to provide independent assurance on the reliability of the proposed solution in alignment with the company's growth objectives.

Uploaded by

poojan360

Project Report of DISA 2.0 Course

CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course
training conducted at: NAGPUR from 17.04.2015 to 30.04.2015
and we have the required attendance. We are submitting the Project titled:
Evaluation of Proposal of Migrating to Cloud based ERP Solutions

We hereby confirm that we have adhered to the guidelines issued by CIT,
ICAI for the project. We also certify that this project report is the original
work of our group and each one of us has actively participated and
contributed in preparing this project. We have not shared the project details
or taken help in preparing the project report from anyone except members of
our group.

1. Name: CA. Kapil Chandwani, DISA No. 44217, Signed ……………………
2. Name: CA. Sonakshi Ganguli, DISA No. 45294, Signed ……………………
3. Name: CA. Nikita Tibdewal, DISA No. 42579, Signed ……………………

Place: Nagpur

Date: 11.09.2015
Table of Contents

Details of Case Study/Project

Project Report
1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
Project Report

Evaluation of Proposal of Migrating to Cloud based ERP Solutions

A. Details of Case Study/Project

ABC Automobiles have decided to migrate to ‘Wilson’s On Cloud
Solution (WOCS) - Standard Version’, a robust full suite of ERP
developed using Wilson Virtual Works, a state-of-the-art software
engineering and delivery platform. The Board of Directors is concerned
about the security of their data and the capability of the solution to meet
current and future requirements.

We, as IS auditors, have been appointed by the management to provide a
strategy for deploying the proposed solution. The scope of work also
includes risk assessment as well as recommendation of the controls to be
implemented and a cost benefit analysis of the same.

B. Project Report

1. Introduction

A. Introduction of ABC Automobiles:

• ABC Automobiles Ltd. (ABC) is a multinational automotive
  manufacturing company based in South India.
• With its corporate office located at Chennai, the company has four
  branch offices at Mumbai, Pune, Delhi and Bangalore and
  employs more than 300 employees.
• It has luxury bus manufacturing and assembly plants in
  Chennai and Bangalore. Research and development is done at the
  Chennai centre.
• It is well equipped with total infrastructure, has kept pace
  with changing technology and produces high quality
  buses.
• It is considered one of the top luxury bus brands in India and
  has aggressive business growth plans.
• Recently Mr. M has taken charge as the MD of the company.

B. Auditors' Introduction

• M/s XYZ is a Chartered Accountant firm registered with the Institute
  of Chartered Accountants of India. We are committed to providing
  consistent, customized and workable solutions to our clients
  and strive to support our services with the highest level of
  professionalism, efficiency and technology.

• The firm has a team of three Chartered Accountants along with
  three support staff and five articles. The firm has been serving
  the industry for a decade. The firm has vast experience in
  the field of system audit. The team is led by Mr. X and
  Ms. Y, who are specialised in this field. Mr. X and Ms. Y qualified the DISA
  course from ICAI and thereby completed the CISA course to gain
  utmost knowledge in the field of system audit. The firm is
  committed to providing a full range of high quality services and
  excellence, and to offering value for money for the services we provide.

2. Auditee Environment

• The client is a growing bus manufacturer in South India.
• They have aggressive growth plans.
• It is well equipped with total infrastructure, has kept pace
  with changing technology and produces high quality
  buses.
• The organization has adopted a structure based on the
  functions performed by the personnel.
• They are currently using a stand-alone accounting and inventory
  package which has limited functionalities.
• The company has more than 300 employees, of which the Finance
  and Accounts department has more than 40 employees.
• Current software packages of the company are stand-alone and
  non-integrated, and there is extensive documentation
  maintained.
• Most of the staff are not computer savvy and have limited
  knowledge of using computers.
• Given the size of the organization, the IT infrastructure lacks
  integration, owing to which there is duplication of work and an
  increase in costs.

Being an automobile manufacturing unit, it has to adhere to many laws and
regulations, including guidelines from the Automobile Industry that list out
policies like:

• Industrial Approval Policy
• Foreign Investment Policy
• Fiscal Policy
• Foreign Trade Policy

In addition to the above legal requirements, there is also an internal
Information Security Policy that can be summarized as under:

• The information security policy basically aims to protect the
  availability, utility and confidentiality of critical information in
  compliance with legal requirements.

• The policy follows a risk based approach to ensure appropriate
  controls that would mitigate the risks to the lowest possible level.

• The key instructions to protect against the loss of data are in connection with
  the storage of critical information/data, backups, the email management
  system, and protection against hacking, viruses, worms and other malware.

• The information security policy further confers responsibilities upon
  the unit heads/department heads/senior management to ensure that
  the requirements of the policy are adhered to.

3. Background

The Board of Directors is concerned about the security of their data and the
capability of the solution to meet current and future requirements. They
want an independent assurance on the reliability and practical
implementation of the solution in a safe and secure manner to achieve
current and future business goals in a cost effective manner. They also want
a total review of the overall cost of the proposed solution.

The cloud service provider has highlighted various advantages of migrating
to a cloud based ERP solution. Wilson Solutions provides a single version of
the product at any point of time. Basically the requirements are market
driven and will be prioritized based on various criteria like statutory needs, best
business practice, key business processes etc. WOCS is expected to enable
ABC to reap the benefits of a solution with “built-in best practices” together
with a highly “flexible framework” to ensure solution alignment to the “Dynamic
Business Requirements” of ABC.

A series of discussions were held with the IS Audit team. Based on this, the
scope of the IS Audit has been defined. The scope of the project includes
implementation of Wilson ERP on Cloud - Standard Version for Legal
Entities of ABC for the specified modules within the available product
features of Wilson ERP on Cloud - Standard Version.

4. Situation

ABC Automobiles Ltd. (ABC) is a multinational automotive manufacturing
company based in South India.

Though it is well equipped with total infrastructure and has kept pace
with changing technology, they have aggressive business growth plans
and found that the current software solution cannot meet their future
business requirements. Current software packages are stand-alone and
non-integrated, and there is extensive documentation maintained. The database
is non-integrated and hence causes serious sync issues at times.
Redundancy of data is also one of the serious issues.

Also, the company has more than 300 employees spread across the head
office and 4 branch offices. Most of the staff are not computer savvy and
have limited knowledge of using computers. The vendor is expected to
provide one week of training to employees so that they configure and
implement the solution as per their specific business processes. Also, the
user training programs have not been very successful.

As the company is planning for extensive growth, it would be difficult to
manage a large amount of data on a stand-alone and non-integrated system.
With a growing amount of data to be managed, the cost of data management
would also need to be considered.

The company tried to resolve these issues internally but has not managed
to meet customer expectations on this front. The management has realized
that investing more resources, monetary and otherwise, on this would take
away the resource investment in its core areas. Owing to these issues, the
company is seriously considering migrating to Cloud based ERP solutions.

5. Terms and Scope of assignment

We have been appointed by ABC Ltd. by letter dated 15th July, 2015 for
the Information System Audit of the Cloud based ERP Solution. The scope
and terms mentioned in the engagement are as under.

• Perform a risk assessment of the deployment solution.
• Recommend controls to be implemented covering all critical
  operations and transaction processing.
• Provide an independent assurance on the reliability and practical
  implementation of the solution in a safe and secure manner to achieve
  current and future business goals in a cost effective manner.
• Provide a cost benefit analysis to the client as to the present and the
  proposed scenario.
• Advise on the migration strategy.
• Frame a specific risk management strategy to be adapted covering
  security, performance and business value.
• Provide a sample list of key controls to be implemented in each of the
  modules as relevant to ABC Automobiles.

Other terms and conditions

• The report should be submitted latest within three weeks from the
  date of the offer letter.
• The consolidated remuneration shall be Rs. 50,000/- (Rupees Fifty
  Thousand Only). It is a package payment and no travelling or
  any other allowance will be paid. However, Service Tax and
  Education Cess at applicable rates would be payable subject to
  giving an undertaking along with the professional bill that the Service
  Tax collected would be deposited with Statutory Authorities.
• The auditor is not disqualified under the provisions of the Companies Act,
  2013.
• The auditor firm or any of its associate firms have never been
  de-paneled due to poor performance.
• The audit is to be conducted by a CISA, DISA qualified Chartered
  Accountant or by a team to be headed by the CISA, DISA qualified
  Chartered Accountant.
• In case any major ambiguities are noticed or detected, they must be
  reported to the board by the fastest available mode of communication or
  personally, if stationed locally.

6. Logistic arrangements required

ABC Automobiles have decided to migrate to ‘Wilson’s On Cloud Solution
(WOCS) - Standard Version’.

Wilson Solutions provides the Software as a Service (SaaS) development
model of Cloud Service. This provides the capability to use the provider’s
applications that run on the cloud infrastructure. The applications are
accessible from various client devices. Users are freed from the possession
and maintenance issues of software and hardware. Data storage,
processing, backup and other IT infrastructure would be handled by the
cloud service provider.

What is most important in such a scenario is the “Service Level Agreement”,
wherein the major terms and conditions are presented. Correct understanding
of and consensus on the terms is crucial to the success of the outsourcing.
Hence our major area of work and concern would be to evaluate the
service level agreement.

Confidentiality agreements are also required to be evaluated to see
whether they are appropriate and meet the requirements of the concern.

Back-up procedures are to be evaluated to see if they meet the requirements
and whether the same are functional.

The WOCS solution has standard product features which cannot be
modified except based on the methodology followed by Wilson, and the
customer has to use the existing product without any changes. Hence we
would also be required to carry out a compatibility test as to whether the
application software that Wilson is offering is compatible with the existing
system of the organization.

ABC Ltd. was asked to make the following arrangements for this
assignment:

• Computers/Laptops with internet access
• LAN connection
• Separate User ID and passwords for the audit team
• Facilities for discussions amongst our team and company's
  designated staff

Various tests conducted by using IDEA - CAAT tools:

• Duplicate and Gap Detection Tests
• Matching and Comparison Tests
• Generalised Audit Software like Interactive Data Extraction
  and Analysis
• Utility software
• Audit Trails

7. Methodology and Strategy adapted for execution of assignment

Methodology and Strategy adapted for execution of assignment is as
under:

1. Understand the mission.
2. Identify the culture.
3. Determine the value.
4. Understand your data.
5. Understand your services.
6. Understand your processes.
7. Understand the cloud resources.
8. Identify candidate data.
9. Identify candidate services.
10. Identify candidate processes.
11. Create a governance strategy.
12. Create a security strategy.
13. Bind candidate services to data and processes.
14. Relocate services, processes and information.
15. Implement security.
16. Implement governance.
17. Implement operations.

8. Documents reviewed

• Service Level Agreement
• Organization Structure
• Cloud Vendor’s Policy
• Business Continuity Plan of Wilson Solutions
• Disaster Recovery Plan of Wilson Solutions
• IS Policy
• Risk Assessment Report
• Network Policy

The most important document when evaluating cloud computing is the
service level agreement.

In the present case we will base the evaluation of the Service Level
Agreement on the following parameters:

1. Availability
2. Response Time
3. Capacity
4. Capability indicators
5. Support offerings
6. Reversibility and termination process
7. Service reliability
8. Authentication and Authorization
9. Cryptographic Methods and Algorithms
10. Security incident management and reporting
11. Logging and monitoring
12. Auditing and security verification
13. Vulnerability management
14. Governance
15. Service Changes
16. Data Classification methodologies
17. Customer Data Mirroring, backups and Restore
18. Data Life cycle
19. Data Portability
20. Code of conduct, standards and certification mechanisms
21. Purpose specifications
22. Use, retention and disclosure limitation
23. Openness, transparency and notice
24. Accountability
25. Geographical location of cloud service customer data
9. References

The following references have been used for preparation of the Report:

• www.cit.icai.org
• www.icisa.cag.gov.in
• www.isaca.org
• Institute of Chartered Accountants of India Publications on
  “Information Systems Audit”, “SIA 14, on Internal Audit In Information
  Technology Environment”
• ISACA ITAF, 1201 “Engagement Planning”
• “Security, Audit and Control Features SAP® ERP, 3rd Edition”
• Information Systems Assurance Services of ICAI ISA-2 Reference
• ITAF guidelines for audit of third party IT activities
• International Standard on Auditing
• Standards for IS audit and assurance issued by ISACA, 1201:
  Engagement Planning, 1202: Risk Assessment in Planning, 1204:
  Materiality, 1205: Evidence and IS Auditing Guidelines 2201:
  Engagement planning, 2202: Risk assessment in audit planning, 2204:
  Materiality, 2205: Evidence
• ICAI guidelines
• www.isaca.org/cloud
• www.cloud-standards.org/wiki/
• www.cloudaudit.org
• www.cloudsecurity.org

10. Deliverables

As per the management’s requirements in the appointment letter, our
report/findings have been structured into four main areas:

1. Perform a risk assessment of the deployment solution and
   recommend controls to be implemented covering all critical
   operations and transaction processing.
   • Limited functionality and availability
   • Reduced customisation and integration
   • Perceived data risk
   • Organisational resistance

2. Provide a sample list of key controls to be implemented in each of the
   modules as relevant to ABC Automobiles.

3. Provide a strategy for deploying the proposed solution and a specific risk
   management strategy to be adapted covering security, performance
   and business value.

   We employed the following methodology, customized for each
   business function reviewed:

   • We first determined components within each category to review
     based on risk to the implementation completion, intended
     functionality, and schedule.
   • Reviewed component implementation methodology and plans
     for sufficiency (such as the strategy for Integration Testing, and
     sampled the planned tests to perform).
   • Observed component implementation and tracked it to the planned
     methodology to ensure that there was no disconnect between
     what was planned and documented and the work that was
     actually performed.
   • Reviewed components to be implemented using judgmental
     sampling to confirm that the end result came out as planned, or
     was appropriately adjusted.
   • Due to the nature of the ERP implementation, reporting issues
     in a timely manner presented unique challenges as compared to
     a standard audit. As is the case with system implementation
     audits, our reporting process takes into account the fact that
     issues are expected to occur during an implementation and do
     not necessarily present a risk to the project. Further,
     management had several methods available at any given time
     during the project to identify and remediate issues. We have
     assigned ranks to the risks relating to key controls identified by
     us and suggested remediation/recommendations.

4. Provide a cost benefit analysis with comparison of Capex and Opex for
   the current and proposed solution.
   This model provides the capability to use the provider’s applications
   running on cloud infrastructure. The applications are accessible from
   various client devices through a thin client interface such as a web
   browser. This brings savings to ABC Automobiles as there is no
   need to buy licenses for running programs on their own computers.
   The software solution is accessible using existing computers.

11. Findings and Recommendations

1. The ABC Automobiles Ltd. Board has ultimate responsibility and oversight
over the migration to the ERP cloud. ABC Automobiles Ltd.'s Senior
Management is responsible for overseeing the migration process, which
inter alia includes determining how the company will manage and control
identified risks, prioritizing critical business functions, and allocating
knowledgeable personnel and sufficient financial resources to implement
the migration.

2. A senior official needs to be designated as the Head of the migration
activity/function.

3. There need to be adequate teams for various aspects of the migration
at Central Office level as well as individual Zonal/Controlling Office and
branch level, as required. The various teams that can be
considered, based on need, include an incident response team, emergency
action and operations team, team from a particular business function,
damage assessment team, IT teams for hardware, software and network
support, supplies team, team for organizing logistics, relocation team,
administrative support team and coordination team.

4. The people aspect should be an integral part of an ERP migration. Generally,
plans are too focused on the technical issues; therefore, it is
suggested that a separate section relating to people should be
incorporated, including details on staff welfare, counselling, relocation
considerations, etc.

5. The ERP Migration should be maintained by annual reviews and updates to
ensure its continued effectiveness.

7. There are many applications and services in the Company that are highly
mission critical in nature and therefore require high availability and fault
tolerance to be considered while designing and implementing the solution.
This aspect is to be taken into account especially while designing the data
centre solution and the corporate network solution.

8. A sufficiently large “question bank”, related to the security health of the
organisation, should be prepared. A random subset of these queries could
then be given to the company's IT or security teams and related personnel,
for eliciting answers in quick time.

9. All employees and staff shall be briefed on the contents of the ERP and
be made aware of their individual responsibilities.

12. Summary/Conclusion

Cloud computing is a developing area and is quite economical for
companies. The “pay as you need” model helps in cost savings. There are
many other benefits of cloud computing. But on the other hand there are
other concerns that may have to be addressed when it comes to adopting
the cloud computing methodology.

Our evaluation of the whole process of migration helped us understand the
offer of the service provider and also provided us an insight into the
benefits the organisation would accrue from it. The major concerns as to:

a) Backups
b) Storage
c) Confidentiality
d) Downtime management
e) Scalability
f) Flexibility
g) Privacy
h) Data security

have been taken care of to an extent in the offer terms.

As the cost benefit analysis concludes, opting for the migration proposal is
to the benefit of the company. Hence we suggest migrating to the Cloud
based ERP.
