1. Introduction
ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple manufacturing divisions
and regional offices spread all over India. ABM operates on three major business verticals for
associated equipment manufacturing: Mining & Construction, Defence, and Rail & Metro. In addition to
the above, there are three Strategic Business Units (SBUs): the Technology Division for providing end-to-end
engineering solutions, the Trading Division for dealing in non-company products and the International Business
Division for export activities. ABM has eight manufacturing units spread over four locations. ABM is a
recognized leader in the industry and an early adopter of technology to improve efficiency and
competitiveness. In pursuit of its mission of improving competitiveness through organizational
transformation and collaboration, strategic alliances and joint ventures in technology, ABM has implemented ERP
across the company with effect from October 2010. As continuing evidence that public sector entities are
leveraging enterprise technology from the world’s leading business software company, ABM
successfully implemented SAP ERP and went live in a quick time span of 12 months. In a first-of-its-kind
project in the country, ABM consolidated its operations across multiple locations spread across India, with
all units going live simultaneously.
2. Background
ABM Group has been using Information Technology as a key enabler for facilitating business process
owners and enhancing services to its customers. The senior management of ABM has been very
proactive in directing the management and deployment of Information Technology. Most of the mission
critical applications in the company have been computerized and networked. ABM
selected SAP Business Suite to bring a more integrated and seamless approach to internal processes.
SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple units
across different locations, involving extensive procedures and large volumes of data. The family of
business applications provides better insight into enterprise-wide analysis based on real time data and
key performance indicators, improved quality and on-time delivery, reduction in inventory cost and
enhanced customer service. This implementation has empowered ABM to seamlessly connect all its
vendors, customers and partners to achieve improved business efficiency. SAP-R3 ECC 6.00 Version is
deployed across all of ABM’s financial, payroll and human capital functions. The modules implemented
are PP, MM, FICO, Quality, PM and HR including Payroll. ABM has more than 500 SAP users across the
company. By implementing SAP solutions ABM has achieved superior operational excellence and
business agility.
SAP implementation is secure and safe and provide assurance to the senior management of ABM.
Further, IS Auditors are expected to develop an IS Audit checklist for future use.
A. SECURITY AUDIT
OBJECTIVE: Assess vulnerabilities of the SAP implementation to attacks from within and outside and
suggest appropriate counter-measures so as to safeguard information against unauthorized use,
disclosure or modification, damage or loss.
OBJECTIVE: To review the processes relating to granting access to systems, verify the logical access
controls and assess whether the specified roles and responsibilities are aligned with the business,
facilitate effective direction and adequate control so as to ensure that access to systems, data and
programs is restricted to authorized users and that information is safeguarded against unauthorized
use, disclosure or modification, damage or loss.
C. AUDIT TRAILS
OBJECTIVE: To assess that audit trails exist to facilitate the tracing of transaction processing and
reconciliation of data so as to ensure that adequate and appropriate audit trails/logs are developed and
used within the company for ensuring effective monitoring of the mission critical systems and processes.
OBJECTIVE: To assess and evaluate management system relating to all changes requested and made
to the existing production systems in respect of SAP applications, so as to minimize the likelihood of
disruption, unauthorized alterations, and errors.
E. SYSTEMS MONITORING
OBJECTIVE: To evaluate data collection, analysis and reporting on resource performance, application
sizing and workload demand so as to ensure that adequate capacity is available and that best and
optimal use is made of it to meet required performance needs of the business process owners.
OBJECTIVE: Assess the internal control framework in respect of specified SAP application, review of
parameter settings and configuration management and suggest improvements so as to ensure that data
remains complete, accurate and valid during its input, update and storage.
The findings of the IS Audit are expected to identify various risks and weaknesses in the controls in
ERP and its environment, and possible corrective action. It is expected that the various internal
controls and procedures in force in the Company will be reviewed for incorporation in ERP and
recommendations made for strengthening the ERP controls. Also, the IS Audit will identify the
areas involving redundancy in internal audit checks for elimination, at the same time highlighting
areas requiring risk-based internal audit checks in the ERP environment.
It is expected that a checklist will be developed to enable the Company’s Internal / Statutory /
Govt. Audit to satisfy themselves of the internal controls and security incorporated into ERP to
make the data tamper-proof and reliable. The audit should cover the Operating System, Database
Management, Server Capacity & Suitability, Data Security, Disaster Recovery Plan, Access
Control, Authorization Procedure & Control, Password Policy, Business Process, Customization
& Configuration, integration with other modules, data flow across the modules, Audit Trail, Change
Management issues, etc.
7. Deliverables of project
1. Please prepare a questionnaire to understand the key objectives of the assignment, nature of
business operations, details of IT resources deployment (hardware, OS, database, application
software) and details of overall security and controls as implemented.
2. Please prepare list of documentation which is required for performing the assignment.
3. Please prepare list of Infrastructure required and outline strategy for execution of assignment.
4. Please prepare list of audit team members with specific skill-set required for the assignment.
5. Please prepare detailed methodology of execution of assignment covering all phases of audit.
8. Format of deliverables
Please use relevant standards, guidelines and best practices as relevant for IS Audit of SAP, specified
technology deployed, business processes of the organisation and the organisation structure. Please refer
to DISA background material and perform additional research as required. Please provide each of the
above deliverables in standard format.