This is to certify that we have successfully completed the DISA course2.0 training
conducted at Raipur, CG from 10.08.2019 to 15.09.2019 and we also have the required
attendance. We are submitting the Project titled: “Information Systems Audit of ERP
Software”
We also certify that this project report is the original work of our group and each one of
us has actively and positively participated and contributed in preparing this project. We
also confirm that we have followed the guidelines issued by the ICAI for the project. We
have not shared the project details or taken help in preparing the project report from
anyone except members of our group.
We hereby confirm that we have followed the guidelines issued by CIT, ICAI for the
project.
PLACE: RAIPUR
DATE: 15.09.2019
Contents
1. INTRODUCTION
3. LOGISTICS ARRANGEMENTS
5. DOCUMENTS REVIEWED
6. REFERENCE
7. POLICY ISSUES
9. CONCLUSION
ABOUT US
We, M/s TPS & CO. LLP, Chartered Accountants, were established in the year 2012. Our firm
consists of 3 partners with expertise mainly in the fields of Management Services and
Information Systems Audit. We strive to make our clients adopt the best industry IT
practices. Our experience in Information Systems Audit and IS implementation extends to
more than 07 years. We provide our services to top MNCs and help them
establish the best secure IT systems in their organizations. We have deployed our core team
of 3 Chartered Accountants (all DISA qualified) on our current assignment, owing to the
sensitivity of the assignment, along with three other team members who have expert
knowledge in the field of IT. Below are the details of our team:
Applications: Financial Applications, Sales Applications, Logistics management system, ERP System, Stores management system
Platform: Open System Platform (UNIX Servers), Gateway Services
Workstation OS: Windows 7
Main Data Centre: Bangalore
Backup Data Centre: Delhi
Data Backup Type: Mirror backup data
Organisation chart (figure): Board of Directors, CEO/Managing Director, CFO, HR Department, Recruitment Team, Training Group, Market Analysis
B. Operational Policies
i. Standard Operating Procedures
ii. Market Supplement Policy
iii. Making & Reviewing Policies
C. IT Policies
i. Information Security Policy
ii. Data Protection Policy
iii. Computer Use Policy
iv. Social Networking Policy
v. Auditing Policy
vi. Software Tracking Policy
vii. Software development policy
A) Hardware Servers
i. MS SQL server
ii. Email Server
iii. Application Server
iv. Web Server
v. File Server
vi. Other hardware
Client/ Nodal Computers
Printers, Scanners and Faxes
Routers and Modems
UPS
Hubs and Switches
Wireless Cards
Storage devices like Hard drives, Pen Drives, CD ROMs
LCD Projection Devices
Security Hardware
B) Software
i. System Software
Windows Server based Operating System
ii. Application Software
ERP integrating following functions
Purchase
Sales and Distribution
Accounts and Financial
Payroll
Customer Relation Management
C. Security Software
i. Firewalls
ii. Anti-Virus
Summary table of the IT environment:
Servers: 1. MS SQL Server 2. Application Server 3. Web Server 4. File Server 5. E-mail Server
Software: 1. Application Software 2. System Software
Security software: 1. Firewalls 2. Anti-Virus
The assignment was carried out as a pre-planned assignment. We used the
internationally accepted standards for IS Audit: COSO 2013, COBIT 5 and ISO 31000, a
family of standards relating to risk management codified by the International
Organization for Standardization.
IT audit process (figure); labels recoverable from the diagram: 3. Analysis of Risk Assessment; 4. Develop IT Audit Plan; 5. Perform IT Audit Plan.
Objectives
1. Policy, Procedures & SOPs – Formal policies and procedures addressing areas such
as process controls, user access, password administration, policy enforcement, and
monitoring practices have been developed, documented and formally communicated to
system users. Standard operating manuals are updated in line with the business process
re-engineering carried out during ERP implementation. Accordingly, the company will
not be exposed to mistakes from either internal or external sources.
2. System Access controls and segregation of duties – Access to the financial systems
(including general ledger, accounts payable, accounts receivable, and fixed assets) and
financial reporting systems has been restricted to appropriate users (e.g., the finance
division); however, access to individual functions within these systems has not been
restricted based upon the specific business needs of the individual users. Even though
management has appropriately established who should perform certain functions,
preventive access controls in the systems do not restrict who can actually perform those
functions. As a result, system users may be able to perform inappropriate or
incompatible functions. Management must establish user access roles in the systems
and restrict access based upon defined business needs.
4. Application Security - Controls over access to the ERP application and operating
system are not documented. We recommend user access be compared to job functions
and access rights reconciled. In addition, policies and procedures should be created to
govern the authorization and maintenance of user accounts.
6. Backup and Recovery - ERP backup tapes are stored in the data center instead of
being stored offsite, and restoration testing is not being performed on a regular basis.
Additionally, formal IT policies regarding system maintenance, restoration, storage and
backup testing have not been adopted or documented. We recommend that the IT department
create and document IT policies addressing these topics, move backup tapes offsite,
and perform and document restoration testing.
7. Performance, Planning and Testing – Patches are deployed to the live environment
before adequate planning and testing, resulting in bugs and consequent operational
failure. The company suffered delays in deliveries of products and services to
customers because the patch applied to the delivery module had bugs which had not been
corrected. We recommend that user sign-off be obtained for every module before a
patch is applied to it.
8. Training - Operations people within the company are accustomed to dealing with
phone calls, faxes, spreadsheets or hunches scrawled on paper, and are resistant to
using the ERP software. Management must convince front-line operations people
that using the software will be worth their time so that they do not find ways to work
around it. We also recommend that a training calendar be maintained on a regular
basis.
9. Physical security - The data center housing the ERP server lacks a climate control
system to regulate temperature, humidity and air quality. We recommend equipment
which monitors and regulates the climate of the data center be installed. In addition,
10. Password controls - End users are not forced to change their passwords on a
periodic basis. The functionality for prompting password change must be enabled to
force users to change passwords on a timely basis rather than keeping one password indefinitely.
11. Business Continuity Plan and Disaster Recovery Plan - Disaster recovery (DR) and
business continuity refer to an organization’s ability to recover from a disaster and/or
unexpected event and resume operations. Management must consider factors such
as alternate site designation, training of personnel, and insurance issues while
formulating plans for disaster recovery and business continuity.
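The access-control finding (item 2 above) recommends restricting ERP functions to defined business needs and preventing incompatible combinations. The following is an added illustration, not code from the report or the audited company, of how an auditor can test an exported user-to-function matrix for segregation-of-duties conflicts and for grants that exceed a user's role; the function names, role definitions and user grants are constructed for the example.

```python
# Added example: segregation-of-duties and least-privilege checks over an ERP
# access export. All function names, roles and grants below are constructed.
from itertools import combinations

# Constructed: pairs of ERP functions that one person should never hold together.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"maintain_fixed_assets", "post_fixed_asset_disposal"}),
}

# Constructed: the functions each business role needs (the "defined business need").
ROLE_FUNCTIONS = {
    "ap_clerk": {"enter_invoice", "view_ledger"},
    "ap_manager": {"approve_payment", "view_ledger"},
    "gl_accountant": {"post_journal", "view_ledger"},
    "controller": {"approve_journal", "view_ledger", "view_fixed_assets"},
}

def sod_conflicts(grants):
    """Return (user, func_a, func_b) for every user holding a conflicting pair."""
    found = []
    for user, funcs in grants.items():
        for a, b in combinations(sorted(funcs), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                found.append((user, a, b))
    return found

def excess_grants(grants, user_roles):
    """Return {user: functions} granted beyond what the user's assigned roles need."""
    excess = {}
    for user, funcs in grants.items():
        # A user with no assigned role has no defined need, so every grant is excess.
        needed = set().union(*(ROLE_FUNCTIONS[r] for r in user_roles.get(user, ())))
        extra = funcs - needed
        if extra:
            excess[user] = extra
    return excess

# Constructed sample export for two finance-division users.
USER_ROLES = {"asha": ["ap_clerk"], "ravi": ["gl_accountant"]}
GRANTS = {
    "asha": {"enter_invoice", "approve_payment", "view_ledger"},  # can pay what she enters
    "ravi": {"post_journal", "view_ledger", "create_vendor"},     # vendor master not needed
}

if __name__ == "__main__":
    for user, a, b in sod_conflicts(GRANTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    for user, extra in excess_grants(GRANTS, USER_ROLES).items():
        print(f"Excess access: {user} has {sorted(extra)} beyond role need")
```

Running the two checks together separates the two recommendations in the finding: the conflict list feeds the segregation-of-duties review, while the excess list is the reconciliation of access rights to job functions.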
The VPN connectivity has its own problems, and the SLA signed with the service
provider covers only certain basic clauses; the clauses that should be present are currently missing.
Non-compliance with the IT Act, 2000 can bring financial liabilities to the company and
may even land the CEO or a Director in jail [refer S. 85 of the IT Act, 2000]. It is also
necessary for the organization to understand that if any of its employees contravenes
the provisions of the Act, including committing personal offences such as
searching for child pornography using the corporate network, there could be
vicarious liability for the organization and its Directors and Executives.
7. POLICY ISSUES
Observation: Password policy is not set. Currently all password policy parameters are
set to default. The current password parameters are:
Cause: This is due to the lack of documented Information Security policy for
MaxInfoTech.
Observation: User-ids and profiles are created as and when required. There was no
evidence of any formal and documented procedure/Communication for creation of
user-ids/profiles.
Exposure: A large number of user IDs will consume a lot of space on the server. Also, an
unauthorized user may get into the system and harm the system and the organization as a
whole.
Cause: This is due to inappropriate user ID control. One employee ID is able to create
multiple user IDs, and no employee ID validation option is available during creation
of user IDs.
Instances where material dispatched did not reach the end user on time or was
received in damaged condition:
There is an element of risk in any decision or activity, and intelligent risk
taking is encouraged when the risk is appropriately managed. Once identified, a risk must be
analyzed to determine its potential effects. A risk score is developed by assessing
two variables, likelihood and severity/impact:
Severity/impact descriptors were discussed with the Management and the following
conclusions were drawn:
The above numerical scores for likelihood and severity/impact descriptors must be
multiplied to arrive at a risk score. Based on the risk score, the risk treatments must be
identified and implemented. The risk mitigation strategy is explained for each of the
options.
1. Tolerate/Accept the risk. Some risks may be considered minor because their impact
and probability of occurrence is low. In this case, consciously accepting the risk as a cost
of doing business is appropriate, as well as periodically reviewing the risk to ensure its
impact remains low.
2. Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of
a particular technology, supplier, or vendor. The risk can be eliminated by replacing the
technology with more robust products and by seeking more capable suppliers and
vendors.
3. Transfer/Share the risk. Risk mitigation approaches can be shared with trading
partners and suppliers. A good example is outsourcing infrastructure management. In
such a case, the supplier mitigates the risks associated with managing the IT
infrastructure by being more capable and having access to more highly skilled staff than
the primary organization. Risk also may be mitigated by transferring the cost of realized
risk to an insurance provider.
4. Treat/mitigate the risk. Where other options have been eliminated, suitable controls
must be devised and implemented to prevent the risk from manifesting itself or to
minimize its effects.
5. Turn back. Where the probability or impact of the risk is very low, management
may decide to ignore the risk.
As mentioned above, several weaknesses and risks are present in the internal control and IT
systems of the company, leaving a lot of room for inefficiencies to arise, as well as the
potential for missed savings and cash leakage resulting in revenue loss. To eliminate
these, management needs to work in close co-ordination with the internal audit team and
the IT team to implement a fully integrated risk management framework both at the
enterprise level and at the IT level. This would help enhance stakeholder
value by speeding up communication, reducing time for approvals, eliminating
some of the unnecessary paperwork, reducing surprises, and optimizing
conformance and performance. Also, with the rising risk of IT attacks, robust security
needs to be implemented at different levels of the enterprise to prevent data and
availability issues. We are pleased to work with you and happy to provide further
assistance.
Thank You
Team
M/s TPS & Co. LLP
Chartered Accountants