AgriSETA, a public entity regulated under Schedule 3 Part A of the PFMA, had undertaken a series of cloud migrations — lifting Sage X3 and Sage 300 to Microsoft Azure, and migrating its Learner Management System to the Odoo ERP platform. As part of its approved risk-based internal audit plan, the Internal Audit Function required an independent, evidence-backed cloud security audit of the Azure environment.
The engagement needed to produce findings that were technically rigorous, risk-rated against internationally recognised standards, and suitable for formal presentation to the Audit and Risk Committee — all within the constraints of a PFMA-regulated public sector environment with POPIA compliance obligations.
Project Details
A Six-Domain Azure Security Assessment
All assessments were conducted from the Azure portal, Microsoft Defender for Cloud, and automated cloud security posture management tooling — covering six control domains across the full Azure tenant.
CIS Benchmark Posture Assessment
Automated posture assessment using Prowler, mapped to the CIS Microsoft Azure Foundations Benchmark across the full Azure tenant. Findings prioritised by risk rating for remediation tracking.
Microsoft Defender for Cloud
Secure score analysis, active recommendations review, and Defender plan coverage assessment across the tenant — identifying gaps in protection coverage for each workload.
Identity & Access Management
Review of Entra ID configuration, RBAC role assignments, privileged account controls, MFA enforcement, and service principal permissions — assessing the full identity layer of the Azure environment.
Network Security & Hybrid Connectivity
Review of Network Security Group rules, firewall configurations, and VPN Gateway settings governing the hybrid on-premises to Azure connectivity boundary — assessed from the Azure portal.
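As an added illustration of the kind of NSG rule review described above (example code, not tooling from the engagement), the following Python walks an NSG export in priority order and flags inbound rules that expose management or database ports to the Internet; the sensitive-port list, severity ratings and the sample NSG are constructed assumptions.

```python
# Ports treated as management or database exposure when reachable from the Internet (assumption).
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 445: "SMB", 1433: "MSSQL", 5432: "PostgreSQL"}
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}

def _rule_ports(rule):
    """Destination ports of a rule as a set; None means '*' (every port)."""
    ports = set()
    for spec in rule.get("destinationPortRanges") or [rule["destinationPortRange"]]:
        if spec == "*":
            return None
        lo, _, hi = spec.partition("-")
        ports |= set(range(int(lo), int(hi or lo) + 1))
    return ports

def assess_nsg(nsg):
    """Return (rule, severity, detail) findings for inbound Allow rules reachable from the Internet.
    Rules are walked in priority order (lowest number wins), so ports a higher-priority Deny
    already blocks are not reported, mirroring how Azure evaluates an NSG."""
    findings, decided = [], set()
    for rule in sorted(nsg["securityRules"], key=lambda r: r["priority"]):
        sources = rule.get("sourceAddressPrefixes") or [rule["sourceAddressPrefix"]]
        if rule["direction"] != "Inbound" or not any(s in INTERNET_SOURCES for s in sources):
            continue
        ports = _rule_ports(rule)
        hit = set(SENSITIVE_PORTS) if ports is None else ports & set(SENSITIVE_PORTS)
        if rule["access"] == "Allow":
            if ports is None:
                findings.append((rule["name"], "Critical", "all inbound ports open to the Internet"))
            for p in sorted(hit - decided):
                findings.append((rule["name"], "High", f"{SENSITIVE_PORTS[p]} ({p}) open to the Internet"))
        decided |= hit  # Allow or Deny: lower-priority rules can no longer change these ports
    return findings

# Constructed sample in the shape returned by `az network nsg show` (not a real AgriSETA NSG).
SAMPLE_NSG = {
    "name": "nsg-app-subnet",
    "securityRules": [
        {"name": "deny-rdp-internet", "priority": 100, "direction": "Inbound", "access": "Deny",
         "protocol": "Tcp", "sourceAddressPrefix": "Internet", "destinationPortRange": "3389"},
        {"name": "allow-mgmt-any", "priority": 200, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "*", "destinationPortRanges": ["22", "3389"]},
        {"name": "allow-db-vpn", "priority": 300, "direction": "Inbound", "access": "Allow",
         "protocol": "Tcp", "sourceAddressPrefix": "10.10.0.0/16", "destinationPortRange": "1433"},
    ],
}
```

Running `assess_nsg(SAMPLE_NSG)` reports only SSH on the `allow-mgmt-any` rule: RDP is already denied at priority 100 and the SQL rule is restricted to the VPN range.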
Workload Configuration & Audit Report
Azure-side control review for each in-scope workload: Sage X3, Sage 300, Docuvision, Linux application server, and Veeam backup appliance — covering subnet placement, NSG assignment, Defender for Servers coverage, patch management, and backup configuration. All findings delivered in a risk-rated audit report mapped to ISO 27001 and CIS, with an Executive Summary and ARC presentation deck.
The Impact
Delivered a fully evidenced Azure cloud security audit report that met the Internal Audit Function’s requirements for independent assurance, with findings structured for formal ARC and MANCO presentation — all within the PFMA and POPIA compliance framework.
- Produced a risk-rated cloud security audit report mapped to ISO 27001 and the CIS Microsoft Azure Foundations Benchmark — suitable for direct submission to the Audit and Risk Committee.
- Identified critical control gaps across identity and access management, network segmentation, and logging and monitoring, with prioritised remediation recommendations for each workload.
- Provided the Internal Audit Function with independent, technical assurance over the organisation’s migrated cloud environment, meeting all PFMA governance and POPIA data protection obligations.