T-Systems South Africa understand the strict audit requirements that companies in South Africa can be held too. These companies are either excluded from sharing in the benefits of cloud or need to undergo onerous audit requirements themselves when running their company workload on cloud platforms. This is in line with the T-Systems South Africa approach of offering solutions that conform to global standards to local customers who would like to run their workloads within South Africa without having to sacrifice on the levels of compliance required.
Umesh Shookan, IT Audit Lead at TSSA, says, “Our independent service provider, Deloitte & Touche, was engaged to report on our Cloud-based Dynamic Services for Infrastructure (DSI) platform throughout the period 1 January 2016 to 30 June 2016.”
The ISAE 3402 audit was developed by the International Auditing and Assurance Standards Board (IAASB), to provide an international assurance standard that enables auditors to issue a report for use by ICT service providers and their customers as part of their own annual audits. This report verifies that the general and security controls in place within delivery of an ICT service meet the specified standards.
According to Shookan, TSSA submits to several lengthy audits on their ICT infrastructure and architecture every year, conducted by their customers’ auditors. Engaging with an independent firm means that T-Systems South Africa can offer its customers the benefit of a report on which their own auditors can rely. This means the customer can use fewer resources to audit T-Systems’ cloud-based solutions themselves – a process which often takes months at a time.
T-Systems hosts their customers’ critical production workloads on their private cloud platform which includes ERP solutions like SAP Classic, SAP HANA, Sage ERP, as well as e-mail services where customers are not able to use other popular e-mail services hosted outside of South Africa.
“The ISAE 3402 audit is typically conducted across the traditional physical ICT infrastructure model. However, performing the audit over a Cloud environment is a significant shift which requires the auditors to evaluate a platform that could be used for multiple customers who are running critical production workload,” says Shookan. “The two-and-a-half-month process has resulted in a report which not only stands as fair and unbiased evidence for our customers that our private cloud, on which we build our DSI Infrastructure-as-a-Service offerings, is secure and well controlled, but that we are also invested in driving best practice within our organisation.”
According to Shookan, this audit also serves as a governance check for TSSA to ensure they are striving towards continual compliance and improvement of their services. The report furnished by Deloitte & Touche indicates that the controls tested on T-Systems South Africa’s DSI platform have been both suitably designed and effectively operated throughout the audit period and that no exceptions resulted in the failure of any control objectives.
“It is only recently that international ICT players have begun to carry out ISAE 3402 audits on their cloud platforms. Our audit enables our customers in South Africa to run their critical workloads on a platform that meets the audit requirements that enterprise customers expect. To our knowledge, we are one of the first – if not the first – South African ICT company to have its Cloud environment audited in this manner, and we are proud to be able to offer our customers the best assurance and peace of mind in our cloud platform that this audit provides,” concludes Shookan.