
IS AUDIT REPORT ON OUTSOURCING OF IT OPERATIONS BY

DELTA LIMITED



PROJECT REPORT

EVALUATION OF OUTSOURCING
OF IT OPERATIONS

By:-
CA Sukanya Tambole
CA Surbhi Lunia
CA Rashika Jain


PREPARED BY

RSS & ASSOCIATES


CHARTERED ACCOUNTANTS
RAIPUR, CHHATTISGARH – 492 001

COMPANY NAME

DELTA LIMITED
A-36, BAJIRAO ROAD
PUNE, MAHARASHTRA – 411002


CERTIFICATE

Project Report of DISA 2.0 Course


This is to certify that we have successfully completed the DISA 2.0 Course training conducted at
RAIPUR BRANCH OF CIRC OF ICAI, from 10th August, 2019 to 14th September, 2019 and we have
the required attendance. We are submitting the Project titled:

Evaluation of Outsourcing of IT Operations

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

S. NO.  NAME                  DISA NO.  MEMBERSHIP NO.  SIGNATURE
1.      CA SUKANYA TAMBOLE    60464     436245
2.      CA SURBHI LUNIA       60450     443397
3.      CA RASHIKA JAIN       60443     442728

Place : Raipur
Date : 21/09/2019


Table Of Contents

Contents
Details of Case Study/Project (Problem)
Project Report (solution)
1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion


Introduction

About Auditee FIRM

Delta Limited is one of the leading management solution service providers. Amid
growing competition, Delta Limited has been facing economic pressures
due to the downturn, which has resulted in a reduction in turnover and profits.
The management has decided to cut the IT outlays and is exploring
outsourcing of IT operations using the cloud computing model. However, the
CIO is concerned about key issues which need to be resolved while selecting
the right vendor, one who has a good reputation in the market and to whom
requirements and performance parameters can be made clear up front.
Outsourcing firms can bring with them a sound knowledge of industry
processes, tools and technologies. Use of such best industry practices
will enhance operational efficiency for Delta Limited, which in turn will
increase its productivity.
The Company has its Registered Office situated at Pune.

The regular enhancement of technology has increased the intensity of
competition between organizations whose operations or core competence is
based on information technology.

Consequently, this has forced them to decide whether to outsource or in-source in
order to survive amid such growing competition in society.


About Audit Firm

RSS & Associates (Chartered Accountants), 03, Walfort Ozone, Raipur,
Chhattisgarh, is a partnership firm of Chartered Accountants and comprises 9
partners. RSS & Associates was established in 1998 with 3 partners: CA.
Rashika Jain, CA. Surbhi Lunia and CA. Sukanya Tambole. The firm has its head
office at Raipur and two branch offices at Bhilai and Bilaspur. The team
comprises 18 articles and 7 paid assistants.

The firm has qualified audit personnel. The firm also has domain experts
available as and when required. The firm has been involved in providing IS
assurance services for all sectors in India and abroad. The clients of the firm
include IT companies, stock brokers, banks and public sector companies.

Experience of the Firm: The firm works in the field of various
types of IS assurance services. The firm was established in February 1998.
We are a partnership concern with more than 20 years of experience. We
provide high-quality business support services in the fields of taxation,
information system auditing, information system development, and
consultancy and other advisory services. The firm has a team consisting of
DISA professionals, CISA professionals and IT professionals. The firm is capable of
handling big and complex assurance services related to IS audits,
physical access controls and logical access controls, in India and abroad.

We have been appointed by Delta Ltd. as IS Auditor for conducting the review.
The purpose of this review is to describe and analyze the reasons for IT
outsourcing, the factors to consider before outsourcing, how to manage a
successful IT outsourcing, and the impact of IT outsourcing on Delta Limited,
which consists of the advantages (benefits) and disadvantages (risks) of IT
outsourcing.


Auditee Environment

Delta Limited has been using information technology as a key enabler for
facilitating its business processes and enhancing services to its customers. Delta
Limited serves more than 1,500 corporate clients including around 30
Fortune 500 Corporations. There are reasons for outsourcing IT
operations to service providers, including expertise, cost reduction, capacity
management and risk management; however, user entity management
retains responsibility for the control activities and operational results.

ORGANISATION STRUCTURE:

[Organisation chart; the boxes recoverable from the figure are listed below.]

PRESIDENT

VICE PRESIDENT
1. Project
2. Administration
3. General Management
4. Finance

EXECUTIVE ASSISTANT

OPERATION HEADS
1. HR
2. Systems & processes
3. Staff management
4. Design

TECHNICAL SPECIALISTS
1. Databases
2. Web research
3. Web projects
4. Content management

MANAGERS OF EACH DEPARTMENTS AND ITS EMPLOYEES
billing, legal, scheduling, Finance, security etc.


BACKGROUND

As discussed in the foregoing paragraphs, there is a growing need for
organizations to interact and integrate with their customers, suppliers and
business partners in order to gain competitive advantage. Achieving this
interaction and integration without losing sight of the core competence of the
organization is very difficult. Information technology outsourcing is considered
one of the viable ways for firms to save cost, provide service quality, reduce
lagging IT performance in order to keep pace with IT trends, and access
appropriate skills while allowing the organization to concentrate on the core
competence of the business. The model the company is thinking of adopting is
stated below.

GENERAL OUTSOURCING MODEL TO IDENTIFY THE COMPONENTS INVOLVED IN OUTSOURCING.


SITUATION

IT outsourcing has a lot of benefits, but first Delta Limited has to
consider a number of things, such as why to outsource in the first place and
what is involved in managing a successful IT outsourcing. Furthermore, it
needs to evaluate and identify the strengths, weaknesses and basic
needs of its IT department in comparison to the strategic benefits it can
achieve through outsourcing.
A few points to be considered before adopting IT outsourcing are stated below:
• There is a need for an organization to evaluate its current processes or
needs from a fresh perspective in order to decide what to outsource and
what not to outsource.

• Finding a suitable service provider is a time-consuming, complex process
and requires a thorough knowledge of the vendor landscape, including
capabilities, delivery processes, quality of work, and ability to innovate.

• Seven stages are often experienced while outsourcing IT operations:

1. Strategic fit and sourcing evaluation.
2. Decision-making process and business case.
3. Tender process and contracting.
4. Implementation and transition.
5. Monitoring and reporting.
6. Renegotiation.
7. Reversibility.

After gaining an understanding of the needs of Delta Limited, it was concluded
that an independent review was to be conducted for exploring outsourcing of
IT operations using the cloud computing model, to ensure delivery of current
and future services and increase employee productivity.


TERMS AND SCOPE OF ASSIGNMENT

In terms of our engagement letter dated , the scope of the project was to
review the following:-

1. To understand the organization, current business processes, the
technology used in the organization and personnel utilization.

2. To consider the cost and utilization of the existing resources and
proposed IT outsourcing and assess the business value.

3. To assess the risks of IT outsourcing and provide appropriate
recommendations to mitigate risks as required.

4. To review and facilitate outsourcing by selecting the right services/vendors
considering cost benefit analysis and relevant risks.

5. To provide independent assurance regarding the security of the IS
assets installed.

6. To provide independent assurance regarding the access controls to
intellectual property.

7. To provide an independent opinion regarding the processes and methods
that prevent unauthorised access, mishandling and damage to any of the
assets.

8. To validate the processes and methods against available norms and
standards wherever applicable.


LOGISTICS ARRANGEMENT REQUIRED

With the help of computer aided audit tools and techniques (CAAT), an
IS audit becomes more scientific and meaningful. There are five basic
approaches, as under, for testing the application controls using CAAT.

1. Test Data Method

2. Base Case System Evaluation

3. Tracing

4. Integrated Test Facility

The key tasks of our assignment are highlighted below:

• Interviews with business leaders to understand key strategic
business.
• Use of Internal Control Questionnaires (ICQs)
developed leveraging COSO and COBIT
frameworks.
• Business process owners completed the ICQs.
• Team conducted process walkthrough
exercises with each business process owner
vis-a-vis policies and SOPs.
• Risk assessment was completed through a combination of
the following:
  • Brainstorming with senior management for review of
  organisation risks


METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT

Methodology
The primary objective of the assignment is to provide assurance to
DELTA LIMITED that the intellectual property is adequately secured,
and on the methods adopted by Delta Limited to safeguard against unauthorised
access and mishandling of any assets. Further, the objective includes
checking the adequacy of the Disaster Recovery Plan and procedures.

• Identified cloud services and model as appropriate for Delta Ltd.

• Identified cloud service providers who provide the required solution.

• Identified appropriate vendors based on cost and quality of service.

• To perform risk assessment of each of the vendors considering
quality and cost of service.

• Identify best practices to be used for the assignment.

• Identify the migration strategy for outsourcing.

• Obtain understanding of IT resources and assets.

• Obtain understanding of control systems and procedures.

• Identification and documentation of IT related circulars,
organisation structure and information architecture.

• Application of COBIT and ITAF for formulating IT best practices for
the policy and procedures related to security of intellectual
property.

• Formulation of draft report on our findings.

• Presentation of final report with agreed action plan based on the
feedback of management of Delta Limited.

The IS audit work includes the following IT Audit cycle:

1. Information Gathering
2. Review prior audit observation
3. Analysis of Risk Assessment
4. Develop IT Audit Plan
5. Perform IT Audit Plan
6. Customer Satisfaction Evaluation


The model proposed here is presented through the framework of the Figure.
The steps of this model should be followed so as to obtain an evaluation of
IT/IS outsourcing projects and then to choose the one that would be best for
the enterprise to invest in.


IS AUDIT ASSIGNMENT

Following is the diagrammatic representation of steps
performed during an IS Audit Assignment:-

Organize & Plan
• Meet with management and understand the business
• Perform risk assessment procedures and identify risks
• Prepare an audit planning memorandum and audit programs

Control Assessment
• Understand accounting and reporting activities
• Evaluate, Design and Implementation of Controls
• Assess Control risk

Issue report
• Perform Overall Evaluation
• Form an Audit Opinion
• Issue a Management Letter


DOCUMENTS REVIEWED

List of documents reviewed during the process of audit. This
includes internal as well as external documentary evidence
obtained:-

• Organization Structure Diagram.

• List of hardware, software and application
software currently used by the client.

• Service Offer Agreement.

• Details of services to be offered.

• Audit report of the vendors to know the financial
stability of the vendor.

• Certificate from the vendor of having a
secured environment for providing services.

• Feasibility Study report.

• Internal Control & Policies adopted.

• IT department’s recommendations for accepting the
proposal.


REFERENCES

Our audit was planned and performed in accordance with the
following Information Technology / Information Systems
standards for audit, governance and security:-

• Information Technology Audit and Assurance
Standards and Guidelines issued by the Information
Systems Audit and Control Association (ISACA);

• ISO 27000 family of standards dealing with
Information Security Management issued by the
International Organization for Standardization (ISO)
and the International Electrotechnical Commission
(IEC);

• Technical Guide to Information System Audit;

• Control Objectives for Information and related
Technology (COBIT) issued by the IT Governance
Institute.

These standards enabled us to provide the best decision for the company
and widely accepted best practices within the IT sector.


DELIVERABLES

Audit Report on Identified Controls

This audit report is for the management of “DELTA LIMITED”
regarding its outsourcing of IT operations. It wants
reasonable assurance from us that the identified controls, as
relevant, are in place, and further that the Disaster Recovery and
Business Continuity Plans are adequate to meet any such
situation.

1. Background:

The auditee, i.e. Delta Limited, is ensuring the availability, performance
and recovery of business-critical applications through outsourcing of
its IT operations.

Delta Limited has supplied its IT infrastructure for these
services and has also recruited the required personnel.
Delta Limited wants independent assurance on the security
and usage of the technology, as also on the protection of the IPR of
Delta Limited.


2. Objective & Scope of Audit

OBJECTIVES

The objectives of the IS assurance service desired by
Delta Limited were as follows:-

• Review the processes and methods so as to provide
assurance that there are adequate and
appropriate safeguards and procedures that prevent
unauthorized access, mishandling and damage to any
of the assets;

• Review whether all the facilities provided are being
used for the purposes of operations by personnel
authorised or assigned;

• Validate the processes and methods against available
norms and standards wherever available;

• Review the adequacy of the Disaster Recovery Plan so as
to create awareness of any potential losses that might
occur due to non-availability of a Disaster Recovery Plan;

• Review of key business objectives, key points and risk
considerations;

• Review of vendor contracts and SLAs with service
providers.


SCOPE OF AUDIT

An independent review is to be conducted on the processes and
methods so as to provide assurance that there are adequate
and appropriate safeguards and procedures that prevent
unauthorized access, mishandling and damage to any of the
assets, and that all the facilities provided are being used for
business purposes.

Standards Referred

While conducting the audit of evaluation of IT operations of Delta
Limited, we referred to the following standards:
a. COBIT 5
b. ITAF
c. Standards of Auditing issued by ICAI

Non-compliance with the IT Act, 2000 can bring financial liabilities to the
company and may even land the CEO or a Director in jail [refer S(85)
of IT Act, 2000]. It is also necessary for the organization to understand
that even if any of its employees contravene the provisions of the Act
including committing of such personal offences.


REPORT/FINDINGS AND RECOMMENDATION

A. Findings related to Physical Access controls

i) Temporary passes are also used to grant access to
employees whose cards are to be received from the
manufacturer after capture of relevant details.

ii) The door for the first floor lab does not automatically lock
itself after it has been opened. If a user is not careful in ensuring
the door is locked after he/she enters or leaves the lab, there
could be opportunities for unauthorised users to enter the lab
without using the keypad device.

B. Findings related to Logical Access controls

i) For all users who work on a common project and require a similar
set of permissions for testing the software, no individual logins
have been created.

ii) The users are classified into various groups for each of the
projects they work on. Based on this grouping, the users create a
group login at the root level in the OS.


RECOMMENDATIONS

We recommend the following corrective measures to the management
in order to have reasonable assurance regarding relevant controls
and disaster recovery.

Physical Access controls

1. The facility of temporary cards should be disallowed entirely. It should
not be used at all, since such temporary cards, when used, create the same
danger to the facilities as if no cards were used. To maintain a high
level of confidentiality and secure intellectual property, this process
should be discontinued.

2. The door at the first floor lab needs to be taken care of, since
unidentified personnel could enter if the employees at the lab don’t
take proper care to close it once they enter. It should automatically
be locked once a person enters.

Logical Access controls

1. For users who work on a similar nature of project, a different set of
permissions and rights must be given as per their role in a particular
project. Not all rights should be given to everyone, and individual
logins should be created in order to identify the person in case any
malpractice has been carried out by any individual. That will discourage
malpractice, as a person will be afraid of individual identification.

2. Group logins should be avoided. Individual logins should be a must at
all levels. Only the leader should be able to see what the group is doing, not
others, to maintain data secrecy at higher levels.
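
An added example (not part of the audit report) of how an auditor could test for the two logical access findings above: project logins created at root level, and one login shared by several people. It assumes a Unix-like OS with accounts in /etc/passwd format; the account names, hosts and session records are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in /etc/passwd format (not data from the audited company).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
projalpha:x:0:0:Project Alpha team:/home/projalpha:/bin/bash
projbeta:x:0:0:Project Beta team:/home/projbeta:/bin/bash
asharma:x:1001:1001:A Sharma:/home/asharma:/bin/bash
svc_backup:x:998:998::/var/lib/backup:/usr/sbin/nologin
"""

# Constructed session records: account, source host, login time, logout time.
SESSIONS = """\
projalpha 10.0.4.11 2019-09-02T09:05 2019-09-02T12:40
projalpha 10.0.4.27 2019-09-02T10:15 2019-09-02T11:00
projbeta 10.0.4.30 2019-09-02T09:00 2019-09-02T10:00
projbeta 10.0.4.30 2019-09-02T14:00 2019-09-02T15:00
asharma 10.0.4.11 2019-09-02T13:00 2019-09-02T17:30
"""

def parse_passwd(text):
    """Return (name, uid, shell) for every well-formed passwd line."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # skip comments, blank and malformed lines
        entries.append((fields[0], int(fields[2]), fields[6]))
    return entries

def root_level_logins(entries):
    """Interactive accounts other than 'root' that carry UID 0."""
    no_login = ("nologin", "false")
    return sorted(name for name, uid, shell in entries
                  if uid == 0 and name != "root" and not shell.endswith(no_login))

def shared_use(text):
    """Accounts with overlapping sessions from different hosts,
    a sign that more than one person is using the same login."""
    by_account = defaultdict(list)
    for line in text.splitlines():
        account, host, start, end = line.split()
        by_account[account].append(
            (datetime.fromisoformat(start), datetime.fromisoformat(end), host))
    flagged = set()
    for account, sessions in by_account.items():
        sessions.sort()  # by login time
        for i, (s1, e1, h1) in enumerate(sessions):
            for s2, e2, h2 in sessions[i + 1:]:
                if s2 < e1 and h1 != h2:  # second login starts before first ends
                    flagged.add(account)
    return sorted(flagged)

if __name__ == "__main__":
    entries = parse_passwd(PASSWD)
    print("UID 0 logins besides root:", root_level_logins(entries))
    print("Logins used from two hosts at once:", shared_use(SESSIONS))
```

Both lists should be empty once individual logins with role-based rights replace the group logins.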


SUMMARY AND CONCLUSIONS

Based on the scope and objective of our audit as discussed earlier in this
report, and subject to our findings and recommendations discussed
earlier, we would like to conclude as under:-

• That the intellectual property, including assets and access to such
assets (hardware, software, manuals, media etc.) used at the are
adequately secured (physically and logically) from unauthorised
and inappropriate use through adequate and appropriate
physical, environmental and logical access controls, except for a few
findings which are discussed earlier, which too can be removed
by the management by implementing some additional controls.

• That the processes and methods in place to avoid unauthorised access,
mishandling and damage to assets are adequate and
appropriate, subject to our findings.

• That the available norms and standards were properly
implemented and followed.

• That the current Disaster Recovery Plan will not allow the
company to work seamlessly during the occurrence of any disaster.
This plan needs proper rethinking and revision.
