TSRS ML PGN 2009 With Comments
Observation
Based on our observation and discussion, we noted that the Company has
not developed a formal procedure for monitoring program changes.
Thus, no periodic monitoring is being performed on changes to the
Oracle Financials application to detect unauthorized or unapproved
deployment to the production environment.
Risk
Lack of formal procedures related to program change monitoring would
increase the risk that unauthorized or unapproved changes are promoted
to the production environment.
Recommendation
The Company should develop a periodic procedure for monitoring
changes in the Oracle Financials application, and the process should be
documented appropriately. Monitoring of program changes is important in
order to ensure that all changes made to the Oracle Financials application meet
user and business requirements.
Management Comments
Observation
Based on our observation and discussion, we noted that the Company has
not developed a formal procedure for monitoring the logical access
process. Thus, no periodic monitoring is being performed on
access to the Oracle Financials application to detect unauthorized or dormant
user accounts.
Risk
The absence of periodic review and monitoring over the logical access
process may increase the risk that unauthorized and dormant user accounts
remain active in the system, and the risk of unauthorized access to the system.
Recommendation
We recommend that the Company develop a formal procedure for logical
access process monitoring. Strong monitoring of the logical access process
in the Oracle Financials application should be performed on a regular basis, and
the result should be documented appropriately.
Management Comments
Observation
We noted that the O/S parameter settings were configured as follows:
• LockoutDuration : 30
• ResetLockoutCount : 30
• Enforce password history : 0 passwords
• Password complexity : Disabled
Risk
Weak password controls (parameters) increase the risk of unauthorized
access to the system.
Recommendation
We recommend that the Company enhance the password security settings to
the following:
Management Comments
We note this is an improvement from the past audit result; we have scheduled
the change in the production environment.
PT Perusahaan Gas Negara
December 31, 2009
Observation
We noted that the backup is performed on a regular basis; however, we
noted that the backup and recovery procedure has not been formalized to
ensure that backup and recovery are performed according to standard.
Risk
Without a formal backup and recovery procedure, there is no assurance
that the data was backed up and can be recovered appropriately based on
the Company’s standard.
Recommendation
We recommend that the Company improve and formalize the backup and
recovery procedure. The procedure should be comprehensive and at least
include:
1. Identification of vital data that require backup (copies of data and
program files as well as key system resources), its storage and
recovery
2. Off-site backup storage (backup copies should be maintained in a
secure, environmentally controlled off-site location and adequate
physical security)
3. Test of backup copies through regular recovery procedures
4. Periodic inventory review of all backup tapes/media
5. Documentation of all backup and recovery activities to enable review
Management Response