DISA 2.0 Course
CERTIFICATE
Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted at:
BHOPAL from 18-05-2019 to 16-06-2019 and we have the required attendance. We are
submitting the Project titled IS AUDIT OF ERP SOFTWARE
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us have
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.
TEAM NO 12
1. ROHIT KUMAR PATEL DISA No 59498 Signed
2. ANKIT DIXIT DISA No 59477 Signed
3. PAWAN KUMAR SINGH DISA No 59632 Signed
Place: BHOPAL
Date: 25/06/2019
Table of Contents
(B) Auditors
We are RAN & Co. LLP (“Firm”), a professional firm established in 2000, providing services such as
Information System Audit (“IS Audit”), Statutory Audit, Internal Audit, Tax Audit, GST Audit,
consultancy on company law matters, consultancy for project finance and other related
services.
Our Firm has 15 qualified chartered accountants and 8 semi-qualified chartered
accountants. Out of the 15 CAs, 5 are CISA/DISA qualified.
We have an experienced IT/IS Audit team of 5-8 people, depending upon the
requirements of the audit assignment. Our firm has been providing IS Audit services for the last 10 years.
2) Auditee Environment
Organizational Structure
ABM operates three major business verticals for associated equipment manufacturing:
Mining & Construction
Defence
Rail & Metro
In addition to the above, there are three Strategic Business Units (SBUs):
Technology Division, providing end-to-end engineering solutions
Trading Division, dealing in non-company products
International Business Division, handling export activities.
ABM has eight manufacturing units spread over four locations.
Technology Deployed
ABM has deployed SAP-R3 ECC 6.00 Version (SAP ERP Central Component)
SAP R/3: Three-Tier Architecture
Presentation Servers
Application Servers
Application servers include specialized systems with multiple CPUs and a vast amount of RAM.
Database Servers
Database servers contain specialized systems with fast and large hard-drives.
[Figure: SAP R/3 three-tier architecture (presentation, application and database servers)]
SAP-R3 ECC 6.00 Version is deployed across all of ABM’s financial, payroll and human
capital functions. The modules implemented are:
Production Planning (PP)
Material Management (MM)
Financial Accounting and Controlling (FICO)
Quality Management (QM)
Plant Maintenance (PM)
Human Resources (HR), including Payroll.
[Figure: SAP module diagram showing PP, MM, FI, CO, QM, PM and HR arranged around the SAP core]
Regulatory Requirements
ABM is required to comply with the following rules and regulations as prevailing in India:
Information Technology Act, 2008
Indian Contract Act, 1932
Companies Act, 2013
Direct and Indirect Taxation laws.
A few specific requirements are:
1) Taxation: GST, TDS, TCS, Excise Duty, Service Tax, VAT, PF, ESI etc.
2) Control related: As required under Sec 134(5) of the Companies Act, 2013 (“Act”), the
Directors’ Responsibility Statement shall include a declaration by the directors that internal
financial controls to be followed by the company have been laid down and that such internal financial controls are
adequate and were operating effectively.
3) Accounting Standard related: Accounting standards prescribe the accounting treatment
of transactions. It is important that the business applications used are in compliance with
the applicable accounting standards.
4) Compulsory Internal Audit: Section 138 requires prescribed classes of companies to appoint an Internal Auditor. This
provision makes it more important for the company to implement proper controls in the
business application used.
The company must ensure compliance with laws and the terms of contracts.
Component of Security Policy
Security Definition – All security policies should include a well-defined security vision for the
organization. The security vision should be clear and concise and convey to the readers the intent of
the policy.
Enforcement – This section should clearly identify how the policy will be enforced and how security
breaches and/or misconduct will be handled. The Chief Information Officer (CIO) and the
Information Systems Security Officer (ISSO) have the primary responsibility for implementing the
policy and ensuring compliance.
User Access to Computer Resources - This section should identify the roles and responsibilities of
users accessing resources on the organization’s network. This should include information such as:
Procedures for obtaining network access and resource-level permissions;
Policies prohibiting personal use of organizational computer systems;
Passwords;
Procedures for using removable media devices;
Procedures for identifying applicable e-mail standards of conduct;
Specifications for both acceptable and prohibited Internet usage;
Guidelines for applications;
Restrictions on installing applications and hardware;
Procedures for remote access;
Guidelines for use of personal machines to access resources (remote access);
Procedures for account termination;
Procedures for routine auditing;
Procedures for threat notification;
Security awareness training.
Security Profiles - A security policy should include information that identifies how security
profiles will be applied uniformly across common devices (e.g., servers, workstations,
routers, switches, firewalls, proxy servers, etc.).
The policy should clearly state the requirements imposed on users for passwords. A password
should not be any of the following:
The same as the username
The word “password”
Any personal information that an attacker may be able to obtain (e.g., street address,
social security number, names of children, parents, cars, boats, etc.)
A dictionary word
A telephone number
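The password rules listed above can be turned into an automated check that a help desk or user-provisioning script runs before accepting a new password. The code below is an added example written for this page, not part of the original report or of any SAP tooling; the wordlist is a constructed sample standing in for a full dictionary, and the handling of common character substitutions (so that P@ssw0rd is still recognised as the word "password") goes slightly beyond the literal list above.

```python
import re

# Constructed sample wordlist for this example; a real check would load a full
# dictionary (for instance a system wordlist) instead of this handful of words.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "monsoon", "bhopal", "admin"}

# Common "leet" substitutions, so that P@ssw0rd normalises to "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "7": "t"})


def squash(text: str) -> str:
    """Lower-case the text and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def deleet(text: str) -> str:
    """Undo common character substitutions, then squash (used for word checks)."""
    return squash(text.translate(_LEET))


def check_password(password: str, username: str, personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the password violates (empty list = acceptable).

    personal_info is an iterable of strings the organisation already holds about
    the user (names, street, phone number, ...) that must not appear in the password.
    """
    violations = []
    word = deleet(password)      # for comparisons against words and names
    raw = squash(password)       # for the telephone-number check (digits kept as-is)

    if not word:
        return ["empty password"]

    # Rule: not the same as the username
    if word == deleet(username):
        violations.append("same as the username")

    # Rule: not the word "password" (any capitalisation or substitution)
    if word == "password":
        violations.append("is the word 'password'")
    # Rule: not a dictionary word
    elif word in dictionary:
        violations.append("dictionary word")

    # Rule: not a telephone number (7 to 15 digits once separators are removed)
    if raw.isdigit() and 7 <= len(raw) <= 15:
        violations.append("looks like a telephone number")

    # Rule: must not contain personal information known about the user
    for item in personal_info:
        key = deleet(item)
        if len(key) >= 3 and key in word:
            violations.append(f"contains personal information: {item!r}")

    return violations


if __name__ == "__main__":
    # Constructed sample inputs, not real user data.
    user, info = "rpatel", ["Rohit", "Bhopal", "+91 98765 43210"]
    for candidate in ["P@ssw0rd", "rpatel", "+91 98765 43210", "Bhopal2019", "Tr0ub4dor&3"]:
        result = check_password(candidate, user, info)
        print(f"{candidate!r}: {'OK' if not result else ', '.join(result)}")
```

The check reports every rule violated rather than stopping at the first one, which makes the output usable both for a user-facing rejection message and for an audit log of why a credential was refused.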
E-mail – An email usage policy is a must. Several viruses, Trojans, and malware use email as
the vehicle to propagate themselves throughout the Internet.
Internet – The World Wide Web is one of the greatest inventions, but the worst nightmare from a
security standpoint: the Internet is the pathway through which most vulnerabilities are exploited.
Therefore, the Internet usage policy should restrict access to sites that pose a risk to the organization and should
clearly identify what, if any, personal use is authorized.
Anti-Virus - Anti-virus software is a ‘must’ in the detection and mitigation of viruses. The
policy should identify the frequency of updating the virus definition files. The policy should
also identify how removable media, attachments to email, and other files should be scanned
before opening.
Auditing - All security programs should be audited on a routine and random basis to assess
their effectiveness.
3) Background
ABM Group has been using Information Technology as a key enabler for supporting its
business process owners and enhancing services to its customers. ABM has successfully
implemented SAP ERP and went live within a quick time span of 12 months. ABM proposes to
have a comprehensive audit of the Information Systems (ERP Audit) in the Company. The
Information Systems Audit covers both the audit of the ERP System and a review of its
implementation, and the IS Audit is expected to be carried out in compliance with the IS Auditing Standards,
Guidelines and Procedures.
[Figure: Organization chart of ABM. Strategic Business Units: Technology Division, Trading Division, International Business Division. Manufacturing Business: Equipment Manufacturing, split into Mining & Construction, Rail & Metro and Defence.]
[Table: Department / Location / Unit. The Production department operates eight manufacturing units (Unit 1 to Unit 8) spread across Location 1 to Location 4.]
Problem:
ABM has successfully implemented SAP ERP and went live within a quick time span of 12
months. ABM consolidated its operations across multiple locations spread across India,
with all units going live simultaneously. Implementation in such a short span, with all units
going live at the same time, may have the following problems:
Integrating all the existing data and applications into the new SAP-ERP may lead to loss
of data.
It requires the selection and placement of technical staff to handle operations.
Control Weakness:
As data and services will now be provided through the SAP-ERP System, there are many
control factors that need to be addressed:
Authorized access,
Data storage,
Segregation of duties,
Migration of data,
Maintenance of the central server,
AMC contracts, etc.