
PROJECT REPORT

ON

INFORMATION SYSTEMS AUDIT OF ERP SOFTWARE

M/s TPS & CO, LLP 1|Peacock Limited


CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training
conducted at Raipur, CG from 10.08.2019 to 15.09.2019 and we also have the required
attendance. We are submitting the project titled: “Information Systems Audit of ERP
Software”.

We also certify that this project report is the original work of our group and each one of
us has actively/positively participated and contributed in preparing this project. We
also confirm that we have followed the guidelines issued by the ICAI for the project. We
have not shared the project details or taken help in preparing the project report from
anyone except members of our group.

We hereby confirm that we have followed the guidelines issued by CIT, ICAI for the
project.

NAME                 MEMBERSHIP NUMBER   ISA NUMBER   EMAIL ID                      SIGNATURE
CA Prabhat Tiwari    530749              59529        Prabhat0402@gmail.com
CA Topesh Kumar      417578              59640        Topeshdewangan@gmail.com
CA Siddharth Jain    435800              57238        Siddharth.jain605@gmail.com

PT BATCH ID: RAI1908091

PLACE: RAIPUR

DATE: 15.09.2019

M/s TPS & CO, LLP 2|Peacock Limited


Table of Contents

PROJECT REPORT OF DISA 2.0 COURSE 2

1. INTRODUCTION 4

2. AUDITEE ENVIRONMENT 5

3. LOGISTICS ARRANGEMENTS 8

4. METHODOLOGY AND STRATEGY ADOPTED FOR EXECUTION OF ASSIGNMENTS 9

5. DOCUMENTS REVIEWED 11

6. REFERENCE 15

7. POLICY ISSUES 15

8. FINDING AND RECOMMENDATIONS 17

9. CONCLUSION 24


1. Introduction

PEACOCK LIMITED is a multinational company which has a chain of supermarkets. It is
one of the largest retail conglomerates in India, with a diverse portfolio of retail and
hospitality brands. The company provides a value-driven product range for the entire
family through an extended portfolio of core retail brands. Its unique value proposition
is that it offers a one-stop shopping destination, catering to all the daily needs of a
consumer by providing grocery, fruits & vegetables, meat & fish, wine & spirits,
kitchenware, electronics, apparel, health & beauty, furniture and much more under one
roof. The company has recently implemented an ERP solution which integrates all the
stores across the country. Due to a recent spate of errors discovered in billing and
shortages of inventory, the Management is increasingly concerned about the overall
reliability and security of its IT environment.

ABOUT US

We, M/s TPS & CO. LLP, Chartered Accountants, were established in the year 2012. Our
firm consists of 3 partners having expertise mainly in the fields of Management Services
and Information Systems Audit. We strive to make our clients adopt the best industry IT
practices. Our experience in Information Systems Audit and IS implementation extends
to more than 7 years. We provide our services to top MNCs and help them establish
secure IT systems in their organizations. Due to the sensitivity of the current
assignment we have deployed our core team of 3 Chartered Accountants (all DISA
qualified), along with three other team members who have expert knowledge in the
field of IT. Below are the details of our team:

1. CA Prabhat Tiwari (Group Leader)
2. CA Topesh Dewangan
3. CA Siddharth Jain
4. Mr. Ram Singh
5. Ms. Ayushi Sharma
6. Ms. Kavita Tripathi


2. AUDITEE ENVIRONMENT

Platform                        Servers                Applications
Mainframe Platform              IBM Mainframe System   Financial Applications
                                                       Sales Applications
                                                       Logistics management system
Open System Platform            UNIX Servers           ERP System
                                                       Stores management system
                                                       Other Applications & database - Payroll Database
PC & Terminal Network Platform  Windows Servers        File & Print Services
                                                       Communication Services
                                                       Gateway Services

Workstations OS : Windows 7
Main Data Centre : Bangalore
Backup Data Centre : Delhi
Data Backup Type : Mirrored backup data


 Nature of business: Peacock Ltd. is a multinational company which has a chain of
supermarkets in retail and hospitality brands.

 Technology deployed: The company recently implemented an ERP solution which
integrates all the stores across the country. The company has its main data center at
Bangalore and a backup data center at Delhi, with all critical data and operations
available in the mirrored backup data center. The company has a specialized IT
department with more than 40 IT professionals who are responsible for keeping IT
running smoothly.

 Organization Structure: Peacock Ltd. is a multinational company which has a chain of
supermarkets. It is one of the largest retail conglomerates in India, with a diverse
portfolio of retail and hospitality brands. In keeping with the size of its business,
Peacock Ltd. has a well-defined hierarchy of management, which is as follows:

 Hierarchy of Management of Peacock Ltd. (organization chart):

Board of Directors
  CEO/Managing Director
    CFO
    Chief Information Officer
      Information Department
      Technical Support Department
      Training Group
    HR Department
      Recruitment Team
      Compensation and Benefits
    Legal and Compliances
    Marketing
      Advertising Department
      Public Relations
      Market Analysis


 Policies and procedures adopted by Peacock Ltd. are as follows:

A. Human Resource policy and procedure
i. Employees Code of Conduct
ii. Disciplinary Procedure
iii. Working Time Policy
iv. Health and Safety Policy
v. Conflict of Interest Policy
vi. Overtime Compensation

B. Operational Policies
i. Standard Operating Procedures
ii. Market Supplement Policy
iii. Making & Reviewing Policies

C. IT Policies
i. Information Security Policy
ii. Data Protection Policy
iii. Computer Use Policy
iv. Social Networking Policy
v. Auditing Policy
vi. Software Tracking Policy
vii. Software development policy


3. LOGISTICS ARRANGEMENTS

Logistic arrangements required by Peacock Ltd. are as follows:

A) Hardware
i. MS SQL Server
ii. Email Server
iii. Application Server
iv. Web Server
v. File Server
vi. Other hardware
 Client/Nodal Computers
 Printers, Scanners and Faxes
 Routers and Modems
 UPS
 Hubs and Switches
 Wireless Cards
 Storage devices like Hard drives, Pen Drives, CD ROMs
 LCD Projection Devices
 Security Hardware

B) Software
i. System Software
Windows Server based Operating System
ii. Application Software
ERP integrating the following functions
 Purchase
 Sales and Distribution
 Accounts and Financial
 Payroll
 Customer Relationship Management

C) Security Software
i. Firewalls
ii. Anti-Virus


4. METHODOLOGY AND STRATEGY ADOPTED FOR EXECUTION OF ASSIGNMENTS

The assignment was carried out as a pre-planned assignment. We have used the
internationally accepted standards for IS Audit: COSO 2013, COBIT 5 and ISO 31000, a
family of standards relating to risk management codified by the International
Organization for Standardization.

The key tasks of our assignment are highlighted below:

 Interviews with business leaders to understand key strategic business objectives.
 Use of Internal Control Questionnaires (ICQs) developed leveraging the COSO and
COBIT frameworks.
 Business process owners completed the ICQs.
 The team conducted process walkthrough exercises with each business process
owner vis-a-vis policies and SOPs.
 Risk assessment was completed through a combination of the following:
 Brainstorming with senior management for review of organisation risks
 Review of key business objectives
 Key points and risk considerations from the minutes of Board Meetings
 Review of vendor contracts and SLAs with service providers
 The team evaluated the overall results.
 Identified areas for improvement
 Identified compensating controls
 Assessed overall risks
 Accumulated results
 Issue of draft audit report
 Review of the draft audit report by the business process owners and key
management personnel
 Issue of final audit report

IT Audit cycle (figure): 1. Information Gathering; 2. Review prior audit observations;
3. Analysis of Risk Assessment; 4. Develop IT Audit Plan; 5. Perform IT Audit Plan;
6. Customer Satisfaction Evaluation.


5. DOCUMENTS REVIEWED

S. No.  Process Evaluated                        Effectiveness of Controls and Processes
1       Policy & Procedures & SOPs               Adequate
2       System Access controls and SOD           Inadequate, Not Controlled
        (Segregation of Duties)
3       Spreadsheets control                     Non Existent
4       Application Security                     Inadequate
5       Change Management                        Requires Improvement
6       Backup and Recovery                      Adequate
7       Performance Planning and Testing         Requires Improvement
8       Staff Training                           Requires Improvement
9       Physical Security                        Requires Improvement
10      Password Controls                        Requires Improvement
11      Business Continuity Planning and         Non Existent
        Disaster Recovery Mechanism

Reasons supporting the above assessments, as given by TPS & Co., LLP:

1. Policy, Procedures & SOPs – Formal policies and procedures addressing areas such
as process controls, user access, password administration, policy enforcement, and
monitoring practices have been developed, documented and formally communicated to
system users. Standard operating manuals are updated in line with the business process
re-engineering carried out during ERP implementation. Accordingly, the company will
not be exposed to mistakes from both internal and external sources.

2. System Access controls and segregation of duties – Access to the financial systems
(including general ledger, accounts payable, accounts receivable, and fixed assets) and
financial reporting systems has been restricted to appropriate users (e.g., the finance
division); however, access to individual functions within these systems has not been
restricted based upon the specific business needs of the individual users. Even though
management has appropriately established who should perform certain functions,
preventive access controls in the systems do not restrict who can perform those
functions. As a result, system users may be able to perform inappropriate or
incompatible functions. Management must establish user access roles in the systems
and restrict access based upon defined business needs.

3. Spreadsheets – End-user computing technologies (e.g., Microsoft Excel, Access, Word,
PowerPoint) that are used to generate financial data or disclosures in the financial
reports are not subject to a level of control commensurate with other key financial
application systems. Though access to the spreadsheets is restricted to the finance
division, the spreadsheets themselves are not subject to an appropriate level of security
or change management control. The files are also not password protected, changes are
not logged, and file versions are not managed. The company must deploy a system to
manage documentation throughout the enterprise. This system must have the ability to
restrict access to specific files and manage versions so that unauthorized use of
confidential documents can be avoided.

4. Application Security – Controls over access to the ERP application and operating
system are not documented. We recommend that user access be compared to job
functions and access rights reconciled. In addition, policies and procedures should be
created to govern the authorization and maintenance of user accounts.

5. Change Management – The change management process in place within the IT
department is not current. There is also a lack of segregation of duties, as the same
individual is responsible for making changes to the ERP system, then testing the
changes, and then implementing the changes in the production environment. IT
management should update the formal change management process, focusing
particularly on the approval of changes to the ERP and the implementation of changes
in the production environment.

6. Backup and Recovery – ERP backup tapes are stored in the data center instead of
being stored offsite, and restoration testing is not performed on a regular basis.
Additionally, formal IT policies regarding system maintenance, restoration, storage and
backup testing have not been adopted or documented. We recommend that the IT
department create and document IT policies addressing these topics, move backup
tapes offsite, and perform and document restoration testing.

7. Performance, Planning and Testing – Patches are deployed to the live environment
before adequate planning and testing, resulting in bugs and consequent operational
failure. The company suffered delays in deliveries of products and services to customers
because a patch applied to the delivery module had bugs which had not been corrected.
We recommend that user sign-off be obtained for every module in which a patch is to
be applied.

8. Training – Operations people within the company are accustomed to dealing with
phone calls, faxes, spreadsheets or hunches scrawled on paper, and are resistant to
using the ERP software. Management must convince front-line operations people that
using the software will be worth their time, so that they do not find ways to work
around it. We also recommend that a training calendar be maintained on a regular
basis.

9. Physical Security – The data center housing the ERP server lacks a climate control
system to regulate temperature, humidity and air quality. We recommend that
equipment which monitors and regulates the climate of the data center be installed. In
addition, controls are not in place to limit access to the data center. We recommend
limiting data center access to IT personnel through the use of swipe cards or other
means.

10. Password Controls – End users are not forced to change their passwords on a
periodic basis. The functionality for prompting password change must be enabled to
force users to change their passwords on a timely basis instead of keeping one
password for all time.

11. Business Continuity Plan and Disaster Recovery Plan – Disaster recovery (DR) and
business continuity refer to an organization’s ability to recover from a disaster and/or
unexpected event and resume operations. Management must consider factors such as
alternate site designation, training of personnel, and insurance issues while formulating
plans for disaster recovery and business continuity.

The VPN connectivity has its own problems, and every SLA signed with a service
provider covers only certain basic clauses; the clauses that are currently missing are
described below.

Following is the list of weaknesses and their consequences in the VPN scenario:

1. Weakness: The SLA does not include servicing of the VPN and other day-to-day
   operational maintenance and monitoring activities to be performed by the service
   provider.
   Implications: The IT department at Head Office is not well equipped to cater to VPN
   issues at remote branches. It is not feasible for the company to deploy IT-trained
   staff at every branch to cater to day-to-day VPN issues.
   Recommendations: The SLA with every VPN service provider must cover maintenance
   and troubleshooting of VPN connectivity issues and secure tunneling. This service
   should be available 24 x 7 to the organization. The fault response and restoration
   time required to troubleshoot problems (based on criticality levels) must be defined
   in the SLA.
   Management Comment: Issue under consideration. Top level management has been
   informed.

2. Weakness: Loss on account of lack of VPN connectivity is not quantified. There is no
   provision to penalize the VPN ISP in cases of persistent and prolonged connectivity
   issues.
   Implications: The absence of a penalizing clause makes the VPN ISP complacent
   towards expediting troubleshooting measures.
   Recommendations: The SLA must provide for service rebates in case the VPN service
   is unavailable for more than “N” number of hours. The company must be automatically
   credited with the mutually agreed service rebate amount.
   Management Comment: Issue requires a lot of capital input from both ends.
   Management and service provider are working on it.

3. Weakness: VPN (although a cost-effective high speed internet solution) can pose a
   security risk when used with wireless devices and across access points.
   Implications: This can result in a breach of data security and a confidentiality risk.
   Recommendations: The SLA must expressly fix responsibility on the ISP to provide
   security infrastructure that protects the company from unauthorized external access
   to, or broadcast of, the company’s intellectual property, proprietary and confidential
   data. The ISP must report to the company any observed security breaches and
   suspicious activity.
   Management Comment: Will cover it in the agreement updation under consideration.

4. Weakness: In case of connectivity issues at branch or regional level, the same is
   reported to the head office and the IT team at the head office carries forward all
   communication with the respective ISP. The responsibility to report any
   troubleshooting requirements to the ISP is not defined in the job profile of any
   employee at the regional or branch level.
   Implications: The absence of a direct point of contact between the regional/branch
   office and the VPN ISP leads to miscommunication and delay in troubleshooting of
   problems. Consequently, all provision of products and services to the customers is
   affected for prolonged periods of time. Normalization of day-to-day activities is also
   delayed.
   Recommendations: A “VPN Contact” must be appointed to act as a central point of
   contact for seeking any VPN support. The SLA must affix responsibility on the ISP
   staff to provide initial training to this contact, and he shall be responsible for
   reporting all VPN service problems to the VPN ISP.
   Management Comment: Corrected. Head of branch is given responsibility and
   authority to manage complaints. Not all branches can be provided ISP staff, but the
   work is to be done in clusters.


6. REFERENCE

Under the specific compliance requirements of the Information Technology Act as
amended in 2008, an organization must evaluate its IT processes, policies and
IT-supported business processes to ensure that they are compliant with laws,
regulations and contractual requirements, and obtain assurance that the requirements
have been identified, complied with and integrated with IT Governance. The Information
Technology Act, 2000 lays down the law with respect to the use of information
technology for e-business, digital signatures, information security and confidentiality.
The same was amended in 2008 to provide for further security and confidentiality of
sensitive personal information collected by an organization for any purpose. The
detailed compliance checklist (as compiled by the Data Security Council (DSC)).

Non-compliance with the IT Act, 2000 can bring financial liabilities to the company and
may even land the CEO or a Director in jail [refer S(85) of IT Act, 2000]. It is also
necessary for the organization to understand that even if any of its employees
contravene the provisions of the Act, including committing personal offences such as
searching for child pornography using the corporate network, there could be vicarious
liabilities on the organization and its Directors and Executives.

7. POLICY ISSUES

Password policy parameters to be set as per Security policy

Observation: Password policy is not set. Currently all password policy parameters are
set to default. The current password parameters are:

 Maximum password age: 62 days
 Minimum password length: Permit blank password
 Minimum password age: Allows changes immediately
 Maintain password history: Do not keep password history
 Password complexity: Simple
 Forcing users to change password on first logon: Not Enabled

Exposure: In the absence of comprehensive password controls, it becomes easy to guess
users’ passwords. Once the passwords are known, they may be misused to enter
unauthorized transactions.

Cause: This is due to the lack of a documented Information Security policy for
MaxInfoTech.


Recommendation: Ensure that password policy parameters are set as:

 Maximum password age: 30 days
 Minimum password length: 8 characters
 Minimum password age: 3 days
 Maintain password history: Remember last 3 passwords (do not allow reuse of the
last three passwords)
 Password complexity: Complex
 Forcing users to change password on first logon: Enabled

Management Comment: Will follow the recommendation and implement it soon.
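As an added example (not part of the audit report), the following Python script compares the observed password parameters above with the recommended baseline and returns each deviation as an audit finding. The PasswordPolicy fields, the "0 means disabled" value encoding and the check_policy/report functions are assumptions made for this example, not the ERP's own configuration keys.

```python
"""Password-policy baseline check (added example, not the ERP's configuration API).

Each parameter is compared against the recommended baseline from the report; a
setting that is stricter than the baseline is not a finding, a weaker one is."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    max_age_days: int            # 0 means passwords never expire (assumed encoding)
    min_length: int              # 0 means blank passwords are permitted (assumed encoding)
    min_age_days: int            # 0 means a password may be changed again immediately
    history_size: int            # 0 means no password history is kept
    complexity: str              # "simple" or "complex"
    change_on_first_logon: bool


# Parameters as observed during the audit (all defaults), from the Observation above.
OBSERVED = PasswordPolicy(max_age_days=62, min_length=0, min_age_days=0,
                          history_size=0, complexity="simple",
                          change_on_first_logon=False)

# Baseline from the Recommendation above.
RECOMMENDED = PasswordPolicy(max_age_days=30, min_length=8, min_age_days=3,
                             history_size=3, complexity="complex",
                             change_on_first_logon=True)


def check_policy(actual: PasswordPolicy, baseline: PasswordPolicy) -> dict:
    """Return {parameter: (observed, required)} for every parameter weaker than the baseline."""
    findings = {}
    # Maximum age: shorter is stricter; 0 (never expires) is always a finding.
    if actual.max_age_days == 0 or actual.max_age_days > baseline.max_age_days:
        findings["max_age_days"] = (actual.max_age_days, baseline.max_age_days)
    # Minimum length: longer is stricter; 0 allows blank passwords.
    if actual.min_length < baseline.min_length:
        findings["min_length"] = (actual.min_length, baseline.min_length)
    # Minimum age: stops a user cycling straight back to the old password.
    if actual.min_age_days < baseline.min_age_days:
        findings["min_age_days"] = (actual.min_age_days, baseline.min_age_days)
    # History: must remember at least as many previous passwords as the baseline.
    if actual.history_size < baseline.history_size:
        findings["history_size"] = (actual.history_size, baseline.history_size)
    # Complexity: only "complex" satisfies a "complex" baseline.
    if baseline.complexity == "complex" and actual.complexity != "complex":
        findings["complexity"] = (actual.complexity, baseline.complexity)
    # Forced change on first logon: required whenever the baseline requires it.
    if baseline.change_on_first_logon and not actual.change_on_first_logon:
        findings["change_on_first_logon"] = (actual.change_on_first_logon,
                                             baseline.change_on_first_logon)
    return findings


def report(actual: PasswordPolicy, baseline: PasswordPolicy) -> list:
    """Render the findings as working-paper lines, one per deviating parameter."""
    lines = [f"{name}: observed {have!r}, recommended {need!r}"
             for name, (have, need) in check_policy(actual, baseline).items()]
    return lines or ["All password policy parameters meet the recommended baseline."]


if __name__ == "__main__":
    for line in report(OBSERVED, RECOMMENDED):
        print(line)
```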

Documented procedure for creating new user-ids to be implemented

Observation: User-ids and profiles are created as and when required. There was no
evidence of any formal and documented procedure/communication for the creation of
user-ids/profiles.

Exposure: A large number of user IDs will require a lot of space on the server. Also, an
unauthorized user may get into the system and harm the system and the organization
as a whole.

Cause: This is due to inappropriate user ID control. One employee ID is able to create
multiple users, and an employee ID validation option is not available during the
creation of user IDs.

Recommendation: Ensure that user ID creation is controlled as follows:

 One user ID per employee code.
 Validation of the employee ID during creation of a user.
 Check on user creation and authorization from senior level.

Management Comment: The system is already being updated to comply with these
features to control fraud and duplicate user IDs.

1. Check point: Is the business continuity plan documented and implemented?
   Policies & Procedures: Documented only
   Management Reply / Remarks: Proper implementation needs to be done.

2. Check point: Whether the scope and objectives of a BCP are clearly defined in the
   policy document? (Scope to cover all critical activities of the business. Objectives
   should clearly spell out the outcomes of the BCP.)
   Policies & Procedures: Yes, but not all issues covered.
   Management Reply / Remarks: Check compliance of all the procedures.

3. Check point: Whether there exist any exceptions to the scope of the BCP, i.e. in terms
   of location or any specific area, and whether the management has justifications for
   exclusion of the same.
   Policies & Procedures: No
   Management Reply / Remarks: Needs serious attention from the management on this
   issue.

4. Check point: What is the time limit for such exclusion and what is the current strategy
   for covering such exclusions?
   Policies & Procedures: No strategy
   Management Reply / Remarks: It should be kept at a minimum level.

5. Check point: Are the policy and procedure documents approved by the top
   management? (Verify sign-off on policy and procedure documents and budget
   allocations made by the management for a BCP.)
   Policies & Procedures: Yes
   Management Reply / Remarks: Complied

8. FINDING AND RECOMMENDATIONS

1. Inventory Control and Management

Efficient inventory management is achieved through inventory control and inventory
management. Inventory control involves managing the inventory that is already in the
stockroom or store: the information about where it is, how much of it there is and how
much each item costs. Inventory management involves determining what, when, from
whom, and how much to order. It is the forecasting of future requirements based on
current and past trends.

1. Internal control weakness: The re-order level of the various material components
   required has not been entered in the ERP software.
   Implications: Manual intervention is required for placing orders which could easily be
   placed through the system at the right time, resulting in delays in placing orders.
   Recommendations (for weaknesses 1 and 2): The company must adopt a system of
   Materials Requirements Planning (MRP) to provide a clear view of the gaps between
   current inventory levels and forecasted demand for each inventory item.
   Additionally, MRP generates alerts and replenishment orders to keep a company’s
   inventory at an optimal level. This would enable better control over material, prevent
   excessive stocking and, above all, ensure a regular supply of materials for
   uninterrupted production.

2. Internal control weakness: Minimum order quantity and lead time for every raw
   material component are also not defined.
   Implications: This is the direct fallout of the first weakness. The absence of an entire
   system of re-order level, minimum order quantity and lead time is leading to delays in
   procurement and receipt of material, thereby affecting production.
   Recommendations: As for weakness 1 (adopt MRP).

3. Internal control weakness: Inventory requirement planning is done in an
   over-simplified manner as 1.5 times the sales of the same quarter in the last F.Y.
   Implications: The overall average growth trend as revealed by sales analytics has
   been 10% per annum. Thus the company is stocking more than required. Needless to
   say, poor inventory requirement planning results in poor inventory management.
   Recommendations: Management must make use of intelligent forecasting tools to
   create an efficient demand planning process and achieve optimal planning accuracy.
   The individual plans from the various department managers, including top
   executives, sales, marketing and purchasing managers and so on, can be integrated
   into one valid plan. Forecast analytics tools provide decision makers with historical
   data and enable the visualization of market trends, which in turn allows for the
   adjustment of demand plans in real time.

4. Internal control weakness: The system for calculating the landed costs of inventory
   does not consider all
   Implications: Inability to determine a fair inventory valuation leads to loss of revenue
   on account of faulty pricing strategies.
   Recommendations: The CIO together with the CEO must work on scientific techniques
   and reporting requirements of the ERP to fairly determine the landed cost of material.

Instances where material dispatched did not reach the end user on time or was
received in damaged condition:

1. Internal control weakness: The policy of collecting post-dated cheques is not followed
   diligently. The RMs, without express authority, sell goods without PDCs.
   Implications: Increase in bad debts leading to financial loss for the company. Debtors
   greater than 6 months amounted to Rs. 1.64 cr. and the company had written off bad
   debts to the tune of 64 lacs during the last financial year.
   Recommendations: The system must be configured so that all direct customer orders
   at branch level are logged only when PDC details have been entered. Any exception
   must be with the approval of a higher authority.

2. Internal control weakness: The company does not have a separate channel marketing
   manager to train, educate and address grievances of the channel distribution
   partners (CDPs). At present the marketing manager and his team are responsible for
   all marketing activities, whether at company-owned branches or through CDPs.
   Implications: Since the company is fast expanding its distribution network, the
   marketing manager alone is ill equipped to cater to specific channel distribution
   requirements. Channel distribution problems can occur when channel partners have
   inadequate product or market knowledge. The result is poor service to customers
   and lost sales opportunities.
   Recommendations: Appoint a channel marketing manager and team to work in
   collaboration with channel partners. The manager should be responsible for selecting
   partners, training and developing partners’ sales and marketing staff, and
   monitoring performance against agreed targets. By building and maintaining
   relationships with the distribution channel, the manager can identify potential
   problems and deal with them before they become serious.

3. Internal control weakness: The company’s communication with the CDPs is limited
   at present to only stock requirements, sales, collections and incentives. No concerted
   effort is being made to train and motivate the CDPs or to impart customer service
   methods to them.
   Implications: Channel partners are responsible for relationships with the customers
   that the company does not serve directly. If channel partners offer poor standards of
   service, such as late deliveries, inaccurate invoicing or delays in dealing with
   customer enquiries, customer satisfaction will drop, with an impact on the company’s
   reputation.
   Recommendations: A specialised marketing team can overcome this problem by
   providing training programs and guides that improve product knowledge. The
   company must also create a set of customer service standards and communicate
   them to distributor teams.

2. Advisory on Risk Management Strategy

There is an element of risk in any decision or activity, and intelligent risk taking is
encouraged when the risk is appropriately managed. Once identified, a risk must be
analyzed to determine its potential effects. A risk score is developed by assessing two
variables:

1. The likelihood of a risk event or condition occurring, and
2. The severity/impact of the consequences of that event or condition.


Likelihood descriptors were discussed with the management and the following
conclusions were drawn.

Score               Likelihood Descriptors (as discussed with the Peacock Ltd Management)
1 – Rare            Has not occurred in the last 10 years at any organization in the industry
2 – Unlikely        Has not occurred in the last 10 years at Peacock Ltd
3 – Moderate        Similar events have occurred in the last 10 years at any organization in
                    this country
4 – Likely          Similar events have occurred at Peacock Ltd at least once in the last 10
                    years or in the industry in the last 5 years
5 – Almost Certain  Similar events have occurred at least once every 5 years or in the
                    industry in the last 2 years

Severity/impact descriptors were discussed with the Management and the following
conclusions were drawn.

Score              Severity/Impact Descriptors (as discussed with the Management)
1 – Insignificant   No legal consequence
                    Cost less than Rs. 5 Lakhs (absorbed by current budget)
                    Achievement of strategic goal delayed within FY
2 – Minor           Warning or order to comply from regulatory authorities
                    Loss of over Rs. 5 Lakhs but less than Rs. 25 Lakhs
                    One or more strategic goals not attainable or must be revised
3 – Moderate        Statutory charge against one or two employees
                    Financial losses up to 5% of total annual operating budget
                    A key strategic goal underlying corporate commitment unattainable
                   without significant revision and delay over the year
4 – Major           Statutory charges and civil suit against the company or one or more
                   senior management
                    Financial losses up to 10% of total operating budget
                    One or more corporate commitments unattainable in the planned time
                   frame
5 – Extreme         Criminal or legal action against the company or one or more senior
                   management
                    Financial losses up to 25% of total annual operating budget
                    One or more corporate commitments unachievable

The above numerical scores for likelihood and severity/ impact descriptors must be
multiplied to arrive at a risk score. As per the risk score, the risk treatments must be
identified and implemented. The risk mitigation strategy is explained for each of the
options.

1. Tolerate/Accept the risk. Some risks may be considered minor because theirimpact
and probability of occurrence is low. In this case, consciously accepting the riskas a cost
of doing business is appropriate, as well as periodically reviewing the risk toensure its
impact remains low.

2. Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of
a particular technology, supplier, or vendor. The risk can be eliminated by replacing the
technology with more robust products and by seeking more capable suppliers and
vendors.

3. Transfer/Share the risk. Risk mitigation approaches can be shared with trading
partners and suppliers. A good example is outsourcing infrastructure management. In
such a case, the supplier mitigates the risks associated with managing the IT
infrastructure by being more capable and having access to more highly skilled staff than
the primary organization. Risk also may be mitigated by transferring the cost of realized
risk to an insurance provider.

4. Treat/mitigate the risk. Where other options have been eliminated, suitable controls
must be devised and implemented to prevent the risk from manifesting itself or to
minimize its effects.

5. Turn back. Where the probability or impact of the risk is very low, then management
may decide to ignore the risk.
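The scoring method above, worked through in code as an added example (not part of the audit report): each register row is scored as impact x likelihood, ranked, and checked for consistency. The impact numbers 3 to 5 follow the severity table above; the names for impact bands 1 and 2 and the five-point likelihood scale are assumptions.

```python
"""Added example: scoring a risk register by likelihood x impact, as the report
describes, ranking rows and running an auditor's consistency check.
Impact values 3-5 come from the report's severity table; the names for 1-2 and
the five-point likelihood scale are assumed."""
from dataclasses import dataclass
from typing import List, Optional

IMPACT = {"insignificant": 1, "minor": 2,            # assumed names for 1-2
          "moderate": 3, "major": 4, "extreme": 5}   # from the severity table
LIKELIHOOD = {"rare": 1, "unlikely": 2, "moderate": 3,
              "likely": 4, "almost certain": 5}      # assumed 1-5 scale
# The five treatment options listed above, with their alternate names.
TREATMENTS = {"tolerate", "accept", "terminate", "eliminate", "transfer",
              "share", "treat", "mitigate", "turn back"}


@dataclass
class Risk:
    event: str
    impact: str
    likelihood: str
    treatment: str
    recorded_score: Optional[int] = None  # score as written in the register

    def score(self) -> int:
        """Risk score = impact descriptor value x likelihood descriptor value."""
        return IMPACT[self.impact.lower()] * LIKELIHOOD[self.likelihood.lower()]


def rank_register(risks: List[Risk]) -> List[Risk]:
    """Highest computed score first, so treatment effort goes to the worst risks."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


def register_issues(risks: List[Risk]) -> List[str]:
    """Consistency check: the recorded score must equal the product, and the
    treatment must be one of the five options."""
    issues = []
    for r in risks:
        if r.recorded_score is not None and r.recorded_score != r.score():
            issues.append(f"{r.event}: recorded {r.recorded_score}, computed {r.score()}")
        if r.treatment.lower() not in TREATMENTS:
            issues.append(f"{r.event}: unknown treatment '{r.treatment}'")
    return issues


if __name__ == "__main__":
    # Constructed sample rows in the shape of the report's register.
    register = [
        Risk("Labour unrest at RM vendor", "Major", "Moderate", "Eliminate", 12),
        Risk("Inadequate document control", "Major", "Likely", "Treat", 16),
        Risk("Overdue receivables follow-up", "Moderate", "Likely", "Treat", 9),
    ]
    for r in rank_register(register):
        print(r.score(), r.event, r.treatment)
    print(register_issues(register))
```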



Based on the above policies, the following risk management strategy is advised for
risks with high risk scores as observed during the audit.

Risk Event | Impact/Probability | Risk score/Risk Treatment | Risk Management Strategy

Operational

Labour unrest at main RM Vendor's manufacturing concern
  Impact: Major; Probability – Moderate
  Risk score/treatment: 12, Eliminate
  Strategy: New vendor identification and development to develop alternate sources of RM

Contractual liability in case of "danger clauses" with vendors/ISP/CDPs etc.
  Impact: Moderate; Probability – Likely
  Risk score/treatment: 12, Treat
  Strategy: Work with legal department to prepare fully understood and accepted documents

Inadequate control on business management documents and communication channels
  Impact: Major; Probability – Likely
  Risk score/treatment: 16, Treat
  Strategy:
    - Implement document generation and distribution mechanisms
    - Track issue of documents
    - Take minutes and distribute copies to relevant attendees
    - Avoid verbal advice without written confirmation

Lack of Staff/Professional Development
  Impact: Major; Probability – Moderate
  Risk score/treatment: 12, Treat
  Strategy:
    - Develop skill capability matrix
    - Identify additional training requirements and develop training plans
    - Monitor performance and catalogue achievements

Market

Competition increases in domestic markets
  Impact: Major; Probability – Moderate
  Risk score/treatment: 12, Treat
  Strategy:
    - Market awareness and strategy planning (marketing)
    - Local and national market campaigns

Actions of channel distribution partners (CDPs) inconsistent with business strategy
  Impact – Major; Probability – Likely
  Risk score/treatment: 16, Treat
  Strategy:
    - Communication of objectives
    - Brand value creation
    - Brand equity review

External and Regulatory

Ignorance and non-compliance of applicable laws and regulations
  Impact: Extreme; Probability – Likely
  Risk score/treatment: 15, Treat
  Strategy:
    - Develop a checklist of relevant codes and compliances
    - Seek professional help

Reduced growth opportunities due to economic downturn
  Impact: Major; Probability – Moderate
  Risk score/treatment: 12, Treat
  Strategy:
    - Strategic planning and scheduling (pipeline)
    - New market due diligence
    - CDP environment

Financial

Insolvency of high value clients
  Impact: Moderate; Probability – Likely
  Risk score/treatment: 9, Treat
  Strategy: Research customer's credit history and background and accordingly extend credit sales

Inadequate collection management and follow-up on payments
  Impact: Moderate; Probability – Almost
  Risk score/treatment: 12, Treat
  Strategy:
    - Maintain tight credit collection and manage credit control (ensuring PDCs)
    - Escalation of reports on debts greater than 3 months


9. CONCLUSION

Priority | Class | Description | Implementation Action

1. We recommend limiting data center access to IT personnel through use of swipe cards or other means.
   Implementation action: Immediate
2. The functionality for prompting password change must be enabled to force the user to change passwords periodically.
   Implementation action: Six months
3. The Management must implement/lay down procedures for BCP/DRP.
   Implementation action: Within three months

As mentioned above, several weaknesses and risks are present in the internal control and IT
systems of the company, leaving a lot of room for inefficiencies to arise, as well as the
potential for missed savings and cash leakage resulting in revenue loss. To eliminate
these, management needs to work in close co-ordination with the internal audit team and
the IT team to implement a fully integrated risk management framework at both the
enterprise level and the IT level. This would help enhance stakeholder value by speeding
up communication, reducing time for approvals, eliminating some of the unnecessary
paperwork, decreasing surprise elements and optimizing conformance and performance.
Also, with the rising risk of IT attacks, robust security needs to be implemented at
different levels of the enterprise to prevent data and availability issues. We are pleased
to work with you and happy to provide further assistance.

Thank You

Team
M/s TPS & Co. LLP
Chartered Accountants

