Project Report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training
conducted at Centre of Excellence, Gachibowli, Hyderabad from 16/12/2017 to 21/01/2018 and we
have the required attendance. We are submitting the Project titled: IS Audit of ERP
Software.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAWE for
the project. We also certify that this project report is the original work of our group and
each one of us has actively participated and contributed in preparing this project.
We have not shared the project details or taken help in preparing the project report from
anyone except members of our group.

1. Name: Mekala Leela Raghavendra Prasad, DISA No. 53515, Signed
2. Name: Dinakar Ch, DISA No. 51258, Signed
3. Name: Santhosh Kumar Sunkara, DISA No. 53500, Signed

Place: HYDERABAD

Date: 06/02/2018
Table of Contents

1 Details of Case/Project
2 Introduction
3 Auditee Environment
4 Background
5 Situation
6 Terms and scope of assignment
7 Logistics arrangements required
8 Methodologies and Strategy adopted for execution of assignment
9 Documents reviewed
10 References
11 Deliverables
12 Format of Report/Findings and Recommendations
13 Summary/Conclusion
Project Report
Title: IS Audit of ERP Software

M/S ABM LIMITED

1. Details of Case Study/Project

ABM Limited (ABM) has been using Information Technology as a key enabler for
facilitating business process Owners and enhancing services to its customers.
The senior management of ABM has been very proactive in directing the
management and deployment of Information Technology. Most of the mission
critical applications in the company have been computerized and networked.
ABM selected SAP Business Suite to bring a more integrated and seamless
approach to internal processes. SAP deployment in ABM posed unique
challenges arising out of the need to integrate multiple units across different
locations, involving extensive procedures and large volumes of data. The family
of business applications provides better insight into enterprise-wide analysis
based on real time data and key performance indicators, improved quality and
on-time delivery, reduction in inventory cost and enhanced customer service.

ABM proposes to have a comprehensive audit of the Information Systems (ERP
Audit) in the Company. The objective of the IS audit is to identify areas for
improvement of controls by benchmarking against global best practices.
Further, any specific risks identified are expected to be mitigated by implementing
controls as deemed relevant to ensure that the SAP implementation is secure and
safe and provide assurance to the senior management of ABM.
2. Introduction

Client: ABM Limited

ABM Limited (ABM) is one of the leading Public Sector Undertakings, having multiple
manufacturing divisions and regional offices spread all over India. ABM
operates on three major business verticals for associated equipment
manufacturing:

• Mining & Construction;
• Defence; and
• Rail & Metro.

In addition to the above there are three Strategic Business Units (SBUs):

• Technology Division for providing end-to-end engineering solutions;
• Trading Division for dealing in non-company products; and
• International Business Division for export activities.

ABM has eight manufacturing units spread over four locations.

ABM's mission is to improve competitiveness through organizational
transformation and collaboration / strategic alliances / joint ventures in
technology. To support this, ABM has implemented ERP with effect from
October 2010 across the company. ABM successfully implemented SAP ERP
and went live in a quick time span of 12 months. In a first-of-its-kind project in
the country, ABM consolidated its operations across multiple locations spread
across India, with all units going live simultaneously.

Audit Firm: MSD & Co LLP

We are MSD & Co LLP ("Firm"), a professional firm since 1995, providing
services such as Information Systems Audit ("IS Audit"), Statutory Audit, Internal Audit,
Tax Audit, consultancy for project finance and other related services.

Our Firm has 23 qualified chartered accountants and 46 semi-qualified
chartered accountants. Out of the 23 CAs, 9 are CISA/DISA qualified. Our
firm has been providing IS Audit services for 10 years and we have 3 groups in total
(each group has 3 CAs holding CISA/DISA and 4 semi-qualified staff), headed by the
following team leaders.

S.no  Name of the Team Leader  Qualification                Experience
1     Mr. M                    CA, CWA, CS, DISA, CISA      10 years of experience in IS Audit, ERP Audit and Central Bank Audit
2     Mr. S                    CA, DISA, CISA, FAFD, FRM    15 years of experience in IS Audit, ERP Audit and Forensic Audit
3     Mr. D                    CA, DISA, CISA, CS           9 years of experience in IS Audit and other regular Statutory Audits

3. Auditee Environment

The primary objective of the assignment is to conduct an Information Systems
Audit of the SAP implementation and develop related IS Audit checklists for future
use, through external consultants, using globally recognized IS Audit
standards and best practices. The IS audit of SAP would have the objective of
providing comfort on the adequacy and appropriateness of controls and
mitigating any operational risks, thus ensuring that the information systems
implemented through SAP provide a safe and secure computing environment.
Further, specific areas of improvement would be identified by benchmarking
against the globally recognized best IT practices of the COBIT framework. The initial
assignment could primarily focus on the identified areas of the SAP implementation.
4. Background

ABM proposes to have a comprehensive audit of the Information Systems (ERP
Audit) in the Company. While the Information Systems Audit to be done covers
both the audit of the ERP system and a review of its implementation, the IS Audit is
expected to be in compliance with the IS Auditing Standards, Guidelines and
Procedures. The proposed IS Audit is further subject to the applicable Auditing
Standards of ICAI. The objective is to identify areas for improvement of controls
by benchmarking against global best practices. Further, any specific risks
identified are expected to be mitigated by implementing controls as deemed
relevant to ensure that the SAP implementation is secure and safe and provide
assurance to the senior management of ABM Limited. Further, the IS Auditors are
expected to develop an IS Audit checklist for future use.
5. Situation
Business Model:

ABM LIMITED

BUSINESS: EQUIPMENT MANUFACTURING FOR USE IN

• Mining & Construction;
• Defence; and
• Rail & Metro.

Divisions:
• Production Division
• Technology Division
• Trading Division
• International Business Division

• The Production Division has 4 manufacturing locations: Location 1, Location 2, Location 3 and Location 4.
• Each location has two manufacturing units (Mfg. 1 to Mfg. 8 in all).
• There are 500 SAP users in all.

Problem:

ABM Limited has for the first time integrated all its business units, located in different
parts of India, by adopting SAP-ERP; it may face the following problems:

• Integrating all the existing data and applications into the new SAP-ERP may lead to
loss of data
• It requires selection and placement of technical staff
• Operations at each location may differ from operations at other locations

Control Weakness:

As data and services will now be provided by the SAP-ERP system, there are
many control factors that need to be addressed: authorized access, data storage,
segregation of duties, migration of data, maintenance of the central server, AMC
contracts, etc.
6. Terms and Scope of assignment

MSD & Co LLP ("Firm") has been appointed to conduct an Information Systems
Audit of the SAP implementation and develop related IS Audit checklists. The IS
audit of SAP would have the objective of providing comfort on the adequacy
and appropriateness of controls and mitigating any operational risks, thus ensuring
that the information systems implemented through SAP provide a safe and
secure computing environment. Further, specific areas of improvement would
be identified by benchmarking against the globally recognized best IT practices of the
COBIT framework. These terms of reference are based on the preliminary
discussion the assignment team had with the ABM team and are subject to further
modification as required.

Broadly, the scope of review is primarily from a security/controls perspective and would involve:

• Assess vulnerabilities of the SAP implementation to attacks from within
and outside and suggest appropriate counter measures to safeguard
against unauthorised use, disclosure or modification, damage or loss
• Review the processes relating to granting access to systems, verify
the logical access controls and assess whether the specified roles and
responsibilities are aligned with the business to safeguard against
unauthorized use, disclosure or modification, damage or loss
• Assess that audit trails exist for ensuring effective monitoring of the
mission critical systems and processes
• Assess and evaluate the management system relating to all changes
requested and made to the existing production systems so as to
minimize the likelihood of disruption, unauthorized alterations and
errors
• Evaluate data collection, analysis and reporting on resource
performance, application sizing and workload demand so as to ensure
that adequate capacity is available
• Assess the internal control framework in respect of the specified SAP
application, review parameter settings and configuration
management and suggest improvements so as to ensure that data
remains complete, accurate and valid during its input, update and
storage
• Review IT resources as relevant:
  - Operating software: access controls
  - Telecommunications software: access controls
  - RDBMS database: access controls
  - SAP (major focus area): configuration of parameters and access controls
  - Application controls at various stages such as input, processing,
    output, storage, retrieval and transmission so as to ensure
    confidentiality, integrity and availability of data
  - Organization structure, policies, procedures and practices as mapped
    in the information systems
  - Review of policies, procedures and practices as relevant to the areas of
    audit

7. Logistic arrangements required

The IS Auditor requires the following tools for the audit:

a) Hardware:
   1) Windows based systems, PDAs and laptops.
   2) Printers and other printing devices.
   3) Scanners.
   4) Storage media.

b) System Software:
   System software will be selected according to the client's IT environment, so here the
   auditor has to select the system software according to the IT environment in
   ABM Ltd. The auditor should use original licensed versions of system software,
   because this maintains the authenticity of data.

c) CAAT tools:
   1) Audit Software:
      a) IDEA audit software for data extraction.
      b) Software used at the client site, etc.
      c) Analyzer (Arbutus Software).
      d) Pivot tables for sampling.
      e) Benford's Law.
      f) Frequency analysis.
      g) Audit log.

d) Test data:
   a) Using the test packs technique.
   b) Using an Integrated Test Facility.
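Benford's Law and frequency analysis, listed above among the CAAT tools, can be illustrated with a worked first-digit test. The Python script below is an added example and is not part of the original report or of any of the named products (IDEA, Arbutus). The amounts are constructed sample data, the chi-square critical value of 15.507 is the standard value for 8 degrees of freedom at the 5% level, and the 5,000 approval limit behind the second sample is an assumption made for illustration.

```python
"""Benford's Law first-digit test as a CAAT analytic (added example, constructed data)."""
import math
from collections import Counter

# Expected proportion of each leading digit under Benford's Law: log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL_8DF_5PCT = 15.507   # chi-square critical value, 8 degrees of freedom, 5% level


def first_digit(amount):
    """Leading non-zero digit of a number, ignoring sign; None for zero."""
    amount = abs(amount)
    if amount == 0:
        return None
    while amount < 1:            # shift fractional amounts such as 0.045 up to 4.5
        amount *= 10
    return int(str(int(amount))[0])


def benford_test(amounts):
    """Compare observed first-digit counts with Benford's expectation.

    Returns per-digit observed/expected counts, the chi-square statistic and
    whether the population conforms at the 5% level (8 degrees of freedom).
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    counts = Counter(digits)
    chi_square = 0.0
    per_digit = {}
    for d in range(1, 10):
        observed = counts.get(d, 0)
        expected = BENFORD[d] * n
        chi_square += (observed - expected) ** 2 / expected
        per_digit[d] = {"observed": observed, "expected": round(expected, 2)}
    return {
        "n": n,
        "digits": per_digit,
        "chi_square": round(chi_square, 3),
        "conforms_at_5pct": chi_square <= CHI2_CRITICAL_8DF_5PCT,
    }


# Constructed sample 1: a geometric series of amounts, which follows Benford closely.
CONFORMING_SAMPLE = [round(1000 * 1.07 ** i, 2) for i in range(150)]
# Constructed sample 2: 90 invoices kept just below an assumed 5,000 approval limit,
# plus 30 ordinary amounts; the excess of leading 4s is the pattern an auditor follows up.
SUSPICIOUS_SAMPLE = ([4500 + 5 * i for i in range(90)]
                     + [1250, 2750, 3100, 5600, 6200, 7800, 8100, 9300, 1100, 2200] * 3)


if __name__ == "__main__":
    for name, sample in (("conforming", CONFORMING_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        result = benford_test(sample)
        print(f"{name}: n={result['n']} chi2={result['chi_square']} "
              f"conforms={result['conforms_at_5pct']}")
        for d, row in result["digits"].items():
            print(f"  digit {d}: observed {row['observed']:3d} expected {row['expected']:7.2f}")
```

A non-conforming result is not a finding on its own; the analytic only points the auditor at the population of leading-4 invoices for substantive testing against the approval limit, which is where frequency analysis and the test-pack technique from the same list come in.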

8. Methodology and Strategy adopted for execution of assignment

One of the main challenges faced by companies that have implemented SAP
ERP (or any ERP) is getting a clear understanding of the current ERP system:
two or three years after implementation, what is the status of the system?

The main areas of focus will be:

• Whether all the management controls are working fine
• Whether all the postings are being done as per accounting standards
• Whether proper documentation is being maintained
• Whether critical business related activities are done accurately, etc.

A lot of practical difficulties arise in doing an ERP post-implementation audit.
The main challenge is to frame the right set of questions and to obtain answers
for them. From our experience and research, we have prepared a question list
of more than 500 questions from both the functional and technical side, which
drills down to the minutest level, providing all the necessary data required for the
audit.

SAP has provided a very powerful framework in the standard ERP package for
conducting audits, evaluating them and taking corrective actions.

The user should have answers to the following questions before starting the audit
procedure:

1. Kind of audit to be conducted (technical or functional)
2. Number of questions for the audit
3. Structure of the list of questions (question drill-down level)
4. Valuation type of questions
5. Question priorities
6. What kind of audit controls are to be implemented
7. Audit purpose
8. Audit type
9. Kind of rating for the questions

First we need to make a few configuration changes to tune the audit to our
requirements.

Execute transaction SPRO -> SAP Reference IMG -> Cross-Application
Components -> Audit Management

Audit Management is divided into four categories.

Figure 1.0

For setting the structure of the list of questions:

Figure 2.0
Create the kind of question profile that is required. We have created "Part-Sub
Part-Element-Sub Element-Sub Qu" for the audit purpose.

Figure 3.0
Once the question profile is created you have to create the drill-down levels for
the profile. Attached below is the pictorial representation of the drill-down levels
for the questions we created.

Figure 4.0

Figure 5.0
Similarly you can create drill-down levels according to your requirement. After
defining the question hierarchy you have to specify the valuation specification
and the scores to be awarded for each value.

Figure 6.0
We have created valuation 8003 "Valuation of PRD system". After selecting the
created valuation profile, double click on the "Valuation" icon on the right side.
There we need to set the details of the valuation and the scores we intend to
award for each.

Figure 7.0
After the valuation profile is entered, enter the question priorities.

Figure 8.0

Audit control / audit definition requirements have to be configured.

Figure 9.0

Now all the configuration related to conducting the audit has been done.
The following are the main objects used for the audit:

1) Audit Plan
The audit plan consists of all audits planned for a particular period of time. For
example, all audits that are to be executed in the space of one year are
defined in an annual audit plan. There is always only one current version of an
audit plan, where all date shifts and the degree of completion for the individual
audits can be found.

2) Audit
An audit, according to DIN EN ISO 9000, is a systematic, independent, and
documented process used to obtain audit results and to evaluate these results
objectively in order to determine to what extent the criteria of the audit have
been fulfilled.

3) Question List
Question lists are multilingual collections of questions that are answered during
the execution of the audit. The allowed valuation can be planned for each
hierarchy level.

4) Corrective Actions
These are actions that are deemed necessary to eliminate the cause of errors
that were determined during the audit and to prevent the recurrence of these
errors. The corrective actions to be executed must be appropriate to the effects
that the particular error has on the product.

5) Preventive Actions
These are actions that are deemed necessary to eliminate the causes of
possible errors before they occur. The preventive actions to be executed must
be appropriate to the effects that the possible error could have on the product.


Execute transaction PLMD_AUDIT; first create the question list required for the
audit with the newly configured components.

Figure 10.0
For example purposes we have created questions up to 15 drill-down levels.

Figure 11.0
Attached is one real scenario from our audit question list.

Figure 12.0
Once the question list has been created, you have to release the question list.

Figure 13.0

Figure 14.0

Once the question list is attached to the audit we need to evaluate the
questions. Evaluations will be based on the configuration done in SPRO.

Evaluation:

Execute transaction PLM_AUDITMONITOR. Select the required fields and
execute.

Figure 15.0

Select the required audit. Click on the Overview button. Click the Validate
button for valuation.
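To make concrete how the question profile, drill-down hierarchy, valuation specification with scores and question priorities configured in SPRO come together when the audit is evaluated in PLM_AUDITMONITOR, here is an added Python model. It is not SAP code and does not reproduce SAP's own scoring; the valuation names and scores (fulfilled 10, partly fulfilled 5, not fulfilled 0), the use of priority as a weight, and the sample questions are all assumptions chosen for illustration.

```python
"""Question list, valuation profile and degree of fulfilment (added example)."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed valuation profile: valuation -> score awarded. The scores are this
# example's own choice, not SAP-delivered defaults.
VALUATION_PROFILE = {"fulfilled": 10, "partly fulfilled": 5, "not fulfilled": 0}
MAX_SCORE = max(VALUATION_PROFILE.values())


@dataclass
class Question:
    """One node of the question hierarchy (Part > Sub Part > Element > ...).
    Hierarchy nodes carry children; leaf questions carry a valuation."""
    text: str
    priority: int = 1                 # weight for the score (assumed meaning of priority)
    valuation: Optional[str] = None   # answer for a leaf question; None for hierarchy nodes
    children: list = field(default_factory=list)

    def add(self, child):
        self.children.append(child)
        return child

    def weighted_scores(self):
        """Return (achieved, maximum) weighted scores for this subtree."""
        if not self.children:
            if self.valuation not in VALUATION_PROFILE:
                raise ValueError(f"question not valued with the profile: {self.text!r}")
            return (VALUATION_PROFILE[self.valuation] * self.priority,
                    MAX_SCORE * self.priority)
        achieved = maximum = 0
        for child in self.children:
            a, m = child.weighted_scores()
            achieved += a
            maximum += m
        return achieved, maximum

    def degree_of_fulfilment(self):
        """Percentage of the maximum weighted score achieved in this subtree."""
        achieved, maximum = self.weighted_scores()
        return round(100.0 * achieved / maximum, 1)


def corrective_actions(node):
    """Leaf questions not valued 'fulfilled': the candidates for corrective actions."""
    if not node.children:
        return [node.text] if node.valuation != "fulfilled" else []
    found = []
    for child in node.children:
        found.extend(corrective_actions(child))
    return found


def build_sample_audit():
    """Constructed question list in the report's Part > Sub Part > ... shape (sample data)."""
    root = Question("Valuation of PRD system")
    security = root.add(Question("Security & Access Protection"))
    passwords = security.add(Question("Password parameters"))
    passwords.add(Question("Minimum password length is enforced",
                           priority=3, valuation="fulfilled"))
    passwords.add(Question("Initial password change on first use is enforced",
                           priority=2, valuation="partly fulfilled"))
    sod = security.add(Question("Segregation of duties"))
    sod.add(Question("No user holds both vendor-create and payment-post roles",
                     priority=3, valuation="not fulfilled"))
    transport = root.add(Question("Transport System"))
    transport.add(Question("Transports into PRD are approved before import",
                           priority=2, valuation="fulfilled"))
    return root


if __name__ == "__main__":
    audit = build_sample_audit()
    for part in audit.children:
        print(f"{part.text}: {part.degree_of_fulfilment()}%")
    print(f"Overall: {audit.degree_of_fulfilment()}%")
    print("Corrective actions needed for:", corrective_actions(audit))
```

The degree of fulfilment rolls up from leaf questions to each hierarchy level, which is what lets an auditor report a weak area (here, Security & Access Protection at 50%) separately from the overall result; an unanswered leaf raises an error rather than silently counting as zero, so an incomplete valuation is visible before the audit is closed.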

Figure 16.0

The main success factor for any audit depends on the questions used for the
audit. Let us add a few of the topics under which we have prepared the
question list.

The main topics are:

• System Overview
• Security & Access Protection
• Workbench Organizer
• Transport System
• Accessing and Logging DB Tables
• Job Request Procedure
• Documentation
• System Logs
• Batch Input Interface
• Master Data Changes
• Reconciling Posting Data Closing
• Invoice Checking and Posting Run
• Business Process Auditing
• BASIS Audit

Once the audit question list is created / uploaded to SAP, the user must create a
sample checklist to be submitted to the client. The checklist should
contain:

* All the documents that the client has to submit
* All the questions the client has to answer.

Every company should run the audit at least twice a year to ensure that the
system is working perfectly and no manipulations are done, and to ensure 100%
management control over the system and thereby over the employees.

9. Documents reviewed

The following things are reviewed:

• Policies: the management guidelines, which should be approved
by top management and should be reviewed at least once
each year.
• Procedures: the detailed documents based on the policies set by
top management. Procedures contain the detailed information
about the process. All procedures should be approved by
management and should be reviewed at least once each year.
• Flowcharts: pictures are worth a thousand words when it comes to
understanding the interaction of various processes and how the
transaction flow has dependencies and branches that run in
various directions.
• Audit logs and screenshots: every organisation implements
monitoring controls over the processes and preserves
evidence of the same, in the form of system screenshots and system
logs. This gives added confidence to the Information Systems
Auditor about the monitoring controls established by management.
• Security policies related to IT operations
• Existing cost sheets related to IT operations
• SAP implementation documentation
• Review of error logs noted and corrected during the implementation of SAP ERP.

References
• ISO 27001/27002
• COBIT 5
• www.isaca.org
• www.cisco.com
• www.businessofgovernment.com
• DISA 2.0 Course background material
• www.booz.com
23
10. Deliverables

Once SAP is implemented, the auditor can rely on the following
checklist for monitoring the implementation objectives, security controls and
future changes, if any. Each item is answered Yes / No / EXP, with an
"EXP Reference:" line for the supporting reference.

No.  Item  (Response: Yes / No / EXP)

1. Whether a methodology for prioritising system change requests from users exists and is in use?
   EXP Reference:

2. Whether emergency change procedures are addressed in operation manuals?
   EXP Reference:

3. Whether change control is a formal procedure for both user and development groups?
   EXP Reference:

4. Whether the change control log ensures all changes shown were resolved?
   EXP Reference:

5. Whether the user is satisfied with the turnaround of change requests - timeliness and cost?
   EXP Reference:

6. Whether, for a selection of changes on the change control log:
   • the change resulted in programme and operations documentation change
   • the changes were made as documented
   • current documentation reflects the changed environment
   EXP Reference:

7. Whether the change process is being monitored for improvements in acknowledgment, response time, response effectiveness and user satisfaction with the process?
   EXP Reference:

8. Whether maintenance to the Private Branch Exchange (PBX) system is included in the change control procedures?
   EXP Reference:

9. Whether a service level agreement process is identified by policy?
   EXP Reference:

10. Whether user participation in the process is required for creation and modification of agreements?
    EXP Reference:

11. Whether responsibilities of users and providers are defined?
    EXP Reference:

12. Whether management monitors and reports on the achievement of the specified service performance criteria and all problems encountered?
    EXP Reference:

13. Whether a regular review process by management exists?
    EXP Reference:

14. Whether a recourse process is identified for non-performance?
    EXP Reference:

15. Whether service level agreements include, but are not limited to having:
    • definition of service
    • cost of service
    • quantifiable minimum service level
    • level of support from the IT function
    • availability, reliability, capacity for growth
    • continuity planning
    • security requirements
    • change procedure for any portion of the agreement
    • written and formally approved agreement between provider and user of service
    • effective period and new period review/renewal/non-renewal
    • content and frequency of performance reporting and payment for services
    • charges are realistic compared to history, industry, best practices
    • calculation for charges
    • service improvement commitment
    EXP Reference:

16. Whether IT policies and procedures relating to third-party relationships exist and are consistent with organisational general policies?
    EXP Reference:

17. Whether policies exist specifically for addressing the need for contracts, definition of content of contracts, owner or relationship manager responsible for ensuring contracts are created, maintained, monitored and renegotiated as required?
    EXP Reference:

18. Whether interfaces are defined to independent agents involved in the conduct of the project and any other parties, such as subcontractors?
    EXP Reference:

19. Whether contracts represent a full and complete record of third-party supplier relationships?
    EXP Reference:

20. Whether contracts are established for continuity of services specifically, and these contracts include contingency planning by the vendor to ensure continuous service to the user of services?
    EXP Reference:

21. Whether contract contents include at least the following:
    • formal management and legal approval
    • legal entity providing services
    • services provided
    • service level agreements, both qualitative and quantitative
    • cost of services and frequency of payment for services
    • problem resolution process
    • penalties for non-performance
    • dissolution process
    • modification process
    • reporting of service - content, frequency and distribution
    • roles between contracting parties during the life of the contract
    • continuity assurances that services will be provided by the vendor
    • user of services and provider communications process and frequency
    • duration of contract
    • level of access provided to the vendor
    • security requirements
    • non-disclosure guarantees
    • right to access and right to audit
    EXP Reference:

22. Whether escrow agreements have been negotiated where appropriate?
    EXP Reference:

23. Whether potential third parties are properly qualified through an assessment of their capability to deliver the required service (due diligence)?
    EXP Reference:

24. Whether time frames and level of service are defined for all services provided by the IT function?
    EXP Reference:

25. Whether time frames and service levels reflect user requirements?
    EXP Reference:

26. Whether time frames and service levels are consistent with the performance expectations of the equipment's potential?
    EXP Reference:

27. Whether an availability plan exists, is current and reflects user requirements?
    EXP Reference:

28. Whether ongoing performance monitoring of all equipment and capacity is occurring and reported upon, lack of performance is addressed by management and performance improvement opportunities are formally addressed?
    EXP Reference:

29. Whether optimal configuration performance is being monitored by modelling tools to maximize performance while minimizing capacity to required levels?
    EXP Reference:

30. Whether both users and operational performance groups are pro-actively reviewing capacity and performance, and workload schedule modifications are occurring?
    EXP Reference:

31. Whether workload forecasting includes input from users on changing demands and from suppliers on new technology or current product enhancements?
    EXP Reference:

32. Whether organisational policies require a continuity framework and plan to be part of normal operational requirements for both the IT function and all organisations dependent on IT resources?
    EXP Reference:

33. (item text missing in the source document)
    EXP Reference:
34. Whether IT policies and procedures require:
    • a consistent philosophy and framework relating to continuity plan development
    • a prioritisation of applications with respect to timeliness of recovery and return
    • risk assessment and insurance consideration for loss of business in continuity situations for the IT function as well as users of resources
    • outline of specific roles and responsibilities with respect to continuity planning, with specific test, maintenance and update requirements
    • formal contract arrangements with vendors to provide services in the event of need to recover, including back-up site facility or relationship, in advance of actual need
    • in each continuity plan, minimum content to include:
      - emergency procedures to ensure the safety of all affected staff members
      - roles and responsibilities of the IT function, vendors providing recovery services, users of services and support administrative personnel
      - a recovery framework consistent with the long-range plan for continuity
      - listing of systems resources requiring alternatives (hardware, peripherals, software)
      - listing of highest to lowest priority applications, required recovery times and expected performance norms
      - administrative functions for communicating and providing support services such as benefits, payroll, external communications, cost tracking, etc., in the event of need to recover
      - specific equipment and supply needs are identified, such as high speed printers, signatures, forms, communications equipment, telephones, etc., and a source and alternative source defined
      - various recovery scenarios, from minor to loss of total capability, and the response to each in sufficient detail for step-by-step execution
      - training and awareness of individual and group roles in the continuity plan
      - testing schedule, results of the last test and corrective actions taken based on prior test(s)
      - itemisation of contracted service providers, services and response expectations
      - logistical information on the location of key resources, including the back-up site for recovery operating system, applications, data files, operating manuals and programme/system/user documentation
      - current names, addresses, telephone/pager numbers of key personnel
      - reconstruction plans are included for re-recovery at the original location of all systems resources
      - business resumption alternatives for users for establishing alternative work locations once user resources are available; i.e., system recovered at alternative site but user building burned to the ground and unavailable
    EXP Reference:

35. Whether all regulatory agency requirements with respect to continuity planning are met?
    EXP Reference:

36. Whether IT continuity plans are developed based on unavailability of physical resources for performing critical processing - manual and computerised?
    EXP Reference:

37. Whether the telephone system, VoiceMail, fax and image systems are part of the continuity plan?
    EXP Reference:

38. Whether image systems, fax systems, paper documents as well as microfilm and mass storage media are part of the continuity plan?
    EXP Reference:

39. Whether a strategic security plan is in place providing centralised direction and control over information system security, along with user security requirements for consistency?
    EXP Reference:

40. Whether a centralised security organisation is in place responsible for ensuring only appropriate access to system resources?
    EXP Reference:

41. Whether a data classification schema is in place and being used, and all system resources have an owner responsible for security and content?
    EXP Reference:

42. Whether user security profiles are in place representing "least access as required" and profiles are regularly reviewed by management for re-accreditation?
    EXP Reference:

43. Whether employee indoctrination includes security awareness, ownership responsibility and virus protection requirements?
    EXP Reference:

44. Whether reporting exists for security breaches and formal problem resolution procedures are in place, and these reports include:
    • unauthorised attempts to access the system (sign-on)
    • unauthorised attempts to access system resources
    • unauthorised attempts to view or change security definitions and rules
    • resource access privileges by user ID
    • authorised security definition and rule changes
    • authorised access to resources (selected by user or resource)
    • status changes of the system security
    • accesses to operating system security parameter tables
    EXP Reference:

45. Whether cryptographic modules and key maintenance procedures exist, are administered centrally and are used for all external access and transmission activity?
    EXP Reference:

46. Whether cryptographic key management standards exist for both centralised and user activity?
    EXP Reference:

47. Whether change control over security software is formal and consistent with normal standards of system development and maintenance?
    EXP Reference:

48. Whether the authentication mechanisms in use provide one or more of the following features:
    • single-use of authentication data (e.g., passwords are never re-usable)
    • multiple authentication (i.e., two or more different authentication mechanisms are used)
    • policy-based authentication (i.e., ability to specify separate authentication procedures for specific events)
    • on-demand authentication (i.e., ability to re-authenticate the user at times after the initial authentication)
    EXP Reference:

49. Whether the number of concurrent sessions belonging to the same user is limited?
    EXP Reference:

50. Whether at log-on an advisory warning message is shown to users regarding the appropriate use of the hardware, software or connection logged on to?
    EXP Reference:

51. Whether a warning screen is displayed prior to completing log-on to inform the reader that unauthorised access may result in prosecution?
    EXP Reference:

52. Whether, upon successful session establishment, a history of successful and unsuccessful attempts to access the user's account is displayed to the user?
    EXP Reference:

53. Whether the password policy includes:
    • initial password change on first use enforced
    • an appropriate minimum password length
    • an appropriate and enforced frequency of password changes
    • password checking against a list of not allowed values (e.g., dictionary checking)
    • adequate protection of emergency passwords
    EXP Reference:

54. Whether formal problem resolution procedures include:
    • user ID is suspended after 5 repeated unsuccessful log-on attempts
    • date and time of last access and number of unsuccessful attempts are displayed to the authorised user at log-on
    • authentication time is limited to 5 minutes, after which the session is terminated
    • user is informed of suspension, but not the reason for it
    EXP Reference:

31
No. Item Response
Yes No EXP
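As an added example that is not part of the report, the following Python model implements the log-on controls items 52 to 54 ask about (failure counting, suspension after 5 attempts, the 5-minute authentication window, the history shown to the user at log-on) together with the item 53 password checks; the 12-character minimum, the 90-day change frequency, the not-allowed-values list and all identifiers are assumptions.

```python
# Added example, not the report's own code: a model of the log-on controls in
# checklist items 52 to 54 and the password policy checks in item 53.
# The 5-attempt and 5-minute figures come from item 54; the 12-character
# minimum, 90-day change frequency and not-allowed list are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 5                # item 54: suspend after 5 failures
AUTH_WINDOW = timedelta(minutes=5)     # item 54: authentication time limit
MIN_PASSWORD_LENGTH = 12               # item 53: assumed "appropriate" length
MAX_PASSWORD_AGE = timedelta(days=90)  # item 53: assumed change frequency
# item 53: constructed not-allowed list standing in for a dictionary check
FORBIDDEN_PASSWORDS = {"password", "welcome1", "sap12345", "changeme"}


@dataclass
class Account:
    user_id: str
    password: str
    password_set_at: datetime
    must_change_password: bool = True  # item 53: change enforced on first use
    failed_attempts: int = 0
    suspended: bool = False
    last_access: Optional[datetime] = None


def password_policy_violations(candidate: str) -> list:
    """Item 53: list the policy rules a candidate password breaks."""
    violations = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        violations.append("too short")
    if candidate.lower() in FORBIDDEN_PASSWORDS:
        violations.append("in not-allowed list")
    return violations


def log_on(acct: Account, password: str, started: datetime, now: datetime) -> dict:
    """Items 52 and 54: one log-on attempt; returns what the user is shown."""
    suspended_msg = "User ID suspended; contact the help desk"  # no reason given
    if acct.suspended:
        return {"ok": False, "message": suspended_msg}
    if now - started > AUTH_WINDOW:
        return {"ok": False, "message": "Authentication time exceeded; session terminated"}
    if password != acct.password:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True
            return {"ok": False, "message": suspended_msg}
        return {"ok": False, "message": "Log-on failed"}
    # Successful log-on: show the history that items 52 and 54 require.
    shown = {
        "ok": True,
        "last_access": acct.last_access,
        "failed_attempts_since_last_access": acct.failed_attempts,
        "must_change_password": acct.must_change_password
        or now - acct.password_set_at > MAX_PASSWORD_AGE,
    }
    acct.failed_attempts = 0
    acct.last_access = now
    return shown


def scenario() -> dict:
    """Constructed walk-through of the controls; returns the observed outcomes."""
    t0 = datetime(2018, 1, 10, 9, 0)
    acct = Account("U100", "Correct-Horse-Battery-42",
                   password_set_at=datetime(2017, 12, 1), must_change_password=False)
    for _ in range(4):
        log_on(acct, "wrong", t0, t0)            # four failures: not yet suspended
    ok = log_on(acct, "Correct-Horse-Battery-42", t0, t0)
    out = {"shown_failed_attempts": ok["failed_attempts_since_last_access"],
           "first_last_access": ok["last_access"],
           "first_success_ok": ok["ok"]}
    last = None
    for _ in range(MAX_FAILED_ATTEMPTS):
        last = log_on(acct, "wrong", t0, t0)     # fifth failure suspends the ID
    out["suspended_after_five"] = acct.suspended
    out["suspension_message"] = last["message"]
    fresh = Account("U200", "Another-Long-Secret-9", password_set_at=t0,
                    must_change_password=False)
    slow = log_on(fresh, "Another-Long-Secret-9", t0, t0 + timedelta(minutes=6))
    out["timed_out"] = not slow["ok"]           # past the 5-minute window
    return out
```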
55 Whether dial-in procedures include dial-back or token-based authentication, frequent changes of dial-up numbers, software and hardware firewalls to restrict access to assets and frequent changes of passwords and deactivation of former employees' passwords?
EXP Reference:

56 Whether location control methods are used to apply additional restrictions at specific locations?
EXP Reference:

57 Whether access to the VoiceMail service and the PBX system are controlled with the same physical and logical controls as for computer systems?
EXP Reference:

58 Enforcement of sensitive position policies occurs, including:
• employees in sensitive job positions are required to be away from the organisation for an appropriate period of time every calendar year; during this time their user ID is suspended; and persons replacing the employee are instructed to notify management if any security-related abnormalities are noted
• unannounced rotation of personnel involved in sensitive activities is performed from time to time
EXP Reference:

59 Whether security-related hardware and software, such as cryptographic modules, are protected against tampering or disclosure, and access is limited to a "need to know" basis?
EXP Reference:

60 Whether access to security data such as security management, sensitive transaction data, passwords and cryptographic keys is limited to a need to know basis?
EXP Reference:

61 Whether trusted paths are used to transmit non-encrypted sensitive information?
EXP Reference:

62 Whether to prevent denial of service due to an attack with junk faxes, protective measures are taken such as:
• limiting the disclosure of fax numbers outside the organisation to a "need-to-know" basis
• fax lines used for solicitation of business are not used for other purposes
EXP Reference:

63 Whether preventative and detective control measures have been established by management with respect to computer viruses?
EXP Reference:

64 Whether to enforce integrity of electronic value, measures are taken such as:
• card reader facilities are protected against destruction, disclosure or modification of the card information
• card information (PIN and other information) is protected against insider disclosure
• counterfeiting of cards is prevented
EXP Reference:

65 Whether to enforce protection of security features, measures are taken such as:
• the identification and authentication process is required to be repeated after a specified period of inactivity
• a one-button lock-up system, a force button or a shut-off sequence can be activated when the terminal is left alone
EXP Reference:

66 Whether the IT function has a group responsible for reporting and issuing chargeback bills to users, and procedures are in place that:
• develop a yearly development and maintenance plan with user identification of priorities for development, maintenance and operational expenses
• allow for a very high level of user determination of where IT resources are spent
• generate a yearly IT budget including:
  - Compliance to organisational requirements in budget preparation
  - Consistency with what costs are to be allocated by the user departments
  - Communication of historical costs, assumptions for new costs - for understanding by users of what costs are included in chargeback
  - User sign-off on all budget costs to be allocated by IT function
  - Frequency of reporting and actual charging of costs to users
• track allocated costs of all IT resources of, but not limited to:
  - Operational hardware
  - Peripheral equipment
  - Telecommunications usage
  - Applications development and support
  - Administrative overhead
  - External vendor service costs
  - Help desk
  - Facilities and maintenance
  - Direct/indirect costs
  - Fixed and variable expenses
  - Sunk and discretionary costs
• provide for regular reporting to users on performance for the various cost categories
• report to users on external benchmarks regarding cost effectiveness so as to allow comparison to industry expectations, or user alternative sourcing for services
• provide for timely modification to cost allocations to reflect changing business needs
• formally approve and accept charges as received
• identify IT improvement opportunities to reduce chargebacks or get greater value for chargebacks
EXP Reference:

67 Whether reports provide assurance that chargeable items are identifiable, measurable and predictable?
EXP Reference:

68 Whether reports capture and highlight changes in the underlying cost components or allocation algorithm?
EXP Reference:

69 Whether policies and procedures relating to ongoing security and controls awareness exist?
EXP Reference:

70 Whether there is an education/training programme focusing on information systems security and control principles?
EXP Reference:

71 Whether new employees are made aware of security and control responsibility with respect to using and having custody of IT resources?
EXP Reference:

72 Whether there are policies and procedures in effect relating to training and they are current with respect to technical configuration of IT resources?
EXP Reference:

73 Whether in-house training opportunities are available, and what the frequency of employee attendance is?
EXP Reference:

74 Whether external technical training opportunities are available, and what the frequency of employee attendance is?
EXP Reference:

75 Whether a training function is assessing training needs of personnel with respect to security and controls, and translating those needs into in-house or external training opportunities?
EXP Reference:

76 Whether all employees are required to attend security and control awareness training on an ongoing basis that would include, but not be limited to:
• general system security principles
• ethical conduct related to IT
• security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner
• responsibilities associated with custody and use of IT resources
• security of information and information systems when used off-site
EXP Reference:

77 Whether security awareness training includes a policy on preventing the disclosure of sensitive information through conversations (e.g., by announcing the status of the information to all persons taking part in the conversation)?
EXP Reference:

78 Whether the nature of the help desk function (i.e., how requests for assistance are processed and assistance is provided) is effective?
EXP Reference:

79 Whether the actual facilities, divisions or departments performing the help desk function, and the individuals or positions responsible for the help desk, are identified?
EXP Reference:

80 Whether the level of documentation for help desk activities is adequate and current?
EXP Reference:

81 Whether an actual process for logging or registering requests for service and use of logs exists?
EXP Reference:

82 Whether the process for query escalation and management intervention for resolution is sufficient?
EXP Reference:

83 Whether the time frame for clearing queries received is adequate?
EXP Reference:

84 Whether procedures for tracking trends and reporting on help desk activities exist?
EXP Reference:

85 Whether performance improvement initiatives are formally identified and executed?
EXP Reference:

86 Whether service level agreements and performance standards are being met?
EXP Reference:

87 Whether user satisfaction level is periodically determined and reported?
EXP Reference:

88 Whether the process for creating and controlling configuration baselines (the cut-off point in the design and development of a configuration item beyond which evolution does not occur without undergoing strict configuration control) is appropriate?
EXP Reference:

89 Whether functions for maintaining the configuration baseline exist?
EXP Reference:

90 Whether a process for controlling status accounting of purchased and leased resources - including inputs, outputs and integration with other processes - exists?
EXP Reference:

91 Whether configuration control procedures include:
• configuration baseline integrity
• programmed access authorisation controls over the change management system
• the recovery of configuration items and change requests at any point in time
• completion of configuration and reports assessing the adequacy of configuration recording procedures
• periodic evaluations of the configuration recording function
• individuals responsible for reviewing configuration control have the requisite knowledge, skills and abilities
• procedures exist for reviewing access to software baselines
• results of reviews are provided to management for corrective action
EXP Reference:

92 Whether periodic review of configuration with inventory and accounting records is performed on a regular basis?
EXP Reference:

93 Whether configuration baseline has sufficient history for tracking changes?
EXP Reference:

94 Whether software change control procedures exist for:
• establishing and maintaining licensed application programme library
• ensuring licensed application programme library is adequately controlled
• ensuring the reliability and integrity of the software inventory
• ensuring the reliability and integrity of the inventory of authorised software used and checking for unauthorised software
• assigning responsibility for unauthorised software control to a specific staff member
• recording use of unauthorised software and reporting to management for corrective action
• determining whether management took corrective action on violations
EXP Reference:

95 Whether the process for migrating developmental applications into the testing environment and ultimately into production status interacts with configuration reporting?
EXP Reference:

96 Whether the software storage process includes:
• defining a secure file storage area (library) for all valid software in appropriate phases of the system development life cycle
• requiring that software storage libraries are separated from each other and from development, testing and production file storage areas
• requiring the existence of areas within source libraries that allow temporary location of source modules moving into the production cycle
• requiring that each member of all libraries has an assigned owner
• defining logical and physical access controls
• establishing software accountability
• establishing an audit trail
• detecting, documenting and reporting to management all instances of non-compliance with this procedure
• determining whether management took corrective action
EXP Reference:

97 Whether coordination is occurring among applications development, quality assurance and operations with respect to updating the configuration baseline upon change?
EXP Reference:

98 Whether software is labeled and periodically inventoried?
EXP Reference:

99 Whether library management software is used to:
• produce audit trails of program changes
• maintain program version numbers
• record and report program changes
• maintain creation/date information for production modules
• maintain copies of previous versions
• control concurrent updates
EXP Reference:

100 Whether there is a problem management process that ensures all operational events which are not part of standard operations are recorded, analysed and resolved in a timely manner, and incident reports are generated for significant problems?
EXP Reference:

101 Whether problem management procedures exist for:
• defining and implementing a problem management system
• recording, analysing, resolving in a timely manner all non-standard events
• establishing incident reports for critical events and reporting to users
• identifying problem types and prioritisation methodology allowing for varying resolution efforts based on risk
• defining logical and physical control of problem management information, distributing outputs on a "need to know" basis
• tracking of problem trends to maximise resources, reduce turnaround
• collecting accurate, current, consistent and usable data inputs to reporting
• notifying appropriate level of management for escalation and awareness
• determining if management periodically evaluates the problem management process for increased effectiveness and efficiency
• sufficiency of audit trail for system problems
• integration with change, availability, configuration management systems and personnel
EXP Reference:

102 Whether emergency processing priorities exist, are documented and require approval by appropriate program and IT management?
EXP Reference:

103 Whether there are emergency and temporary access authorisation procedures which require:
• documentation of access on standard forms and maintained on file
• approval by appropriate managers
• secure communication to the security function
• automatic access termination, after a predetermined period of time
EXP Reference:

104 For data preparation:
• data preparation procedures ensure completeness, accuracy and validity
• authorisation procedures for all source documents exist
• separation of duties between origination, approval and conversion of source documents into data is occurring
• authorised data remains complete, accurate and valid through source document origination
• data is transmitted in a timely manner
• periodic review of source documents for proper completion and approvals occurs
• appropriate handling of erroneous source documents
• adequate control over sensitive information exists on source documents for protection from compromise
• procedures ensure completeness and accuracy of source documents, proper accounting for source documents and timely conversion
• source document retention is sufficiently long to allow reconstruction in event of loss, availability for review and audit, litigation inquiries or regulatory requirements
EXP Reference:

105 For data input:
• appropriate source document routing for approval prior to entry
• proper separation of duties among submission, approval, authorisation and data entry functions
• unique terminal or station codes and secure operator identification
• usage, maintenance and control of station codes and operator IDs
• audit trail to identify source of input
• routine verification or edit checks of inputted data as close to the point of origination as possible
• appropriate handling of erroneously input data
• clearly assign responsibility for enforcing proper authorisation over data
EXP Reference:

106 For data processing:
Whether programmes contain error prevention, detection, correction routines:
• programmes must test input for errors (i.e., validation and editing)
• programmes must validate all transactions against a master list of same
• programmes must disallow override of error conditions
EXP Reference:

107 Whether error handling procedures include:
• correction and resubmission of errors must be approved
• individual responsibility for suspense files is defined
• suspense files generate reports for non-resolved errors
• suspense file prioritisation scheme is available based on age and type
EXP Reference:

108 Whether logs of programmes executed and transactions processed/rejected for audit trail exist?
EXP Reference:

109 Whether there is a control group for monitoring entry activity and investigating non-standard events, along with balancing of record counts and control totals for all data processed?
EXP Reference:

110 Whether all fields are edited appropriately, even if one field has an error?
EXP Reference:

111 Whether tables used in validation are reviewed on a frequent basis?
EXP Reference:

112 Whether written procedures exist for correcting and resubmitting data in error, including a non-disruptive solution to reprocessing?
EXP Reference:

113 Whether resubmitted transactions are processed exactly as originally processed?
EXP Reference:

114 Whether responsibility for error correction resides with the original submitting function?
EXP Reference:

115 Whether Artificial Intelligence systems are placed in an interactive control framework with human operators to ensure that vital decisions are approved?
EXP Reference:

116 For output, interfacing, and distribution:
• Access to output is restricted physically and logically to authorised people
• Ongoing review of need for outputs is occurring
• Output is routinely balanced to relevant control totals
• Audit trails exist to facilitate the tracing of transaction processing and the reconciliation of disrupted data
• Output report accuracy is reviewed and errors contained in output are controlled by cognisant personnel
• Clear definition of security issues during output, interfacing and distribution exists
• Security breaches during any phase are communicated to management, acted upon and reflected in new procedures as appropriate
• Process and responsibility of output disposal is clearly defined
• Destruction is witnessed of materials used but not needed after processing
• All input and output media is stored in an off-site location in event of later need
• Information marked as deleted is changed in such a way that it can no longer be retrieved
EXP Reference:

117 For media library:
• Contents of media library are systematically inventoried
• Discrepancies disclosed by the inventory are remedied in a timely manner
• Measures are taken to maintain the integrity of magnetic media stored in the library
• Housekeeping procedures exist to protect media library contents
• Responsibilities for media library management have been assigned to specific members of IT staff
• Media back-ups and restoration strategy exists
• Media back-ups are taken in accordance with the defined back-up strategy and usability of back-ups is regularly verified
• Media back-ups are securely stored and storage sites periodically reviewed regarding physical access security and security of data files and other items
• Retention periods and storage terms are defined for documents, data, programmes, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication
• In addition to the storage of paper source documents, telephone conversations are recorded and retained - if not in conflict with local privacy laws - for transactions or other activities that are part of the business activities traditionally conducted over telephones
• Adequate procedures are in place regarding the archival of information (data and programmes) in line with legal and business requirements and enforcing accountability and reproducibility
EXP Reference:

118 For information authentication and integrity:
• The integrity of the data files is checked periodically
• Requests received from outside the organisation, via telephone or VoiceMail, are verified by call-back or other means of authentication
• A prearranged method is used for independent verification of the authenticity of source and contents of transaction requests received via fax or image system
• Electronic signature or certification is used to verify the integrity and authenticity of incoming electronic documents
EXP Reference:

13. Conclusion/Recommendation

Recommendation # 1:

Implement targeted security monitoring over ERP support staff access in the
production environment.

Recommendation # 2:

Perform a risk assessment/cost benefit analysis over the access and system
functions that pose the greatest risks to determine which controls merit the
associated expense of generating logs or using personnel's time to regularly
review. Automated review, such as the use of scripts to identify certain
unauthorized or high risk activity should be used wherever possible to cut back
on personnel time and log retention requirements.

Recommendation # 3:

Critical controls should have an automated trigger or alert such as an email generated from the use of a critical transaction, and sent to the appropriate party for review.

Recommendation # 4:

Risks, controls implemented/mitigated risk, method of implementation, and frequency of review should be documented in the monitoring portion of the SAP Security Policy.

Recommendation # 5:

Documented reviews of monitoring controls should be performed at least semi-annually over the implemented monitoring to ensure that the monitoring defined through this exercise is adequate, effective and consistently in place.

Recommendation # 6:

We recommend the security group clearly document technical roles within the SAP environments and enforce Segregation of Duties between technical roles wherever possible.

Recommendation # 7:

Access for each ERP support department staff should be restricted to only the
access that user requires to perform their day to day functions.

Recommendation # 8:

ERP support department staff access should be reviewed at defined regular intervals, on a semi-annual basis at a minimum.

Recommendation # 9:

Additional access beyond standardized support staff roles must be approved by management external to the ERP support department staff, and should be provided through a monitored account such as a Firefighter account.

Recommendation # 10:

Unmonitored generic accounts should not exist in the production (live financial)
environment.

Recommendation # 11:

Logs generated from monitored accounts (such as firefighter accounts) should be reviewed at defined points and signed off by the supervising manager when they are in use. Simplified automation can be employed, such as automating the generation and sending of the log to the manager via email, whose reply can serve as his auditable electronic sign-off.

Recommendation # 12:

Security logs should be stored in a location where the SAP IT teams do not have
access to modify the logs.

Recommendation # 13:

Ensure that production client authentication settings meet and continue to meet the Standard authentication requirements defined in the Security Policy.

Recommendation # 14:

Management should take precautions to ensure that no user can increase or modify their own access. If it is not feasible to limit this capability to users required to provision access, controls such as monitoring their account permissions for modifications using a standardized methodology should be implemented to mitigate this security risk.
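As an added example that is not the report's or ABM's code, the Python script below is the kind of automated review Recommendations 2, 3, 10, 11 and 14 describe, run over constructed log lines: it flags critical transaction use, self-assignment of roles, generic accounts active in production, and firefighter sessions awaiting sign-off. The line format, client number, account names, role names and transaction codes are assumptions for illustration, not SAP's own audit log format.

```python
# Added example, not the report's or ABM's code: the kind of scripted review
# Recommendations 2, 3, 10, 11 and 14 describe, run over constructed log
# lines. The line format, client number, account names and transaction
# codes below are assumptions for illustration, not SAP's own audit log.
import csv
from io import StringIO

# Constructed sample log: timestamp,client,user,terminal,event,detail
SAMPLE_LOG = """\
2018-01-15T09:02:11,100,JSMITH,WS-0412,TX_START,FB60
2018-01-15T09:05:43,100,FF_FIN01,WS-0412,TX_START,SE16
2018-01-15T09:06:10,100,FF_FIN01,WS-0412,TX_START,SU01
2018-01-15T09:07:55,100,BASIS02,WS-0090,ROLE_ASSIGN,BASIS02:Z_SAP_ALL_LIKE
2018-01-15T09:09:30,100,BATCHUSER,WS-0001,TX_START,FB60
2018-01-15T09:12:00,100,AKUMAR,WS-0231,ROLE_ASSIGN,JSMITH:Z_AP_CLERK
2018-01-15T09:13:00,200,DEV01,WS-0500,TX_START,SU01
"""

PRODUCTION_CLIENT = "100"              # assumption: the live financial client
# Rec 3: transactions the Rec 2 risk assessment rated critical (assumed set)
CRITICAL_TRANSACTIONS = {"SU01", "SE16", "SCC4"}
FIREFIGHTER_PREFIX = "FF_"             # Rec 9/11: monitored emergency accounts
GENERIC_ACCOUNTS = {"BATCHUSER"}       # Rec 10: known generic (shared) IDs
FIELDS = ("ts", "client", "user", "terminal", "event", "detail")


def parse_log(text: str) -> list:
    """Parse the constructed comma-separated log into dicts, skipping bad rows."""
    rows = []
    for record in csv.reader(StringIO(text)):
        if len(record) == len(FIELDS):
            rows.append(dict(zip(FIELDS, record)))
    return rows


def review(rows: list) -> list:
    """Return findings as (recommendation, user, description) tuples."""
    findings = []
    firefighters = set()
    for r in rows:
        if r["client"] != PRODUCTION_CLIENT:
            continue                    # only the production client is in scope
        if r["event"] == "TX_START" and r["detail"] in CRITICAL_TRANSACTIONS:
            # Rec 3: critical transaction use should trigger an alert
            findings.append(("Rec 3", r["user"],
                             f"critical transaction {r['detail']} at {r['ts']}"))
        if r["user"].startswith(FIREFIGHTER_PREFIX):
            firefighters.add(r["user"])
        if r["event"] == "ROLE_ASSIGN":
            target, role = r["detail"].split(":", 1)
            if target == r["user"]:
                # Rec 14: a user must not be able to modify their own access
                findings.append(("Rec 14", r["user"],
                                 f"assigned role {role} to own account"))
        if r["user"] in GENERIC_ACCOUNTS:
            # Rec 10: generic accounts must not be active unmonitored in production
            findings.append(("Rec 10", r["user"],
                             f"generic account active in production ({r['detail']})"))
    for user in sorted(firefighters):
        # Rec 11: every firefighter session log needs manager sign-off
        findings.append(("Rec 11", user, "firefighter log requires manager sign-off"))
    return findings


def alert_lines(findings: list) -> list:
    """Rec 3/11: one line per finding, ready to be e-mailed to the reviewer."""
    return [f"[{rec}] {user}: {desc}" for rec, user, desc in findings]


if __name__ == "__main__":
    for line in alert_lines(review(parse_log(SAMPLE_LOG))):
        print(line)
```

The non-production row (client 200) is deliberately ignored, which is the scoping Recommendation 10 implies; widening the filter is a one-line change.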

Recommendation # 15:

To mitigate the control weaknesses related to the vendor database, we have made the following recommendations:

Recommendation # 16:

Create and run a periodic report across non PO invoices looking for duplicate
payments similar to the previous mitigating controls report that was in place prior
to the implementation of SAP.

Recommendation # 17:

Analyse ABM's vendor database and remove all duplicate vendor data.

Recommendation # 18:

Implement a required "unique identifier" for a vendor/business, such as the tax ID, for new vendors and create a process for adding the unique identifier to existing vendors.

Recommendation # 19:

Complete an evaluation for providing centralized continuing education, and ensure that at a minimum, classes addressing the core functions of SAP are provided on a periodic basis, and made available to the appropriate departments.

Recommendation # 20:

Develop a training schedule for specific requirements based on the results of the survey they conducted.

Recommendation # 21:

Make the training schedule available to ABM employees, using means such as email or ABM's intranet site. Further, a method for feedback after each training should be provided, such as a survey, to ensure the trainings remain effective.

Recommendation # 22:

Ensure enough resources are dedicated to provide on-going training.

Recommendation # 23:

Ensure that skilled employees have scheduled dedicated time to train users in
their respective proficiency.

This report is issued upon the request of management and to the best of our
knowledge & belief. This report is issued without any prejudice & subject to terms
& conditions of the engagement. Thanking & assuring you best of our attention
at all points.

PREPARED AND SIGNED BY

C.A. MEKALA LEELA RAGHAVENDRA PRASAD, M.NO.237875, ISA NO 53515


C.A. DINAKAR CH, M.NO.237078, ISA NO 51258
C.A. SANTHOSH KUMAR SUNKARA, M.NO 243365, ISA NO 53500
