(MSEI)
(formerly known as MCX Stock Exchange Ltd.)
Contents
1.
2.
Scope of work
3.
4.
Executive summary
5.
Detailed observations
6.
Disclaimer
BUSINESS CONTEXT
TIMELINES
Audit Coverage
29 April 2015
12 June 2015
18 September 2015
Towards this end, we, Haribhakti & Co. LLP, Chartered Accountants, were awarded the above-
mentioned contract and had submitted the detailed report on 12 June 2015. We carried out the follow-
up audit in the month of September 2015 and are privileged to present the report to the Management.
SCOPE OF WORK
General Controls
Policy and Procedures
User Management
Physical and
Environmental Controls
Incident Management
Change Management
Controls
Review the policies and procedures for the areas of information security for
coverage, approvals, communication, implementation and benchmark against the
leading security standards.
Walkthrough of the user management process for users of applications, servers,
network and network security devices, third party vendors as applicable.
Review the users from application/Servers/Firewalls/ Database against the
corresponding data received from the HR department and check the alignment of
the process with respect to documented policy and procedure.
Review the Password policy
Review the exceptions, Segregation of Duties and allocation of Sensitive Access
Review of user access against the documented authorization matrix
Take a walkthrough of the premises and sensitive areas like server room, data
centers to inspect the controls for maintaining the recommended environmental
conditions like temperature, humidity, Controls implemented for detecting fire
Review the physical and environmental controls implemented for Access Controls.
3, 5,
9, 10
Data Communication /
Network Controls , DMZ
and Network
Architecture Design
Review, VPN
Configuration Review,
Performance Audit
Security Controls
General office
Infrastructure
(Vulnerability Assessment
Penetration Testing)
VAPT Contd
Review of Business
Continuity / Disaster
Recovery Plan and
Process
IT Asset Management and
IT Support
Review the Business Continuity and Disaster Recovery Plan for Business impact
Analysis, Risk assessment & DR process
Review DRS installations and Drills
11
12
E-Mail system
EXECUTIVE SUMMARY
Risk rating
Observation rating
The observation rating criteria and risk rating criteria are as per our pre-defined
parameters, as follows:
Process
deficiency
PD
Operational
inefficiencies
OI
System
limitation
SL
Major
Nonconformity
Significant / major control gap which may result into severe financial impact
or major violation of laws and regulations.
Minor
Nonconformity
Observation
SUMMARY OF COMPLIANCE
#
Risk Rating
Total
Major
NC
Current Status
Minor
NC
Observation
Closed
Open
General Controls
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
Security
Controls
Infrastructure
16
--
15
16
--
Performance Audit
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
General
office
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
--
10
11
E-Mail system
--
--
--
--
--
--
12
--
--
--
Total
18
--
16
18
--
--
[Chart: Observation, Minor Noncompliance, Major Noncompliance]
1
0
0
1
Implementation
Status
Observation
Software license & Maintenance agreement dated 25-Aug-2008 established between MCX-SX and outsourced
vendor was not updated as per the present service
delivery model
Closed
Closed
Closed
In Process
Auditors Remarks
The points mentioned in the observation are mutually agreed between MSEI and the
outsourced vendor, viz. Financial Technologies (FT), and a consensus is provided
by them via letter dated 12/12/2014 (from FT to Sushil Limbulkar, VP IT, signed by
Mehmood Vaid, Head Exchange Technology), confirmed on behalf of MSEI
by the director, Mr. Suniel Vichare.
MSEI has given the draft agreement covering these points to FT for finalization.
The organization is in the process of negotiating with the identified vendor for
escrow arrangements at the time of follow-up audit.
Recommendation
Software license & Maintenance agreement dated 25-Aug-2008 established between MCX-SX and outsourced
vendor was not updated as per the present service
delivery model.
Detailed Finding
As informed by MCX-SX and review of Software license &
Maintenance agreement dated 25-Aug-2008 established
between MCX-SX and outsourced vendor, out of 73
activities listed in Schedule III only 24 activities were
being performed by the outsourced vendor.
These changes to procured services were not updated in
the agreement.
Further during our review, it was noted that Hardware
asset management was performed by the outsourced
vendor, but the same was not listed as a part of the
outsourced service in the "Software license &
Maintenance agreement" dated 25-Aug-2008.
Risk
Recommendation
Detailed Finding
Through the review of 'Software license & Maintenance
agreement' between MCX-SX and outsourced vendor
dated 25-Aug-2008, it was noted that the outsourced
vendor has agreed to provide upgradation and
maintenance of DOME and C&S software and related
services with respect to all segments as per Schedule I
and in subsequent schedules.
Related services mentioned in Schedule III included
administration of Exchange application, data backup
management, System administration and management,
database management, network management, security
and technical help desk.
Recommendation (Contd)
Network management
Maintenance report of Data center should include but
not limited to
Physical and logical access controls; and
Environmental controls.
Periodic inspection report of structured network
cabling;
Periodic report of maintenance services conducted for
MDF for LL termination;
Re-conciliation of member request to actual
configuration performed on member router for leased
connectivity;
Periodic reports from NMS tool including details on
usage of WAN and internet links with uptime; and
Periodic reports on analysis conducted on internet
traffic to various servers at Datacenter & VSNL IDC.
This should mention if any suspicious activities were
noticed and the same shall be reported.
a) Database management
i) Health check - DBCC commands execution;
ii) License upgrades.
b) Network management
i) Services for maintenance of Data center;
ii) Services for maintenance of structured network cabling;
iii) Services for maintenance of MDF for LL termination;
iv) Configuration of member router for leased connectivity;
v) Monitoring of WAN and internet links with the help of
NMS tool to generate uptime and utilization reports; and
vi) Analysis of the internet traffic to various servers at
Datacenter & VSNL IDC.
Security
Firewall and IDS monitoring and log analysis report
should include but not be limited to:
Recommendation (Contd)
Recommendation (Contd)
audit
by MCX-SX
on
Risk
Absence of critical components in the agreement may
result in unstructured service delivery and accountability
issues. This will further result in disruption of services
and may result in revenue loss.
Recommendation
Detailed Finding
Through review of approved Change Management
Procedure defined in MCXSX Exchange IT procedure v1.5
the following discrepancies were noted:
The existing change management forms were
categorized as 'Major' or 'Minor' changes. However, the
guidelines for these change categories were not defined
and documented in the approved procedure document;
Guideline for change priority was not defined,
documented and implemented;
The service level agreements for the existing change
categories i.e. Major, Minor and Emergency changes were
not defined and documented in the approved change
management procedure. Also, the existing legal contract
i.e. 'Software License and Maintenance' agreement dated
August 25, 2008 did not include suitable clauses for
mandating the service level agreements for change
management process; and
Recommendation (Contd)
Recommendation
(Contd)
Partially closed
Software license & Maintenance agreement dated 25-Aug-2008 not yet amended.
Deloitte team has not been informed of a target date of
completion for this point.
We observed that change Management procedure has
been amended by defining following points
The change categories were defined as Critical, Major
and Minor;
Priority for implementing a change was defined as
Emergency, High, Medium and Low;
Escalation matrix for application related changes was
defined as below:
o Level 1 - MCX-SX Systems team - contact numbers and
mail ids provided;
o Level 2 - PMG (Mr. Kundan Zamvar) - contact details and
email ids;
o Level 3 - Mr. Sushil Limbulkar and Mr. Mehul Chande - contact details and email ids;
Risk
Recommendation
Detailed Finding
Risk
In the event of a legal dispute, absence of an escrow
agreement may lead to termination of the services
rendered by the service provider or failure of the software
vendor to provide requisite support and services in
future, resulting in revenue loss, reputational loss and
huge capital outflow to the exchange.
Recommendation
It is recommended to define, document and implement a
software escrow agreement on an immediate basis with
trusted third party and outsourced service provider for
the core "DOME and CnS software".
DETAILED OBSERVATIONS
CURRENT AUDIT
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
Detailed Finding
The RDP server stores a hard-coded RSA private key in
the mstlsapi.dll library. Any local user with access to this
file (on any Windows system) can retrieve the key and
use it for this attack.
Risk
Remediated
Management Response
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
Detailed Finding
NLA uses the Credential Security Support Provider
(CredSSP) protocol to perform strong server
authentication either through TLS/SSL or Kerberos
mechanisms, which protect against man-in-the-middle
attacks. In addition to improving authentication, NLA
also helps protect the remote computer from malicious
users and software by completing user authentication
before a full RDP connection is established.
It was observed that the Remote Terminal Services
doesn't use Network Level Authentication (NLA) for the
RDP Host.
Management Response
Remediated
The remote desktop has been disabled
Implementation Date : 18-03-2015
Risk
As the remote terminal service is not configured to use NLA,
the host may remain vulnerable to man-in-the-middle
attacks.
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
Detailed Finding
It was observed that the user access review has not
been carried out for the following users of the server
ECMDB1.
ECMTRADE_OLD
RO
Risk
Remediated
User Review has been carried out at ECMDB1
Management Response
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
SL
Recommendation
by
Detailed Finding
It was observed that a weak/default password is used
for the following routers:
BKC-CANMS-RTR#XXX.XXX.XXX.XX
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XX
MCXSX-VSAT-DC-R1#XXX.XX.X.XX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
NOS-PRI-RTR-PRI#XXX.XXX.XXX.XXX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#XXX.XXX.XXX.XXX
NOS-SW-PRI#XXX.XXX.XXX.XXX
NOS-SW-SEC#XXX.XXX.XXX.XXX
SX-DMZ-2960#XXX.XXX.XXX.XXX
Risk
Management Response
Remediated
Risk Rating
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
5
PD
OI
Control Description
The access to the system should be controlled by
implementing vendor-specific hardening guidelines.
Risk Rating
SL
Recommendation
Detailed Finding
It was observed that the connections were not
configured with secure connection timeout periods for
the following routers/devices.
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Equity_Feed_Inside_SW1#XXX.XXX.XXX.XXX
Extranet_PRI#XXX.XXX.XXX.XX
MCXSXEQ_Monitoring_NOS#XXX.XXX.XXX.XXX
NOS-SW-PRI#XXX.XXX.XXX.XXX
NOS-SW-SEC#XXX.XXX.XXX.XXX
OPS-MGMT-SW-2#XXX.XXX.XXX.XX
VIBGYOR_PRI_SW1#XXX.XXX.XXX.XXX
OPS-MGMT-SW-1#1XXX.XXX.XXX.XXX
Management Response
Remediated
Session time out has been configured as per requirement
Implementation Date : 27-03-2015
Risk
An attacker who is able to gain access to a connection
that had not expired, would be able to continue using
that connection. A connection could be a console port
on the device that was not correctly terminated or a
remote administrative connection.
(Privileged and Confidential)
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation
by
Detailed Finding
Management Response
Remediated
Risk
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation
by
Detailed Finding
It was observed that IP source routing was enabled
on the following routers:
IDC-Equity-Feed-R2#XXX.XXX.XXX.X
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XX
MCXSX-ETCC-10Mb#XXX.XXX.XXX.XX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
Management Response
Remediated
IP source routing has been disabled
Risk
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation
by
Detailed Finding
It was observed that ICMP redirects were not disabled
on the following routers:
IDC-Equity-Feed-R1#1XXX.XXX.XXX.X
IDC-OPS-ROUTER-PRI#XXX.XXX.XXX.XXX
IDC-OPS-ROUTER-SEC#XXX.XXX.XXX.XXX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
NOS-PRI-RTR-PRI#XXX.XXX.XXX.XXX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#1XXX.XXX.XXX.XXX
VIB-DC-PRI#XXX.XXX.XXX.XX
VIB-DC-SEC#XXX.XXX.XXX.XX
Management Response
Remediated
ICMP redirect has been disabled.
Implementation Date : 27-03-2015
Risk
An attacker could use ICMP redirect messages to route
network traffic through their own router, possibly
allowing them to monitor network traffic.
Responsibility : -Timeline : --
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
Risk Rating
SL
Recommendation
by
Detailed Finding
It was observed that ARP request proxying was not
disabled for the following routers:
IDC-Equity-Feed-R1#XXX.XXX.XXX.X
IDC-OPS-ROUTER-PRI#XXX.XXX.XXX.XXX
IDC-OPS-ROUTER-SEC#XXX.XXX.XXX.XXX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
NOS-PRI-RTR-PRI#XXX.XXX.XXX.XXX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#XXX.XXX.XXX.XXX
VIB-DC-PRI#XXX.XXX.XXX.XXX
Risk
A router that acts as a proxy for ARP requests will extend
layer two access across multiple network segments,
breaking perimeter security.
Management Response
Remediated
Proxy ARP has been disabled.
Implementation Date : 27-03-2015
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
10
Risk Rating
SL
Recommendation
by
Detailed Finding
It was observed that IP unreachables have not been
disabled for the following routers:
IDC-Equity-Feed-R1#1XXX.XXX.XXX.X
IDC-OPS-ROUTER-PRI#XXX.XXX.XXX.XXX
IDC-OPS-ROUTER-SEC#XXX.XXX.XXX.XXX
MCXSX_CTCL_ACTIVE#1XXX.XXX.XXX.XX
NOS-PRI-RTR-PRI#XXX.XXX.XXX.XXX
NOS-PRI-RTR-SEC#XXX.XXX.XXX.XXX
Terminal_Server_DC#XXX.XXX.XXX.XXX
VIB-DC-PRI#XXX.XXX.XXX.XXX
Management Response
Remediated
IP unreachables has been disabled.
Implementation Date : 27-03-2015
Risk
An attacker who was performing network scans to
determine what services were available would be able to
scan a device more quickly.
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
11
SL
Recommendation
by
Management Response
Detailed Finding
It was observed that insufficient logging was
configured for the following routers:
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XXX
MCXSX-VSAT-DC-R2#XXX.XX.X.XXX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
COLO-SW2#XXX.XX.XXX.X
COLO_SW1#XXX.XX.XXX.X
MCXSXEQ_Monitoring_NOS#XXX.XXX.XXX.XXX
Remediated
Syslogging has been configured on the mentioned
devices/servers
Implementation Date : 27-03-2015
Risk
An attacker could attempt to map and bypass any
configured ACL or to gain access to the Cisco Router
without network administrators being alerted to the
attempts. Furthermore, after an unauthorised intrusion
into the network had been detected, it would be more
difficult for an investigation to identify the source of the
attack or the entry point without access to logs.
Risk Rating
Responsibility : -Timeline : --
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
12
Risk Rating
SL
Recommendation
by
device
Detailed Finding
It was observed that an NTP server has not been
configured for the following routers:
MCXSX-CCIL-RTR1#XXX.XXX.XXX.XX
MCXSX-VSAT-DC-R2#1XXX.XX.X.XX
MCXSX_CTCL_ACTIVE#XXX.XXX.XXX.XX
Risk
Management Response
Remediated
NTP has been configured
should
be
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
Control Description
13
by
Detailed Finding
It was observed that the following switches were running an out-of-date
Internet Operating System (IOS) software version:
Equity_Feed_Inside_SW1#XXX.XXX.XXX.XXX
Equity_Feed_Outside_SW1#XXX.XXX.XXX.XXX
Extranet_BKP#XXX.XXX.XXX.XX
Extranet_PRI#XXX.XXX.XXX.XX
MCXSXEQ_Monitoring_NOS#XXX.XXX.XXX.XX
NOS-SW-PRI#XXX.XXX.XXX.XX
NOS-SW-SEC#XXX.XXX.XXX.XX
OPS-MGMT-SW-2#XXX.XXX.XXX.XX
SERVERFARM-A#XXX.XXX.XXX.XX
SERVERFARM-P#XXX.XXX.XXX.XX
SX-DMZ-2960#XXX.XXX.XXX.XXX,
VIBGYOR_PRI_SW1#XXX.XXX.XXX.XXX
OPS-MGMT-SW-1#XXX.XXX.XXX.XXX
Risk
An attacker could exploit known software vulnerabilities.
PD
OI
SL
Risk Rating
Recommendation
Management Response
Switches will be configured with latest IOS.
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
14
SL
Recommendation
by
Management Response
Detailed Finding
It was observed that clear-text remote web-based
administration was enabled using HTTP for the following
devices:
MCX-SX-Cash-L3-A#XXX.XXX.XXX.XXX
MCX-SX-Cash-L3-P#XXX.XXX.XXX.XXX
MCXSX_CASH_DMZ_A#XXX.XXX.XXX.XXX
MCXSX_CASH_DMZ_P#XXX.XXX.XXX.XX
MCXSX_CASH_SF_A#XXX.XXX.XXX.XXX
MCXSX_CASH_SF_P#XXX.XXX.XXX.XXX
Server_Farm_FNO_Active#XXX.XXX.XXX.XX
Server_Farm_FNO_Passive#XXX.XXX.XXX.XX
OPS-MGMT-SW-1#XXX.XXX.XXX.XX
Remediated
HTTP service has been disabled
Implementation Date : 27-03-2015
Risk
The HTTP server allows remote management of the switch.
It uses simple HTTP authentication, which sends
passwords in the clear. This could allow unauthorized
access if the password is sniffed.
Risk Rating
Responsibility : -Timeline : --
SECURITY CONTROLS
Category
Root Cause
Minor Noncompliance
PD
OI
Control Description
15
Risk Rating
SL
Recommendation
by
Detailed Finding
Management Response
Remediated
Telnet disabled and SSH access has been configured.
Implementation Date : 27-03-2015
Risk
Telnet protocol transmits all information, including login
credentials in clear text. To prevent password stealing,
SSH should be used for remote administration, as SSH
encrypts all the traffic between the device and the SSH
client.
SECURITY CONTROLS
Category
Root Cause
Observation
PD
OI
Control Description
16
Risk Rating
SL
Recommendation
by
Management Response
Detailed Finding
It was observed that a login banner has not been
configured on the following routers:
MCXSX-VSAT-DC-R1#XXX.XX.X.XX
MCXSX-VSAT-DC-R2#XXX.XX.X.XX
Remediated
Login Banners have been configured as suggested.
Implementation Date : 08-05-2015
Risk
Attackers who have gained access to a device could
avoid legal action if no banner is configured to warn
against unauthorised access.
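The router and switch findings above (session timeouts, IP source routing, ICMP redirects, proxy ARP, IP unreachables, logging, NTP, HTTP and Telnet administration, login banners) can be checked offline against a saved Cisco IOS configuration. The script below is an added example and not part of the audit report; the sample configuration, the 10-minute timeout ceiling, and the assumption that a feature is on unless a `no ...` line is present are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the audited devices);
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
ip source-route
ip http server
logging host 192.0.2.50
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 5 0
 transport input telnet ssh
"""

MAX_IDLE_SECONDS = 600  # assumed policy ceiling, not a value from the report
INTERFACE_CHECKS = (("redirects", "ICMP redirects"), ("proxy-arp", "proxy ARP"),
                    ("unreachables", "IP unreachables"))


def parse_blocks(text):
    """Split a config into [top-level line, [indented sub-commands]] pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append([raw.strip(), []])
    return blocks


def audit(text):
    """Return a sorted list of findings for the hardening items in the report."""
    blocks = parse_blocks(text)
    top = [head for head, _ in blocks]
    found = set()
    # Global settings. Assumption: a feature is on unless a "no ..." line exists.
    if "no ip source-route" not in top:
        found.add("global: IP source routing enabled")
    if "ip http server" in top:
        found.add("global: clear-text HTTP administration enabled")
    if not any(re.match(r"logging (host )?\d", h) for h in top):
        found.add("global: no syslog host configured")
    if not any(h.startswith("ntp server ") for h in top):
        found.add("global: no NTP server configured")
    if not any(re.match(r"banner (login|motd) ", h) for h in top):
        found.add("global: no login banner configured")
    for head, subs in blocks:
        if head.startswith("interface ") and any(s.startswith("ip address ") for s in subs):
            for feature, label in INTERFACE_CHECKS:
                if f"no ip {feature}" not in subs:
                    found.add(f"{head}: {label} not disabled")
        elif head.startswith("line "):
            # No exec-timeout line means the IOS default of 10 minutes applies.
            m = re.search(r"^exec-timeout (\d+)(?: (\d+))?$", "\n".join(subs), re.M)
            idle = int(m.group(1)) * 60 + int(m.group(2) or 0) if m else 600
            if idle == 0 or idle > MAX_IDLE_SECONDS:
                found.add(f"{head}: session timeout disabled or too long")
            if head.startswith("line vty"):
                allowed = [s.split()[2:] for s in subs if s.startswith("transport input ")]
                if not allowed or allowed[-1] != ["ssh"]:
                    found.add(f"{head}: remote access not restricted to SSH")
    return sorted(found)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The IOS software version finding is not covered here, since judging a version as out of date needs vendor release data that a configuration file does not carry.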
Category
Root Cause
Observation
PD
OI
Risk Rating
SL
Control Description
Recommendation
17
Detailed Finding
It is a practice to maintain the updated version of the
BCP related documents on a local machine accessible
from the DR location. However, it was observed that the
current versions of the Business Continuity Plan (Version 4
dated 09 , 2015) and Disaster Recovery Plan (Version 2.0,
Feb 9 2015) were not available in physical form at the
DR site.
Risk
Management Response
Remediated
Updated BCP /DRP plans were kept at central
repository. Updated physical copies have been kept in DR
Box at DR Site.
Implementation Date : 24-03-2015
HUMAN RESOURCES
Category
Root Cause
Minor Noncompliance
PD
OI
Risk Rating
SL
Control Description
Recommendation
Detailed Finding
Management Response
18
Remediated.
Induction training is conducted for the new joinee on
June 10, 2015.
Risk
If the regular trainings and workshops are not conducted,
the preparedness of the employees to carry out their
duties during the disaster/disaster like situations may
not be ensured.
Responsibility : -Timeline : --
Tabletop Exercise
A periodic tabletop exercise for BCP is suggested for the staff members of the BCP team at the DR location to ensure
that they are prepared to handle the challenging situation in an efficient and effective manner.
It is suggested that tabletop testing should be carried out on half yearly basis for HR and Admin Fire & Emergency
Evacuation and Power Outage.
The BMT members should also carry out the tabletop test for declaration of the disaster.
DISCLAIMER
1. As it is practically not possible to study all aspects of a process in its entirety thoroughly during the limited time period of a review, based on our methodology for conducting self assessment of a system, we conducted a review of the system and held discussions with the process/application owners and other key people in the process during the planning stage of audit which helped us in identifying specific areas where control weaknesses & process gaps may exist or opportunities for improvement may exist. Our subsequent test work, study of issues in detail and developing action plans are directed towards the issues identified. Consequently this report may not necessarily comment on all the function / process related matters perceived as important by the management.
2. The issues identified in this report are based on our discussions with the people engaged in the process, review of relevant documents/records and our physical observation of the activities in the process/application. We made specific efforts to verify the accuracy and authenticity of the information gathered only in those cases where it was felt necessary. The work carried out and the analysis thereof is based on the interviews with the personnel and the records provided by them.
3. The identification of the issues in the report is mainly based on the review of process/application and records, sample verification of documents / transactions and physical observation of the events. As the basis of sample selection is purely judgmental in view of the time available, the outcome of the analysis may not be exhaustive and representing all possibilities, though we have taken reasonable care to cover the major eventualities.
4. This report does not comment upon any change/development taken place in the process/application and functioning of processes after the last date of our field work, i.e. 6 April 2015.
5. Configurations of Network Devices, Network Security Devices and Operating System were checked as per assessment dates.
6. This report is meant for the management of MSEI, the Board and the regulatory authorities only and should not be quoted or referred to without our prior written consent.
Limitation of Liability
In no event shall Haribhakti & Co. LLP & its Directors and its employees be liable for consequential, special, incidental or positive loss, damage or
expenses (including limitation, lost profits, opportunity cost, indemnification etc.) even if we have been advised of their possible existence.
Circulation of Report
The above report is solely for the benefit of the management and the audit committee, related regulatory bodies and associations as mentioned
in the distribution list. Any circulation beyond the intended audience requires prior written permission from Haribhakti & Co. LLP