By CA Huzeifa I. Unwala,
Partner, NMAH & Associates, Chartered Accountants
Internal Control, Information Technology and Internal
Audit/ Audit under ERP System
November 23, 2013
Topics for discussion
• True or False
• Concept of Internal Controls in IT environment
• Case Studies
• Example of Risk & Control Matrix
• ERP initiative should be owned by the IT department as there is a lot of technology involved
True or False
• Trade secrets/ IP/ Breach of Sensitive data
• Direct business losses on account of IT/ Computer environment related errors, IT investments
• Growth dampener/ hurdle/ pace of growth
• Attract and retain good talent
• Inefficient business processes
• Fraud risks
Key Note:
In today’s environment, financial reporting processes are driven by IT systems. Such systems, whether ERP or otherwise, are deeply integrated in initiating, authorizing, recording, processing and reporting financial transactions. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes.
WHY Control Technology?
HOW to Control Technology [COBIT Framework]?
BUSINESS AND IT CONTROLS
The enterprise’s system of internal controls impacts IT at three levels:
• Executive Management Level: Business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.
• Business Process Level: Controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.
• Support Level: IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardise (accidentally or deliberately) the reliability of automated integrity checks.
• IT Governance Mechanisms
• Appropriate authority structure
• IT Risk Assessment – identification of points of failure/ what can go wrong
• Consistent Preventive, Corrective, Monitoring Actions
• De-risk vendor dependence
• Not to tamper with source codes/ ABAP/ programming languages
• Hire or acquire relevant competencies
Learning to Control Technology?
ERP environment
ERP Application Modules
ERP System and Configuration
DBM System
Operating Systems
Other Internal Systems Linkages
Other External Systems Linkages
Risks in an ERP Environment
• Poor implementation
• Go live becomes Go leave
• Incorrect master creation and maintenance
• Conflicting roles/ duties
• Unauthorised access
• Cascading of errors (Domino effect of errors)
• Repetition of errors
• Incorrect entry of data
• Inadequate security practices
• Over reliance on vendors
• Remote access
• Access to sensitive codes/ transactions
Illustrative
Usual Internal Control Deficiencies
• Sharing of user id and passwords
• Duplicate vendors
• Unreconciled intermediate accounts
• Final statements outside the system
• Out of book valuations and adjustments
• Excess credit limits
• Duplicate customer codes
• Incomplete masters
• Poor audit trails because relevant customizations are lacking
• Data integrity issues
Illustrative
• Value lies in monitoring of readiness and preparedness to protect organisations from collateral damage
True or False
INTERNAL CONTROL IS DEFINED
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations
A process consisting of on-going tasks and activities. Policies and procedures exist to effect control.
Effected by people.
Able to provide reasonable assurance, not absolute assurance.
Geared to the achievement of objectives in one or more separate but overlapping categories. The categories are:
- Effectiveness and efficiency of operations
- Reliability of reporting (internal, external and non-financial)
- Adherence to laws and regulations
Adaptable to the entity structure. IC can be applied as per management’s decision in the context of legal requirement, operating model, entity structure or a combination of these.
Understanding Internal Control
The 5 Components of IC
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities
Control Environment (Principles)
1. Organization demonstrates a commitment to integrity and ethical values
2. Board demonstrates independence
3. Management establishes oversight, reporting lines and authority structure
4. Organization demonstrates a commitment to attract, develop and retain competent individuals
5. Individual accountability for IC responsibilities
Risk Assessment (Principles)
Risk specific objectives
Risk identification and analysis
Consider the potential for fraud
Identify and assess changes that could significantly impact the system of internal control
Control Activities (Principles)
Organization selects and develops control activities that contribute to the mitigation of risks
Organization selects and develops general control activities over technology that contribute to the mitigation of risks
Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies
Information and Communication (Principles)
Information generation and use
Internal communications
External communications
Monitoring Activities (Principles)
Organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of IC exist and function
Communicates IC deficiencies
Components of Internal Control / System of IC
Control Activities – 3 Principles and 16 attributes
► Selects and Develops Control Activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Integrates with Risk Assessment
- Determines Relevant Business Processes
- Considers Entity-Specific Factors
- Evaluates a Mix of Control Activity Types
- Considers at What Level Activities Are Applied
- Addresses Segregation of Duties
► Selects and Develops General Controls over Technology: The organization selects and develops general control activities over technology to support the achievement of objectives.
- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
- Establishes Relevant Technology Infrastructure Control Activities
- Establishes Relevant Security Management Process Control Activities
- Estimates Significance of Risks Identified
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities
Control Activities (Principles)
► Selects and Develops Control Activities
► Selects and Develops General Controls over Technology
► Deploys through Policies and Procedures
Business Application Controls
Source Data Preparation and Authorisation: Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect errors and irregularities so they can be reported and corrected.
Source Data Collection and Entry: Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.
Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.
Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
Output Review, Reconciliation and Error Handling: Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the output is used.
Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
Useful Internal Control related displays in SAP environment (Illustrative)
• To identify customized programs that have not been assigned to an authorization group: Run report RSUSR002 through Table TRDIR using T-Code > SE16
• Check that “Duplication Check” is activated in customer master data: T-Code > OBB2
• Check that “Duplication Check” is activated in vendor master data: T-Code > OBB3
• For incomplete customer accounts in Financial Accounting (FI): Run Report RFDKAG00 using T-Code > SE38
• For incomplete accounts in Sales & Distribution (SD): Run Report RFDKAG00 using T-Code > SE38
• For incomplete vendor accounts in Financial Accounting (FI): Run Report RFKKAG00 using T-Code > SE38
• For incomplete accounts in Material Management (SD): Run Report RFKKAG00 using T-Code > SE38
• To view changes to all customer master records: Run Report RFDABL00 using T-Code > SE38
• To view changes to all vendor master records: Run Report RFKABL00 using T-Code > SE38
• Changes made to General Ledgers in Company code segment can be identified: T-Code > FSS4
• Changes made to General Ledgers in Chart of Accounts segment can be identified: T-Code > FSP4
• Monitoring of one time vendor activity: T-Code > F40 and T-Code > FBL2N
• Activating the “Chk double inv” indicator on the Payments in Accounting screen in the vendor master: T-Code > FK02
Useful Internal Control related displays in SAP environment (Illustrative)
• To display changes made to Credit management: Run Report RFDKLIAB using T-Code > SE38
• To change Customer Master Data (FI): T-Code > FD02
• To change Customer Master Data (SD): T-Code > VD02
• To change Customer Master Data (Centrally): T-Code > XD02
• List of customers for which no credit limit has been entered: T-Code > F.32
• The Customer Open Item Analysis (days overdue analysis) report: Run Report RFDOPR10 using T-Code > SA38
• Extract manual journal entries: T-Code > SE38 > RFBELJ00
• Extract the list of adjustments passed in consolidation: T-Code > CX58
• Identify slow moving stock: T-Code > MC46
• Identify dead stock (stock that has not been used for a certain period of time): T-Code > MC50
• Outstanding purchase orders: T-Code > ME2L
• Goods receipt against purchase orders not known: T-Code > MB0A
Case Study – Project Audit in ERP Environment
Background: The client was assigned to provide Detailed Engineering, Supply, Installation, Testing, Commissioning and handing over of Electrical Works as per the specifications, Bill of Quantities and Terms and Conditions of the LOI for one of the new Airport facilities.
The scope involved project auditing in an ERP environment: review of Project Site, Procurement, Labour, Time / Cost Escalations from Budgets, Cash Expenditure and Custody Controls, Claims and Liabilities, Project Invoicing and Collections, Quality, Project Management and Site Assets / Equipment. The overall objective of the project audit was to determine the effectiveness of key controls as identified with Management and walkthrough of processes relating to the operations, and to identify any improvement opportunities.
The client had implemented SAP.
Process & Control Weaknesses in ERP Environment

1. BOQ creation Process
Sr No. | Details of Observation | Number | Unit | Amount Involved
1 | Change in BOQ | 29 | Times |
2 | Difference in quantity on comparison of BOQ & PO items | 59 | Instances |
3 | Difference in rate on comparison of BOQ & PO items | 17 | Instances |
4 | Non BOQ items – Approval taken from Principal Contractor | 1165 | Items |

2. Purchase Requisition
Sr No. | Details of Observation | Number | Unit | Delay | Amount Involved
1 | Open PR | 4 | Instances | |
2 | PR release before PR creation – SAP STD Bug | 6 | Instances | Range of 11-69 days |

3. Vendor Selection Process
Sr No. | Details of Observation | Number | Unit | Amount Involved
1 | Awarding orders to vendors who provided a higher quote than available vendors with a lower quote | 4 | Instances |

4. Purchase Ordering Process
Sr No. | Details of Observation | Number | Unit | Delay | Amount Involved
1 | Delay between PR release and PO creation | 77 | Instances | Up to 198 days |
2 | Another PO raised in spite of open PO available for same vendor and for same materials | 12 | Instances | |
3 | PO creation before PR release – SAP STD Bug | 10 | PO | Range of 1-149 days |

5. Project Site Observation
Sr No. | Details of Observation | Number | Unit | Delay | Amount Involved
1 | Date of Delivery not mentioned on the GRN | 9 | Instances | Out of 10 sample selection |
2 | GRN not available with Debit Note | 7 | Instances | Out of 12 |
3 | GRN not available with Invoice | 3 | Invoices | Out of 10 sample selection |
4 | No authorization on GRN | 11 | Instances | Out of 11 sample selection |
5 | Delay in preparation of GRN and sending the same to HO | | | |

6. GRN Process
Sr No. | Details of Observation | Number | Unit | Delay
1 | Time Lag in preparation of MIR | 18 | Instances | Out of 22 sample selection
2 | Maintenance of Fire Extinguishers and Physical Security | 4 | Instances |
3 | Approval of Consultant not available | 7 | Instances | Out of 22 sample selection
Case Study – Outsourced Account Payable Process in ERP
Background:
Payment process review (for categories other than Edible Material, Packing Materials and Capital expenditure only). We assessed the adequacy of the control environment for both PO and non-PO based payments. The review included the following sub-processes:
• Invoice verification by the users (availability of evidence of procurement of service/materials, system interface)
• Payment processing by the outsourced service provider (basis for processing, authorizations, etc.)
• Payment authorization by the Central office
Transactions’ review: We reviewed the following aspects of the payment transactions:
• Existence of order/contract in the system with requisite terms
• Supporting for receipt of goods / services
• Evidence of the quality/quantity of receipt
• GRN / service entry
• 3 way match (order, GRN and invoice)
• Authorization for payments
• Control over payments – correct vendor and correct amount
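The sequencing weaknesses tabled in the project audit above (PR released before it was created, PO created before PR release, long gaps between PR release and PO creation) and the 3 way match listed under the transactions’ review can both be expressed as automated checks over the purchasing documents. The following Python is an added example written for this page; it is not code from the presentation or from SAP. The record layout, the 30-day PR-to-PO threshold and the 1% rate tolerance are assumptions, and every document in it is constructed sample data.

```python
"""Procure-to-pay control checks: document sequencing and three-way match.

Added illustration written for this page, not code from the presentation.
The record layout, the 30-day PR-to-PO threshold and the 1% rate tolerance
are assumptions; every document below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Doc:
    doc_id: str
    vendor: str
    qty: float
    rate: float
    created: date
    released: Optional[date] = None   # approval/release date, if the document type has one
    ref: Optional[str] = None         # predecessor: PO -> PR id, GRN/invoice -> PO id


def sequencing_findings(prs, pos, max_pr_to_po_days=30):
    """Sequencing anomalies of the kind tabled in the project audit:
    PR released before creation, PO created before PR release,
    and long gaps between PR release and PO creation."""
    findings = []
    pr_by_id = {p.doc_id: p for p in prs}
    for pr in prs:
        if pr.released is not None and pr.released < pr.created:
            findings.append((pr.doc_id, "PR release before PR creation"))
    for po in pos:
        pr = pr_by_id.get(po.ref)
        if pr is None:
            findings.append((po.doc_id, "PO without purchase requisition"))
        elif pr.released is None:
            findings.append((po.doc_id, "PO raised against unreleased PR"))
        elif po.created < pr.released:
            findings.append((po.doc_id, "PO creation before PR release"))
        elif (po.created - pr.released).days > max_pr_to_po_days:
            gap = (po.created - pr.released).days
            findings.append((po.doc_id, f"PR-to-PO delay of {gap} days"))
    return findings


def three_way_match(po, grn, invoice, rate_tol_pct=1.0):
    """Order / receipt / invoice match. Returns (passed, list_of_reasons).
    A failed match should hold the invoice for review, not post it."""
    reasons = []
    if grn.ref != po.doc_id or invoice.ref != po.doc_id:
        reasons.append("GRN and invoice do not both reference this PO")
    if invoice.vendor != po.vendor:
        reasons.append("invoice vendor differs from PO vendor")
    if grn.qty > po.qty:
        reasons.append("received quantity exceeds ordered quantity")
    if invoice.qty > grn.qty:
        reasons.append("invoiced quantity exceeds received quantity")
    if abs(invoice.rate - po.rate) > po.rate * rate_tol_pct / 100:
        reasons.append("invoice rate outside tolerance of PO rate")
    if po.created > invoice.created:
        reasons.append("PO created after the invoice date")
    return (not reasons, reasons)


# Constructed sample documents (not from any real system).
PRS = [
    Doc("PR-1", "V100", 100, 50.0, date(2013, 1, 10), released=date(2013, 1, 12)),
    Doc("PR-2", "V100", 40, 20.0, date(2013, 2, 1), released=date(2013, 1, 25)),
]
POS = [
    Doc("PO-1", "V100", 100, 50.0, date(2013, 1, 11), ref="PR-1"),
    Doc("PO-2", "V100", 40, 20.0, date(2013, 3, 10), ref="PR-2"),
]
GRN = Doc("GRN-1", "V100", 100, 0.0, date(2013, 1, 20), ref="PO-1")
INVOICE_OK = Doc("INV-1", "V100", 100, 50.0, date(2013, 2, 1), ref="PO-1")
INVOICE_BAD = Doc("INV-2", "V100", 120, 53.0, date(2013, 2, 5), ref="PO-1")


def run_sample():
    """Runs both checks over the constructed data and returns the findings."""
    return {
        "sequencing": sequencing_findings(PRS, POS),
        "match_ok": three_way_match(POS[0], GRN, INVOICE_OK),
        "match_bad": three_way_match(POS[0], GRN, INVOICE_BAD),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(key, value)
```

On the constructed data the sequencing check reports PR-2 (released before creation), PO-1 (created before its PR was released) and PO-2 (44 days between PR release and PO creation); INV-1 passes the three-way match, while INV-2 is held because its quantity exceeds the GRN and its rate falls outside the tolerance.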
1. Control Weakness:
• PO raised during the period under scope are not authorized as there is no release strategy defined in SAP for any of the spend categories except Edible Material (EM), Packing Material (PM), Capex (CT) & Engineering Goods (EG)
• Signature on PO has not been verified by the Outsourced Account Payable Vendor under the assumption that all POs are raised through release strategy.
• There is no process defined to raise purchase requisition before raising PO for all the spend categories except EM, PM, CT & EG.
Business Risks:
• Unauthorized procurement & payment of goods / services
• Risk of payment for services not procured/not received.
• Ordering of materials / services which may not be required
2. Control Weakness:
• Payments for the invoices pertaining to and booked by locations are made by Outsourced Account Payable Vendor based on Excel sheet details provided by (plant) locations without verifying the actual invoices.
• Following are the control weaknesses in the process:
- There is no authorized personnel identified at location to send invoice details to the service provider for payment.
- There is no check/control defined from HO on the payment made through excel files.
- There is no limit defined for making payment through excel files.
- Credit period is not considered while making these payments.
Business Risks:
• Unauthorized payments made for location purchases
• Inadequate controls over payment, if the payments are made based on the excel sheet details and not based on verifying the scanned invoices/ supporting
Case Study – Outsourced Account Payable Process in ERP
3. Control Weakness:
• Outsourced Account Payable Vendor has made the payments without VPF for non-PO based transactions and not parked the invoices separately in SAP (as held for payment). This is in non-compliance with the specific instruction to Outsourced Account Payable Vendor for paying non-PO based transactions only through VPF.
Business Risks:
• Risk of payment without appropriate authorizations.
4. Control Weakness:
• SAP application controls not in place to disallow duplicate code creation for vendors based on the PAN number / other details like vendor name / similar name.
• There is no preventive manual control in place to detect the existence of similar vendor names in the master records.
Business Risks:
• Risk of making duplicate payments in the existing scenarios where POs are made based on invoice after the receipt of invoice
• Risk of not detecting duplicate payments, if any, made using SAP's duplicate-invoice checking mechanism as the invoice has been paid under a different vendor code.
5. Control Weakness:
• PO has been generated after the receipt of invoices.
Business Risks:
• Risk of duplicate payments if more than one PO prepared for the same invoice.
6. Control Weakness:
• Absence of process / application control to identify and detect the same invoice number for same vendors in SAP.
• Improper ASL structure wherein same receipt of same service can be authorized by two persons. Person performing the back-up role in the absence of the other person is however allowed.
Business Risks:
• Risk of duplicate payments (5 duplicate payments amounting to Rs. xx lacs have been identified for the period under audit)
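Weaknesses 4 and 6 above describe two detective checks that an application control or a periodic review can provide: grouping vendor codes that share a PAN or a similar name, and then looking for the same invoice reference booked more than once for any code in such a group (the case SAP's per-vendor duplicate-invoice check cannot see). The following Python is an added example written for this page, not code from the presentation or from SAP; the field names, the list of legal-form words dropped during name comparison, and the vendor codes, names, PANs and invoice numbers are all constructed assumptions.

```python
"""Duplicate vendor master and duplicate invoice detection.

Added illustration written for this page, not code from the presentation
or SAP. Field names, the legal-suffix list and the sample records are
assumptions; the vendor codes, names, PANs and invoice numbers are constructed.
"""
import re
from collections import defaultdict

LEGAL_SUFFIXES = {"ltd", "limited", "pvt", "private", "co", "company", "inc", "the", "and"}


def normalize_name(name):
    """Canonical form used to compare vendor names: lowercase, punctuation
    removed, common legal-form words dropped, whitespace removed."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return "".join(w for w in words if w not in LEGAL_SUFFIXES)


def normalize_id(value):
    """Uppercase alphanumerics only; used for PAN and invoice references."""
    return re.sub(r"[^A-Z0-9]", "", (value or "").upper())


class _Groups:
    """Small union-find, so a code matched on PAN to one vendor and on
    name to another ends up in a single duplicate group."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[max(ra, rb)] = min(ra, rb)   # smallest code becomes canonical


def duplicate_vendor_groups(vendors):
    """Return {canonical_code: sorted codes} for vendors sharing a PAN or a normalized name."""
    groups = _Groups()
    by_pan, by_name = defaultdict(list), defaultdict(list)
    for v in vendors:
        groups.find(v["code"])                      # register singletons too
        pan = normalize_id(v.get("pan"))
        if pan:
            by_pan[pan].append(v["code"])
        by_name[normalize_name(v["name"])].append(v["code"])
    for codes in list(by_pan.values()) + list(by_name.values()):
        for other in codes[1:]:
            groups.union(codes[0], other)
    members = defaultdict(list)
    for v in vendors:
        members[groups.find(v["code"])].append(v["code"])
    return {root: sorted(c) for root, c in members.items() if len(c) > 1}


def duplicate_invoices(invoices, vendors):
    """Same invoice reference booked more than once for one vendor, where
    'one vendor' means any code in the same duplicate group."""
    canonical = {}
    for root, codes in duplicate_vendor_groups(vendors).items():
        for c in codes:
            canonical[c] = root
    seen = defaultdict(list)
    for inv in invoices:
        key = (canonical.get(inv["vendor"], inv["vendor"]), normalize_id(inv["ref"]))
        seen[key].append((inv["vendor"], inv["amount"]))
    return {key: postings for key, postings in seen.items() if len(postings) > 1}


# Constructed sample master data and postings (not real vendors or invoices).
VENDORS = [
    {"code": "V100", "name": "Acme Traders Pvt Ltd", "pan": "AAACA1234F"},
    {"code": "V101", "name": "ACME TRADERS PRIVATE LIMITED", "pan": None},
    {"code": "V102", "name": "Acme Traders", "pan": "aaaca1234f"},
    {"code": "V200", "name": "Bharat Supplies Co", "pan": "AABCB9876K"},
]
INVOICES = [
    {"vendor": "V100", "ref": "INV-001", "amount": 5000},
    {"vendor": "V101", "ref": "inv 001", "amount": 5000},   # same invoice under a duplicate code
    {"vendor": "V200", "ref": "INV-001", "amount": 1200},   # different vendor: not a duplicate
    {"vendor": "V100", "ref": "INV-002", "amount": 700},
]

if __name__ == "__main__":
    print(duplicate_vendor_groups(VENDORS))
    print(duplicate_invoices(INVOICES, VENDORS))
```

The vendor grouping is what a preventive check at master-creation time would run against the proposed PAN and name; the invoice pass is the detective review over postings, and it only reports V100/V101 because the unrelated vendor V200 happens to reuse the same invoice number.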
Case Study – Outsourced Account Payable Process in ERP
RCM – Access Control Review
1. Activity: Creation of new user ID
Risk: Risk of creating user ID without appropriate approval
Risk Category: High
Existing Control: There is a Creation policy in place which states the procedure of creation of user ID. A form for creation of User ID (SAP User ID Management and Authorisation Form) is available on which approvals of the concerned HOD, Business Process Owner, Role Owner are taken. The role in SAP as per the designation and functions to be performed is also mentioned on the form. Based on the information provided on the form, the technical team processes the request, creates a SAP User ID and assigns roles to the same.
2. Activity: User codes are not created with critical SAP profiles like SAP_ALL / SAP_NEW which allow the user to perform almost all activities in SAP.
Risk: Risk of granting access rights not matching with users’ roles & responsibilities
Risk Category: High
3. Activity: Granting access controls to users
Risk: Risk of granting access rights not matching with users’ roles & responsibilities
Risk Category: High
Existing Control: Roles are assigned to the User ID based on the approval of the BPO / Role Owner on the creation form.
4. Activity: Display roles are created / extended to users strictly for viewing and data retrieval purpose, and no data manipulation transactions are attached with such roles.
Risk: Risk of granting access rights not matching with users’ roles & responsibilities
Risk Category: High
Existing Control: Roles are assigned to the User ID based on the approval of the BPO / Role Owner on the creation form and as per needs of the business. If a screen is available to the role, then viewing rights are being given. Existing IDs containing display rights will have 'DISPLAY' stated in the description column. By SAP T-Code, rights assigned viz. creation, amendment, approval, display etc. can be easily identified. Activities can also be assigned codes 001, 002, 003 through which IDs can be controlled.
5. Activity: Review of controls for creation of user ID for outsourced/temporary staff
Risk: Risk of creating user ID without appropriate approval
Risk Category: High
Existing Control: Approval of CFO and CIO are taken. The HOD decides the role in SAP as per the designation. Approval of role owner and Business Process Owner (BPO) is taken for creation of User ID. Also, the minimum validity of the User ID created is 6 months.
6. Activity: Redundant user codes without use for a specific time gap are monitored on regular basis and reported to CIO for necessary action.
Risk: Risk of mis-use of user IDs
Risk Category: High
Existing Control: There is a Password Policy which states that the user must change the password on first use and every 30 days, system level passwords are to be changed every 60 days, locking of account after 5 unsuccessful logins, general password construction guidelines etc. Dialog user IDs which have not been logged in for 30 days get blocked, and those not logged in for 60 days get de-activated. The user will have to approach the IT Help Desk Team to unblock the ID. In case of a de-activated ID, the user will have to follow the same procedure as creation for subsequent re-activation.
7. Activity: Process exists to lock / delete user codes of separated / job rotated employees to guard against unauthorized alteration of data. (If yes, specify the mechanism in brief)
Risk: Risk of usage of user ID for separated employee
Risk Category: High
Existing Control: In case of amendment, IDs are usually changed for plant personnel. Plant specific IDs, in case of amendment, undergo deletion and subsequent creation. In case of change in the designation of a person, approval of the Business Head is taken. Also, Virsa Rules take care of Maker - Checker conflict.
In case of deletion, there is a deletion policy in place which states the procedure of deletion. The process note on User ID Management states that for permanent and temporary employees, a scheduled background job will automatically delete their IDs on deactivation in HR Master Record. For off-roll associates, the SAP User ID Management and Authorisation Form is to be filled and the approval of HOD and BPO to be taken for further processing of deletion of user ID. As per the deletion policy, deletion should take place within 2 days of the form submission.
8. Activity: MIS reporting and regular monitoring exists to identify duplicate / idle user codes in SAP for necessary action against them to pre-empt misuse. (Share documented evidences of regular monitoring of duplicate / idle user codes and action taken report.)
Risk: Risk of mis-use of user IDs
Risk Category: Medium
Existing Control: The system has been configured to check for duplication of user IDs. In case of an outsourced employee joining as a permanent employee, the user ID will have to be deleted and a new user ID with the applicable logic will be created.
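The password and dormancy rules stated under item 6 (password change on first use and every 30 days, system-level passwords every 60 days, lock after 5 unsuccessful logins, block dialog IDs idle for 30 days, de-activate after 60) are the kind of rule set the "redundant user codes" monitoring runs over a user list. The following Python is an added example written for this page, not code from the presentation or SAP; it takes the thresholds from the text, while the record layout, the user-type names and the sample users are assumptions. It also generalises slightly beyond the text by treating a never-logged-in user as idle since creation.

```python
"""Dialog-user and password-policy review over a SAP-style user list.

Added illustration written for this page, not code from the presentation
or SAP. The thresholds are the ones the RCM text states; the record layout
and the sample users are assumptions.
"""
from datetime import date

POLICY = {
    "dialog_password_max_age": 30,     # days; user passwords
    "system_password_max_age": 60,     # days; system-level passwords
    "lock_after_failed_logins": 5,
    "block_after_idle_days": 30,
    "deactivate_after_idle_days": 60,
}
SYSTEM_TYPES = {"system", "service", "communication"}


def review_user(user, today, policy=POLICY):
    """Return the actions the policy requires for one user record."""
    actions = []
    # Assumption: a user who has never logged in counts as idle since creation.
    last_activity = user["last_login"] or user["created"]
    idle = (today - last_activity).days
    if user["type"] == "dialog":
        if idle >= policy["deactivate_after_idle_days"]:
            actions.append("deactivate (idle %d days; re-creation procedure applies)" % idle)
        elif idle >= policy["block_after_idle_days"]:
            actions.append("block (idle %d days; unblock via IT help desk)" % idle)
    if user["failed_logins"] >= policy["lock_after_failed_logins"]:
        actions.append("lock (failed logins)")
    pw_age = (today - user["password_set"]).days
    if user["type"] == "dialog":
        if user["initial_password"] and user["last_login"]:
            actions.append("initial password never changed")
        elif pw_age > policy["dialog_password_max_age"]:
            actions.append("force password change (age %d days)" % pw_age)
    elif user["type"] in SYSTEM_TYPES and pw_age > policy["system_password_max_age"]:
        actions.append("rotate system password (age %d days)" % pw_age)
    return actions


def review_all(users, today, policy=POLICY):
    """Map user code -> required actions, listing only users that need one."""
    report = {}
    for u in users:
        actions = review_user(u, today, policy)
        if actions:
            report[u["code"]] = actions
    return report


def _user(code, utype, created, last_login, password_set, initial_password=False, failed_logins=0):
    return {"code": code, "type": utype, "created": created, "last_login": last_login,
            "password_set": password_set, "initial_password": initial_password,
            "failed_logins": failed_logins}


TODAY = date(2013, 11, 23)
# Constructed sample users (no real accounts).
USERS = [
    _user("ADMIN01", "dialog", date(2013, 1, 1), date(2013, 11, 20), date(2013, 11, 1)),
    _user("TEMP07", "dialog", date(2013, 6, 1), date(2013, 10, 10), date(2013, 10, 10)),
    _user("EXSTAFF", "dialog", date(2013, 1, 1), date(2013, 8, 1), date(2013, 8, 1)),
    _user("NEWHIRE", "dialog", date(2013, 11, 15), date(2013, 11, 20), date(2013, 11, 15),
          initial_password=True),
    _user("RFC_BATCH", "system", date(2012, 1, 1), date(2013, 11, 23), date(2013, 8, 1)),
    _user("LOCKME", "dialog", date(2013, 1, 1), date(2013, 11, 22), date(2013, 11, 10),
          failed_logins=5),
]

if __name__ == "__main__":
    for code, actions in review_all(USERS, TODAY).items():
        print(code, actions)
```

ADMIN01 needs no action; TEMP07 is blocked and forced to change an over-age password; EXSTAFF is de-activated; NEWHIRE has logged in but still carries the initial password; RFC_BATCH's system password is overdue for rotation; LOCKME is locked for failed logins.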
9. Activity: Formal authorized list of BPOs / business owners is available for approving access to Telcon users including 3rd parties
Risk: Risk of creating user ID without appropriate approval
Risk Category: High
Existing Control: The activity of SAP User ID management has been outsourced to xx Vendor. As the information system is owned by the company, the agreement has been entered into by the company with the outsourced vendor.
10. Activity: User types of SAP user codes like dialogue, service, system, communication etc. are not altered without written approval from designated authority. (If changed, share copies of approval.)
Risk: Risk of amendment without proper approval or against norms
Risk Category: High
Existing Control: In case of amendment, IDs are usually changed for plant personnel. Plant specific IDs, in case of amendment, undergo deletion and subsequent creation. In case of change in the designation of a person, approval of the Business Head is taken. Also, Virsa Rules take care of Maker - Checker conflict. There is a role modification form available in case of assignment of roles to User IDs on which appropriate approvals are to be taken. Also, if a specific role is created for a defined set of users / dept., a Role creation form is available for the same.
11. Activity: Mechanism exists to prevent creation of duplicate user codes in SAP. If yes, specify the mechanism.
Risk: Risk of mis-use of user IDs
Risk Category: Medium
Existing Control: System checks for duplication. In case of an outsourced employee joining as a permanent employee, the user ID will have to be deleted and a new user ID with the applicable logic will be created.
1. Activity: Access logs record monitoring
Risk: Risk of mis-use of user IDs
Risk Category: High
Existing Control: Record of access logs are available
2. Activity: Documented, updated and approved policies / procedures are available for logical access to SAP and communicated to all concerned users.
Risk: Risk of non-adherence to documented procedure
Risk Category: Medium
Existing Control: At the time of creation of User ID, the form, filled by the user, bears an undertaking w.r.t. access, password sharing, password security, confidentiality, adherence to policies etc.
3. Activity: Following points are included in the policy / procedure documents.
(a) Maintenance and use of default super-users (e.g. SAP*, DDIC etc.).
(b) User master creation, maintenance and administration.
(c) Allocation of user licences.
(d) Activation / deactivation of SAP user codes particularly in view of separation / job rotation.
(e) Naming convention to be followed for creation / amendment of user master.
(f) Setting of control parameters and password management etc.
(g) Use of firefighter IDs.
(h) Regular monitoring / locking of redundant user codes / authorizations granted to users.
Risk Category: Medium
Existing Control: Policies pertaining to Creation, Deletion, Password Management, Creation and Usage of fire-fighter IDs are in place.
4. Activity: Standard forms are available / used for approval and granting access authorization by administrator to all users.
Risk: Risk of granting access rights without appropriate approval
Risk Category: Medium
Existing Control: SAP User ID Management and Authorisation Form is available containing various details for creation of User IDs on which appropriate approvals as per the Approval Authority Matrix are taken. Approvals are also taken for amendment in SAP rights.
6. Activity: SoD violation is checked using an automated tool for each user code while granting any privilege and approved documented evidences are preserved. (Share evidences of regular SoD checking and approval reports)
Risk: Review of access rights given vis-à-vis roles of the user
Risk Category: High
7. Activity: Mitigating control(s) are defined / approved by designated authority for all users granted authorizations with SoD conflicts and updated in system.
8. Activity: All approved user code creation / deletion forms, evidences of SoD checking and related documents, if any, are preserved for future reference. (Share copies of latest 10 user code creation / deletion forms as evidence)
Risk Category: Medium
9. Activity: Amendments of rights for user
Risk: Risk of amendment without proper approval or against norms
Risk Category: High
10. Activity: Firefighter IDs are created and extended to users with approval from designated authorities.
Risk: Risk of misusing firefighter ID
Risk Category: High
11. Activity: Usage logs of Firefighter IDs are preserved and reviewed after every use to oversee any misuse of system or posting of abnormal transactions. (If yes, share 5 log files of Firefighter IDs used in recent past.)
12. Activity: Super user IDs access review
Risk: Risk of misusing super user ID
13. Activity: Default super users are deactivated and used only with written approval from designated authority.
14. Activity: Automatic expiry of passwords at predefined interval and password protection mechanism exist to guard against misuse of SAP user codes.
Risk: Risk of not changing password on regular basis leading to mis-use
Risk Category: High
15. Activity: Passwords of all servers / clients are changed after installation / every use by designated authority and preserved securely.
16. Activity: Passwords granted initially or re-set for the users are communicated in a secured manner to maintain confidentiality.
17. Activity: Duly approved password re-set forms are used for requesting initialization of passwords as per policy.
18. Activity: Authorizations are granted to users strictly based on the need-to-know and need-to-do principle and excess/unauthorized access is reviewed/removed regularly.
Risk: Risk of granting unauthorised access to user
Risk Category: High
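Items 6 and 7 above describe the automated SoD check at privilege-grant time and the approved mitigating controls recorded for users whose conflicts are accepted. The following Python is an added example written for this page, not code from the presentation or from any GRC tool; the role names, the business functions each role grants, the conflict pairs, the users and the approval reference are all constructed assumptions, and an organisation would load its own role-to-function mapping and rule set in their place.

```python
"""Segregation-of-duties check over user role assignments, with mitigations.

Added illustration written for this page, not code from the presentation
or any GRC tool. Role names, the functions they grant, the conflict rules,
the user list and the approval reference are constructed assumptions.
"""

# Which business functions each role grants (assumed mapping).
ROLE_FUNCTIONS = {
    "Z_VENDOR_MASTER": {"maintain_vendor_master"},
    "Z_PURCHASING": {"create_po", "release_po"},
    "Z_AP_CLERK": {"post_invoice", "maintain_vendor_master"},
    "Z_PAYMENTS": {"run_payment"},
    "Z_DISPLAY_ONLY": {"display_vendor", "display_po"},
}

# Function pairs one person must not hold together (maker-checker style rules).
SOD_RULES = {
    frozenset({"maintain_vendor_master", "post_invoice"}): "vendor master vs invoice posting",
    frozenset({"maintain_vendor_master", "run_payment"}): "vendor master vs payment run",
    frozenset({"post_invoice", "run_payment"}): "invoice posting vs payment run",
    frozenset({"create_po", "release_po"}): "PO creation vs PO release",
}


def functions_for(roles):
    """Union of the functions granted by a set of roles (unknown roles grant nothing)."""
    funcs = set()
    for r in roles:
        funcs |= ROLE_FUNCTIONS.get(r, set())
    return funcs


def sod_conflicts(roles, rules=SOD_RULES):
    """All rule violations implied by a role set, as sorted rule descriptions.
    Run this before a grant is approved: conflicts can arise inside one role
    (Z_AP_CLERK below) or only when two roles are combined."""
    funcs = functions_for(roles)
    return sorted(desc for pair, desc in rules.items() if pair <= funcs)


def review_users(users, mitigations, rules=SOD_RULES):
    """users: {code: [roles]}; mitigations: {(code, rule_desc): approval_ref}.
    Returns, per user, the conflicts with no approved mitigating control."""
    report = {}
    for code, roles in users.items():
        open_conflicts = [c for c in sod_conflicts(roles, rules) if (code, c) not in mitigations]
        if open_conflicts:
            report[code] = open_conflicts
    return report


# Constructed sample assignments (no real users or approvals).
USERS = {
    "AP001": ["Z_AP_CLERK"],                                    # conflict inside a single role
    "BUY01": ["Z_PURCHASING", "Z_DISPLAY_ONLY"],                # creates and releases POs
    "PAY01": ["Z_PAYMENTS", "Z_DISPLAY_ONLY"],                  # clean
    "SUPER1": ["Z_VENDOR_MASTER", "Z_AP_CLERK", "Z_PAYMENTS"],  # whole payment chain
}
MITIGATIONS = {
    ("BUY01", "PO creation vs PO release"): "CHG-0042 (constructed approval reference)",
}

if __name__ == "__main__":
    for code, conflicts in review_users(USERS, MITIGATIONS).items():
        print(code, conflicts)
```

With the mitigation recorded for BUY01, the review lists only AP001 (one conflict built into a single role) and SUPER1 (three conflicts across the vendor-master, invoice and payment functions); dropping the mitigation map brings BUY01 back into the report.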
SSAE 16 Audit Project
About Company
The Company (Service Provider) is located in Mumbai, India and provides a One Stop Solution for all employee life cycle management needs, with flexible delivery models including outsourced processing of payroll for its user organizations. The Company provides solutions to a customer base of over 160 clients and processes three hundred thousand plus employee records every month, with its offices in five cities in India and operations in Singapore, Sri Lanka, Australia and Dubai.
About the Engagement
The service provider, on behalf of its US-listed clients, has appointed us to provide reasonable assurance on the following aspects (on behalf of the user entity/ auditor):
i. the service organization's system fairly presents the system that was designed and implemented throughout the specified period
ii. the controls related to the control objectives were suitably designed throughout the specified period
iii. the controls operated effectively to provide reasonable assurance that the control objectives were achieved throughout the specified period.
Audit Sites
The headquarters of the company is situated at Mumbai with multiple data processing and production sites in the suburbs of Mumbai.
Audit Approach & Methodology
1. Understanding of key business processes & risks
2. Identify sub-processes and controls
3. Identify control objectives for each sub-process
4. Assess and verify control objectives by identifying tests to be performed
5. Highlight results of the tests and control weaknesses to the management
6. Implement suggestive controls and issue audit report
Controls Tested & Deficiencies Observed
(Columns: Sr. No | Process | Title | Observations | Corrective Action Plans Initiated)

1. ITGC: Disaster Recovery
   Observations:
   • Software data can be recovered within 4 hours (as defined in the SLA with the IDC) from the disaster. The service provider has not tested the recovery plan till date.
   • No recovery of working Excel files & emails can be made in case of a disaster strike at the local server area.
   Corrective Action Plans Initiated:
   • Mock drill was carried out and data was pulled from the IDC.
   • Monthly schedule was prepared for backup of working Excel files and emails.

2. ITGC: Issues Management
   Observations:
   • 2282 issues were closed and on an average 7.87 days are taken to close the issues.
   Corrective Action Plans Initiated:
   • Turn Around Time (TAT) was defined for resolving IT issues and one of the KRAs for the IT team was set to resolve issues within TAT.

3. ITGC: Audit trail of access and/or attempted access
   Observations:
   • Company doesn't have infrastructure in place to maintain an audit trail of access and/or attempted access.
   Corrective Action Plans Initiated:
   • Firewall was set up to provide an audit trail of access and/or attempted access.

4. ITGC: Prevention of system from virus, worm, security threats etc.
   Observations:
   • Kaspersky antivirus is used for virus protection, but on many PCs the licences have expired and no action has been taken to get them renewed and updated.
   • No system of triggers in the case of removal/ uninstallation of antivirus from a PC.
   • No uninstallation logs are maintained for antivirus.
   Corrective Action Plans Initiated:
   • One-time activity was carried out identifying expired antivirus.

5. ITGC: System changes/ development are authorized (Change management)
   Observations:
   • There is no standard format for such requests; therefore controlling database access requests and impact analysis will be difficult. All the access given so far has not been revoked till date.
   Corrective Action Plans Initiated:
   • Each access request was recorded, approved, monitored and revoked post event (if no permanent need). One database custodian was identified for this purpose.

6. ITGC: Business Continuity Plan
   Observations:
   • BCP policy has been developed and documented; however, it is not implemented or tested till date. No BCP team and critical team is identified. No recovery time is tested and identified. No mock drill is carried out, etc.
   Corrective Action Plans Initiated:
   • Mock drill was carried out as per BCP policy and the result was recorded.

7. ITGC: Data Security
   Observations:
   • As per the agreement with the original company, the service provider will store data at three different locations; however, the same is only stored at two locations.
   • As per the agreement with the original company, the service provider should encrypt the data which is shared; however, data transferred through email is not encrypted.
   • CCTV camera in the server room only records real-time video and no backup is done of the recording. Moreover, there is no dedicated person or computer where the video can be monitored.
   • No passwords for BIOS; they are configured in default mode.
   Corrective Action Plans Initiated:
   • BCP location was identified as the third location for storing data.
   • Service provider will evaluate encryption options.
   • Service provider will evaluate the option of backup of CCTV camera recordings in the next meeting.
   • BIOS is now password protected.

8. ITGC: Implementation of information security policy
   Observations:
   • Users can access their personal email, which carries a risk of sharing company files.
   • Social networking sites and gaming sites, which are declared as blocked in group policy, are not blocked and can be accessed by all the employees.
   Corrective Action Plans Initiated:
   • Personal emails and social networking sites are blocked now.

9. ITGC: WLAN
   Observations:
   • Service provider's wireless network is secured by weak password protection, no MAC filtering has been done and the SSID is kept open.
   • SSID broadcast should be kept hidden and MAC filtering should be done to ensure greater security.
   Corrective Action Plans Initiated:
   • Service provider will evaluate the risk and make necessary amendments.

10. ITGC: Network Scanning
   Observations:
   • No periodic network scanning is done and the system crashes at maximum pressure while processing payrolls.
   Corrective Action Plans Initiated:
   • Service provider has put in place a process to check its network perimeter to ensure the good health of its network. Various tools have been used for the same.

11. ITGC: Authorisation & Access Control
   Observations:
   • No such system is available/ used and every directory/ folder is accessible on the network.
   Corrective Action Plans Initiated:
   • Software was used for authorization of access to the network, and access to all folders was restricted and given on a need basis.

12. New client Induction: Agreement
   Observations:
   • On verification on a sample basis, we observed that for all three sample clients the agreement has not been signed till date; however, the work has started on the same.
   Corrective Action Plans Initiated:
   • Agreement has been signed by both parties immediately.

13. New client Induction: Sign-off from implementation team & payroll team during transfer of client from implementation team to payroll team
   Observations:
   • Sign-off is not obtained from the implementation team to confirm that implementation is done to the satisfaction of the client.
   • Sign-off that all the data and knowledge understanding is passed on to payroll is not obtained from the implementation team, and sign-off from the payroll team that they have properly understood the client's requirement should also be obtained.
   Corrective Action Plans Initiated:
   • Sign-off list is prepared wherein key parameters like all the client files including emails have been transferred, critical issues faced during implementation have been discussed, etc.

14. Employee Master: New employees' input data checking and validation
   Observations:
   • On sample verification, we have observed that no checking or validation is done for new employees. New employees are updated in the master as and when inputs are received from clients.
   Corrective Action Plans Initiated:
   • Checkpoints are defined to ensure that duplicate entries are not made. Unique fields like PAN, PF/ESIC A/C no., Bank A/C no. etc. are identified as inbuilt controls in the system.

15. Payroll Processing: Authenticating input data
   Observations:
   • On verification on a sample basis, we have observed that in 2 cases out of 5 clients the list of authorized personnel was not obtained. Inputs are accepted on a call and the same are processed without obtaining confirmation over email.
   Corrective Action Plans Initiated:
   • List of authorized personnel for sending information is now defined at the inception of the engagement and only information received from authorized personnel is considered.

16. Payroll Processing: Maker-checker concept to ensure that payroll is processed for all employees accurately
   Observations:
   • We have analyzed maker-checker logs and observed that for 50% of checks, on an average 32 and 14 seconds are taken by checker 1 and checker 2 respectively.
   Corrective Action Plans Initiated:
   • Checkpoints were defined for the checker (rather than verifying all the activities of the maker). The checkpoints are:
     • Reconciliation of last month's salary with current month's salary
     • Employee count reconciliation
     • Reconciliation of input tracking register
     • Sample-based check for addition, updation, deletion & existing
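Row 14's corrective action, duplicate checks on unique fields such as PAN, PF/ESIC and bank account numbers when new employees are added to the master, as an added worked example in Python (not the service provider's system; the field names, the sample records and the strip-and-uppercase normalisation are assumptions):

```python
# Added example, not the service provider's system: field names, records and
# the strip-and-uppercase normalisation are assumptions.
UNIQUE_FIELDS = ("pan", "pf_esic_ac", "bank_ac")

# Constructed sample master and client inputs (not real data)
MASTER = [
    {"emp_id": "E001", "pan": "ABCDE1234F", "pf_esic_ac": "MH/12345", "bank_ac": "000111"},
    {"emp_id": "E002", "pan": "FGHIJ5678K", "pf_esic_ac": "MH/12346", "bank_ac": "000112"},
]
INPUTS = [
    {"emp_id": "N001", "pan": "KLMNO9012P", "pf_esic_ac": "MH/12347", "bank_ac": "000113"},
    {"emp_id": "N002", "pan": "abcde1234f ", "pf_esic_ac": "MH/12348", "bank_ac": "000114"},  # PAN of E001
    {"emp_id": "N003", "pan": "QRSTU3456V", "pf_esic_ac": "MH/12349", "bank_ac": ""},         # missing field
    {"emp_id": "N004", "pan": "WXYZA7890B", "pf_esic_ac": "MH/12350", "bank_ac": "000113"},   # bank A/C of N001
]

def _norm(value):
    """Normalise so that case and stray spaces cannot hide a duplicate."""
    return (value or "").strip().upper()

def validate_new_employees(master, inputs):
    """Return (accepted, rejected). Each rejected entry is (emp_id, reasons).
    Duplicates are checked against the master and within the input batch."""
    seen = {f: {} for f in UNIQUE_FIELDS}
    for rec in master:
        for f in UNIQUE_FIELDS:
            if _norm(rec.get(f)):
                seen[f][_norm(rec[f])] = rec["emp_id"]
    accepted, rejected = [], []
    for rec in inputs:
        reasons = []
        for f in UNIQUE_FIELDS:
            v = _norm(rec.get(f))
            if not v:
                reasons.append(f"missing {f}")
            elif v in seen[f]:
                reasons.append(f"{f} already used by {seen[f][v]}")
        if reasons:
            rejected.append((rec["emp_id"], reasons))
            continue
        accepted.append(rec)
        for f in UNIQUE_FIELDS:  # accepted values now block later rows in the same batch
            seen[f][_norm(rec[f])] = rec["emp_id"]
    return accepted, rejected
```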
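Row 16's test, reading maker-checker logs to see how long each checker actually spends per record and flagging reviews too fast to be a real check, as an added example in Python (not the firm's audit tool; the log format, the maker -> checker 1 -> checker 2 sequence, the 60-second threshold and the sample lines are constructed assumptions):

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample maker-checker log (not real data): timestamp,record_id,actor,action
SAMPLE_LOG = """\
2013-11-01 10:00:00,EMP001,maker,submitted
2013-11-01 10:00:32,EMP001,checker1,approved
2013-11-01 10:00:46,EMP001,checker2,approved
2013-11-01 10:05:00,EMP002,maker,submitted
2013-11-01 10:08:00,EMP002,checker1,approved
2013-11-01 10:10:30,EMP002,checker2,approved
2013-11-01 10:20:00,EMP003,maker,submitted
2013-11-01 10:20:20,EMP003,checker1,approved
2013-11-01 10:20:30,EMP003,checker2,approved
2013-11-01 10:30:00,EMP004,maker,submitted
2013-11-01 10:32:00,EMP004,checker1,approved
"""

def review_durations(log_text):
    """Seconds per record: checker1 from the maker's submission, checker2 from checker1's approval."""
    events = defaultdict(dict)
    for line in log_text.strip().splitlines():
        ts, rec, actor, _action = line.split(",")
        events[rec][actor] = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    durations = {}
    for rec, t in events.items():
        c1 = (t["checker1"] - t["maker"]).total_seconds() if "checker1" in t else None
        c2 = (t["checker2"] - t["checker1"]).total_seconds() if c1 is not None and "checker2" in t else None
        durations[rec] = {"checker1": c1, "checker2": c2}
    return durations

def rubber_stamp_report(durations, min_seconds=60):
    """Per checker: count, average seconds, records reviewed under min_seconds; plus records lacking the second check."""
    report = {c: {"count": 0, "avg_seconds": 0.0, "too_fast": []} for c in ("checker1", "checker2")}
    missing_second_check = []
    for rec in sorted(durations):
        for checker, secs in durations[rec].items():
            if secs is None:
                continue
            r = report[checker]
            r["count"] += 1
            r["avg_seconds"] += secs  # running sum, divided below
            if secs < min_seconds:
                r["too_fast"].append(rec)
        if durations[rec]["checker2"] is None:
            missing_second_check.append(rec)
    for r in report.values():
        if r["count"]:
            r["avg_seconds"] /= r["count"]
    return report, missing_second_check
```

The threshold is an audit judgement: a review that consistently completes in seconds for records that need several reconciliations is evidence the checker step is not operating, which is the weakness the defined checkpoints in row 16 address.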
The views expressed in this material are personal in nature. Any reliance should be placed only post
consultation with the author.
Thank You
Contact [email protected]