
PAF KARACHI INSTITUTE OF

ECONOMICS AND TECHNOLOGY

FINAL PROJECT REPORT


IS/ERP AUDIT

PREPARED BY: TABASSUM MUJEEB (56529)

AREEBA ASLAM (56353)

SUBMITTED TO: SIR AMJAD ALI


ACKNOWLEDGEMENT
All praise and thanks be to Almighty ALLAH, the Lord and Creator of this universe, by
whose power and glory all good things are accomplished. He is the most Merciful, who
bestowed on us the potential, ability and opportunity to work on this project.

We have put effort into this project. However, it would not have been possible
without the kind support and guidance of our respected teacher SIR AMJAD ALI. We would
like to extend our sincere thanks to him.

Our thanks and appreciation also go to our fellow friends who helped in developing the
project and to everyone who willingly helped us out with their abilities.

IS/ERP Audit Page 2


TABLE OF CONTENTS
ACKNOWLEDGEMENT ............................................................ 2
INTRODUCTION OF IS/ERP AUDIT ............................................... 5
ORGANISATIONAL IMPACTS OF INFORMATION SYSTEM AUDITING ...................... 5
AUDIT OBJECTIVE ............................................................ 5
COLGATE-PALMOLIVE .......................................................... 6
DATA CENTER ................................................................ 7
DATA CENTER MOVE CHECKLIST: DOCUMENTS AND PROCEDURES ....................... 8
DATA CENTER PROGRAM RECOMMENDED IN COLGATE-PALMOLIVE ....................... 8
DATACENTER PROVIDES ........................................................ 9
BENEFITS ................................................................... 9
CUTTING COST BY CONSOLIDATING DATA CENTERS ................................. 10
LEARNING POINTS ............................................................ 10
COLGATE'S SAP AUDIT DATACENTER MANAGEMENT APPLICATIONS ..................... 11
EOHS ....................................................................... 11
Factory Performance and Reliability ........................................ 11
Quality .................................................................... 11
Supplier Management ........................................................ 11
KEY FUNCTIONALITY .......................................................... 11
COLGATE-PALMOLIVE AUDIT BUSINESS PROCESS ................................... 12
PLANNING ................................................................... 12
AUDITING ................................................................... 12
REPORTING .................................................................. 13
CORRECTIVE ACTION .......................................................... 13
FOLLOW-UP .................................................................. 14
AUDIT MANAGEMENT TERMS ..................................................... 14
PRIMARY SERVER ............................................................. 14
SECONDARY SERVER (BACKUP) .................................................. 14
DATABASE ADMINISTRATOR (DBA) ROLE .......................................... 15
RESPONSIBILITIES ........................................................... 15
DATA ADMINISTRATOR ......................................................... 16
COLGATE-PALMOLIVE 3RD PARTY / OUTSOURCE SUPPLIERS .......................... 16
OUTSOURCING SERVICES ....................................................... 16
COLGATE CUSTOMER EXPECTATIONS AND SATISFACTION WITH 3PL ACHIEVEMENTS ....... 16
OTHER OUTSOURCE ............................................................ 17
QUESTIONNAIRE .............................................................. 18
CONCLUSION ................................................................. 33



INTRODUCTION OF IS/ERP AUDIT
An information systems (IS) audit evaluates the effectiveness of an information
system's controls. It aims to establish whether the information systems safeguard
corporate assets, maintain the integrity of stored and communicated data, support
corporate objectives effectively, and operate efficiently. An IS audit is often performed
as part of a more general financial audit that verifies an organization's accounting
records and financial statements; this is possible because information systems are
designed so that every financial transaction can be traced. An ERP audit applies the
same tests to the enterprise resource planning system (in this report, SAP) through
which those transactions flow.

ORGANISATIONAL IMPACTS OF
INFORMATION SYSTEM AUDITING
Information systems support business operations; individual and group decision
making; new product development; relationships with customers, suppliers and
partners; the pursuit of competitive advantage; and, in some cases, the business model
itself. They bring new options to the way companies interact and compete, the way
organizations are structured, and the way workplaces are designed. In general, web-based
information systems can significantly lower the cost of communication among workers
and firms and cost-effectively improve the coordination of supply chains or supply webs.
This has led many organizations to concentrate on their core competencies and to
outsource other parts of their value chain to specialized companies, so the auditor's
scope has to extend to those outsourced services as well.

The guidance that follows applies to IS audits performed by internal, external or
government auditors, although the emphasis placed on report content may vary with the
type of audit engagement and who performed it. Guidance is also provided on report
organization, writing, review and editing, and presentation.

AUDIT OBJECTIVE
The audit's objective is to determine whether the risk management, control and
governance processes over the Management Information System (MIS) provide reasonable
assurance that:
• security and confidentiality of data and information are appropriate;
• the quality and integrity of the data processed ensure accurate and complete
management reporting;
• the availability of information to users is consistent with Service Level Agreement
(SLA) requirements.

COLGATE-PALMOLIVE
Colgate-Palmolive Company manufactures and markets consumer products
worldwide. It offers oral care products, including toothpaste, toothbrushes and mouth
rinses, as well as dental floss and pharmaceutical products for dentists and other oral
health professionals; personal care products, such as liquid hand soap, shower gels, bar
soaps, deodorants, antiperspirants, shampoos and conditioners; and home care products
comprising laundry and dishwashing detergents, fabric conditioners, household cleaners,
bleaches, dishwashing liquids and oil soaps.

Colgate's long history of strong performance comes from an absolute focus on its core
global businesses: Oral Care, Personal Care, Home Care and Pet Nutrition. Around the
world, Colgate has consistently increased gross margin while at the same time reducing
costs in order to fund growth initiatives, including new product development and
increases in marketing spending. These, in turn, have generated greater profitability.

Colgate managers around the world are dedicated to increasing market share in all of
its core businesses. Colgate has achieved global leadership in toothpaste, hand
dishwashing liquid, liquid hand soap and specialty pet food. The Company's oral care
products include Colgate Total, Colgate Sensitive Pro-Relief, Colgate Max Fresh, Colgate
Optic White and Colgate Luminous White toothpastes; Colgate 360° and Colgate Slim Soft
manual toothbrushes; and Colgate Optic White, Colgate Total and Colgate Plax
mouthwashes. The oral care business also includes dental floss and pharmaceutical
products for dentists and other oral health professionals. The Company sells its personal
care products under the Palmolive, Porte and Softsoap brands. Its personal care products
also include Palmolive, Sanex and Softsoap shower gels; Palmolive, Irish Spring and
Protex bar soaps; and Speed Stick, Lady Speed Stick and Sanex deodorants and
antiperspirants.

The Company manufactures and markets an array of Home Care products, including
Palmolive and Ajax dishwashing liquids, Fabuloso and Ajax household cleaners and
Murphy's Oil Soap.



DATA CENTER
A data center (sometimes spelled datacenter) is a centralized repository, either
physical or virtual, for the storage, management, and dissemination of data and information
organized around a particular body of knowledge or pertaining to a particular business.

Large-scale computer systems have been around for a while, and many people are
already familiar with the term data center. In the 1940s, computers were so large that
individual rooms had to be specially set aside to house them. Even the steady miniaturization
of the computer did not initially change this arrangement because the functional scope
increased to such an extent that the systems still required the same amount of space.



DATA CENTER MOVE CHECKLIST
DOCUMENTS AND PROCEDURES
• Business case (why undertake the move, reference cases, profitability estimates) and
cost models that take contingencies into account. Don't forget that this move affects
the whole company.
• Discovery process: inventory of hardware, applications, databases, firewalls, load
balancers, storage, etc. Don't expect this to be easy.
• Contract templates for all third parties. Secure vendor agreements so that warranties
and service contracts remain valid after the move.
• Project plan: a high-level timeline and action plan, budget, communications strategy
and change management plan. It should also cover the skills required to move the data
center, architectural information on the new site, a risk management plan and quality
assurance policies, and the methods of procedure for migrating hardware and
applications (swing applications from old to new equipment, or lift and shift the
hardware?).
• Load tests and failure tests at the new site prior to full production operation.
• Plan for the vacated space: will it be used as additional capacity, renovated, left
empty or sold?
• Tracking and reporting tools and dashboards, to show that application performance,
network latency and other benchmarks are met or improved.

DATA CENTER PROGRAM RECOMMENDED
IN COLGATE-PALMOLIVE
The data center program recommended for Colgate-Palmolive is aimed at:
• data centre managers who want to identify areas where enhancements can be made to
achieve energy savings and increase availability;
• companies that need proof points to plan their IT infrastructure initiatives and
support their budget requests;
• data centre managers who want objective insight into the status and health of their
data centre infrastructure.



DATACENTER PROVIDES
• Highest level of availability: maximize efficiency and uptime of the data center;
avoid equipment shutdown due to power interruptions.
• Energy efficiency: optimize the utilization of the power and cooling infrastructure by
identifying hot spots and other risks to the data center.
• Flexibility: effectively configure computing and infrastructure equipment to meet
future needs.
• Low total cost of ownership: reduce the operating costs of computer support equipment.

BENEFITS
• Reduce unplanned downtime
• Lower overall maintenance costs
• Improve system reliability
• Prevent problems before they occur
• Extend the life of equipment
• Ensure personnel safety



CUTTING COST BY CONSOLIDATING DATA
CENTERS
By far our biggest cost cutting measure was around the consolidation of our data
center. We needed to do that for two reasons. One is, although we are a global company, for a
long time we were dealing in many markets globally; however, we managed the business as
divisions. That was fine for a long time, but as we started to globalize our functions, for
example IT and supply chain, it became even more important for us to integrate between the
divisions so that we could get work done across borders. We started off with over fifty data
centers around the world. A data center is anything from a small server room to a very large
data center that people are particularly familiar with. Today we have one global data center
that runs the entire world. So over time, over the last 10 years, we've consolidated to what we
have today, which is now one data center. With this data center, for each year, we've saved
over $10 million in terms of spend. Now today we're in a situation where, with this
one global data center, we have a much better handle on our disaster recovery situation. We
don't have 50 data centers around the world where we have people manning those data
centers, doing the work around that. We're much better able to leverage our scale and our
size. We leverage that in terms of negotiating pricing.

LEARNING POINTS
• Review the Audit Management hierarchy design to understand the flexibility in
scoring and evaluation that SAP provides out of the box.
• See how Colgate developed a web-based interface to enable multiple auditors to enter
data in a user-friendly environment.
• Learn how Adobe Interactive Forms provided an offline interface to conduct an audit
as well as to record facility corrective-action follow-up.



COLGATE'S SAP AUDIT DATACENTER
MANAGEMENT APPLICATIONS
EOHS:
Ensure compliance with environmental, occupational health and safety rules and
regulations. The health and safety of our customers, our employees and the communities
in which we operate must be paramount in all we do.

Factory Performance and Reliability:
For Colgate factories to measure and plan continuous improvement toward manufacturing
effectiveness and efficiency by establishing global practices.

Quality:
Ensure we meet global Colgate quality standards in the design, manufacturing and
distribution of our products, and meet or exceed all government requirements and
consumer expectations.

Supplier Management:
To ensure direct materials and finished goods suppliers meet the expected quality
standards, service and cost.

Key Functionality:
• Common audit application and set of reports across business groups.
• Single audit planning workbench to ensure a reasonable audit schedule per site.
• Web-based interface to conduct audits and manage the facility follow-up action plan.
• Offline auditing for supplier audits.



COLGATE–PALMOLIVE AUDIT BUSINESS
PROCESS

Audit Management comprises five activities: planning, auditing, reporting, corrective
action and follow-up.

PLANNING
• Set expectations in Question Lists.
• Audits are scheduled by creating them in the SAP GUI, with:
  - Audit Description
  - Audit Object with customized fields
  - Proposed and Actual dates
• Texts tab:
  - Custom list of long texts
  - Text Editor (double-click to switch to MS Word)
• Participant tab:
  - Custom list of Roles (influences security: the assigned role governs what a
participant may see and change in the audit)
  - Business Partners assigned to the Audit

AUDITING
• Observations are entered into the audit.
• Findings are evaluated for severity.
• Finding valuation is recorded on the Basic Data tab (not shown).
• Long text areas include both standard and custom types.

[Figure: process flow Planning > Auditing > Reporting > Corrective Action > Follow-up,
with the performance expectation, shown for reference]

REPORTING
Reports are generated on a specific audit:
• Daily Progress Report
• Audit Report
• Preliminary Findings
• Executive Summary
• Paper Protocol

CORRECTIVE ACTION
Actions to address findings are tracked, with:
• Schedule for resolution
• Current status
• Text description of the action
• Milestone tracking

FOLLOW-UP
Reports are generated across audits and are used to identify trends in findings:
• Corrective action timely closure
• Findings by category or division
• Audit participants
• Summary of findings
• Summary of actions

AUDIT MANAGEMENT TERMS
• Audit: the questions associated with the evaluation of a facility or process at a given
place and time.
• Question List: a collection of questions organized in a hierarchy ("tree structure").
• Question: an object in an audit that can record headings, requirements and/or findings.
• Valuation: an assessment given to a question.
• Rating: a score computed from the valuations of related (subordinate) questions.
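To make the relationship between question lists, valuations and ratings concrete, here is an added worked example in Python. It is not SAP's implementation and not Colgate's configuration; it models a question list as a tree, lets leaf questions carry a valuation, and rolls a rating up at each level. The 0..10 scale, the weights, the finding threshold and the rule that a critical finding zeroes its branch are assumptions made for the example, as is the sample question list itself.

```python
"""Question list, valuation and rating (added example; not SAP code).

A question list is modelled as a tree of Question objects: heading questions
carry children, leaf questions carry the auditor's valuation. The rating of
any node is rolled up from its children. Scale (0..10), weights, the finding
threshold (below 5) and the 'critical finding zeroes its branch' rule are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Question:
    text: str
    weight: float = 1.0                       # weight of this question within its parent
    valuation: Optional[float] = None         # leaf only: auditor's score, 0..10
    critical: bool = False                    # leaf only: finding that fails the branch
    children: List["Question"] = field(default_factory=list)

    def is_leaf(self) -> bool:
        return not self.children


def rating(q: Question) -> Optional[float]:
    """Weighted average of the valuations below q, on the 0..10 scale.

    Returns None when nothing below q has been valued yet, so an unassessed
    branch never counts as a perfect score. A critical finding contributes 0.
    """
    if q.is_leaf():
        if q.valuation is None:
            return None
        return 0.0 if q.critical else float(q.valuation)
    weighted, total = 0.0, 0.0
    for child in q.children:
        r = rating(child)
        if r is None:
            continue                          # unvalued child: excluded, not zero
        weighted += child.weight * r
        total += child.weight
    return None if total == 0 else round(weighted / total, 2)


def findings(q: Question, path: Tuple[str, ...] = ()) -> List[Tuple[str, float]]:
    """Leaf questions valued below the threshold (or critical), with their tree path."""
    here = path + (q.text,)
    if q.is_leaf():
        if q.valuation is not None and (q.critical or q.valuation < 5):
            return [(" > ".join(here), 0.0 if q.critical else float(q.valuation))]
        return []
    out: List[Tuple[str, float]] = []
    for child in q.children:
        out.extend(findings(child, here))
    return out


def sample_question_list() -> Question:
    """Constructed question list for a data centre audit (not a real SAP list)."""
    physical = Question("Physical security", children=[
        Question("Card-key system restricts entrance to the computer room", valuation=10),
        Question("Terminated employees' access codes cancelled promptly", valuation=3),
        Question("Visitor sign-in log maintained", weight=0.5, valuation=8),
    ])
    logical = Question("Logical access", children=[
        Question("Unique passwords enforced", valuation=10),
        Question("Passwords changed periodically"),                    # not yet assessed
        Question("Sensitive data protected by restricted access", valuation=2, critical=True),
    ])
    return Question("Data centre audit", children=[physical, logical])


if __name__ == "__main__":
    root = sample_question_list()
    for node in (root, *root.children):
        print(f"{node.text}: rating {rating(node)}")
    for where, score in findings(root):
        print(f"finding ({score}): {where}")
```

Two design choices matter for an auditor reading the roll-up: an unvalued question is excluded from the average rather than scored as zero or ten, so a half-finished audit does not misreport either way, and a critical finding drags its whole branch down instead of being diluted by neighbouring good scores.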

PRIMARY SERVER
A primary server is the authoritative DNS server that holds the master copy of a zone's
data and answers queries for it. It can be contrasted with the secondary server, which also
answers queries for the zone but holds only a read-only copy obtained from the primary by
zone transfer rather than the editable master data. A simple way to picture the
relationship: if the primary server is temporarily busy or unavailable, the secondary server
continues to answer as a backup resource.

SECONDARY SERVER (BACKUP)
DNS design guidance recommends that at least two DNS servers host each zone. For
standard primary-type zones, a secondary server is needed so that the zone remains
available to the other DNS servers in the network; for directory-integrated primary zones
(for example Active Directory-integrated zones), secondary servers are supported but not
required for this purpose.

Secondary servers also reduce DNS query traffic in areas of the network where a zone is
heavily queried and used. Additionally, if the primary server is down, a secondary server
can provide name resolution in the zone until the primary is available again. Locate each
secondary server as close as possible to the clients that have a high demand for names in
the zone, and consider placing secondary servers across a router, either on other subnets
(in a routed LAN) or across WAN links. This makes the secondary a useful local backup when
an intermediate network link becomes the point of failure between the DNS servers and the
clients that use the zone.

From an audit standpoint two points follow. A secondary is only a useful backup if it is
actually in sync with the primary, which is visible in the SOA serial each server reports
for the zone. And zone transfers on the primary should be restricted to the known
secondary servers, because an unrestricted transfer hands a complete copy of the zone to
anyone who asks for it.
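The two audit points above can be scripted. The following is an added example in Python, not part of the original report and not any vendor's tooling: it takes per-server snapshots of each zone, constructed inline here and identified by server name rather than address, and reports zones hosted on a single server, secondaries whose SOA serial lags the primary, and primaries whose zone-transfer list contains hosts other than their own secondaries. Serial comparison is plain integer comparison; RFC 1982 serial-number wrap-around is deliberately not handled.

```python
"""Primary/secondary DNS zone audit (added example; constructed data).

For each zone we hold one ZoneView per server. The 'allow_transfer' list is
the primary's zone-transfer ACL, expressed with the same server identifiers
used for the secondaries (an assumption; real ACLs hold addresses or keys).
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ZoneView:
    server: str                      # server identifier
    role: str                        # "primary" or "secondary"
    serial: int                      # SOA serial as served by this server
    allow_transfer: List[str] = field(default_factory=list)  # primary only


def audit_zone(zone: str, views: List[ZoneView]) -> List[str]:
    """Return human-readable findings for one zone (empty list means no issue)."""
    findings: List[str] = []
    primaries = [v for v in views if v.role == "primary"]
    secondaries = [v for v in views if v.role == "secondary"]

    if len(primaries) != 1:
        return [f"{zone}: expected exactly one primary, found {len(primaries)}"]
    primary = primaries[0]

    # At least two servers should host every zone.
    if not secondaries:
        findings.append(f"{zone}: hosted only on {primary.server}; no secondary server")

    # A secondary is only a usable backup if its copy is current.
    # Plain integer comparison of serials; RFC 1982 wrap-around is ignored here.
    for s in secondaries:
        if s.serial < primary.serial:
            findings.append(
                f"{zone}: secondary {s.server} serial {s.serial} lags primary serial {primary.serial}")
        elif s.serial > primary.serial:
            findings.append(
                f"{zone}: secondary {s.server} serial {s.serial} is ahead of the primary; investigate")

    # Zone transfers should be allowed to the known secondaries and to nobody else.
    secondary_ids = {s.server for s in secondaries}
    for host in primary.allow_transfer:
        if host not in secondary_ids:
            findings.append(
                f"{zone}: primary {primary.server} allows zone transfer to non-secondary {host}")
    for s in secondaries:
        if s.server not in primary.allow_transfer:
            findings.append(
                f"{zone}: secondary {s.server} is not in the primary's transfer ACL; it cannot refresh")
    return findings


def audit_all(zones: Dict[str, List[ZoneView]]) -> Dict[str, List[str]]:
    return {zone: audit_zone(zone, views) for zone, views in zones.items()}


def sample_zones() -> Dict[str, List[ZoneView]]:
    """Constructed snapshots: one healthy zone, one stale and over-permissive, one single-server."""
    return {
        "corp.example": [
            ZoneView("ns1", "primary", 2024050101, allow_transfer=["ns2"]),
            ZoneView("ns2", "secondary", 2024050101),
        ],
        "sales.example": [
            ZoneView("ns1", "primary", 2024050107, allow_transfer=["ns2", "203.0.113.9"]),
            ZoneView("ns2", "secondary", 2024050102),
        ],
        "lab.example": [
            ZoneView("ns3", "primary", 5),
        ],
    }


if __name__ == "__main__":
    for zone, issues in audit_all(sample_zones()).items():
        print(zone, "OK" if not issues else "")
        for line in issues:
            print("  -", line)
```

In a live audit the snapshots would come from querying each server's SOA record and from the primary's configuration; the checks themselves do not change.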

DATABASE ADMINISTRATOR (DBA) ROLE
In a security and auditing project the DBA develops and tests database tools, processes
and customizations that secure, automate and integrate database auditing output with the
enterprise Security Information and Event Management (SIEM) platform. The DBA works closely
with the database, server and security engineering teams to gather requirements and turn
them into effective alerting and reporting solutions.

RESPONSIBILITIES
• Perform traditional DBA activities in support of the security and auditing project.
• Understand the existing database and SIEM landscape, including the lab and
proof-of-concept (POC) environments.
• Implement database auditing and maintenance products on the database platforms and
integrate them into the SIEM system.
• Work with application owners and DBAs to assess the database performance impact of the
tested technology.
• Work with technology engineering teams to define and document the end-to-end
management process: alerting, reporting, actions, etc.
• Document test plans, approach, implementation and operational procedures.
• Update implementation and migration plans, installation checklists and the necessary
documentation, per the project plan.
• Retain all output from implementation, configuration and testing.
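As an added example of the integration work described above (example code, not Colgate's and not any vendor's), here is a small normaliser that turns database audit log lines into SIEM-ready events and marks privileged operations for alerting. The sample lines are constructed in a pgaudit-style layout behind a PostgreSQL log_line_prefix of '%t [%p] %u@%d '; the field order of the AUDIT payload follows pgaudit's session audit format. The host name, the severity mapping and the set of commands treated as privileged are assumptions.

```python
"""Database audit log to SIEM normaliser (added example; constructed data).

Input lines are constructed in a pgaudit-style layout behind a PostgreSQL
log_line_prefix of '%t [%p] %u@%d '. The AUDIT payload follows pgaudit's
session audit field order: audit type, statement id, substatement id,
class, command, object type, object name, statement, parameters.
Host name, severity mapping and the privileged command set are assumptions.
"""
import csv
import io
import json
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+AUDIT: (?P<payload>.*)$"
)

# Commands that change who can do what, or destroy data: always worth an alert.
PRIVILEGED_COMMANDS = {"GRANT", "REVOKE", "CREATE ROLE", "ALTER ROLE", "DROP ROLE",
                       "DROP TABLE", "TRUNCATE TABLE", "ALTER TABLE"}


@dataclass
class SiemEvent:
    timestamp: str
    host: str
    db_user: str
    database: str
    audit_class: str      # pgaudit class: READ, WRITE, DDL, ROLE, ...
    command: str
    object_name: str
    statement: str
    severity: str         # "high" or "info"


def parse_audit_line(line: str, host: str) -> Optional[SiemEvent]:
    """Return a SiemEvent for an audit record, or None for any other log line."""
    m = AUDIT_LINE.match(line)
    if not m:
        return None
    # The payload is CSV: the statement field may itself contain commas,
    # in which case it arrives quoted, so use a real CSV parser.
    fields = next(csv.reader(io.StringIO(m["payload"])))
    if len(fields) < 8 or fields[0] not in ("SESSION", "OBJECT"):
        return None
    audit_class, command, object_name, statement = fields[3], fields[4], fields[6], fields[7]
    severity = "high" if audit_class == "ROLE" or command in PRIVILEGED_COMMANDS else "info"
    return SiemEvent(m["ts"], host, m["user"], m["db"], audit_class, command,
                     object_name, statement, severity)


def ingest(lines: List[str], host: str = "db-prod-01") -> List[SiemEvent]:
    return [e for e in (parse_audit_line(line, host) for line in lines) if e is not None]


def alerts(events: List[SiemEvent]) -> List[SiemEvent]:
    return [e for e in events if e.severity == "high"]


def to_siem_json(event: SiemEvent) -> str:
    """One JSON object per line, the shape most SIEM collectors accept."""
    return json.dumps({"source": "pgaudit", **asdict(event)}, sort_keys=True)


# Constructed sample log: one read, one GRANT, one DROP, one non-audit line, one DDL with commas.
SAMPLE_LOG = [
    "2024-05-01 09:14:02 UTC [4112] app_user@sales LOG:  AUDIT: SESSION,1,1,READ,SELECT,TABLE,"
    "public.orders,SELECT id FROM orders WHERE id = 42,<not logged>",
    "2024-05-01 09:15:10 UTC [4190] dba_jsmith@sales LOG:  AUDIT: SESSION,2,1,ROLE,GRANT,,,"
    "GRANT ALL ON orders TO contractor,<not logged>",
    "2024-05-01 09:16:33 UTC [4190] dba_jsmith@sales LOG:  AUDIT: SESSION,3,1,DDL,DROP TABLE,TABLE,"
    "public.orders_bak,DROP TABLE orders_bak,<not logged>",
    "2024-05-01 09:17:00 UTC [4190] dba_jsmith@sales LOG:  checkpoint starting: time",
    "2024-05-01 09:18:05 UTC [4201] app_user@sales LOG:  AUDIT: SESSION,4,1,DDL,CREATE TABLE,TABLE,"
    "public.audit_tmp,\"CREATE TABLE audit_tmp (id int, who text)\",<not logged>",
]

if __name__ == "__main__":
    for e in alerts(ingest(SAMPLE_LOG)):
        print(to_siem_json(e))
```

The point of parsing the payload as CSV rather than splitting on commas is visible in the last sample line: a statement containing commas arrives quoted, and a naive split would shift every later field. Ordinary reads become low-severity events that are retained for forensics, while role changes and destructive DDL surface as alerts.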



DATA ADMINISTRATOR
With the rise of data warehouses and data marts has come an increasing awareness of
the strategic value of corporate metadata. Without good metadata, users and IS shops find it
nearly impossible to compare data from different systems, and metadata is becoming the
next battleground between database vendors. Naturally, someone needs to be in charge of
metadata: the data administrator. Identifying and empowering a formal data administrator
will shorten data warehouse project timelines and will improve the quality of data flowing
through the organization.

COLGATE-PALMOLIVE 3RD PARTY /
OUTSOURCE SUPPLIERS
The main logistics services that Colgate-Palmolive outsources are stock transfer,
warehousing, distribution to customers and co-packing. These services have all been
assigned to a single third-party logistics (3PL) provider under an "overall single
responsibility" model, building a partnership based on continuous improvement and
economies of scale. According to the interviewees, the structure of the Colgate-Palmolive
Company in Greece is made up of the following departments: Economics, Marketing,
Customer Development, Customer Service & Logistics, IT, Manufacturing and Legal.

OUTSOURCING SERVICES
Typical reasons why outsourcing arrangements fail have been summarized as:
"Unclear goals and unrealistic expectations, internal sabotage by managers of the
firms engaging in outsourcing, and flaws in the contractual agreements linking the parties
involved".

COLGATE CUSTOMER EXPECTATIONS AND
SATISFACTION WITH 3PL ACHIEVEMENTS
According to the 3PL coordinator of Colgate-Palmolive, outsourced logistics service
providers should have critical mass, so that the 3PL business activity acquires
self-sustaining viability. Of equal importance is the providers' capability to maintain
flexibility for handling peaks and valleys while capitalizing on synergies to achieve
efficiency and effectiveness.

According to the 3PL coordinator, Colgate-Palmolive outsources its inbound logistics
to many suppliers, but has only one supplier in logistics areas such as warehousing,
co-packing and outbound. Regarding the basis of segmentation, in the majority of cases the
Company divides 3PL by geography and also by category segment.

The 3PL coordinator describes the relationship between Colgate and its 3PL providers
as successful, based on a win-win philosophy adopted in their common projects. The
coordinator also considers openness and full transparency necessary to maintain productive
collaboration: a good relationship helps in undertaking common projects that drive
efficiency and effectiveness and result in better service at lower cost.

OTHER OUTSOURCE
“Together we will develop specific, time bound and cost effective action plans for the
different challenges in sourcing commodities like palm oil, soya, beef, paper and board in a
sustainable fashion. We will also work with other stakeholders NGOs, Development Banks,
Governments etc to create funding mechanisms and other practical schemes that will
incentivize and assist forested countries to conserve their natural assets and enable them to
achieve the goal of zero net deforestation, whilst at the same time meeting their goals for
economic development.”



QUESTIONNAIRE
The answer recorded for each question (Yes, No or N/A) is shown in square brackets
after the question.

ACCESS CONTROLS
Access controls are comprised of those policies and procedures that are designed to allow
usage of data processing assets only in accordance with management's authorization.
Protection of these assets consists of both physical and logical access controls that
prevent or detect unauthorized use, damage, loss, or modification. The data processing
resources to be protected include the system software, application programs and tables,
transaction detail and history files, databases, documentation, hardware, and tape or
cartridge libraries. Access to these resources should be limited to those individuals
authorized to process or maintain a particular system.

PHYSICAL SECURITY
1. Does the organization maintain written procedures relating to controls over the
physical security of the computer equipment? [Yes]
2. Is the physical location of the computer/server/storage/training rooms appropriate to
ensure security? [Yes]
3. Are physical access devices (i.e., card-key or combination lock systems) used to
restrict entrance to the computer room? [Yes]
4. Obtain documentation listing all individuals with access to the computer room. [No]
   a. Are only those with a legitimate need included?
   b. Are terminated or transferred employees' access codes cancelled in a timely manner?
5. Does the organization have any policies for temporary access by employees, visitors,
or outside vendors? (e.g., are these individuals escorted during their activities, or are
ID badges or sign-in logs used?) [Yes]
6. Does the organization utilize monitoring software linked to the physical access device
to electronically monitor computer room entrances? [Yes]
   a. Are access reports generated?
   b. Are these reports reviewed by appropriate IT management?
7. Does the organization use plate glass or other techniques (e.g., surveillance cameras)
to visually monitor computer room access? [No]
8. Does the organization utilize procedures and devices to secure sensitive equipment and
storage media from the risk of environmental damage, such as: [Yes]
   a. Hand-held fire extinguishers?
   b. Smoke and heat sensors?
   c. Water detectors and humidity controls?
   d. Temperature controls and dedicated air conditioning units?
   e. An uninterruptible power supply (UPS), diesel or gas generators, or other power
generators?
9. For any other sensitive areas, are access controls to these areas adequate? Examples of
sensitive areas (besides the computer room) would include communications closets, any UPS
equipment, and tape libraries. [Yes]

LOGICAL ACCESS
1. Does the organization maintain written policies or procedures related to the security
controls over access to the system? [Yes]
2. Does the organization utilize various levels of security products (e.g., security
software, application and database security)? [No]
3. Determine the types of controls that are in place over the issuance, maintenance, and
termination of passwords. Do such controls include: [Yes]
   a. A security administrator designated to control password security?
   b. Informing employees of proper password security through training or signed security
statements?
   c. Unique passwords?
   d. Passwords changed on a periodic basis?
   e. Passwords cancelled or access rights modified in a timely manner upon an employee's
termination or transfer?
4. Are reports generated by the system's security software? [Yes]
   a. Are these reports regularly reviewed by the security administrator?
   b. Are procedures in place to follow up on these reports?
5. Is sensitive data protected by restricted access or other controls? [No]
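The computer-room access list question under physical security and the password change and termination questions under logical access are the ones an auditor most often tests by re-performance rather than by enquiry: take the HR leaver list and the account and badge exports, join them, and look for exceptions. The following is an added example of that test in Python; it is not part of the report's questionnaire. All people, systems, dates and the policy values (90-day maximum password age, access revoked by the day after termination) are constructed assumptions.

```python
"""Access review re-performance test (added example; constructed data).

Joins the HR employee list with account/badge exports and reports:
  - enabled accounts with no matching employee record,
  - enabled accounts belonging to staff terminated more than the grace
    period ago (physical security Q4b, logical access Q3e),
  - passwords older than the policy maximum (logical access Q3d).
Policy values, people, systems and dates are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed policy: periodic change interval
REVOCATION_GRACE = timedelta(days=1)    # assumed policy: access gone by the next day


@dataclass
class Employee:
    user_id: str
    department: str
    terminated_on: Optional[date] = None


@dataclass
class Account:
    user_id: str
    system: str                            # e.g. "SAP" or "computer-room-badge"
    enabled: bool
    last_password_change: Optional[date]   # None for badge systems


Finding = Tuple[str, str, str]   # (system, user_id, description)


def review_access(employees: List[Employee], accounts: List[Account],
                  as_of: date) -> List[Finding]:
    by_id = {e.user_id: e for e in employees}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                      # disabled access is not an exposure
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.system, acct.user_id,
                             "enabled access with no matching employee record"))
            continue
        if emp.terminated_on is not None and as_of - emp.terminated_on > REVOCATION_GRACE:
            days = (as_of - emp.terminated_on).days
            findings.append((acct.system, acct.user_id,
                             f"still enabled {days} days after termination on {emp.terminated_on}"))
        if (acct.last_password_change is not None
                and as_of - acct.last_password_change > MAX_PASSWORD_AGE):
            days = (as_of - acct.last_password_change).days
            findings.append((acct.system, acct.user_id,
                             f"password age {days} days exceeds {MAX_PASSWORD_AGE.days}-day policy"))
    return findings


def sample_data() -> Tuple[List[Employee], List[Account]]:
    """Constructed HR list and access exports (not real people or systems)."""
    employees = [
        Employee("alice", "IT"),
        Employee("bob", "Finance", terminated_on=date(2024, 3, 15)),
        Employee("carol", "HR"),
    ]
    accounts = [
        Account("alice", "SAP", True, date(2024, 1, 2)),            # password overdue
        Account("alice", "computer-room-badge", True, None),
        Account("bob", "SAP", True, date(2024, 2, 1)),              # leaver still enabled
        Account("bob", "computer-room-badge", True, None),          # leaver still holds a badge
        Account("carol", "SAP", False, date(2023, 6, 1)),           # disabled: ignored
        Account("dave", "SAP", True, date(2024, 4, 20)),            # nobody in HR called dave
    ]
    return employees, accounts


def run_sample() -> List[Finding]:
    employees, accounts = sample_data()
    return review_access(employees, accounts, as_of=date(2024, 5, 1))


if __name__ == "__main__":
    for system, user, why in run_sample():
        print(f"{system:22} {user:8} {why}")
```

Note the boundary in the sample: bob's SAP password is exactly 90 days old on the review date, which the policy as written does not flag, while his account being enabled 47 days after termination is flagged twice, once per system. Orphaned accounts (no HR record at all) are reported separately because they usually indicate a generic or vendor login rather than a leaver.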
PROGRAM CHANGE CONTROLS
Program change control is the process by which programmers make changes to computer
programs based upon requests from users or general maintenance requirements. The change
process involves authorization and approval procedures, an audit trail of the requests,
program testing, segregation of duties, and documentation of the process.

1. Does the organization maintain written procedures for controlling program changes
through IT management and programming personnel? [Yes]
2. Do program change authorization forms or screens prepared by the user (usually called a
Request for Services) include: [Yes]
   a. Authorization by user management before proposed program changes are made?
   b. Testing of program changes?
   c. IT management and user personnel review and approval of testing methodology and
test results?
3. Does the organization use library control software or other controls to manage source
programs and object programs, especially production programs? [Yes]
4. Does the organization have procedures for emergency program changes (or changes to
program files)? [Yes]
BACKUP AND RECOVERY CONTROLS
Backup and recovery controls are the provisions that provide reasonable assurance that an
organization will be able to recover from loss or destruction of data processing
facilities, hardware, software, or data. These continuity provisions include the retention
of copies of data files and software, arrangements for access to backup hardware on short
notice, and tested recovery plans.

1. Are critical files and programs regularly copied to tapes, cartridges or other
equivalent media to establish generations of files for audit trail purposes, and removed
to off-site storage to ensure availability in the event of a disaster? [Yes]
2. Is a periodic inventory taken to verify that the appropriate backup files are being
maintained? [Yes]
3. Are controls in place at the off-site storage location to ensure that it is fireproof
and secure? [Yes]

DISASTER RECOVERY PLAN
1. Does the organization have a documented disaster recovery plan for processing critical
jobs in the event of a major hardware or software failure? [no answer recorded]
   a. Has the disaster recovery plan been updated on a regular basis?
   b. Has the recovery plan been tested?
2. Is the disaster recovery plan maintained off-site and updated when changes occur? [Yes]
3. Does the backup and recovery plan include the following? [Yes]
   a. Personnel assigned to disaster teams, with operating procedures and emergency phone
numbers to reach them?
   b. Arrangements for a designated physical facility?
   c. A risk analysis identifying the critical applications, their exposures, and an
assessment of the impact on the entity?
   d. Arrangements with vendors to support the needed hardware and software requirements?
   e. Forms or other control documents to use in case of a disaster?

SYSTEM DEVELOPMENT AND ACQUISITION CONTROLS
Systems development is the process of creating new computerized applications in-house
(i.e., within the organization). The development life cycle consists of several phases.
Each phase has objectives, processes, products and reviews. The reviews provide a mechanism
for determining at each phase whether user needs are being met and whether cost, control,
and audit objectives are being achieved. Systems acquisition is the process of purchasing
and implementing an application that has been developed by a third-party software vendor.
The effective implementation of purchased applications also requires the entity to adopt a
formal methodology to control the process. This methodology closely resembles that of
in-house developed systems.

1. Interview IT management to determine whether any new financial applications were
either (1) developed in-house or acquired from a vendor, or (2) planned or investigated
during the current audit period. If no planning related to the development or acquisition
of new financial systems was performed during the audit period, do not complete this
control module. [No]
2. Did the organization's procedures for developing new applications include: [Yes]
   a. System requirements analysis?
   b. System specifications?
   c. Technical design?
   d. Technical procedure development?
   e. User procedure development?
   f. System and acceptance testing?
   g. Transition?
3. Were user personnel involved in new systems development (acquisition), particularly
during design, development, testing, and conversion? [Yes]
4. Were audit and security concerns considered during the initial analysis phase? (If the
organization has an internal audit staff, were internal auditors involved in new systems
development (acquisition)?) [No]
5. Did IT management adequately document: [Yes]
   a. Systems documentation?
   b. Program documentation?
   c. Operations documentation?
   d. User documentation?
COMPUTER OPERATIONS CONTROLS
1. Computer operations controls are designed to ensure that systems continue to function consistently, as planned. They include controls over the use of the correct data, programs, and other resources, and the proper performance of this function by operators, particularly when a problem occurs.
2. Does the organization maintain general operational documentation relating to the following procedures for which the operations staff are responsible? Answer: Yes
   a. System start-up procedures
   b. Backup assignments
   c. Emergency procedures
   d. System shutdown procedures
   e. Error message debugging instructions
   f. System and job status reporting instructions
3. Does the organization maintain application-specific operational instructions including: Answer: Yes
   a. Definitions of input sources, input data, and data formats?
   b. Descriptions of restart procedures and checkpoints?
   c. Descriptions of data storage requirements?
   d. Types of console message instructions?
   e. Copies of system flowcharts?
4. Are operating logs maintained, retained and reviewed on an ongoing basis? Answer: Yes
5. Are workloads properly managed by using manual or automated processing schedules to ensure that all jobs are processed and that deadlines and priorities are considered? Answer: No
DATABASE CONTROLS
1. A database is a collection of related data organized in a manner intended to be accessed by multiple users for varied purposes. Database controls are designed to ensure that activities related to the security, integrity, accountability and recoverability of the database are controlled.
2. Does the organization have a Database Administrator (DBA)? Is the DBA responsible for managing the entity's databases, including the following: Answer: Yes
   a. Design and implementation?
   b. Monitoring and availability?
   c. Integrity and security?
3. Are Database Management System (DBMS) security features used to protect data against unauthorized access or manipulation? Answer: Yes
4. Are DBMS utilities and commands restricted to those responsible for the maintenance of the DBMS (usually a designated DBA)? Answer: Yes
5. For change control procedures for the Data Dictionary and DBMS: Answer: Yes
   a. Is proper authorization obtained prior to modification?
   b. Are modifications tested?
   c. Are modifications reviewed and approved?
   d. Are changes documented?
6. Are the database and its data backed up on a regular basis, and are backups secured off-site? Answer: No
COMMUNICATION CONTROLS
1. Communication controls relate to the risk and control considerations for the transmission media, hardware and software that compose a communication system, as well as the management of a communication system. Complete this section only if the organization processes material financial activity using this technology.
2. Does the organization have written communication policies and procedures? Do the policies and procedures include: Answer: Yes
   a. A methodology to implement communication projects (hardware and software)?
   b. Construction and software change management controls?
   c. Security controls?
   d. Problem/incident reporting?
   e. Contingency planning?
3. Has the communication software been defined to the access control software, and is access restricted to authorized users only? Answer: Yes
4. Is communication equipment physically secured and adequately protected from environmental concerns? Answer: Yes
5. Are data transmissions logged to provide an audit trail and the ability to recover all activity that may have failed to be properly sent or received? Answer: Yes
6. Are data transmission errors reported to management for problem analysis and corrective action?
7. Is there a process of data communications change management (e.g., changes in configuration)? Answer: No
8. Do requests for changes in the communications configuration include: Answer: Yes
   a. Proper authorization prior to the change?
   b. Testing of changes?
   c. Review and approval of changes?
   d. Documentation of changes?
9. Are there recovery procedures for a failure of data communications equipment or software? Answer: Yes
10. Do the backup and recovery procedures include: Answer: No
   a. Backup copies of communications software?
   b. Alternate line/carrier facilities (public or private)?
   c. Multiple paths to critical sites on the network?
   d. Responsive reconfiguration procedures?
NETWORK CONTROLS
1. Network controls address the threats and risks to sensitive and critical data that are accessed and transmitted through networks. Network controls ensure proper security, performance and reliability of all network components. Complete this section only if the organization processes material financial activity using this technology.
2. Do the LAN administrator's responsibilities include support for: Answer: Yes
   a. User training?
   b. Policies and procedures?
   c. Security?
3. Is the physical security adequate for the: Answer: Yes
   a. File server?
   b. Cabling?
   c. Modems?
   d. Any external devices?
4. Do individual users have unique identification on the LAN (e.g., user sign-on, password)? Answer: Yes
5. Are there methods to prevent unauthorized access by other groups into individual files and department-shared files? Answer: Yes
6. Are there procedures for limiting access to LAN and network operating software? Answer: No
7. Are there procedures for obtaining and securing modem dial-up access to the network? Answer: Yes
   a. Confidential modem telephone numbers
   b. Change modem telephone numbers periodically
   c. Automatic "call back" system
   d. Modem disconnect policy
8. If the LAN file server logs network activity, is this information periodically reviewed by the LAN administrator? Answer: No
9. Does the organization adequately back up files and software? (Consider the backup location, its security, and whether the proper files are being retained.) Answer: Yes
10. Are there procedures to prevent and detect computer viruses, including: Answer: Yes
   a. Anti-virus or virus-detection software?
   b. Guidelines on using shareware, bulletin boards, personal diskettes/CDs/jump drives and other data media?
   c. Awareness training on computer viruses?
11. Are there procedures to ensure compliance with the provisions of software licenses? Answer: Yes
PERSONAL COMPUTER AND END-USER COMPUTING (EUC) CONTROLS
1. The term personal computer, or PC, refers to a small computer equipped with all the system, utility, and application software, and the input/output devices and other peripherals that are needed to perform one or more tasks. End-user computing (EUC) is any development, programming, or other activity where the end-users create or maintain their own systems or applications, usually on their own personal computers. These systems function outside the traditional information systems controls and, therefore, need close scrutiny. EUC controls at the organizational level would include strategic planning by management, policies and procedures regarding traditional general control activities, and technical support and training. At the organizational level the auditor would typically interview IT management. Complete this section only if the organization processes material financial activity using this technology.
PERSONAL COMPUTERS
1. Does the organization maintain written policies and procedures relating to: Answer: Yes
   a. PC security (including virus protection)?
   b. User-developed, commercial, or shareware software?
   c. Maintaining PC software?
   d. Backup and recovery?
2. Does the organization provide physical security over PCs by using such controls as: Answer: Yes
   a. Locked doors?
   b. Cables?
   c. Anchor pads?
   d. Alarms?
   e. Keyboard locks?
3. Does control over storage media include: Answer: No
   a. Using write-protection and read-only properties?
   b. Using secured storage?
4. Determine whether access control software is used. If not, what other controls prevent misuse of critical data and applications? If used, are the security features of the package being utilized for: Answer: Yes
   a. Passwords?
   b. Directory locking/restricting?
   c. Restricted access to operating system command prompts?
   d. Boot protection?
5. Is appropriate hardware backup available? Answer: Yes
6. Are duplicate copies of PC software and documentation maintained off-location? Answer: No
7. Are users receiving adequate technical support and training? Answer: No
8. Is the use of external modems restricted? Answer: Yes
9. Is the use of remote access software restricted? Answer: Yes
END-USER COMPUTING (EUC)
1. For critical PC applications, is there documentation describing data, programs, hardware, and system requirements? Answer: Yes
2. Is a disciplined approach taken in acquiring or developing new applications in an EUC environment? Do procedures include: Answer: Yes
   a. Cost/benefit analysis?
   b. Design?
   c. Testing?
   d. Controls?
3. Are there procedures for controlling end-user changes to applications? Are the following conditions met?
   a. Changes authorized by user management?
   b. Changes tested?
   c. Changes identified to show an audit trail?
   d. Documentation modified to reflect any changes?
4. If upload/download PC software is available, do procedures require the following? Answer: Yes
   a. Authorization and approvals?
   b. Virus detection/prevention?
INTERNET & ELECTRONIC COMMERCE CONTROLS
1. The Internet is an enormous system of world-wide linked computer networks that facilitates data communication services such as remote login, electronic mail, the World Wide Web and file transfer. Electronic commerce (e-commerce) on the Internet generally includes the electronic exchange of payments, invoices, orders and other documents. The security exposures of the Internet and the risks of electronic transactions require control techniques that ensure data is transmitted, translated, and passed to financial systems in a secure, accurate manner. Complete this section only if the organization processes material financial activity using this technology.
INTERNET
1. Does the organization maintain written policies or procedures related to the security controls over access to the Internet, use of Internet resources (e.g., electronic mail), etc.? Answer: Yes
   If the organization maintains a Web site, then continue with Step 2; otherwise continue with the Electronic Commerce section.
2. Does management provide guidance for the development and maintenance of a Web site? Answer: Yes
3. Does the organization utilize various levels of security to control activity on the Web site and to prohibit access to the host computer from the site (e.g., a firewall)? Answer: Yes
4. Are there policies and procedures requiring Web site review, approval and testing by an independent person? Answer: Yes
5. Are updates to the Web site independently reviewed, approved and tested? Answer: Yes
6. Are the contents of the Web site backed up to ensure an orderly recovery if the site is corrupted? Answer: No
ELECTRONIC COMMERCE
1. If the organization conducts financial transactions on the Internet, then continue with Step 2; otherwise skip this section. Answer: Yes
2. Does the organization have a methodology for developing an electronic commerce application to conduct Internet business? Answer: Yes
3. Does the organization utilize various levels of security to control access to sensitive information (e.g., encryption)? Answer: Yes
4. Is transaction approval adequately controlled, preferably using electronic signatures? Answer: Yes
5. Are there controls in place to ensure the accuracy, completeness, and timeliness of transactions? Answer: Yes
6. Are there guidelines established for the retention of data? Answer: Yes
7. Does the organization have alternative processing procedures to rely on in case of processing disruptions? Answer: Yes
8. Does the organization have trading partner agreements? If so, review them for the following provisions: Answer: Yes
   a. Error detection and correction
   b. Security breaches
   c. Processing disruptions
9. How would you classify your data centers? Answer: Yes
   a. Tier 1
   b. Tier 2
   c. Tier 3
   d. Tier 4
10. Approximately how often do you test your data center to verify that it meets the industry-established tier requirements? Answer: Yes
   a. Once a day
   b. Once a week
   c. Once a month
   d. Once a year
   e. Never
11. Do you have a current electrical/mechanical one-line diagram? Answer: Yes
12. Do you have a current floor plan? Answer: Yes
13. Do you currently measure the performance of your data center? If yes, please explain how. Answer: Yes
   Remarks: No, it is just an expense of our data center.
14. What limiting factors are preventing you from adding new equipment? Answer: No
   a. Floor space
   b. Heat load
   c. Electricity
   d. Budget
15. What is the information technology environment? Answer: No
16. Give a brief description of the equipment. Answer: Yes
17. Has a map of the installation been prepared? Otherwise, obtain one. Answer: Yes
18. What are the operating systems in use? Answer: Yes
19. What are the communications systems in use? Answer: Yes
20. What are the various applications which have been computerized? Answer: No
ORGANIZATION CONTROLS
1. Prepare or obtain an organizational chart of the information technology department. Answer: Yes
2. Determine the job titles, job descriptions and names of the persons in the IT department. Answer: Yes
3. Are the duties of computer operators periodically rotated? Answer: Yes
4. Are there well-documented operating procedures? Answer: Yes
5. Are the operating functions being properly supervised according to programmed operating procedures? Answer: Yes
6. Is there clear segregation of duties within the IT department? Answer: No
7. Is there separation of duties between the IT department and user departments? Answer: Yes
8. What are the procedures regarding access to data within the computer system? Answer: Yes
9. Password management: Answer: Yes
   a. Access to the corporate database;
   b. Access to application programs.
OPERATIONAL CONTROLS
1. Whether the following reports are taken and scrutinized by the appropriate officials? Answer: Yes
   i) Exceptional Transactions Report.
   ii) Rejected Transactions Report.
   iii) Access Log.
   iv) Audit Trail, if any (non-financial transactions).
   v) GL affected balances.
   vi) Active Users.
2. Whether the interest charged in the accounts is being checked/verified by the authorized official? Answer: Yes
3. Whether the interest rate revision is incorporated and authorized in the system in a timely manner? In case of delay, whether the differential interest for the intervening period is being appropriated? Answer: Yes
4. Whether morning checking is being done as per the Bank's guidelines? Answer: Yes
5. Whether the non-financial transactions, e.g. limit enhancement, limit reduction, DP maintenance, etc., are properly incorporated and authorized by the authorized officials of the organization? Answer: No
6. Review the controls over the procedures adopted for data upload through external media, e.g. salary credit through floppy, etc. Are such floppies checked for viruses before being used for processing? What are the controls for checking that the data is not entered more than once? Are compensatory controls in place in the form of checking of transactions by authorized officials? Answer: Yes
7. Whether the original Operating System, RDBMS and other software packages are kept in a fireproof cabinet? Answer: No
8. Give package-wise details of bugs/deficiencies reported along with the steps taken for their removal. Whether these are recorded in the Software Problem Register? Whether compensatory controls are put in place to ensure correct and valid output? Answer: Yes
   (Attach a separate sheet, if required.)
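The checklist above is a set of control modules, each with an applicability gate ("complete this section only if ..."), numbered questions, optional sub-items and a recorded Yes/No answer. As an added example (not part of the report), the Python below models that structure and turns the "No" answers into a findings list for follow-up; the modules and question wording are a constructed subset, the answers are the ones recorded in the report where shown, and the gate value is assumed.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Question:
    number: int
    text: str
    answer: Optional[str]                 # "Yes", "No", or None if not recorded
    sub_items: list = field(default_factory=list)

@dataclass
class Module:
    name: str
    questions: list
    # Applicability gate for "complete this section only if ..." modules;
    # returns False when the module does not apply to the organization.
    applies: Callable[[dict], bool] = lambda env: True

def evaluate(modules, env):
    """Walk the checklist: skip modules whose gate fails, flag every
    control answered "No" as a finding, and list unanswered controls."""
    findings, unanswered, skipped = [], [], []
    for m in modules:
        if not m.applies(env):
            skipped.append(m.name)
            continue
        for q in m.questions:
            ref = f"{m.name} #{q.number}"
            if q.answer is None:
                unanswered.append(ref)
            elif q.answer.strip().lower() == "no":   # tolerate "yes"/"No" casing
                findings.append((ref, q.text))
    return {"findings": findings, "unanswered": unanswered, "skipped": skipped}

# Constructed subset of the report's modules with the answers it records.
MODULES = [
    Module("Database controls", [
        Question(3, "DBMS security features used against unauthorized access?", "Yes"),
        Question(6, "Database backed up regularly and backups secured off-site?", "No"),
    ]),
    Module("Network controls", [
        Question(6, "Procedures for limiting access to LAN/network OS?", "No"),
        Question(8, "File server network activity logs reviewed periodically?", "No"),
        Question(10, "Procedures to prevent and detect viruses?", "yes",
                 ["Anti-virus software", "Removable media guidelines", "Awareness training"]),
    ]),
    Module("Communication controls", [
        Question(6, "Transmission errors reported to management?", None),   # no answer recorded
        Question(7, "Data communications change management process?", "No"),
    ], applies=lambda env: env.get("material_financial_activity", False)),  # assumed gate
]

if __name__ == "__main__":
    print(evaluate(MODULES, {"material_financial_activity": True}))
```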

CONCLUSION
Project report on "IS/ERP AUDITING SYSTEM and its Performance in COLGATE PALMOLIVE COMPANY" is the topic of our study. It is a brief study to understand the IS Audit functions of the organization. From the report it can be well identified that the organization has adopted a well-established and distinguished IS Audit function. The IS department works independently and reports to the Audit Committee on a regular basis. We have felt that the company has come forward to apply new skills and techniques in order to improve the functions of IS Audit. The project work was very beneficial for us, and the guidance and support received from all during the course of our project was very encouraging.
