CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training conducted at
Nasik Branch of WIRC from 11/01/2020 to 16/02/2020 and we have the required attendance. We
are submitting the Project titled Evaluation of Outsourcing of IT Operations.
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We
also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.
Abhishek Kshatriya
1 188908 61769
(Head)
Place: Nashik
Date: ……….
PROJECT REPORT
TITLE: EVALUATION OF OUTSOURCING OF IT OPERATIONS
Tara Jewels Ltd has been facing economic pressures due to the downturn, which
has resulted in a reduction in turnover and profits. To overcome this scenario,
the management has decided to cut the IT outlays and is exploring outsourcing of
IT operations by the use of the cloud computing model. The management is concerned
about selecting the right vendor for such outsourcing, considering the cost benefit
analysis. The basic objective of the management is to ensure the
delivery of current and future services and to enhance the productivity of the
employees. They are also concerned about the risk of outsourcing IT operations and
want an independent assurance on the prospective IT outsourcing.
1.1 Auditee:
Organization chart: CEO; Chief Financial Officer (CFO), Chief Information Officer (CIO), Chief IT Officer (CTO), Chief Compliance Officer (CCO); functions shown: HR, Marketing, Production, Sales, Income Tax, GST, MCA.
Tara Jewels Limited uses a software as which is exclusively used for their company.
The hardware consists of laptops, servers with the Windows operating system, printers,
scanners and all the network connecting devices. All the systems of zones, regions
and outlay points are connected via Wide Area Network (WAN).
a. For data processing and its storage, company itself has maintained servers.
b. The company purchases laptops given to various staff members as per their
designation and need and all the maintenance carried out internally.
c. Backup taken once in a week and stored on separate backup servers at alternate
location.
d. CIO gives access to information according to designation with authorization of
CEO.
e. System administrator is responsible for system user logs.
f. All the Purchased software kept in the custody of CIO and access allowed only
on the approval of user department’s head.
g. Information and Technology policies are framed for users. They are advised to go
through them.
ARN & Associates is a well-trained and highly qualified team of technical and
system auditors comprising of three partners namely;
BACKGROUND
Tara Jewels Limited has been facing economic pressure due to the downturn; this
has led to a reduction in turnover and profit of the company. This has happened due to
the Government decision to stop the production and sales of BS-III engine vehicles to
control air pollution. They mandatorily have to switch over to BS-IV vehicle
production as per the compliances and industry need, though their BS-III vehicles
were not so much air polluting.
Tara Jewels Limited has a wide network over the country through its zonal and
regional offices, and minimization of cost and optimization of
benefits is a must for an automobile company. An automobile sector company needs
to adhere closely to aggressive technology development and comply with the
changing and challenging global regulations in a timely and perfect manner. The
cost and security requirements are the most important drivers of the automobile industry.
The company had the best infrastructure for production of BS-III bikes and it is not
feasible to start their production house of BS-IV bikes along with the IT services that
are required for compliances of their day-to-day operations. Considering all these
facts, the management has decided to outsource its IT services.
SCENARIO
The senior decision making management of Tara Jewels Limited has decided to
outsource their IT operations using the cloud-computing model. Managing IT
infrastructure might not be a core competence of a company. This is a constant
challenge faced by Tara Jewels Limited.
The basic and prime objective of company behind this is to increase the
productivity of employee. They require an independent assurance on the proposed
IT outsourcing. In this, the management is concerned about the various aspects
which are to be taken into consideration while selecting and finalizing the vendors
for proposed outsourcing.
SCOPE OF ASSIGNMENT
The scope of the audit addresses the adequacy of controls designed to manage
internal and external risks related to outsourcing of the IT services to the
organization and the service provider environment in a steady state.
LOGISTIC REQUIREMENT
Audit Strategy:
To understand the business processes and review how those are mapped in
information systems by tracing the modules with top down approach.
e. Identify cloud services and model as appropriate for Tara Jewels Ltd.
f. Identify cloud service providers who provide required solution.
g. Identify appropriate vendors based on cost and quality of service.
DOCUMENTATION
5. Non-disclosure agreements
REFERENCES
3. Information System Audit Module 1 Chapter No. 3, Part 1.2 Cloud Computing.
4. http://www.cloud-standards.org
AUDIT REPORT
Our audit report includes the recommendations based on the best judgment for
outsourcing. It also includes the risk assessment of outsourcing the IT services and
that of prospective vendors of cloud computing.
It also includes controls to be assigned to mitigate the risk of outsourcing. Over and
above, it contains the cost benefit analysis and risk mitigation strategy.
In the Cloud Architecture, the front end includes the client's computer (or computer
network) and the Client application required to access the cloud computing system.
This could be a Web browser or unique applications that provide network access to
clients.
On the back end of the system are the various computers, servers and data storage
systems that create the "cloud" of computing services. In theory, a cloud computing
system could include practically any computer program we can imagine, from data
processing to video games. Usually, each application will have its own dedicated
server. Any mid-sized business like cooperative banks, Regional Rural Banks or any
Marketing company would be benefited by cloud services as their needs could be
met by services offered by the Cloud Service providers.
There is no single definition of the cloud as the term is used in IT,
although it has been described as a service rather than a product.
needed.
2. Network Access: Network should be accessible anywhere by any device -
time.
5. Measured Services: Capability to monitor resource usage for each process and
client.
4. Multi-sharing: Multiple users and applications can work more efficiently with
cost reductions by sharing common infrastructure.
1. Public Cloud: Refers to service providers that offer their cloud based services
to the public.
2. Private Cloud: Refers to the use of cloud computing concepts within the
confines of a private network. Some businesses like private cloud computing
because it provides more control over infrastructure and security than public cloud
computing.
3. Hybrid Cloud: Businesses may decide to combine public cloud and private
cloud services to create a hybrid cloud.
4. Community Cloud: Several businesses share cloud-computing resources.
2. Software as a Service (SaaS): This provides the capability to use the provider’s
applications that run on the cloud infrastructure. The applications are accessible
from various client devices. Users are free from the possession and maintenance
issues of software and hardware.
3. Globalize your workforce on the cheap: People worldwide can access the
cloud, provided they have an Internet connection.
4. Streamline processes: Get more work done in less time with less people.
6. Improve accessibility: You have access anytime, anywhere, making your life so
much easier.
7. Monitor projects more effectively: Stay within budget and ahead of completion
cycle times.
9. Minimize licensing new software: Stretch and grow without the need to buy
expensive software licenses or programs.
10. Improve flexibility: You can change direction without serious “people” or
“financial” issues at stake.
requirements, make sure your cloud provider understands what they are so
they can meet them.
provider makes the cloud provider’s disaster recovery capabilities vitally important
to your company’s disaster recovery plans
The automobile industry is evolving while grappling with several socio-economic
and technological challenges along with the need to drive down IT costs. A solution
to this problem could be sought by moving to the Cloud.
Cloud computing is one of the most disruptive forces facing the industry.
According to the Bain & Company research report “The Changing Faces of the
The change is not cosmetic but radical in all aspects and could be truly
transformational as it will power and define business processes and supply chains.
These are companies genuinely trying to change everything: from the way their
structure is managed to the products they sell.
Additional services can be added to allow for the development of modular and
reusable services for integration.
2. Mobility Services – Applications for ride sharing and mobility services require
geo-location services to monitor vehicles and fleets in real time. There may be
additional components necessary to communicate with consumers, emergency
vehicles, and intelligent highway terminals in the future. The automotive cloud can
also track maintenance requirements, user interactions, and delivery status.
location, data privacy and security often arise along with those concerning
reliability. It’s worth noting that mobility services will also be used by people who
are not experts in vehicle or cloud computing technologies and there may be
requirements to further secure information between the automotive cloud,
connected vehicles, and applications.
of system components and analysis of interactions that take place within the
automotive cloud network.
requires querying multiple vendors for the best price and availability. With
Automotive Cloud Technology, the vehicles themselves will communicate the parts
that must be replaced, thus requiring these parts to be machine coded – i.e. parts-
specific codes suited for the vehicle.
6. Security: ISO 27001, the reluctance to adopt technology is starting to be
addressed and adoption is gaining traction. Let’s bear in mind also that many of the
security features required for data protection are addressed by the service
providers, therefore relieving the healthcare organizations from tedious and
complex security frameworks.
many health organizations, and the cloud allows providers to save money by
minimizing in-house storage needs. The information also becomes more accessible
from various locations, and even if something happens on-site, the data is still
preserved.
Cloud Adoption
The automobile industry is at a very fragile stage of its industrial life for adopting cloud
computing. A clear challenge in formulating cloud policy is dealing with these
conflicts inherent in the features of cloud computing and achieving a balance
between the enabling and constraining functions of governance. The other set of
challenges involve striking balance among conflicting interests of different
stakeholders such as cloud service providers, copyright owners, clients, end users,
and government.
Current trends indicate that the Private Cloud is a preferred model for the
industry. Automobile companies who are used to using third-party software
would be most comfortable with SaaS applications and IaaS.
Utility style costing: the service can be accessed on demand and the client only
pays for the resource that they actually use.
Easily accessible: The service can usually be accessed from any location as long
as there is an internet connection and the security protocol of the cloud allows it.
Considering the need of the organization and above benefits, we are of the opinion
that the best model suited to the company would be Infrastructure as a Service
(IaaS).
IaaS provides basic computing resources which can be used by Tara Jewels Ltd. to
run software (both operating systems and applications) and to store data. IaaS
allows the customer to transfer an existing workload to the cloud with minimal, if
any, change needed.
The company need not manage or control the underlying cloud infrastructure, but
remains responsible for managing the OS and applications. IaaS removes the need to
buy, house and maintain the physical servers. It can provide the ability for an
organization to respond quickly to ever changing demands. We have identified the
following Service providers –
ANNEXURE 1
3. Data protection: cloud computing poses several data protection risks for cloud
customers and providers. In some cases, it may be difficult for the cloud
customer (in its role as data controller) to effectively check the data handling
practices of the cloud provider and thus to be sure that the data is handled in a
lawful way. This problem is exacerbated in cases of multiple transfers of data,
e.g., between federated clouds. On the other hand, some cloud providers do
baseline, have skills that go beyond basic operating system maintenance and
availability management. While selecting, consider skill levels related to managing
change, virtualization, high availability, middleware and databases, multiple
3. Alignment with industry best practices and ITIL standards: A key to achieving a
replicated across multiple delivery centres. Also important is the means by which
the services provider gives you visibility into the health of your infrastructure and
the performance of your managed services.
services is that responsibility for performance rests with the services provider. Your
focus should be on what the services provider delivers rather than how the service
is performed, which enables the provider to innovate, improve service delivery and
reduce costs for mutual benefit. In turn, the services provider should be willing to
commit contractually to meeting your service level requirements, and back up
those commitments with financial penalties or other recompense if those service
level agreements are not met.
We have, as a part of our assignment, carried out the risk and vulnerability
assessment of the above selected vendors. The risk and vulnerability assessment is
carried out using a points system, where the scores are allotted
taking into consideration the risk associated, along with the likelihood of the event
occurring and its impact on the business operation.
optimum.
0 No Risk
IT Services to be outsourced:
As mentioned earlier, Tara Jewels Ltd must opt for the Infrastructure as a Service
model. In this view, Tara Jewels Ltd can outsource the following services:
1. Tara Jewels Ltd can opt for operating systems & applications provided by
2. Tara Jewels Ltd can obtain a data storage facility provided by Amazon Web
Services
3. Tara Jewels Ltd. can also obtain a data processing facility and network services.
It is very important for the Company to take into account the recommendations on
controls to be implemented to mitigate the risk of outsourcing. The controls to be
implemented are described in the table below:
One of the main reasons for shifting to the cloud is cost reduction. The points
below describe the benefits of the cloud in terms of cost.
Strategic outsourcing can deliver savings and a reduced total cost of ownership
(TCO) for the organization in a number of ways.
Outsourcing allows the costs associated with IT to shift from the capital
expenditure (CapEx) budget to the operational expense (OpEx) budget, financially
positioning IT as an essential cost of doing business alongside other core costs of
sales.
Outsourced partners offer a way to reduce daily operational costs. The best
providers allow companies to scale IT operations, so they can control how much is
spent in high or low times.
Businesses can “pay as they go” with outsourcing providers. Such flexibility allows
companies to move from fixed to variable costs.
- Competitive pricing
SUMMARY/CONCLUSION:
After performing the risk and vulnerability assessment of vendors, we are of the
opinion that Amazon Web Services is the best service provider, as the risk
involved is lower compared to other vendors.
Tara Jewels Limited can start by first introducing cloud computing into routine
processes, with a small amount of capital expenditure, and then increase usage as
necessary.