Internal Control, Information Technology and Internal Audit/ Audit under ERP System
By CA Huzeifa I. Unwala, Partner, NMAH & Associates, Chartered Accountants
November 23, 2013

Topics for discussion

• True or False

• Concept of Internal Controls in IT environment

• Case Studies

• Example of Risk & Control Matrix

01 True or False

• ERP is only a depreciating asset on the Fixed Asset Register
• IT/ ERP implementation implies a fully secured and controlled business environment
• The ERP initiative should be owned by the IT department as there is a lot of technology involved
• CFOs should always manage IT implementations as they best understand business needs

02 Understanding Information Technology & related Controls

03 Need to CONTROL Technology

• Trade secrets/ IP/ Breach of Sensitive data

• Direct business losses on account of IT/ computer environment related errors, IT investments

• Growth dampener/ hurdle/ pace of growth

• Attract and retain good talent

• Inefficient business processes

• Fraud risks

Key Note: In today's environment, financial reporting processes are driven by IT systems. Such systems, whether ERP or otherwise, are deeply integrated in initiating, authorizing, recording, processing and reporting financial transactions. As such, they are inextricably linked to the overall financial reporting process and need to be assessed, along with other important processes.

WHY Control Technology?

HOW to Control Technology [COBIT Framework]?

BUSINESS AND IT CONTROLS

The enterprise's system of internal controls impacts IT at three levels:

• Executive Management Level: Business objectives are set, policies are established and decisions are made on how to deploy and manage the resources of the enterprise to execute the enterprise strategy. The overall approach to governance and control is established by the board and communicated throughout the enterprise. The IT control environment is directed by this top-level set of objectives and policies.

• Business Process Level: Controls are applied to specific business activities. Most business processes are automated and integrated with IT application systems, resulting in many of the controls at this level being automated as well. These controls are known as application controls. However, some controls within the business process remain as manual procedures, such as authorisation for transactions, separation of duties and manual reconciliations. Therefore, controls at the business process level are a combination of manual controls operated by the business and automated business and application controls. Both are the responsibility of the business to define and manage, although the application controls require the IT function to support their design and development.

• Support Level: IT provides IT services, usually in a shared service to many business processes, as many of the development and operational IT processes are provided to the whole enterprise, and much of the IT infrastructure is provided as a common service (e.g., networks, databases, operating systems and storage). The controls applied to all IT service activities are known as IT general controls. The reliable operation of these general controls is necessary for reliance to be placed on application controls. For example, poor change management could jeopardise (accidentally or deliberately) the reliability of automated integrity checks.

IT Governance Mechanisms
• Appropriate authority structure
• IT risk assessment: identification of points of failure/ what can go wrong
• Consistent preventive, corrective and monitoring actions
• De-risk vendor dependence
• No tampering with source code/ ABAP/ programming languages
• Hire or acquire relevant competencies

Learning to Control Technology?

ERP environment (layers and linkages):
• ERP Application Modules
• ERP System and Configuration
• DBMS (Database Management System)
• Operating Systems
• Other Internal Systems Linkages
• Other External Systems Linkages

Risks in an ERP Environment

• Poor implementation

• Go live becomes Go leave

• Incorrect master creation and maintenance

• Conflicting roles/ duties

• Unauthorised access

• Cascading of errors (Domino effect of errors)

• Repetition of errors

• Incorrect entry of data

• Inadequate security practices

• Over reliance on vendors

• Remote access

• Access to sensitive codes/ transactions

Illustrative

Usual Internal Control Deficiencies

• Sharing of user id and passwords

• Duplicate vendors

• Unreconciled intermediate accounts

• Final statements outside the system

• Out of book valuations and adjustments

• Excess credit limits

• Duplicate customer codes

• Incomplete masters

• Poor audit trails because the relevant customisations are lacking

• Data integrity issues

Illustrative

04 Concept of internal control (IT perspective)

True or False

• Internal control is effected by an organisation
• The first line of defence is having adequate internal controls
• Value lies in monitoring of readiness and preparedness to protect organisations from collateral damage

INTERNAL CONTROL IS DEFINED

Internal control is a process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and regulations

It is a process consisting of on-going tasks and activities. Policies and procedures exist to effect control.
It is effected by people.
It is able to provide reasonable assurance, not absolute assurance.
It is geared to the achievement of objectives in one or more separate but overlapping categories. The categories are:
- Effectiveness and efficiency of operations
- Reliability of reporting (internal, external and non-financial)
- Adherence to laws and regulations
It is adaptable to the entity structure. IC can be applied as per management's decision in the context of legal requirement, operating model, entity structure or a combination of these.

Understanding Internal Control

The 5 Components of IC:
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring Activities

Control Environment (Principles)
1. Organization demonstrates a commitment to integrity and ethical values
2. Board demonstrates independence
3. Management establishes oversight, reporting lines and authority structure
4. Organization demonstrates a commitment to attract, develop and retain competent individuals
5. Individual accountability for IC responsibilities

Risk Assessment (Principles)
• Risk-specific objectives
• Risk identification and analysis
• Consider the potential for fraud
• Identify and assess changes that could significantly impact the system of internal control

Control Activities (Principles)
• Organization selects and develops control activities that contribute to the mitigation of risks
• Organization selects and develops general control activities over technology that contribute to the mitigation of risks
• Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies

Information and Communication (P)

Information generation and use

Internal communications

External communications

Monitoring Activities (Principles)
• Organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of IC exist and function
• Communicates IC deficiencies


Components of Internal Control / System of IC

Control Activities – 3 Principles and 16 attributes

► Selects and Develops Control Activities: The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
- Integrates with Risk Assessment
- Determines Relevant Business Processes
- Considers Entity-Specific Factors
- Evaluates a Mix of Control Activity Types
- Considers at What Level Activities Are Applied
- Addresses Segregation of Duties

► Selects and Develops General Controls over Technology: The organization selects and develops general control activities over technology to support the achievement of objectives.
- Determines Dependency between the Use of Technology in Business Processes and Technology General Controls
- Establishes Relevant Technology Infrastructure Control Activities
- Establishes Relevant Security Management Process Control Activities
- Estimates Significance of Risks Identified
- Establishes Relevant Technology Acquisition, Development, and Maintenance Process Control Activities

Control Activities (Principles)

► Selects and Develops Control Activities
► Selects and Develops General Controls over Technology

► Deploys through Policies and Procedures

Application Controls (COBIT)

Source Data Preparation and Authorisation: Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect errors and irregularities so they can be reported and corrected.

Source Data Collection and Entry: Establish that data input is performed in a timely manner by authorised and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels. Where appropriate for reconstruction, retain original source documents for the appropriate amount of time.

Accuracy, Completeness and Authenticity Checks: Ensure that transactions are accurate, complete and valid. Validate data that were input, and edit or send back for correction as close to the point of origination as possible.

Processing Integrity and Validity: Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.

Output Review, Reconciliation and Error Handling: Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that the information provided in the output is used.

Transaction Authentication and Integrity: Before passing transaction data between internal applications and business/operational functions (in or outside the enterprise), check it for proper addressing, authenticity of origin and integrity of content. Maintain authenticity and integrity during transmission or transport.
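The accuracy/completeness, processing-integrity and transaction-authentication controls above are easiest to see as code at an application interface. The following is an added example and not code from the presentation or from any ERP product: the sending application addresses a batch of vendor invoices, attaches batch control totals (record count and hash total) and an HMAC over header and body; the receiving application checks addressing, then the MAC, then the totals, and only then applies field-level edits, rejecting a bad record without holding up the valid ones in the same batch. The interface key, the application names AP_APP/GL_APP and the three sample records are assumptions made for the example.

```python
import hashlib
import hmac
import json
from decimal import Decimal, InvalidOperation

# Shared interface secret. An assumption for the example; in practice it is
# held in a key store with a separate key per sending/receiving application pair.
INTERFACE_KEY = b"example-interface-key-not-for-production"

# Constructed sample: three vendor invoices passed from an AP application to a
# general ledger interface. The second record is missing its vendor code.
SAMPLE_RECORDS = [
    {"doc_no": "5100001", "vendor": "V0001", "amount": "1250.00"},
    {"doc_no": "5100002", "vendor": "", "amount": "980.50"},
    {"doc_no": "5100003", "vendor": "V0042", "amount": "300.00"},
]


def _canonical(header, records):
    """Deterministic bytes so both applications MAC exactly the same content."""
    payload = {"header": header, "records": records}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def control_totals(records):
    """Batch control totals: record count and a hash total of the amount field.
    Non-numeric amounts are left out of the total; record_errors rejects them."""
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(str(rec.get("amount", "")))
        except InvalidOperation:
            pass
    return {"record_count": len(records), "hash_total": str(total)}


def build_batch(sender, receiver, batch_id, records, key=INTERFACE_KEY):
    """Sender side: address the batch, attach control totals, MAC header and body."""
    header = {"sender": sender, "receiver": receiver, "batch_id": batch_id}
    header.update(control_totals(records))
    mac = hmac.new(key, _canonical(header, records), hashlib.sha256).hexdigest()
    return {"header": header, "records": records, "mac": mac}


def record_errors(rec):
    """Field-level accuracy and completeness edits for one transaction."""
    errors = [f"missing {f}" for f in ("doc_no", "vendor", "amount") if not rec.get(f)]
    try:
        if Decimal(str(rec.get("amount", ""))) <= 0:
            errors.append("amount not positive")
    except InvalidOperation:
        errors.append("amount not numeric")
    return errors


def receive_batch(batch, expected_receiver, key=INTERFACE_KEY):
    """Receiver side, in order: addressing, authenticity and integrity of the
    whole batch, control totals, then per-record edits. A bad record is
    reported without blocking the valid ones in the same batch."""
    header, records = batch["header"], batch["records"]
    rejected_batch = {"batch_error": None, "accepted": [], "rejected": []}
    if header.get("receiver") != expected_receiver:
        return dict(rejected_batch, batch_error="wrong receiver")
    expected_mac = hmac.new(key, _canonical(header, records), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, str(batch.get("mac", ""))):
        return dict(rejected_batch, batch_error="MAC mismatch")
    totals = control_totals(records)
    if any(header.get(k) != v for k, v in totals.items()):
        return dict(rejected_batch, batch_error="control totals mismatch")
    accepted, rejected = [], []
    for rec in records:
        errors = record_errors(rec)
        if errors:
            rejected.append({"record": rec, "errors": errors})
        else:
            accepted.append(rec)
    return {"batch_error": None, "accepted": accepted, "rejected": rejected}


def demo():
    """Clean batch versus the same batch with an amount altered in transit."""
    batch = build_batch("AP_APP", "GL_APP", "B-0001", SAMPLE_RECORDS)
    tampered = json.loads(json.dumps(batch))
    tampered["records"][0]["amount"] = "12500.00"
    return receive_batch(batch, "GL_APP"), receive_batch(tampered, "GL_APP")
```

The order of checks matters: addressing and the MAC are evaluated before anything in the body is trusted, and the MAC covers the header, so the control totals cannot be adjusted to match a tampered body. The totals remain useful as a check on the sender's own assembly of the batch, and the per-record edits are the point at which an individual transaction is sent back for correction without disrupting the rest.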

Business Application Controls – useful internal control related displays in the SAP environment (Illustrative)

• To identify customised programs that have not been assigned to an authorization group: query table TRDIR using T-Code > SE16 and list the custom (Z*/Y*) programs whose authorization group field (SECU) is blank
• Check that "Duplication Check" is activated in customer master data: T-Code > OBB2
• Check that "Duplication Check" is activated in vendor master data: T-Code > OBB3
• For incomplete customer accounts in Financial Accounting (FI): run report RFDKAG00 using T-Code > SE38
• For incomplete customer accounts in Sales & Distribution (SD): run report RFDKAG00 using T-Code > SE38
• For incomplete vendor accounts in Financial Accounting (FI): run report RFKKAG00 using T-Code > SE38
• For incomplete vendor accounts in Materials Management (MM): run report RFKKAG00 using T-Code > SE38
• To view changes to all customer master records: run report RFDABL00 using T-Code > SE38
• To view changes to all vendor master records: run report RFKABL00 using T-Code > SE38
• Changes made to General Ledger accounts in the company code segment: T-Code > FSS4
• Changes made to General Ledger accounts in the chart of accounts segment: T-Code > FSP4
• Monitoring of one-time vendor activity: T-Code > F40 and T-Code > FBL2N
• Activating the "Chk double inv" indicator on the Payment Transactions (Accounting) screen in the vendor master: T-Code > FK02
• To display changes made to credit management: run report RFDKLIAB using T-Code > SE38
• To change customer master data (FI): T-Code > FD02
• To change customer master data (SD): T-Code > VD02
• To change customer master data (centrally): T-Code > XD02
• List of customers for which no credit limit has been entered: T-Code > F.32
• Customer open item analysis (days overdue analysis): run report RFDOPR10 using T-Code > SA38
• Extract manual journal entries: run report RFBELJ00 using T-Code > SE38
• Extract the list of adjustments passed in consolidation: T-Code > CX58
• Identify slow-moving stock: T-Code > MC46
• Identify dead stock (stock that has not been used for a certain period of time): T-Code > MC50
• Outstanding purchase orders: T-Code > ME2L
• Goods receipt for a purchase order whose number is not known: T-Code > MB0A

COBIT – COSO Mapping (COBIT, Appendix III)

05 Case Study 1

Case Study – Project Audit in ERP Environment

Background: The client was assigned to provide detailed engineering, supply, installation, testing, commissioning and handing over of electrical works as per the specifications, Bill of Quantities and terms and conditions of the LOI for one of the new airport facilities.

The scope involved project auditing in an ERP environment: review of project site, procurement, labour, time / cost escalations from budgets, cash expenditure and custody controls, claims and liabilities, project invoicing and collections, quality, project management and site assets / equipment. The overall objective of the project audit was to determine the effectiveness of key controls as identified with management and walkthrough of processes relating to the operations, and to identify any improvement opportunities.

The client had implemented SAP.

Process & Control Weaknesses in ERP Environment

BOQ creation Process
Sr No. | Details of Observation | Number | Unit
1 | Change in BOQ | 29 | Times
2 | Difference in quantity on comparison of BOQ & PO items | 59 | Instances
3 | Difference in rate on comparison of BOQ & PO items | 17 | Instances
4 | Non-BOQ items – approval taken from Principal Contractor | 1165 | Items

Purchase Requisition
Sr No. | Details of Observation | Number | Unit | Delay
1 | Open PR | 4 | Instances |
2 | PR release before PR creation – SAP STD bug | 6 | Instances | Range of 11-69 days

Vendor Selection Process
Sr No. | Details of Observation | Number | Unit
1 | Awarding orders to vendors who provided a higher quote than available vendors with a lower quote | 4 | Instances

Purchase Ordering Process
Sr No. | Details of Observation | Number | Unit | Delay
1 | Delay between PR release and PO creation | 77 | Instances | Up to 198 days
2 | Another PO raised in spite of an open PO being available for the same vendor and the same materials | 12 | Instances |
3 | PO creation before PR release – SAP STD bug | 10 | PO | Range of 1-149 days

Project Site Observation
Sr No. | Details of Observation | Number | Unit | Sample
1 | Date of delivery not mentioned on the GRN | 9 | Instances | Out of 10 sample selection
2 | GRN not available with Debit Note | 7 | Instances | Out of 12
3 | GRN not available with Invoice | 3 | Invoices | Out of 10 sample selection
4 | No authorization on GRN | 11 | Instances | Out of 11 sample selection
5 | Delay in preparation of GRN and sending the same to HO | | |

Sr No. | Details of Observation | Number | Unit | Sample
1 | Time lag in preparation of MIR | 18 | Instances | Out of 22 sample selection
2 | Maintenance of fire extinguishers and physical security | 4 | Instances |
3 | Approval of Consultant not available | 7 | Instances | Out of 22 sample selection

GRN Process

06 Case Study 2

Case Study – Outsourced Account Payable Process in ERP

Background:

Payment process review (for spend categories other than Edible Material, Packing Material and Capital expenditure only). We assessed the adequacy of the control environment for both PO-based and non-PO-based payments. The review included the following sub-processes:
• Invoice verification by the users (availability of evidence of procurement of services/materials, system interface)
• Payment processing by the outsourced service provider (basis for processing, authorizations, etc.)
• Payment authorization by the Central office

Transactions' review: We reviewed the following aspects of the payment transactions:
• Existence of order/contract in the system with the requisite terms
• Supporting for receipt of goods / services
• Evidence of the quality/quantity of receipt
• GRN / service entry
• 3-way match (order, GRN and invoice)
• Authorization for payments
• Control over payments – correct vendor and correct amount
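Several observations in both case studies (a PO created before its PR was released, the delay between PR release and PO creation, a second open PO for the same vendor and material, POs raised after the invoice was received, and the 3-way match of order, GRN and invoice) are checks an auditor can run over a document extract rather than test by sampling alone. The following is an added example and not the client's or SAP's own code: it runs those checks over a small constructed set of PR, PO, GRN and invoice records. The field names, document numbers and the 30-day PR-to-PO threshold are assumptions made for the example.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed purchase requisitions, purchase orders, goods receipts and
# invoices (not client data); dates are ISO strings as a table extract gives them.
PRS = [
    {"pr": "PR100", "created": "2013-03-01", "released": "2013-03-02"},
    {"pr": "PR101", "created": "2013-03-05", "released": "2013-03-20"},
    {"pr": "PR103", "created": "2012-12-28", "released": "2013-01-01"},
]
POS = [
    {"po": "PO500", "pr": "PR100", "vendor": "V1", "material": "CABLE-25",
     "qty": 100, "rate": "52.00", "created": "2013-03-03", "open": True},
    # Raised ten days before its PR was released; also a second open PO for V1 / CABLE-25.
    {"po": "PO501", "pr": "PR101", "vendor": "V1", "material": "CABLE-25",
     "qty": 40, "rate": "52.00", "created": "2013-03-10", "open": True},
    # No PR at all, and created after the vendor's invoice had already arrived.
    {"po": "PO502", "pr": None, "vendor": "V2", "material": "PANEL-A",
     "qty": 2, "rate": "9000.00", "created": "2013-05-02", "open": False},
    # Converted to a PO 73 days after PR release.
    {"po": "PO503", "pr": "PR103", "vendor": "V3", "material": "CONDUIT-20",
     "qty": 10, "rate": "15.00", "created": "2013-03-15", "open": False},
]
GRNS = [
    {"grn": "G1", "po": "PO500", "qty": 100, "date": "2013-03-20"},
    {"grn": "G2", "po": "PO502", "qty": 2, "date": "2013-05-03"},
]
INVOICES = [
    {"inv": "I1", "po": "PO500", "vendor": "V1", "qty": 100, "rate": "52.00", "date": "2013-03-25"},
    # No goods receipt exists for PO501 and the invoiced rate differs from the PO.
    {"inv": "I2", "po": "PO501", "vendor": "V1", "qty": 40, "rate": "55.00", "date": "2013-04-02"},
    {"inv": "I3", "po": "PO502", "vendor": "V2", "qty": 2, "rate": "9000.00", "date": "2013-04-28"},
]


def _day(s):
    return date.fromisoformat(s) if s else None


def sequence_exceptions(prs, pos, invoices, max_pr_to_po_days=30):
    """Document-flow exceptions: PO without a PR, PO dated before the PR release,
    slow PR-to-PO conversion, PO dated after its first invoice, and more than one
    open PO for the same vendor and material. Returns (document, finding) pairs."""
    pr_by_id = {p["pr"]: p for p in prs}
    first_invoice = {}
    for inv in invoices:
        d = _day(inv["date"])
        if inv["po"] not in first_invoice or d < first_invoice[inv["po"]]:
            first_invoice[inv["po"]] = d
    findings, open_pos = [], defaultdict(list)
    for po in pos:
        po_date = _day(po["created"])
        pr = pr_by_id.get(po["pr"])
        if pr is None:
            findings.append((po["po"], "PO without purchase requisition"))
        elif pr["released"] is None or _day(pr["released"]) > po_date:
            findings.append((po["po"], "PO created before PR release"))
        else:
            delay = (po_date - _day(pr["released"])).days
            if delay > max_pr_to_po_days:
                findings.append((po["po"], f"PR-to-PO delay {delay} days"))
        if po["po"] in first_invoice and first_invoice[po["po"]] < po_date:
            findings.append((po["po"], "PO created after invoice date"))
        if po["open"]:
            open_pos[(po["vendor"], po["material"])].append(po["po"])
    for (vendor, material), ids in open_pos.items():
        if len(ids) > 1:
            findings.append((",".join(ids), f"duplicate open POs for {vendor}/{material}"))
    return findings


def three_way_match(pos, grns, invoices):
    """Order / receipt / invoice match per invoice; an empty problem list means
    the invoice may be released for payment."""
    po_by_id = {p["po"]: p for p in pos}
    received = defaultdict(int)
    for g in grns:
        received[g["po"]] += g["qty"]
    results = {}
    for inv in invoices:
        problems = []
        po = po_by_id.get(inv["po"])
        if po is None:
            problems.append("no purchase order")
        else:
            if inv["vendor"] != po["vendor"]:
                problems.append("vendor differs from PO")
            if Decimal(inv["rate"]) != Decimal(po["rate"]):
                problems.append("rate differs from PO")
        if received[inv["po"]] == 0:
            problems.append("no goods receipt")
        elif inv["qty"] > received[inv["po"]]:
            problems.append("invoiced qty exceeds received qty")
        results[inv["inv"]] = problems
    return results
```

On a real extract the same functions run over thousands of documents; the case-study counts (instances of PO-before-PR, open PRs, delay ranges) are then the lengths and date spans of the returned findings rather than a sample result.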

Sr. No. 1
Control weakness:
• POs raised during the period under scope are not authorized, as there is no release strategy defined in SAP for any of the spend categories except Edible Material (EM), Packing Material (PM), Capex (CT) & Engineering Goods (EG).
• Signatures on POs have not been verified by the Outsourced Account Payable Vendor, under the assumption that all POs are raised through the release strategy.
• There is no process defined to raise a purchase requisition before raising a PO for all the spend categories except EM, PM, CT & EG.
Business risks:
• Unauthorized procurement & payment of goods / services
• Risk of payment for services not procured / not received
• Ordering of materials / services which may not be required

Sr. No. 2
Control weakness:
• Payments for invoices pertaining to and booked by locations are made by the Outsourced Account Payable Vendor based on Excel sheet details provided by the (plant) locations, without verifying the actual invoices.
• The control weaknesses in this process are: there is no authorized person identified at the location to send invoice details to the service provider for payment; there is no check/control defined from HO on payments made through Excel files; there is no limit defined for making payments through Excel files; the credit period is not considered while making these payments.
Business risks:
• Unauthorized payments made for location purchases
• Inadequate controls over payment, if payments are made based on the Excel sheet details and not based on verifying the scanned invoices / supporting

Sr. No. 3
Control weakness:
• The Outsourced Account Payable Vendor has made payments without VPF for non-PO-based transactions and has not parked the invoices separately in SAP (as held for payment). This is in non-compliance with the specific instruction to the Outsourced Account Payable Vendor to pay non-PO-based transactions only through VPF.
Business risks:
• Risk of payment without appropriate authorizations

Sr. No. 4
Control weakness:
• SAP application controls are not in place to disallow duplicate code creation for vendors based on PAN number / other details like vendor name / similar name.
• There is no preventive manual control in place to detect the existence of similar vendor names in the master records.
Business risks:
• Risk of making duplicate payments in the existing scenarios where POs are made based on the invoice after receipt of the invoice
• Risk that duplicate payments, if any, are not detected by SAP's duplicate-invoice checking mechanism, as the invoice has been paid under a different vendor code

Sr. No. 5
Control weakness:
• POs have been generated after receipt of invoices.
Business risks:
• Risk of duplicate payments if more than one PO is prepared for the same invoice

Sr. No. 6
Control weakness:
• Absence of a process / application control to identify and detect the same invoice number for the same vendor in SAP.
• Improper ASL structure wherein the same receipt of the same service can be authorized by two persons. A person performing the back-up role in the absence of the other person is, however, allowed.
Business risks:
• Risk of duplicate payments (5 duplicate payments amounting to Rs. xx lacs have been identified for the period under audit)
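Control weaknesses 4 and 6 above (duplicate vendor codes that defeat SAP's duplicate-invoice check, and the same invoice number or the same bill booked under two vendor codes) can be tested with a duplicate analysis over the vendor master and the invoice register. The following is an added example and not code from the presentation or from SAP: it groups vendor codes by PAN and by normalised name, resolves each code to one supplier identity, and then reports invoices that repeat (supplier, invoice number) or (supplier, amount, date) across codes. The vendor names, PANs and invoices are constructed sample data, and the normalisation rules are assumptions a real engagement would tune to the master data in hand.

```python
import re
from collections import defaultdict
from decimal import Decimal

# Constructed vendor master and invoice register (not client data).
VENDOR_MASTER = [
    {"code": "V0001", "name": "Sharma Electricals Pvt. Ltd.", "pan": "AAACS1234F"},
    {"code": "V0007", "name": "SHARMA ELECTRICALS PVT LTD", "pan": "AAACS1234F"},   # same PAN, name variant
    {"code": "V0012", "name": "Sharma Electrical Private Limited", "pan": ""},       # similar name, PAN not captured
    {"code": "V0020", "name": "Mehta Cables", "pan": "AABCM9876K"},
]
AP_INVOICES = [
    {"code": "V0001", "inv_no": "INV/113", "amount": "48000.00", "date": "2013-06-04"},
    {"code": "V0007", "inv_no": "INV-113", "amount": "48000.00", "date": "2013-06-04"},  # same bill, second code
    {"code": "V0020", "inv_no": "0091", "amount": "12500.00", "date": "2013-06-10"},
    {"code": "V0020", "inv_no": "91", "amount": "12500.00", "date": "2013-06-10"},        # same vendor, number variant
    {"code": "V0020", "inv_no": "92", "amount": "7300.00", "date": "2013-06-12"},
    {"code": "V0012", "inv_no": "A-77", "amount": "48000.00", "date": "2013-06-04"},      # third code, same amount/date
]

# Assumed list of legal-form words to ignore when comparing names.
LEGAL_FORM_WORDS = {"pvt", "private", "ltd", "limited", "llp", "inc", "co", "company"}


def normalise_name(name):
    """Lower-case, drop punctuation and legal-form words, and strip a trailing
    's' so 'Electricals' and 'Electrical' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t.rstrip("s") for t in tokens if t not in LEGAL_FORM_WORDS)


def normalise_inv_no(inv_no):
    """Keep alphanumerics only and drop leading zeros from the numeric part."""
    s = re.sub(r"[^A-Za-z0-9]", "", inv_no).upper()
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", s)


def duplicate_vendors(vendors):
    """Groups of vendor codes that share a PAN or a normalised name."""
    by_pan, by_name = defaultdict(list), defaultdict(list)
    for v in vendors:
        if v["pan"]:
            by_pan[v["pan"].upper()].append(v["code"])
        by_name[normalise_name(v["name"])].append(v["code"])
    return [(key, sorted(codes))
            for index in (by_pan, by_name)
            for key, codes in index.items() if len(codes) > 1]


def vendor_identity(vendors):
    """Map each code to one supplier identity: its own PAN, else the PAN of a
    vendor with the same normalised name, else the normalised name itself."""
    name_to_pan = {}
    for v in vendors:
        if v["pan"]:
            name_to_pan.setdefault(normalise_name(v["name"]), v["pan"].upper())
    identity = {}
    for v in vendors:
        name = normalise_name(v["name"])
        identity[v["code"]] = v["pan"].upper() if v["pan"] else name_to_pan.get(name, name)
    return identity


def duplicate_invoices(vendors, invoices):
    """Invoices that repeat (supplier, invoice number) or (supplier, amount, date)
    once vendor codes are resolved to supplier identities. Returns
    (list of invoice indexes, reason) pairs."""
    identity = vendor_identity(vendors)
    exact, loose = defaultdict(list), defaultdict(list)
    for i, inv in enumerate(invoices):
        who = identity.get(inv["code"], inv["code"])
        exact[(who, normalise_inv_no(inv["inv_no"]))].append(i)
        loose[(who, str(Decimal(inv["amount"])), inv["date"])].append(i)
    hits = {}
    for reason, index in (("same invoice number", exact), ("same amount and date", loose)):
        for idx in index.values():
            if len(idx) > 1:
                hits.setdefault(tuple(idx), reason)
    return [(list(idx), reason) for idx, reason in hits.items()]
```

The point of the identity step is the one made in weakness 4: SAP's own duplicate-invoice check keys on the vendor code, so the analysis has to collapse the codes first or the INV/113 and INV-113 pair is invisible to it. The looser amount-and-date match picks up the case where the invoice number was keyed differently under a third code.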

07 RCM (Risk & Control Matrix)

Sr. No. 1
Activity: Creation of new user ID
Risk: Risk of creating user ID without appropriate approval
Risk category: High
Existing control: There is a creation policy in place which states the procedure for creation of a user ID. A form for creation of a User ID (SAP User ID Management and Authorisation Form) is available, on which approvals of the concerned HOD, Business Process Owner and Role Owner are taken. The role in SAP as per the designation and functions to be performed is also mentioned on the form. Based on the information provided on the form, the technical team processes the request, creates a SAP User ID and assigns roles to it.

Sr. No. 2
Activity: User codes are not created with critical SAP profiles like SAP_ALL / SAP_NEW, which allow a user to perform almost all activities in SAP.
Risk: Risk of granting access rights not matching users' roles & responsibilities
Risk category: High

Sr. No. 3
Activity: Granting access controls to users
Risk: Risk of granting access rights not matching users' roles & responsibilities
Risk category: High
Existing control: Roles are assigned to the User ID based on the approval of the BPO / Role Owner on the creation form.

Sr. No. 4
Activity: Display roles are created / extended to users strictly for viewing and data retrieval purposes, and no data-manipulation transactions are attached to such roles.
Risk: Risk of granting access rights not matching users' roles & responsibilities
Risk category: High
Existing control: Roles are assigned to the User ID based on the approval of the BPO / Role Owner on the creation form and as per the needs of the business. If a screen is available to the role, then viewing rights are given. Existing IDs containing display rights have 'DISPLAY' stated in the description column. By SAP T-Code, the rights assigned (creation, amendment, approval, display etc.) can be easily identified. IDs can also be controlled through the activity values assigned to the role (01 create, 02 change, 03 display).

Sr. No. 5
Activity: Review of controls for creation of user IDs for outsourced / temporary staff
Risk: Risk of creating user ID without appropriate approval
Risk category: High
Existing control: Approvals of the CFO and CIO are taken. The HOD decides the role in SAP as per the designation. Approval of the Role Owner and Business Process Owner (BPO) is taken for creation of the User ID. Also, the minimum validity of the User ID created is 6 months.

RCM – Access Control Review

Sr. No. 6
Activity: Redundant user codes without use for a specific time gap are monitored on a regular basis and reported to the CIO for necessary action.
Risk: Risk of mis-use of user IDs
Risk category: High
Existing control: There is a Password Policy which states that users must change their password on first use and every 30 days, system-level passwords are to be changed every 60 days, accounts are locked after 5 unsuccessful logins, general password construction guidelines, etc. Dialog user IDs which have not logged in for 30 days get blocked, and those not logged in for 60 days get de-activated. The user has to approach the IT Help Desk team to unblock the ID. In the case of a de-activated ID, the user has to follow the same procedure as for creation for subsequent re-activation.

Sr. No. 7
Activity: A process exists to lock / delete user codes of separated / job-rotated employees to guard against unauthorized alteration of data. (If yes, specify the mechanism in brief.)
Risk: Risk of usage of the user ID of a separated employee
Risk category: High
Existing control: In case of amendment, IDs are usually changed for plant personnel. Plant-specific IDs, in case of amendment, undergo deletion and subsequent creation. In case of a change in the designation of a person, approval of the Business Head is taken. Also, Virsa rules take care of maker-checker conflicts.
In case of deletion, there is a deletion policy in place which states the procedure for deletion. The process note on User ID Management states that for permanent and temporary employees, a scheduled background job will automatically delete their IDs on deactivation in the HR master record. For off-roll associates, the SAP User ID Management and Authorisation Form is to be filled in and the approval of the HOD and BPO taken for further processing of the deletion of the user ID. As per the deletion policy, deletion should take place within 2 days of form submission.

Sr. No. 8
Activity: MIS reporting and regular monitoring exist to identify duplicate / idle user codes in SAP for necessary action against them to pre-empt misuse. (Share documented evidence of regular monitoring of duplicate / idle user codes and the action-taken report.)
Risk: Risk of mis-use of user IDs
Risk category: Medium
Existing control: The system has been configured to check for duplication of user IDs. In the case of an outsourced employee joining as a permanent employee, the user ID has to be deleted and a new user ID created with the applicable logic.

Sr. No. 9
Activity: A formally authorised list of BPOs / business owners is available for approving access for Telcon users, including 3rd parties.
Risk: Risk of creating user ID without appropriate approval
Risk category: High
Existing control: The activity of SAP User ID management has been outsourced to xx Vendor. As the information system is owned by the company, the agreement has been entered into by the company with the outsourced vendor.

Sr. No. 10
Activity: User types of SAP user codes (dialog, service, system, communication etc.) are not altered without written approval from the designated authority. (If changed, share copies of the approval.)
Risk: Risk of amendment without proper approval or against norms
Risk category: High
Existing control: In case of amendment, IDs are usually changed for plant personnel. Plant-specific IDs, in case of amendment, undergo deletion and subsequent creation. In case of a change in the designation of a person, approval of the Business Head is taken. Also, Virsa rules take care of maker-checker conflicts. There is a role modification form available for the assignment of roles to User IDs, on which appropriate approvals are to be taken. Also, if a specific role is created for a defined set of users / department, a Role Creation form is available for the same.

Sr. No. 11
Activity: A mechanism exists to prevent creation of duplicate user codes in SAP. (If yes, specify the mechanism.)
Risk: Risk of mis-use of user IDs
Risk category: Medium
Existing control: The system checks for duplication. In the case of an outsourced employee joining as a permanent employee, the user ID has to be deleted and a new user ID created with the applicable logic.

Sr. No. 1
Activity: Access log record monitoring
Risk: Risk of mis-use of user IDs
Risk category: High
Existing control: Records of access logs are available.

Sr. No. 2
Activity: Documented, updated and approved policies / procedures are available for logical access to SAP and communicated to all concerned users.
Risk: Risk of non-adherence to documented procedure
Risk category: Medium
Existing control: At the time of creation of a User ID, the form filled in by the user bears an undertaking w.r.t. access, password sharing, password security, confidentiality, adherence to policies etc.

Sr. No. 3
Activity: The following points are included in the policy / procedure documents:
(a) Maintenance and use of default super-users (e.g. SAP*, DDIC etc.).
(b) User master creation, maintenance and administration.
(c) Allocation of user licences.
(d) Activation / deactivation of SAP user codes, particularly in view of separation / job rotation.
(e) Naming convention to be followed for creation / amendment of the user master.
(f) Setting of control parameters and password management etc.
(g) Use of firefighter IDs.
(h) Regular monitoring / locking of redundant user codes / authorizations granted to users.
Risk category: Medium
Existing control: Policies pertaining to creation, deletion, password management, and creation and usage of fire-fighter IDs are in place.

Sr. No. 4
Activity: Standard forms are available / used for approval and granting of access authorization by the administrator to all users.
Risk: Risk of granting access rights without appropriate approval
Risk category: Medium
Existing control: The SAP User ID Management and Authorisation Form is available, containing various details for creation of User IDs, on which appropriate approvals as per the Approval Authority Matrix are taken. Approvals are also taken for amendment of SAP rights.

Sr. No. 6
Activity: SoD violations are checked using an automated tool for each user code while granting any privilege, and approved documented evidence is preserved. (Share evidence of regular SoD checking and approval reports.)
Risk: Review of access rights given vis-à-vis roles of the user
Risk category: High

Sr. No. 7
Activity: Mitigating control(s) are defined / approved by the designated authority for all users granted authorizations with SoD conflicts, and updated in the system.

Sr. No. 8
Activity: All approved user code creation / deletion forms, evidence of SoD checking and related documents, if any, are preserved for future reference. (Share copies of the latest 10 user code creation / deletion forms as evidence.)
Risk category: Medium

Sr. No. 9
Activity: Amendments of rights for users
Risk: Risk of amendment without proper approval or against norms
Risk category: High

Sr. No. 10
Activity: Firefighter IDs are created and extended to users with approval from the designated authorities.
Risk: Risk of misusing firefighter IDs
Risk category: High

Sr. No. 11
Activity: Usage logs of Firefighter IDs are preserved and reviewed after every use to detect any misuse of the system or posting of abnormal transactions. (If yes, share 5 log files of Firefighter IDs used in the recent past.)

Sr. No. 12
Activity: Super user ID access review
Risk: Risk of misusing super user IDs

Sr. No. 13
Activity: Default super users are deactivated and used only with written approval from the designated authority.

Sr. No. 14
Activity: Automatic expiry of passwords at a predefined interval and a password protection mechanism exist to guard against misuse of SAP user codes.
Risk: Risk of not changing passwords on a regular basis, leading to mis-use
Risk category: High

Sr. No. 15
Activity: Passwords of all servers / clients are changed after installation / every use by the designated authority and preserved securely.

Sr. No. 16
Activity: Passwords granted initially or re-set for users are communicated in a secure manner to maintain confidentiality.

Sr. No. 17
Activity: Duly approved password re-set forms are used for requesting initialization of passwords as per policy.

Sr. No. 18
Activity: Authorizations are granted to users strictly on the need-to-know and need-to-do principle, and excess / unauthorized access is reviewed / removed regularly.
Risk: Risk of granting unauthorised access to users
Risk category: High
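Several rows of the RCM above (critical profiles SAP_ALL / SAP_NEW, blocking after 30 idle days and de-activating after 60, default super users such as SAP* and DDIC, and the SoD check at the time any privilege is granted) can be re-performed by the auditor from a user-master extract. The following is an added example and not the client's tooling or SAP code: it applies those rules to a constructed extract with the columns an auditor would pull from the user master (user type, last logon, lock status, profiles, roles). The user IDs, role names, review date and SoD rule pairs are assumptions made for the example.

```python
from datetime import date

# Review date and a constructed user-master extract (not client data). Columns
# resemble what an auditor pulls from SAP user master tables: user type, last
# logon and lock status (USR02), profiles (UST04) and roles (AGR_USERS).
REVIEW_DATE = date(2013, 11, 23)
USER_EXTRACT = [
    {"user": "ASHOK", "type": "Dialog", "last_logon": "2013-11-20", "locked": False,
     "profiles": ["S_A.USER"], "roles": ["Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"]},
    {"user": "PRIYA", "type": "Dialog", "last_logon": "2013-10-10", "locked": False,
     "profiles": [], "roles": ["Z_VENDOR_MASTER_MAINTAIN"]},
    {"user": "TEMP01", "type": "Dialog", "last_logon": "2013-08-01", "locked": False,
     "profiles": ["SAP_ALL"], "roles": []},
    {"user": "SAP*", "type": "Dialog", "last_logon": "2013-11-01", "locked": False,
     "profiles": ["SAP_ALL"], "roles": []},
    {"user": "DDIC", "type": "Dialog", "last_logon": "2013-01-15", "locked": True,
     "profiles": ["SAP_ALL"], "roles": []},
    {"user": "RFC_MM", "type": "System", "last_logon": "2013-06-01", "locked": False,
     "profiles": ["SAP_NEW"], "roles": []},
]

CRITICAL_PROFILES = {"SAP_ALL", "SAP_NEW"}
DEFAULT_SUPERUSERS = {"SAP*", "DDIC"}
# Assumed SoD rule set: role pairs that one user must not hold together.
SOD_RULES = [
    ({"Z_AP_INVOICE_ENTRY", "Z_AP_PAYMENT_RUN"}, "enter invoice and run payment"),
    ({"Z_VENDOR_MASTER_MAINTAIN", "Z_AP_PAYMENT_RUN"}, "maintain vendor and pay vendor"),
]


def idle_status(user, today=REVIEW_DATE, lock_after=30, deactivate_after=60):
    """Policy from the RCM: dialog IDs idle 30 days are blocked, idle 60 days
    de-activated. System/service IDs and already-locked IDs are out of scope."""
    if user["type"] != "Dialog" or user["locked"]:
        return None
    idle_days = (today - date.fromisoformat(user["last_logon"])).days
    if idle_days >= deactivate_after:
        return "deactivate"
    if idle_days >= lock_after:
        return "lock"
    return None


def sod_conflicts(user, rules=SOD_RULES):
    """Descriptions of every conflicting role pair the user holds in full."""
    held = set(user["roles"])
    return [desc for pair, desc in rules if pair <= held]


def grant_check(user, new_role, rules=SOD_RULES):
    """Preventive check at grant time: conflicts that adding new_role would create."""
    trial = dict(user, roles=user["roles"] + [new_role])
    before = set(sod_conflicts(user, rules))
    return [c for c in sod_conflicts(trial, rules) if c not in before]


def review_users(users, today=REVIEW_DATE):
    """Detective review over the whole extract; returns (user, finding) pairs."""
    findings = []
    for u in users:
        critical = CRITICAL_PROFILES & set(u["profiles"])
        if critical:
            findings.append((u["user"], "critical profile " + ", ".join(sorted(critical))))
        if u["user"] in DEFAULT_SUPERUSERS and not u["locked"]:
            findings.append((u["user"], "default superuser not locked"))
        status = idle_status(u, today)
        if status:
            findings.append((u["user"], "idle dialog ID: " + status))
        for conflict in sod_conflicts(u):
            findings.append((u["user"], "SoD conflict: " + conflict))
    return findings
```

grant_check is the preventive side of row 6 (the check run while granting a privilege); review_users is the detective side that rows 2, 6, 8, 12 and 13 describe, and its output is the evidence those rows ask the auditee to share.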

08 SAS 70/ SSAE 16

45

SSAE 16 Audit Project

About Company

The Company (Service Provider) is located in Mumbai, India and provides a one-stop solution for all employee life cycle management needs, with flexible delivery models including outsourced processing of payroll for its user organizations. The Company provides solutions to a customer base of over 160 clients and processes three hundred thousand plus employee records every month, with offices in five cities in India and operations in Singapore, Sri Lanka, Australia and Dubai.

About the Engagement

The service provider, on behalf of its US listed clients, has appointed us to provide reasonable assurance on the following aspects (on behalf of the user entity/ auditor):

i. the service organization's description of its system fairly presents the system that was designed and implemented throughout the specified period

ii. the controls related to the control objectives were suitably designed throughout the specified period

iii. the controls operated effectively to provide reasonable assurance that the control objectives were achieved throughout the specified period.

Audit Sites

The headquarters of the company is situated in Mumbai, with multiple data processing and production sites in the suburbs of Mumbai.

Audit Approach & Methodology

1. Understanding of key business processes & risks
2. Identify sub-processes and controls
3. Identify control objectives for each sub-process
4. Assess and verify control objectives by identifying tests to be performed
5. Highlight results of the tests and control weaknesses to the management
6. Implement suggested controls and issue audit report

Controls Tested & Deficiencies Observed

Sr. No | Process | Title (each row is followed by its Observations and Corrective Action Plans Initiated)

1 | ITGC | Disaster Recovery
Observations:
• Software data can be recovered within 4 hours (as defined in the SLA with the IDC) from the disaster. The service provider has not tested the recovery plan till date.
• No recovery of working Excel files & emails can be made in case a disaster strikes the local server area.
Corrective Action Plans Initiated:
• Mock drill was carried out and data was pulled from the IDC.
• Monthly schedule was prepared for back up of working Excel files and emails.

2 | ITGC | Issues Management
Observations:
• 2282 issues were closed and on an average 7.87 days are taken to close the issues.
Corrective Action Plans Initiated:
• Turn Around Time (TAT) was defined for resolving IT issues and one of the KRAs for the IT team was set to resolve issues within TAT.

3 | ITGC | Audit trail of access and/or attempted access
Observations:
• Company doesn't have infrastructure in place to maintain an audit trail of access and/or attempted access.
Corrective Action Plans Initiated:
• Firewall was set up to provide an audit trail of access and/or attempted access.

4 | ITGC | Prevention of system from virus, worm, security threats etc.
Observations:
• Kaspersky antivirus is used for virus protection, but on many PCs the licences have expired and no action is taken to get them renewed and updated.
• No system of triggers in the case of removal/uninstallation of antivirus from a PC.
• No uninstallation logs are maintained for antivirus.
Corrective Action Plans Initiated:
• One time activity was carried out identifying expired antivirus.

5 | ITGC | System changes/ development are authorized. Change management
Observations:
• There is no standard format for such requests, therefore controlling database access requests and impact analysis will be difficult. All the access given so far has not been revoked till date.
Corrective Action Plans Initiated:
• Each access request was recorded, approved, monitored and revoked post event (if no permanent need). One database custodian was identified for this purpose.

6 | ITGC | Business Continuity Plan
Observations:
• BCP policy has been developed and documented; however, it is not implemented or tested till date. No BCP team and critical team is identified. No recovery time is tested and identified. No mock drill is carried out, etc.
Corrective Action Plans Initiated:
• Mock drill was carried out as per BCP policy and the result was recorded.

7 | ITGC | Data Security
Observations:
• As per the agreement with the original company, the service provider will store data at three different locations; however, the same is only stored at two locations.
• As per the agreement with the original company, the service provider should encrypt the data which is shared; however, data transferred through email is not encrypted.
• CCTV camera in the server room only records real time video and no back up is done of the recording. Moreover, there is no dedicated person or computer where video can be monitored.
• No BIOS passwords are set and BIOS is configured in default mode.
Corrective Action Plans Initiated:
• BCP location was identified as the third location for storing data.
• Service provider will evaluate encryption options.
• Service provider will evaluate the option of back up of CCTV camera recordings in the next meeting.
• BIOS is now password protected.

8 | ITGC | Implementation of information security policy
Observations:
• Users can access their personal email, which has a risk of sharing company files.
• Social networking sites and gaming sites, which are declared as blocked in group policy, are not blocked and can be accessed by all the employees.
Corrective Action Plans Initiated:
• Personal emails and social networking sites are blocked now.

9 | ITGC | WLAN
Observations:
• Service provider's wireless network is secured by weak password protection, no MAC filtering has been done and the SSID is kept open.
• SSID broadcast should be kept hidden and MAC filtering should be done to ensure greater security.
Corrective Action Plans Initiated:
• Service provider will evaluate the risk and make necessary amendments.

10 | ITGC | Network Scanning
Observations:
• No periodic network scanning is done and the system crashes at maximum pressure while processing payrolls.
Corrective Action Plans Initiated:
• Service provider has put in place a process to check its network perimeters to ensure good health of its network. Various tools have been used for the same.

11 | ITGC | Authorisation & Access Control
Observations:
• No such system is available/ used and each directory/ folder is accessible on the network.
Corrective Action Plans Initiated:
• Software was used for authorization of access to the network, and access to all the folders was restricted and given on a need basis.

12 | New client Induction | Agreement
Observations:
• On verification on a sample basis, we observed that for all three sample clients the agreement has not been signed till date; however, the work has started on the same.
Corrective Action Plans Initiated:
• Agreement has been signed by both parties immediately.

13 | New client Induction | Sign off from implementation team & payroll team during transfer of client from implementation team to payroll team
Observations:
• Sign-off is not obtained from the implementation team to confirm that implementation is done to the satisfaction of the client.
• Sign-off that all the data and knowledge understanding is passed on to payroll is not obtained from the implementation team, and sign-off from the payroll team that they have properly understood the client's requirements should also be obtained.
Corrective Action Plans Initiated:
• Sign-off list is prepared wherein key parameters like all the client files including emails have been transferred, critical issues faced during implementation have been discussed, etc.

14 | Employee Master | New employees input data checking and validation
Observations:
• On a sample verification, we have observed that no checking or validation is done for new employees. New employees are updated in the master as and when inputs are received from clients.
Corrective Action Plans Initiated:
• Checkpoints are defined to ensure that duplicate entries are not made. Unique fields like PAN, PF/ESIC A/C no, Bank A/C no etc. are identified as inbuilt controls in the system.

15 | Payroll Processing | Authenticating input data
Observations:
• On verification on a sample basis, we have observed that in 2 cases out of 5 clients, the list of authorized personnel was not obtained. Inputs are accepted on a call and the same are processed without obtaining confirmation over an email.
Corrective Action Plans Initiated:
• List of authorized personnel for sending information is now defined at the inception of the engagement, and only information received from authorized personnel is considered.

16 | Payroll Processing | Maker Checker concept to ensure that payroll is processed for all employees accurately
Observations:
• We have analyzed maker-checker logs and it has been observed that for 50% of the checks, on average 32 and 14 seconds are taken by checker 1 and checker 2 respectively.
Corrective Action Plans Initiated:
• Checkpoints were defined for the checker (rather than verifying all the activities of the maker). Following are the checkpoints:
  • Reconciliation of last month's salary with current month's salary
  • Employee count reconciliation
  • Reconciliation of input tracking register
  • Sample based check for addition, updation, deletion & existing
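The maker-checker finding (item 16) rests on measuring how long each checker actually spends before approving. The following Python example is added here and is not the author's or the service provider's code; it runs that analytic over a constructed log, assuming a CSV-style log format, a sequential maker / checker 1 / checker 2 workflow, and a 60-second threshold below which an approval is treated as a possible rubber stamp.

```python
# Added example (not from the original presentation): an audit analytic over
# maker-checker logs that flags approvals too quick to be a real review, the
# pattern behind finding 16. Log format and records are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample log: timestamp, action, user, payroll batch.
# Assumed workflow: maker submits, checker 1 approves, then checker 2 approves.
SAMPLE_LOG = """\
2013-11-01 10:00:00,submit,maker1,BATCH-101
2013-11-01 10:00:31,approve,checker1,BATCH-101
2013-11-01 10:00:44,approve,checker2,BATCH-101
2013-11-01 11:00:00,submit,maker1,BATCH-102
2013-11-01 11:25:00,approve,checker1,BATCH-102
2013-11-01 11:25:12,approve,checker2,BATCH-102
"""
FMT = "%Y-%m-%d %H:%M:%S"


def parse_log(text):
    """Return a list of (timestamp, action, user, batch) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, action, user, batch = line.split(",")
        rows.append((datetime.strptime(ts, FMT), action, user, batch))
    return rows


def review_durations(rows):
    """Seconds between the previous step on a batch (maker's submit or the
    earlier checker's approval) and each checker's own approval."""
    last_step = {}                 # batch -> timestamp of its latest step
    durations = defaultdict(list)  # checker -> list of seconds
    for ts, action, user, batch in sorted(rows):
        if action == "approve" and batch in last_step:
            durations[user].append((ts - last_step[batch]).total_seconds())
        last_step[batch] = ts
    return dict(durations)


def flag_rubber_stamps(durations, min_seconds=60):
    """Per checker: mean and median review time, and the share of approvals
    faster than min_seconds (assumed threshold for a meaningful check)."""
    report = {}
    for checker, secs in durations.items():
        quick = sum(1 for s in secs if s < min_seconds)
        report[checker] = {"mean": round(mean(secs), 1),
                           "median": median(secs),
                           "quick_share": quick / len(secs)}
    return report
```

On the constructed log, checker 2 approves every batch within 15 seconds of checker 1, which is the kind of pattern that justified replacing full re-verification with the defined reconciliation checkpoints.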

09 In conclusion


The views expressed in this material are personal in nature. Any reliance should be placed only post consultation with the author.

Thank You

Contact [email protected]