Project Report of DISA 2.0 - ERP Implementation Audit



Project Report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at: Centre of Excellence, Gachibowli, Hyderabad from 16/12/2017 to 21/01/2018 and we have the required attendance. We are submitting the Project titled: IS Audit of ERP Software

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project report is the original work of our group and that each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.

Mekala Leela Raghavendra Prasad

Santhosh Kumar Sunkara

53515 51258 53500

Signed Signed Signed

Table of Contents

Details of Case/Project
Terms and scope of assignment
Logistics arrangements required
Methodologies and Strategy adapted for execution of assignment
Format of Report/Findings and Recommendations

Project Report Title: IS Audit of ERP Software, M/s ABM Limited

1. Details of Case Study/Project

ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. The objective of the IS audit is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM.

ABM Limited (ABM) has been using Information Technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of ABM has been very proactive in directing the management and deployment of Information Technology. Most of the mission-critical applications in the company have been computerised and networked. ABM selected SAP Business Suite to bring a more integrated and seamless approach to internal processes. SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple units across different locations, involving extensive procedures and large volumes of data. The family of business applications provides better insight through enterprise-wide analysis based on real-time data and key performance indicators, improved quality and on-time delivery, reduction in inventory cost and enhanced customer service.

2. Introduction

Client: ABM Limited

ABM Limited (ABM) is one of the leading Public Sector Undertakings, having multiple manufacturing divisions and regional offices spread all over India. ABM operates on three major business verticals for associated equipment manufacturing:
• Mining & Construction;
• Defence; and
• Rail & Metro.
In addition to the above there are three Strategic Business Units (SBUs):
• Technology Division for providing end-to-end engineering solutions;
• Trading Division for dealing in non-company products; and
• International Business Division for export activities.
ABM has eight manufacturing units spread over four locations. ABM's mission is to improve competitiveness through organisational transformation and collaboration / strategic alliances / joint ventures in technology. To ensure the same, ABM has implemented ERP with effect from October 2010 across the company. ABM has successfully implemented SAP ERP and went live in a quick time span of 12 months. In a first-of-its-kind project in the country, ABM consolidated its operations across multiple locations spread across India, with all units going live simultaneously.

Audit Firm: MSD & Co LLP

We are MSD & Co LLP ("Firm"), a professional firm since 1995, providing services like Information System Audit ("IS Audit"), Statutory Audit, Internal Audit, Tax Audit, Consultancy for Project Finance and other related services.

In our Firm we have 23 qualified chartered accountants and 46 semi-qualified chartered accountants. Of the 23 CAs, 9 are CISA/DISA qualified. Our firm has been providing IS Audit services for the last 10 years, and we have in total 3 groups (each group having 3 CAs with CISA/DISA and 4 semi-qualified), headed by the following team leaders.

Team leader qualifications and experience:
• CA, CWA, CS, DISA, CISA: 10 years of experience in IS Audit, ERP Audit and Central Bank Audit
• CA, DISA, CISA, FAFD, FRM: 15 years of experience in IS Audit, ERP Audit and Forensic Audit
• CA, DISA, CISA, CS: 9 years of experience in IS Audit and other regular Statutory Audits

The primary objective of the assignment is to conduct an Information Systems Audit of the SAP implementation and to develop related IS Audit checklists for future use, through external consultants, using globally recognised IS Audit standards and best practices. The IS audit of SAP would be with the objective of providing comfort on the adequacy and appropriateness of controls and mitigating any operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking with the globally recognised best IT practices of the COBIT framework. The initial assignment could primarily focus on the identified areas of the SAP implementation.

3. Auditee Environment

ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While the Information Systems Audit to be done covers both the audit of the ERP system and a review of its implementation, the IS Audit is expected to be in compliance with the IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subject to the applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM Limited. Further, the IS Auditors are expected to develop an IS Audit checklist for future use.

5. Situation

Business model: ABM Limited's business is equipment manufacturing for use in
• Mining & Construction;
• Defence; and
• Rail & Metro.
• Technology Division
• International Business Division
• The Production Division has 4 manufacturing locations
• Each location has two manufacturing units
• There are 500 SAP users in all.

Problem: ABM Limited has, for the first time, integrated all its business units located in different areas of India by adopting SAP ERP. It may face the following problems:
• Integrating all the existing data and applications into the new SAP ERP may lead to loss of data
• It requires selection and placement of technical staff
• Operations at each location may differ from operations at other locations

As data and services will now be provided by the SAP ERP system, there are many control factors that need to be addressed: authorised access, data storage, segregation of duties, migration of data, maintenance of the central server, AMC contracts, etc.

6. Terms and Scope of assignment

MSD & Co LLP ("Firm") has been appointed to conduct an Information Systems Audit of the SAP implementation and to develop related IS Audit checklists. The IS audit of SAP would be with the objective of providing comfort on the adequacy and appropriateness of controls and mitigating any operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking with the globally recognised best IT practices of the COBIT framework. These terms of reference are based on the preliminary discussion the assignment team had with the ABM team and are subject to further modification as required. Broadly, the scope of review is primarily from a security/controls perspective and would involve:
• Access vulnerabilities of the SAP implementation to attacks from within and outside, and suggesting appropriate countermeasures to safeguard against unauthorised use, disclosure or modification, damage or loss
• Reviewing the processes relating to granting access to systems, verifying the logical access controls and assessing whether the specified roles and responsibilities are aligned with the business, to safeguard against unauthorised use, disclosure or modification, damage or loss
• Assessing that audit trails exist for ensuring effective monitoring of the mission-critical systems and processes
• Assessing the internal control framework in respect of the specified SAP application, reviewing parameter settings and configuration management, and suggesting improvements so as to ensure that data remains complete, accurate and valid during its input, update and storage
• Evaluating data collection, analysis and reporting on resource performance, application sizing and workload demand, so as to ensure that adequate capacity is available
• Assessing and evaluating the management system relating to all changes requested and made to the existing production systems, so as to minimise the likelihood of disruption, unauthorised alterations and errors

Review of IT Resources as relevant:
• Operating software: access controls
• Telecommunications software: access controls
• RDBMS database: access controls
• SAP (major focus area): configuration of parameters and access controls
• Application controls at various stages such as input, processing, output, storage, retrieval and transmission, so as to ensure confidentiality, integrity and availability of data
• Organisation structure, policies, procedures and practices as mapped in the information systems
• Review of policies, procedures and practices as relevant to the areas of audit
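The role-alignment and segregation-of-duties review in the scope above can be executed against a user/role extract rather than by reading role names, as in this added example. It is not code from the report or from SAP (SAP GRC performs this at scale); the Z_ role names, their transaction-code contents, the business functions, the conflict pairs and the users are constructed for the illustration, while the T-codes themselves are standard SAP transactions.

```python
"""Segregation-of-duties (SoD) conflict check over SAP-style role assignments.

Added example; it is not part of the original report and not an SAP tool.
Role names starting with Z_, the transaction codes assigned to them, the
business functions, the conflict pairs and the users are constructed for
this illustration; the T-codes themselves are standard SAP transactions.
"""

# Role -> transaction codes granted (constructed roles; standard T-codes)
ROLES = {
    "Z_VENDOR_MAINT": {"XK01", "XK02"},           # create / change vendor master
    "Z_AP_INVOICE":   {"MIRO", "FB60"},           # enter vendor invoices
    "Z_AP_PAYMENT":   {"F110", "F-53"},           # run / post outgoing payments
    "Z_PO_CREATE":    {"ME21N", "ME22N"},         # create / change purchase orders
    "Z_GR_POST":      {"MIGO"},                   # post goods receipt
    "Z_DISPLAY_ONLY": {"XK03", "ME23N", "FB03"},  # display-only transactions
}

# Business functions, each defined by the T-codes that can perform it.
FUNCTIONS = {
    "maintain_vendor":    {"XK01", "XK02"},
    "enter_invoice":      {"MIRO", "FB60"},
    "post_payment":       {"F110", "F-53"},
    "create_po":          {"ME21N", "ME22N"},
    "post_goods_receipt": {"MIGO"},
}

# Conflict matrix: pairs of functions one person must not be able to perform.
CONFLICTS = [
    ("maintain_vendor", "post_payment"),        # set up a vendor, then pay it
    ("maintain_vendor", "enter_invoice"),
    ("enter_invoice", "post_payment"),
    ("create_po", "post_goods_receipt"),        # order goods, then confirm their receipt
]


def effective_tcodes(user_roles, roles=ROLES):
    """Union of the T-codes reachable through every role assigned to the user."""
    tcodes = set()
    for role in user_roles:
        tcodes |= roles.get(role, set())
    return tcodes


def functions_held(tcodes, functions=FUNCTIONS):
    """Functions the user can perform; one executable T-code of a function is enough."""
    return {name for name, codes in functions.items() if codes & tcodes}


def sod_violations(user_roles, roles=ROLES, functions=FUNCTIONS, conflicts=CONFLICTS):
    """Conflicting function pairs a user holds, evaluated on the combined T-code set
    so that conflicts spread across several individually harmless roles are caught."""
    held = functions_held(effective_tcodes(user_roles, roles), functions)
    return sorted((a, b) for a, b in conflicts if a in held and b in held)


def review_users(assignments):
    """user -> list of violations, for a user/role assignment extract."""
    return {user: sod_violations(roles) for user, roles in assignments.items()}


# Constructed user/role extract (the kind of data pulled from table AGR_USERS)
ASSIGNMENTS = {
    "AUDITOR1": ["Z_DISPLAY_ONLY"],
    "APCLERK1": ["Z_AP_INVOICE"],
    "APCLERK2": ["Z_VENDOR_MAINT", "Z_AP_PAYMENT"],
    "BUYER1":   ["Z_PO_CREATE", "Z_GR_POST"],
}

if __name__ == "__main__":
    for user, violations in review_users(ASSIGNMENTS).items():
        print(user, "->", violations or "no SoD conflict")
```

The check is done on the union of transaction codes, not on role names: two roles that are each acceptable on their own (vendor maintenance, payment run) create the conflict only when one user holds both, which is exactly the case a role-by-role review misses. On a real system the same logic would be fed from the user-to-role and role-to-transaction tables and the conflict matrix agreed with the process owners.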

7. Logistic arrangements required

The IS Auditor requires the following tools for the audit:
a) Hardware:
1) Windows-based systems, PDAs and laptops.
2) Printers and other printing devices.
3) Scanners.
4) Storage media.
b) System software: System software will be selected according to the client's IT environment, so here the auditor has to select the system software according to the IT environment in ABM Ltd. The auditor should use original, licensed versions of system software, because this maintains the authenticity of the data.
c) CAAT tools:
1) Audit software:
a) IDEA audit software for data extraction
b) Software used at the client site, etc.
c) Analyzer (Arbutus Software)
d) Pivot tables for sampling
e) Benford's Law
f) Frequency analysis
g) Audit log
d) Test data:
a) Using the test pack technique
b) Using an Integrated Test Facility
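The Benford's Law and frequency analysis items above are the CAAT tests an auditor would run over the posting data extracted from SAP. The following added example implements the first-digit test; it is not code from the report nor the IDEA/Arbutus implementation. Both data sets are constructed: a log-uniform population (which conforms to Benford's Law by construction) and the same population with 500 repeated round amounts added, representing postings kept just under an assumed approval limit.

```python
"""Benford's Law first-digit test over a population of posting amounts.

Added example, not from the original report and not the IDEA/Arbutus
implementation. Both data sets are constructed: a log-uniform population
(which conforms to Benford's Law by construction) and the same population
with a block of repeated round amounts added, to show how the test reacts.
"""
import math


def benford_expected():
    """Expected share of each leading digit 1..9: log10(1 + 1/d)."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of a non-zero amount (sign and magnitude ignored)."""
    return int(f"{abs(amount):.10e}"[0])   # scientific notation puts the leading digit first


def first_digit_counts(amounts):
    counts = {d: 0 for d in range(1, 10)}
    for a in amounts:
        if a:                                # zero has no leading digit
            counts[leading_digit(a)] += 1
    return counts


def benford_test(amounts):
    """Per-digit (digit, count, observed share, expected share) and the chi-square statistic."""
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    expected = benford_expected()
    rows, chi2 = [], 0.0
    for d in range(1, 10):
        exp_n = expected[d] * n
        chi2 += (counts[d] - exp_n) ** 2 / exp_n
        rows.append((d, counts[d], round(counts[d] / n, 4), round(expected[d], 4)))
    return {"n": n, "rows": rows, "chi2": round(chi2, 2)}


CHI2_CRIT_8DF_005 = 15.507   # chi-square critical value, 8 degrees of freedom, alpha = 0.05


def flags_anomaly(result):
    """True when the first-digit distribution differs significantly from Benford's Law."""
    return result["chi2"] > CHI2_CRIT_8DF_005


def make_samples():
    """Constructed data: 3000 amounts spread evenly in log space over four orders of
    magnitude (10.00 .. 100000.00), and the same set plus 500 repeated round amounts
    just under an assumed approval limit."""
    genuine = [round(10 ** (1 + 4 * k / 3000), 2) for k in range(3000)]
    padded = genuine + [4990.00] * 300 + [9990.00] * 200
    return genuine, padded


if __name__ == "__main__":
    for label, data in zip(("genuine", "padded"), make_samples()):
        r = benford_test(data)
        print(label, "n =", r["n"], "chi2 =", r["chi2"], "anomalous:", flags_anomaly(r))
        for d, cnt, obs, exp in r["rows"]:
            print(f"  digit {d}: {cnt:5d}  observed {obs:.4f}  expected {exp:.4f}")
```

The test is only meaningful for amounts that arise naturally and span several orders of magnitude (vendor invoices, journal postings); it does not apply to assigned numbers such as document numbers or fixed price lists. A significant deviation is a lead, not a finding: the next step is the frequency analysis of the over-represented digit to find the repeated amounts, users and vendors behind it.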

8. Methodology and Strategy adapted for execution of assignment

One of the main challenges faced by companies that have implemented SAP ERP (or any ERP) is getting a clear understanding of the current ERP system: two or three years after implementation, what is the status of the system? The main areas of focus will be:
• Whether all the management controls are working fine
• Whether all the postings are being done as per accounting standards
• Whether proper documentation is being maintained
• Whether critical business-related activities are done accurately, etc.

SAP has provided a very powerful framework in the standard ERP package for conducting audits, evaluating them and taking corrective action. The user should have answers to the following questions before starting the audit procedure:
1. Kind of audit to be conducted (technical or functional)
2. Number of questions for the audit
3. Structure of the list of questions (question drill-down level)
4. Valuation type of the questions
5. Question priorities
6. What kind of audit controls are to be implemented
7. Audit purpose
8. Audit type
9. Kind of rating for the questions

A lot of practical difficulties arise in doing an ERP post-implementation audit. The main challenge is to frame the right set of questions and to obtain answers for them. From our experience and research, we have prepared a question list of more than 500 questions from both the functional and the technical side, which drills down to the minutest level, providing all the data required for the audit.

First we need to make a few configuration changes to tune the audit as per our requirement. Execute transaction SPRO → SAP Reference IMG → Cross-Application Components → Audit Management. Audit Management is divided into four categories.

Figure 1.0

For setting the structure of the question list:

Figure 2.0 Create the kind of question profile required. We have created "Part - Sub Part - Element - Sub Element - Sub Question" for the audit purpose.

Figure 3.0 Once the question profile is created, you have to create the drill-down levels for the profile. Below is a pictorial representation of the drill-down levels for the questions we created.

Figure 5.0 Similarly you can create drill-down levels according to your requirement. After defining the question hierarchy you have to specify the valuation specification and the scores to be awarded for each value.

Figure 6.0 We have created valuation 8003, "Valuation of PRD system". Select the created valuation profile and double-click the "Valuation" icon on the right side. There we need to set the details of the valuation and the scores we intend to award for each value.

Figure 7.0 After the valuation profile is entered, enter the question priority.

The audit control / audit definition requirements have to be configured.

Figure 9.0 Now all the configuration related to conducting the audit has been done. The following are the main objects used for the audit:
1) Audit Plan: The audit plan consists of all audits planned for a particular period of time. For example, all audits that are to be executed in the space of one year are defined in an annual audit plan. There is always only one current version of an audit plan, where all date shifts and the degree of completion for the individual audits can be found.
2) Audit: An audit, according to DIN EN ISO 9000, is a systematic, independent and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of the audit have been fulfilled.
3) Question List: Question lists are multilingual collections of questions that are answered during the execution of the audit. The allowed valuation can be planned for each hierarchy level.
4) Corrective Actions: These are actions that are deemed necessary to eliminate the cause of errors that were determined during the audit and to prevent the recurrence of these errors. The corrective actions to be executed must be appropriate to the effects that the particular error has on the product.
5) Preventive Actions: These are actions that are deemed necessary to eliminate the causes of possible errors before they occur. The preventive actions to be executed must be appropriate to the effects that the possible error could have on the product.

Execute transaction PLMD_AUDIT and first create the question list required for the audit with the newly configured components.

Figure 10.0 For example purposes we have created questions up to 15 drill-down levels.

Figure 11.0 One real scenario from our audit question list.

Figure 12.0 Once the question list has been created, you have to release it.

Figure 14.0 Once the question list is attached to the audit, we need to evaluate the questions. Evaluation will be based on the configuration done in SPRO.

Evaluation: Execute transaction PLM_AUDITMONITOR. Select the required fields and execute. Select the required audit. Click on the Overview button. Click the Validate button for valuation.

Figure 16.0 The main success factor for any audit depends on the questions used for the audit. A few of the topics under which we have prepared the question list are given below.

The main topics are:
• System Overview
• Security & Access Protection
• Workbench Organizer
• Transport System
• Accessing and Logging DB Tables
• Job Request Procedure
• Documentation
• System Logs
• Batch Input Interface
• Master Data Changes
• Reconciling Posting Data
• Closing
• Invoice Checking and Posting Run
• Business Process Auditing
• BASIS Audit
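The evaluation steps above rely on three things configured in SPRO: the question hierarchy (Part / Sub-part / Element / question), the valuation profile with a score per value, and the question priorities. The following added example shows how such a hierarchy rolls up into a degree of fulfilment per level. It is not SAP code and not from the report, and it does not reproduce SAP Audit Management's own calculation: the scoring rule (priority-weighted share of the maximum attainable score, with unanswered questions left out of both numerator and denominator), the valuation values and the sample questions are assumptions made for the illustration.

```python
"""Scoring a hierarchical audit question list (Part / Sub-part / Element / question).

Added example: not SAP code and not from the original report. The scoring rule,
the valuation profile values and the sample questions below are assumptions
made for the illustration; SAP Audit Management's own roll-up is not reproduced.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed valuation profile: valuation code -> points awarded.
VALUATION = {"FULL": 10, "PARTIAL": 5, "NONE": 0}
MAX_POINTS = max(VALUATION.values())


@dataclass
class Question:
    text: str
    priority: int                     # 1 (low) .. 3 (high): weight in the roll-up
    valuation: Optional[str] = None   # key of VALUATION; None = not yet answered


@dataclass
class Node:
    """One level of the drill-down (Part, Sub-part, Element ...)."""
    name: str
    children: List["Node"] = field(default_factory=list)
    questions: List[Question] = field(default_factory=list)

    def totals(self):
        """(achieved points, attainable points) over all answered questions below this node."""
        achieved = attainable = 0
        for q in self.questions:
            if q.valuation is None:          # unanswered: excluded on both sides
                continue
            achieved += q.priority * VALUATION[q.valuation]
            attainable += q.priority * MAX_POINTS
        for child in self.children:
            a, m = child.totals()
            achieved += a
            attainable += m
        return achieved, attainable

    def degree_of_fulfilment(self):
        """Percentage score for the subtree; None when nothing below has been answered."""
        achieved, attainable = self.totals()
        return None if attainable == 0 else round(100.0 * achieved / attainable, 1)

    def report(self, depth=0):
        """Indented text lines, one per node, with its score."""
        lines = [f"{'  ' * depth}{self.name}: {self.degree_of_fulfilment()}"]
        for child in self.children:
            lines.extend(child.report(depth + 1))
        return lines


def build_sample():
    """Constructed question list for one Part of the 'Security & Access Protection' topic."""
    logon = Node("Element: Logon controls", questions=[
        Question("User ID suspended after 5 unsuccessful log-on attempts?", 3, "FULL"),
        Question("Initial password change enforced on first use?", 2, "PARTIAL"),
        Question("Number of concurrent sessions per user limited?", 1, "NONE"),
    ])
    roles = Node("Element: Roles and profiles", questions=[
        Question("Profiles represent least access as required?", 3, "PARTIAL"),
        Question("Profiles re-accredited by management regularly?", 2, None),
    ])
    return Node("Part: Security & Access Protection",
                children=[Node("Sub-part: Logical access", children=[logon, roles])])


if __name__ == "__main__":
    print("\n".join(build_sample().report()))
```

Two design points carry over to the real tool: a high-priority question that is rated NONE drags the score of every level above it, which is the reason for setting priorities before the audit starts; and an unanswered question must not count as a pass, so it is excluded from the attainable points rather than scored as zero.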

Once the audit question list is created / uploaded to SAP, the user must create a sample checklist to be submitted to the client. The checklist should contain:
• all the documents the client has to submit
• all the questions the client has to answer

Every company should run the audit at least twice a year to ensure that the system is working correctly and that no manipulations have been done, and to ensure full management control over the system and thereby over the employees.

9. Documents reviewed

The following are reviewed:
• Policies: the management guidelines, which should be approved by top management and reviewed at least once each year.
• Procedures: the detailed documents based on the policies set by top management. Procedures contain the detailed information about the process. All procedures should be approved by management and reviewed at least once each year.
• Flowcharts: a picture is worth a thousand words when it comes to understanding the interaction of the various processes, and how the transaction flow has dependencies and branches that run in various directions.
• Audit logs and screenshots: every organisation implements monitoring controls over its processes and preserves evidence of them in the form of system screenshots and system logs. This gives added confidence to the Information System Auditor about the monitoring controls established by management.
• Security policies related to IT operations.
• Existing cost sheets related to IT operations.
• SAP implementation documentation, including a review of the error logs noted and corrected during the implementation of SAP ERP.

Reference material:
• ISO 27001/27002
• COBIT 5
• WWW.ISACA.ORG
• WWW.CISCO.COM
• WWW.BUSINESSOFGOVERNMENT.COM
• DISA 2.0 course background material
• WWW.BOOZ.COM

10. Deliverables

Once SAP is implemented, the auditor can rely on the following checklist for monitoring the implementation objectives, security controls and future changes, if any. In the working checklist each item carries a Response column (Yes / No / EXP) and a Reference column for the evidence examined; those columns are omitted from the listing below.

Whether a methodology for prioritising system change requests from users exists and is in use?

Whether emergency change procedures are addressed in operations manuals?

Whether change control is a formal procedure for both user and development groups?

Whether the change control log ensures that all changes shown were resolved?

Whether users are satisfied with the turnaround of change requests (timeliness and cost)?

Whether, for a selection of changes on the change control log:
• the change resulted in programme and operations documentation changes
• changes were made as documented
• current documentation reflects the changed environment

Whether the change process is being monitored for improvements in acknowledgment, response time, response effectiveness and user satisfaction with the process?

Whether maintenance of the Private Branch Exchange (PBX) system is included in the change control procedures?

Whether a service level agreement process is identified by policy?

Whether user participation in the process is required for creation and modification of agreements?

Whether the responsibilities of users and providers are defined?

Whether management monitors and reports on the achievement of the specified service performance criteria and all problems encountered?

Whether a regular review process by management exists?

Whether a recourse process is identified for non-performance?

Whether service level agreements include, but are not limited to:
• definition of service
• cost of service
• quantifiable minimum service level
• level of support from the IT function
• availability, reliability, capacity for growth
• continuity planning
• security requirements
• change procedure for any portion of the agreement
• written and formally approved agreement between provider and user of the service
• effective period and new-period review/renewal/non-renewal
• content and frequency of performance reporting and payment for services
• charges that are realistic compared to history, industry and best practices, and the calculation basis for charges
• service improvement commitment

Whether IT policies and procedures relating to third-party relationships exist and are consistent with the organisation's general policies?

Whether policies exist specifically addressing the need for contracts, the definition of contract content, and the owner or relationship manager responsible for ensuring contracts are created, maintained, monitored and renegotiated as required?

Whether interfaces are defined to independent agents involved in the conduct of the project and any other parties, such as subcontractors?

Whether contracts represent a full and complete record of third-party supplier relationships?

Whether contracts are established specifically for continuity of services, and whether these contracts include contingency planning by the vendor to ensure continuous service to the user of the services?

Whether contract contents include at least the following:
• formal management and legal approval
• legal entity providing the services
• services provided
• service level agreements, both qualitative and quantitative
• cost of services and frequency of payment for services
• problem resolution process
• penalties for non-performance
• dissolution process
• modification process
• reporting of service: content, frequency and distribution
• roles of the contracting parties during the life of the contract
• continuity assurances that services will be provided by the vendor
• communication process and frequency between the user of services and the provider
• duration of contract
• level of access provided to the vendor
• security requirements
• non-disclosure guarantees
• right to access and right to audit

Whether escrow agreements have been negotiated where appropriate?

Whether potential third parties are properly qualified through an assessment of their capability to deliver the required service (due diligence)?

Whether time frames and levels of service are defined for all services provided by the IT function?

Whether time frames and service levels reflect user requirements?

Whether time frames and service levels are consistent with the performance capabilities of the equipment?

Whether an availability plan exists, is current and reflects user requirements?

Whether ongoing performance monitoring of all equipment and capacity is occurring and reported upon, lack of performance is addressed by management, and performance improvement opportunities are formally addressed?

Whether optimal configuration performance is being monitored with modelling tools, to maximise performance while minimising capacity to the required levels?

Whether both users and operational performance groups are proactively reviewing capacity and performance, and workload schedule modifications are occurring?

Whether workload forecasting includes input from users on changing demands and from suppliers on new technology or current product enhancements?

Whether organisational policies require a continuity framework and plan to be part of normal operational requirements for both the IT function and all organisations dependent on IT resources?

Whether IT policies and procedures require:
• a consistent philosophy and framework for continuity plan development
• a prioritisation of applications with respect to timeliness of recovery and return
• risk assessment and insurance consideration for loss of business in continuity situations, for the IT function as well as for users of resources
• an outline of specific roles and responsibilities with respect to continuity planning, with specific test, maintenance and update requirements
• formal contract arrangements with vendors to provide services in the event of a need to recover, including a back-up site facility or relationship, in advance of actual need
• in each continuity plan, minimum content to include:
  • emergency procedures to ensure the safety of all affected staff members
  • roles and responsibilities of the IT function, vendors providing recovery services, users of services and support administrative personnel
  • a recovery framework consistent with the long-range plan for continuity
  • a listing of system resources requiring alternatives (hardware, peripherals, software)
  • a listing of applications from highest to lowest priority, with required recovery times and expected performance norms
  • administrative functions for communicating and providing support services such as benefits, payroll, external communications, cost tracking, etc., in the event of a need to recover
  • specific equipment and supply needs identified (high-speed printers, signatures, forms, communications equipment, telephones, etc.), with a source and an alternative source defined
  • various recovery scenarios, from minor to loss of total capability, and the response to each in sufficient detail for step-by-step execution
  • training and awareness of individual and group roles in the continuity plan
  • testing schedule, results of the last test and corrective actions taken based on prior test(s)
  • itemisation of contracted service providers, services and response expectations
  • logistical information on the location of key resources, including the back-up site for recovery: operating system, applications, data files, operating manuals and programme/system/user documentation
  • current names, addresses and telephone/pager numbers of key personnel
  • reconstruction plans for re-recovery of all system resources at the original location
  • business resumption alternatives for users, for establishing alternative work locations once resources are available (i.e., the system is recovered at an alternative site but the user building is burned to the ground and unavailable)

Whether all regulatory agency requirements with respect to continuity planning are met?

Whether user and IT continuity plans are based on the unavailability of physical resources for performing critical processing, both manual and computerised?

Whether the telephone system, VoiceMail, fax and image systems are part of the continuity plan?

Whether image systems, fax systems and paper documents, as well as microfilm and mass storage media, are part of the continuity plan?

Whether a strategic security plan is in place providing centralised direction and control over information system security, along with user security requirements, for consistency?

Whether a centralised security organisation is in place, responsible for ensuring only appropriate access to system resources?

Whether a data classification scheme is in place and being used, and all system resources have an owner responsible for security and content?

Whether user security profiles are in place representing "least access as required", and profiles are regularly reviewed by management for re-accreditation?

Whether employee indoctrination includes security awareness, ownership responsibility and virus protection requirements?

Whether reporting exists for security breaches and formal problem resolution procedures are in place, and these reports include:
• unauthorised attempts to access the system (sign-on)
• unauthorised attempts to access system resources
• unauthorised attempts to view or change security definitions and rules
• resource access privileges by user ID
• authorised security definition and rule changes
• authorised access to resources (selected by user or resource)
• status changes of the system security
• accesses to operating system security parameter tables

Whether cryptographic modules and key maintenance procedures exist, are administered centrally and are used for all external access and transmission activity?

Whether cryptographic key management standards exist for both centralised and user activity?

Whether change control over security software is formal and consistent with normal standards of system development and maintenance?

Whether the authentication mechanisms in use provide one or more of the following features:
• single use of authentication data (e.g., passwords are never re-usable)
• multiple authentication (i.e., two or more different authentication mechanisms are used)
• policy-based authentication (i.e., the ability to specify separate authentication procedures for specific events)
• on-demand authentication (i.e., the ability to re-authenticate the user at times after the initial authentication)

Whether the number of concurrent sessions belonging to the same user is limited?

Whether, at log-on, an advisory warning message is shown to users regarding the appropriate use of the hardware, software or connection logged on to?

Whether a warning screen is displayed before log-on is completed, informing the reader that unauthorised access may result in prosecution?

Whether, upon successful session establishment, a history of successful and unsuccessful attempts to access the user's account is displayed to the user?

Whether the password policy includes:
• an enforced initial password change on first use
• an appropriate minimum password length
• an appropriate and enforced frequency of password changes
• password checking against a list of disallowed values (e.g., dictionary checking)
• adequate protection of emergency passwords

Whether formal problem resolution procedures include:
• the user ID is suspended after 5 repeated unsuccessful log-on attempts
• the date and time of last access and the number of unsuccessful attempts are displayed to the authorised user at log-on
• authentication time is limited to 5 minutes, after which the session is terminated
• the user is informed of the suspension, but not of the reason for it
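The two checklist items above (reports of unauthorised sign-on attempts, and suspension of the user ID after 5 unsuccessful log-on attempts) are best tested by reading the system's own log rather than by asking. The following added example does that over Security Audit Log style records; it is not code from the report or from SAP. The log lines are constructed and the pipe-separated layout is an assumption (SM20 exports vary), while the message IDs are the real Security Audit Log classes AU1 (logon successful), AU2 (logon failed) and AUM (user locked after erroneous password checks). The 10-minute window is also an assumption.

```python
"""Failed log-on analysis over Security Audit Log style records.

Added example, not part of the original report. The log lines are constructed and
the pipe-separated layout is an assumption (SM20 exports vary); the message IDs are
the real Security Audit Log classes AU1 (logon successful), AU2 (logon failed) and
AUM (user locked after erroneous password checks).
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOCK_THRESHOLD = 5               # checklist item: user ID suspended after 5 failed log-ons
WINDOW = timedelta(minutes=10)   # assumed window within which failures are counted together

# Constructed sample: "date time|client|user|terminal|message ID|text"
SAMPLE_LOG = """\
2018-01-15 09:01:10|100|ACLERK1|WS0101|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:01:25|100|ACLERK1|WS0101|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:02:02|100|ACLERK1|WS0101|AU1|Logon successful (type=A)
2018-01-15 09:05:00|100|PAYADMIN|WS0220|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:05:05|100|PAYADMIN|WS0220|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:05:09|100|PAYADMIN|WS0220|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:05:14|100|PAYADMIN|WS0220|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:05:20|100|PAYADMIN|WS0220|AU2|Logon failed (reason=1, type=A)
2018-01-15 09:05:20|100|PAYADMIN|WS0220|AUM|User PAYADMIN locked in client 100 after erroneous password checks
2018-01-15 11:40:00|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:07|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:15|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:21|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:30|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:38|100|FIPOST2|WS0305|AU2|Logon failed (reason=1, type=A)
2018-01-15 11:40:50|100|FIPOST2|WS0305|AU1|Logon successful (type=A)
2018-01-15 13:10:00|100|BASISADM|WS0007|AU2|Logon failed (reason=1, type=A)
2018-01-15 13:10:04|100|BASISADM|WS0007|AU2|Logon failed (reason=1, type=A)
2018-01-15 13:10:09|100|BASISADM|WS0007|AU2|Logon failed (reason=1, type=A)
2018-01-15 13:10:15|100|BASISADM|WS0007|AU2|Logon failed (reason=1, type=A)
2018-01-15 13:10:22|100|BASISADM|WS0007|AU2|Logon failed (reason=1, type=A)
"""


def parse(text):
    """Parse the constructed export into dicts, oldest first (stable for equal timestamps)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, user, terminal, msg, desc = line.split("|", 5)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "client": client,
                       "user": user, "terminal": terminal, "msg": msg, "desc": desc})
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, threshold=LOCK_THRESHOLD, window=WINDOW):
    """Findings per (client, user): failure streaks that should have locked the ID but did not."""
    findings = defaultdict(list)
    pending = defaultdict(list)  # (client, user) -> timestamps of recent failures
    for e in events:
        key = (e["client"], e["user"])
        fails = pending[key]
        if e["msg"] == "AU2":
            fails[:] = [t for t in fails if e["ts"] - t <= window]   # drop failures outside the window
            fails.append(e["ts"])
        elif e["msg"] == "AUM":
            fails.clear()               # lock recorded: the control fired as the checklist expects
        elif e["msg"] == "AU1":
            if len(fails) >= threshold:
                findings[key].append(("HIGH", f"successful logon after {len(fails)} failures and no lock event"))
            elif fails:
                findings[key].append(("INFO", f"successful logon after {len(fails)} failures"))
            fails.clear()
    for key, fails in pending.items():   # streaks still open at the end of the extract
        if len(fails) >= threshold:
            findings[key].append(("HIGH", f"{len(fails)} failures within the window and no lock event"))
    return dict(findings)


if __name__ == "__main__":
    for (client, user), items in sorted(analyse(parse(SAMPLE_LOG)).items()):
        for severity, text in items:
            print(f"{severity:4} client {client} user {user}: {text}")
```

On the sample, PAYADMIN produces no finding because the AUM lock follows the fifth failure, FIPOST2 is a HIGH finding because a sixth failure and then a successful logon were recorded with no lock, and BASISADM is a HIGH finding because five failures are still open without a lock. On a real system the threshold to compare against is the value of profile parameter login/fails_to_user_lock, and the parser must be adapted to the actual SM20 export layout.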

Whether dial in procedures include dial-back or token based authentication, frequent changes of dialup numbers, software and hardware firewalls to restrict access to assets and frequent changes of passwords and deactivation of former employees' EXP Reference: passwords? Whether location control methods are used to apply additional restrictions at specific locations? EXP Reference:

Whether access to the VoiceMail service and the PBX system are controlled with the same physical and logical controls as for computer systems? EXP Reference:

Enforcement of sensitive position policies occurs, including: • employees in sensitive job positions are required to be away from the organisation for an appropriate period of time every calendar year; during this time their user ID is suspended; and persons replacing the employee are instructed to notify management if any security-related abnormalities are noted • unannounced rotation of personnel in EXPinvolved Reference: sensitive activities is performed from time to timesecurity-related hardware and software, Whether such as cryptographic modules, are protected against tampering or disclosure, and access is limited to a "need to know" basis? EXP Reference:

Whether access to security data such as security management, sensitive transaction data, passwords and cryptographic keys is limited to a need-to-know basis?

Whether trusted paths are used to transmit non-encrypted sensitive information?

Whether, to prevent denial of service due to an attack with junk faxes, protective measures are taken such as:
• limiting the disclosure of fax numbers outside the organisation to a "need-to-know" basis
• fax lines used for solicitation of business are not used for other purposes

Response No EXP

Whether preventive and detective control measures have been established by management with respect to computer viruses?

Whether, to enforce integrity of electronic value, measures are taken such as:
• card reader facilities are protected against destruction, disclosure or modification of the card information
• card information (PIN and other information) is protected against insider disclosure
• counterfeiting of cards is prevented

Whether, to enforce protection of security features, measures are taken such as:
• the identification and authentication process is required to be repeated after a specified period of inactivity
• a one-button lock-up system, a force button or a shut-off sequence can be activated when the terminal is left alone

Whether the IT function has a group responsible for reporting and issuing chargeback bills to users?

Whether procedures are in place that:
• develop a yearly development and maintenance plan with user identification of priorities for development, maintenance and operational expenses
• allow for a very high level of user determination of where IT resources are spent
• generate a yearly IT budget including:
  - compliance to organisational requirements in budget preparation
  - consistency with what costs are to be allocated by the user departments
  - communication of historical costs and of assumptions for new costs, so that users understand what costs are included in chargeback
  - user sign-off on all budget costs to be allocated by the IT function
  - frequency of reporting and actual charging of costs to users
• track allocated costs of all IT resources, including but not limited to:
  - operational hardware
  - peripheral equipment
  - telecommunications usage
  - applications development and support
  - administrative overhead
  - external vendor service costs
  - help desk
  - facilities and maintenance
  - direct/indirect costs
  - fixed and variable expenses
  - sunk and discretionary costs
• report to users on performance for the various cost categories
• report to users on external benchmarks regarding cost effectiveness, so as to allow comparison to industry expectations or user alternative sourcing for services
• formally approve and accept charges as received
• provide for regular and timely modification to cost allocations to reflect changing business needs
• identify IT improvement opportunities to reduce chargebacks or get greater value for chargebacks

Whether reports provide assurance that chargeable items are identifiable, measurable and predictable?

Whether reports capture and highlight changes in the underlying cost components or allocation algorithm?

Whether policies and procedures relating to ongoing security and controls awareness exist?

Whether there is an education/training programme focusing on information systems security and control principles?

Whether new employees are made aware of security and control responsibility with respect to using and having custody of IT resources?

Whether there are policies and procedures in effect relating to training, and whether they are current with respect to the technical configuration of IT resources?

Whether in-house training opportunities are available, and how frequently employees attend them?

Whether external technical training opportunities are available, and how frequently employees attend them?

Whether a training function is assessing the training needs of personnel with respect to security and controls, and translating those needs into in-house or external training opportunities?

Whether all employees are required to attend security and control awareness training on an ongoing basis that would include, but not be limited to:
• general system security principles
• ethical conduct related to IT
• security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner
• responsibilities associated with custody and use of IT resources
• security of information and information systems when used off-site

Whether security awareness training includes a policy on preventing the disclosure of sensitive information through conversations (e.g., by announcing the status of the information to all persons taking part in the conversation)?

Whether the nature of the help desk function (i.e., how requests for assistance are processed and assistance is provided) is effective?

Whether the facilities, divisions or departments actually performing the help desk function, and the individuals or positions responsible for the help desk, are identified?

Whether the level of documentation for help desk activities is adequate and current?


Whether an actual process for logging or registering requests for service, and for use of the logs, exists?

Whether the process for query escalation and management intervention for resolution is sufficient?

Whether the time frame for clearing queries received is adequate?

Whether procedures for tracking trends and reporting on help desk activities exist?

Whether performance improvement initiatives are formally identified and executed?

Whether service level agreements and performance standards are being met?

Whether the user satisfaction level is periodically determined and reported?

Whether the process for creating and controlling configuration baselines (the cut-off point in the design and development of a configuration item beyond which evolution does not occur without undergoing strict configuration control) is appropriate?

Whether functions for maintaining the configuration baseline exist?

Whether a process for controlling status accounting of purchased and leased resources, including inputs, outputs and integration with other processes, exists?

Whether configuration control procedures include:
• configuration baseline integrity
• programmed access authorisation controls over the change management system
• the recovery of configuration items and change requests at any point in time
• completion of configuration and reports assessing the adequacy of configuration recording procedures
• periodic evaluations of the configuration recording function
• individuals responsible for reviewing configuration control have the requisite knowledge, skills and abilities
• procedures exist for reviewing access to software baselines
• results of reviews are provided to management for corrective action

Whether periodic review of the configuration against inventory and accounting records is performed on a regular basis?

Whether the configuration baseline has sufficient history for tracking changes?

Whether software change control procedures exist for:
• establishing and maintaining a licensed application programme library
• ensuring the licensed application programme library is adequately controlled
• ensuring the reliability and integrity of the software inventory
• ensuring the reliability and integrity of the inventory of authorised software used, and checking for unauthorised software
• assigning responsibility for unauthorised software control to a specific staff member
• recording use of unauthorised software and reporting to management for corrective action
• determining whether management took corrective action on violations

Whether the process for migrating developmental applications into the testing environment and ultimately into production status interacts with configuration reporting?

Whether the software storage process includes:
• defining a secure file storage area (library) for all valid software in appropriate phases of the system development life cycle
• requiring that software storage libraries are separated from each other and from development, testing and production file storage areas
• requiring the existence, within source libraries, of a temporary location for source modules moving into the production cycle period
• requiring that each member of all libraries has an assigned owner
• defining logical and physical access controls
• establishing software accountability
• establishing an audit trail
• detecting, documenting and reporting to management all instances of non-compliance with this procedure
• determining whether management took corrective action

Whether library management software is used to:
• produce audit trails of program changes
• maintain program version numbers
• record and report program changes
• maintain creation/date information for production modules
• maintain copies of previous versions
• control concurrent updates

Whether coordination is occurring among applications development, quality assurance and operations with respect to updating the configuration baseline upon change?

Whether software is labelled and periodically inventoried?

Whether there is a problem management process that ensures all operational events which are not part of standard operations are recorded, analysed and resolved in a timely manner, and incident reports are generated for significant problems?

Whether problem management procedures exist for:
• defining and implementing a problem management system
• recording, analysing and resolving in a timely manner all non-standard events
• establishing incident reports for critical events and reporting to users
• identifying problem types and a prioritisation methodology allowing for varying resolution efforts based on risk
• defining logical and physical control of problem management information
• distributing outputs on a "need to know" basis
• tracking of problem trends to maximise resources and reduce turnaround
• collecting accurate, current, consistent and usable data inputs to reporting
• notifying the appropriate level of management for escalation and awareness
• determining if management periodically evaluates the problem management process for increased effectiveness and efficiency
• sufficiency of the audit trail for system problems
• integration with change, availability and configuration management systems and personnel

Whether emergency processing priorities exist, are documented and require approval by appropriate program and IT management?

Whether there are emergency and temporary access authorisation procedures which require:
• documentation of access on standard forms, maintained on file
• approval by appropriate managers
• secure communication to the security function
• automatic access termination after a predetermined period of time

For data preparation:
• data preparation procedures ensure completeness, accuracy and validity
• authorisation procedures for all source documents exist
• separation of duties between origination, approval and conversion of source documents into data is occurring
• authorised data remains complete, accurate and valid through source document origination
• data is transmitted in a timely manner
• periodic review of source documents for proper completion and approvals occurs
• appropriate handling of erroneous source documents
• adequate control over sensitive information on source documents exists, for protection from compromise
• procedures ensure completeness and accuracy of source documents, proper accounting for source documents and timely conversion
• source document retention is sufficiently long to allow reconstruction in the event of loss, and availability for review and audit, litigation inquiries or regulatory requirements

For data input:
• appropriate source document routing for approval prior to entry
• proper separation of duties among submission, approval, authorisation and data entry functions
• unique terminal or station codes and secure operator identification
• usage, maintenance and control of station codes and operator IDs
• audit trail to identify the source of input
• routine verification or edit checks of input data as close to the point of origination as possible
• appropriate handling of erroneously input data
• clearly assigned responsibility for enforcing proper authorisation over data

For data processing:

Whether programmes contain error prevention, detection and correction routines:
• programmes must test input for errors (i.e., validation and editing)
• programmes must validate all transactions against a master list of the same
• programmes must disallow override of error conditions

Whether error handling procedures include:
• correction and resubmission of errors must be approved
• individual responsibility for suspense files is defined
• suspense files generate reports for non-resolved errors
• a suspense file prioritisation scheme is available based on age and type

Whether logs of programmes executed and transactions processed/rejected exist for the audit trail?

Whether a control group exists for monitoring entry activity and investigating non-standard events, along with balancing of record counts and control totals for all data processed?

Whether all fields are edited appropriately, even if one field has an error?

Whether tables used in validation are reviewed on a frequent basis?

Whether written procedures exist for correcting and resubmitting data in error, including a non-disruptive solution to reprocessing?

Whether resubmitted transactions are processed exactly as originally processed?

Whether responsibility for error correction resides with the original submitting function?

Whether Artificial Intelligence systems are placed in an interactive control framework with human operators to ensure that vital decisions are approved?

For output, interfacing and distribution:
• Access to output is restricted physically and logically to authorised people
• Ongoing review of the need for outputs is occurring
• Output is routinely balanced to relevant control totals


• Audit trails exist to facilitate the tracing of transaction processing and the reconciliation of disrupted data
• Output report accuracy is reviewed and errors contained in output are controlled by cognisant personnel
• Clear definition of security issues during output, interfacing and distribution exists
• Security breaches during any phase are communicated to management, acted upon and reflected in new procedures as appropriate
• Process and responsibility for output disposal are clearly defined
• Destruction is witnessed of materials used but not needed after processing
• All input and output media are stored in an offsite location in the event of later need
• Information marked as deleted is changed in such a way that it can no longer be retrieved

For media library:
• Contents of the media library are systematically inventoried
• Discrepancies disclosed by the inventory are remedied in a timely manner
• Measures are taken to maintain the integrity of magnetic media stored in the library
• Housekeeping procedures exist to protect media library contents
• Responsibilities for media library management have been assigned to specific members of IT staff
• A media back-up and restoration strategy exists
• Media back-ups are taken in accordance with the defined back-up strategy, and the usability of back-ups is verified regularly
• Media are securely stored, and storage sites are periodically reviewed regarding physical access security and security of data files and other items
• Retention periods and storage terms are defined for documents, data, programmes, reports and messages (incoming and outgoing), as well as for the data (keys, certificates) used for their encryption and authentication
• In addition to the storage of paper source documents, telephone conversations are recorded and retained, if not in conflict with local privacy laws, for transactions or other activities that are part of the business activities traditionally conducted over telephones
• Adequate procedures are in place regarding the archival of information (data and programmes) in line with legal and business requirements and enforcing accountability and reproducibility

For information authentication and integrity:
• The integrity of the data files is checked periodically
• Requests received from outside the organisation, via telephone or VoiceMail, are verified by call-back or other means of authentication
• A prearranged method is used for independent verification of the authenticity of source and contents of transaction requests received via fax or image system
• Electronic signature or certification is used to verify the integrity and authenticity of incoming electronic documents

13. Conclusion/Recommendation

Recommendation # 1: Implement targeted security monitoring over ERP support staff access in the production environment.

Recommendation # 2: Perform a risk assessment/cost-benefit analysis over the access and system functions that pose the greatest risks, to determine which controls merit the associated expense of generating logs or using personnel's time to review them regularly. Automated review, such as the use of scripts to identify certain unauthorized or high-risk activity, should be used wherever possible to cut back on personnel time and log retention requirements.

Recommendation # 3: Critical controls should have an automated trigger or alert, such as an email generated from the use of a critical transaction and sent to the appropriate party for review.

Recommendation # 4: Risks, controls implemented/mitigated risk, method of implementation, and frequency of review should be documented in the monitoring portion of the SAP Security Policy.

Recommendation # 5: Documented reviews of monitoring controls should be performed at least semiannually over the implemented monitoring, to ensure that the monitoring defined through this exercise is adequate, effective and consistently in place.

Recommendation # 6: We recommend the security group clearly document technical roles within the SAP environments and enforce Segregation of Duties between technical roles wherever possible.

Recommendation # 7: Access for each ERP support department staff member should be restricted to only the access that user requires to perform their day-to-day functions.

Recommendation # 8: ERP support department staff access should be reviewed at defined regular intervals, on a semi-annual basis at a minimum.

Recommendation # 9: Additional access beyond standardized support staff roles must be approved by management external to the ERP support department, and should be provided through a monitored account such as a Firefighter account.

Recommendation # 10: Unmonitored generic accounts should not exist in the production (live financial) environment.

Recommendation # 11: Logs generated from monitored accounts (such as firefighter accounts) should be reviewed at defined points and signed off by the supervising manager when they are in use. Simple automation can be employed, such as automatically generating the log and sending it to the manager via email, whose reply can serve as an auditable electronic sign-off.

Recommendation # 12: Security logs should be stored in a location where the SAP IT teams do not have access to modify the logs.
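The automated review that Recommendations 2, 3, 11 and 14 call for, as an added example that is not part of the original report or of SAP: a script over a constructed audit-log extract that flags critical transactions, escalates a user editing their own account, and separates firefighter-account activity for the manager's sign-off. The CSV layout, the account names and the watchlist of transaction codes are assumptions for the example.

```python
"""Automated review of an ERP audit-log extract for critical-transaction use.

Added example for Recommendations 2, 3, 11 and 14; not code from the original
report or from SAP. The CSV layout, account names and watchlist are constructed.
"""
import csv
import io
from dataclasses import dataclass

# Assumed watchlist. The codes are real SAP transactions, but which ones count
# as critical is a choice ABM's risk assessment (Recommendation 2) has to make.
CRITICAL_TCODES = {
    "SU01": "user maintenance",
    "PFCG": "role maintenance",
    "SE16": "table browser",
}

# Constructed sample extract (not real log data): one row per transaction start.
SAMPLE_LOG = """timestamp,client,user,tcode,target
2018-01-15 09:02:11,100,BASIS01,SU01,JDOE
2018-01-15 09:05:40,100,FF_BASIS02,PFCG,Z_FIN_CLERK
2018-01-15 09:07:03,100,JDOE,VA01,
2018-01-15 09:10:52,100,BASIS01,SU01,BASIS01
2018-01-15 09:12:19,100,SUPPORT03,SE16,USR02
"""

@dataclass
class Alert:
    timestamp: str
    user: str
    tcode: str
    severity: str  # "info", "high" or "critical"
    reason: str

def review_log(extract: str, firefighter_prefix: str = "FF_") -> list[Alert]:
    """Flag every critical transaction. Use through a monitored firefighter
    account stays "info" so it lands in the log the manager signs off
    (Rec. 11); any other account is "high"; a user editing their own user
    master record is "critical" (Rec. 14)."""
    alerts = []
    for row in csv.DictReader(io.StringIO(extract)):
        tcode = row["tcode"]
        if tcode not in CRITICAL_TCODES:
            continue
        if row["user"].startswith(firefighter_prefix):
            severity, why = "info", "critical transaction via monitored firefighter account"
        else:
            severity, why = "high", "critical transaction from an unmonitored account"
        if tcode == "SU01" and row["target"] == row["user"]:
            severity, why = "critical", "user modified their own user master record"
        alerts.append(Alert(row["timestamp"], row["user"], tcode, severity,
                            f"{why} ({CRITICAL_TCODES[tcode]})"))
    return alerts

def alert_messages(alerts: list[Alert], minimum: str = "high") -> list[str]:
    """One-line messages for alerts at or above a severity: the body an
    automated trigger would email to the reviewer (Rec. 3)."""
    rank = {"info": 0, "high": 1, "critical": 2}
    return [f"[{a.severity.upper()}] {a.timestamp} {a.user} ran {a.tcode}: {a.reason}"
            for a in alerts if rank[a.severity] >= rank[minimum]]

def firefighter_signoff_report(alerts: list[Alert]) -> dict[str, list[str]]:
    """Firefighter-account activity grouped by account for the manager's sign-off."""
    report: dict[str, list[str]] = {}
    for a in alerts:
        if a.severity == "info":
            report.setdefault(a.user, []).append(f"{a.timestamp} {a.tcode}")
    return report

if __name__ == "__main__":
    found = review_log(SAMPLE_LOG)
    print("\n".join(alert_messages(found)))
    print(firefighter_signoff_report(found))
```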

Recommendation # 13: Ensure that production client authentication settings meet, and continue to meet, the standard authentication requirements defined in the Security Policy.

Recommendation # 14: Management should take precautions to ensure that no user can increase or modify their own access. If it is not feasible to limit this capability to the users required to provision access, controls such as monitoring those accounts' permissions for modifications using a standardized methodology should be implemented to mitigate this security risk.

Recommendation # 15: To mitigate the control weaknesses related to the vendor database, we have made the following recommendations:

Recommendation # 16: Create and run a periodic report across non-PO invoices looking for duplicate payments, similar to the mitigating-controls report that was in place prior to the implementation of SAP.

Recommendation # 17: Analyse ABM's vendor database and remove all duplicate vendor data.

Recommendation # 18: Implement a required "unique identifier" for a vendor/business, such as the tax ID, for new vendors, and create a process for adding the unique identifier to existing vendors.

Recommendation # 19: Develop a training schedule for specific requirements based on the results of the survey they conducted.
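One way to build the duplicate-payment report and the vendor clean-up that Recommendations 16 to 18 describe, as an added example that is not part of the original report or of SAP: vendors are grouped by tax ID (falling back to a normalised name), postings are matched on underlying vendor, invoice number and amount wherever a non-PO invoice is involved, and vendors still lacking the unique identifier are listed. The record layout, vendor names and tax IDs are constructed for the example.

```python
"""Duplicate-payment and duplicate-vendor checks over invoice postings.

Added example for Recommendations 16 to 18; not code from the original report
or from SAP. Vendor and invoice records, field names and tax IDs are constructed.
"""
import re
from collections import defaultdict

LEGAL_SUFFIXES = {"LTD", "LIMITED", "PVT", "PRIVATE", "INC", "CO", "COMPANY"}

# Constructed vendor master: V1057 duplicates V1001 without a tax ID, and V1210
# shares a tax ID with V1102 under a variant name; V1300 has no tax ID at all.
VENDORS = [
    {"id": "V1001", "name": "Acme Supplies Ltd", "tax_id": "ABCDE1234F"},
    {"id": "V1057", "name": "ACME SUPPLIES LIMITED", "tax_id": ""},
    {"id": "V1102", "name": "Beta Traders", "tax_id": "PQRST5678G"},
    {"id": "V1210", "name": "Beta Traders Pvt. Ltd.", "tax_id": "PQRST5678G"},
    {"id": "V1300", "name": "Gamma Services", "tax_id": ""},
]

# Constructed invoice postings; an empty "po" marks a non-PO invoice.
INVOICES = [
    {"doc": "190001", "vendor": "V1001", "inv_no": "INV-2017/0412", "amount": 12500.00, "po": ""},
    {"doc": "190044", "vendor": "V1057", "inv_no": "inv 2017 0412", "amount": 12500.00, "po": ""},
    {"doc": "190090", "vendor": "V1102", "inv_no": "B-77", "amount": 3400.00, "po": "4500001"},
    {"doc": "190120", "vendor": "V1210", "inv_no": "B-77", "amount": 3400.00, "po": ""},
    {"doc": "190131", "vendor": "V1300", "inv_no": "G-5", "amount": 800.00, "po": ""},
]

def normalize_name(name: str) -> str:
    """Upper-case, drop punctuation and legal-form suffixes so spelling
    variants of one vendor compare equal."""
    tokens = re.sub(r"[^A-Z0-9 ]", " ", name.upper()).split()
    return " ".join(t for t in tokens if t not in LEGAL_SUFFIXES)

def normalize_inv_no(inv_no: str) -> str:
    return re.sub(r"[^A-Z0-9]", "", inv_no.upper())

def vendor_clusters(vendors: list[dict]) -> dict[str, str]:
    """Map each vendor id to a cluster key: the tax ID where recorded (Rec. 18),
    else the normalised name, resolved to a tax ID when another vendor with the
    same normalised name carries one (Rec. 17)."""
    name_to_tax = {normalize_name(v["name"]): v["tax_id"] for v in vendors if v["tax_id"]}
    clusters = {}
    for v in vendors:
        key = v["tax_id"] or name_to_tax.get(normalize_name(v["name"]))
        clusters[v["id"]] = key or "NAME:" + normalize_name(v["name"])
    return clusters

def duplicate_vendors(vendors: list[dict]) -> list[list[str]]:
    """Groups of vendor ids that resolve to the same underlying vendor."""
    groups = defaultdict(list)
    for vid, key in vendor_clusters(vendors).items():
        groups[key].append(vid)
    return [ids for ids in groups.values() if len(ids) > 1]

def duplicate_payments(invoices: list[dict], vendors: list[dict]) -> list[list[str]]:
    """Postings that repeat vendor, invoice number and amount where at least one
    of them is a non-PO invoice (Rec. 16); comparing on the vendor cluster rather
    than the vendor id is what catches a duplicate posted under a duplicate vendor."""
    clusters = vendor_clusters(vendors)
    groups = defaultdict(list)
    for inv in invoices:
        key = (clusters[inv["vendor"]], normalize_inv_no(inv["inv_no"]), round(inv["amount"], 2))
        groups[key].append(inv)
    return [[i["doc"] for i in g] for g in groups.values()
            if len(g) > 1 and any(not i["po"] for i in g)]

def vendors_missing_tax_id(vendors: list[dict]) -> list[str]:
    """Existing vendors still to be given the unique identifier (Rec. 18)."""
    return [v["id"] for v in vendors if not v["tax_id"]]
```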

Recommendation # 20: Complete an evaluation for providing centralized continuing education, and ensure that, at a minimum, classes addressing the core functions of SAP are provided on a periodic basis and made available to the appropriate departments.

Recommendation # 21: Make the training schedule available to ABM employees, using means such as email or ABM's intranet site. Further, a method for feedback after each training should be provided, such as a survey, to ensure the trainings remain effective.

Recommendation # 22: Ensure enough resources are dedicated to providing on-going training.

Recommendation # 23: Ensure that skilled employees have scheduled dedicated time to train users in their respective proficiency.

This report is issued upon the request of management and to the best of our knowledge and belief. This report is issued without any prejudice and subject to the terms and conditions of the engagement. Thanking you and assuring you of our best attention at all times.

PREPARED AND SIGNED BY

C.A. MEKALA LEELA RAGHAVENDRA PRASAD, M.NO. 237875, ISA NO. 53515
C.A. DINAKAR CH, M.NO. 237078, ISA NO. 51258
C.A. SANTHOSH KUMAR SUNKARA, M.NO. 243365, ISA NO. 53500