
Project of DISA 2.0 Course CIT of ICAI

IS Audit of ERP Software

1. Introduction
ABM Limited (ABM) is a leading Public Sector Undertaking with multiple manufacturing divisions and
regional offices spread across India. ABM operates in three major business verticals for associated
equipment manufacturing: Mining & Construction, Defence, and Rail & Metro. In addition, there are three
Strategic Business Units (SBUs): a Technology Division providing end-to-end engineering solutions, a
Trading Division dealing in non-company products, and an International Business Division for export
activities. ABM has eight manufacturing units spread over four locations. ABM is a recognised leader in
its industry and an early adopter of technology to improve efficiency and competitiveness. In pursuit of
its mission of improving competitiveness through organisational transformation and collaboration,
strategic alliances and joint ventures in technology, ABM implemented ERP across the company with
effect from October 2010. ABM successfully implemented SAP ERP and went live within 12 months, further
evidence that Public Sector Entities are leveraging enterprise technology from the world's leading
business software company. In a first-of-its-kind project in the country, ABM consolidated its
operations across multiple locations spread across India, with all units going live simultaneously.

2. Background
The ABM Group has been using Information Technology as a key enabler for supporting business process
owners and enhancing services to its customers. The senior management of ABM has been very proactive
in directing the management and deployment of Information Technology, and most of the mission-critical
applications in the company have been computerised and networked. ABM selected SAP Business Suite to
bring a more integrated and seamless approach to its internal processes. The SAP deployment at ABM
posed unique challenges arising from the need to integrate multiple units across different locations,
involving extensive procedures and large volumes of data. The family of business applications provides
better insight through enterprise-wide analysis based on real-time data and key performance indicators,
improved quality and on-time delivery, reduced inventory cost and enhanced customer service. The
implementation has enabled ABM to connect its vendors, customers and partners and improve business
efficiency. SAP ECC 6.0 (the successor to SAP R/3) is deployed across ABM's financial, payroll and human
capital functions. The modules implemented are PP (Production Planning), MM (Materials Management),
FI/CO (Financial Accounting and Controlling), Quality (QM), PM (Plant Maintenance) and HR (Human
Resources) including Payroll. ABM has more than 500 SAP users across the company. By implementing SAP
solutions, ABM has achieved superior operational excellence and business agility.

3. Need for IS audit of SAP


ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While
the Information Systems Audit covers both the audit of the ERP system and a review of its
implementation, the IS Audit is expected to comply with the IS Auditing Standards, Guidelines and
Procedures, and is further subject to the applicable Auditing Standards of ICAI. The IS Auditor is
expected to have thorough knowledge of SAP ECC 6.0. The objective is to identify areas for improvement
of controls by benchmarking against global best practices. Further, any specific risks identified are
expected to be mitigated by implementing controls as deemed relevant, so as to ensure that the SAP
implementation is secure and safe and to provide assurance to the senior management of ABM. The IS
Auditors are also expected to develop an IS Audit checklist for future use.

4. Scope and terms of reference of the assignment


The primary objective of the assignment is to conduct an Information Systems Audit of the SAP
implementation, and to develop related IS Audit checklists for future use, through external consultants
using globally recognised IS Audit standards and best practices. The IS audit of SAP has the objective
of providing comfort on the adequacy and appropriateness of controls and of mitigating operational
risks, thus ensuring that the information systems implemented through SAP provide a safe and secure
computing environment. Further, specific areas of improvement will be identified by benchmarking against
the globally recognised IT practices of the COBIT framework. The initial assignment could primarily focus
on the identified areas of the SAP implementation. The proposed scope of review and the terms of
reference laid down in the following paragraphs are given in the annexure. These terms of reference are
based on the preliminary discussion the assignment team had with the ABM team and are subject to further
modification as required. Broadly, the scope of review is primarily from a security and controls
perspective and would involve:

A. Review of IT resources, as relevant:

a. Operating system software: access controls
b. Telecommunications (network) software: access controls
c. RDBMS database: access controls
d. SAP (major focus area): configuration of profile parameters and access controls
e. Application controls at the various stages of input, processing, output, storage, retrieval and
transmission, so as to ensure the confidentiality, integrity and availability of data.
B. Organisation structure, policies, procedures and practices as mapped in the information systems.
C. Review of policies, procedures and practices relevant to the areas of audit.
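Item A(d) above (SAP profile parameters) is where most of the password-policy, lockout and logging settings referenced later in this brief actually live. The following is an added worked example, not part of the assignment text or any ABM material: it checks an RSPARAM-style parameter export against an assumed audit baseline. The parameter names are real SAP profile parameters; the baseline thresholds are an assumed baseline the auditor would agree with ABM, and the export lines are constructed, not real system output.

```python
"""Baseline check of SAP profile parameters from an RSPARAM-style export.

Added example for the IS audit scope; not part of the assignment text.
Parameter names are real SAP profile parameters; the baseline values are
an assumed audit baseline and the sample export below is constructed.
"""
from __future__ import annotations

from typing import Callable


def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    """Predicate: value parses as an integer within [lo, hi]."""
    def ok(v: str) -> bool:
        try:
            return lo <= int(v) <= hi
        except ValueError:
            return False
    return ok


def _logging_on(v: str) -> bool:
    """rec/client: 'ALL' or an explicit client list means table change logging is on."""
    v = v.strip().upper()
    return v == "ALL" or (v != "" and all(c.strip().isdigit() for c in v.split(",")))


# Assumed baseline: parameter -> (predicate on effective value, expectation text)
BASELINE: dict[str, tuple[Callable[[str], bool], str]] = {
    "login/min_password_lng": (_int_between(8, 40), ">= 8 characters"),
    "login/fails_to_user_lock": (_int_between(1, 5), "lock after at most 5 failed logons"),
    "login/fails_to_session_end": (_int_between(1, 3), "end session after at most 3 failures"),
    "login/password_expiration_time": (_int_between(1, 90), "expire within 90 days (0 = never)"),
    "login/no_automatic_user_sapstar": (_int_between(1, 1), "= 1 (do not recreate SAP* automatically)"),
    "rdisp/gui_auto_logout": (_int_between(1, 1800), "idle GUI sessions ended within 30 minutes"),
    "rsau/enable": (_int_between(1, 1), "= 1 (Security Audit Log active)"),
    "rec/client": (_logging_on, "ALL or a client list (table change logging on)"),
}


def parse_rsparam(text: str) -> dict[str, str]:
    """Parse tab-separated lines: name, user-defined value, system default.

    The effective value is the user-defined value if set, otherwise the
    default, mirroring the two value columns RSPARAM displays.
    """
    params: dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        name, user_val, default_val = (raw.split("\t") + ["", ""])[:3]
        params[name.strip()] = user_val.strip() or default_val.strip()
    return params


def check_baseline(params: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (parameter, effective value, expectation) for every deviation.

    A parameter missing from the export is itself a finding: the auditor
    cannot conclude the control exists without seeing the value.
    """
    findings: list[tuple[str, str, str]] = []
    for name, (predicate, expectation) in BASELINE.items():
        value = params.get(name)
        if value is None:
            findings.append((name, "<not in export>", expectation))
        elif not predicate(value):
            findings.append((name, value, expectation))
    return findings


# Constructed export (not real system output): name<TAB>user value<TAB>default
SAMPLE_EXPORT = "\n".join([
    "login/min_password_lng\t\t6",
    "login/fails_to_user_lock\t12\t5",
    "login/fails_to_session_end\t\t3",
    "login/password_expiration_time\t\t0",
    "login/no_automatic_user_sapstar\t1\t0",
    "rdisp/gui_auto_logout\t\t0",
    "rsau/enable\t\t0",
    "rec/client\tOFF\tOFF",
])

if __name__ == "__main__":
    for name, value, expectation in check_baseline(parse_rsparam(SAMPLE_EXPORT)):
        print(f"{name}: found {value!r}, expected {expectation}")
```

Run against the constructed export, the check reports six deviations (short minimum password length, a lockout threshold of 12, passwords that never expire, no GUI auto-logout, Security Audit Log off and table change logging off) and passes the two settings that meet the baseline. In a real engagement the export would come from RSPARAM or RZ11 on each production instance, and every instance should be checked because instance profiles can override the default profile.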

5. Specific areas of Audit


The IS Audit of the SAP deployment would be conducted at the IT department at the corporate office in
Bangalore. The proposed phases and areas of audit are outlined below.

A. SECURITY AUDIT

OBJECTIVE: Assess vulnerabilities of the SAP implementation to attacks from within and outside and
suggest appropriate counter-measures so as to safeguard information against unauthorized use,
disclosure or modification, damage or loss.

B. USER AUTHENTICATION AND AUTHORIZATION

OBJECTIVE: To review the processes for granting access to systems, verify the logical access controls,
and assess whether the specified roles and responsibilities are aligned with the business and provide
effective direction and adequate control, so as to ensure that access to systems, data and programs is
restricted to authorised users and that information is safeguarded against unauthorised use,
disclosure or modification, damage or loss.
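The authorisation review above turns in practice on two questions: does any single user hold conflicting duties, and who holds transactions that should not be open in production? The following is an added worked example, not part of the assignment text or any ABM material, showing how an auditor can answer both from extracts of the SAP role tables. The table names AGR_USERS (user-to-role assignments with validity dates) and AGR_TCODES (role-to-transaction mapping) and the transaction codes are real; the conflict rules, role names and the extracts themselves are assumptions constructed for illustration, and the real rule set would be agreed with ABM's business process owners.

```python
"""Segregation-of-duties (SoD) and critical-access check over SAP role data.

Added example for the user authorisation review; not part of the assignment
text. Table/field names and transaction codes are real SAP names; the rules,
role names and CSV extracts below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io

# Assumed SoD rules: a user who can run a code from both sides has a conflict.
SOD_RULES: dict[str, tuple[set[str], set[str]]] = {
    "vendor master maintenance vs vendor invoice posting":
        ({"XK01", "XK02", "FK01", "FK02"}, {"FB60", "F-43"}),
    "purchase order creation vs goods receipt": ({"ME21N"}, {"MIGO"}),
    "user maintenance vs role maintenance": ({"SU01"}, {"PFCG"}),
}

# Assumed list of transactions that should not be assigned in production.
CRITICAL_TCODES = {"SE16", "SA38", "SE38", "SCC4", "SM30"}


def load_user_tcodes(agr_users_csv: str, agr_tcodes_csv: str, as_of: str) -> dict[str, set[str]]:
    """Map each user to the transaction codes reachable through role
    assignments valid on `as_of` (YYYYMMDD, the format of FROM_DAT/TO_DAT)."""
    role_tcodes: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(agr_tcodes_csv)):
        role_tcodes.setdefault(row["AGR_NAME"], set()).add(row["TCODE"])

    user_tcodes: dict[str, set[str]] = {}
    for row in csv.DictReader(io.StringIO(agr_users_csv)):
        if not (row["FROM_DAT"] <= as_of <= row["TO_DAT"]):
            continue  # expired or future assignment grants nothing today
        user_tcodes.setdefault(row["UNAME"], set()).update(role_tcodes.get(row["AGR_NAME"], set()))
    return user_tcodes


def find_sod_conflicts(user_tcodes: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (user, rule name) for every rule both of whose sides a user can reach."""
    conflicts = []
    for user, tcodes in sorted(user_tcodes.items()):
        for rule, (side_a, side_b) in SOD_RULES.items():
            if tcodes & side_a and tcodes & side_b:
                conflicts.append((user, rule))
    return conflicts


def find_critical_access(user_tcodes: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (user, transaction) for every critical transaction a user can reach."""
    return sorted((u, t) for u, tcodes in user_tcodes.items() for t in tcodes & CRITICAL_TCODES)


# Constructed extracts (not real ABM data).
AGR_USERS_EXTRACT = """UNAME,AGR_NAME,FROM_DAT,TO_DAT
AP_CLERK1,Z_AP_INVOICE,20101001,99991231
AP_CLERK1,Z_VENDOR_MASTER,20101001,99991231
BUYER1,Z_PURCHASING,20101001,99991231
BUYER1,Z_GOODS_RECEIPT,20101001,20111231
BASIS1,Z_USER_ADMIN,20101001,99991231
BASIS1,Z_ROLE_ADMIN,20101001,99991231
BASIS1,Z_DEV_TOOLS,20101001,99991231
"""

AGR_TCODES_EXTRACT = """AGR_NAME,TCODE
Z_AP_INVOICE,FB60
Z_AP_INVOICE,F-43
Z_VENDOR_MASTER,XK01
Z_VENDOR_MASTER,XK02
Z_PURCHASING,ME21N
Z_PURCHASING,ME22N
Z_GOODS_RECEIPT,MIGO
Z_USER_ADMIN,SU01
Z_ROLE_ADMIN,PFCG
Z_DEV_TOOLS,SE16
Z_DEV_TOOLS,SA38
"""

if __name__ == "__main__":
    access = load_user_tcodes(AGR_USERS_EXTRACT, AGR_TCODES_EXTRACT, as_of="20120630")
    for user, rule in find_sod_conflicts(access):
        print(f"SoD conflict: {user}: {rule}")
    for user, tcode in find_critical_access(access):
        print(f"Critical access: {user} can run {tcode}")
```

With the constructed data and an as-of date of 30 June 2012, AP_CLERK1 is flagged for vendor master plus invoice posting and BASIS1 for user plus role maintenance and for SE16/SA38; BUYER1 is not flagged, because the goods-receipt role expired at the end of 2011 and an expired assignment is not access. Re-running with an earlier as-of date shows the same buyer in conflict, which is why the auditor should state the date the extracts were taken. Transactions in AGR_TCODES are only the role menu; a complete review would also check the S_TCODE authorisation object values in the role's profile, since a transaction can be reachable without appearing in the menu.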

C. AUDIT TRAILS

OBJECTIVE: To assess that audit trails exist to facilitate the tracing of transaction processing and
reconciliation of data so as to ensure that adequate and appropriate audit trails/logs are developed and
used within the company for ensuring effective monitoring of the mission critical systems and processes.


D. CHANGE MANAGEMENT (PRODUCTION SYSTEM INTEGRITY)

OBJECTIVE: To assess and evaluate management system relating to all changes requested and made
to the existing production systems in respect of SAP applications, so as to minimize the likelihood of
disruption, unauthorized alterations, and errors.

E. SYSTEMS MONITORING

OBJECTIVE: To evaluate data collection, analysis and reporting on resource performance, application
sizing and workload demand so as to ensure that adequate capacity is available and that best and
optimal use is made of it to meet required performance needs of the business process owners.

F. BUSINESS PROCESS CONFIGURATION

OBJECTIVE: Assess the internal control framework in respect of specified SAP application, review of
parameter settings and configuration management and suggest improvements so as to ensure that data
remains complete, accurate and valid during its input, update and storage.

The audit plan would cover the following activities:

1. Discussions with the identified personnel, as required:
   • Internal Audit, systems and implementation team
   • Business process owners, users and user management
2. Review of operating system (OS) documentation
3. Examination of OS access rights
4. Review of Oracle/SAP manuals
5. Examination of access profiles of the selected modules
6. Observation of the users and the systems in operation
7. Review of access controls over computing resources, as relevant
8. Review of parameter settings and the configuration management process
9. Review of the change management process
10. Examination of the computerised processing controls incorporated within the selected modules.

6. Expectations and deliverables from Information Systems Audit of SAP

Expectations from IS Audit


The expectations, as outlined in the letter setting out the scope of the proposed audit, are given below:

• The findings of the IS Audit are expected to identify the various risks and weaknesses in the controls
in the ERP and its environment, together with possible corrective action. It is expected that the
various internal controls and procedures in force in the Company will be reviewed for incorporation
in the ERP, and that recommendations will be made for strengthening the ERP controls. The IS Audit will
also identify areas of redundancy in internal audit checks, for elimination, while highlighting areas
requiring risk-based internal audit checks in the ERP environment.
• It is expected that a checklist will be developed to enable the Company's Internal, Statutory and
Government auditors to satisfy themselves about the internal controls and security features incorporated
into the ERP to make the data tamper-proof and reliable. The audit should cover the operating system,
database management, server capacity and suitability, data security, the disaster recovery plan, access
control, authorisation procedures and controls, password policy, business process customisation and
configuration, integration with other modules, data flow across the modules, audit trail, change
management issues, etc.

7. Deliverables of project
1. Please prepare a questionnaire to understand the key objectives of the assignment, nature of
business operations, details of IT Resources deployment (Hardware, OS, Database, application
software) and details of overall security and controls as implemented
2. Please prepare list of documentation which is required for performing the assignment.
3. Please prepare list of Infrastructure required and outline strategy for execution of assignment.
4. Please prepare list of audit team members with specific skill-set required for the assignment.
5. Please prepare detailed methodology of execution of assignment covering all phases of audit.

8. Format of deliverables
Please use relevant standards, guidelines and best practices as relevant for IS Audit of SAP, specified
technology deployed, business processes of the organisation and the organisation structure. Please refer
to DISA background material and perform additional research as required. Please provide each of the
above deliverables in standard format.

Private and Confidential (for use by participants of DISA 2 Course) Page 4
