
Project Report

of
DISA 2.0 Course
CERTIFICATE
Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted
at the UDUPI BRANCH OF SIRC OF ICAI from 05-01-2019 to 03-02-2019 and that we have the
required attendance. We are submitting the Project titled “EVALUATION OF SOFTWARE
DEVELOPMENT PROJECT”. We hereby confirm that we have adhered to the guidelines
issued by CIT, ICAI for the project. We also certify that this project report is the original work
of our group and that each one of us has actively participated and contributed in preparing this
project. We have not shared the project details or taken help in preparing the project report from
anyone except members of our group.

1. Name: SOWMYA KAMATH M        DISA No. 56738      Signed

2. Name: SUSHMITHA PRABHU       DISA No. 56333      Signed

3. Name: ANAND TEERTHA          DISA No. 55418      Signed

4. Name: ROY SUDEEP D’SOUZA     DISA No. 54118      Signed

Place: UDUPI

Date: 17.02.2019
Project Report

Evaluation of Software
Development Process
2/17/19
Table of Contents

1. Introduction................................................................................ 3

2. Auditee Environment................................................................ 7

3. Background & Situation............................................................10

4. Scope and Terms of assignment...............................................15

5. Logistic arrangements required...............................................17

6. Methodology and Strategy adopted for the Audit................18

7. Documents Reviewed ...............................................................34

8. References....................................................................................36

9. Deliverables.................................................................................37

10. Format of Report/ Findings......................................................40

11. Summary / Conclusion..............................................................44

1. INTRODUCTION

With a vision to fulfil the expectations of the Government, the Dakshina Vidyuth
Distribution Company Limited (a subsidiary of the Government of Karnataka) came into
being on 2nd June 2005 with the objective of distributing electricity to the people
at an affordable price. It was initially established to cater to the needs of consumers
in Dharwad district, but has gradually expanded its reach to nearby districts. It has
helped the people of north Karnataka to have a reliable and continuous power supply
with minimal interruption.

Its headquarters is at Hubli, a major industrial town of Karnataka. The DVDCL
campus occupies 15 acres on the outskirts of the city, and its area of supply covers
five districts of Northern Karnataka: Belagavi, Gadag, Haveri, Koppal and Bagalkot.
Today DVDCL caters to the power requirements of 1.5 crore consumers. It has a vast
infrastructure in its operating area: 1,504 33/11 kV substations, 2,942 power
transformers, 1,102 33 kV feeders, 6,609 11 kV feeders and around 3,84,477
distribution transformers of various capacities.

Having electrified 6,489 villages, 5,600 general hamlets, 2,059 tribal hamlets, 12,105
Dalit wadas and 5,806 weaker-section colonies, DVDCL looks forward to meeting
many challenges with a promise to deliver quality customer service through
innovative programmes.

Vision
1. Customer satisfaction through service excellence.
2. To become one of the most efficient power generation companies globally.
3. To build, operate and maintain an efficient power transmission system.

Mission
1. To drive for efficiency and reliability in our operations by providing
excellent service driven by innovation, excellence and knowledge.
2. To use the best technology in communication and best practices in the power
sector.
3. To provide reliable and quality power at competitive cost.
4. To reach global standards in reducing distribution losses.

Growing customer needs and, more importantly, the emergence of new players in
the power sector have driven DVDCL to aim at providing superior experience and
value to its customers. The Company intends to streamline the registration of new
applicants and improve its systems for billing, accepting payments and resolving
customer grievances.

DVDCL intends to achieve these objectives by renewing its existing software.
However, because of quality and interoperability issues and failure to adhere to the
functional specifications, development and implementation of the new software
have been persistently delayed.

To overcome the difficulties in the current software development process, DVDCL
has appointed M/s ARS & Co., a firm of Chartered Accountants, to identify areas of
control weakness and to recommend improvements and best practices that can be
adopted in the software development model.

THE AUDIT ENGAGEMENT TEAM

Our approach to selecting the right people for a project is to bring together the
skills and experience a particular assignment needs from the rich mix available
in the firm. The assignment will be executed by M/s ARS & Co under the personal
supervision and leadership of Ms X.

M/s ARS & Co is one of the leading practitioners in the area of IS audit, and the
engagement team comprises the following main members:

1. Ms X – Team leader (DISA and CISA qualified, with over 15 years of
experience in IS audit).

She has worked on 30+ SAP engagements across industries such as FMCG,
Telecom, Heavy Engineering, Automotive, Media, Chemicals, Oil & Gas,
Professional Services and Insurance, in key leadership roles in program and
project management.

She has extensive experience and a comprehensive understanding of the
processes involved in SAP Financials, SAP Costing including Material Ledger
Actual Costing, India Localization, Treasury Management and SAP Cross-Module
Integration.

2. Mr Y, Mr Z, Ms K, Ms L – Team members (all DISA qualified, with 5-8 years of
experience in the audit of software development projects, who have worked on
various global rollout projects in India with a specific focus on providing SAP
solutions for tax and other statutory compliance).

The team has handled various other projects concerning IS audits and has
consulted on Software Development Life Cycle, Migration Audits, Business
Continuity Management and related areas.

2. AUDITEE ENVIRONMENT

About the Auditee

The DVDCL is a public sector entity owned by the Government of Karnataka,
with its headquarters in Hubli. It was incorporated in 2005 in view of the surge in
demand for power that accompanied economic growth, and it is poised for multi-fold
growth in the years to come. The Company currently caters to the power needs of
five districts of Northern Karnataka and plans to extend power supply to other
districts in the forthcoming years.

Nature of Business:

The DVDCL is in the business of supplying power and caters to the needs of both
business organisations and retail customers.

The key duties of the DVDCL include:

A. Laying and operating such electric lines, sub-stations and electrical plant as are
primarily maintained for the purpose of distributing electricity in the area of
supply of DVDCL, notwithstanding that such lines, sub-stations or electrical
plant are high-pressure cables or overhead lines, or are associated with such
high-pressure cables or overhead lines, or are used incidentally for the purpose
of transmitting electricity for others, in accordance with the Electricity Act, 2003
and the Rules framed thereunder.
B. Operating and maintaining the existing generating stations, and establishing,
operating and maintaining generating stations, tie-lines, sub-stations and
dedicated transmission lines connected therewith as per the provisions of the
Act and the Rules framed thereunder.
C. Arranging, in coordination with generating companies operating outside the
State, for the supply of electricity required within the State and for its
distribution in the most economical and efficient manner.
D. Supplying electricity, as soon as practicable, to any person requiring such
supply, within its competency to do so under the said Act.
E. Preparing and carrying out schemes for distribution and generally for
promoting the use of electricity within the State.

ORGANIZATIONAL STRUCTURE OF THE DVDCL

Technology Infrastructure
Hardware used:

The DVDCL currently uses desktops and laptops supplied by a vendor, M/s CompNext
Solutions Private Limited. An annual maintenance contract (AMC) has been entered
into with the vendor, and servicing, repairs and replacements are carried out by it
under the terms of the AMC.

System Software:

DVDCL currently uses Windows 7 as the operating system across its entire area of
operations. Mainstream support for Windows 7 ended in January 2015 and Microsoft's
extended support was scheduled to end on 14 January 2020, so the operating system
itself has to be on the renewal roadmap alongside the application software.

Application Software:

Until recently, DVDCL used a general-purpose package called ‘Electronic Billing
Software’ (EBS), developed and supplied by M/s NextGen Software. Because that
software lacks many features and cannot handle the growing business needs, DVDCL
has decided to retire it and adopt new software designed by Bharath Software
Services Private Limited.

Network:

DVDCL offices are connected through a remote connection that is gated by validation
checks. Employees are issued six-digit security codes that change every 60 seconds (a
time-based one-time password generated by a token) and connect to the network
remotely using these dynamic codes.
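As an added example (not code from the report or from DVDCL's systems), here is how six-digit codes that rotate on a fixed period are generated and checked on the server side, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The 60-second period is the one described above; HMAC-SHA1, the one-step drift window, the per-employee secret and the replay check are assumptions about how such a scheme is usually deployed:

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer and reduction to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 60, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of whole `period`-second
    steps since the Unix epoch, so the code changes every `period` seconds."""
    return hotp(secret, at // period, digits)


class TotpAuthenticator:
    """Server side of the scheme (assumed design): one shared secret per
    employee, a small drift window for clock skew, a constant-time comparison,
    and a record of the last accepted step so that a captured code cannot be
    replayed within the window. The code is only one factor; a password or
    certificate still has to be checked separately before network access."""

    def __init__(self, period: int = 60, digits: int = 6, window: int = 1):
        self.period, self.digits, self.window = period, digits, window
        self._secrets: dict[str, bytes] = {}
        self._last_step: dict[str, int] = {}

    def enrol(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret
        self._last_step[user] = -1

    def check(self, user: str, code: str, at: int) -> bool:
        secret = self._secrets.get(user)
        if secret is None or len(code) != self.digits or not code.isdigit():
            return False
        step = at // self.period
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self._last_step[user]:
                continue  # step already consumed (or older): refuse replays
            if hmac.compare_digest(hotp(secret, candidate, self.digits), code):
                self._last_step[user] = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: the RFC 4226/6238 test key, shown with a 30-second
    # period so the values can be checked against the RFC test vectors.
    key = b"12345678901234567890"
    auth = TotpAuthenticator(period=30)
    auth.enrol("employee-1", key)
    code = totp(key, 59, period=30)
    print(code, auth.check("employee-1", code, 59), auth.check("employee-1", code, 59))
```

Run as a script this prints 287082 True False: the RFC test-vector code for the first 30-second step, accepted once and then refused as a replay. With the 60-second period used at DVDCL the same logic applies; only the step length changes.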

Users:

DVDCL has a workforce of 1,257 people, of whom 430 are engaged in back-end
operations and the rest are field employees. Employees engaged in the main system
operations are trained in basic computer use and system software only at the time of
initial recruitment.

DVDCL has introduced a number of new IT initiatives for improving the quality of
power supply:
1. Electronic Spot Billing
2. Online Bill Payment
3. Web Enabled Computer Service Stations
4. Tie-up with e-Seva Centres for Bill Payment
5. EBS, MATS, CAT
6. Vidyut Sadassus (sub-station wise meetings)

3. BACKGROUND & SITUATION (Project Case Study)

DVDCL felt the need to revamp its existing customer processes (such as the billing
process and customer-facing connections) in order to improve efficiency and
effectiveness and to automate its business functions. It approached Bharath Software
Services Pvt Ltd to develop a programme to renew its information systems. However,
the IT solution delivered by the programme (Bharath Bill Pay) did not fully meet the
requirements specified by DVDCL's management, and so the entire process of meter
reading, billing, customer relationship management and various other technological
interventions could not be redesigned effectively and efficiently.

Functional specifications had been created, but the developers, Bharath Software
Services Pvt Ltd, deviated from them without appropriate approval or feedback. This
resulted in improper and incorrect decision making that had a large impact on
consumer service and governance. The additional work and the inefficiencies in
service development also delayed deliveries, pushed up IT costs and the provider's
fees, and lowered the quality of service to customers, for example through incomplete
information reaching customer service and support staff. The delay of two years and
the cost overrun of 100% of the project budget also show the programme's lack of
performance and efficiency.

As a result, DVDCL's management, concerned about the delay caused by the new
software team and its impact on the entire business process, approached our firm,
M/s ARS & Co, to conduct an independent Information Systems Audit of the
software development process to identify current areas of control weakness and
recommend improvements.

The audit team conducted a detailed study of the existing system followed by DVDCL
and reached the following conclusion:
a) The IT Department charged with the responsibility for IT projects did not have a
structured approach; most processes were undocumented and ad hoc in nature.
Therefore, after an extensive review of the software development process
documentation and interaction with key members of the IT department, Ms X, the
engagement leader, and her team identified the following key issues in project
implementation.

Key Issues in Project Implementation

1. Planned improvement in efficiency was not achieved and was delayed: The specific
requirements provided by DVDCL's management were interpreted wrongly by Bharath
Software Services, leading to deviations in most of the required areas. As all decisions
were taken by the chairman, the approval of any proposal was greatly delayed. This
eventually led to inefficient software loaded with quality issues in several domains of
DVDCL, including customer billing information, connection details of new customers
and measurement of customers' energy consumption, to name a few.

2. Other initiatives had to be postponed because of the delay, and the corresponding
information systems could not be planned: Since the software implementation was
delayed by two years, many other planned initiatives, such as process re-engineering,
metering and billing, enabling online payment of bills and monitoring of customer care
units, had to be postponed because an effective information system could not be
established, which affected the work environment.

3. Delayed delivery of project results: Since the software implementation period
overran by 24 months, the company and consumer databases were not updated with
the appropriate source data. Key functions such as meter reading details, billing and
new connection requests were not designed precisely and also lacked technological
interventions, which delayed the delivery of the required results.

4. Overrun on budgets: Because of improper and weak communication between
DVDCL's management and the software company, many technical issues arose, which
also required additional personnel. The additional work and the hiring of additional
engineers for service development had a large impact on cost, increasing the project
cost by 100% over what had been budgeted. In addition to these costs, there were large
losses of revenue in the following areas:
a. The software was not able to detect delay in payment of electricity bills, so the
company lost a great deal of the interest receivable on delayed payments.
b. Faulty meters that could not detect leakage of power supply had a large impact
on revenue.

5. Incomplete functionality of the applications delivered and undetected errors in the
system due to weak testing: The entire business process was redefined to improve
efficiency, but most of the domains were not designed properly as per the requirements
stated by management. Another key issue was that staff were very rigid and not ready
to accept the changes made to the existing process. Employees were not given
sufficient training to understand the needs and requirements of the new system,
because most of the applications developed had not been considered in the initial
programme and had to be run in parallel. Consequently the applications delivered
functioned incompletely, and many errors went undetected because of weak testing of
the systems by DVDCL's employees. This led to many errors in the areas of databases,
meter reading details, billing and new connection requests.

6. Incomplete or inaccurate information provided to customer service, support and
customers: Since the software did not work as per the stated requirements, most of the
information it generated was incorrect and inaccurate, and it lacked controls to
monitor customer relationship management. Many control weaknesses were found in
these areas:
a. There was no proper system for registering the complaints received from
customers.
b. There was no separate field in the software where customers could specify the
nature of their complaint, so the company could not properly understand it.
c. There was high downtime in the existing software, so complaints were not
registered on a real-time basis.
d. There was no system to track whether complaints had been addressed and
whether customer feedback had been received in return.

7. Delays in service provision to end customers (for example, connecting new
customers) due to incorrect or inaccurate information: There was no adequate system in
place to monitor and review the release of new connections to customers. As a result,
weaknesses were detected in these areas:
a. There were no proper documents or records available to verify the issue of new
connections, so the company delayed the process of issuing new connections
because of inaccurate information.
b. Customer requests were kept pending because there was no real-time tracker to
monitor the status of new requests and the status of requests raised by customers.
c. There was delay in the verification process for issuing new connections, and a
lack of authorisation controls to identify the correct user.

8. Information security problems: One of the major issues was that DVDCL failed to
align IT security with the business. It was not able to develop security systems and
procedures that kept pace with changing technology or to recognise threats and
attacks, and IT products were not configured correctly. Major weaknesses were
identified in these areas:
a. Security technologies, networking devices and configuration options were not
upgraded.
b. Absence of firewalls, intrusion detection systems and virtual private networks
that could protect the systems from malicious attacks.
c. No information security professionals were engaged to ensure that the evolving
network architecture did not compromise information security capabilities.
d. There was no proper system to monitor the database on a real-time basis to
identify any unauthorised or suspicious activity that compromised the privacy
and integrity of trusted information in the data centre.

4. Terms and Scope of Engagement

Scope of Audit
The audit shall primarily cover our review of the implementation and
post-implementation effectiveness of the software implemented by DVDCL (“the
Company”). It shall have the following scope:
1. Understanding the current business position, the processes involved and the
software used to implement them
2. Understanding the issues faced by the Company in the current scenario
3. Understanding the Company's requirements for redefining the customer process
and renewing the underlying information system
4. Developing a framework and communication structure for the information
technology implementation
5. Analysis of existing vendor contracts and their implementation
6. Identifying changes required in the existing IT resources for the smooth
functioning of the business
7. Review of the contracts entered into with the new vendor for providing IT
resources
8. Cost-benefit analysis of the choice of vendor and implementer for the underlying
software
9. Testing the software to be implemented to verify that it produces the desired
outcomes
10. Providing a draft report on the key issues, identifying areas of control weakness
in the software development process, with recommendations for improvement
11. Providing final recommendations after discussion with the IT department, with
confirmation of findings and an agreed plan of action
12. Providing specific recommendations on the software development model and
best practices that can be adopted by the enterprise
13. Post-implementation report on the effectiveness of the software implemented

Terms of engagement:

For the effective conduct of the audit, the following terms have been agreed with
the management:

a. The management shall make available all information and policy documents to
the auditors as and when they are required to be examined.
b. It shall provide the audit team with unrestricted access to the systems and data
storage, including the right to extract any information and to deploy a test
package on the system.
c. The audit team may also contact the present vendors of systems and software to
gain any additional information about the present structure.
d. The audit team may question or interview users of the system at any level, with
prior intimation, to gather feedback and expectations.
e. The assignment is conducted only to make recommendations to the management
regarding the software development model and best practices that can be
adopted by the enterprise.

5. Logistic Arrangements Required
Infrastructure required:
It will be necessary for DVDCL to appoint a co-ordinator who will take part in the
initial discussion of the work plan and continue to work with the team until the
assignment is complete. Appointing such a co-ordinator will speed up the execution of
the assignment and reduce the possibility of delay in access to information.
DVDCL will make available the computer time, software resources and support
facilities necessary for the timely completion of the assignment. It is requested that
DVDCL inform the respective IT personnel and developers about the conduct of the
assignment so as to secure their full co-operation. We will require the following
infrastructure for executing the assignment:
- Four nodes with read-only access to the software under development
- 2 laptops with Windows 7 / Microsoft Office 2013
- Access to printers for printing reports as required
- Adequate seating and storage space for the audit team
- Facilities for discussion between our team and your designated co-ordinator

Documentation required:
- Contracts / service level agreements with M/s Bharath Software Services Pvt Ltd
- Organisation structure outlining the hierarchy and job responsibilities
- IS Security policy of DVDCL
- User manuals / technical manuals prepared by M/s Bharath Software Services Pvt Ltd
- Any circulars / guidelines issued to employees on the usage of the software
- Documents relating to software implementation by M/s Bharath Software Services
Pvt Ltd
- Any other document identified by us as required for the assignment

6. Methodology and Strategies Adopted:

Based on our study of the present conditions and the requirements of the various
users, and for the further improvement of the Company towards its organisational
goals, we the auditors have considered the adoption of the following methodologies:
1. Creation of a strategic team in the management: A strategic team should be
created comprising the key governance personnel of the business and of
information systems. This team shall steer all decisions to meet the needs and
future of the organisation. It shall have the following duties:
a. Decide whether a proposed IT solution will deliver business value to the
organisation through the IT-enabled investment
b. Decide the exact timeline within which all the necessary software
development is to be completed and executed
c. Decide the security requirements of the software when implemented
d. Cost-benefit analysis of the implementation
e. Compatibility of the software with future initiatives such as metering and
billing, online payment, etc.
f. Identification of risks and the tolerance limit for each

2. Preparation of a requirements document: The previous software implementer,
Bharath Software Services Pvt Limited, mainly made errors in interpreting the
requirements, which caused the present problem. The strategic team therefore has
to analyse the actual requirements and document them properly so that the earlier
issue is not repeated. The document shall contain information on:
a. The operational functions of DVDCL that can be automated through IT
resources
b. The compatibility required of the software for future initiatives
c. The number of users of the software, to determine the hardware requirements
d. A design framework for better understanding by users
e. The expectations of the stakeholders of the Company
These requirements should be gathered from the end users, who are the employees
and in some cases the customers. From employees they can be collected through
questionnaires or interviews; from customers, through surveys. The requirements
shall be analysed from a technology perspective and documented.

3. Selection of vendors: The Company shall acquire software based on the above
requirements. Since DVDCL is involved in electricity operations, it has to acquire
the software and customise it according to its needs. To select the vendor it can
adopt various means such as:
a. Presentations
b. Questionnaires
c. Point-scoring analysis
d. Public evaluation reports
e. Benchmarking of solutions
Once candidate vendors have been shortlisted, the Company may issue a request for
proposal to them. The request should be prepared with the following parameters:
4. Service level agreements with the vendors: The Company has to enter into a
contract with the vendor. It shall contain all the necessary terms depending on the
requirements. Some of the terms can be:
a. Specific description of services, deliverables and their costs
b. Commitments for data migration
c. Arrangement for a software escrow agreement, or delivery of source code and
system documentation
d. Description of the support to be provided during installation / customisation
e. Criteria for user acceptance
f. Reasonable acceptance test before purchase
g. Confidentiality clauses
h. Data protection clauses
i. Terms of software maintenance

Testing of Software: The Company has to test the software as customised by the
vendor to determine whether it meets the requirements. Test planning should begin
while the requirements are being defined, so that every requirement has a test that
demonstrates its effectiveness. Testing should systematically uncover different classes
of errors in a minimum amount of time with a minimum amount of effort. The data
collected through testing can also give an indication of the software's reliability and
quality. The methods of testing the Company can follow are:

Unit Testing: Functional Tests (Positive Test, Negative Test); Performance Test;
Stress Test; Structural Test; Parallel Test
Integration Testing: Bottom Up Integration; Top Down Integration
System Testing: Recovery Testing; Security Testing; Stress or Volume Testing;
Performance Testing
Final Testing: Quality Assurance Testing; User Acceptance Testing

Unit testing shall determine the working of a single program. A unit is the smallest
functional part of an application, often called a module. It can be done by static
testing or dynamic testing. Under this the following tests shall be performed:
Functional Test - To check whether programs perform their required tasks
Performance Test - To check the expected performance of the program
Stress Test - To test the stability of the program
Structural Test - To check the internal process logic of the software
Parallel Test - To verify the results of the existing software against the new one

Integration testing is performed to check the ability of modules to work together to
achieve the objectives of the information system. It can be done through the
following approaches:
Bottom Up Integration - Integrate the components of the software starting from the
smallest module up to the complete program
Top Down Integration - Integrate from the user login down to the lowest subordinate
functions of the software

System testing is the process in which the software and other system elements are
tested as a whole. System testing begins either when the software as a whole is
operational or when well-defined subsets of the software's functionality have been
implemented. It shall contain:
Recovery Testing - To check the recovery of the software after crashes
Security Testing - To check the protection of the data while maintaining functionality
Volume Testing - To check stability as data grows
Performance Testing - To check the internal hardware usage

Final testing is conducted when all the other tests give satisfactory results and the
software is ready for implementation. Here the whole system is tested and compared
with the requirements analysis.
DVDCL has to perform any or all of the above testing processes so that the IT
resources function smoothly to achieve the business objectives.

5. Implementation: Several activities are undertaken to finally deploy the new system
in the operating environment. A fully functional and documented system is a
prerequisite for implementation to begin. The organisation can adopt one of four
strategies:

a. Direct Implementation: With this strategy the changeover is done in one
operation, completely replacing the old system in one go. Direct implementation
usually takes place on a set date, often after a break in production or a holiday
period, so that the time can be used to install the hardware and software for the
new system without causing too much disruption.

b. Phased Implementation: With this strategy implementation is staged, with
conversion to the new system taking place gradually, phase by phase according
to business operations. If a phase is successful the next phase is started,
eventually leading to the final phase in which the new system fully replaces the
old one.

c. Pilot Changeover: With this strategy the new system replaces the old one in one
operational area or on a smaller scale. Any errors are rectified and the new system
is stabilised in the pilot area, and the stabilised system is then replicated in
operational areas throughout the whole organisation.

d. Parallel Changeover: The new system is implemented while the old system also
continues to operate. The output of the new system is regularly compared with that
of the old system. If the results match over a period of time and the issues observed
with the new system are taken care of, the old system is discontinued.

During implementation, the employees must be given the training they need to use
the software effectively.
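The comparison that a parallel test (in the unit-testing list above) and a parallel changeover both depend on is a reconciliation of the two systems' outputs for the same billing cycle. The script below is an added example, not code from the report or from either vendor's software: it compares two constructed CSV extracts (the column names, the consumer ids and the 1.5% per 30 days late-payment interest rule are assumptions, not DVDCL's tariff), lists records missing from or added by the new system, field-level mismatches, control totals, and, because the case study found the new software failing to charge interest on late payments, recomputes the interest independently rather than trusting either system's figure:

```python
import csv
import io
from decimal import Decimal

# Constructed sample extracts for one billing cycle: the same consumers billed by
# the legacy system and by the new one. Column names are assumptions.
LEGACY_CSV = """consumer_id,units,amount,days_late,interest
C001,120,720.00,0,0.00
C002,300,1800.00,30,27.00
C003,55,330.00,0,0.00
C004,410,2460.00,30,36.90
"""
NEW_CSV = """consumer_id,units,amount,days_late,interest
C001,120,720.00,0,0.00
C002,300,1800.00,30,0.00
C003,55,330.00,0,0.00
C005,90,540.00,0,0.00
"""

FIELDS = ("units", "amount", "days_late", "interest")
MONTHLY_RATE = Decimal("0.015")  # assumed late-payment interest: 1.5% per 30 days, pro rata


def late_interest(amount, days_late, monthly_rate=MONTHLY_RATE):
    """Independent recomputation of the tariff rule, so the auditor does not
    have to trust either system's interest figure."""
    return (Decimal(amount) * monthly_rate * Decimal(days_late) / 30).quantize(Decimal("0.01"))


def load(text):
    """Key each extract by consumer id; a duplicate id would silently overwrite,
    so duplicates are reported as a completeness finding in their own right."""
    rows, duplicates = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        if row["consumer_id"] in rows:
            duplicates.append(row["consumer_id"])
        rows[row["consumer_id"]] = row
    return rows, duplicates


def reconcile(legacy_text, new_text):
    legacy, legacy_dups = load(legacy_text)
    new, new_dups = load(new_text)
    report = {
        "duplicates": {"legacy": legacy_dups, "new": new_dups},
        "missing_in_new": sorted(set(legacy) - set(new)),
        "extra_in_new": sorted(set(new) - set(legacy)),
        "mismatches": [],        # (consumer_id, field, legacy_value, new_value)
        "interest_errors": [],   # (system, consumer_id, reported, recomputed)
        "control_totals": {},    # field -> (legacy_total, new_total)
    }
    for cid in sorted(set(legacy) & set(new)):
        for field in FIELDS:
            a, b = Decimal(legacy[cid][field]), Decimal(new[cid][field])
            if a != b:
                report["mismatches"].append((cid, field, a, b))
    for name, rows in (("legacy", legacy), ("new", new)):
        for cid, row in sorted(rows.items()):
            expected = late_interest(row["amount"], row["days_late"])
            if Decimal(row["interest"]) != expected:
                report["interest_errors"].append((name, cid, Decimal(row["interest"]), expected))
    for field in FIELDS:
        report["control_totals"][field] = (
            sum(Decimal(r[field]) for r in legacy.values()),
            sum(Decimal(r[field]) for r in new.values()),
        )
    return report


def differences_found(report):
    """True while the parallel run is not clean, i.e. the old system must stay live."""
    keys = ("missing_in_new", "extra_in_new", "mismatches", "interest_errors")
    return any(report[k] for k in keys) or any(report["duplicates"].values())


if __name__ == "__main__":
    result = reconcile(LEGACY_CSV, NEW_CSV)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("cut-over safe:", not differences_found(result))
```

On the constructed data the run reports C004 missing from the new extract, C005 present only there, an interest mismatch on C002, and the new system's interest figure for C002 failing the independent recomputation; the control totals show the amount billed differing by the missing and extra records. Decimal arithmetic is used throughout because binary floats would produce spurious one-paisa mismatches.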

6. Compliance with internal controls by users of the software: The Company has to
prepare a document that creates awareness and specifies the roles and
responsibilities of the users for better implementation of the software.

7. Post-implementation contracts: The Company shall have the necessary contracts
with the vendor after implementation of the software. Here two aspects shall be
evaluated:
a. The system is operating as expected without operational issues.
b. The users are satisfied with the service delivered by the information system.
If either evaluation criterion is not met, the necessary changes shall be made to
achieve the desired outputs.

The above methodologies can be summarised as follows:

For the methodology of the software to be implemented, we have considered the best
practices prescribed in COBIT, as specified below:
Application control objectives: COBIT provides best practices for application
controls that can be used as a benchmark for implementing or evaluating application
controls. The COBIT 4.1 control objectives and control practices provide a collection of
generic controls that can be customised and used as a benchmark for implementation
or as assessment criteria for any application audit. COBIT 4.1 defines six control
objectives for application controls (AC1 to AC6):
1. Source Data Preparation and Authorisation: Ensure that source documents are
prepared by authorised and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the
origination and approval of these documents. Errors and omissions can be
minimised through good input form design. Detect errors and irregularities so
that they can be reported and corrected.
2. Source Data Collection and Entry: Ensure that data input is performed in a
timely manner by authorised and qualified staff. Correction and resubmission
of data that were erroneously input should be performed without
compromising original transaction authorisation levels. Where appropriate for
reconstruction, retain original source documents for the appropriate amount of
time.
3. Accuracy, Completeness and Authenticity Checks: Ensure that transactions
are accurate, complete and valid. Validate data that were input, and edit or
send back for correction as close to the point of origination as possible.
4. Processing Integrity and Validity: Maintain the integrity and validity of
data throughout the processing cycle. Detection of erroneous transactions
should not disrupt the processing of valid transactions.
5. Output Review, Reconciliation and Error Handling: Establish procedures
and associated responsibilities to ensure that output is handled in an
authorised manner, delivered to the appropriate recipient and protected
during transmission; that verification, detection and correction of the accuracy
of output occur; and that the information provided in the output is used.
6. Transaction Authentication and Integrity: Before passing transaction data
between internal applications and business/operational functions (within
or outside the enterprise), check the data for proper addressing, authenticity
of origin and integrity of content. Maintain authenticity and integrity
during transmission or transport.
Control practices
Source data preparation and authorisation:
1. Design source documents in a way that increases the accuracy with which data
can be recorded, controls the workflow and facilitates subsequent reference
checking. Where appropriate, include completeness controls in the design of
the source documents.
2. Create and document procedures for preparing source data entry, and ensure
that they are effectively and properly communicated to appropriate and
qualified staff. These procedures should establish and communicate the required
authorisation levels.
3. Ensure that the function responsible for data entry maintains a list of
authorised personnel, including their signatures.
4. Ensure that all source documents include standard components, contain proper
documentation and are authorised by management.
5. Automatically assign a unique and sequential identifier to every transaction.
6. Return documents that are not properly authorised or are incomplete to the
submitting originators for correction, and log the fact that they have been
returned. Review the logs periodically to verify that corrected documents are
returned by originators in a timely fashion, and to enable pattern analysis and
root cause review.
Source data collection and entry:
1. Define and communicate criteria for timeliness, completeness and accuracy of
source documents. Establish mechanisms to ensure that data input is
performed in accordance with the timeliness, accuracy and completeness
criteria.
2. Use only pre-numbered source documents for critical transactions.
3. Define and communicate who can input, edit, authorise, accept and reject
transactions, and override errors. Implement access controls and record
supporting evidence to establish accountability in line with the role and
responsibility definitions.
4. Define procedures to correct errors, override errors and handle out-of-balance
conditions, as well as to follow up, correct, approve and resubmit source
documents and transactions in a timely manner.
5. Generate error messages in a timely manner, as close to the point of origin as
possible. Transactions should not be processed unless errors are corrected
or appropriately overridden or bypassed. Error logs should be reviewed and
acted upon within a specified and reasonable period of time.
6. Ensure that error and out-of-balance reports are reviewed by appropriate
personnel, followed up and corrected within a reasonable period of time, and,
where necessary, that incidents are raised for more senior-level attention.
Automated monitoring tools should be used to identify, monitor and manage
errors.
7. Ensure that source documents are safely stored for a sufficient period of time,
in line with legal, regulatory or business requirements.
Accuracy, completeness and authenticity checks:
1. Ensure that transaction data are verified as close to the data entry point as
possible, and interactively during online sessions. Wherever possible, do not
stop transaction validation after the first error is found. Provide
understandable error messages immediately to enable efficient remediation.
2. Implement controls to ensure the accuracy, completeness, validity and
regulatory compliance of data input. Controls may include sequence, limit,
range, validity, reasonableness, table look-up, key verification, duplicate
and logical relationship checks and time edits. Validation criteria and
parameters should be subject to periodic review and confirmation.
3. Establish access controls and role and responsibility mechanisms so that
only authorised persons can input, modify and authorise data.
4. Define requirements for segregation of duties for entry, modification and
authorisation of transaction data, as well as for validation rules. Implement
automated controls and role and responsibility requirements.
5. Report transactions failing validation and post them to a suspense file.
Report all errors in a timely fashion and do not delay processing of valid
transactions.
6. Ensure that transactions failing edit and validation routines are subject to
appropriate follow-up until the errors are remediated. Ensure that information
on processing failures is maintained to allow for root cause analysis and to
help adjust procedures and automated controls.
Processing integrity and validity:
1. Establish and implement mechanisms to authorise the initiation of transaction
processing and to enforce that only appropriate and authorised applications
and tools are used.
2. Routinely verify that processing is completely and accurately performed,
with automated controls where appropriate. Controls may include checking
for sequence and duplication errors, transaction/record counts, referential
integrity checks, control and hash totals, range checks and buffer overflows.
3. Ensure that transactions failing validation routines are reported and posted
to a suspense file. Where a file contains valid and invalid transactions,
ensure that the processing of valid transactions is not delayed and that all
errors are reported in a timely fashion. Ensure that information on processing
failures is kept to allow for root cause analysis and to help adjust procedures
and automated controls, so as to ensure early detection or prevention of errors.
4. Ensure that transactions failing validation routines are subject to
appropriate follow-up until the errors are remediated or the transaction is
cancelled.
5. Ensure that the correct sequence of jobs has been documented and
communicated to IT operations. Job output should include sufficient
information regarding subsequent jobs to ensure that data are not
inappropriately added, changed or lost during processing.
6. Verify the unique and sequential identifier of every transaction.
7. Maintain an audit trail of transactions processed. Include the date and time of
input and the user identification for each online or batch transaction. For
sensitive data, the listing should contain before and after images and should
be checked by the business owner for accuracy and authorisation of the changes
made.
8. Maintain the integrity of data during unexpected interruptions in data
processing with system and database utilities. Ensure that controls are in
place to confirm data integrity after processing failures or after the use of
system or database utilities to resolve operational problems. Any changes
made should be reported to and approved by the business owner before they
are processed.
9. Ensure that adjustments, overrides and high-value transactions are
reviewed promptly and in detail for appropriateness by a supervisor who does
not perform data entry.
10. Reconcile file totals. Identify, report and act upon out-of-balance conditions.
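The edit checks, suspense-file handling and control totals described under the last two headings, as one added example that is not part of the original report or of the Bharath Bill Pay software: a batch of meter-reading transactions is run through sequence, duplicate, range, logical-relationship, referential-integrity, reasonableness, table look-up and segregation-of-duties checks. Every check runs even after the first failure, failing records go to a suspense list carrying all of their error codes while valid records proceed without delay, and a record count, a control total (units consumed) and a hash total (sum of account numbers, a non-financial field) are produced for reconciliation by later stages, together with an audit-trail entry per transaction. The account master, tariff table, batch contents, error codes and thresholds are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Reference data, constructed for the example: the account master (with each
# account's average monthly consumption in units) and the tariff look-up table.
ACCOUNTS = {"AC1001": 120, "AC1002": 300, "AC1003": 40}
TARIFFS = {"DOM": 5.5, "COM": 8.0}
METER_MAX = 999_999        # range check: a meter register cannot exceed this
REASONABLE_FACTOR = 3      # consumption above 3x the account's average is flagged

# Constructed batch of meter-reading transactions; the defects are deliberate.
BATCH = [
    {"txn_id": 1, "account": "AC1001", "prev": 10500, "curr": 10630, "tariff": "DOM",
     "entered_by": "clerk1", "authorised_by": "sup1"},
    {"txn_id": 2, "account": "AC1002", "prev": 22000, "curr": 22310, "tariff": "COM",
     "entered_by": "clerk1", "authorised_by": "sup1"},
    {"txn_id": 3, "account": "AC1003", "prev": 5000, "curr": 4990, "tariff": "DOM",
     "entered_by": "clerk2", "authorised_by": "sup1"},          # reading went backwards
    {"txn_id": 5, "account": "AC9999", "prev": 100, "curr": 5100, "tariff": "XXX",
     "entered_by": "clerk2", "authorised_by": "clerk2"},        # gap, bad account, bad tariff, SoD
    {"txn_id": 5, "account": "AC1001", "prev": 10630, "curr": 10700, "tariff": "DOM",
     "entered_by": "clerk1", "authorised_by": "sup1"},          # duplicate id and account
]


@dataclass
class BatchResult:
    processed: list = field(default_factory=list)   # transactions that passed every check
    suspense: list = field(default_factory=list)    # (transaction, [error codes]) awaiting correction
    audit_trail: list = field(default_factory=list)
    control_totals: dict = field(default_factory=dict)


def validate_txn(txn, expected_id, seen_ids, seen_accounts):
    """Apply every edit check and return all error codes, not just the first."""
    errors = []
    if txn["txn_id"] in seen_ids:
        errors.append("DUP_ID")
    elif txn["txn_id"] != expected_id:
        errors.append("SEQ_GAP")                   # sequence check
    if txn["account"] in seen_accounts:
        errors.append("DUP_ACCOUNT")               # one reading per account per batch
    if not (0 <= txn["prev"] <= METER_MAX and 0 <= txn["curr"] <= METER_MAX):
        errors.append("RANGE")
    if txn["curr"] < txn["prev"]:
        errors.append("LOGIC")                     # logical relationship between fields
    if txn["account"] not in ACCOUNTS:
        errors.append("VALIDITY")                  # referential integrity against the master
    elif txn["curr"] - txn["prev"] > REASONABLE_FACTOR * ACCOUNTS[txn["account"]]:
        errors.append("REASONABLENESS")
    if txn["tariff"] not in TARIFFS:
        errors.append("LOOKUP")                    # table look-up
    if txn["entered_by"] == txn["authorised_by"]:
        errors.append("SOD")                       # entry and authorisation must differ
    return errors


def process_batch(batch, now=None):
    """Validate a batch; valid records proceed, failing ones go to suspense."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    result = BatchResult()
    seen_ids, seen_accounts = set(), set()
    expected_id = batch[0]["txn_id"] if batch else 0
    for txn in batch:
        errors = validate_txn(txn, expected_id, seen_ids, seen_accounts)
        seen_ids.add(txn["txn_id"])
        seen_accounts.add(txn["account"])
        expected_id = txn["txn_id"] + 1
        if errors:
            result.suspense.append((txn, errors))  # held back; valid records are not delayed
        else:
            result.processed.append(txn)
        result.audit_trail.append({"at": stamp, "txn_id": txn["txn_id"],
                                   "user": txn["entered_by"],
                                   "outcome": "SUSPENSE" if errors else "PROCESSED",
                                   "errors": errors})
    # Totals carried forward so later stages can prove completeness of processing.
    result.control_totals = {
        "record_count": len(result.processed),
        "consumption_total": sum(t["curr"] - t["prev"] for t in result.processed),
        "hash_total": sum(int(t["account"][2:]) for t in result.processed),
    }
    return result


if __name__ == "__main__":
    res = process_batch(BATCH)
    for txn, errs in res.suspense:
        print("suspense:", txn["txn_id"], txn["account"], errs)
    print("control totals:", res.control_totals)
```

The hash total is deliberately computed over a field that has no financial meaning: if a later stage recomputes it and gets a different value, a record was dropped, duplicated or had its account changed even though the money totals might still agree.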

Output review, reconciliation and error handling:
1. When handling and retaining output from IT applications, follow defined
procedures and consider privacy and security requirements. Define, communicate
and follow procedures for the distribution of output.
2. At appropriate intervals, take a physical inventory of all sensitive output, such as
negotiable instruments, and compare it with inventory records. Create procedures
with audit trails to account for all exceptions and rejections of sensitive output
documents.
3. Match the control totals in the header and/or trailer records of the output
with the control totals produced by the system at data entry, to ensure
completeness and accuracy of processing. If out-of-balance control totals exist,
report them to the appropriate level of management.
4. Validate the completeness and accuracy of processing before other operations are
performed. If electronic output is reused, ensure that validation has occurred prior
to subsequent uses.
5. Define and implement procedures to ensure that the business owners review the
final output for reasonableness, accuracy and completeness, and that output is handled
in line with the applicable confidentiality classification. Report potential errors, log
them in an automated, centralised logging facility, and address errors in a timely
manner.
6. If the application produces sensitive output, define who can receive it, label the
output so that it is recognisable by people and machines, and implement distribution
accordingly. Where necessary, send it to special access-controlled output devices.

Transaction authentication and integrity:
1. Where transactions are exchanged electronically, establish an agreed-upon
standard of communication and the mechanisms necessary for mutual
authentication, including how transactions will be represented, the
responsibilities of both parties and how exception conditions will be handled.
2. Tag the output of transaction processing applications in accordance with industry
standards to facilitate counterparty authentication, provide evidence of
non-repudiation and allow for content integrity verification upon receipt by the
downstream application.
3. Analyse input received from other transaction processing applications to
determine the authenticity of origin and the maintenance of the integrity of content
during transmission.
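The exchange described under transaction authentication and integrity, as an added example that is not part of the original report or of the Bharath Bill Pay software: the sending application tags each transaction with a sequence number, a timestamp and an HMAC-SHA256 over the canonical message, and the receiving application checks integrity, origin, freshness and replay before accepting it. The key, application names, clock-skew window and sample payload are constructed assumptions. One caveat against practice 2 above: an HMAC with a shared key proves to the receiver that the message came from a holder of that key, but it cannot prove to a third party which of the two parties produced it, so it does not provide non-repudiation. For that, the tag would have to be a digital signature made with a private key held only by the sender (for example Ed25519 via a library such as `cryptography`), which the Python standard library does not provide.

```python
import hashlib
import hmac
import json

# Constructed shared key agreed between the two applications out of band.
# A real deployment would provision and rotate it through key management.
SHARED_KEY = b"example-shared-key-not-for-production"


def _canonical(envelope):
    # Both sides must serialise identically or the tag will never verify.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()


def tag_transaction(payload, sender, seq, ts, key=SHARED_KEY):
    """Sender side: wrap the payload with addressing and freshness fields and
    compute an HMAC-SHA256 over the canonical envelope."""
    envelope = {"sender": sender, "seq": seq, "ts": ts, "payload": payload}
    mac = hmac.new(key, _canonical(envelope), hashlib.sha256).hexdigest()
    return {"envelope": envelope, "mac": mac}


class Receiver:
    """Receiving application: checks integrity, origin, freshness and replay."""

    def __init__(self, expected_sender, key=SHARED_KEY, max_skew=300):
        self.expected_sender = expected_sender
        self.key = key
        self.max_skew = max_skew      # seconds of clock skew tolerated
        self.last_seq = 0             # highest sequence number accepted so far

    def verify(self, message, now):
        env = message["envelope"]
        expected = hmac.new(self.key, _canonical(env), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "MAC_MISMATCH"   # content altered in transit or wrong key
        if env["sender"] != self.expected_sender:
            return False, "WRONG_SENDER"   # addressing / origin check
        if abs(now - env["ts"]) > self.max_skew:
            return False, "STALE"          # outside the accepted time window
        if env["seq"] <= self.last_seq:
            return False, "REPLAY"         # duplicate or out-of-order delivery
        self.last_seq = env["seq"]
        return True, "OK"


if __name__ == "__main__":
    msg = tag_transaction({"account": "AC1001", "units": 130}, "meter-reading", 1, 1_700_000_000)
    billing = Receiver("meter-reading")
    print(billing.verify(msg, now=1_700_000_010))   # (True, 'OK')
    print(billing.verify(msg, now=1_700_000_010))   # (False, 'REPLAY')
```

The MAC is checked first and with a constant-time comparison, so none of the later fields are trusted until the message is known to be intact; the sequence counter is kept per sender so that a captured meter-reading transaction cannot be fed to billing twice.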

In order to ensure that our review of the SDLC was complete and to formalise our
roles and practices, a master checklist was prepared by our team. The remarks column
in the checklist was filled in by our team members based on their understanding
of the SDLC process in your Company and was further confirmed by the co-ordinator
appointed by you. The checklist helped our team gain a basic
understanding of the software development process carried out by the vendor and
served as a supplement in forming our recommendations.
We have reproduced it below for your quick reference:
Sl. No. / Checkpoint / Remark

1. Whether the information system software development policy and procedure are documented?
   Remark: On the basis of the review of the software development policy documentation, it has been observed that the documentation is not updated on a regular basis.

2. Whether the software development policy and procedure were approved by the Management before kick-starting the project?
   Remark: It is observed that Management approval has not been taken for the policy and procedure.

3. Whether the policy and procedure cover the following issues:
   - Problems in the existing software and the need for replacement: Yes, but more weightage must be given to the areas not covered by the initial software.
   - Functionality of the new software: Yes.
   - Security needs: Proper policies and procedures must be framed.
   - Proposed roles and responsibilities: Covered; however, they must be clearly defined.
   - Migration to the new IS: Yes.
   - Post-implementation review: Yes.
   - Maintenance arrangements: Need to be ensured.

4. Whether the organisation has evaluated the requirements and functionalities of the proposed application?
   Remark: Yes.

5. Whether the organisation has carried out financial, operational and technical feasibility studies?
   Remark: Yes.

6. Whether the organisation has considered the following while choosing the vendor:
   - Evaluation of alternative vendors
   - Specification of service levels and deliverables
   - Penalty for delays
   - Customisation
   - Support and maintenance
   Remark: Yes.

7. Whether the testing of the software:
   - Confirms compliance with the functional requirements
   - Confirms compatibility with the IT infrastructure
   - Identifies bugs and errors and addresses them by analysing root causes
   Remark: Yes.

8. Whether there is adequate documentation for:
   - Preserving test results for future reference
   - Preparation of manuals such as the system manual, installation manual and user manual
   - Obtaining user sign-off/acceptance
   Remark: Yes.

9. Whether the implementation covers the following:
   - User training
   - Acceptance testing
   - Role of the vendor and period of support
   - Risks involved and actions to mitigate them
   - Migration plan
   Remark: Yes.

10. Whether a process exists for measuring the vendor's performance against the agreed service levels?
   Remark: Yes.

11. Whether the post-implementation review results are documented?
   Remark: No. The company must keep sufficient documentation regarding the post-implementation review results.

7. Documents reviewed

1. Contract Models/Service Level Agreement
A document describing the technical interface to a system or part of a system.
We reviewed the obligations and duties set out in the Service Level Agreements.
2. Design Decisions
A summary of the critical decisions relating to design and architecture that the
team made throughout development.
3. Vision Statement
A definition of the vision for the system and a summary of the current cost
estimates, expected benefits, risks, staffing estimates and scheduled milestones.
This document is typically used to obtain funding and support for the software
development project, as well as to provide status to stakeholders who may not
be actively involved with the project on a day-to-day basis.

4. Project Overview and Source Code Listing
A summary of critical information, for example the vision for the system, primary
user contacts, the technologies and tools used to build the system, and the
critical operating procedures (some applicable to development, for example how to
build the system, and some pertinent to production, for example how to back up
data). It also provides references to critical project artifacts, for example the
source code (the project name in the source code control system is often
sufficient) and where the permanent models relating to the system (if any) are kept.
This document serves as a starting point for anyone new to the team, including
support engineers, since it answers the basic questions they are likely to
have.

5. Support Documentation
This documentation includes training materials specific to support staff; all user
documentation, for use as reference when resolving issues; a troubleshooting guide;
an escalation procedure for handling difficult issues; and a list of
contact points within the maintenance team.
6. Security Rules/Regulations
A security policy statement giving a fair view of the various rules, policies and
procedures regarding the security measures taken by the company to safeguard its
information assets.

8. References

The following references were used while carrying out the assignment:

a. ICAI Material for Information System Audit 2.0 Course

b. COBIT 5

c. CAAT Tools as described in the institute material for Information System Audit
2.0 Course

d. Technical Guide on Information Systems Audit by ICAI

e. www.isaca.org and cit@icai.org

f. www.google.com

g. icisa.cag.gov.in

9. Deliverables

Summary of Testing
OFFICIAL SUMMARY: DVDCL implemented the Bharath Bill Pay software
two years after the pre-decided date, in order to ease the generation of
bills and meter reading details and to give a better client interface to its current
and prospective customers. Due to a lack of communication and misinterpretation of the
requirements specified by the management, the software was not designed as per the
needs of the company. There were continuous issues, as both the old and the new
software had to be run in parallel. This led to loss of time, additional manpower and
costs. All such issues added up over a period of time and needed immediate attention.
Therefore the company decided to get the software application audited and appointed
our firm, M/s ARS & Co, to conduct a detailed review and testing of the software. At
the request of the management to conduct the audit of their software application,
our engagement team has completed the audit procedures and we are
submitting our detailed findings below.

Findings

a. Centralised approach to decision-making: Decision-making authority
was vested solely in the Chairman, and no decisions were taken at
the intermediate level. Many technical issues arose that needed immediate
attention, and these were delayed in the Chairman's absence. Every
decision to be implemented required the Chairman's intervention, which
consumed a lot of time.

b. Delay in workflow: Since approval had to be received from the
Chairman, there was a delay in directing work to the employees,
causing an overall delay in the business process. When the Chairman was on
leave or on professional industrial visits, approvals remained
pending, which also meant a lot of time being wasted.

c. Delay in implementation of the software: The software was implemented
two years after the date on which it was planned to be implemented.
A lack of communication between the management and the software
company was one of the major reasons for the delay. Most of the
functionalities were improper, since Bharath Software Services Pvt. Ltd.
had deviated from the requirements specified by DVDCL.

d. Lack of training for staff and assistants: As discussed earlier, the staff
members were rigid and did not accept the newly introduced software.
At the same time, inadequate training was given to the staff to
understand the need for, and the requirements of, the new system. Most of
the applications developed were not considered in the initial programme
and had to be run in parallel, so the system was not tested
properly for undetected errors. Further, the manual transfer of data
from the meter to the billing software increased the chances of error.

e. IT security policies and procedures were not framed properly: The
management had not properly framed the IT security policies regarding
the security of the IT assets, data security and the security of the
software. Since no cybersecurity strategy had been framed, the company's
computers, networks and data were exposed to compromise by outside
organisations or individuals.

f. Absence of segregation of duties: Every level of manager (such as the lead
engineer, programmer and business analyst) in the company had access
to all the data and information, and roles and responsibilities were not
properly defined. Had data and work been distributed among different levels
of people in the organisation, with each role given access only to what it
needed, the data and information would have been more secure.
g. Data backup plans were not appropriate: Even though policies were
framed for periodically checking the backups of the data, restores from
backup were never tested, nor were any logs kept in support of such test
checks. This was an extreme level of risk, since there was every chance of
the data being lost had one of the storage servers been damaged.
h. Lack of disaster management policies: The Chairman and the company
management had not considered having a proper disaster management
policy in the event of data theft or data loss due to natural
calamities. This could have led to an abrupt loss of business.
i. Software was not properly tested: Since the software was delivered
after a delay of two years, the company implemented it directly without
a thorough check. This led to a lot of errors generated by the software,
which the company could not rectify.

j. Customer relationship controls: There were many control weaknesses
in the customer relationship domain, since there were a number of issues that
directly affected the management of customers, among them:
complaints not getting registered, insufficient feedback to
customers, delays in rendering service, and no proper system to monitor
new connections.

10. Report to the Management

To,
The Chairperson,
DVDCL,
Hubli.

Objectives of the Assignment:

The primary objective of this Information Systems Audit assignment was to audit the
software development process, to identify the current areas of control weakness in the
program 'Bharath Bill Pay' provided by Bharath Software Services Pvt. Ltd., and to
provide recommendations to improve the customer processes followed by DVDCL,
which include customer-facing connections, billing, etc.

Scope of Review/Terms of Reference:

The audit primarily covered our review of the implementation and post-implementation
effectiveness of the software implemented by DVDCL ("the Company").
It specifically included the testing of Bharath Bill Pay (the Software) with regard
to the customer interface, customer billing and other customer-related activities, and
providing recommendations for improving the existing system or for implementing a
new system if necessary. Our testing also sought to establish the reasons for the
problems existing in the system and to find possible solutions to rectify them. However,
our testing and audit did not cover hardware and other related components of the
information system.

We have used the following documents at the time of testing:

1. Contract Models/Service Level Agreements
2. Design Decisions
3. Executive Overview/Vision Statement
4. Project Overview and Source Code Listing
5. Support Documentation
6. Security Rules and Regulations

Approach/Methodology Followed:
The audit was carried out as per the pre-planned audit plan and programme, which was
discussed with the senior management of DVDCL. We have used the internationally
accepted framework for IS audit, COBIT (Control Objectives for Information and
Related Technology, issued by the Information Systems Audit and Control
Association (ISACA), USA), for this review. The key tasks of our audit plan are highlighted
below:
- Discussions with the IT Department and user management
- Review of the circulars issued by DVDCL regarding IT-related activities
- Examination of processing controls
- Review of information security policies
- Review of 'Bharath Bill Pay' and its user manuals
- Observation of users and the system in operation
- Review of reports and audit logs in the system software and the 'Bharath Bill Pay'
package

Audit Environment:
We conducted the IS audit at the IT department of DVDCL in a simulated
environment, using Windows 7 workstations connected to the servers. Our team, as
discussed earlier, comprised Chartered Accountants with experience in the field of
IS audit.

Audit Reports:
We issued a draft report outlining our issues and recommendations and obtained
feedback from the IT Department. Further, a meeting was held with the IT Department,
represented by Mr. AA, AGM (IT), and Mr. AB, AGM (Finance and Accounts), where
the issues and recommendations were discussed in detail. The IT Department has
been very proactive in incorporating our suggestions. This report incorporates all the
issues which have been agreed and confirmed.

Overall Conclusions:
Based on our review, our overall recommendations on specific areas are:
a. Proper decision-making policy:
In DVDCL, since every major requirement approval or change approval is decided
by the Chairman, there is a long delay as well as reduced work output. There is no
delegation or segregation of duties to lower-level managers or engineers allowing
them to take any decision. The resulting delays have to be rectified by assigning
responsibilities and authority to manager-level personnel to take
decisions. This will help control the unnecessary delay of every event, which is the
biggest problem at present. Only important policy-level decisions should be taken by
top-level management.

b. Training of employees:
New software implies a change in the company, and it has to be ensured that
knowledge of the software reaches all the required staff. All the employees who are
required to work on the system must be properly and adequately trained, so that
they know the modules available to them and can use them correctly.

c. Password policy:
The organisation has to define a password policy for the employees, and compliance
with it should be monitored. Employees must be made aware of the necessity and
importance of following it. The policy must be reviewed
regularly and updated accordingly. Together with individual user accounts, this will
help in fixing responsibility, and employees can be given access only to the data or
information they need to know.

d. Proper BCP and DRP:
DVDCL has to define a proper Business Continuity Plan (BCP) and Disaster
Recovery Plan (DRP), so that in case of a disaster the system is not interrupted
and operations continue smoothly. The BCP and DRP should be reviewed at
regular intervals and updated accordingly.

e. Proper software testing:
Once the software is developed, it has to be tested properly, involving the technical
staff of both Bharath Software Services Pvt. Ltd. and DVDCL. Any
issues or lack of understanding can then be resolved at first hand before the software
is put into use.

f. Proper reporting:
The system must have a reporting mechanism for complaints raised by customers, and
there should be a follow-up procedure for resolving them. A resolution-time policy such
as the 4+2 day rule should be implemented, and unresolved grievances must be recorded
with the reason for not resolving them within the prescribed time, so that this can be
verified by top-level management.

Udupi                                   For M/s ARS & Co.
14-02-2019                              Chartered Accountants

(Sd/-)
CA. X
Partner, MRN: -----

11. Summary and Conclusion

DVDCL had appointed our firm to conduct a detailed audit of their application
software, since there were a lot of issues with the existing Bharath Bill Pay software
which in turn affected customer relationships as well as the growth prospects of
the company. There were many risks and control weaknesses in the process which
could not be avoided with the existing software.

Although risk is part of the growth process of any entity, it is always wise to keep
it in check. The company must have the right policies, procedures and organisation
structure in place. Redundancy must be avoided as far as possible. Backup plans and
risk mitigation strategies should be well documented, and all those involved must be
educated and trained in this process.

Based on the findings and observations arrived at through our audit procedures,
recommendations have been provided to DVDCL by our team to overcome the
loopholes and discrepancies in the software, in order to improve the efficiency and
effectiveness of their business processes and meet their quality assurance standards.
