
Project Report of DISA 2.0 Course

CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

Ranchi from 28.05.2016 to 19.06.2016 and we have the required attendance. We are submitting
the Project titled: Information Systems Audit of ERP Software

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

Group No:12

1. Name……BRIJ KISHORE ….……DISA No:48426 Signed…………………….…………

2. Name……MAYUR SARDA………..DISA No:48431 Signed…………………….…………

3. Name……VIVEK KHOWAL………DISA No:48437 Signed…………………….…………

Place:RANCHI

Date: 13.07.2016
Table of Contents

Details of Case Study/Project(Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
Project Report
Title: Information Systems Audit of ERP Software

A. Details of Case Study/Project (Problem)

B. Project Report (solution)

1. Introduction

Peacock Ltd. is a multinational company which operates a chain of supermarkets. It is one of the
largest retail conglomerates in India with a diverse portfolio of retail and hospitality brands.
The company provides a value-driven product range for the entire family through an extended
portfolio of core retail brands. Its unique value proposition is that it offers a one-stop shopping
destination, catering to all the daily needs of a consumer by providing grocery, fruits &
vegetables, meat & fish, wine & spirits, kitchenware, electronics, apparel, health & beauty,
furniture and much more under one roof. It has recently implemented an ERP solution which
integrates all the stores across the country. Due to a recent spate of errors discovered in billing
and shortages of inventory, the CFO is increasingly concerned about the overall reliability and
security of the IT environment.

The following are the policies and procedures implemented by the company and reviewed by us
during the course of our audit:

1. Data Classification
2. Acceptable use of Information Assets
3. Physical access and Information Security
4. Asset Management Policy
5. Business continuity Management Policy
6. Network Security and Password Policy
Excellence, Integrity and Independence, the Motto of our Institute of Chartered Accountants of
India, is the ultimate objective of the Firm in all its professional commitments.

XYZ & Associates is focused on creating sustainable value growth for its clients through
innovative solutions and unique pathways. It is our firm belief that we grow when we see our
clients' growth. Our values are at the heart of our business reputation and are essential to our
continued success. We encourage an environment that infuses these values into every aspect of our
organization.

- Customer first
- Corporate Relationship
- Professionalism
- Commitment
- Quality Priority

XYZ & Associates is a professionally managed concern with a competent team of professionals
from various disciplines. Having branches all over India, our firm is committed to providing the
whole range of management consultancy services, including Valuations, Taxation, Specialised
Audits, Information System Audit, Risk Advisory and Corporate Training services. We integrate
our capabilities with those of our clients to drive business process effectiveness with the
objective of increasing efficiency and improving business outcomes. We see our relationships
with clients as strategic, long term and enduring. We are constantly striving to uphold the
highest professional standards, provide sound advice and rigorously maintain our independence.
Our core values help our team to work together in the most effective and fulfilling way.

Our team consists of the following members, with their qualifications and experience in their
respective fields. Our Team Leader is the founder member of the firm:

Name : CA. X
Designation : Founder and Senior Partner in XYZ & Associates

Year of Completion : 2007 (C.A)

Qualification : B.Com (H), FCA


Work Experiences : Statutory Audits, Internal Audits, Taxation, Consultancy, Financial Project,
Matters relating to Companies, ROC Filing, TDS, E-Filing etc.

Social Activities : Member of Rotary Club (South), active in government departments.

Name : CA. Y
Designation : Senior Partner in XYZ & Associates

Year of Completion : 2008 (C.A)

Qualification : B.Com (H), FCA, CISA, DIRM, CIMA (US)

Work Experiences : ISA, Statutory Audits, Internal Audits, Financial Project, Matters relating to
Companies, ROC Filing, TDS, E-Filing etc.

Social Activities : Member of Banking Committee; Member of Rotary Club (South), active in
government departments.

Name : CA. Z
Designation : Senior Partner in XYZ & Associates

Year of Completion : 2010 (C.A)

Qualification : B.Com (H), ACA, ACS, L.L.B, CFA (US), CFA (INDIA)

Work Experiences : Statutory Audits, Internal Audits, Taxation, Consultancy, Financial Project,
Matters relating to Companies, ROC Filing, TDS, E-Filing etc.

2. Auditee Environment

Peacock Ltd. is a multinational company which operates a chain of supermarkets. It is one of the
largest retail conglomerates in India with a diverse portfolio of retail and hospitality brands.
Its operations can be classified as follows. The corporate IT environment to be audited consists
of three distinct platforms. The mainframe platform is an IBM mainframe system which provides
the primary financial and sales applications. The open systems platform consists of UNIX servers
running a variety of applications and databases, including SAP/Payroll on an Oracle database, a
logistics management system and a stores management system. The PC and terminals network
platform comprises a combination of Windows servers used for file and print services,
communication services and gateway services. Mainframe access is granted through Windows
servers, and UNIX servers are accessed through terminal emulation.

Corporate workstations are primarily running Windows 7. The corporate location is home to
approximately 300 employees and the company employs approximately 5,000 people. IT
services are critical to the company, as all the critical business operations are reliant on
computers. The company has its main data centre at Pune and a backup data centre at Noida,
with all critical data and operations available in the mirrored backup data centre. The company
has a specialized IT department with more than 50 IT professionals who are responsible for
keeping IT running. It has outsourced maintenance of the network and network security to a
well-known IT company. It has specific documented policies and procedures for all key areas of IT
operations and business processes, but these are not integrated.

The following are the policies and procedures implemented by the company and reviewed by us
during the course of our audit:
1. Data Classification
2. Acceptable use of Information Assets
3. Physical access and Information Security
4. Asset Management Policy
5. Business continuity Management Policy
6. Network Security and Password Policy
7. Information Security Policy
Regarding the Information Security Policy: information security is a business issue and needs to
be properly integrated into the organization's overall business goals and objectives, because
security issues can negatively affect the resources an organization depends upon. The objectives
of information security are to provide confidentiality, integrity and availability (CIA).

3. Background

Accordingly, the Information Systems Audit and Security cell prepares the Information Systems
Audit policy. The fundamental principle is that risks and controls are continuously evaluated by
their owners, where necessary with the assistance of the IS Audit function. It has now become
impossible to separate information technology from any business. There is a need for focused
attention on the issues of corporate governance of information systems in a computerized
environment and on the security controls to safeguard information and information systems. The
developments in information technology have a tremendous impact on auditing. A well-planned
and structured audit is essential for risk management and for monitoring and controlling
information systems in any organization. The senior management of the company, and specifically
the CIO, is concerned about the reliability of technology and the impact of its failure. A series
of discussions were held with the IS Audit team. Based on these, the scope of the IS Audit has
been defined. The Enterprise Security Audit has to include such tests as are considered necessary
to evaluate whether the selected procedures and policies are sufficient to provide reasonable
assurance that the required controls are available, adequate and appropriate.

1.2 Audit Objectives

Auditing is a systematic and independent examination of the information systems environment to
ascertain whether the objectives set out to be achieved have been met or not. Auditing is also
described as a continuous search for compliance. The objective of the IS audit is to identify the
risks that an organization is exposed to in the computerized environment. The IS audit evaluates
the adequacy of the security controls and informs management with suitable conclusions and
recommendations. The IS audit is an independent subset of the normal audit exercise. Information
systems audit is an ongoing process of evaluating controls and suggesting security measures for
the purpose of safeguarding assets and resources, maintaining data integrity, and improving
system effectiveness and efficiency so as to attain organizational goals. A well-planned and
structured audit is essential for risk management and for monitoring and controlling information
systems in any organization.

1.2.1 Safeguarding IS assets

The information systems assets of the organization must be protected by a system of internal
controls. This includes protection of hardware, software, facilities, people, data, technology,
system documentation and supplies, because hardware can be damaged maliciously, software and
data files may be stolen, deleted or altered, and supplies of negotiable forms can be used for
unauthorized purposes. The IS auditor will be required to review the physical security over the
facilities, the security over the systems software and the adequacy of the internal controls. The
IT facilities must be protected against all hazards, whether accidental or intentional.

1.2.2 Maintenance of Data Integrity

Data integrity includes the safeguarding of the information against unauthorized addition,
deletion, modification or alteration. The desired features of the data are described hereunder:

a. Accuracy: Data should be accurate. Inaccurate data may lead to wrong decisions and
thereby hinder the business development process.

b. Confidentiality: Information should not lose its confidentiality. It should be protected from
being read or copied by anyone who is not authorized to do so.

c. Completeness: Data should be complete.

d. Reliability: Data should be reliable, because all business decisions are taken on the basis of
the current database.

e. Efficiency: The ratio of the output to the input is known as efficiency. If output is more with
the same or less actual input, system efficiency is achieved; otherwise the system is inefficient.
If computerization results in the degradation of efficiency, the effort of making the process
automated stands defeated. IS auditors are responsible for examining how efficient the
application is in relation to the users and the workload.

4. Situation

We found management was generally quick and proactive in identifying and addressing risks in
project management, integration testing, and data conversion, cut-over, and retiring legacy
systems. However, while the company made improvements in security, the company remains at
risk. Furthermore, we found additional improvements are needed in payment controls and the
company requires more focus on employee training in order to fully utilize the company’s
significant investment in the system.

5. Terms and Scope of assignment

The primary objective of the assignment is to conduct Information Systems Audit of ERP
implementation and develop related IS Audit checklists for future use, through external
consultants by using the globally recognized IS Audit standards and best practices. The IS audit
of ERP would be with the objective of providing comfort on the adequacy and appropriateness
of controls and mitigate any operational risks thus ensuring that the information systems
implemented through ERP provide a safe and secure computing environment. Further, specific
areas of improvement would be identified by benchmarking with the globally recognized best IT
practices of COBIT framework. The initial assignment could primarily focus on the identified
areas of ERP Implementation. The proposed scope of review and the terms of reference as laid
down in the following paragraphs are given in annexure.

A. Review of IT Resources as relevant

a. Operating Software: Access controls
b. Telecommunications Software: Access Controls
c. RDBMS Database: Access Controls
d. SAP - Major focus area: Configuration of Parameters and Access Controls
e. Application controls at various stages such as Input, Processing, Output,
Storage, Retrieval and Transmission so as to ensure Confidentiality, Integrity and
Availability of data.

B. Organization structure, policies, procedures and practices as mapped in the information
systems.

C. Review of policies, procedures and practices as relevant to areas of audit.

2. Audit in Computerized Environment

2.1. Understanding Computerized Environment

In this section we explain how a computerized environment changes the way business is
initiated, managed and controlled. Information technology helps in the mitigation and better
control of business risks, and at the same time brings along technology risks. Computerized
information systems have special characteristics which require different types of controls.
Technology risks are controlled by general IS controls and business risks are controlled using
application controls. Even though the controls are different, the objectives of the audit function
do not change whether information is maintained in a computerized environment or a manual
environment; only the tools and techniques are different.

The changes in control and audit tools and techniques have resulted in new methods of audit.
The internal controls are mapped onto the technology. These controls and their mapping need to
be understood, as do the methods to evaluate and test these controls. This requires new skills to
work effectively in a computerized environment. These new skills fall into three broad areas:

First, understanding of computer concepts and system design;

Second, understanding the functioning of the Accounting Information System (AIS), an ability to
identify new risks, and understanding how the internal controls are mapped onto the computers to
manage technology and business risks;

Third, knowledge of the use of computers in audit.

2.2 . Accounting Information Systems in Computerized Environment

In this section we bring out the fact that the Accounting Information System in the manual and
the computerized environment is not the same. In the computerized environment accounting
records are kept in computer files, which are of three types, namely master file, parameter file
and transaction file. This classification is not based on the types of records but on the need and
frequency of updating and the level of security required. File and record security is implemented
using the facilities provided by the operating system, database and application software.

With the increasing use of information systems, transaction processing systems (TPS) play a vital
role in supporting business operations, and many a time a TPS is actually an AIS. Every
transaction processing system has three components: input, processing and output. Since
information technology follows the GIGO (garbage in, garbage out) principle, it is necessary that
input to the system be accurate, complete and authorized. This is achieved by automating the
input. A large number of devices are now available to automate the input process for a TPS.
There are two types of TPS: batch processing and on-line processing. The documents, controls
and security implementation are different for each.

COBIT (Control Objectives for Information Technology) is an internal control framework
established by ISACA for an information system. COBIT can be applied to the Accounting
Information System. To apply the COBIT framework an organization should:

- Define the information system architecture
- Frame security policies
- Conduct technology risk assessment
- Take steps to manage technology risks like

2.4. Concept of Security

In this section we discuss the concept of security in detail. IS resources are vulnerable to
various types of technology risks and are subject to financial, productivity and intangible
losses. Resources like data actually represent the physical and financial assets of the
organization. Security is a control structure established to maintain confidentiality, integrity
and availability of data, application systems and other resources.

A few principles need to be followed for effective implementation of information security. These
are: accountability, which means clear apportionment of duties, responsibilities and
accountability in the organization; creation of security awareness in the organization;
cost-effective implementation of information security; integrated efforts to implement security;
periodic assessment of security needs; and timely implementation of security. Information
security is implemented using a combination of general IS controls and application controls.
General IS controls include implementation of security policy, procedures and standards,
implementation of security using systems software, business continuity plan and information
systems audit.

6. Methodology and Strategy adapted for execution of assignment

Linkage to Standards

Standard 060 (Performance of Audit Work) states "During the course of the audit, we obtain
sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and
conclusions are to be supported by appropriate analysis and interpretation of this evidence."

Standard 050 (Planning) states "As per the standard we plan the information systems audit
coverage to address the audit objectives and to comply with applicable laws and professional
auditing standards."

Standard 030 (Professional Ethics and Standards) states "We exercise due professional care,
including observance of applicable professional auditing standards."
7. Documents reviewed

During our audit period relating to the information system, we verified the following documents:

1. Conceptualization of SDLC.

2. SAP ERP modules

3. Policies and Procedures of Information Security of the company

4. Licenses of software implemented in the company.

5. Vendors Contracts

6. Biometric Devices Reports

7. AMC Contracts

8. Business Continuity Policies

9. Disaster Recovery Policies of the company.

10. Physical Access Control Policy

11. Logical Access Policy

12. Hardware Breakdown Register

13. Errors and Omission Registers

14. AMC Registers

8. References

1. Compendium of Standards on Internal Audit
2. System Development Life Cycle (Module 5, Section 2)
3. COBIT Standards
4. ISO 27001, ISO 38500, ISO 31000
5. www.bsa.org
6. www.itassetsmanagement.net
7. www.google.com
8. www.isaca.org
9. www.businessdicitionary.com

Deliverables
1 Environmental Controls:

Check | Compliance Status (Yes / No) | Remarks
Whether switch/router cabinet is inaccessible to unauthorized users. | YES |
Switch/router is housed in a separate enclosure with proper locking facilities. | YES |
Adequate movement space is available for maintenance function in computer room. | YES |
Check whether the printer is separated from computer room or kept in separate room / enclosure. | YES |
Fans, air conditioners are not connected to the UPS outlets to which computer systems are connected. | YES |
Proper earthing is provided to UPS & computers. Date of last inspection should be noted. | YES |
Batteries of UPS are kept away from UPS. | YES |
UPS backup supports maximum possible uninterrupted power supply. | YES |
Check whether branch has tested the performance / functioning of UPS and proper record is maintained. | YES |
Redundant / alternate power supply (generator etc.) is provided. | YES |
Check whether electric wiring is concealed and is not hanging from ceiling or nodes. | YES |
All LAN points are labelled as per points from switch / hub. | YES |
Data cable diagram / map is obtained from the vendor and kept in a secure place. | YES |
Check whether electric cable and data cable do not cross each other, to avoid possible disturbance during data transfer within the network. | YES |
Smoking, drinking and eating near computer systems is prohibited. | YES |
Appropriate fire alarms, smoke detection systems and fire extinguishers are provided in branch. | YES |
Proper training on the use of fire extinguishers is provided to staff. | YES |
Check whether branch has tested the smoke detector. | YES |
Annual maintenance contracts are in force with the vendors for hardware and software. | YES |

2 Physical access controls:

Check | Compliance Status (Yes / No) | Remarks
Whether the Information System facility is located in the least accessible area and/or access is limited to approved personnel only? | YES |
Whether the access and authorization policies on the following are adequate: entering / leaving, escort, registration, visitor passes, surveillance cameras. | YES |
Whether the physical access control procedures are adequate for employees, vendors, auditors, equipment and facility maintenance staff? | YES |
Whether periodic review of access profiles is carried out? | NO |
Whether the revocation, response and escalation process in the event of a security breach is appropriate? | YES |
Appropriate holidays and vacation are availed by the IT staff and all the staff members in general. | YES |
Whether appropriate access controls like password, swipe card, biometric devices etc. are in place and adequate controls exist for storing the data / information on them? | YES |

3 Logical access controls:

Check | Compliance Status (Yes / No) | Remarks
Check whether confidentiality of passwords is maintained among various users. | NO | Confidentiality should exist for data integrity.
Does the software force the user to change the password at set periodical intervals? | YES |
Whether transferred / unauthorized users are not present in the particular SOL. | YES |
Confirm whether a user is not allotted more than one USER_ID in the company (none of the staff members has multiple-level or duplicate access IDs in the system). | YES |
Invalid log-in attempts log and exceptional transactions are scrutinized regularly and kept under dual custody. | YES |
Confirm that creation / deletion of users is authorized by authorized persons. | YES |
Confirm that there is no dummy user ID existing in the system. | YES |
Apart from the approved request forms, the company should be maintaining a user profile register with details such as employee name, designation, employee number, date of joining the company, date of creation of user ID, date of deletion of user ID, signature of the user, and initials of the authorized officer. | YES |
Verify whether the above-mentioned register is maintained. All the entries in the register should be accounted for in the list of active user IDs obtained from the operating system, and relievers' user IDs are disabled when not in use. | YES |
Verify who can do the user profile maintenance. Does the system give users other than officers the facility to do user profile maintenance? | YES |
Whether the parameter to control the maximum validity period of passwords is set to 14 days. If not, what is the validity period? | NO | It was set to 5 days.

4 Operating system controls:

Check | Compliance Status (Yes / No) | Remarks
Whether the company holds the original license for using the operating system software / application software other than centralized software? | YES |
Whether the original operating system media supplied by the vendor is available in the company? | YES |
Verify that all the manuals and user guides provided by the vendor are recorded at the time of supply of the system and ensure whether all are physically available. | YES |
System configuration like memory, hard disk size and operating system version is as per the terms stipulated by H.O. at the time of procurement. | YES |
Latest versions / patches released are updated on the system, including anti-virus. | NO |

5 Application Software controls:

5.1 Input controls:

Check | Compliance Status (Yes / No) | Remarks
Whether each transaction is recorded in such a way that it can be subsequently established that it has been input (e.g., transaction ID on vouchers etc.)? | YES |
Control procedures to ensure that all recorded transactions are: input to the system and accepted once and only once; and, if transactions are deleted, reported as deleted. | YES |
Data input in batch mode is reconciled as per the controls provided. | YES |
Maker / checker and exception recording is in place. | YES |
Consistency / concurrency of user inputs, if two users are accessing the same record at the same time. | YES |
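The input controls in the checklist above (once-and-only-once acceptance, reporting of deletions, batch reconciliation, maker / checker and exception recording) can be exercised against a sample batch to show what each control catches. The following is an added example and not code from the audit report or from the ERP under audit; the batch header, the transactions, the user names and the record layout are all constructed, and the control-total convention (record count and hash total over every submitted record, deletions included) is an assumption about how the batch is prepared at source.

```python
"""Batch input controls for a transaction processing system. Added example;
the batch header, transactions and names are constructed sample data."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass
class Txn:
    txn_id: str             # transaction ID recorded on the voucher
    amount: Decimal
    maker: str              # user who entered the transaction
    checker: Optional[str]  # user who authorized it; None if not yet checked
    deleted: bool = False   # flagged for deletion after input


# Constructed sample batch. The header carries the record count and hash total
# prepared at source (assumed to cover every submitted record, deleted ones
# included), against which the entered records are reconciled.
BATCH_HEADER = {"record_count": 5, "hash_total": Decimal("1350.00")}
BATCH = [
    Txn("T001", Decimal("500.00"), "clerk1", "officer1"),
    Txn("T002", Decimal("250.00"), "clerk1", "clerk1"),    # maker checked own entry
    Txn("T002", Decimal("250.00"), "clerk2", "officer1"),  # repeated transaction ID
    Txn("T003", Decimal("250.00"), "clerk2", "officer1", deleted=True),
    Txn("T004", Decimal("100.00"), "clerk2", None),        # not yet checked
]


def reconcile_batch(header, batch):
    """Batch reconciliation: the record count and hash total of the entered
    records must equal the control totals in the batch header."""
    count_ok = len(batch) == header["record_count"]
    total_ok = sum((t.amount for t in batch), Decimal("0")) == header["hash_total"]
    return count_ok and total_ok


def process_batch(header, batch):
    """Apply the once-and-only-once, deletion-reporting and maker/checker
    controls; returns accepted IDs, reported deletions and the exception log."""
    result = {
        "batch_reconciled": reconcile_batch(header, batch),
        "accepted": [],
        "deleted": [],
        "exceptions": [],
    }
    seen = set()
    for t in batch:
        if t.txn_id in seen:
            # Accepted once and only once: a repeated ID is logged, not posted.
            result["exceptions"].append((t.txn_id, "duplicate transaction ID"))
            continue
        seen.add(t.txn_id)
        if t.deleted:
            # Deleted transactions are reported so the trail shows they existed.
            result["deleted"].append(t.txn_id)
            continue
        if t.checker is None:
            result["exceptions"].append((t.txn_id, "not checked"))
            continue
        if t.checker == t.maker:
            result["exceptions"].append((t.txn_id, "maker and checker are the same user"))
            continue
        result["accepted"].append(t.txn_id)
    return result


if __name__ == "__main__":
    outcome = process_batch(BATCH_HEADER, BATCH)
    print("batch reconciled:", outcome["batch_reconciled"])
    print("accepted:", outcome["accepted"])
    print("reported as deleted:", outcome["deleted"])
    for txn_id, reason in outcome["exceptions"]:
        print(f"exception {txn_id}: {reason}")
```

On the constructed batch the header totals reconcile, only T001 is accepted, T003 is reported as deleted, and three exceptions are logged: T002 checked by its own maker, the second T002 as a duplicate ID, and T004 as unchecked. The exception log is the record the checklist expects to be kept and scrutinized; a batch whose header totals do not reconcile is the case to hold back before any posting.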

5.3 Output controls:

Check | Compliance Status (Yes / No) | Remarks
Format, content, accuracy and utility of the reports generated by the system are verifiable. | YES |
Outputs cannot be generated by all users; it should be on a 'need to know' basis. | YES |
Application is keeping adequate controls over computer-generated outputs lying in the print queue. | YES |
Output contains the key control information necessary to validate the accuracy and completeness of information contained in the report. | YES |
All the important reports carry page number, date, time stamp and who has generated the report. | YES |

END
