
Project Report of DISA 2.0 Course

CERTIFICATE
Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

BHOPAL from 18-05-2019 to 16-06-2019 and we have the required attendance. We are
submitting the Project titled IS AUDIT OF ERP SOFTWARE

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

TEAM NO 12
1. ROHIT KUMAR PATEL DISA No 59498 Signed
2. ANKIT DIXIT DISA No 59477 Signed
3. PAWAN KUMAR SINGH DISA No 59632 Signed

Place: BHOPAL

Date: 25/06/2019
Table of Contents

(A) Details of Case Study/Project (Problem)


ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple
manufacturing divisions and regional offices spread all over India.
In pursuit of its mission of improving competitiveness through organisational
transformation and collaboration / strategic alliances / joint ventures in technology, ABM has
implemented ERP across the company with effect from October 2010. ABM successfully
implemented SAP R/3 ECC 6.00 and went live in a quick time span of 12 months.
In a first-of-its-kind project in the country, ABM consolidated its operations across multiple
locations spread across India, with all units going live simultaneously.
SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple
units across different locations, involving extensive procedures and large volumes of data.
ABM now proposes to have a comprehensive audit of its Information Systems (ERP Audit)
with the following objectives:
• To identify areas for improvement of controls by benchmarking against global best
practices.
• Mitigation of risk by implementing controls to ensure that the SAP implementation is secure
and safe, and to provide assurance to the senior management of ABM.

(B) Project Report (solution)


1) Introduction
(A) ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple
manufacturing divisions and regional offices spread all over India. ABM operates on
three major business verticals for associated equipment manufacturing:
• Mining & Construction
• Defence
• Rail & Metro
In addition to the above there are three Strategic Business Units (SBUs):
• Technology Division for providing end-to-end engineering solutions
• Trading Division for dealing in non-company products
• International Business Division for export activities.
In pursuit of its mission of improving competitiveness through organisational
transformation and collaboration / strategic alliances / joint ventures in technology, ABM has
implemented ERP across the company with effect from October 2010. ABM successfully
implemented SAP R/3 ECC 6.00 and went live in a quick time span of 12 months.
SAP R/3 ECC 6.00 is deployed across all of ABM’s financial, payroll and human
capital functions. The modules implemented are PP, MM, FICO, Quality, PM and HR including
Payroll. ABM has more than 500 SAP users across the company. By implementing SAP
solutions ABM has achieved superior operational excellence and business agility.

(B) Auditors
We are RAN & Co. LLP (“Firm”), a professional firm established in 2000, providing services such as
Information System Audit (“IS Audit”), Statutory Audit, Internal Audit, Tax Audit, GST Audit,
consultancy related to company matters, consultancy for project finance and other related
services.
In our Firm we have 15 qualified chartered accountants and 8 semi-qualified chartered
accountants. Out of the 15 CAs, 5 are CISA/DISA qualified.

We have an experienced IT / IS Audit team comprising 5-8 people depending upon the
requirements of the audit assignment. Our firm has been providing IS Audit services for 10 years.

2) Auditee Environment
Organizational Structure

ABM operates on three major business verticals for associated equipment manufacturing:
• Mining & Construction
• Defence
• Rail & Metro
In addition to the above there are three Strategic Business Units (SBUs):
• Technology Division for providing end-to-end engineering solutions
• Trading Division for dealing in non-company products
• International Business Division for export activities.
ABM has eight manufacturing units spread over four locations.
Technology Deployed
ABM has deployed SAP R/3 ECC 6.00 (SAP ERP Central Component).
SAP R/3: Three-Tier Architecture

SAP based the architecture of R/3 on a three-tier client/server structure:

1. Presentation Layer (GUI)
2. Application Layer
3. Database Layer

Presentation Servers

Presentation servers contain systems capable of providing a graphical interface.

Application Servers

Application servers include specialized systems with multiple CPUs and a vast amount of RAM.

Database Servers

Database servers contain specialized systems with fast and large hard drives.

[Figure: SAP R/3 Three-Tier Architecture]

SAP R/3 ECC 6.00 is deployed across all of ABM’s financial, payroll and human
capital functions. The modules implemented are:
• Production Planning (PP)
• Materials Management (MM)
• Financial Accounting and Controlling (FICO)
• Quality Management (QM)
• Plant Maintenance (PM)
• Human Resources (HR) including Payroll

[Figure: SAP module diagram showing PP, MM, FI, CO, QM, PM and HR around the SAP core]

Regulatory Requirements
ABM is required to comply with the following rules and regulations:
• Information Technology Act, 2008 as prevailing in India.
• Indian Contract Act, 1932
• Companies Act, 2013
• Direct and Indirect Taxation laws.
A few specific requirements are:
1) Taxation: GST, TDS, TCS, Excise Duty, Service Tax, VAT, PF, ESI etc.
2) Control related: As enumerated under Sec 134(5) of the Companies Act, 2013 (“Act”), the
Directors' Responsibility Statement shall include a declaration from the Directors that internal
financial controls to be followed by the company have been laid down and that such internal financial
controls are adequate and were operating effectively.
3) Accounting Standard related: Accounting standards prescribe the accounting treatment
of transactions. It is important that the business applications used are in compliance with
the applicable accounting standards.
4) Compulsory Internal Audit: Prescribed companies are required to have an Internal Auditor
(Section 138). This provision makes it more important for the company to implement proper
controls in the business application used.

Organisation’s Information Security Policy

An Information Security Policy (ISP) is a set of rules enacted by an organisation to ensure that all users
and networks of the IT infrastructure within the organisation’s domain abide by the prescriptions regarding
the security of data stored digitally within the boundaries over which the organisation has authority.
The organisation’s Information Security Policy sets out requirements and recommendations
relating to how:

• Confidential information must be protected from unauthorised access.
• The integrity of information and information systems must be protected.
• Appropriate measures must be taken to manage risks to the availability of information.

The company must ensure compliance with laws and the terms of contracts.
Components of a Security Policy
Security Definition – All security policies should include a well-defined security vision for the
organisation. The security vision should be clear and concise and convey to the readers the intent of
the policy.
Enforcement – This section should clearly identify how the policy will be enforced and how security
breaches and/or misconduct will be handled. The Chief Information Officer (CIO) and the
Information Systems Security Officer (ISSO) have the primary responsibility for implementing the
policy and ensuring compliance.
User Access to Computer Resources – This section should identify the roles and responsibilities of
users accessing resources on the organisation’s network. This should include information such as:
• Procedures for obtaining network access and resource-level permission;
• Policies prohibiting personal use of organisational computer systems;
• Passwords;
• Procedures for using removable media devices;
• Procedures for identifying applicable e-mail standards of conduct;
• Specifications for both acceptable and prohibited Internet usage;
• Guidelines for applications;
• Restrictions on installing applications and hardware;
• Procedures for remote access;
• Guidelines for use of personal machines to access resources (remote access);
• Procedures for account termination;
• Procedures for routine auditing;
• Procedures for threat notification;
• Security awareness training.
Security Profiles – A security policy should include information that identifies how security
profiles will be applied uniformly across common devices (e.g., servers, workstations,
routers, switches, firewalls, proxy servers, etc.).

Passwords – Passwords are a critical element in protecting the infrastructure.

The policy should clearly state the requirements imposed on users for passwords. Passwords
should not be any of the following:
• Same as the username
• The word “Password”
• Any personal information that a hacker may be able to obtain (e.g., street address,
social security number, names of children, parents, cars, boats, etc.)
• A dictionary word
• Telephone number
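The five "should not be" rules above can be turned into a simple screening check that an IS auditor can run over a sample of proposed passwords. This is an added example, not code from the report or from ABM's SAP system; the small dictionary and the personal-details list are constructed sample data, and a real check would use a full word list.

```python
import re

# Constructed sample dictionary (not from the report); a real check would load a full word list.
DICTIONARY = {"password", "welcome", "summer", "bhopal", "monkey", "letmein"}


def password_policy_violations(password, username, personal_info=(), dictionary=DICTIONARY):
    """Return the list of policy rules the password breaks (empty list = acceptable).

    The rules are the ones listed in the report's password section:
    not the username, not the word 'Password', no personal information,
    not a dictionary word, not a telephone number.
    """
    violations = []
    pw = password.lower()

    # Rule 1: same as the username (case-insensitive)
    if pw == username.lower():
        violations.append("same as username")

    # Rule 2: the literal word 'Password'
    if pw == "password":
        violations.append("the word 'password'")

    # Rule 3: personal information an attacker could obtain (names, address, etc.)
    for item in personal_info:
        token = str(item).lower()
        if token and token in pw:
            violations.append(f"contains personal information ({item})")

    # Rule 4: a plain dictionary word
    if pw in dictionary:
        violations.append("dictionary word")

    # Rule 5: looks like a telephone number: only digits, spaces, dashes, '+' and
    # parentheses, with at least seven digits overall
    digits = re.sub(r"\D", "", password)
    if len(digits) >= 7 and re.fullmatch(r"[\d\s()+-]+", password):
        violations.append("telephone number")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration
    for candidate in ["rohit", "Password", "+91 755-246810", "MyBhopal2019", "Tr0ub4dor&3xyz"]:
        print(candidate, "->", password_policy_violations(candidate, "Rohit", ["Bhopal", "Patel"]))
```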

E-mail – An e-mail usage policy is a must. Several viruses, Trojans and other malware use e-mail as
the vehicle to propagate themselves throughout the Internet.

Internet – The World Wide Web was the greatest invention, but the worst nightmare from a
security standpoint. The Internet is the pathway through which vulnerabilities are manifested.
Therefore, the Internet usage policy should restrict access to sites that present such risks and should
clearly identify what, if any, personal use is authorised.

Anti-Virus – Anti-virus software is a ‘must’ in the detection and mitigation of viruses. The
policy should identify the frequency of updating the virus definition files. The policy should
also identify how removable media, attachments to e-mail, and other files should be scanned
before opening.

Back-up and Recovery – A comprehensive back-up and recovery plan is critical to
mitigating incidents.

Auditing – All security programs should be audited on a routine and random basis to assess
their effectiveness.

The policy also contains the following in detail:

Information Security Policy

• The purpose, scope, and structure of the security policy documentation in detail.
• Information committee responsibility for the information security policy.
• The Information Security Policy applies to all staff personnel.
• Heads of Department are responsible for applying the organisation's Information
Security Policy to their departmental information systems.
Compliance Policy
• It is the responsibility of each individual to ensure that they do not break the law.
• Staff must not cause a breach of the terms of contracts between the company and
other organisations.
• Information is provided to help staff avoid breaking Indian and global information
laws through lack of awareness.

Outsourcing and Third Party Access

• Outsourced IT arrangements which are not the subject of a formal contract should
not normally be used or depended upon for working with confidential information or
for processing the personal data of third parties.
• Any access to information systems provided to external organisations must be
correctly risk managed and, where appropriate, covered by a formal agreement.
• A risk assessment should be made and appropriate controls used (such as
supervision) where external parties (such as contractors) are given physical access to
areas where confidential information is stored or processed.

Software Management Policy

• Software is to be patched as soon as possible to remove security vulnerabilities.
• Use of software which tests or attempts to break the organisation's system or network
security is prohibited unless the Director of IT Services has been notified and has given
authorisation.
• Software found on the organisation's systems which incorporates malware of any type is
liable to automated or manual removal or deactivation.
• Software that is not licence compliant must be brought into compliance promptly or
uninstalled.

3) Background
ABM Group has been using Information Technology as a key enabler for facilitating
business process owners and enhancing services to its customers. ABM has successfully
implemented SAP ERP and went live in a quick time span of 12 months. ABM proposes to
have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While
the Information Systems Audit to be done covers both the audit of the ERP System and a review of its
implementation, the IS Audit is expected to be in compliance with the IS Auditing Standards,
Guidelines and Procedures.

Reasons / Objectives of Assignment

• To identify areas for improvement of controls by benchmarking against global best
practices.
• Mitigation of any specific risk identified by implementing controls.
• To develop an IS Audit checklist for future use.
4) Situation
ABM's business model is:

[Figure: ABM business model. Strategic Business Units: Technology Division, Trading Division,
International Business Division. Equipment Manufacturing: Mining & Construction, Defence,
Rail & Metro.]

[Table: Production Department, Units 1 to 8 spread across Locations 1 to 4.]

Problem:
ABM has successfully implemented SAP ERP and went live in a quick time span of 12
months. ABM consolidated its operations across multiple locations spread across India,
with all units going live simultaneously. Implementation in a quick span, with all units
going live simultaneously, may have the following problems:
• Integrating all the existing data and applications into the new SAP ERP may lead to loss
of data.
• It requires selection and placement of technical staff to handle operations.

Control Weakness:
As the data and services will now be provided by the SAP ERP system, there are many
control factors that need to be addressed:
• Authorised access,
• Data storage,
• Segregation of duties,
• Migrating data,
• Maintenance of the central server,
• AMC contracts, etc.
