Migrating To Cloud Based ERP Solutions Project

PROJECT REPORT

ISA 2.0
Migrating to
Cloud based ERP
solution
TABLE OF CONTENTS

Certificate
Details of Case Study / Project Problem
Project Report - Introduction
Auditee Environment
Background
Situation
Terms and Scope of Assignment
Logistic Arrangements Required
Methodology and Strategy Adapted for Execution of Assignment
Documents Reviewed
References
Deliverables
Format of Report/Findings and Recommendations
Summary/Conclusion


CERTIFICATE

This is to certify that we have successfully completed the ISA 2.0 course training conducted at Hotel Pride Plaza, Bodakdev Cross Road, Ahmedabad from 1st Feb 2020 to 29th April 2020, and that we have the required attendance. We are submitting the project titled: Migrating to Cloud based ERP solution.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project report is the original work of our group and that each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.

1. Name : CA Dhaval Limbani (ISA No. 62188)
2. Name : CA Manoj Jajodia (ISA No. 62682)
3. Name : CA Ashish Mehta (ISA No. 62810)

Place : Ahmedabad
Date : 30-04-2020


DETAILS OF CASE STUDY / PROJECT PROBLEM

ABC Infrastructure Ltd. (the auditee) provides Gas Pipeline Services and distribution, EPC projects, cross-country pipeline laying and horizontal directional drilling across India. It is well equipped with the required infrastructure, has kept pace with changing technology, and has a construction team focused on safety, quality and efficiency, executing cost-effective projects within time and budget. The company currently uses a stand-alone accounting and inventory package which has limited functionality. It has aggressive business growth plans and has found that the current software cannot meet its future requirements.

ABC Infrastructure Ltd has decided to migrate to 'Wilson's On Cloud Solution (WOCS) - Standard Version', a full-suite ERP developed using Wilson Virtual Works, a state-of-the-art software engineering and delivery platform. WOCS is expected to enable ABC to reap the benefits of "built-in best practices" together with a highly "flexible framework" that keeps the solution aligned to ABC's "dynamic business requirements".

The WOCS solution has standard product features which cannot be modified except through the methodology followed by Wilson; the customer has to use the existing product without any changes. As part of the Software as a Service (SaaS) delivery model, WOCS will not make any changes to the data entry screens or processes for an individual customer's needs.


1. PROJECT REPORT - INTRODUCTION

ABC Infrastructure Ltd is a provider of Gas Pipeline Services and distribution and EPC projects across India, with technology infrastructure adequate to the changing environment. The company has four branch offices and more than 300 employees including those at the branches. Of these, more than 40 employees are engaged in the finance and accounts department. At present the company maintains non-integrated, stand-alone accounting software, which requires extensive documentation to be maintained.

With the changing environment and planned business growth, the company's board has decided to migrate from the existing non-integrated software to 'Wilson's On Cloud Solution (WOCS)', an ERP software. The new ERP software will cover all business process functions, from project execution, marketing and purchase management to payroll, inventory management, and financial and management accounting, so that real-time business information is available.

ABC Infrastructure Ltd (the auditee) appointed M/s MAD & Associates (Chartered Accountants, referred to as the auditor) to conduct the Cloud ERP System Audit of the auditee. The auditor firm has 3 years' experience in conducting IS audits. The firm has 3 partners (CAs), 2 system auditors (ISA) and 3 other technical staff, all having good knowledge and experience in their respective domains.

TEAM MEMBERS

S.NO  NAME                 QUALIFICATION                     DESIGNATION
1     Mr. Dhaval Limbani   FCA, ISA                          Team Leader
2     Mr. Manoj Jajodia    FCA                               Co-Team Leader
3     Mr. Ashish Mehta     FCA                               Co-Team Leader
4     Mr. Pranav Pandya    FCA, ISA                          Team Member
5     Mr. Mihir Pandya     M.Tech, PhD (IT), BE (Software)   Software Engineer
6     Mr. Dhaval Chikani   M.Tech, BE (Software)             Software Engineer
7     Mr. Darshan Panchal  PhD (IT - Hardware Engineer)      Hardware Engineer


2. AUDITEE ENVIRONMENT

ABC Infrastructure Ltd is a provider of Gas Pipeline Services and distribution and EPC projects across India, and is engaged in heavy infrastructure projects for governments and large infrastructure companies.

The company board consists of 7 directors: one Managing Director (CEO), one Finance Director (CFO), a Sales & Marketing Director, a Chief Operating Officer (COO), a Chief Information Officer (CIO) and 2 Executive Directors. The board sets policy and procedure and lays down the strategy for the business, which is executed and implemented by managerial and operational staff, from each department head down to operational-level staff.

At present the company uses non-integrated accounting software which will no longer be useful given the changing business and technology environment. The company's infrastructure is otherwise well equipped, but it does not use any ERP software to integrate all business functions on a single platform. The MD is confident that, with adequate training, the finance and accounts department can be brought up to speed on a cloud-based ERP. Moving to the cloud also eliminates the need to purchase servers and storage hardware, i.e. a reduction in capital expenditure (CAPEX); the subscription fee becomes a recurring operating expense (OPEX) instead.

Apart from the respective tax laws, corporate law, labour law, etc. and the Information Technology Act, 2000, the company is not bound by any other legal compliance regime such as RBI, SEBI, Banking Regulation or IRDA. The company has a compliance department which looks into matters relating to compliance, and its work is reviewed by the internal audit function. For effective operation of the compliance department the company has standard policies, procedures and guidance that define the regulatory requirements that apply to the company.


Information Security Policy

1. Acceptable Use Policy: The company has defined acceptable use of computer devices and equipment, and the security measures employees must follow to protect organizational resources.
2. Clean Desk Policy: The company has defined the minimum requirements of a clean desk policy: sensitive or critical information of the company, employees and customers, and intellectual property, must be secured in a locked area.
3. Encryption Policy: The company has defined the acceptable encryption algorithms for system security and protection from unauthorized access.
4. Digital Signature Acceptance Policy: The company has defined when a digital signature is considered an acceptable means of validating the identity of a signer in electronic communications and documents.
5. Password Policy: The company has defined high-level password configuration requirements for system access and email access to protect information and identity. Passwords must be changed within 90 days. (Auditor's caveat: current guidance such as NIST SP 800-63B advises against forced periodic rotation unless there is evidence of compromise, favouring length requirements and screening against known-breached passwords instead; the auditor should confirm which approach the policy follows.)
6. Network Security Policy: The company has defined overall network access, including a remote access policy (the software used for remote access), a wireless communication policy for connecting to the company network, and standards for the minimum security configuration of routers and switches inside the network.
7. Server Security Policy: The company has defined requirements for installation of third-party software and security configuration of servers. It has also defined requirements for disposal of equipment such as hard drives, USB drives, CD-ROMs, etc.
8. Business Continuity Management Policy: The company has defined requirements to ensure continuity of critical business operations. It is designed to minimize the impact of unforeseen events and facilitate the return of the business to normal levels.


3. BACKGROUND

Since the company has decided to change its accounting tool from traditional software to a cloud-based ERP (WOCS), the most important task for the company is to migrate its data to the ERP system first. This is done by batch processing: data is uploaded first, and then another person approves the uploaded transactions (maker-checker). Once the data is processed, the next critical operation is to reconcile it with the data in the traditional system, to check that all data has been migrated completely and in the required form. In a cloud ERP the system is hosted on the cloud and the ERP service provider takes care of hosting. This is based on the Software as a Service (SaaS) model, in which the company accesses the software while the service provider manages the software, including the operating system and execution environment.

To check all these critical operations the company wants an independent auditor function. The auditor (MAD & Associates) will audit these functions starting from the initial mapping of codes, ledgers and groups, through data uploading, reconciliation, report spooling and trade checking, to establish whether all ERP modules (vendor data, inventory management, financial accounting, sales and purchase, payroll, etc.) are working effectively and efficiently on the cloud site provided by the cloud service provider. The auditor will also verify that the effect of one data entry on other ERP modules is proper and correct.

For this purpose the auditor will thoroughly check whether system configuration and settings have been manipulated or modified. The auditor will further check the IT infrastructure configuration (operating system, servers, networking devices and tools) and the security controls over them, to check whether confidentiality, integrity and availability (CIA) could be compromised by unauthorized access, data manipulation, etc., which would be a major threat to the organization. In addition, the auditor will check whether the vendor is responsible for maintaining hardware and software, i.e. patches, upgrades and refreshes.


4. SITUATION

The auditee currently uses stand-alone accounting and inventory packages which have limited functionality. The company has aggressive growth plans for which the current software is not adequate. The finance and accounts department has more than 40 employees, the current packages are stand-alone and non-integrated, and extensive documentation has to be maintained. Management has therefore decided to migrate to a cloud-based ERP.

The proposed Wilson's solution provides a single version of the product at any point in time. All product feature upgrades and updates are made available as part of the standard offering. The requirements are market driven and are prioritized on criteria such as statutory needs, best business practice and key business processes. There are 14 modules included in the scope, such as sales & shipping management, accounts receivable, purchase, HR & payroll, etc.

Moreover, the current staff is not computer savvy and has limited knowledge of using computers, but the young MD has taken charge of training employees, and a cost comparison based on a model implementation of a 10-user licence provides the cost-benefit analysis and justification for the investment. Seeing these current problems and the benefits of a cloud-based solution, management has decided to migrate to a cloud-based ERP. The proposed solution provides complete applications sold on a subscription model for a specific period. This model provides the capability to use the provider's applications running on cloud infrastructure. The applications are accessible from various client devices through a thin-client interface such as a web browser. This saves ABC Infrastructure Ltd the cost of buying licences to run the programs on its own computers; the software is accessible using the existing computers.


Areas of risk and the risk-focused questions for each:

1. Access Control
   - Is there appropriate ingress and egress filtering?
   - Are there ACLs that segment the environment from other resources?
   - Is there a protected environment?
2. Virtualization
   - How are host systems secured?
   - Are resources utilized and released as expected?
   - How are virtual resources interconnected?
3. Data Management and Data Storage
   - The cloud provider may not be able to match in-house IT service availability, recovery time objectives (RTO) and recovery point objectives (RPO).
   - Cloud providers may drastically change their business model or discontinue cloud services.
   - Due to technical architecture complexity and potential restrictions by the cloud provider, replicating data back to the enterprise or to another provider may be difficult.
4. Communication Channels
   - What communication protocols are used to communicate with other data centers?
   - Are any clear-text administration protocols used?
   - Can you monitor communication in and out of the cloud as well as within the cloud?
   - Are there any end-user devices that can download data from the cloud?
5. Cloud Supporting Infrastructure
   - Utilize ISO/IEC 27001 and SOC 2 / SOC 3 (Assurance Reports on Controls at a Third-Party Service Organization) trust services criteria: Security, Availability, Processing Integrity, Confidentiality, Privacy.
   - Will administrators have "access" to the virtual data?
6. Software as a Service (SaaS)
   - Examine the tools used for usage tracking and licensing.
   - Examine the accuracy of reporting.
   - Separation from other applications.
   - New risks may exist, as cloud computing can expand and shorten the SDLC cycle.


5. TERMS AND SCOPE OF ASSIGNMENT

Auditor's Terms & Scope

- How much security is enough?
- Who is responsible for data security?
- Criticality of the application being sent to the cloud.
- Control issues specific to the cloud service provider.
- Identify internal control and regulatory deficiencies that would affect the organization.
- Identify information security control concerns that could affect the reliability, accuracy and security of enterprise data due to weaknesses in the package solution offered by the vendor.
- Outsourcer's experience with SLA and vendor management.
- Review contractual compliance between the cloud service provider and the customer, i.e. the auditee.
- Cloud vendor's policy on vulnerability management: reporting, commitment to following up, promptly responding to reports, etc.
- Provide management with an assessment of the impact of implementing Wilson's On Cloud Solution, of security policy and procedures, and of their operating effectiveness.
- Information systems audit of all/any aspects of security policy, business continuity, environmental controls, physical access, logical access and application security.
- What is the impact on the auditor when the client uses a cloud ERP system, and how will data held at the cloud service provider be audited?
- Compliance with enterprise policies, procedures, standards and practices as relevant.
- Compliance with regulations as applicable.


6. LOGISTIC ARRANGEMENTS REQUIRED

- The auditor requires the following hardware, software (application and system), information, and system configuration documentation.

1. Hardware: The auditor (MAD & Associates) needs 7 laptops, 3 desktops, networking cables, data cables and power backup equipment for execution of the assignment. All hardware must be configured to be compatible with the software used.
2. Software (Application as well as System): Licensed software is to be installed on all desktops and laptops so as to work in the auditee's IT environment, with high-bandwidth internet connectivity.
3. Information: The information to be audited, which may be data in electronic form, audio, video, images, etc.
4. System Configuration Documents: System configuration documentation from the supplier or vendor of the hardware and software (and source code where available), so as to understand the technical details clearly.

- An Information Security Management System (ISMS) is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. The company (auditee) has obtained certification from an accredited certification body stating that it meets the objectives of ISO/IEC 27001. The aim is to provide confidence and assurance to clients and customers that it follows accepted best business practices.

- In order to obtain assurance that the data processed by the system is complete, valid and accurate and gives the desired results, computer assisted audit techniques (CAATs) shall be used. CAATs are computer-based tools that help in carrying out automated tests to evaluate an IT system or its data. They are very useful where a significant volume of auditee data is available in electronic format. CAATs provide a greater level of assurance than other techniques, especially manual testing methods.


- Use of CAAT tools (Computer Assisted Audit Techniques): The use of CAAT tools improves the audit process and helps in data extraction and analysis. The following techniques are used:

1. Generalized Audit Software (GAS): GAS is effective and efficient for IS audit. Tools such as ACL (Audit Command Language) or IDEA import a copy of the auditee's data and open it read-only, so the auditor cannot inadvertently change production data, and they provide record counts, control totals, sampling, duplicate and gap detection, and joins across files. (Note that the ACL audit tool is distinct from an access control list, which is the table in which the organization defines the access rights of each system user, such as read only, read and modify, approve, etc.)
2. Utility Programs: These programs perform common data processing functions such as sorting, creating and printing files. They do not contain audit-specific features such as automatic record counts or control totals, so their output has to be validated separately.
3. Test Data: The auditor uses a sample set of data to assess whether logic errors exist in a program and whether the program meets the organization's objectives. It provides information about internal controls and any weaknesses that exist.
4. Audit Expert System: In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls, and vulnerability testing.
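The migration flow described in the Background section (batch upload, approval by a second person, then reconciliation against the legacy system) and the record-count/control-total check that separates generalized audit software from a plain utility can be combined in one script. The following is an added example written for this report; it is not part of WOCS or of any auditor tool. Both CSV extracts are constructed inline, and the column names, the maker/checker fields and the control-total scheme are assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict
from decimal import Decimal

# Constructed legacy export (stand-alone package): one row per voucher line.
LEGACY_CSV = """voucher,ledger,debit,credit
V001,1001,1000.00,0.00
V001,4001,0.00,1000.00
V002,5002,250.50,0.00
V002,2001,0.00,250.50
V003,1001,75.00,0.00
V003,4001,0.00,75.00
"""

# Constructed ERP batch-upload log (assumed layout). Two defects are planted:
# V003's credit line never arrived, and V002 was loaded but not yet approved
# by a second user (maker-checker).
ERP_CSV = """voucher,ledger,debit,credit,maker,checker
V001,1001,1000.00,0.00,ajay,meera
V001,4001,0.00,1000.00,ajay,meera
V002,5002,250.50,0.00,ajay,
V002,2001,0.00,250.50,ajay,
V003,1001,75.00,0.00,ajay,meera
"""


def load(text):
    """Parse a CSV extract into a list of dicts; amounts stay as strings here."""
    return list(csv.DictReader(io.StringIO(text)))


def control_totals(rows):
    """Record count, debit/credit totals and a hash total over the key fields.

    A utility program (sort/print) gives none of these; generalized audit
    software computes them so two extracts can be compared as a whole.
    """
    digest = hashlib.sha256()
    for r in sorted(rows, key=lambda r: (r["voucher"], r["ledger"], r["debit"], r["credit"])):
        digest.update(f'{r["voucher"]}|{r["ledger"]}|{r["debit"]}|{r["credit"]}\n'.encode())
    return {
        "count": len(rows),
        "debit": sum(Decimal(r["debit"]) for r in rows),
        "credit": sum(Decimal(r["credit"]) for r in rows),
        "hash": digest.hexdigest(),
    }


def ledger_balances(rows):
    """Net (debit - credit) balance per ledger code."""
    balances = defaultdict(Decimal)
    for r in rows:
        balances[r["ledger"]] += Decimal(r["debit"]) - Decimal(r["credit"])
    return dict(balances)


def reconcile(legacy_rows, erp_rows):
    """Return the list of exceptions an auditor would raise; empty means clean."""
    findings = []
    lt, et = control_totals(legacy_rows), control_totals(erp_rows)
    if lt["count"] != et["count"]:
        findings.append(f'record count {lt["count"]} legacy vs {et["count"]} ERP')
    if (lt["debit"], lt["credit"]) != (et["debit"], et["credit"]):
        findings.append(f'control totals differ: legacy Dr {lt["debit"]} Cr {lt["credit"]}, '
                        f'ERP Dr {et["debit"]} Cr {et["credit"]}')
    elif lt["count"] == et["count"] and lt["hash"] != et["hash"]:
        # Same counts and totals but different content, e.g. a swapped ledger code.
        findings.append("hash total differs: same totals but different line content")
    lb, eb = ledger_balances(legacy_rows), ledger_balances(erp_rows)
    for ledger in sorted(set(lb) | set(eb)):
        if lb.get(ledger, Decimal(0)) != eb.get(ledger, Decimal(0)):
            findings.append(f'ledger {ledger}: legacy {lb.get(ledger, Decimal(0))} '
                            f'vs ERP {eb.get(ledger, Decimal(0))}')
    # Every voucher must balance in the ERP and be approved by someone other than its maker.
    by_voucher = defaultdict(list)
    for r in erp_rows:
        by_voucher[r["voucher"]].append(r)
    for voucher, lines in sorted(by_voucher.items()):
        if sum(Decimal(l["debit"]) - Decimal(l["credit"]) for l in lines) != 0:
            findings.append(f"voucher {voucher} does not balance in ERP")
        if any(not l["checker"] or l["checker"] == l["maker"] for l in lines):
            findings.append(f"voucher {voucher} not approved by an independent checker")
    return findings


if __name__ == "__main__":
    for finding in reconcile(load(LEGACY_CSV), load(ERP_CSV)):
        print("EXCEPTION:", finding)
```

Run against the constructed extracts it raises five exceptions: the record count, the credit control total, the net balance of ledger 4001, the unapproved voucher V002 and the unbalanced voucher V003. The hash total catches the case the arithmetic checks miss, where counts and totals agree but a line has been altered in a way that nets to zero.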


7. METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT

ISACA Cloud Computing Audit Program - Areas

- Planning and Scoping the Audit:
  - Define the audit/assurance objectives
  - Define the boundaries of review
  - Identify and document risks
  - Define the change process
  - Define assignment success
  - Define the audit/assurance resources required
  - Define deliverables
  - Communications

- Governing the Cloud:
  - Governance and Enterprise Risk Management (ERM)
  - Legal and Electronic Discovery
  - Compliance and Audit
  - Portability and Interoperability

- Operating in the Cloud:
  - Incident Response, Notifications
  - Application security
  - Data Security and integrity
  - Identity and Access management
  - Virtualization


- Audit Program under COBIT Framework (COBIT control objective, followed by the audit procedure):

1. Benefit Management (Acquire, Plan and Organize): Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts or industry analysts.

2. Supplier Contract Management (Acquire and Implement): Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts, etc.

3. Supplier Performance Monitoring (Deliver, Service and Support): Inspect supplier service reports to determine whether supplier performance is in alignment with the pre-defined SLAs and the supplier contract.

4. Identity Management (Deliver, Service and Support): Confirm that every user has a unique ID (no generic or shared IDs) and that access rights to the system follow the documented business process framework.

5. Network Security (Deliver, Service and Support): Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, switches and VPN gateways, are patched and updated regularly.

6. Information Exchange (Deliver, Service and Support): Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization.

7. Contract Compliance (Monitor and Evaluate): Review policies and procedures to ensure that contracts with third-party service providers comply with applicable laws, regulations and contract commitments.

8. Data Integrity (Deliver, Service and Support): Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, using authentication codes and encryption.

9. Governance:
   - Review organizational strategy and risk appetite, roles and responsibilities, insurance, and governance tasks.
   - Monitor usage of cloud services through vendor-provided dashboards or logging information available to the client.
   - Address issues promptly based on governance requirements and defined roles/responsibilities.

10. Data Management:
   - Perform a data flow and privacy assessment by reviewing the data throughout its life cycle. Is it vulnerable at any point?
   - Ask for an overview of the dedicated, single-tenant and shared (multi-tenant) cloud services provided by the CSP.
   - Review data transfer to the CSP.
   - Data segregation: Review shared environments for data segregation, logical separation and security in a multi-tenant environment, or utilize separate servers.
   - Data recovery: Review whether the CSP can do a complete restoration in the event of a disaster, or has data replication capabilities available to an alternate data location. Review where that alternate location is, in addition to its recoverability capabilities.

11. Data Environment:
   - Where are the data centers located? Can the CSP commit to specific privacy requirements?
   - Review the applications and operating systems utilized. Use a data life cycle approach regarding what is stored and where.
   - Obtain a description of how often infrastructure components such as hardware and software are updated.

12. Cyber Threat:
   - What are the patch and vulnerability management program practices? How does the CSP ensure these practices do not create a security risk for client infrastructure?
   - What is the vulnerability remediation process?
   - Review the security monitoring processes utilized by the CSP.

13. Infrastructure:
   - Are there established application-level reviews, a defined Software Development Life Cycle process, and change notification and release management?
   - Is there restricted and monitored access to assets at all times?
   - How is employee or third-party access to client data controlled?
   - Are staff background checks employed? How extensive are these background record reviews, and are they recurring?
   - Vulnerability management: Patch vulnerabilities in virtual machine templates and offline virtual machines.
   - Network management: Secure network traffic between distributed cloud components. Detection for defense against attacks originating from within the cloud environment.
   - Review the perimeter for exposure to distributed denial-of-service attacks against public-facing cloud interfaces.
   - System security: Review where there may be vulnerable end-user systems interacting with cloud-based applications.
   - Discuss how the CSP handles secure intra-host communications among multiple virtual machines.
   - Who controls the encryption keys? How are the encryption keys monitored? What are their storage and backup locations? Review encryption certifications, determine what they apply to, and test them.

14. Logs and Audit Trail:
   - How long are logs and audit trails kept?
   - How does the CSP provide for tamper-proofing of logs and audit trails?
   - Is there dedicated storage for logs and audit trails?
   - Can the CSP provide timely forensic investigations, e.g. eDiscovery and system analysis?

15. Availability:
   - The client should review Service Level Agreement (SLA) uptime tolerance levels and check for "additional subtractions" disclaimers against the stated level.
   - Does the CSP have resiliency (e.g. clustered systems, redundancy and failover capabilities), and does it test these abilities after changes or system updates?
   - Does the CSP test restores, and what actions require additional fees? Where are the backups located (e.g. on-site, off-site, replicated to another location)?
   - What file and directory versioning is available? Does the CSP have an incident response plan, and can the CSP describe it?
   - What measures are employed to guard against threats and errors, use of multiple CSPs, and denial of service (DoS) protection?
   - When do peaks in demand occur, and does the CSP have the capacity to handle such maximum load?
   - What service level guarantee does the CSP offer under Disaster Recovery/Business Continuity conditions?

16. Identity and Access Management:
   - Obtain information regarding authentication, restriction of access, and implementation of segregation of duties (SoD) for cloud provider staff.
   - Obtain a description of the physical security measures in place within the CSP data centers, including server areas and access to host/network systems.
   - Review the types of access available: single sign-on (SSO), authentication using the client's identity management software, or two-factor authentication.
   - Does the client have administrative privileges and controls, and over which system components, software and/or client users?

17. Encryption:
   - Understand the environment for the service boundary, including the connection points to and from the data, with encryption utilized for data in transit and data at rest, and the type of encryption.
   - Ensure that the CSP's TLS certificates are issued by an established Certificate Authority (CA) whose practices are audited annually by a licensed third-party auditor, e.g. under the AICPA/CPA Canada WebTrust for Certification Authorities criteria.
   - TLS (the successor to SSL, which is deprecated) should be version 1.2 or later, with a symmetric cipher of at least 128 bits (256 bits preferred) and a CA root key of at least 2048-bit RSA or an equivalent elliptic-curve key. Determine the protocol version and cipher suite actually negotiated, not just those advertised.
   - Is any encryption utilized for data at rest? For data in storage, how are encryption keys stored? Are data backups encrypted in transit and at rest? How are keys managed?

18. Privacy:
   - How are digital identities and credentials protected in cloud applications? What client data is stored and used, and what is its disposal process?
   - Under what conditions might third parties (including government agencies) have access to confidential data?
   - Is there a guarantee that third-party access to shared logs and resources will not reveal critical, sensitive information?

19. Regulatory Compliance:
   - What are the compliance requirements of the vendor or third party?
   - The provider should demonstrate that it meets financial viability requirements.
   - Review the vendor's commitment that it, and any third-party service it utilizes, will remain in such compliance.
   - Discuss the CSP's commitment to maintaining the described level of security compliance and the interval of conformity updates.

20. Legal:
   - Ensure that there is an engagement agreement covering: the right to audit and physically inspect; timely removal of data and its destruction; change control notifications; intellectual property; cloud staff hiring requirements; training, confidentiality, backups, outsourced services to other vendors, certifications and their maintenance renewal intervals. Ensure the provider guarantees storage of the organization's data in a particular location based on the contractual agreement.
   - What notification arrangements are in place for the cloud provider to notify the customer organization in the event of a suspected breach?
   - What forensic investigation tools and cloud provider staff training are in place for logging and preserving evidence of an alleged violation?
   - Agreed-upon recourse needs to be in place for security incidents, data breaches, or failure to meet SLAs.
   - Records management: Review the life cycle in terms of preservation, retention, eDiscovery and disposal policies based on organizational requirements.
   - Review rights to data by ensuring that the client organization is the data owner for all data and applications, including replicated copies, with the right to have all customer information deleted on instruction, promptly and with assurance documentation, as agreed between the client and the CSP.
   - Update the cloud contract over time to reflect operating changes.
   - Specify whether there are any additional fees for termination of services, delivery, or erasure of data.
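Items 4 and 16 of the audit program (unique, non-generic user IDs; segregation of duties; access rights per the documented process) are usually tested by pulling the ERP's user/role export and screening it mechanically rather than by interview alone. The script below is an added example written for this report, not WOCS functionality or any auditor's tool. The export layout, the role names, the toxic maker/checker pairs, the user records and the fixed review date are all constructed assumptions.

```python
import csv
import io
import re
from datetime import date

REVIEW_DATE = date(2020, 4, 30)            # constructed: date of the review
DORMANT_AFTER_DAYS = 90                    # assumed policy threshold
GENERIC_ID = re.compile(r"(^(admin|test|guest|temp|user)\d*$)|shared", re.I)
PRIVILEGED_ROLES = {"SYSADMIN", "SECURITY_ADMIN"}
# Assumed maker/checker role pairs that one person must not hold together.
TOXIC_PAIRS = [
    ("PO_CREATE", "PO_APPROVE"),
    ("VENDOR_MASTER_EDIT", "AP_PAYMENT_RELEASE"),
    ("JOURNAL_ENTRY", "JOURNAL_POST"),
]

# Constructed ERP user export; roles are ';'-separated.
USERS_CSV = """user_id,employee,roles,last_login,status
asharma,Anil Sharma,PO_CREATE;GL_VIEW,2020-04-28,active
rverma,Rita Verma,PO_CREATE;PO_APPROVE,2020-04-29,active
kmehta,Kiran Mehta,JOURNAL_ENTRY,2019-12-15,active
admin,,SYSADMIN,2020-04-30,active
finshared,,AP_PAYMENT_RELEASE,2020-04-27,active
ppatel,Priya Patel,VENDOR_MASTER_EDIT;AP_PAYMENT_RELEASE,2020-04-20,disabled
"""


def load_users(text):
    """Parse the export; roles become a set and last_login a date."""
    users = []
    for row in csv.DictReader(io.StringIO(text)):
        row["roles"] = set(filter(None, row["roles"].split(";")))
        row["last_login"] = date.fromisoformat(row["last_login"])
        users.append(row)
    return users


def review_access(users, today=REVIEW_DATE):
    """Screen an ERP user export; returns one list of exceptions per test."""
    out = {"generic": [], "sod": [], "dormant": [], "privileged": []}
    for u in users:
        uid = u["user_id"]
        # Item 4: every ID must map to one named person and must not be generic or shared.
        if not u["employee"].strip() or GENERIC_ID.search(uid):
            out["generic"].append(uid)
        if u["status"] != "active":
            continue                        # disabled accounts cannot act
        # Item 16: segregation of duties between maker and checker roles.
        for maker, checker in TOXIC_PAIRS:
            if {maker, checker} <= u["roles"]:
                out["sod"].append((uid, maker, checker))
        # Audit trail: active accounts with no recent login need justification.
        if (today - u["last_login"]).days > DORMANT_AFTER_DAYS:
            out["dormant"].append(uid)
        # Privileged accounts are listed for individual review.
        if u["roles"] & PRIVILEGED_ROLES:
            out["privileged"].append(uid)
    return out


if __name__ == "__main__":
    for test, hits in review_access(load_users(USERS_CSV)).items():
        print(f"{test:10s} {hits}")
```

On the constructed export the run flags two generic accounts (`admin`, `finshared`), one segregation-of-duties conflict (`rverma` can both raise and approve purchase orders), one dormant account and one privileged account. The disabled `ppatel` account carries a toxic pair too but is skipped, which is deliberate: a disabled account cannot act, though the auditor should still confirm it is not re-enabled without the roles being split.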
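Item 14 asks how the CSP tamper-proofs logs and audit trails. One common mechanism is a hash chain: each record carries a MAC over its own content and the previous record's MAC, so editing, reordering or deleting a record breaks every MAC after it. The following is an added example written for this report, not WOCS's logging; the event fields and the key are constructed. A real deployment would keep the key in an HSM or KMS and publish the latest MAC somewhere the log writer cannot alter (the "dedicated storage" the same item asks about), because a chain on its own cannot detect truncation of the most recent records.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64   # prev-MAC value for the first record


def _body(seq, event, prev):
    # Canonical encoding so writer and verifier MAC identical bytes.
    return json.dumps({"seq": seq, "event": event, "prev": prev},
                      sort_keys=True, separators=(",", ":")).encode()


class ChainedLog:
    """Append-only audit log where record i is bound to record i-1 by an HMAC."""

    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = hmac.new(self._key, _body(seq, event, prev), hashlib.sha256).hexdigest()
        self.entries.append({"seq": seq, "event": event, "prev": prev, "mac": mac})
        return mac

    def anchor(self):
        """Latest MAC; publish it out-of-band so truncation becomes detectable."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_chain(entries, key, anchor=None):
    """Return (ok, index): index is the first bad record, or -1 when ok.

    Detects modified, reordered and deleted records. With `anchor` (a MAC
    obtained independently of the log store) it also detects truncation.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i
        expected = hmac.new(key, _body(e["seq"], e["event"], e["prev"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            return False, i
        prev = e["mac"]
    if anchor is not None and prev != anchor:
        return False, len(entries)
    return True, -1


if __name__ == "__main__":
    key = b"constructed-demo-key"
    log = ChainedLog(key)
    for ev in ({"user": "ajay", "action": "login"},
               {"user": "meera", "action": "approve", "voucher": "V002"},
               {"user": "ajay", "action": "logout"}):
        log.append(ev)
    print("intact:", verify_chain(log.entries, key))
    edited = [dict(e) for e in log.entries]
    edited[1] = dict(edited[1], event=dict(edited[1]["event"], voucher="V999"))
    print("edited record 1:", verify_chain(edited, key))
    print("truncated, checked against anchor:",
          verify_chain(log.entries[:2], key, log.anchor()))
```

The verifier reports the index of the first record that fails, which is what an investigator wants: everything before it is still trustworthy. Note the last check in the demo: dropping the newest record leaves a chain that verifies cleanly unless the published anchor is supplied, which is why the anchor has to live outside the CSP's log store.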


8. DOCUMENTS REVIEWED

We have reviewed the following documents during execution of this assignment, for identifying controls and weaknesses thereof.

- User manuals and technical manuals relating to the system software and ERP.
- Organization chart outlining the organization hierarchy and job responsibilities.
- Circulars and guidelines issued to employees.
- User manuals and documentation relating to the ERP implementation by ABC Infrastructure Ltd.
- Security policy documents relating to the system.
- Any other documentation identified by us as required for the assignment.
- The SLA: the auditor has read and understood all its terms and conditions. Any term that is harmful to the company has been discussed with management in order to secure stakeholders' interests.
- Audit findings documents.


9. REFERENCES

- Best practices relating to internationally accepted standards for IS audit: COBIT (Control Objectives for Information and Related Technology, issued by the Information Systems Audit and Control Association, USA), the COSO framework, etc.
- Information Systems Audit and Control Association (ISACA): IS Auditing Guidelines.
- Information Systems Audit 2.0 Course, Volume I, Module 1, Chapter 3, Part 1: Cloud and Mobile Computing.
- Information Systems Audit 2.0 Course, Volume I, Module 2, Chapter 2: IS Audit in Phases.
- ISACA Cloud Computing Audit Program and CAAT tools.
- ISO/IEC 27001.
- Deloitte (2010); Heiser (2015); Lehigh (2016); O'Hanley & Tiller (2013).


10. DELIVERABLES

The following table summarizes the review areas, the relevant findings, the auditor's suggestions and the risk rating assigned to each.

S. No. | Auditor's Findings | Auditor's Recommendation / Suggestions | Risk Rating

1. Technology Selection
   Finding: Before moving to the cloud, the organization (auditee) did not perform a cost-benefit analysis.
   Recommendation: NIL
   Risk Rating: Low

2. Physical Access Control
   Finding: Access to data should be allowed to authorized persons only, since the data may be sensitive to its stakeholders.
   Recommendation: The organization should deploy biometric access devices so that an access history is retained; adopt a maker and checker rule; use the audit trail to check who accessed the data previously and what each user did; and enforce a clean desk policy to secure sensitive data held in paper form.
   Risk Rating: Medium

3. Login Access Control
   Finding: In this scenario every user has a unique login, and users can access only the data for which they have been permitted to transact.
   Recommendation: This control prevents unauthorized access to data: no unauthorized user can approve or authenticate data. Examples are login ID and password, network monitoring and access control.
   Risk Rating: Medium

4. Audit Trail
   Finding: In this scenario we can identify who last logged in, each user's activity and the time spent by previous users.
   Recommendation: With this control, users work within the rights assigned to them, which maintains data security and integrity; if anybody attempts to work beyond his or her rights, the attempt is traceable, and personal accountability of each user is established.
   Risk Rating: Medium

5. Firewall
   Finding: Any data entering or leaving the organization boundary is filtered by the firewall system. The hardened system on which the firewall is installed is called a bastion host.
   Recommendation: The firewall acts as a security barrier between the public and the private network and checks each data packet entering the private network from the outside world against the access rules configured for it. The organization should deploy all the firewall types, namely proxy server, network-level (packet filtering), application-level and stateful inspection.
   Risk Rating: Medium

6. System Backup
   Finding: When backups of the system and data are taken together, they are called a total system backup.
   Recommendation: The organization should have a proper backup plan specifying the type of backup to be kept, the frequency of backups, the location where backups are stored, etc. The following backup types may be selected: full backup, incremental backup, differential backup, mirror backup.
   Risk Rating: Medium

7. Service Level Agreement
   Finding: Terms and conditions harmful to the auditee organization, such as blackout periods and disruption in service.
   Recommendation: The organization and the CSP should meet to resolve such conflicts, and the CSP should inform the organization of the alternate sites from which service will be provided in case of an emergency failure of the main site.
   Risk Rating: Medium

8. Data Privacy and Confidentiality
   Finding: Access to customer data must be restricted to the respective organization and its authorized personnel, and the data must not be shared with other organizations or other personnel.
   Recommendation: The organization should establish a policy that maintains data privacy with respect to other service receivers of the same cloud service provider.
   Risk Rating: High

9. Natural Disaster Events
   Finding: The organization should consider natural events such as earthquake, tsunami, flood, fire, etc.
   Recommendation: The organization should have one additional BCP site with complete IT infrastructure, so that in case of a natural disaster normal business functions continue without disruption.
   Risk Rating: High

10. Alternate Processing Facility Arrangements
   Finding: Arrangements for an alternate processing facility.
   Recommendation: Security administrators shall have one of the following arrangements with the cloud service provider for an alternate processing facility: cold site, hot site, warm site or reciprocal agreement. Further, the contract must include:
   • how soon the site will be made available subsequent to a disaster;
   • the number of organizations that will be allowed to use the site concurrently in the event of a disaster;
   • the priority to be given to concurrent users of the site in the event of a common disaster;
   • what controls will be in place and working at the off-site facility.
   Risk Rating: High
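
Rows 2 to 4 above recommend a maker and checker rule and the use of the audit trail to establish who last logged in, what each user did, how long they were logged in, and whether anyone worked beyond the rights assigned to them. The following Python script, added here as an illustration and not part of the audit report or of the auditee's ERP, shows how such a review can be carried out over an exported audit trail. The pipe-delimited log format, the user names, the purchase-order actions and the role-to-permission matrix are all constructed assumptions; a real ERP export would need its own parser, but the checks themselves are the same.

```python
"""Audit-trail review over a constructed ERP log.

Constructed sample: the log format, user names, roles and actions are
assumptions for illustration, not the auditee's real ERP output.
Each line is: ISO timestamp | user | event | detail
"""
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
2020-03-02T09:00:00|asha|LOGIN|
2020-03-02T09:05:12|asha|CREATE_PO|PO-1001
2020-03-02T09:07:40|asha|APPROVE_PO|PO-1001
2020-03-02T09:30:00|asha|LOGOUT|
2020-03-02T10:00:00|ravi|LOGIN|
2020-03-02T10:02:00|ravi|VIEW_PAYROLL|EMP-77
2020-03-02T10:45:00|ravi|LOGOUT|
2020-03-02T11:00:00|asha|LOGIN|
2020-03-02T11:20:00|asha|CREATE_PO|PO-1002
2020-03-02T11:25:00|asha|LOGOUT|
2020-03-02T13:00:00|meena|LOGIN|
2020-03-02T13:10:00|meena|APPROVE_PO|PO-1002
2020-03-02T13:15:00|meena|LOGOUT|
"""

# Assumed role-to-permission matrix (constructed). Any event not listed
# here is outside the user's assigned rights and must surface in the review.
PERMISSIONS = {
    "asha": {"CREATE_PO"},      # maker
    "meena": {"APPROVE_PO"},    # checker
    "ravi": {"VIEW_INVOICE"},   # has no payroll access
}
ALWAYS_ALLOWED = {"LOGIN", "LOGOUT"}


def parse_log(text):
    """Turn raw lines into (timestamp, user, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), user, event, detail))
    return events


def last_login(events):
    """Who last logged in, and when: the most recent LOGIN per user."""
    seen = {}
    for ts, user, event, _ in events:
        if event == "LOGIN":
            seen[user] = max(ts, seen.get(user, ts))
    return seen


def session_seconds(events):
    """Total time spent per user, summing each LOGIN..LOGOUT pair."""
    open_since, totals = {}, defaultdict(int)
    for ts, user, event, _ in events:
        if event == "LOGIN":
            open_since[user] = ts
        elif event == "LOGOUT" and user in open_since:
            totals[user] += int((ts - open_since.pop(user)).total_seconds())
    return dict(totals)


def beyond_assigned_rights(events, permissions):
    """Actions a user performed that their assigned rights do not permit."""
    findings = []
    for ts, user, event, detail in events:
        if event in ALWAYS_ALLOWED:
            continue
        if event not in permissions.get(user, set()):
            findings.append((user, event, detail, ts.isoformat()))
    return findings


def maker_checker_breaches(events):
    """Documents created and approved by the same user (no segregation)."""
    makers, breaches = {}, []
    for _, user, event, detail in events:
        if event == "CREATE_PO":
            makers[detail] = user
        elif event == "APPROVE_PO" and makers.get(detail) == user:
            breaches.append((detail, user))
    return breaches


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    time_spent = session_seconds(ev)
    for user, ts in last_login(ev).items():
        print(f"{user}: last login {ts}, {time_spent.get(user, 0)} s logged in")
    for finding in beyond_assigned_rights(ev, PERMISSIONS):
        print("beyond assigned rights:", finding)
    for doc, user in maker_checker_breaches(ev):
        print(f"maker/checker breach: {doc} created and approved by {user}")
```

Run against the constructed sample, the script reports asha's self-approval of PO-1001 as a maker/checker breach and ravi's payroll view as an action outside his assigned rights, while meena's approval of PO-1002 passes because a different user created it. In practice the permission matrix should be pulled from the ERP's role definitions rather than typed in by hand, so that the review tests the rights actually granted.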

Implication of High, Medium and Low:-

High:- The issue represents a finding that exposes the organization to significant risk and requires immediate resolution.
Medium:- The issue represents a finding that exposes the organization to risk that requires resolution in the near future.
Low:- The issue represents a finding which does not require action from the organization.


11. FORMAT OF REPORT/FINDINGS AND RECOMMENDATIONS

As set out in Point No. 10 above.


12. SUMMARY/CONCLUSION

Cloud computing is increasingly assuming a prominent and leading role in businesses for the purpose of operational efficiency and cost reduction. In spite of the numerous benefits, users remain anxious about data protection and about dependency on the CSP for business continuity. As per the discussion held with the management, the BOD of the company has initiated corrective steps to address the high-implication findings observed in the audit, and for those with medium implication the BOD will take corrective action as soon as possible. Since the company has only recently migrated to a cloud-based ERP system, it will initially be difficult for the organization as a whole to adapt fully to the new technological environment. However, the management is optimistic about future guidance with respect to the adoption of technological changes and their impact on the organization.
