Project Report Final Project 1
of DISA 2.0 Course
CERTIFICATE
Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted at
Ranchi from 28.05.2016 to 19.06.2016 and we have the required attendance. We are submitting
the Project titled: Information Systems Audit of ERP Software
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.
Group No: 12
Place: RANCHI
Date: 13.07.2016
1. Introduction
Peacock Ltd. is a multinational company which operates a chain of supermarkets. It is one of the
largest retail conglomerates in India with a diverse portfolio of retail and hospitality brands.
The company provides a value-driven product range for the entire family through an extended
portfolio of core retail brands. Its unique value proposition is a one-stop shopping
destination that caters to all the daily needs of a consumer by providing grocery, fruits &
vegetables, meat & fish, wine & spirits, kitchenware, electronics, apparel, health & beauty,
furniture and much more, under one roof. It has recently implemented an ERP solution which
integrates all the stores across the country. Due to a recent spate of errors discovered in billing
and shortages of inventory, the CFO is increasingly concerned about the overall reliability and
security of the IT environment.
The following are the policies and procedures implemented by the company and reviewed by us
during the course of our audit:
1. Data Classification
2. Acceptable use of Information Assets
3. Physical access and Information Security
4. Asset Management Policy
5. Business continuity Management Policy
6. Network Security and Password Policy
Excellence, Integrity and Independence, the motto of our Institute of Chartered Accountants of
India, is the ultimate objective of the Firm in all its professional commitments.
XYZ & Associates is focused on creating sustainable value growth for its clients through
innovative solutions and unique pathways. It is our firm belief that we grow when we see our
clients grow. Our values are at the heart of our business reputation and are essential to our
continued success. We encourage an environment that infuses these values in every aspect of our
organization.
Customer first
Corporate Relationship
Professionalism
Commitment
Quality Priority
Our team consists of the following members, with their qualifications and experience in their
respective fields. Our Team Leader is the founder member of the firm:
Name : CA. X
Designation : Founder and Senior Partner in XYZ & Associates
Year of Completion : 2007 (C.A.)
Name : CA. Y
Designation : Senior Partner in XYZ & Associates
Year of Completion : 2008 (C.A.)
Work Experience : ISA, Statutory Audits, Internal Audits, Financial Projects, Matters relating to
Companies, ROC Filing, TDS, E-Filing etc.
Name : CA. Z
Designation : Senior Partner in XYZ & Associates
Year of Completion : 2010 (C.A.)
Qualification : B.Com (H), ACA, ACS, L.L.B, CFA (US), CFA (INDIA)
Work Experience : Statutory Audits, Internal Audits, Taxation, Consultancy, Financial Projects,
Matters relating to Companies, ROC Filing, TDS, E-Filing etc.
2. Auditee Environment
Peacock Ltd. is a multinational company which operates a chain of supermarkets. It is one of the
largest retail conglomerates in India with a diverse portfolio of retail and hospitality brands.
Their operations can be classified as:
The corporate IT environment to be audited consists of three distinct platforms. The mainframe
platform is an IBM mainframe system which provides the primary financial and sales applications.
The open systems platform consists of UNIX servers running a variety of applications and
databases, including SAP / Payroll on an Oracle database, a logistics management system, and
a stores management system. The PC and terminal network platform comprises a
combination of Windows servers used for file and print services, communication services, and
gateway services. Mainframe access is granted through Windows servers, and UNIX server
access is provided through terminal emulation.
Corporate workstations primarily run Windows 7. The corporate location is home to
approximately 300 employees and the company employs approximately 5,000 people. IT
services are critical to the company as all critical business operations rely on
computers. The company has its main data centre at Pune and a backup data centre at Noida,
with all critical data and operations available in the mirrored backup data centre. The company
has a specialized IT department with more than 50 IT professionals who are responsible for
keeping IT running. It has outsourced maintenance of the network and network security to a well-
known IT company. It has specific documented policies and procedures for all key areas of IT
operations and business processes, but these are not integrated.
The following are the policies and procedures implemented by the company and reviewed by us
during the course of our audit:
1. Data Classification
2. Acceptable use of Information Assets
3. Physical access and Information Security
4. Asset Management Policy
5. Business continuity Management Policy
6. Network Security and Password Policy
7. Information Security Policy
Regarding the Information Security Policy: information security is a business issue and needs to be properly
integrated into the organization's overall business goals and objectives, because security issues
can negatively affect the resources an organization depends upon. The objectives of information
security are to provide confidentiality, integrity and availability (CIA).
3. Background
Accordingly, the Information Systems Audit and Security cell prepares the Information Systems Audit
policy. The fundamental principle is that risk and controls are continuously evaluated by the
owners, where necessary with the assistance of the IS Audit function. It has now become impossible
to separate information technology from any business. There is a need for focused attention on
the issues of corporate governance of information systems in a computerized environment
and the security controls to safeguard information and information systems. The developments
in information technology have a tremendous impact on auditing. A well-planned and structured
audit is essential for risk management and for monitoring and controlling information systems in any
organization. The senior management of the company, and specifically the CIO, is concerned
about the reliability of technology and the impact of its failure. A series of discussions were held
with the IS Audit team. Based on this, the scope of the IS Audit has been defined. The Enterprise
Security Audit has to include such tests as are considered necessary to evaluate whether the selected
procedures and policies are sufficient to provide reasonable assurance that the required controls
are available, adequate and appropriate.
The information systems assets of the organization must be protected by a system of internal
controls. This includes protection of hardware, software, facilities, people, data, technology, system
documentation and supplies. This is because hardware can be damaged maliciously, software
and data files may be stolen, deleted or altered, and supplies of negotiable forms can be used for
unauthorized purposes. The IS auditor will be required to review the physical security over the
facilities, the security over the systems software and the adequacy of the internal controls. The
IT facilities must be protected against all hazards. The hazards can be accidental hazards or
intentional hazards.
a. Accuracy: Data should be accurate. Inaccurate data may lead to wrong decisions and
thereby hinder the business development process.
b. Confidentiality: Information should not lose its confidentiality. It should be protected from
being read or copied by anyone who is not authorized to do so.
c. Completeness: Data should be complete.
d. Reliability: Data should be reliable because all business decisions are taken on the basis of
the current database.
e. Efficiency: The ratio of output to input is known as efficiency. If output is more with the
same or less actual input, system efficiency is achieved; otherwise the system is inefficient. If
computerization results in the degradation of efficiency, the effort for making the process
automated stands defeated. IS auditors are responsible for examining how efficient the application
is in relation to its users and workload.
4. Situation
We found management was generally quick and proactive in identifying and addressing risks in
project management, integration testing, and data conversion, cut-over, and retiring legacy
systems. However, while the company made improvements in security, the company remains at
risk. Furthermore, we found additional improvements are needed in payment controls and the
company requires more focus on employee training in order to fully utilize the company’s
significant investment in the system.
The primary objective of the assignment is to conduct an Information Systems Audit of the ERP
implementation and develop related IS Audit checklists for future use, through external
consultants, using globally recognized IS Audit standards and best practices. The IS audit
of the ERP has the objective of providing comfort on the adequacy and appropriateness
of controls and the mitigation of operational risks, thus ensuring that the information systems
implemented through the ERP provide a safe and secure computing environment. Further, specific
areas of improvement would be identified by benchmarking against the globally recognized best IT
practices of the COBIT framework. The initial assignment could primarily focus on the identified
areas of ERP implementation. The proposed scope of review and the terms of reference as laid
down in the following paragraphs are given in the annexure.
In this section we explain how a computerized environment changes the way business
is initiated, managed and controlled. Information technology helps in the mitigation and better
control of business risks, and at the same time brings along technology risks. Computerized
information systems have special characteristics which require different types of controls.
Technology risks are controlled by general IS controls and business risks are controlled using
application controls. Even though the controls are different, the objectives of the audit function
do not change whether information is maintained in a computerized environment or a manual
environment; only the tools and techniques are different.
The changes in control and audit tools as well as techniques have resulted in new methods of
audit. The internal controls are mapped onto the technology. These controls and their mapping
need to be understood, as also the methods to evaluate and test these controls. This requires new
skills to work effectively in a computerized environment. These new skills are categorized in
three broad areas:
In this section we bring out the fact that an Accounting Information System in the manual and
computerized environments is not the same. In the computerized environment accounting records
are kept in computer files, which are of three types, namely master file, parameter file and
transaction file. This classification is not based on the types of records but on the need
and frequency of updating and the level of security required. File and record security is implemented
using the facilities provided by the operating system, database and application software.
With the increasing use of information systems, transaction-processing systems play a vital role
in supporting business operations, and often a TPS is actually the AIS. Every transaction
processing system has three components: input, processing and output. Since information
technology follows the GIGO principle, it is necessary that input to the system be accurate,
complete and authorized. This is achieved by automating the input. A large number of devices
are now available to automate the input process for a TPS. There are two types of TPS: batch
processing and on-line processing. The documents, control and security implementation are
different for each system.
In this section we discuss the concept of security in detail. IS resources are vulnerable to various
types of technology risks and are subject to financial, productivity and intangible losses.
Resources like data actually represent the physical and financial assets of the organization.
Security is a control structure established to maintain confidentiality, integrity and availability of
data, application systems and other resources.
Linkage to Standards
Standard 060 (Performance of Audit Work) states: "During the course of the audit, we obtain
sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and
conclusions are to be supported by appropriate analysis and interpretation of this evidence."
Standard 050 (Planning) states: "As per the standard we plan the information systems audit
coverage to address the audit objectives and to comply with applicable laws and professional
auditing standards."
Standard 030 (Professional Ethics and Standards) states: "We exercise due professional care,
including observance of applicable professional auditing standards."
7. Documents reviewed
During our audit period relating to information systems, we verified the following documents:
1. Conceptualization of SDLC.
5. Vendors Contracts
7. AMC Contracts
Deliverables
1 Environmental Controls:
Control check | Compliance Status (Yes / No) | Remarks
Switch/router cabinet is inaccessible to unauthorized users. | YES |
Switch/router is housed in a separate enclosure with proper locking facilities. | YES |
The Information System facility is located in the least accessible area and/or access is limited to approved personnel only. | YES |
Confidentiality of passwords is maintained among the various users. | NO | Confidentiality should exist for data integrity.
The company holds the original licence for using the operating system software / application software other than centralized software. | YES |
Each transaction is recorded in such a way that it can subsequently be established that it has been input (e.g., transaction ID on vouchers). | YES |
Control procedures ensure that all recorded transactions are input to the system and accepted once and only once, and that if transactions are deleted, they are reported as deleted. | YES |
Format, content, accuracy and utility of the reports generated by the system are verifiable. | YES |
Outputs cannot be generated by all users; output is on a 'need to know' basis. | YES |
All important reports carry the page number, date, time stamp and the identity of the user who generated the report. | YES |
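An added example (not part of the report or of the auditee's ERP) of how the check "accepted once and only once, and deletions reported as deleted" can be tested as a reconciliation rather than by enquiry alone. It assumes the auditor can extract three lists of transaction IDs: the source vouchers, the ledger postings and the deletion report; the sample data is constructed.

```python
# Added example (not from the report): audit test for the control
# "all recorded transactions are input to the system and accepted once and
# only once; if transactions are deleted, they are reported as deleted".
# Inputs are assumed to be lists of transaction IDs extracted by the auditor.
from collections import Counter


def reconcile(voucher_ids, ledger_postings, deletion_report):
    """Return a dict of exceptions found when reconciling the source
    vouchers (input) against the ERP ledger (accepted) and the deletion
    report. An empty dict means the control operated as designed."""
    posted = Counter(ledger_postings)   # tran ID -> number of postings
    vouchers = set(voucher_ids)
    deleted = set(deletion_report)
    findings = {
        # accepted more than once: violates "once and only once"
        "duplicate_postings": sorted(t for t, n in posted.items() if n > 1),
        # input but neither posted nor reported deleted: silently dropped
        "unaccounted_inputs": sorted(vouchers - set(posted) - deleted),
        # reported deleted yet still posted: deletion report is unreliable
        "phantom_deletions": sorted(deleted & set(posted)),
        # posted with no source voucher: unauthorised or unlogged input
        "unknown_postings": sorted(set(posted) - vouchers),
    }
    return {name: ids for name, ids in findings.items() if ids}


# Constructed sample data: six vouchers keyed by transaction ID.
VOUCHERS = ["V001", "V002", "V003", "V004", "V005", "V006"]
# Ledger extract: V002 posted twice, V999 has no voucher, V004/V006 absent.
LEDGER = ["V001", "V002", "V002", "V003", "V005", "V999"]
# Deletion report: V004 correctly reported; V005 reported but still posted.
DELETION_REPORT = ["V004", "V005"]

if __name__ == "__main__":
    for name, ids in reconcile(VOUCHERS, LEDGER, DELETION_REPORT).items():
        print(f"{name}: {', '.join(ids)}")
```

Each non-empty key is an audit exception to be raised with the process owner; V004 produces no finding because it was deleted and reported, which is the behaviour the control requires.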
END