
Project Report of DISA 2.0 Course
Topic: Information Systems Audit of ERP Software
CERTIFICATE
Project Report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at
Akola from 11th May, 2019 to 9th June, 2019 and that we have the required attendance. We are submitting
the project titled: Information Systems Audit of ERP Software.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.

We also certify that this project report is the original work of our group and that each one of us has
actively participated and contributed in preparing this project. We have not shared the project details
or taken help in preparing the project report from anyone except the members of our group.

1. Ms. PRACHI NAONDHAR DISA No.: 58709 Signed


2. Ms. TRUPTI PANDYA DISA No.: 58708 Signed
3. Mr. MARUTI BHOYAR DISA No.: 58713 Signed

Place: Akola
Date: 24th June, 2019

INDEX

1. Introduction

2. Auditee Environment

3. Background

4. Situation

5. Terms and Scope of Assignment

6. Logistic Arrangements Required

7. Methodology and Strategy adopted for execution of assignment

8. Documents reviewed

9. References

10. Deliverables

11. Findings and Recommendations

12. Summary /Conclusion

13. Abbreviations

14. Acknowledgement

1. Introduction

Peacock Ltd. is a multi-national company which has a chain of supermarkets. It is one of the largest
retail conglomerates in India with a diverse portfolio of retail and hospitality brands. The company
provides a value-driven product range for the entire family through an extended portfolio of core retail
brands. Its unique value proposition is that it offers a one-stop shopping destination, catering to all
the daily needs of a consumer by providing grocery, fruits & vegetables, meat & fish, wine & spirits,
kitchenware, electronics, apparel, health & beauty, furniture and much more under one roof (refer
diagram 1.1).

[Diagram 1.1: product categories offered under one roof: Grocery, Apparel, Electronics, Fruits &
Vegetables, Kitchenware, Meat & Fish, Wine & Spirits]

M T P & Associates, Chartered Accountants, is a professional firm established in 1995, providing
services such as Information Systems Audit ("IS Audit"), Statutory Audit, Internal Audit, Tax Audit,
Consultancy for Project Finance and other related services.

We have been appointed to conduct an information systems audit to review and evaluate the current
state of IT controls and to provide appropriate recommendations. The audit team consists of personnel
who have prior experience in information systems audits and possess the necessary expertise in this
field. Ms. P is the team leader, having more than 18 years of IS Audit experience.

Peacock Ltd. has recently implemented an ERP solution which integrates all the stores across the
country. Due to the recent spate of errors discovered in billing and shortages of inventory, the CFO is
increasingly concerned about the overall reliability and security of the IT environment. We have
been asked to conduct an information systems audit to review and evaluate the current state of IT
controls and provide appropriate recommendations.

2. Auditee Environment
We visited the corporate location of Peacock Ltd. at Akola and understood the nature of its
business and the organization structure of the company. The corporate IT environment consists of
three distinct platforms:

 The Mainframe Platform: used for the primary financial and sales applications, and maintained
by IBM.
 The Open Systems Platform: UNIX servers used for various application software such as SAP and
Payroll, with Oracle as the database, and also for a logistics management system and a stores
management system.
 The PC and terminal network platform: a combination of Windows servers is utilized for file
and print services, communication services and gateway services. Mainframe access is granted
through the Windows servers, and UNIX server access is provided through terminal emulation.

The corporate office in Akola has about 300 employees; the company operates over 5 million square
feet of retail space, has over 350 stores across 40 cities in India and employs over 5,000 people.

3. Background
The senior management of Peacock Ltd., and specifically the CIO, is concerned about the reliability
of technology and the impact of its failure. It therefore proposes to have a comprehensive audit of the
Information Systems (ERP Audit) in the company. A series of discussions were held with the IS
Audit team, and based on these the scope of the IS Audit has been defined. The Enterprise Security
Audit has to include such tests as are considered necessary to evaluate whether the selected procedures
and policies are sufficient to provide reasonable assurance that the required controls are available,
adequate and appropriate. Based on the overall audit objectives, the IS Auditor has to identify the
specific control objectives and procedures to be examined. The IS audit will include compliance and
substantive testing as required, interviews with appropriate stakeholders and such observations as are
necessary to obtain evidence about the effectiveness of the implemented controls, so as to confirm
that they are working as designed and envisaged. While the Information Systems Audit covers both the
audit of the ERP system and a review of its implementation, the IS Audit is expected to comply with
the IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subject to the
applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of controls
by benchmarking against global best practices. Further, any specific risks identified are expected to
be mitigated by implementing controls as deemed relevant, to ensure that the implementation is secure
and safe and to provide assurance to the senior management of Peacock Ltd. The IS Auditors are also
expected to develop an IS Audit checklist for future use.

4. Situation
Peacock Ltd. is a multi-national company which has a chain of supermarkets. It is one of the largest
retail conglomerates in India with a diverse portfolio of retail and hospitality brands. The recently
implemented ERP software runs on three distinct platforms with different usage.
Corporate workstations are primarily running Windows 7. The corporate location is home to
approximately 300 employees and the company employs approximately 5,000 people. The company
has to keep IT running, as all its critical business operations are computerised.
The company has its main Data Centre in Pune, which has become an IT hub where IT professionals
are easily available, and a backup data centre at Noida, in a different seismic zone, with all critical
data and operations available in the mirrored backup data centre. The company has a specialised IT
department with more than 50 IT professionals who are responsible for keeping IT running. It has
outsourced maintenance of the network and network security to a well-known IT company.
During the course of internal audit:
 A significant number of errors were found in the Billing System.
 Shortage of inventory was observed.
 Increasing attempts to hack the computer systems and to bring down the system through Denial
of Service attacks were noted.

The CIO is increasingly concerned about the impact of errors and the possibility of frauds. Hence, he
would like to have an IS Audit of the overall security and reliability of the IT deployment, including
the availability of appropriate business continuity plans.

5. Terms and Scope of assignment


We have been appointed by Peacock Ltd. by letter dated 5th June, 2019 for the Information Systems
Audit of the ERP Software. The scope and terms mentioned in the engagement letter are as under.

o To test all key business processes for completeness and accuracy of processing
o To identify all significant weaknesses in the IT security infrastructure
o To assess adequacy of business continuity plans.

The scope and terms of reference of the assignment includes review of the following areas:

A. System Security Controls:


1. Test completeness and accuracy of processing of all application software and their interfaces
2. Identify significant weaknesses by evaluating controls related to ensuring systems security.
3. Evaluate and test password management, user account management and review, and the security
of online access to data, so as to identify control weaknesses that would allow easy
unauthorized access and intrusion into valuable information resources.
4. Review existing documented policies and procedures relating to IT security.

5. Perform appropriate tests of procedures to evaluate whether any unauthorized users could
easily gain access to highly private and confidential information.

B. Business Continuity Plan:


1. Review adequacy of BCP.
2. Review whether the disaster recovery plan is documented, communicated, tested and
maintained on a regular basis.
3. Test adequacy of BCP to mitigate all significant risks in the event of an unforeseen disaster.

6. Logistic arrangements required


Peacock Ltd. appointed one coordinator who was part of the initial discussion on the work plan
and continued to work with our team till the assignment was completed. The coordinator was asked to
make the following arrangements for this assignment:

 Computers/Laptops with internet access


 LAN connection
 Access to SAP application software, MS Office 2010 Software, Financial Application, Sales
Application, Payroll Application, Inventory Application, Corporate Work Station, Windows
Server – Enterprise used by Peacock Ltd.
 Separate User ID and passwords for the audit team
 Adequate seating space for our audit team and safe storage facility for keeping papers
 Facilities for discussions amongst our team and company's designated staff
 Travel facility, local and outstation, including lodging and boarding, for visits to the Data
Centres at Pune and Noida and to selected stores and warehouses at Akola, Delhi, Hyderabad,
Bangalore, Chennai and Kolkata.

Various tests were conducted using IDEA (CAAT) tools:

 Duplicate and Gap Detection Tests


 Matching and Comparison Tests
 Generalised Audit Software like Interactive Data Extraction and Analysis
 Utility software
 Audit Trails
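As an added example (not part of the report, and not IDEA itself), the duplicate, gap and matching tests listed above implemented in Python over a constructed sample of billing and stock-issue records; the record layout, field names and values are assumptions for illustration only:

```python
"""Added example (not from the report): CAAT-style duplicate, gap and matching
tests written in Python instead of IDEA. Record layouts, field names and the
sample values are constructed assumptions for illustration."""
from collections import defaultdict

# Constructed sample of billing records for one store and period.
INVOICES = [
    {"invoice_no": 1001, "customer": "C01", "item": "RICE-5KG", "qty": 10, "amount": 2500.0},
    {"invoice_no": 1002, "customer": "C02", "item": "OIL-1L", "qty": 4, "amount": 560.0},
    {"invoice_no": 1002, "customer": "C02", "item": "OIL-1L", "qty": 4, "amount": 560.0},  # posted twice
    {"invoice_no": 1005, "customer": "C03", "item": "TEA-250G", "qty": 20, "amount": 3000.0},
    {"invoice_no": 1006, "customer": "C01", "item": "RICE-5KG", "qty": 12, "amount": 3000.0},
]

# Constructed stock-issue records posted by the inventory module for the same period.
STOCK_ISSUES = [
    {"invoice_no": 1001, "item": "RICE-5KG", "qty": 10},
    {"invoice_no": 1002, "item": "OIL-1L", "qty": 4},
    {"invoice_no": 1005, "item": "TEA-250G", "qty": 2},   # billed 20, only 2 issued
    # invoice 1006 was billed but no stock issue was posted at all
]


def duplicate_test(records, key_fields):
    """Duplicate key detection: return every key combination that occurs more
    than once, with its count. Keying on invoice_no alone finds double postings;
    keying on (customer, amount) finds the same sale billed under two numbers."""
    counts = defaultdict(int)
    for rec in records:
        counts[tuple(rec[f] for f in key_fields)] += 1
    return sorted((key, n) for key, n in counts.items() if n > 1)


def gap_test(records, field="invoice_no"):
    """Gap detection: return the numbers missing from what should be an
    unbroken sequence of document numbers (cancelled or deleted bills)."""
    present = {rec[field] for rec in records}
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def matching_test(invoices, issues):
    """Matching and comparison: billed quantity versus issued quantity for each
    (invoice, item) pair. A bill with no matching issue, or with a different
    quantity, is the kind of record that explains an inventory shortage."""
    issued = {(i["invoice_no"], i["item"]): i["qty"] for i in issues}
    exceptions = []
    for inv in invoices:
        key = (inv["invoice_no"], inv["item"])
        if key not in issued:
            exceptions.append((inv["invoice_no"], inv["item"], "billed, no stock issue"))
        elif issued[key] != inv["qty"]:
            exceptions.append(
                (inv["invoice_no"], inv["item"], f"billed {inv['qty']}, issued {issued[key]}")
            )
    return exceptions


def run_all(invoices=INVOICES, issues=STOCK_ISSUES):
    """Run the three tests and return the exceptions as one dict."""
    return {
        "duplicates": duplicate_test(invoices, ["invoice_no"]),
        "gaps": gap_test(invoices),
        "mismatches": matching_test(invoices, issues),
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(name, result)
```

The gap test assumes a single unbroken numbering series per document type and location; where the ERP keeps separate series per store, run it per series. The matching test is keyed on invoice number and item, so a bill posted twice with the same number is caught by the duplicate test rather than reported twice as a mismatch.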

7. Methodology and Strategy adopted for execution of the
assignment

One of the main challenges faced by a company that has implemented SAP ERP (or any ERP) is to
get a clear understanding of the current state of the ERP system: two or three years after
implementation, what is the status of the system?

The main areas of focus will be;

 Whether all the management controls are working fine


 Whether all the postings are being done as per accounting standards
 Whether proper documentation is being maintained
 Whether critical business related activities are done accurately etc.

Many practical difficulties arise in doing an ERP post-implementation audit. The main challenge is to
frame the right set of questions and to obtain answers to them. From our experience and research,
we have prepared a question list covering both the functional and the technical side, which drills
down to the minutest level and provides all the data required for the audit.

SAP has provided a very powerful framework in the standard ERP package for conducting Audits,
evaluating them and taking corrective actions.

The user should have answers to the following questions before starting the audit procedure:

1. Kind of Audit to be Conducted (Technical or Functional)


2. Number of questions for the Audit
3. Structure of list of Questions (Question drill down level)
4. Valuation type of Questions
5. Question Priorities
6. What kind of Audit Controls to be implemented
7. Audit purpose
8. Audit Type
9. Kind of rating for the questions

Following are the main objects used for the Audit;

1) Audit Plan:

The audit plan consists of all audits planned for a particular period of time. For example, all audits
that are to be executed in the space of one year are defined in an annual audit plan. There is always
only one current version of an audit plan, where all date shifts and the degree of completion for the
individual audits can be found.

2) Audit:

An audit is a systematic, independent and documented process used to obtain audit results and to
evaluate these results objectively in order to determine to what extent the criteria of the audit have
been fulfilled.

3) Question List:

Question lists are multilingual collections of questions that are answered during the execution of
the audit. The allowed valuation can be planned for each hierarchy level.

4) Corrective Actions:

These are actions that are deemed necessary to eliminate the cause of errors that were determined
during the audit and to prevent their recurrence. The corrective actions to be executed must be
appropriate to the effects that the particular error has on the product.

5) Preventive Actions:

These are actions that are deemed necessary to eliminate the causes of possible errors before they
occur. The preventive actions to be executed must be appropriate to the effects that the possible error
could have on the product.

Once the question list has been created, you have to release the question list.

The main topics are;

 System Overview
 Security & Access Protection
 Workbench Organizer
 Transport System
 Accessing and Logging DB Tables
 Job Request Procedure
 Documentations
 System Logs
 Batch Input Interface
 Master Data Changes
 Reconciling Posting Data Closing
 Invoice Checking and Posting Run
 Business Process Auditing
 BASIS Audit

Once the audit question list is created or uploaded to SAP, the user must create a sample checklist
to be submitted to the client. The checklist should contain:

 all the documents that the client has to submit;
 all the questions that the client has to answer.

Every company should run the audit at least twice a year to ensure that the system is working as
intended and that no manipulations have been made, thereby ensuring management control over the
system and, through it, over the employees.

To achieve the audit objectives, we have performed the following:

• obtained access to the Public-Money Financials test system, and verified the capital
projects functionality against published training materials and other relevant
documents;
• conducted interviews with staff from the PBD, ITS, Transportation & Public Works,
and Water departments;
• conducted interviews with the Company’s contracted internal auditors;
• flowcharted the current capital projects process, as outlined in published materials;
• reviewed system-generated reports to verify the accuracy of information reported;
• verified that project funds have been posted accurately;
• reviewed interfaces to the Public-Money Financials system to verify interface
frequency and schedule, and to verify that testing was conducted and completed
prior to go-live;
• reviewed software security set-up and user accounts for proper segregation of duties,
user access, and capabilities; and,
• evaluated internal controls related to capital projects within Public-Money
Financials.

We conducted this audit in accordance with generally accepted government auditing standards. Those
standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to
provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives.

8. Documents reviewed

Documents form a critical part of the work while carrying out an audit. Reviewing them is essential to
get to know the environment and working culture of the organisation. We reviewed a large number of
documents during the course of our assignment. The important documents reviewed by us are as
under:

 Blue Print of the Business


 Scope of Assignment
 Organization Chart outlining, the organization hierarchy and job responsibilities
 Business Case
 User Manuals and Technical Manuals relating to systems and application software currently
in use.
 Various Policies of Organization
o IT Policy
o Business Continuity Policy
o Security Policy
o Accounting Policy
o Outsourcing Policy
o Inventory Policy
o Delivery Policy
o Debtors and Creditors Policy
o Risk Assessment Policy
o Roles and Responsibilities
o Disaster Recovery Policy
 Access to policy statements/ circulars/ guidelines issued to employees
 Vendor Support Documentation
 Accounting Mapping Sheets
 Input Documents Maintained by the company
 Audit Trails and Exception Reports
 Resources Plan and Detailed timelines
 Segregation of Duties and Delegation of Authority
 Previous Year’s audit reports

Apart from this many other documents were reviewed as well to come to a conclusion regarding audit
findings.

9. References
The following references have been used for preparation of the report:

 www.cit.icai.org
 www.icisa.cag.gov.in
 www.isaca.org
 Institute of Chartered Accountants of India publications on "Information Systems Audit" and
"SIA 14, Internal Audit in an Information Technology Environment"
 Sarbanes-Oxley compliance: requirements of Section 404 of the SOX Act of 2002
 ISACA ITAF, 1201 "Engagement Planning"
 "Security, Audit and Control Features SAP ERP, 3rd Edition"
 Information Systems Assurance Services of ICAI, ISA-2 reference material
 ITAF guidelines for audit of third-party IT activities
 International Standards on Auditing
 Standards for IS audit and assurance issued by ISACA: 1201 Engagement Planning, 1202 Risk
Assessment in Planning, 1204 Materiality, 1205 Evidence; and IS Auditing Guidelines 2201
Engagement Planning, 2202 Risk Assessment in Audit Planning, 2204 Materiality, 2205 Evidence.

10 . Deliverables
As per the management's requirements in the appointment letter, our report/findings (Point 11 of
this report) have been structured into the following main areas:

1. Risk assessment of the deployment solution and recommendation of controls to be implemented


covering all critical operations and transaction processing.
 Unauthorized access and password management
 Significant number of errors in the Billing System: item, prices, quantity
 Shortage of inventory due to wrong input of opening inventory, movements, mismatches,
bifurcation of slow-moving stocks and reconciliation
 Attempts at hacking the computer systems, and system downtime due to Denial of Service
attacks
 Impact of errors and possible frauds which can materially or adversely affect Peacock Ltd.

2. Identification of key controls to be implemented in the relevant modules provided by Peacock Ltd.

3. Deployment strategy for the proposed solution and the specific risk management strategy to be adopted,
covering security, performance and business value.

We employed the following methodology customized for each business function reviewed:

 We first determined the components within each category to review, based on risk to the
implementation completion, intended functionality and schedule;
 Reviewed the component implementation methodology and plans for sufficiency (such as the
strategy for integration testing), and sampled the planned tests to perform;
 Observed component implementation and tracked it to the planned methodology to ensure that
there was no disconnect between what was planned and documented and the work that was
actually performed;
 Reviewed the components to be implemented using judgmental sampling to confirm that the
end result came out as planned, or was appropriately adjusted;
 Due to the nature of the ERP implementation, reporting issues in a timely manner presented
unique challenges as compared to a standard audit. As is the case with system implementation
audits, our reporting process takes into account the fact that issues are expected to occur
during an implementation and do not necessarily present a risk to the project. Further,
management had several methods available at any given time during the project to identify
and remediate issues. We have assigned ranks to the risks relating to the key controls identified
by us and suggested remediation/recommendations.

Risk Category   Definition
High            High financial or operational impact, revenue leakage and loss of revenue
Medium          Medium operational and financial impact
Low             Procedural lapses

Prior to operational testing, it is necessary to check the design effectiveness of the controls for each
process. For this purpose, a walkthrough is conducted in which each step of the process flowchart is
scrutinized and tested to see if the process followed is as documented and expected. We conducted
walkthrough for all process controls and IT controls.

 In order to identify and assess the controls inherent in the company's processes leading to the
creation of documents, the following methodology was implemented:

 Defining Materiality.
 Scoping of accounts to establish materiality of those accounts.
 Mapping material accounts to processes and sub processes.
 Walkthrough for evaluating the design of the controls.
 Identifying risks and controls inherent in the process through Management risk and control
matrix (MRCM) and process flow.
 Testing of controls for evaluating the operating efficiency.
 Identifying control gaps existing in the process and remediation.

 The following is the scope for Information Technology General Controls (ITGC) and
substantive testing:

 Application controls - The automated controls which are inbuilt in the financial and the
business application.
 General Computer Controls - The corresponding infrastructure which
supports the applications directly impacting financial statements and the physical environment
in which these applications exist.

 Testing: The testing was done to ensure the operating effectiveness of the controls identified.
Management had decided to conduct the testing at three locations for all the processes mapped. The
strategy for testing was as follows:

1. Identification of Controls: In all the processes, certain risks which have a very high material
impact, or which are important in the context of financial reporting, were chosen; the controls
mitigating those risks, embedded in the processes, were identified and documented in the MRCM of
the respective processes. All identified controls were tested to determine their operating
effectiveness.

2. Periodicity of controls: Based on the periodicity of operation of the controls (monthly, weekly or
transactional), the number of samples to be tested was arrived at.

3. Selection of sample: After arriving at the number of samples to be tested for each individual
control based on its periodicity of operation, the samples to be tested were selected to encompass the
variability that could arise in the operation of that particular control.

4. Period for selection of sample: The samples were selected based on the sampling table. Deviation
in the sample's periodicity was allowed only in those cases where there was no occurrence of the event
during that particular period, after obtaining written confirmation from the activity/control owner.

5. Method of testing: The method of testing adopted for each individual control is specified in the
appendix of the documentation (Test Work Sheets) for the process, but the overall strategy was to use
the methods of observation, inquiry, inspection and re-performance.

 The following is the scope for Billing and Financial testing:

Test Steps
 Consider the population and refer to the population evidence to be collected.
 Consider the sampling table for the number of samples to be tested.
 Choose a sample from the population based on random sampling.
 Test the control according to the test steps outlined in the TWS (Test Work Sheet).
 Test whether the control is effective or ineffective for the selected sample.
 Document the evidence for effective/ineffective controls.
 Update the sample details and test results in the TWS.
 In case a selected sample is ineffective:
o If the sample size is between 1 and 3 and the control fails for one or more samples, take one
additional sample for testing.
o If two samples are ineffective after taking two additional samples, the control will be treated
as ineffective.

 We have tested the following processes and sub-processes for Information Technology
General Controls (ITGC). Deficiencies, if any, are referred to in Para 10 (Deliverables).

 Logical Security
 Change Management
 Computer Operations
 End User Computing
 Service Level Agreements (SLA)
 Physical security
 Business Continuity Plan (BCP)
 Billing - Operation
 Billing – Logical Security
 Access control
 Incident Management
 Development & Maintenance

MIS (Management Information System)

MIS was prepared for the operating effectiveness and ineffectiveness of controls. Each control was
placed into one of four quadrants based on the number of financial statement assertions (FSAs) it
addresses and on the control mechanism. The following is the chart for ascertaining the quadrant of a
control (FSAs on the vertical axis, control mechanism on the horizontal axis):

Quadrant 1 (Low-Low): FSAs: less than 3. Control mechanism: other than Reconciliation, SOD,
Authorization, Configuration, User Access.
Quadrant 2 (Low-High): FSAs: less than 3. Control mechanism: Reconciliation, SOD, Authorization,
Configuration, User Access.
Quadrant 3 (High-Low): FSAs: 3 or more. Control mechanism: other than Reconciliation, SOD,
Authorization, Configuration, User Access.
Quadrant 4 (High-High): FSAs: 3 or more. Control mechanism: Reconciliation, SOD, Authorization,
Configuration, User Access.

The MIS attached highlights the total number of controls, total controls effective and the total
controls which are ineffective both manual and the automated controls.

Risks: The risks considered are based on the following parameters-

 Access risks
 Anti-fraud risk
 Risks affecting financial reporting

11. Findings and Recommendations

We have audited the recently implemented ERP environment of Peacock Ltd. The responsibility for
implementing a proper and effective ERP system, in general and specifically in terms of operational
policy, lies with the Management and with the service providers as per the respective SLAs.

The IS Audit method and approach is to express an opinion on the proposal submitted by the service
provider and to recommend its applicability, along with remedial measures, for the service to be
provided as per the proposal within the business structure of the company.
This IS Audit has been conducted to help the management decide on acceptance of the ERP
software and to identify critical areas. It does not provide assurance as to future viability but is
a comment on the present state of affairs. This report is for the use of the management and not for
any external agency.

The report is based on the management's request for an evaluation of the present ERP system and its
applicability in the areas of security, data privacy and compliance.

The IS Audit has been conducted as per the ISACA ITAF standards and the ICAI Standards on Auditing.
The expression of an opinion is subject to the inherent limitations of internal controls: implemented
controls may fail to prevent or detect misstatements due to error or fraud. The audit is also subject
to the limitation that it is performed on the documents presented, leaving a possibility of errors or
fraud going undetected.
Based on the information, explanations and documents provided for our review, we have stated below
our major findings, which in our understanding are critical to the objectives for which the ERP
environment was established. We also present our recommendations, which require the focus of the
management. A Management Implementation Plan (MIP) must be prepared for all the recommendations
below, and the MIP tracker must be reviewed on a monthly basis as per the timelines set by the
management. Below is the bifurcation based on the criticality of our recommendations:

Identification of key controls to be implemented in the relevant modules provided by Peacock
Ltd.:

Business Finding Control Implication Recommendation


Function (Risk
Rating)
Inventory Incorrect Closing Physical inventory High Along with periodic physical
Management Stock is reflected in is checked on a verification, the company
the system periodic basis and should only use system
tallied with the generated GRNs and Issue
book balance notes to capture every
movement of inventory in the
ERP.
Stock issues exceed Safety stock level Medium Reorder of item is
the inventory is set in the automatically initiated which
balance system. has to be approved by the
Inventory Manager
Inventory Value is The inventory High The inventory should be
incorrectly rates are linked to linked to the purchase invoices
reflected the purchase and the issues are made on a
invoices and the FIFO basis.
issues are made on
a FIFO basis.
Unauthorised Changes made in Medium A report should be extracted
changes are made in Bill of Material by where the change and the User
Bill of Materials the official have to ID of the person initiating and
be authorised by authorising the change is
the Inventory reflected.
Manager
Slow-moving and Inventory ageing Medium Inventory Tracking Report
non-moving stock report is generated which is auto-generated
is not detected and studied by the should be used by the
Inventory company.
Manager
Purchase New vendors can be Authorisation for High Management should
Management created or existing creation of new authorized & segregate the
vendors can be vendors or duties & responsibilities of
modified without modification in specific person for customer
authorisation existing data base.
Risk: Purchase can be booked without creation of a purchase request.
Control: While entering purchase details there should be a mandatory PRN data field, without which the purchase cannot be placed.
Risk rating: Medium
Recommendation: Purchase can be booked only after the purchase request is approved by the Purchase Manager.

Risk: Purchase invoice may not be as per the Purchase Order.
Control: The Purchase Invoice should not be booked without linking it to the Purchase Order number.
Risk rating: High
Recommendation: Purchase can be booked only after the purchase is approved by the Purchase Manager.

Risk: Purchase Invoice booked before actual receipt of goods.
Control: Establishment of a link between the GRN and the Purchase Invoice.
Risk rating: Medium
Recommendation: The Purchase Invoice should be booked only after the Goods Received Note is generated.

Module: Accounts Payable Management
Risk: Unauthorised payment made to vendor.
Control: Payment is processed only after it is authorised by the appropriate authority.
Risk rating: High
Recommendation: The system restricts processing of a payment higher than the particular invoice, as per the delegation of powers.

Risk: Vendor reconciliation not carried out periodically, which may result in an incorrect liability statement.
Control: Reconciliation on a periodic basis.
Risk rating: Medium
Recommendation: The reconciliation should be done and exceptions should be reviewed.

Module: Sales and Shipping Management
Risk: Sales invoice is not generated as per the customer order.
Control: The sales order should be verified against the customer order by an authorised official.
Risk rating: High
Recommendation: A sales invoice can be made only after it is linked with the customer order.

Risk: Delay in the dispatch process.
Control: Flashing/highlighting on screen of any delay in dispatch beyond the normal number of days.
Risk rating: Medium
Recommendation: There should be a specific report which generates details of delays in dispatch.

Risk: No change in terms & conditions of sales, and the same terms for all parties.
Control: The terms & conditions of each party should be changed in the customer master records.
Risk rating: Medium
Recommendation: Management should periodically review the terms & conditions to ensure accuracy.

Module: Sales Opportunity Management
Risk: Unauthorised access to leads and opportunity data.
Control: Only authorised sales management persons are given access.
Risk rating: High
Recommendation: A password policy should be framed and maintained, and all staff members educated about it.

Module: Accounts Receivable Management
Risk: Customer details can be incorrectly entered in SAP.
Control: Records as to the completeness of the details mentioned in the Customer Master.
Risk rating: Medium
Recommendation: Check the completeness of the details mentioned in the Customer Master and ensure approval of the master records for any changes made.

Risk: Long outstanding receivables may not be flashed/highlighted.
Control: Timely review of receivables and follow-up for timely collections.
Risk rating: Low
Recommendation: Review of the ageing analysis, whether it shows the correct picture or not, and action plans.

Risk: Collections are not matched against the relevant invoice.
Control: Put a link between the collection and the relevant invoice.
Risk rating: Low
Recommendation: On-account receipts can be made only after special approval.

Module: Financial Accounting
Risk: The SAP solution is a standard product. Compared to the old accounting system there are many processes which need to be understood by the persons involved in the financial accounting process. The staff is not IT-trained to handle the future accounting requirements of the business, so the ultimate outcome of accounting is also a matter of concern.
Control: A strategy should be adopted for adequate training of the staff of the Accounts Department, with training at periodic intervals for new updates.
Risk rating: Medium
Recommendation: Management has to train the staff members of the department rigorously and at periodic intervals, as the outcome and performance of the business depend on the accounts of the organisation. Proper training in using the product will result in correct presentation of the state of affairs and MIS.

Module: Management Accounting
Risk: Variance reports generated by the system are inaccurate.
Control: The data used for projection and the Trial Balance should be properly linked to the Management Accounting module.
Risk rating: High
Recommendation: Projects and planning become easier when project management is integrated with the accounting system. The financial and project integration helps to increase productivity, efficiency and output.

Module: Fixed Asset Management
Risk: Not all asset codes are reflected in the Asset Register.
Control: Physical verification of assets is done, and differences with the system, if any, are looked into and verified.
Risk rating: High
Recommendation: Management should monitor the physical verification activity periodically.

Risk: Depreciation rates are not correct.
Control: Depreciation rates (IT / Company Law) are entered in the masters only by authorised persons. Changes are allowed only on special approval.
Risk rating: High
Recommendation: An authorised person should be appointed and duties should be properly allocated.

Risk: Assets are added/deleted without authorisation.
Control: Asset addition/deletion entries are posted only on authorisation by the appropriate authority.
Risk rating: High
Recommendation: Maker-checker rule to be applied.

Risk: Capital Work in Progress amount is not transferred to Fixed Assets.
Control: A Work Completion Certificate is mandatory for capitalising an asset.
Risk rating: Medium
Recommendation: A CWIP ageing report should be generated by the system.

Module: HR & Payroll
Risk: Unauthorised access to HR data.
Control: Tracking of the HR data log on a periodic basis.
Risk rating: High
Recommendation: Access should be given only to authorised employees.

Risk: If implementation of the HR module is not on time, and data migration from the legacy system is not completed or in sync, this would result in delays in the payroll cycle, the financial cycle and vendor payments.
Control: A parallel system should be running.
Risk rating: Medium
Recommendation: The HR system should first be tested against the legacy system and then brought to go-live.

Module: Service Management
Risk: Service enquiries may go unanswered.
Control: The enquiry remains open until the official enters the details of the service rendered. Service calls are recorded.
Risk rating: Medium
Recommendation: An open enquiry report is generated on a daily basis.

Risk: Invoice is not generated for service rendered.
Control: The cases in the service register should tally with the number of invoices generated.
Risk rating: High
Recommendation: Reconciliation should be made between service cases closed and invoices raised.
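The purchase-to-pay controls recommended above (PRN approval by the Purchase Manager, PO linkage, GRN before invoice, maker-checker and delegation-of-powers limits on payment) can be enforced as posting checks. The following is an added example and not code from the report or from SAP/WINSAP; the class and method names are assumed and all documents, users and amounts are constructed.

```python
"""Added example, not from the report and not SAP/WINSAP code: a minimal
purchase-to-pay ledger enforcing the purchase, payable and fixed-asset controls
recommended above.  Names are assumed; all documents and users are constructed."""
from dataclasses import dataclass, field


class ControlViolation(Exception):
    """Raised when a posting would bypass a recommended control."""


@dataclass
class PurchaseLedger:
    # Delegation of powers: the maximum payment each checker may authorise.
    dop_limits: dict
    prns: dict = field(default_factory=dict)      # PRN no -> approving manager
    pos: dict = field(default_factory=dict)       # PO no -> (PRN no, amount)
    grns: set = field(default_factory=set)        # PO nos with goods received
    invoices: dict = field(default_factory=dict)  # invoice no -> (PO no, amount)
    payments: list = field(default_factory=list)

    def approve_prn(self, prn_no, approver, role):
        # Control: the purchase request must be approved by the Purchase Manager.
        if role != "Purchase Manager":
            raise ControlViolation(f"{approver} is not the Purchase Manager")
        self.prns[prn_no] = approver

    def book_purchase_order(self, po_no, prn_no, amount):
        # Control: the PRN field is mandatory and the PRN must be approved.
        if prn_no not in self.prns:
            raise ControlViolation(f"PRN {prn_no} missing or not approved")
        self.pos[po_no] = (prn_no, amount)

    def record_grn(self, po_no):
        if po_no not in self.pos:
            raise ControlViolation(f"GRN refers to unknown PO {po_no}")
        self.grns.add(po_no)

    def book_invoice(self, inv_no, po_no, amount):
        # Control: the invoice must be linked to a PO ...
        if po_no not in self.pos:
            raise ControlViolation(f"invoice {inv_no} is not linked to a PO")
        # ... booked only after the GRN is generated ...
        if po_no not in self.grns:
            raise ControlViolation(f"no GRN yet for PO {po_no}")
        # ... and must not exceed the PO value.
        if amount > self.pos[po_no][1]:
            raise ControlViolation(f"invoice {inv_no} exceeds PO {po_no}")
        self.invoices[inv_no] = (po_no, amount)

    def pay(self, inv_no, amount, maker, checker):
        """Post a payment; returns the running count of payments made."""
        if inv_no not in self.invoices:
            raise ControlViolation(f"invoice {inv_no} was never booked")
        # Maker-checker: the person posting cannot also authorise.
        if maker == checker:
            raise ControlViolation("maker and checker must be different users")
        # Control: payment may not exceed the invoice ...
        if amount > self.invoices[inv_no][1]:
            raise ControlViolation(f"payment exceeds invoice {inv_no}")
        # ... and the checker's delegation of powers must cover the amount.
        if amount > self.dop_limits.get(checker, 0):
            raise ControlViolation(f"{checker} lacks authority for {amount}")
        self.payments.append((inv_no, amount, maker, checker))
        return len(self.payments)


def violates(action, *args):
    """True if the action is blocked by a control (handy for audit test cases)."""
    try:
        action(*args)
        return False
    except ControlViolation:
        return True
```

Each rejected posting is one of the control gaps in the table above; an auditor can replay a sample of real documents through such checks to test whether the ERP configuration enforces the same sequence.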

12. Summary/Conclusion
Peacock Ltd. has remediated certain general controls which were reported as control gaps:
• Creation of local/global strategy/policy documents for information security.
• Delegations of authority wherever not present.
• Monitoring of various masters.
• Maker and checker controls for the WFMS application.
• Review evidence preserved.
• Reconciliations for some of the activities.
• Password policy implemented for various applications.

Peacock Ltd. has remediated certain IT policy controls which were reported as control gaps.

• The organisation's IT Policy and its Information Security and Monitoring Policy have not been approved by the board.
• As there are no standard IT management practices in the company, we strongly recommend that the policies and procedures be implemented across the organisation and that the practices be monitored.
• As pointed out in the report, business continuity and disaster recovery measures need to be in place in the existing infrastructure. Management should look into this, as it is a very crucial area.
• Peacock Ltd. will have to include in the Service Level Agreement (SLA) a detailed list of controls based on security, operational and business risks, to ensure that they are complied with.
• The WINSAP team (SAP and ERP consultants) is providing one week of training to all the concerned staff members. It is recommended that the vendor extend the training period for a selected team of Peacock Ltd. staff, who would then be able to guide other staff members in the future.
• All the controls listed above should be implemented by Peacock Ltd. in order to mitigate the probable risks in the various modules offered by WINSAP, and the recommendations should be taken into consideration. This is necessary to avoid material misstatements and to prevent, detect and correct errors and frauds. Management should focus on the high-risk areas first, followed by the medium- and low-risk areas. Timelines should be set for implementing the controls that mitigate the risks: high-risk areas may be resolved within a month, and medium- and low-risk areas within three and six months respectively.

• Integration of the two systems (Barcoding & Inventory Application and Chain Store Management) had not been tested adequately.
• Delayed shipments of appliances to distributors and retailers. One major problem of Peacock Ltd. is the coordination of technical and business expertise. Peacock Ltd. ignored the cautionary advice from the consultant and chose to go live.
• Excess shipments resulting from incorrect orders, costing the company millions of dollars. The company failed because of inadequate risk management and change management.
• Lack of clear goal, focus and scope: changes need to be made quickly in ordering, manufacturing and other systems, but this cannot be done in a highly integrated system.
• Hard to incorporate the ERP into existing systems.
• Newly hired SAP trainers (professionals and staff) led to major issues in operation and also lacked background information on the business.

Logical Security

Risk: Unauthorized access to the organization's confidential information/data.
Actual control: The password policy is defined on various information systems including Domain (i.e. Windows, UNIX), applications and databases (i.e. Oracle Server):
> Minimum password length is 8 alphanumeric characters.
> Account should be locked after 3 unsuccessful login attempts.
> Maximum password expiry duration is 120 days.
Mitigation mechanism: The password policy should be defined for all systems and applications as per the information security policies and procedures defined by the company.

Risk: Unauthorized access to critical systems and data.
Actual control: The user access control matrix is defined and entitlements are reviewed periodically by the appropriate authority.
Mitigation mechanism: The user access control matrix should be reviewed periodically.

Risk: The organization's network is not protected from external attack or worms.
Actual control: The firewall, routers and IDS are installed and properly configured to protect the network perimeter from potential external attack from the Internet, and the audit trail is enabled on the firewall to detect external attacks.
Mitigation mechanism: The firewall, routers and IDS should be installed and properly configured to protect the network perimeter from potential external attack from the Internet. The audit trail should be enabled on the firewall to detect external attacks.

Risk: Critical systems and data remain unprotected.
Actual control: The firewall and IDS audit logs are reviewed periodically by the appropriate authority. Escalation of exception logs is done in a timely manner.
Mitigation mechanism: The firewall and IDS audit logs should be reviewed periodically by the appropriate authority, and escalation of exception logs should be done in a timely manner.

Risk: Unauthorized changes to critical systems and data.
Actual control: The audit trail is enabled on various information systems such as Domain, Unix, database and application. The audit logs recording exceptions, creation/modification and access violations are produced and kept for investigation and access control monitoring.
Mitigation mechanism: The audit trail should be enabled on various information systems such as Domain, Unix, database and application. The audit logs recording exceptions, creation/modification and access violations should be produced and kept for investigation and access control monitoring.

Risk: Unauthorized changes to critical systems and data without detection.
Actual control: Sensitive user IDs such as administrators and super users are monitored using a user monitoring tool, and activity logs are captured.
Mitigation mechanism: Sensitive user IDs such as administrators and super users should be monitored using a user monitoring tool, and activity logs should be captured.

Risk: Information system is vulnerable.
Actual control: A patch management procedure is established. OS, firewall and router patches are updated regularly.
Mitigation mechanism: Patches should be updated regularly.

Risk: Loss due to leakage of information, and inability to recover damages from the perpetrator.
Actual control: The SLA clearly states the requirements for confidentiality or non-disclosure agreements, reflecting the need for protection of information.
Mitigation mechanism: The SLA should clearly state the requirements for confidentiality or non-disclosure agreements, reflecting the need for protection of information.
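The password policy above states a lockout after 3 unsuccessful attempts, and the audit-trail rows call for exception logs to be reviewed and escalated. The following added example (not from the report; the log format, host names and user names are constructed) reviews a sample audit trail and lists the accounts that reached the threshold without being locked, which is exactly the exception an auditor would escalate:

```python
"""Added example, not part of the report: an audit-log review that tests whether
the lockout control stated above (account locked after 3 unsuccessful logins)
actually fires.  The log format is constructed for this example; real Domain,
Unix or database audit logs differ and the parser would need adapting."""
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 3  # unsuccessful attempts, as per the password policy above

# Constructed sample audit trail.  A SUCCESS resets the streak; a LOCKED line
# shows the control fired; reaching the threshold without LOCKED is an exception.
SAMPLE_LOG = """\
2019-06-01T09:00:01 app01 auth: FAILED login user=alice src=10.0.0.5
2019-06-01T09:00:09 app01 auth: FAILED login user=alice src=10.0.0.5
2019-06-01T09:00:15 app01 auth: SUCCESS login user=alice src=10.0.0.5
2019-06-01T09:01:00 db01 auth: FAILED login user=sa src=10.0.0.77
2019-06-01T09:01:04 db01 auth: FAILED login user=sa src=10.0.0.77
2019-06-01T09:01:08 db01 auth: FAILED login user=sa src=10.0.0.77
2019-06-01T09:01:10 db01 auth: FAILED login user=sa src=10.0.0.77
2019-06-01T09:02:00 dc01 auth: FAILED login user=bob src=10.0.0.9
2019-06-01T09:02:03 dc01 auth: FAILED login user=bob src=10.0.0.9
2019-06-01T09:02:06 dc01 auth: FAILED login user=bob src=10.0.0.9
2019-06-01T09:02:06 dc01 auth: LOCKED account user=bob
2019-06-01T09:03:00 app01 auth: FAILED login user=carol src=10.0.0.12
2019-06-01T09:03:02 app01 auth: FAILED login user=carol src=10.0.0.12
2019-06-01T09:03:05 app01 auth: FAILED login user=carol src=10.0.0.12
2019-06-01T09:03:09 app01 auth: SUCCESS login user=carol src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<event>FAILED|SUCCESS|LOCKED) "
    r"(?:login|account) user=(?P<user>\S+)"
)


def parse(log_text):
    """Yield one dict per recognised line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def review_lockouts(log_text, threshold=LOCKOUT_THRESHOLD):
    """Return {(host, user): failed_attempts} for accounts that reached the
    lockout threshold but were never locked, i.e. exceptions to escalate."""
    streak = defaultdict(int)   # consecutive failures per (host, user)
    breached = {}               # (host, user) -> attempts when threshold hit
    locked = set()
    for ev in parse(log_text):
        key = (ev["host"], ev["user"])
        if ev["event"] == "FAILED":
            streak[key] += 1
            if streak[key] >= threshold:
                breached[key] = streak[key]
        elif ev["event"] == "SUCCESS":
            streak[key] = 0      # a later success must not hide the breach
        elif ev["event"] == "LOCKED":
            locked.add(key)
    return {k: n for k, n in breached.items() if k not in locked}
```

In the sample, `sa` on the database server and `carol` on the application server are reported: both exceeded 3 failures with no lockout event, and `carol` then logged in successfully, which shows the stated control is not enforced on that system.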

Change Management

Risk: Development/acquisition or change is not aligned with the objectives of the organization.
Actual control:
1. Documented change management procedures exist.
2. Technology standards are developed and maintained in line with the objectives of the organization.
3. Technology standards cover:
• Architecture
• Open database standards
• Interfaces and API standards
• Security standards
Mitigation mechanism: The IT policy should cover technology standards such as:
• Architecture
• Open database standards
• Interfaces and API standards
• Security standards
Physical Security

Risk: Unauthorized access to and damage of computer systems.
Actual control:
1) All critical systems reside in the PEACOCK LTD. data center (DC).
2) Access to the data center for regular/contractual employees is provided on a need basis through an access control card, after due approval from the department head.
3) For temporary visitors/vendors, approval is given by the department head and the visitor is escorted by a person.
4) A security person is posted at the entrance of the data centre. All entries of persons visiting the data center are recorded in a logbook.
Mitigation mechanism: 1) Access to the data center should be restricted through access control card only.

Risk: Environmental controls are not implemented, which may contribute to permanent damage of application systems, data and backup media.
Actual control: The data centre environment is furnished with the following environmental controls to protect the IT equipment:
- Raised false flooring
- Air conditioning with constant humidity control
- Smoke detector
- Fire alarm
- Fire suppression (FM200)
- Fire extinguishers
- CCTV
Mitigation mechanism: CCTV should be installed in the data center to protect IT equipment.

Risk: Unavailability of information system processes.
Actual control: The facility has a separate and independent power supply/backup generator.
Mitigation mechanism: The facility should have a separate and independent power supply/backup generator. A record of the same should be maintained periodically (monthly).

Computer Operations

Risk: IT operations are not aligned with business objectives.
Actual control: Management has established and documented standard procedures for IT operations, including job scheduling and monitoring, and responding to security, availability and processing integrity events.
Mitigation mechanism: A copy of the documented roles and responsibilities should be defined in the policy, along with the list of scheduled jobs, the persons authorized to run jobs, and the operator's sign-off sheet for successful completion of the jobs.

Risk: Unauthorized jobs can be executed.
Actual control: The audit log is enabled on various systems such as the Unix server, Windows server, database server and application server, and the same has been checked based on criticality. The audit log is reviewed periodically by the process owner and exception logs are escalated to the appropriate authority.
Mitigation mechanism: The audit log should be enabled on various systems such as the Unix server, Windows server, database server and application server, and the same has to be checked based on criticality. The audit log should be reviewed periodically by the process owner and exception logs should be escalated to the appropriate authority.

Risk: Unauthorized jobs can be executed.
Actual control: The archive log, syslog and Windows security log are stored in safe custody, and read-only access is given to the security administrator.
Mitigation mechanism: A security administrator should be appointed to review all types of logs defined in the system.

Risk: The jobs are not monitored for completeness.
Actual control: Online monitoring procedures on the systems and applications are established. In case of failure of a job, the owner is required to follow up, fix the problem identified and escalate the issues to the appropriate authority.
Mitigation mechanism: Online monitoring procedures on the systems and applications should be established. In case of failure of a job, the owner is required to follow up, fix the problem identified and escalate the issues to the appropriate authority as per the escalation matrix.

Risk: Risk of non-delivery and failure on the part of third parties.
Actual control: Third-party service reports (such as network scanning and vulnerability reports) are regularly monitored and reviewed periodically.
Mitigation mechanism: Third-party service reports (such as network scanning and vulnerability reports) should be regularly monitored and reviewed periodically.

End User Computing

Risk: End-user computing policies and procedures concerning security, availability and integrity are not documented.
Actual control: The end-user computing policies and procedures are properly documented. The policies and procedures are well communicated to end users.
Mitigation mechanism: The end-user computing policies and procedures should be properly documented and communicated to end users.

Risk: No appropriate check on transaction completeness and accuracy.
Actual control:
1) A procedure is established wherein management verifies the accuracy and completeness of information processed and reported from user-developed systems.
2) There is a procedure for approval of outputs from user-developed systems prior to their submission for further processing or final reporting.
Mitigation mechanism: Any document maintained outside the system, or on a local drive at the end user, should be verified by the user.

Access Control

Risk: Unauthorized access to information, information processing facilities and business processes.
Actual control: The authorised access control matrix is reviewed periodically for all applications and systems.
Mitigation mechanism: The authorised access control matrix should be reviewed periodically for all applications and systems.

Risk:
- Misuse of privileged access going undetected.
- Inappropriate usage of system administrator privileges can be a major cause of system failures and/or breaches.
Actual control: Access rights for the systems are reviewed half-yearly. Also, the system administrators for operating systems, networks and databases are different entities.
Mitigation mechanism: Access rights for the systems should be reviewed periodically and the audit trail should be enabled.

Risk: Unauthorized user access, and compromise or theft of information and information processing facilities.
Actual control: Screen-saver passwords are enabled on all machines. Unix-based machines are controlled using session control for a short period.
Mitigation mechanism: Screen-saver passwords should be enabled on all machines. Unix-based machines should be controlled using session control for a short period.

Risk: Unauthorized and insecure connections to network services.
Actual control: Access rights are given to authorised persons for network services.
Mitigation mechanism: Access rights should be given to authorised persons for network services.

Risk: Unauthorised access to systems, which could result in data theft/deletion/alteration and modification to system configurations.
Actual control: Unique IDs are given to every user.
Mitigation mechanism: Unique IDs are not given to every user.

Risk: Unauthorised access to systems, which could result in data theft/deletion/alteration and modification to system configurations.
Actual control: Complex passwords are implemented in all applications.
Mitigation mechanism: Passwords in all applications should be implemented as per the password policy defined by the company.

Billing Logical

Risk: Authorized IDs can be discovered and used by someone other than the rightful owner.
Actual control: IDs and passwords are constructed, and the minimum password length control is enabled, as per the password policy.
Mitigation mechanism: Passwords in Billing should be implemented as per the password policy defined by the company.

Risk: Authorized IDs can be discovered and used by someone other than the rightful owner.
Actual control: Password changes are automatically enforced on a regular basis.
Mitigation mechanism: Password changes should be automatically enforced on a regular basis.

Risk: User accounts are properly protected from non-designated users.
Actual control: An access control list is established for controlling user access to the critical directories containing system files and database files.
Mitigation mechanism: An access control list should be established for controlling user access to the critical directories containing system files and database files.

Risk: The access to sensitive application systems and databases is properly monitored.
Actual control: In the case of both Billing systems, automatic lockouts are enabled at the platform level for a specified number of consecutive unsuccessful login attempts to the application.
Mitigation mechanism: In the case of both Billing systems, automatic lockouts should be enabled at the platform level for a specified number of consecutive unsuccessful login attempts to the application, as per policy.

BCP/DRP

Risk: No policy/procedure in place to ensure timely recovery of business in case of disaster.
Actual control: PEACOCK LTD. has a formal documented BCP/DRP plan that addresses all core processes and technology (e.g., applications, critical servers, backup sites). All employees involved in the plan have adequate training and knowledge of the BCP/DRP plan.
Mitigation mechanism: PEACOCK LTD. should have a formal documented BCP/DRP plan that addresses all core processes and technology. All employees involved in the plan should be given adequate training and knowledge of the BCP/DRP plan.

Risk: Improper knowledge of the infrastructure plan is fatal for employee life.
Actual control: Maps and exit signs are located throughout the site, distinctly indicating exit routes in the event of an evacuation. Emergency exits across the PEACOCK LTD. sites are present and tested.
Mitigation mechanism: Mock drills and training on emergency exits across the PEACOCK LTD. sites should be given to employees periodically, to ensure the safety of employees during a disaster.

Risk: Recovery is not ensured in the absence of a Crisis Management Team.
Actual control: 1. The roles and responsibilities are clearly defined in the BCP/DRP. The following team members are aware of their roles and responsibilities:
1. Administration Coordinator
2. Computer Support Coordinator
3. Network Leader
4. Facility Coordinator
5. Inventory Coordinator
Mitigation mechanism: 1. The roles and responsibilities should be clearly defined in the BCP/DRP. The following team members should be aware of their roles and responsibilities:
1. Administration Coordinator
2. Computer Support Coordinator
3. Network Leader
4. Facility Coordinator
5. Inventory Coordinator

Risk: Loss of assets and business interruptions are not transferred.
Actual control: PEACOCK LTD. has an insurance policy which covers critical business interruptions, loss of human life and loss of assets incurred due to disaster.
Mitigation mechanism: The PEACOCK LTD. insurance policy should cover critical business interruptions, loss of human life and loss of assets incurred due to disaster.

Observation and Recommendations for Supply Chain:

Supply chain problem: Linear sequence of processing is too slow.
IT solution: Parallel processing, using workflow software.

Supply chain problem: Waiting times between chain segments are excessive.
IT solution: Identify the reason and expedite communication and collaboration (intranets, groupware).

Supply chain problem: Existence of non-value-added activities.
IT solution: Value analysis, simulation software.

Supply chain problem: Slow delivery of paper documents.
IT solution: Electronic documents and communication system.

Supply chain problem: Repeated process activities due to wrong shipments, poor quality, etc.
IT solution: Electronic verification (software agents), automation, eliminating human errors, electronic control systems.

Supply chain problem: Batching; accumulating work orders between supply chain processes to get economies of scale (e.g. to save on delivery).
IT solution: Software analysis, digitising documents for online delivery.

Supply chain problem: Learning about delays after they occur, or learning too late.
IT solution: Tracking systems, anticipating delays, trend analysis, early detection (intelligent systems).

Supply chain problem: Excessive administrative controls such as approvals (signatures). Approvers are in different locations.
IT solution: Parallel approvals (workflow), electronic approval system. Analysis of need.

Supply chain problem: Lack of information, or too slow a flow of information.
IT solution: Internet/intranet, software professionals for monitoring and alerts. Bar codes, direct flow from POS terminals.

Supply chain problem: Lack of synchronisation of moving materials.
IT solution: Workflow and tracking systems. Synchronisation by software professionals.

Supply chain problem: Poor coordination, cooperation and communication.
IT solution: Groupware products, constant monitoring, alerts, collaboration tools.

Supply chain problem: Delays in shipments from warehouses.
IT solution: Use robots in warehouses, use warehouse management software.

Supply chain problem: Redundancies in the supply chain. Too many purchase orders, too much handling and packaging.
IT solution: Information sharing via the Web, creating teams of collaborative partners supported by IT.

Supply chain problem: Obsolescence of stocks, and obsolete stock that stays too long in storage.
IT solution: Reducing inventory levels by sharing information internally and externally, using intranets and groupware.

13. Abbreviations

CAAT Computer Assisted Audit Techniques
ITGC Information Technology General Controls
ERP Enterprise Resource Planning
GRN Goods Received Note
HR Human Resources
IT Information Technology
PRN Purchase Requisition Note
SLA Service Level Agreement
SQL Structured Query Language
IDEA Interactive Data Extraction and Analysis
LAN Local Area Network
TWS Test Work Sheet

14. Acknowledgement
We would like to thank the Financial Management Services, Performance & Budget, and IT Solutions
Departments for their cooperation and assistance during this audit.
