Pranay Project Presentation of DISA 2.0 Course
CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training conducted at:
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and that each one of us has actively participated in and contributed to preparing this project. We have not shared the project details with, or taken help in preparing the project report from, anyone except members of our group.
Place: London
Date: 21/11/2015
1. Introduction
A. The IS Audit Team audited project management controls over the implementation of the SAP ECC 6.00 Version (ERP) Business Solution. Our purpose was to evaluate the security controls, user authentication and authorization, audit trails, the management system for change, system monitoring, and the business process configuration of the SAP ECC 6.00 Version (ERP) Business Solution.
ABM Group has been using Information Technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of ABM has been very proactive in directing the management and deployment of Information Technology. Most of the mission-critical applications in the company have been computerized and networked. ABM selected SAP Business Suite to bring a more integrated and seamless approach to internal processes. SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple units across different locations, involving extensive procedures and large volumes of data. The family of business applications provides better insight into enterprise-wide analysis based on real-time data and key performance indicators, improved quality and on-time delivery, reduction in inventory cost and enhanced customer service. This implementation has empowered ABM to seamlessly connect all its vendors, customers and partners to achieve improved business efficiency. SAP R/3 ECC 6.00 Version is deployed across all of ABM's financial, payroll and human capital functions. The modules implemented are PP, MM, FICO, Quality, PM and HR including Payroll. ABM has more than 500 SAP users across the company. By implementing SAP solutions ABM has achieved superior operational excellence and business agility.
2. Auditee Environment
The primary objective of the assignment is to conduct an Information Systems Audit of the SAP implementation, through external consultants using the globally recognized IS Audit standards and best practices, and to develop related IS Audit checklists for future use. The IS audit of SAP has the objective of providing comfort on the adequacy and appropriateness of controls and of mitigating operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement are identified by benchmarking against the globally recognized best IT practices of the COBIT framework. The initial assignment primarily focuses on the identified areas of the SAP implementation.
3. Background
ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While the Information Systems Audit covers both the audit of the ERP system and a review of its implementation, the IS Audit is expected to comply with the IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subject to the applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM. Further, the IS Auditors are expected to develop an IS Audit checklist for future use.
4. Situation
Business Model is:
ABM LIMITED
The following logistics arrangements have been made; confirmation of the same should be obtained before travelling.
• Travel arrangements – bus/train/flight bookings
• Accommodation arrangements – hotel/guest house
• Pick-up and drop arrangements between the accommodation facility and the office and/or station/airport
8. Documents reviewed
The following were reviewed:
a. Policies – the management guidelines, which should be approved by the top management and reviewed at least once each year.
b. Procedures – the detailed documents based on the policies set by the top management. Procedures contain the detailed information about the process. All procedures should be approved by the management and reviewed at least once each year.
c. Flowcharts – a picture is worth a thousand words when it comes to understanding the interaction of various processes and how the transaction flow has dependencies and branches that run in various directions.
d. Audit logs and screenshots – every organisation implements monitoring controls over its processes and preserves the evidence of the same in the form of system screenshots and system logs. This gives added confidence to the Information Systems Auditor about the monitoring control established by the management.
9. Deliverables
(1) Security audit log should be properly configured. It is configured using transaction code SM19. Certain parameters need to be enabled during configuration of audit logs:
• rsau/max_diskspace/per_day or rsau/max_diskspace/per_file –
• rsau/selection_slots – This decides the number of filters, based on the various types of logs needed (for example, a filter for logs related to RFC function calls, a filter for logs related to transactions and reports executed by users, etc.).
The logs which get generated can be seen using tcode SM20. SM20 gives logs based on the filter which has been set (like what transaction or report was executed by which user at what time, etc.). It also gives a very important piece of information: from which terminal the transactions were executed.
The old logs can be deleted using tcode SM18. This access should be restricted to the Basis team only.
Some of the user groups can be as follows (names can be used as per convenience):
(3) Table logging: There are certain tables for which table logging should be enabled in the Production system. The technical setting of such tables needs to be adjusted to "Log data changes". Transaction code SE13 can be used for verifying whether table logging is enabled or not. Table DD09L can also be used with the condition Log = X to get an overview of the tables for which table logging is enabled. Change documents for such tables can be viewed using table DBTABLOG.
(4) Maintaining proper values for Profile Parameters: Proper profile parameter values must be maintained as per the Best Practices so as to satisfy Security Audit Requirements. Below are examples of some such profile parameters.
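Added example (not part of the project report or of SAP's own tooling): an offline Python checker for deliverables (1), (3) and (4) above. It reads a constructed profile-parameter listing and a constructed DD09L extract, flags a disabled audit log, too few filter slots, a missing rsau/max_diskspace limit, table logging switched off via rec/client, and tables whose "Log data changes" flag is not X. The use of rsau/enable and rec/client, the DD09L field name PROTOKOLL, the thresholds and the list of tables that must be logged are assumptions for this example.

```python
import csv

# Constructed profile-parameter listing (name, value per line); values are illustrative.
PROFILE_PARAMS_SAMPLE = """\
rsau/enable                   1
rsau/selection_slots          1
rsau/max_diskspace/per_day    0
rsau/max_diskspace/per_file   0
rec/client                    OFF
"""
# Constructed DD09L extract: TABNAME plus the PROTOKOLL ('Log data changes', 'X' = on) flag.
DD09L_SAMPLE = "TABNAME,PROTOKOLL\nT000,X\nT001,\nZPAYROLL_RATES,\n"
# Tables this example assumes must be logged in production (an assumption, not from the report).
MUST_LOG = ("T000", "T001", "ZPAYROLL_RATES")


def parse_profile_params(text):
    """Split 'name   value' lines into a dict; blank lines are skipped."""
    params = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if parts:
            params[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return params


def check_audit_log_params(params):
    """Findings for the SM19 and table-logging parameters named in the text."""
    def num(name):  # numeric value, or 0 when unset or non-numeric
        value = params.get(name, "").strip()
        return int(value) if value.isdigit() else 0

    findings = []
    if params.get("rsau/enable") != "1":
        findings.append("rsau/enable is not 1: security audit log is disabled")
    if num("rsau/selection_slots") < 2:  # minimum filter count is an assumption
        findings.append("rsau/selection_slots < 2: too few audit filters")
    limits = ("rsau/max_diskspace/per_day", "rsau/max_diskspace/per_file")
    if not any(num(p) > 0 for p in limits):
        findings.append("no rsau/max_diskspace limit: audit files grow unbounded")
    if params.get("rec/client", "OFF").upper() == "OFF":
        findings.append("rec/client is OFF: table logging disabled system-wide")
    return findings


def unlogged_tables(dd09l_csv, must_log=MUST_LOG):
    """Return the must_log tables whose DD09L log flag is not 'X'."""
    rows = csv.DictReader(dd09l_csv.splitlines())
    flags = {r["TABNAME"]: r["PROTOKOLL"].strip() == "X" for r in rows}
    return [t for t in must_log if not flags.get(t, False)]
```

Running check_audit_log_params(parse_profile_params(PROFILE_PARAMS_SAMPLE)) on the constructed listing yields three findings, and unlogged_tables(DD09L_SAMPLE) lists T001 and ZPAYROLL_RATES.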
Audit is a never-ending topic, and many more security audit concepts could be discussed. Some other very important points will be discussed in the next post on SAP Security Audit Guidelines.
Controls & Check list
IS Auditor Review of Application Controls
Checklist columns: Description | Ref | Segregation of Duties | Completeness | Authorisation | Accuracy | Validity
1. Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorized and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Check whether the source document is a well-designed input form. Detect errors and irregularities so they can be reported and corrected.
b. Whether procedures for preparing source data entry exist, and whether they are effectively and properly communicated to appropriate and qualified personnel? [These procedures should establish and communicate required authorization levels (input, editing, authorizing, accepting and rejecting source documents). The procedures should also identify the acceptable source media for each type of transaction.]
c. Whether the function responsible for data entry maintains a list of authorized personnel, including their signatures?
2. Establish that data input is performed in a timely manner by authorized and qualified staff. Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorization levels. Where appropriate for reconstruction, retain source documents for an appropriate amount of time.
c. Whether there is a definition of who can input, edit, authorize, accept and reject transactions, and override errors?
Whether error logs are reviewed and acted upon within a specified and reasonable period of time?
3. Accuracy, Completeness and Authenticity Checks
a. Whether the transaction data are verified as close to the data entry point as possible and interactively during online sessions?
4. Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous transactions does not disrupt the processing of valid transactions.
Whether there are procedures with audit trails to account for all exceptions and rejections of sensitive output documents?
We determined that:
(1) Controls could be improved for recording restricted transactions and activities.
(2) A system interface modification prevented posting payroll during the period October 2013 through March 2014.
(3) Petty cash expenses were not promptly posted.
(4) Centrally billed travel was not posted in a timely manner.
(5) Beginning balance reports were not made available to the units until July 2014, nine months after the October 2013 Phase I implementation date. As of September 24, 2014, units across the Institution were still verifying their respective beginning balances.
(6) Audit of the Purchase Card Program, December 3, 2014. We determined that the Chief Financial Officer did not ensure that the ERP working group that developed the purchase card functional requirements included cross-functional experts. Also, cardholders and fund managers could not use the ERP system to determine whether available fund balances existed prior to making purchases, because the system provided inaccurate fund balances.
(7) Inaccurate fund balances have contributed to the erosion of confidence in the SAP ECC 6.00 Version (ERP) Business Solution information.
(8) Audit of the Smithsonian Financial System, July 12, 2011. We determined that the Smithsonian Financial System was not meeting the internal management and reporting needs of Institution units. The Smithsonian Financial System was not a user-friendly system and did not provide the units with the financial information needed to manage their various projects and activities related to project accounting, ad-hoc reporting, and monthly reports.
(9) Audit of Project Management of the National Museum of the American Indian Mall Museum, September 30, 2013. We determined that the Office of Facilities Engineering and Operations was not completing reconciliations of its internal project financial tracking system records to the Institution's financial system in a timely manner. We recommended that financial and management controls be strengthened by the ERP project team defining the requirements and reports needed for monitoring construction projects.
(10) Audit of Trust Fund Budget Process, September 28, 2012. We determined that significant management control weaknesses existed in the trust fund budget process. We recommended improvements in two areas: (1) completeness of the trust fund budget process and (2) controls to ensure that budgeted expenditures are not exceeded.
(11) Audit of Project Management Related to the Purchase of the Victor Building, February 21, 2012. We determined that there was no dedicated project manager to ensure that prudent business practices and generally accepted project management procedures were in place and operating properly. As a result, there was a high risk of cost overruns on the projects, delays in their completion, and added costs inevitably occasioned by such delays.
11. Summary/Conclusion
This report is reasonable to the best of our knowledge and belief, as verified with the various departments, managers and workers. It is issued without any prejudice and subject to the terms and conditions of the policy issued. We thank you and assure you of our best attention at all points.