Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training
conducted at:
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAWE for the project. We also certify that this project report is the original work of our group and each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.
Place: HYDERABAD
Date: 06/02/2018
Table of Contents
1 Details of Case/Project
2 Introduction
3 Auditee Environment
4 Background
5 Situation
9 Documents reviewed
10 References
11 Deliverables
13 Summary/Conclusion
Project Report
Title: IS Audit of ERP Software
ABM Limited (ABM) has been using Information Technology as a key enabler for
facilitating business process Owners and enhancing services to its customers.
The senior management of ABM has been very proactive in directing the
management and deployment of Information Technology. Most of the mission
critical applications in the company have been computerized and networked.
ABM selected SAP Business Suite to bring a more integrated and seamless
approach to internal processes. SAP deployment in ABM posed unique
challenges arising out of the need to integrate multiple units across different
locations, involving extensive procedures and large volumes of data. The family
of business applications provides better insight into enterprise-wide analysis
based on real time data and key performance indicators, improved quality and
on-time delivery, reduction in inventory cost and enhanced customer service.
2. Introduction
ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple manufacturing divisions and regional offices spread all over India. ABM operates on three major business verticals for associated equipment manufacturing:
In addition to the above there are three Strategic Business Units (SBUs):
We are MSD & Co LLP (“Firm”), a professional firm since 1995, providing services like Information System Audit (“IS Audit”), Statutory Audit, Internal Audit, Tax Audit, Consultancy for Project Finance and other related services.
(Each group 3 CAs having CISA/DISA and 4 Semi Qualified) headed by the
following team leaders.
3. Auditee Environment
4. Background
5. Situation
Business Model is:
ABM LIMITED
• Defence; and
• There are 500 SAP users in all.
Problem:
ABM Limited has, for the first time, integrated all of its business units located in different parts of India by adopting SAP ERP. This may give rise to the following problems:
• Integrating all the existing data and applications into the new SAP ERP may lead to loss of data.
• It requires the selection and placement of technical staff.
• Each location's operations may differ from those of the other locations.
Control Weakness:
As the data and services will now be provided by the SAP ERP system, there are many control factors that need to be addressed: authorized access, data storage, contracts, etc.
6. Terms and Scope of assignment
MSD & Co LLP (“Firm”) has been appointed to conduct an Information Systems Audit of the SAP implementation and to develop related IS Audit checklists. The IS audit of SAP would have the objective of providing comfort on the adequacy and appropriateness of controls and mitigating any operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking against the globally recognized best IT practices of the COBIT framework. These terms of reference are based on the preliminary discussion the assignment team had with the ABM team and are subject to further modification as required.
Broadly, the scope of review is primarily from a security/controls perspective and would involve:
To assess that audit trails exist for ensuring effective monitoring of the mission critical systems and processes
Review of IT Resources as relevant
a) Hardware:
   3) Scanners.
   4) Storage media.
b) System Software:
c) CAAT tools:
   1) Audit Software:
      c) Analyzer-Arbutus Software.
      e) Benford’s Law.
      f) Frequency Analysis.
      g) Audit log.
d) Test data:
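The CAAT list above names Benford's Law and frequency analysis. The first-digit test below is an added example (not code from this report, nor from Arbutus Analyzer) of how an auditor applies that technique to a population of invoice amounts: the expected leading-digit frequencies follow log10(1 + 1/d), the observed frequencies are compared with a chi-square statistic, and any digit occurring significantly more often than expected is reported, because that is where split or fabricated amounts cluster. The invoice amounts, the 5,000 approval limit and the significance cut-offs are assumptions made for the illustration; both samples are constructed.

```python
"""First-digit (Benford's Law) test as a CAAT screening step.
Added example; the invoice samples are constructed, not ABM data."""
import math
from collections import Counter

# Benford's expected first-digit probabilities: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRIT_8DF_P05 = 15.507  # chi-square critical value, 8 degrees of freedom, p = 0.05


def first_digit(amount):
    """Return the leading non-zero digit of an amount, or None if it has none."""
    for ch in f"{abs(amount):.6f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_test(amounts, z_threshold=2.0):
    """Compare observed first-digit frequencies against Benford's Law.

    Returns the sample size, observed proportions, the chi-square statistic,
    whether the population as a whole conforms (chi-square below the p=0.05
    critical value) and the digits that occur significantly more often than
    expected (z-score above z_threshold), which is the pattern that split or
    fabricated amounts leave behind.
    """
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        return {"n": 0, "observed": {}, "chi2": 0.0, "conforms": False, "excess_digits": []}
    counts = Counter(digits)
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    chi2 = sum((counts.get(d, 0) - BENFORD[d] * n) ** 2 / (BENFORD[d] * n) for d in range(1, 10))
    excess = []
    for d in range(1, 10):
        sd = math.sqrt(BENFORD[d] * (1 - BENFORD[d]) / n)  # binomial standard deviation of the proportion
        if (observed[d] - BENFORD[d]) / sd > z_threshold:
            excess.append(d)
    return {"n": n, "observed": observed, "chi2": chi2,
            "conforms": chi2 < CHI2_CRIT_8DF_P05, "excess_digits": excess}


def clean_sample():
    """Constructed invoice amounts spread log-uniformly over 1,000 .. 1,000,000,
    exactly the kind of population Benford's Law describes."""
    return [round(10 ** (3 + i / 100), 2) for i in range(300)]


def manipulated_sample():
    """The clean sample plus 60 constructed invoices just under a hypothetical
    5,000 approval limit: the trace left by splitting purchases to avoid approval."""
    return clean_sample() + [round(4900 + k * 1.65, 2) for k in range(60)]


if __name__ == "__main__":
    for name, sample in (("clean", clean_sample()), ("manipulated", manipulated_sample())):
        r = benford_test(sample)
        print(f"{name}: n={r['n']} chi2={r['chi2']:.2f} conforms={r['conforms']} "
              f"excess digits={r['excess_digits']}")
```

On the constructed data the clean population conforms and no digit is flagged, while the manipulated population fails the chi-square test and digit 4 is reported as in excess. In practice the test is run per vendor or per cost centre rather than over the whole ledger, and a flagged digit is a lead for substantive testing, not a finding in itself.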
One of the main challenges faced by companies that have implemented SAP ERP (or any ERP) is to get a clear understanding of the current ERP system: two or three years after implementation, what will be the status of the system? SAP has provided a very powerful framework in the standard ERP package for conducting audits, evaluating them and taking corrective actions.
The user should have answers to the following questions before starting the audit procedure:
First we need to make a few configuration changes to tune the audit to our requirements.
Figure 1.0
Figure 2.0
Create the kind of Question Profile that is required. We have created “Part-Sub Part-Element-Sub Element-Sub Qu” for the audit purpose.
Figure 3.0
Once the question profile is created you have to create the drill-down levels for the profile. Below is the pictorial representation of the drill-down levels for the questions we created.
Figure 4.0
Figure 5.0
Similarly you can create drill-down levels according to your requirement. After defining the question hierarchy you have to specify the Valuation Specification and the scores to be awarded for each value.
Figure 6.0
We have created valuation 8003, Valuation of PRD system. After selecting the created valuation profile, double click on the “valuation” icon on the right side. There we need to set the details of the valuation and the scores we intend to award for each value.
Figure 7.0
After the valuation profile is entered, enter the question priority.
Figure 8.0
Figure 9.0
Now all the configuration related to conducting the audit is complete. The following are the main objects used for the audit:
1) Audit Plan
The audit plan consists of all audits planned for a particular period of time. For
example, all audits that are to be executed in the space of one year are
defined in an annual audit plan. There is always only one current version of an
audit plan, where all date shifts and the degree of completion for the individual
audits can be found.
2) Audit
An audit, according to DIN EN ISO 9000, is a systematic, independent, and
documented process used to obtain audit results and to evaluate these results
objectively in order to determine to what extent the criteria of the audit have
been fulfilled.
3) Question List
Question lists are multilingual collections of questions that are answered during the execution of the audit. The allowed valuation can be planned for each hierarchy level.
4) Corrective Actions
These are actions that are deemed necessary to eliminate the cause of errors that were determined during the audit and to prevent the recurrence of these errors. The corrective actions to be executed must be appropriate to the effects that the particular error has on the product.
5) Preventive Actions
These are actions that are deemed necessary to eliminate the causes of
possible errors before they occur. The preventive actions to be executed must
be appropriate to the effects that the possible error could have on the product.
Execute transaction PLMD_AUDIT and first create the question list required for the audit, using the newly configured components.
Figure 10.0
For example purposes we have created questions up to 15 drill-down levels.
Figure 11.0
Attached is one real scenario from my audit question list.
Figure 12.0
Once the question list has been created, you have to release the question list.
Figure 13.0
Figure 14.0
Once the question list is attached to the audit we need to evaluate the
questions. Evaluations will be based on the configuration done in SPRO.
Evaluation:
Figure 15.0
Select the required audit. Click on the Overview button. Click the Validate
button for valuation.
Figure 16.0
The main success factor for any audit depends on the questions used for the audit. Let me add a few of the topics under which we have prepared the question list.
The main topics are;
System Overview
Security & Access Protection
Workbench Organizer
Transport System
Accessing and Logging DB Tables
Job Request Procedure
Documentations
System Logs
Batch Input Interface
Master Data Changes
Reconciling Posting Data Closing
Invoice Checking and Posting Run
Business Process Auditing
BASIS Audit
Once the audit question list is created / uploaded to SAP, the user must create a sample set of checklists to be submitted to the client. The checklist should contain:
Every company should run the audit at least twice a year to ensure that the system is working perfectly and no manipulations are done, and to ensure 100% management control over the system and thereby over the employees.
9. Documents reviewed
Review of Error logs noted and corrected during the implementation of SAP ERP.
References
ISO 27001/27002
COBIT 5
www.isaca.org
www.cisco.com
www.businessofgovernment.com
DISA 2.0 Course Background Material
www.booz.com
10. Deliverables
Once SAP is implemented, the auditor can rely on the following checklist for monitoring the implementation objectives, security controls and future changes, if any:

No. | Item | Response (Yes / No / EXP)

    … system is included in the change control procedures?
    Response: Yes / No / EXP   Reference: _
9   Whether a service level agreement process is identified by organisational policy?
    Response: Yes / No / EXP   Reference: _
    … general policies?
    Response: Yes / No / EXP   Reference: _
18  Whether interfaces are defined to independent agents involved in the conduct of the project and any other parties, such as subcontractors?
    Response: Yes / No / EXP   Reference: _
    Response: Yes / No / EXP   Reference: _
    • risk assessment and insurance consideration for loss of business in continuity situations for the IT function as well as users of resources
    • outline specific roles and responsibilities with respect to continuity planning with specific test, maintenance and update requirements
    • formal contract arrangements with vendors to provide services in event of need to recover, including back-up site facility or relationship, in advance of actual need
    • in each continuity plan minimum content to include:
      - Emergency procedures to ensure the safety of all affected staff members
      - Roles and responsibilities of the IT function, vendors providing recovery services, users of services and support administrative personnel
      - A recovery framework consistent with long-range plan for continuity
      - Listing of systems resources requiring alternatives (hardware, peripherals, software)
      - Listing of highest to lowest priority applications, required recovery times and expected performance norms
      - Administrative functions for communicating and providing support services such as benefits, payroll, external communications, cost tracking, etc., in event of need to recover
      - Specific equipment and supply needs are identified such as high speed printers, signatures, forms, communications equipment, telephones, etc., and a source
      - Various recovery scenarios from minor to loss of total capability and response to each in sufficient detail for step-by-step execution
41  Whether data classification schema is in place and being used, that all system resources have an owner responsible for security and content?
    Response: Yes / No / EXP   Reference: _
    • policy-based authentication (i.e., ability to specify separate authentication procedures for specific events)
    • on-demand authentication (i.e., ability to re-authenticate the user at times after the initial authentication)
    Response: Yes / No / EXP   Reference: _
55  Whether dial-in procedures include dial-back or token based authentication, frequent changes of dial-up numbers, software and hardware firewalls to restrict access to assets and frequent changes of passwords and deactivation of former employees' passwords?
    Response: Yes / No / EXP   Reference: _
56  Whether location control methods are used to apply additional restrictions at specific locations?
    Response: Yes / No / EXP   Reference: _
63  Whether preventative and detective control measures have been established by management with respect to computer viruses?
    Response: Yes / No / EXP   Reference: _
      … be allocated by the user departments
      - Communication of historical costs, assumptions for new costs, for understanding by users of what costs are included in chargeback
      - User sign-off on all budget costs to be allocated by IT function
      - Frequency of reporting and actual charging of costs to users
    • track allocated costs of all IT resources of, but not limited to:
      - Operational hardware
      - Peripheral equipment
      - Telecommunications usage
      - Applications development and support
      - Administrative overhead
      - External vendor service costs
      - Help desk
      - Facilities and maintenance
      - Direct/indirect costs
      - Fixed and variable expenses
      - Sunk and discretionary costs
    • for regular reporting to users on performance for the various cost categories
    • report to users on external benchmarks regarding cost effectiveness so as to allow comparison to industry expectations, or user alternative sourcing for services
    • for timely modification to cost allocations to reflect changing business needs
    • formally approve and accept charges as received
    • identify IT improvement opportunities to reduce chargebacks or get greater value for chargebacks
    Response: Yes / No / EXP   Reference: _
67  Whether reports provide assurance that chargeable items are identifiable, measurable and predictable?
    Response: Yes / No / EXP   Reference: _
68  Whether reports capture and highlight changes in the underlying cost components or allocation algorithm?
    Response: Yes / No / EXP   Reference: _
69  Whether policies and procedures relating to ongoing security and controls awareness exist?
    Response: Yes / No / EXP   Reference: _
70  Whether there is an education/training programme focusing on information systems security and control principles?
    Response: Yes / No / EXP   Reference: _
71  Whether new employees are made aware of security and control responsibility with respect to using and having custody of IT resources?
    Response: Yes / No / EXP   Reference: _
72  Whether there are policies and procedures in effect relating to training and they are current with respect to technical configuration of IT resources?
    Response: Yes / No / EXP   Reference: _
73  Whether availability of in-house training opportunities and frequency of employee attendance?
    Response: Yes / No / EXP   Reference: _
74  Whether availability of external technical training opportunities and frequency of employee attendance?
    Response: Yes / No / EXP   Reference: _
75  Whether a training function is assessing training needs of personnel with respect to security and controls, and translating those needs into in-house or external training opportunities?
    Response: Yes / No / EXP   Reference: _
76  Whether all employees are required to attend security and control awareness training on an ongoing basis that would include, but not be limited to:
    • general system security principles
    • ethical conduct related to IT
    • security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner
    • responsibilities associated with custody and use of IT resources
    • security of information and information systems when used off-site
    Response: Yes / No / EXP   Reference: _
77  Whether security awareness training includes a policy on preventing the disclosure of sensitive information through conversations (e.g., by announcing the status of the information to all persons taking part in the conversation)?
    Response: Yes / No / EXP   Reference: _
78  Whether nature of help desk function (i.e., how requests for assistance are processed and assistance is provided) is effective?
    Response: Yes / No / EXP   Reference: _
79  Whether actual facilities, divisions or departments are performing the help desk function and the individuals or positions responsible for the help desk?
    Response: Yes / No / EXP   Reference: _
82  Whether process for query escalation and management intervention for resolution is sufficient?
    Response: Yes / No / EXP   Reference: _
    • periodic evaluations of the configuration recording function
    • individuals responsible for reviewing configuration control have the requisite knowledge, skills and abilities
    • procedures exist for reviewing access to software baselines
    • results of reviews are provided to management for corrective action
    Response: Yes / No / EXP   Reference: _
92  Whether periodic review of configuration with inventory and accounting records is performed on a regular basis?
    Response: Yes / No / EXP   Reference: _
93  Whether configuration baseline has sufficient history for tracking changes?
    Response: Yes / No / EXP   Reference: _
94  Whether software change control procedures exist for:
    • establishing and maintaining licensed application programme library
    • ensuring licensed application programme library is adequately controlled
    • ensuring the reliability and integrity of the software inventory
    • ensuring the reliability and integrity of the inventory of authorised software used and checking for unauthorised software
    • assigning responsibility for unauthorised software control to a specific staff member
    • recording use of unauthorised software and reporting to management for corrective action
    • determining whether management took corrective action on violations
    Response: Yes / No / EXP   Reference: _
95  Whether process for migrating developmental applications into the testing environment and ultimately into production status interacts with configuration reporting?
    Response: Yes / No / EXP   Reference: _
96  Whether the software storage process includes:
    • defining logical and physical control of problem management information distributing outputs on a "need to know" basis
    • tracking of problem trends to maximise resources, reduce turnaround
    • collecting accurate, current, consistent and usable data inputs to reporting
    • notifying appropriate level of management for escalation and awareness
    • determining if management periodically evaluates the problem management process for increased effectiveness and efficiency
    • sufficiency of audit trail for system problems
    • integration with change, availability, configuration management systems and personnel
    Response: Yes / No / EXP   Reference: _
102 Whether emergency processing priorities exist, are documented and require approval by appropriate program and IT management?
    Response: Yes / No / EXP   Reference: _
103 Whether there are emergency and temporary access authorisation procedures which require:
    • documentation of access on standard forms and maintained on file
    • approval by appropriate managers
    • secure communication to the security function
    • automatic access termination, after a predetermined period of time
    Response: Yes / No / EXP   Reference: _
104 For data preparation:
    • data preparation procedures ensure completeness, accuracy and validity
    • authorisation procedures for all source documents exist
    • separation of duties between origination, approval and conversion of source documents into data is occurring
    • appropriate handling of erroneous source documents
    • adequate control over sensitive information exists on source documents for protection from compromise
    • procedures ensure completeness and accuracy of source documents, proper accounting for source documents and timely conversion
    • source document retention is sufficiently long to allow reconstruction in event of loss, availability for review and audit, litigation inquiries or regulatory requirements
    Response: Yes / No / EXP   Reference: _
105 For data input:
    • appropriate source document routing for approval prior to entry
    • proper separation of duties among submission, approval, authorisation and data entry functions
    • unique terminal or station codes and secure operator identification
    • usage, maintenance and control of station codes and operator IDs
    • audit trail to identify source of input
    • routine verification or edit checks of inputted data as close to the point of origination as possible
    • appropriate handling of erroneously input data
    Response: Yes / No / EXP   Reference: _
106 For data processing:
    • clearly assign responsibility for enforcing proper authorisation over data
    Whether programmes contain error prevention, detection, correction routines:
    • programmes must test input for errors (i.e., validation and editing)
    • programmes must validate all transactions against a master list of same
    • programmes must disallow override of error conditions
    Response: Yes / No / EXP   Reference: _
    … outputs is occurring
    • Output is routinely balanced to relevant control totals
    • Audit trails exist to facilitate the tracing of transaction processing and the reconciliation of disrupted data
    • Output report accuracy is reviewed and errors contained in output is controlled by cognisant personnel
    • Clear definition of security issues during output, interfacing and distribution exist
    • Communication of security breaches during any phase is communicated to management, acted upon and reflected in new procedures as appropriate
    • Process and responsibility of output disposal is clearly defined
    • Destruction is witnessed of materials used but not needed after processing
    • All input and output media is stored in off-site location in event of later need
    • Information marked as deleted is changed in such a way that it can no longer be retrieved
    Response: Yes / No / EXP   Reference: _
117 For media library:
    • Contents of media library are systematically inventoried
    • Discrepancies disclosed by the inventory are remedied in a timely manner
    • Measures are taken to maintain the integrity of magnetic media stored in the library
    • Housekeeping procedures exist to protect media library contents
    • Responsibilities for media library management have been assigned to specific members of IT staff
    • Media back-ups and restoration strategy exists
    • Media back-ups are taken in accordance with the defined back-up strategy
    • Media back-ups are securely stored and storage sites periodically reviewed regarding physical access security and security of data files and other items
    • Media and usability of back-ups is regularly verified
    • Retention periods and storage terms are defined for documents, data, programmes, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication
    • In addition to the storage of paper source documents, telephone conversations are recorded and retained - if not in conflict with local privacy laws - for transactions or other activities that are part of the business activities traditionally conducted over telephones
    • Adequate procedures are in place regarding the archival of information (data and programmes) in line with legal and business requirements and enforcing accountability and reproducibility
    Response: Yes / No / EXP   Reference: _
118 For information authentication and integrity:
    • The integrity of the data files is checked periodically
    • Requests received from outside the organisation, via telephone or VoiceMail, are verified by call-back or other means of authentication
    • A prearranged method is used for independent verification of the authenticity of source and contents of transaction requests received via fax or image system
    • Electronic signature or certification is used to verify the integrity and authenticity of incoming electronic documents
    Response: Yes / No / EXP   Reference: _
13. Conclusion/Recommendation
Recommendation # 1:
Implement targeted security monitoring over ERP support staff access in the
production environment.
Recommendation # 2:
Perform a risk assessment/cost benefit analysis over the access and system
functions that pose the greatest risks to determine which controls merit the
associated expense of generating logs or using personnel's time to regularly
review. Automated review, such as the use of scripts to identify certain
unauthorized or high risk activity should be used wherever possible to cut back
on personnel time and log retention requirements.
Recommendation # 3:
Recommendation # 4:
Recommendation # 5:
We recommend the security group clearly document technical roles within the
SAP environments and enforce Segregation of Duties between technical roles
wherever possible.
Recommendation # 7:
Access for each ERP support department staff should be restricted to only the
access that user requires to perform their day to day functions.
Recommendation # 8:
Recommendation # 10:
Unmonitored generic accounts should not exist in the production (live financial)
environment.
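Recommendations 1, 2, 7 and 10 all call for scripted review of production activity rather than manual log reading. The following is an added example of such a review (not code from this report, nor from SAP). It assumes the security log has already been exported to a CSV with the columns shown; the production client number, the user names, the list of transactions treated as high-risk, the change tickets and the log records themselves are all constructed for the illustration. Each rule maps to one recommendation: generic accounts active in the production client (Recommendation 10), support staff running a high-risk transaction in production without an approved change (Recommendation 1), and business users reaching technical transactions at all (Recommendation 7).

```python
"""Scripted review of a production security-log extract for high-risk ERP activity.
Added example, not part of the ABM report or of SAP; the log format, client
number, user names, high-risk transaction list and change tickets are assumed."""
import csv
import io
from collections import Counter

PRODUCTION_CLIENT = "100"                        # assumed: client 100 is the live financial system
SUPPORT_STAFF = {"BASIS01", "ABAP02"}            # assumed: technical ERP support users
GENERIC_ACCOUNTS = {"SAPSUPPORT", "BATCHUSER"}   # assumed: shared accounts that must not act in production
# Assumed high-risk list: table display/maintenance, ABAP editing, user and role administration.
HIGH_RISK_TCODES = {"SE16", "SM30", "SE38", "SU01", "PFCG"}
APPROVED_CHANGES = {"CHG-1042"}                  # assumed: approved change tickets for the review period

# Constructed log extract (a CSV export is assumed; this is not the SAP audit-log file format)
SAMPLE_LOG = """\
timestamp,client,user,terminal,tcode,change_ticket
2018-01-15T09:02:11,100,FIUSER07,WS-FIN-12,FB60,
2018-01-15T09:10:44,100,BASIS01,WS-IT-03,SM30,CHG-1042
2018-01-15T11:31:09,100,ABAP02,WS-IT-07,SE38,
2018-01-15T12:05:50,200,ABAP02,WS-IT-07,SE38,
2018-01-15T13:47:22,100,SAPSUPPORT,WS-IT-03,SU01,
2018-01-15T14:12:03,100,FIUSER07,WS-FIN-12,SE16,
"""


def review_log(csv_text):
    """Apply the review rules to every production record.

    Returns a list of (rule, timestamp, user, tcode) tuples in log order; a record
    raises at most one finding, the most severe rule first.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["client"] != PRODUCTION_CLIENT:
            continue  # development and test clients are out of scope for these rules
        user, tcode, ticket = row["user"], row["tcode"], row["change_ticket"]

        def hit(rule):
            findings.append((rule, row["timestamp"], user, tcode))

        # Recommendation 10: generic accounts must not be active in production at all
        if user in GENERIC_ACCOUNTS:
            hit("GENERIC_ACCOUNT_IN_PROD")
        # Recommendation 1: support staff may run high-risk transactions in production
        # only under an approved change ticket
        elif user in SUPPORT_STAFF and tcode in HIGH_RISK_TCODES and ticket not in APPROVED_CHANGES:
            hit("SUPPORT_ACCESS_WITHOUT_CHANGE")
        # Recommendation 7: business users should never reach technical transactions
        elif user not in SUPPORT_STAFF and tcode in HIGH_RISK_TCODES:
            hit("BUSINESS_USER_TECH_TCODE")
    return findings


def summarize(findings):
    """Count findings per rule so the reviewer sees trends rather than raw lines."""
    return dict(Counter(rule for rule, *_ in findings))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(*finding)
    print(summarize(review_log(SAMPLE_LOG)))
```

On the constructed extract the approved SM30 run by BASIS01 is silent, the SE38 run by ABAP02 in client 200 is ignored as non-production, and three findings remain: the unapproved SE38 run, the SAPSUPPORT generic account running SU01, and a finance user opening SE16. Running the script on a copy of the log stored outside the SAP team's reach, as Recommendation 12 requires, is what makes its output usable as evidence.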
Recommendation # 11:
Recommendation # 12:
Security logs should be stored in a location where the SAP IT teams do not have
access to modify the logs.
Recommendation # 13:
Recommendation # 14:
Recommendation # 15:
Recommendation # 16:
Create and run a periodic report across non PO invoices looking for duplicate
payments similar to the previous mitigating controls report that was in place prior
to the implementation of SAP.
Recommendation # 17:
Analyse ABM's vendor database and remove all duplicate vendor data.
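Recommendations 16 and 17 ask for a periodic duplicate-payment report over non-PO invoices and a clean-up of duplicate vendor records. The following is an added example (not code from this report, nor from SAP) of how both checks can rest on the same vendor clustering: vendors are grouped together when they share a normalised name or a normalised bank account, and invoices are then compared within a group, so that the same invoice paid once to "Acme Industrial Supplies Ltd." and once to "ACME INDUSTRIAL SUPPLIES LIMITED" is still caught. The vendor master and invoice extracts are constructed, and the legal-suffix list and the 7-day window for possible duplicates are assumptions.

```python
"""Duplicate-payment and duplicate-vendor screening over accounts-payable extracts.
Added example, not part of the ABM report or of SAP; vendor and invoice records
are constructed, and the legal-suffix list and 7-day window are assumptions."""
import re
from collections import defaultdict
from datetime import date

# Constructed vendor master extract: (vendor_id, name, bank_account)
VENDORS = [
    ("V1001", "Acme Industrial Supplies Ltd.", "IN12 3456 7890"),
    ("V1002", "ACME INDUSTRIAL SUPPLIES LIMITED", "IN1234567890"),
    ("V1003", "Bharat Tools Pvt Ltd", "IN9988776655"),
    ("V1004", "Bharat Tools Private Limited", "IN5544332211"),
]

# Constructed non-PO invoice extract: (document_no, vendor_id, vendor_invoice_ref, amount, posting_date)
INVOICES = [
    ("5000001", "V1001", "INV/2017/0456", 48250.00, "2017-11-02"),
    ("5000017", "V1002", "inv-2017-456", 48250.00, "2017-11-09"),
    ("5000023", "V1003", "BT-778", 12000.00, "2017-11-10"),
    ("5000031", "V1003", "BT-779", 12000.00, "2017-11-10"),
    ("5000040", "V1004", "BT-778", 12000.00, "2017-12-01"),
]

LEGAL_SUFFIXES = r"\b(private|pvt|ltd|limited|llp|inc)\b"  # assumed list of legal-form words to ignore


def normalize_name(name):
    """Lower-case, drop punctuation and legal-form suffixes, collapse whitespace."""
    cleaned = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    cleaned = re.sub(LEGAL_SUFFIXES, " ", cleaned)
    return " ".join(cleaned.split())


def normalize_ref(ref):
    """Split a vendor invoice reference into letter/number tokens and drop leading
    zeros, so INV/2017/0456 and inv-2017-456 compare equal."""
    tokens = re.findall(r"[a-z]+|[0-9]+", ref.lower())
    return "-".join(t.lstrip("0") or "0" for t in tokens)


def vendor_clusters(vendors):
    """Union-find over vendors that share a normalised name or bank account.
    Returns {vendor_id: cluster_id}; the cluster id is the lowest vendor id in it."""
    parent = {vid: vid for vid, _, _ in vendors}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[max(ra, rb)] = min(ra, rb)

    by_name, by_bank = {}, {}
    for vid, name, bank in vendors:
        for index, key in ((by_name, normalize_name(name)), (by_bank, bank.replace(" ", "").upper())):
            if key in index:
                union(vid, index[key])
            else:
                index[key] = vid
    return {vid: find(vid) for vid in parent}


def duplicate_vendors(vendors):
    """Groups of vendor ids that appear to be the same supplier (Recommendation 17)."""
    groups = defaultdict(list)
    for vid, root in vendor_clusters(vendors).items():
        groups[root].append(vid)
    return [sorted(g) for g in groups.values() if len(g) > 1]


def duplicate_payments(invoices, vendors, window_days=7):
    """Exact duplicates share vendor cluster, normalised reference and amount; possible
    duplicates share cluster and amount under a different reference within window_days
    (Recommendation 16). Returns (exact, possible) as lists of document-number pairs."""
    clusters = vendor_clusters(vendors)
    seen, exact, possible = {}, [], []
    for doc, vid, ref, amount, _ in invoices:
        key = (clusters[vid], normalize_ref(ref), round(amount, 2))
        if key in seen:
            exact.append((seen[key], doc))
        else:
            seen[key] = doc
    for i, a in enumerate(invoices):
        for b in invoices[i + 1:]:
            same_vendor = clusters[a[1]] == clusters[b[1]]
            same_amount = round(a[3], 2) == round(b[3], 2)
            different_ref = normalize_ref(a[2]) != normalize_ref(b[2])
            days_apart = abs((date.fromisoformat(a[4]) - date.fromisoformat(b[4])).days)
            if same_vendor and same_amount and different_ref and days_apart <= window_days:
                possible.append((a[0], b[0]))
    return exact, possible


if __name__ == "__main__":
    print("duplicate vendors:", duplicate_vendors(VENDORS))
    print("duplicate payments (exact, possible):", duplicate_payments(INVOICES, VENDORS))
```

On the constructed data both vendor pairs are grouped (the Acme pair by name and bank account, the Bharat Tools pair by name only), two exact duplicate payments are reported, and the two same-day BT-778/BT-779 invoices for the same amount surface as a possible duplicate for follow-up. The pairwise comparison is quadratic, which is fine for a monthly non-PO population; for a full-year ledger the invoices would first be grouped by vendor cluster and amount.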
Recommendation # 18:
Recommendation # 19:
Recommendation # 20:
Develop a training schedule for specific requirements based on the results of the
Recommendation # 21:
Make the training schedule available to ABM Employees, using means such as
email or the ABM’s intranet site. Further, a method for feedback after each
training should be provided, such as a survey, to ensure the trainings remain
effective.
Recommendation # 22:
Recommendation # 23:
Ensure that skilled employees have scheduled dedicated time to train users in
their respective proficiency.
This report is issued upon the request of management and to the best of our
knowledge & belief. This report is issued without any prejudice & subject to terms
& conditions of the engagement. Thanking & assuring you best of our attention
at all points.