
Project Report of DISA 3.0 Course

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at:

Centre of Excellence, Gachibowli, Hyderabad from 16/12/2017 to 21/01/2018 and we have the required attendance. We are submitting the Project titled: IS Audit of ERP Software

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAWE for the project. We also certify that this project report is the original work of our group and that each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.

1. Name: Mekala Leela Raghavendra Prasad   DISA No. 53515   Signed
2. Name: Dinakar Ch   DISA No. 51258   Signed
3. Name: Santhosh Kumar Sunkara   DISA No. 53500   Signed

Place: HYDERABAD

Date: 06/02/2018

Table of Contents

1 Details of Case/Project
2 Introduction
3 Auditee Environment
4 Background
5 Situation
6 Terms and scope of assignment
7 Logistics arrangements required
8 Methodologies and Strategy adapted for execution of assignment
9 Documents reviewed
10 References
11 Deliverables
12 Format of Report/Findings and Recommendations
13 Summary/Conclusion

Project Report
Title: IS Audit of ERP Software

M/S ABM LIMITED

1. Details of Case Study/Project

ABM Limited (ABM) has been using Information Technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of ABM has been very proactive in directing the management and deployment of Information Technology. Most of the mission-critical applications in the company have been computerized and networked. ABM selected SAP Business Suite to bring a more integrated and seamless approach to internal processes. SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple units across different locations, involving extensive procedures and large volumes of data. The family of business applications provides better insight into enterprise-wide analysis based on real-time data and key performance indicators, improved quality and on-time delivery, reduction in inventory cost and enhanced customer service.

ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. The objective of the IS audit is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM.
2. Introduction

Client: ABM Limited

ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple manufacturing divisions and regional offices spread all over India. ABM operates in three major business verticals for associated equipment manufacturing:

• Mining & Construction;
• Defence; and
• Rail & Metro.

In addition to the above there are three Strategic Business Units (SBUs):
• Technology Division, providing end-to-end engineering solutions;
• Trading Division, dealing in non-company products; and
• International Business Division, for export activities.

ABM has eight manufacturing units spread over four locations.

ABM’s mission is to improve competitiveness through organizational transformation and collaboration / strategic alliances / joint ventures in technology. To this end ABM has implemented ERP with effect from October 2010 across the company. ABM successfully implemented SAP ERP and went live in a quick time span of 12 months. In a first-of-its-kind project in the country, ABM consolidated its operations across multiple locations spread across India, with all units going live simultaneously.

Audit Firm: MSD & Co LLP

We are MSD & Co LLP (“Firm”), a professional firm established in 1995, providing services such as Information System Audit (“IS Audit”), Statutory Audit, Internal Audit, Tax Audit, Consultancy for Project Finance and other related services.

In our Firm we have 23 qualified chartered accountants and 46 semi-qualified chartered accountants. Out of the 23 CAs, 9 are CISA/DISA qualified. Our firm has been providing IS Audit services for 10 years and we have 3 groups in total (each group has 3 CAs with CISA/DISA and 4 semi-qualified), headed by the following team leaders.

S.no | Name of the Team Leader | Qualification | Experience
1 | Mr. M | CA, CWA, CS, DISA, CISA | 10 years of experience in IS Audit, ERP Audit and Central Bank Audit
2 | Mr. S | CA, DISA, CISA, FAFD, FRM | 15 years of experience in IS Audit, ERP Audit and Forensic Audit
3 | Mr. D | CA, DISA, CISA, CS | 9 years of experience in IS Audit and other regular Statutory Audits

3. Auditee Environment

The primary objective of the assignment is to conduct an Information Systems Audit of the SAP implementation and develop related IS Audit checklists for future use, through external consultants, using globally recognized IS Audit standards and best practices. The IS audit of SAP has the objective of providing comfort on the adequacy and appropriateness of controls and of mitigating operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking against the globally recognized best IT practices of the COBIT framework. The initial assignment could primarily focus on the identified areas of the SAP implementation.
4. Background

ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While the Information Systems Audit to be done covers both the audit of the ERP system and a review of its implementation, the IS Audit is expected to comply with the IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subject to the applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM Limited. Further, the IS Auditors are expected to develop an IS Audit checklist for future use.

5. Situation

Business Model:

ABM LIMITED

Business: equipment manufacturing for use in
• Mining & Construction;
• Defence; and
• Rail & Metro.

Divisions: Production Division, Technology Division, Trading Division and International Business Division.

• The Production Division has 4 manufacturing locations (Location 1, Location 2, Location 3, Location 4).
• Each location has two manufacturing units (Mfg. 1 to Mfg. 8).
• There are 500 SAP users in all.

Problem:
ABM Limited has, for the first time, integrated all its business units located in different areas of India by adopting SAP-ERP; this may give rise to the following problems:
• Integrating all the existing data and applications into the new SAP-ERP may lead to loss of data.
• It requires the selection and placement of technical staff.
• Operations at each location may differ from those at other locations.

Control Weakness:
As data and services will now be provided by the SAP-ERP system, there are many control factors that need to be addressed: authorized access, data storage, segregation of duties, data migration, maintenance of the central server, AMC contracts, etc.
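As an added example (not from the report), the following script shows how the segregation-of-duties and authorized-access concerns listed above can be tested over a user-role extract: it resolves each user's roles to business functions, checks them against a conflict matrix and flags catch-all profiles that contradict "least access as required". The rule set, roles, functions and user IDs are constructed for illustration, and SAP_ALL is modelled simply as a role granting every function.

```python
"""Segregation-of-duties (SoD) review of ERP role assignments.

Added example, not part of the project report. The conflict rules, roles,
functions and user IDs are constructed; real SAP authorisations live in
roles/profiles and transaction codes that an auditor would extract from the
system rather than hard-code.
"""

# Constructed SoD rule set: pairs of business functions one person should not
# hold together, with the risk each pair represents.
SOD_RULES = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "INVOICE_POST"}): "create a vendor and post its invoices",
    frozenset({"INVOICE_POST", "PAYMENT_RUN"}): "post invoices and release payment for them",
    frozenset({"PURCHASE_ORDER_CREATE", "GOODS_RECEIPT"}): "order goods and confirm their receipt",
    frozenset({"USER_ADMIN", "ROLE_ADMIN"}): "create users and grant them roles",
}

# Constructed mapping of technical roles to the business functions they enable.
# "*" models a catch-all profile such as SAP_ALL that grants every function.
ROLE_FUNCTIONS = {
    "Z_AP_CLERK": {"INVOICE_POST"},
    "Z_AP_MANAGER": {"INVOICE_POST", "PAYMENT_RUN"},
    "Z_MM_BUYER": {"PURCHASE_ORDER_CREATE"},
    "Z_MM_STORES": {"GOODS_RECEIPT"},
    "Z_VENDOR_MASTER": {"VENDOR_MASTER_MAINTAIN"},
    "Z_BASIS_USER_ADMIN": {"USER_ADMIN"},
    "Z_BASIS_ROLE_ADMIN": {"ROLE_ADMIN"},
    "SAP_ALL": {"*"},
}

ALL_FUNCTIONS = {f for funcs in ROLE_FUNCTIONS.values() for f in funcs if f != "*"}


def functions_of(roles):
    """Resolve a list of roles to the set of business functions they grant."""
    funcs = set()
    for role in roles:
        granted = ROLE_FUNCTIONS.get(role, set())   # unknown role grants nothing
        funcs |= ALL_FUNCTIONS if "*" in granted else granted
    return funcs


def sod_violations(functions):
    """Descriptions of every SoD rule whose both sides lie in the function set."""
    return sorted(desc for pair, desc in SOD_RULES.items() if pair <= functions)


def review_roles():
    """Roles that are conflicting by design: both sides of a rule in one role."""
    findings = {}
    for role in ROLE_FUNCTIONS:
        issues = sod_violations(functions_of([role]))
        if issues:
            findings[role] = issues
    return findings


def review_users(user_roles):
    """Per-user findings: SoD conflicts across all assigned roles, plus any
    catch-all profile, which breaches 'least access as required' on its own."""
    findings = {}
    for user, roles in user_roles.items():
        issues = sod_violations(functions_of(roles))
        wildcard = [r for r in roles if "*" in ROLE_FUNCTIONS.get(r, set())]
        if wildcard:
            issues.append("catch-all profile assigned: " + ", ".join(sorted(wildcard)))
        if issues:
            findings[user] = issues
    return findings


# Constructed user master extract (user ID -> assigned roles).
SAMPLE_USER_ROLES = {
    "U1001": ["Z_AP_CLERK", "Z_VENDOR_MASTER"],          # vendor + invoice conflict
    "U1002": ["Z_MM_BUYER"],                              # clean
    "U1003": ["Z_MM_BUYER", "Z_MM_STORES"],               # order + receipt conflict
    "U1004": ["SAP_ALL"],                                 # catch-all profile
    "U1005": ["Z_AP_MANAGER"],                            # conflict inside one role
    "U1006": ["Z_BASIS_USER_ADMIN", "Z_BASIS_ROLE_ADMIN"],  # user + role admin
}

if __name__ == "__main__":
    for role, issues in review_roles().items():
        print(f"role {role}: {'; '.join(issues)}")
    for user, issues in review_users(SAMPLE_USER_ROLES).items():
        print(f"user {user}: {'; '.join(issues)}")
```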

6. Terms and Scope of Assignment

MSD & Co LLP (“Firm”) has been appointed to conduct an Information Systems Audit of the SAP implementation and develop related IS Audit checklists. The IS audit of SAP has the objective of providing comfort on the adequacy and appropriateness of controls and of mitigating operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking against the globally recognized best IT practices of the COBIT framework. These terms of reference are based on the preliminary discussion the assignment team had with the ABM team and are subject to further modification as required.

Broadly, the scope of review is primarily from a security/controls perspective and would involve:
• Assessing the vulnerability of the SAP implementation to attacks from within and outside, and suggesting appropriate countermeasures to safeguard against unauthorised use, disclosure or modification, damage or loss.
• Reviewing the processes relating to granting access to systems, verifying the logical access controls and assessing whether the specified roles and responsibilities are aligned with the business, to safeguard against unauthorized use, disclosure or modification, damage or loss.
• Assessing that audit trails exist to ensure effective monitoring of the mission-critical systems and processes.
• Assessing and evaluating the management system relating to all changes requested and made to the existing production systems, so as to minimize the likelihood of disruption, unauthorized alterations and errors.
• Evaluating data collection, analysis and reporting on resource performance, application sizing and workload demand, so as to ensure that adequate capacity is available.
• Assessing the internal control framework in respect of the specified SAP application, reviewing parameter settings and configuration management, and suggesting improvements so as to ensure that data remains complete, accurate and valid during its input, update and storage.
• Reviewing IT resources as relevant:
  - Operating software: access controls
  - Telecommunications software: access controls
  - RDBMS database: access controls
  - SAP (major focus area): configuration of parameters and access controls
  - Application controls at various stages such as input, processing, output, storage, retrieval and transmission, so as to ensure confidentiality, integrity and availability of data.
• Organization structure, policies, procedures and practices as mapped in the information systems.
• Review of policies, procedures and practices as relevant to the areas of audit.

7. Logistic Arrangements Required

The IS Auditor requires the following tools for the audit:

a) Hardware:
1) Windows-based systems, PDAs and laptops.
2) Printers and other printing devices.
3) Scanners.
4) Storage media.

b) System Software:
System software is selected according to the client's IT environment, so here the auditor has to select the system software according to the IT environment at ABM Ltd. The auditor should use original, licensed versions of system software, because this maintains the authenticity of the data.

c) CAAT tools:
1) Audit Software:
a) IDEA audit software for data extraction
b) Software used at the client site, etc.
c) Analyzer-Arbutus software
d) Pivot tables for sampling
e) Benford's Law
f) Frequency analysis
g) Audit log
d) Test data:
a) Using the Test Packs technique
b) Using an Integrated Test Facility
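As an added example (not part of the report), here is the Benford's Law first-digit test listed above among the CAAT techniques, run over two constructed populations: a clean one and one padded with invoices just under a 5,000 approval limit, the kind of invoice-splitting pattern the test is used to surface. The amounts, the approval limit and the 5% chi-square cut-off are assumptions for illustration.

```python
"""Benford's Law first-digit test over transaction amounts.

Added example, not from the report. Both populations below are constructed:
the clean one is log-uniform (which follows Benford exactly), the second adds
400 invoices in the 4,800-4,999 band, i.e. just below an assumed 5,000 limit.
"""
from collections import Counter
from math import log10, sqrt

# Expected share of each leading digit 1..9 under Benford's Law.
EXPECTED = {d: log10(1 + 1 / d) for d in range(1, 10)}

# Chi-square critical value for 8 degrees of freedom at the 5% level (assumed cut-off).
CHI2_CRITICAL_8DF_5PCT = 15.507


def leading_digit(amount):
    """First significant digit of an amount (sign ignored), or None for zero."""
    mantissa = f"{abs(float(amount)):e}"   # e.g. 4950.0 -> '4.950000e+03'
    digit = int(mantissa[0])
    return digit or None


def first_digit_test(amounts, z_limit=1.96):
    """Compare observed leading-digit frequencies with Benford's Law.

    Returns the sample size, the chi-square statistic, whether the population
    conforms at the assumed cut-off, the digits whose deviation exceeds the
    z_limit, and one row per digit for reporting.
    """
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    observed = Counter(digits)
    rows, chi2, suspicious = [], 0.0, []
    for d in range(1, 10):
        exp_p = EXPECTED[d]
        obs = observed.get(d, 0)
        obs_p = obs / n
        chi2 += (obs - exp_p * n) ** 2 / (exp_p * n)
        # z-statistic of the observed proportion against the Benford proportion
        z = (obs_p - exp_p) / sqrt(exp_p * (1 - exp_p) / n)
        rows.append((d, obs, round(obs_p, 4), round(exp_p, 4), round(z, 2)))
        if abs(z) > z_limit:
            suspicious.append(d)
    return {
        "n": n,
        "chi2": round(chi2, 3),
        "conforms": chi2 < CHI2_CRITICAL_8DF_5PCT,
        "suspicious_digits": suspicious,
        "rows": rows,
    }


# Constructed populations: 2,000 amounts spread evenly in log space from 100 to
# ~1,000,000, then the same set plus 400 invoices of 4,800.0 .. 4,999.5.
CLEAN_AMOUNTS = [10 ** (2 + 4 * i / 2000) for i in range(2000)]
MANIPULATED_AMOUNTS = CLEAN_AMOUNTS + [4800 + i / 2 for i in range(400)]

if __name__ == "__main__":
    for name, data in (("clean", CLEAN_AMOUNTS), ("manipulated", MANIPULATED_AMOUNTS)):
        r = first_digit_test(data)
        print(f"{name}: n={r['n']} chi2={r['chi2']} conforms={r['conforms']} "
              f"suspicious={r['suspicious_digits']}")
        for d, obs, op, ep, z in r["rows"]:
            print(f"  digit {d}: observed {op:.4f} expected {ep:.4f} z={z:+.2f}")
```

A digit flagged as suspicious is a lead for follow-up testing of the underlying transactions, not evidence of manipulation on its own.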

8. Methodology and Strategy Adapted for Execution of Assignment

One of the main challenges faced by companies that have implemented SAP ERP (or any ERP) is getting a clear understanding of the current ERP system: two or three years after implementation, what is the status of the system?

The main areas of focus will be:
• Whether all the management controls are working fine
• Whether all the postings are being done as per accounting standards
• Whether proper documentation is being maintained
• Whether critical business-related activities are done accurately, etc.

A lot of practical difficulties arise in doing an ERP post-implementation audit. The main challenge is to frame the right set of questions and to obtain answers to them. From our experience and research, we have prepared a question list of more than 500 questions, from both the functional and the technical side, which drills down to the minutest level, providing all the necessary data required for the audit.

SAP has provided a very powerful framework in the standard ERP package for conducting audits, evaluating them and taking corrective actions.

The user should have answers to the following questions before starting the audit procedure:
1. Kind of audit to be conducted (technical or functional)
2. Number of questions for the audit
3. Structure of the list of questions (question drill-down level)
4. Valuation type of questions
5. Question priorities
6. What kind of audit controls are to be implemented
7. Audit purpose
8. Audit type
9. Kind of rating for the questions

First we need to make a few configuration changes to tune the audit to our requirements.

Execute transaction SPRO –> SAP Reference IMG –> Cross-Application Components –> Audit Management

Audit Management is divided into four categories.

Figure 1.0

For setting the structure of the list of questions:

Figure 2.0
Create the kind of question profile required. We have created “Part-Sub Part-Element-Sub Element-Sub Qu” for the audit purpose.

Figure 3.0
Once the question profile is created you have to create the drill-down levels for the profile. Below is a pictorial representation of the drill-down levels for the questions we created.

Figure 4.0

Figure 5.0
Similarly you can create drill-down levels according to your requirements. After defining the question hierarchy you have to specify the valuation specification and the scores to be awarded for each value.

Figure 6.0
We have created valuation 8003, “Valuation of PRD system”. Select the created valuation profile and double-click the “valuation” icon on the right side. There we need to set the details of the valuation and the scores we intend to award for each.

Figure 7.0
After the valuation profile is entered, enter the question priority.

Figure 8.0

Audit control / audit definition requirements have to be configured.

Figure 9.0

All the configuration related to conducting the audit is now complete. The following are the main objects used for the audit:

1) Audit Plan
The audit plan consists of all audits planned for a particular period of time. For example, all audits that are to be executed in the space of one year are defined in an annual audit plan. There is always only one current version of an audit plan, where all date shifts and the degree of completion of the individual audits can be found.

2) Audit
An audit, according to DIN EN ISO 9000, is a systematic, independent and documented process used to obtain audit results and to evaluate these results objectively in order to determine to what extent the criteria of the audit have been fulfilled.

3) Question List
Question lists are multilingual collections of questions that are answered during the execution of the audit. The allowed valuation can be planned for each hierarchy level.

4) Corrective Actions
These are actions that are deemed necessary to eliminate the cause of errors that were determined during the audit and to prevent the recurrence of these errors. The corrective actions to be executed must be appropriate to the effects that the particular error has on the product.

5) Preventive Actions
These are actions that are deemed necessary to eliminate the causes of possible errors before they occur. The preventive actions to be executed must be appropriate to the effects that the possible error could have on the product.


Execute transaction PLMD_AUDIT and first create the question list required for the audit using the newly configured components.

Figure 10.0
For illustration, we have created questions up to 15 drill-down levels.

Figure 11.0
Attached is one real scenario from our audit question list.

Figure 12.0
Once the question list has been created, you have to release the question list.
Figure 13.0

Figure 14.0

Once the question list is attached to the audit, we need to evaluate the questions. Evaluations are based on the configuration done in SPRO.

Evaluation:

Execute transaction PLM_AUDITMONITOR. Select the required fields and execute.

Figure 15.0

Select the required audit. Click on the Overview button. Click the Validate button for valuation.

Figure 16.0


The main success factor for any audit is the questions used for the audit. Below are a few of the topics under which we have prepared the question list.

The main topics are:

• System Overview
• Security & Access Protection
• Workbench Organizer
• Transport System
• Accessing and Logging DB Tables
• Job Request Procedure
• Documentation
• System Logs
• Batch Input Interface
• Master Data Changes
• Reconciling Posting Data Closing
• Invoice Checking and Posting Run
• Business Process Auditing
• BASIS Audit

Once the audit question list is created / uploaded to SAP, the user must create a sample set of checklists to be submitted to the client. The checklist should contain:
• All the documents that the client has to submit
• All the questions the client has to answer

Every company should run the audit at least twice a year to ensure that the system is working perfectly and no manipulations have been made, and to ensure 100% management control over the system and thereby over the employees.

9. Documents Reviewed

The following are reviewed:

• Policies: the management guidelines, which should be approved by top management and should be reviewed at least once each year.
• Procedures: the detailed documents based on the policies set by top management. Procedures contain the detailed information about the process. All procedures should be approved by management and should be reviewed at least once each year.
• Flowcharts: pictures are worth a thousand words when it comes to understanding the interaction of various processes and how the transaction flow has dependencies and branches that run in various directions.
• Audit logs and screenshots: every organisation implements monitoring controls over its processes and preserves the evidence of the same, in the form of system screenshots and system logs. This gives added confidence to the Information Systems Auditor about the monitoring control established by management.
• Security policies related to IT operations.
• Existing cost sheet related to IT operations.
• SAP implementation documentation.
• Error logs noted and corrected during the implementation of SAP ERP.

References
• ISO 27001/27002
• COBIT 5
• www.isaca.org
• www.cisco.com
• www.businessofgovernment.com
• ISA 2.0 Course background material
• www.booz.com

10. Deliverables

Once SAP is implemented, the auditor can rely on the following checklist for monitoring the implementation objectives, security controls and future changes, if any:
No. Item Response


Yes No EXP
1 Whether methodology for prioritising system
change
requests from users exists and is in use?
EXP Reference:
2 Whether emergency change procedures are
addressed in
operation
EXP manuals?
Reference:
3 Whether change control is a formal procedure for
both
user
EXPand development groups?
Reference:
4 Whether change control log ensures all changes
shown
were resolved?
EXP Reference:
5 Whether user is satisfied with turnaround of
change
EXP Reference:
requests - timeliness and cost?
6 Whether for a selection of changes on the change
control log:
• that change resulted in programme and
operations documentation change
• that changes were made as documented
• current documentation reflects
changed environment

EXP Reference:

7 Whether change process is being monitored for


improvements in acknowledgment, response-
time, response-effectiveness and user satisfaction
with the process?
EXP Reference:

8 Whether maintenance to Private Branch Exchange


EXP Reference:
(PBX) a service level agreement process is
Whether
Page 24
9
system is included in the change control
identified
by policy?
procedures?
EXP Reference:
10 Whether user participation in process is required
for
creation and modification of agreements?

24
EXP Reference:
No. Item Response
Yes No EXP
11 Whether
defined? responsibilities of users and providers are
EXP Reference:
12 Whether management monitors and reports on
the
achievement of the specified service performance
criteria and all problems encountered?
EXP Reference:

13 Whether regular review process by management


EXP Reference:
exists?
14 Whether recourse process is identified for non- performance?
EXP Reference:

15 Whether service level agreements include, but


are not limited to having:
• definition of service
• cost of service
• quantifiable minimum service level
• level of support from the IT function
• availability, reliability, capacity for growth
• continuity planning
• security requirements
• change procedure for any portion of the
agreement
• written and formally approved agreement
between provider and user of service
• effective period and new
period review/renewal/non-
renewal
• content and frequency of performance
reporting and payment for services
• charges are realistic compared to history,
industry, best practices

EXP•Reference:
calculation for charges
• service improvement commitment
16 Whether IT policies and procedures relating to third-
party
EXP Reference:
relationships exist and are consistent with Page 25
17 Whether policies
organisational exist
general specifically for addressing
policies?
need
for contracts, definition of content of contracts,
owner or relationship manager responsible for
ensuring contracts are created, maintained,
monitored and renegotiated as required?
EXP Reference:
25
No. Item Response
Yes No EXP
18 Whether interfaces are defined to independent
agents
involved in the conduct of the project and any
EXP
other Reference:
parties, such as subcontractors?
19 Whether contracts represent a full and complete
record of
EXP Reference:
third-party supplier
Whether relationships?
contracts are established for
20
continuity of
services specifically, and that these contracts
include contingency planning by vendor to ensure
continuous
EXP service to user of services?
Reference:

21 Whether contract contents include at least the


following:
• formal management and legal approval
• legal entity providing services
• services provided
• service level agreements both
qualitative and quantitative
• cost of services and frequency of
payment for services
• resolution of problem process
• penalties for non-performance
• dissolution process
• modification process
• reporting of service - content, frequency,
and distribution
• roles between contracting parties during
life of contract
• continuity assurances that services will
be provided by vendor
• user of services and provider
communications process and frequency
• duration of contract
• level of access provided to vendor
• security requirements

• non-disclosure guarantees
• right to access and right to audit
EXP Reference:
Page 26
22 Whether escrow agreements have been negotiated
where
EXP Reference:
appropriate?
23 Whether potential third-parties are properly
qualified
through an assessment of their capability to

deliver the required service (due diligence)? 26


No Item Response
.
Yes No EX
P
EXP Reference:
EXP Reference:
24 Whether time frames and level of service are
25 Whether time frames and service levels reflect user
defined for
all services provided by the IT function?
requirements?
EXP Reference:
26 Whether time frames and service levels are
eference:
consistent
27 Whether an availability plan exists, is current and
with
reflectsperformance expectations of the
EXP R equipment potentials?
user requirements?

EXP Reference:
28 Whether ongoing performance monitoring of all
equipment and capacity is occurring, reported
upon, lack of performance addressed by
EXPmanagement
Reference: and performance improvement
opportunities are formally addressed?
29 Whether optimal configuration performance is
being
monitored by modeling tools to maximize
EXP Reference:
performance while minimizing capacity to required
30 Whether both users and operational performance
groups
levels?
are pro-actively reviewing capacity and
performance and workload schedule modifications
EXP Reference:
are occurring?
31 Whether workload forecasting includes input from
users
on changing demands and from suppliers on
EXP Reference:
new technology
Whether or current product
organisational enhanceme
policies nts? a
require
32
continuity
framework and plan to be part of normal
operational requirements for both the IT
function and all organisations
33
dependent on IT resources?
EXP Reference:
34 Whether IT policies and procedures require:
• a consistent philosophy and framework
relating to development of continuity plan
development
• a prioritisation of applications with respect
to timeliness of recovery and return


27

Page 27
No. Item Response
Yes No EXP
• risk assessment and insurance consideration
for loss of business in continuity situations for
the IT function as well as users of resources
• outline specific roles and responsibilities
with respect to continuity planning with
specific test, maintenance and update
requirements
• formal contract arrangements with
vendors to provide services in event of need
to recover, including back-up site facility or
relationship, in advance of actual need
• in each continuity plan minimum
¾ c ontent t o
E m e ency include:
r g procedures to ensure the
safety
of all affected staff
members
¾ Roles and responsibilities of the IT
function, vendors providing recovery
services, users of services and support
administrative personnel
¾ A recovery framework consistent with
long-range plan for
continuity
¾ Listing of systems resources requiring
alternatives (hardware, peripherals,
software)
¾ Listing of highest to lowest priority
applications, required recovery times
and expected performance
norms
¾ Administrative functions for

communicating and providing support


services such as benefits, payroll,
¾ Specific equipment
external and supply needs cost
communications,
are
tracking, etc., in event high
identified such as of needspeed printers,
to recover
¾ signatures,
Various recoveryforms,
scenarios communications
from minor
equipment, telephones,toetc., and a source
and alternative source defined
Page 28
loss of total capability and response to each
¾ in sufficient
Training and awareness
detail for step-by-stepof execution
individual
and
group roles in continuity
plan
¾ Testing schedule, results of last test
and
corrective actions taken based on prior
test(s 28
No Item Response
.
Yes No EX
P
¾ Itemisation of contracted
service
providers,
services and response

expectations
¾ Logistical information on location of
key
resources, including back-up site
for
recovery operating system,
applications, data files,
operating manuals and

programme/system/user documentation
¾ Current names, addresses,
telephone/pager
numbers of
EXP Reference:
key
35 Whether regulatory agency requirements with
personnel
respect
¾ to
EXP Reference: Reconstruction plans are included for
36 continuity
Whether planning
re- user are met?
continuity plans are developed
based on recovery at original location of all systems
unavailability of physical resources for
resourcesperforming critical processing -
EXP Reference:Business resumption alternatives for
¾
manualalland computerised?
37 Whether the telephone system, VoiceMail, fax and
image users for establishing alternative work
EXP Reference:
locations once
systems are
Whether partsystems,
of the continuity plan?paper
38 ¾ imageIT fax systems,
resources are available; i.e.,
documents as
system
well as microfilm and mass storage media are part
recovered
of the continuity plan?at alternative site but user
building burned to the ground and
unavailable

EXP Reference: Page 29


40 Whether centralised security organisation is in
EXP Reference:
place
39 Whether
responsible strategic security
for ensuring only plan is in place
appropriate
EXP Reference:
providing
access to system resources?
centralised direction and control over information
system security, along with user security requirements
for consistency?
29
No. Item Response
Yes No EXP
41 Whether data classification schema is in place and
being
used, that all system resources have an owner
EXP Reference:
responsible for security and content?
42 Whether user security profiles are in place
representing
"least access as required" and profiles are
EXP Reference:
regularly reviewed by management for re-
43 Whether employee indoctrination includes security
accreditation?
awareness, ownership responsibility and virus
protection requirements?

EXP Reference:

44 Whether reporting exists for security breaches and


formal problem resolution procedures are in place,
and these reports include:
• unauthorised attempts to access system (sign
on)
• unauthorised attempts to access system
resources
• unauthorised attempts to view or change
security definitions and rules
• resource access privileges by user ID
• authorised security definitions and rule
changes
• authorised access to resources (selected by
user or resource)
EXP Reference:
• status change of the system security
45 • accesses
Whether to operating
cryptographic system and
modules security
key
parameter
maintenance tables
procedures exist, are administered centrally and
EXP Reference:
are used for all external access and transmission
46 Whether cryptographic key management
standards
activity? exist
for both centralised and user activity?
EXP Reference:
47 Whether change control over security software is
formal
and consistent with normal standards of system
development and maintenance?
EXP Reference:

48 Whether the authentication mechanisms in use Page 30


provide one or more of the following features:
• single-use of authentication data (e.g.,
passwords are never re-usable)
• multiple authentication (i.e., two or more
different authentication mechanisms are
used)

30
No Item Response
.
Yes No EX
P
• policy-based authentication (i.e., ability to
specify separate authentication procedures
for specific events)
• on-demand authentication (i.e., ability to
EXP Reference:
re- authenticate the user at times after the
49 Whetherinitial authentication)
the number of concurrent sessions
belonging to
the same user is limited?
EXP Reference:
50 Whether at log-on, an advisory warning message to
users
EXP Reference:
51 regarding athewarning
Whether appropriate use the
screen is hardware,
displayed prior to
completing log-on to inform
software or connection logged on?reader that
unauthorised access may result in prosecution?
EXP Reference:
52 Whether upon successful session establishment, a
history
of successful and unsuccessful attempts to
accessReference:
EXP the user's account is displayed to the user?
53 Whether password policy includes:
• initial password change on first use enforced
• an appropriate minimum password length
• an appropriate and enforced
frequency of password changes
• password checking against list of not
allowed values (e.g., dictionary checking)
• adequate protection of emergency passwords

EXP Reference:

54 Whether formal problem resolution procedures


include:
• User ID is suspended after 5 repeated
unsuccessful log-on attempts Page 31
• Date, time of last access and number of
unsuccessful attempts is displayed to
authorised user at log-on
• Authentication time is limited to 5 minutes,
after which the session is terminated
EXP Reference:
for itis informed of suspension, but not the
• User
reason

31
No Item Response
.
Yes No EX
P
55 Whether dial-in procedures include dial-back or token-based authentication, frequent changes of dial-up numbers, software and hardware firewalls to restrict access to assets, frequent changes of passwords, and deactivation of former employees' passwords?
EXP Reference:

56 Whether location control methods are used to apply additional access restrictions at specific locations?
EXP Reference:

57 Whether access to the VoiceMail service and the PBX system is controlled with the same physical and logical controls as for computer systems?
EXP Reference:

58 Whether enforcement of sensitive position policies occurs, including:
• employees in sensitive job positions are required to be away from the organisation for an appropriate period of time every calendar year; during this time their user ID is suspended; and persons replacing the employee are instructed to notify management if any security-related abnormalities are noted
• unannounced rotation of personnel involved in sensitive activities is performed from time to time
EXP Reference:

59 Whether security-related hardware and software, such as cryptographic modules, are protected against tampering or disclosure, and access is limited to a "need to know" basis?
EXP Reference:
60 Whether access to security data such as security management, sensitive transaction data, passwords and cryptographic keys is limited to a "need to know" basis?
EXP Reference:
61 Whether trusted paths are used to transmit non-encrypted sensitive information?
EXP Reference:

62 Whether, to prevent denial of service due to an attack with junk faxes, protective measures are taken such as:
• limiting the disclosure of fax numbers outside the organisation to a "need-to-know" basis
• fax lines used for solicitation of business are not used for other purposes
EXP Reference:
63 Whether preventative and detective control measures have been established by management with respect to computer viruses?
EXP Reference:
64 Whether, to enforce integrity of electronic value, measures are taken such as:
• card reader facilities are protected against destruction, disclosure or modification of the card information
• card information (PIN and other information) is protected against insider disclosure
• counterfeiting of cards is prevented
EXP Reference:

65 Whether, to enforce protection of security features, measures are taken such as:
• the identification and authentication process is required to be repeated after a specified period of inactivity
• a one-button lock-up system, a force button or a shut-off sequence can be activated when the terminal is left alone
EXP Reference:
66 Whether the IT function has a group responsible for reporting and issuing chargeback bills to users, and procedures are in place that:
• develop a yearly development and maintenance plan with user identification of priorities for development, maintenance and operational expenses
• allow for a very high level of user determination of where IT resources are spent
• generate a yearly IT budget including:
  - compliance to organisational requirements in budget preparation
  - consistency with what costs are to be allocated by the user departments
  - communication of historical costs and assumptions for new costs, for understanding by users of what costs are included in chargeback
  - user sign-off on all budget costs to be allocated by the IT function
  - frequency of reporting and actual charging of costs to users
• track allocated costs of all IT resources including, but not limited to:
  - operational hardware
  - peripheral equipment
  - telecommunications usage
  - applications development and support
  - administrative overhead
  - external vendor service costs
  - help desk
  - facilities and maintenance
  - direct/indirect costs
  - fixed to variable expenses
  - sunk and discretionary costs
• provide for regular reporting to users on performance for the various cost categories
• report to users on external benchmarks regarding cost effectiveness so as to allow comparison to industry expectations, or user alternative sourcing for services
• provide for timely modification to cost allocations to reflect changing business needs
• formally approve and accept charges as received
• identify IT improvement opportunities to reduce chargebacks or get greater value for chargebacks
EXP Reference:
67 Whether reports provide assurance that chargeable items are identifiable, measurable and predictable?
EXP Reference:

68 Whether changes in the underlying cost components or allocation algorithm are captured and highlighted?
EXP Reference:
69 Whether policies and procedures relating to ongoing security and controls awareness exist?
EXP Reference:

70 Whether there is an education/training programme focusing on information systems security and control principles?
EXP Reference:

71 Whether new employees are made aware of security and control responsibility with respect to using and having custody of IT resources?
EXP Reference:
72 Whether there are policies and procedures in effect relating to training, and whether they are current with respect to the technical configuration of IT resources?
EXP Reference:

73 Whether in-house training opportunities are available, and how frequently employees attend them?
EXP Reference:

74 Whether external technical training opportunities are available, and how frequently employees attend them?
EXP Reference:

75 Whether a training function is assessing training needs of personnel with respect to security and controls, and translating those needs into in-house or external training opportunities?
EXP Reference:
76 Whether all employees are required to attend security and control awareness training on an ongoing basis that would include, but not be limited to:
• general system security principles
• ethical conduct related to IT
• security practices to protect against harm from failures affecting availability, confidentiality, integrity and performance of duties in a secure manner
• responsibilities associated with custody and use of IT resources
• security of information and systems when used off-site
EXP Reference:

77 Whether security awareness training includes a policy on preventing the disclosure of sensitive information through conversations (e.g., by announcing the status of the information to all persons taking part in the conversation)?
EXP Reference:

78 Whether the nature of the help desk function (i.e., how requests for assistance are processed and assistance is provided) is effective?
EXP Reference:
79 Whether the actual facilities, divisions or departments performing the help desk function, and the individuals or positions responsible for the help desk, are identified?
EXP Reference:

80 Whether the level of documentation for help desk activities is adequate and current?
EXP Reference:

81 Whether an actual process for logging or registering requests for service and use of logs exists?
EXP Reference:

82 Whether the process for query escalation and management intervention for resolution is sufficient?
EXP Reference:

83 Whether the time frame for clearing queries received is adequate?
EXP Reference:

84 Whether procedures for tracking trends and reporting on help desk activities exist?
EXP Reference:

85 Whether performance improvement initiatives are formally identified and executed?
EXP Reference:

86 Whether service level agreements and performance standards are being met?
EXP Reference:

87 Whether user satisfaction level is periodically determined and reported?
EXP Reference:
88 Whether a process for creating and controlling configuration baselines (the cut-off point in the design and development of a configuration item beyond which evolution does not occur without undergoing strict configuration control) exists?
EXP Reference:

89 Whether functions for maintaining the configuration baseline are appropriate?
EXP Reference:

90 Whether a process for controlling status accounting of purchased and leased resources - including inputs, outputs and integration with other processes - exists?
EXP Reference:
91 Whether configuration control procedures include:
• configuration baseline integrity
• programmed access authorisation controls over the change management system
• the recovery of configuration items and change requests at any point in time
• completion of configuration and reports assessing the adequacy of configuration recording procedures
• periodic evaluations of the configuration recording function
• individuals responsible for reviewing configuration control have the requisite knowledge, skills and abilities
• procedures exist for reviewing access to software baselines
• results of reviews are provided to management for corrective action
EXP Reference:

92 Whether periodic review of configuration against inventory and accounting records is performed on a regular basis?
EXP Reference:

93 Whether the configuration baseline has sufficient history for tracking changes?
EXP Reference:
94 Whether software change control procedures exist for:
• establishing and maintaining a licensed application programme library
• ensuring the licensed application programme library is adequately controlled
• ensuring the reliability and integrity of the software inventory
• ensuring the reliability and integrity of the inventory of authorised software used, and checking for unauthorised software
• assigning responsibility for unauthorised software control to a specific staff member
• recording use of unauthorised software and reporting to management for corrective action
• determining whether management took corrective action on violations
EXP Reference:

95 Whether the process for migrating developmental applications into the testing environment and ultimately into production status interacts with configuration reporting?
EXP Reference:
96 Whether the software storage process includes:
• defining a secure file storage area (library) for all valid software in appropriate phases of the system development life cycle
• requiring that software storage libraries are separated from each other and from development, testing and production file storage areas
• requiring existence within source libraries of a temporary location for source modules moving into the production cycle period
• requiring that each member of all libraries has an assigned owner
• defining logical and physical access controls
• establishing software accountability
• establishing an audit trail
• detecting, documenting and reporting to management all instances of non-compliance with this procedure
• determining whether management took corrective action
EXP Reference:

97 Whether coordination is occurring among applications development, quality assurance and operations with respect to updating the configuration baseline upon change?
EXP Reference:

98 Whether software is labeled and periodically inventoried?
EXP Reference:
99 Whether library management software is used to:
• produce audit trails of program changes
• maintain program version numbers
• record and report program changes
• maintain creation/date information for production modules
• maintain copies of previous versions
• control concurrent updates
EXP Reference:

100 Whether there is a problem management process that ensures all operational events which are not part of standard operations are recorded, analysed and resolved in a timely manner, and incident reports are generated for significant problems?
EXP Reference:
101 Whether problem management procedures exist for:
• defining and implementing a problem management system
• recording, analysing and resolving in a timely manner all non-standard events
• establishing incident reports for critical events and reporting to users
• identifying problem types and a prioritisation methodology allowing for varying resolution efforts based on risk
• defining logical and physical control of problem management information, distributing outputs on a "need to know" basis
• tracking of problem trends to maximise resources and reduce turnaround
• collecting accurate, current, consistent and usable data inputs to reporting
• notifying the appropriate level of management for escalation and awareness
• determining if management periodically evaluates the problem management process for increased effectiveness and efficiency
• sufficiency of audit trail for system problems
• integration with change, availability and configuration management systems and personnel
EXP Reference:

102 Whether emergency processing priorities exist, are documented and require approval by appropriate program and IT management?
EXP Reference:

103 Whether there are emergency and temporary access authorisation procedures which require:
• documentation of access on standard forms, maintained on file
• approval by appropriate managers
• secure communication to the security function
• automatic access termination after a predetermined period of time
EXP Reference:

104 For data preparation:
• data preparation procedures ensure completeness, accuracy and validity
• authorisation procedures for all source documents exist
• separation of duties between origination, approval and conversion of source documents into data is occurring
• authorised data remains complete, accurate and valid through source document origination
• data is transmitted in a timely manner
• periodic review of source documents for proper completion and approvals occurs
• appropriate handling of erroneous source documents
• adequate control over sensitive information on source documents exists for protection from compromise
• procedures ensure completeness and accuracy of source documents, proper accounting for source documents and timely conversion
• source document retention is sufficiently long to allow reconstruction in event of loss, availability for review and audit, litigation inquiries or regulatory requirements
EXP Reference:
105 For data input:
• appropriate source document routing for approval prior to entry
• proper separation of duties among submission, approval, authorisation and data entry functions
• unique terminal or station codes and secure operator identification
• usage, maintenance and control of station codes and operator IDs
• audit trail to identify source of input
• routine verification or edit checks of inputted data as close to the point of origination as possible
• appropriate handling of erroneously input data
• clearly assigned responsibility for enforcing proper authorisation over data
EXP Reference:

106 For data processing:
Whether programmes contain error prevention, detection and correction routines:
• programmes must test input for errors (i.e., validation and editing)
• programmes must validate all transactions against a master list of same
• programmes must disallow override of error conditions
EXP Reference:
107 Whether error handling procedures include:
• correction and resubmission of errors must be approved
• individual responsibility for suspense files is defined
• suspense files generate reports for non-resolved errors
• a suspense file prioritisation scheme is available based on age and type
EXP Reference:

108 Whether logs of programmes executed and transactions processed/rejected exist for audit trail?
EXP Reference:
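As an added example (not code from the audited system or from this report), the following shows the data-processing controls of items 106 to 108 and item 110 as a practitioner would test them in code: every field of a transaction is edited even after the first error, rejected transactions are parked in a suspense file with an age-and-type priority, an attempt to override error conditions is refused, and each accepted or rejected transaction is written to a processing log. The record layout, the vendor and cost-centre master lists and the priority weights are constructed for illustration.

```python
"""Validation, suspense file and processing log for checklist items 106-108, 110.
Added example; record layout, master data and priority scheme are assumptions."""
from datetime import date

# Constructed master data (assumed).
VENDOR_MASTER = {"V1001": "Acme Supplies", "V1002": "Beta Traders"}
COST_CENTRES = {"CC100", "CC200"}

# Constructed input transactions: vendor, amount, cost centre, document date.
TRANSACTIONS = [
    {"id": "T1", "vendor": "V1001", "amount": "1500.00", "cc": "CC100", "date": "2018-01-15"},
    {"id": "T2", "vendor": "V9999", "amount": "200.00",  "cc": "CC100", "date": "2018-01-15"},
    {"id": "T3", "vendor": "V1002", "amount": "-50.00",  "cc": "CC300", "date": "2018-01-10"},
    {"id": "T4", "vendor": "V1002", "amount": "abc",     "cc": "CC200", "date": "2018-01-20"},
]

def validate(txn):
    """Edit every field (item 110) and return all errors as (type, message) pairs."""
    errors = []
    if txn["vendor"] not in VENDOR_MASTER:          # item 106: check against master list
        errors.append(("master-list", "vendor not in master list"))
    try:
        amount = float(txn["amount"])
        if amount <= 0:
            errors.append(("format", "amount must be positive"))
    except ValueError:
        errors.append(("format", "amount not numeric"))
    if txn["cc"] not in COST_CENTRES:
        errors.append(("master-list", "unknown cost centre"))
    return errors

def suspense_priority(errors, age_days):
    """Assumed scheme (item 107): master-list errors outrank format errors,
    and age in the suspense file adds weight up to 30 days."""
    type_weight = 10 if any(kind == "master-list" for kind, _ in errors) else 5
    return type_weight + min(age_days, 30)

def process(transactions, today, override=False):
    """Return (accepted, suspense, log). Override of error conditions is refused (item 106)."""
    if override:
        raise PermissionError("override of error conditions is not permitted")
    accepted, suspense, log = [], [], []
    for txn in transactions:
        errors = validate(txn)
        if errors:
            age_days = (today - date.fromisoformat(txn["date"])).days
            suspense.append({"id": txn["id"], "errors": errors, "age_days": age_days,
                             "priority": suspense_priority(errors, age_days)})
            log.append(f"{txn['id']} REJECTED {len(errors)} error(s)")   # item 108
        else:
            accepted.append(txn)
            log.append(f"{txn['id']} ACCEPTED")
    suspense.sort(key=lambda s: s["priority"], reverse=True)
    return accepted, suspense, log

def suspense_report(suspense):
    """Report of non-resolved errors in priority order (item 107)."""
    return [f"{s['id']}: priority {s['priority']}, {s['age_days']} days old, "
            + "; ".join(msg for _, msg in s["errors"]) for s in suspense]
```

Running `process(TRANSACTIONS, date(2018, 1, 25))` accepts only T1 and orders the suspense file T3, T2, T4: T3 carries both a master-list and a format error and is the oldest, so it heads the report even though T2's missing vendor was entered the same day as T1.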
109 Whether a control group exists for monitoring entry activity and investigating non-standard events, along with balancing of record counts and control totals for all data processed?
EXP Reference:

110 Whether all fields are edited appropriately, even if one field has an error?
EXP Reference:
111 Whether tables used in validation are reviewed on a
frequent basis?
EXP Reference:
112 Whether written procedures exist for correcting
and
resubmitting data in error including a non-
disruptive solution to reprocessing?

EXP Reference:
113 Whether resubmitted transactions are processed exactly as originally processed?
EXP Reference:

114 Whether responsibility for error correction resides with the original submitting function?
EXP Reference:
115 Whether Artificial Intelligence systems are placed in
an
interactive control framework with human
operators to ensure that vital decisions are
approved?
EXP Reference:
116 For output, interfacing, and distribution:
• Access to output is restricted physically and logically to authorised people
• Ongoing review of the need for outputs is occurring
• Output is routinely balanced to relevant control totals
• Audit trails exist to facilitate the tracing of transaction processing and the reconciliation of disrupted data
• Output report accuracy is reviewed and errors contained in output are controlled by cognisant personnel
• Clear definition of security issues during output, interfacing and distribution exists
• Security breaches during any phase are communicated to management, acted upon and reflected in new procedures as appropriate
• Process and responsibility for output disposal are clearly defined
• Destruction of materials used but not needed after processing is witnessed
• All input and output media is stored in an off-site location in event of later need
EXP Reference:

117 For media library:
• Information marked as deleted is changed in such a way that it can no longer be retrieved
• Contents of the media library are systematically inventoried
• Discrepancies disclosed by the inventory are remedied in a timely manner
• Measures are taken to maintain the integrity of magnetic media stored in the library
• Housekeeping procedures exist to protect media library contents
• Responsibilities for media library management have been assigned to specific members of IT staff
• A media back-up and restoration strategy exists
• Media back-ups are taken in accordance with the defined back-up strategy and usability of back-ups is regularly verified
• Media back-ups are securely stored and storage sites are periodically reviewed regarding physical access security and security of data files and other items
• Retention periods and storage terms are defined for documents, data, programmes, reports and messages (incoming and outgoing) as well as the data (keys, certificates) used for their encryption and authentication
• In addition to the storage of paper source documents, telephone conversations are recorded and retained - if not in conflict with local privacy laws - for transactions or other activities that are part of the business activities traditionally conducted over telephones
• Adequate procedures are in place regarding the archival of information (data and programmes) in line with legal and business requirements and enforcing accountability and reproducibility
EXP Reference:

118 For information authentication and integrity:
• The integrity of the data files is checked periodically
• Requests received from outside the organisation, via telephone or VoiceMail, are verified by call-back or other means of authentication
• A prearranged method is used for independent verification of the authenticity of source and contents of transaction requests received via fax or image system
• Electronic signature or certification is used to verify the integrity and authenticity of incoming electronic documents
EXP Reference:
13. Conclusion/Recommendation

Recommendation # 1:
Implement targeted security monitoring over ERP support staff access in the production
environment.
Recommendation # 2:
Perform a risk assessment/cost benefit analysis over the access and system functions that
pose the greatest risks to determine which controls merit the associated expense of
generating logs or using personnel's time to regularly review. Automated review, such as
the use of scripts to identify certain unauthorized or high risk activity should be used
wherever possible to cut back on personnel time and log retention requirements.

Recommendation # 3:
Critical controls should have an automated trigger or alert such as an email generated from
the use of a critical transaction, and sent to the appropriate party for review.

Recommendation # 4:
Risks, controls implemented/mitigated risk, method of implementation, and frequency of
review should be documented in the monitoring portion of the SAP Security Policy.

Recommendation # 5:
Documented reviews of monitoring controls should be performed at least semi-annually over the implemented monitoring to ensure that the monitoring defined through this exercise is adequate, effective and consistently in place.
Recommendation # 6:
We recommend the security group clearly document technical roles within the SAP environments
and enforce Segregation of Duties between technical roles wherever possible.

Recommendation # 7:
Access for each ERP support department staff should be restricted to only the access that user
requires to perform their day to day functions.

Recommendation # 8:
ERP support department staff access should be reviewed at defined regular intervals, at a minimum on a semi-annual basis.
Recommendation # 9: Additional access beyond standardized support staff roles must
be approved by management external to the ERP support department staff, and should
be provided through a monitored account such as a Firefighter account.

Recommendation # 10:
Unmonitored generic accounts should not exist in the production (live financial) environment.

Recommendation # 11:
Logs generated from monitored accounts (such as firefighter accounts) should be reviewed at
defined points and signed off by the supervising manager when they are in use. Simplified
automation can be employed such as automating the generation and sending of the log to the
manager via email, whose reply can serve as his auditable electronic sign-off.

Recommendation # 12:
Security logs should be stored in a location where the SAP IT teams do not have access to modify
the logs.

Recommendation # 13:
Ensure that production client authentication settings meet and continue to meet the
Standard authentication requirements defined in the Security Policy.

Recommendation # 14:
Management should take precautions to ensure that no user can increase or modify their
own access. If it is not feasible to limit this capability to users required to provision
access, controls such as monitoring their account permissions for modifications using
a standardized methodology should be implemented to mitigate this security risk.
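The automated review called for in Recommendations 2, 3 and 14 can be a short script run over an export of user and role change records. The block below is an added example, not code from ABM or from this report: it flags any user who changed their own authorisations (Recommendation 14), any use of a critical administrative transaction by someone outside the approved administrator list (Recommendation 3), and separates out firefighter-account activity for supervisor sign-off (Recommendation 11). The CSV layout, the critical-transaction list, the approved administrators and the firefighter naming prefix are all assumptions constructed for the example; a real SAP export has a different layout and the parser would need to be adapted to it.

```python
"""Automated review of access-change records (Recommendations 2, 3, 11, 14).
Added example; export layout, critical list and administrator list are assumptions."""
import csv
import io

# SU01, PFCG and SU10 are SAP's user, role and mass-user maintenance transactions;
# treating exactly these as critical is an assumption for the example.
CRITICAL_TCODES = {"SU01", "PFCG", "SU10"}
APPROVED_ADMINS = {"secadm1"}         # assumed approved security administrators
FIREFIGHTER_PREFIX = "FF_"            # assumed naming convention for monitored accounts

# Constructed sample export: timestamp, acting user, transaction, target user, action.
SAMPLE_EXPORT = """timestamp,actor,tcode,target,action
2018-01-20T09:01:00,secadm1,SU01,jsmith,ROLE_ADD:Z_AP_CLERK
2018-01-20T09:05:00,jsmith,FB60,,START
2018-01-20T10:12:00,devuser2,SU01,devuser2,ROLE_ADD:SAP_ALL
2018-01-20T11:00:00,FF_0042,PFCG,,START
2018-01-20T11:30:00,secadm1,SU10,team_b,LOCK
"""

def parse_export(text):
    return list(csv.DictReader(io.StringIO(text)))

def find_self_modifications(records):
    """Recommendation 14: a user changing their own access."""
    return [r for r in records
            if r["target"] and r["target"].lower() == r["actor"].lower()]

def find_critical_use(records):
    """Recommendation 3: critical transactions used outside the approved list.
    Returns (alerts, firefighter_uses); the latter go to the supervising manager."""
    alerts, firefighter = [], []
    for r in records:
        if r["tcode"] not in CRITICAL_TCODES:
            continue
        if r["actor"].startswith(FIREFIGHTER_PREFIX):
            firefighter.append(r)
        elif r["actor"] not in APPROVED_ADMINS:
            alerts.append(r)
    return alerts, firefighter

def build_alerts(text):
    """One line per finding, ready to be mailed to the reviewing party."""
    records = parse_export(text)
    out = []
    for r in find_self_modifications(records):
        out.append(f"ALERT self-modification: {r['actor']} {r['action']} at {r['timestamp']}")
    alerts, firefighter = find_critical_use(records)
    for r in alerts:
        out.append(f"ALERT critical tcode {r['tcode']} by {r['actor']} at {r['timestamp']}")
    for r in firefighter:
        out.append(f"REVIEW firefighter {r['actor']} used {r['tcode']} at {r['timestamp']}")
    return out
```

On the constructed sample the script raises two alerts for devuser2 (the self-granted change and the unapproved use of SU01) and one review item for the firefighter account; the approved administrator's own activity produces nothing, which is the point of the approved list: it keeps the reviewer's time for the exceptions.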

Recommendation # 15:
To mitigate the control weaknesses related to the vendor database, we have made the
following recommendations:

Recommendation # 16:
Create and run a periodic report across non PO invoices looking for duplicate payments
similar to the previous mitigating controls report that was in place prior to the implementation of
SAP.

Recommendation # 17:

Analyse the ABM'S vendor database and remove all duplicate vendor data.

Recommendation # 18:

Implement a required "unique identifier" for a vendor/business, such as the tax ID, for new
vendors and create a process for adding the unique identifier to existing vendors.

Recommendation # 19:
Complete an evaluation for providing centralized continuing education, and ensure that at a
minimum, classes addressing the core functions of SAP are provided on a periodic
basis, and made available to the appropriate departments.

Recommendation # 20:
Develop a training schedule for specific requirements based on the results of the survey they
conducted.

Recommendation # 21:
Make the training schedule available to ABM Employees, using means such as email or the
ABM’s intranet site. Further, a method for feedback after each training should be provided,
such as a survey, to ensure the trainings remain effective.

Recommendation # 22:

Ensure enough resources are dedicated to provide on-going training.

Recommendation # 23:

Ensure that skilled employees have scheduled dedicated time to train users in their respective
proficiency.
This report is issued at the request of management and to the best of our knowledge and belief. It is issued without prejudice and subject to the terms and conditions of the engagement. Thanking you and assuring you of our best attention at all times.

PREPARED AND SIGNED BY

C.A. MEKALA LEELA RAGHAVENDRA PRASAD, M.NO.237875, ISA NO


53515 C.A. DINAKAR CH, M.NO.237078, ISA NO 51258
C.A. SANTHOSH KUMAR SUNKARA, M.NO 243365, ISA NO 53500
