DISA Project Report

Project Report

Of
DISA 2.0 Course

RDPS LLP Page 1


CERTIFICATE

This is to certify that we have successfully completed the DISA 2.0 course training conducted at Raipur (C.G.) from 12.02.2015
to 01.03.2015 and we have the required attendance. We are submitting the Project titled "Implementing GRC as per Clause
49 listing requirements". We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We
also certify that this project report is the original work of our group and each one of us has actively participated and
contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from
anyone except members of our group.

Group No: N

1. Name: Dhara Santwani    DISA No.: 43874    Signed: ____________________________

2. Name: Pragya Jajodia    DISA No.: 42650    Signed: ____________________________

3. Name: Ritu Gupta        DISA No.: 43752    Signed: ____________________________

4. Name: Sonal Jain        DISA No.: 42840    Signed: ____________________________

Place: Raipur
Date: 06/04/2015


Table of Contents

CERTIFICATE .......... 2
1. INTRODUCTION .......... 4
2. AUDITEE ENVIRONMENT .......... 5
2.1 ORGANISATION STRUCTURE .......... 5
2.2 TECHNOLOGY DEPLOYED .......... 5
2.3 POLICIES AND PROCEDURES .......... 6
3. BACKGROUND/ BUSINESS CASE FOR THE ASSIGNMENT .......... 6
4. TERMS AND SCOPE OF ASSIGNMENT .......... 7
5. LOGISTIC ARRANGEMENTS REQUIRED .......... 7
6. METHODOLOGY AND STRATEGY ADAPTED FOR EXECUTION OF ASSIGNMENT AND DOCUMENTS REVIEWED .......... 7
7. DELIVERABLE .......... 8
7.1. REVIEW OF INTERNAL CONTROL WEAKNESS .......... 8
7.1.1. PROCUREMENT PROCESS INTERNAL CONTROL PROBLEMS AND WEAKNESS .......... 8
7.1.2. INVENTORY CONTROL AND MANAGEMENT .......... 10
7.1.3. LOGISTICS, WAREHOUSING, SALES AND DISTRIBUTION .......... 11
7.1.4. INFORMATION TECHNOLOGY DEPARTMENT PROBLEMS AND WEAKNESSES .......... 12
7.3. REVIEW OF THE INTERNAL AUDIT FUNCTION WITHIN THE ORGANISATION .......... 15
7.4. REVIEW OF FINANCIAL AND RISK MANAGEMENT POLICIES .......... 17
7.5. SPECIFIC COMPLIANCE REQUIREMENTS AS PER INFORMATION TECHNOLOGY ACT AS AMENDED IN 2008 .......... 20
8. CONCLUSION .......... 23
9. ENCLOSURES .......... 23


Project Report
Implementing GRC as per Clause 49 listing requirements

A. Details of Case Study

Agile IT Solutions (AIT) Ltd has recently gone public and is listed on the national stock exchange in India. AIT has
traditionally been a family owned business, with the major shareholders and the senior management of the company belonging to
a well renowned business family. The management has decided to professionalise the company by appointing professionals
to all key posts and implementing documented procedures and policies to meet the regulatory and compliance requirements
applicable to the company. AIT manufactures a well-known brand of UPS which enjoys a good reputation in the
market and has customers across all industry verticals. It has its head office at Chennai and factory at Pondicherry. It has
regional offices in all metro cities and branch offices in 10 cities across India. It is using an integrated software solution with
all offices and the factory networked together. It has more than 500 employees across its offices in India. It has a combination of
an in-house IT department and outsourced vendors. It is critically dependent on IT for all key operations. The company is
enjoying increasing growth in terms of turnover and market share.

There have been recent failures of IT for long periods of time which have impacted production and delivery of products and
services to customers. The management is concerned with the risk management strategy adopted and the impact on
compliance. It would like to make the transition from a family managed company to a professionally run company with
documented policies and procedures.

We have been approached by the newly appointed CIO and head of IT of AIT Ltd to provide a comprehensive list of
regulatory and compliance requirements which are to be met by the company as per various IT and regulatory requirements
and specifically for implementing GRC as part of the corporate governance requirements.

B. Project Report

1. Introduction
About us

We, at RDPS LLP, are a Limited Liability Partnership established in the year 1988 under our founder Partner Mr. ABC.
Presently we have 20 partners with expertise in various fields of direct and indirect taxes, Management Services,
Assurance Services and Information Systems Audit. Our experience in the area of Management Consultancy Services and
Information Systems Audit extends to more than 10 years.

We have deployed a team of 2 Chartered Accountants (of whom 1 is DISA qualified) and 5 assistants on our current
assignment. The composition of the team is as follows:

1. CA R. Mehta (Group Leader)
2. CA B. Nair
3. Mr. S. Sharma
4. Mr. D. Verma
5. Ms. A. Patel
6. Ms. K. Sinha
7. Ms. G. Sahu


About the Client:

Agile IT Solutions (AIT) Ltd, founded by Shri XYZ in 1978, is a public company listed on the National Stock Exchange of India.
At present, AIT Ltd. is one of the leading manufacturers in the country of Power Backup Solutions in the form of high capacity
inverters and interactive UPS.

AIT Ltd. delivers products, services and innovative solutions for all power backup needs of top national and multinational
companies, service providers, enterprises, governments, research and educational institutions in India.
With an annual turnover of more than Rs. 1000 crores and an employee base of more than 500, AIT is set to be the Market
Leader of power backup solutions in the country in the times to come.

2. Auditee Environment
2.1 Organisation Structure
Refer Annexure “A”
2.2 Technology Deployed
I. Network Architecture

i. Between Head Office and Regional offices – Star topology using leased lines
ii. Between Head Office and Factory – Leased line
iii. Between Branches and Regional Offices – Star topology using secure VPN connection

II. Hardware

A. Servers at HO
i. MS SQL server
ii. Email Server
iii. Application Server
iv. Web Server
v. File Server
B. Servers at Regional Office and Factory
i. One Virtual Server (with distribution for database, email, application, web and file server functions)
C. Following Hardware as per requirement at each working location of the company
i. Client/ Nodal Computers
ii. Printers, Scanners and Faxes
iii. Routers and Modems
iv. UPS
v. Hubs and Switches
vi. Wireless Cards
vii. Storage devices like Hard drives, Pen Drives, CD ROMs
viii. LCD Projection Devices
ix. Security Hardware


III. Software

A. System Software
i. Windows Server based Operating System
B. Application Software
i. In-House developed ERP integrating following functions
-Production and inventory
-Material Management
-Sales and Distribution
- Accounts and Financial
ii. Outsourced
-Payroll
-Customer Relation Management
C. Database
- MS SQL (In-house developed Software)
D. Security Software
i. Firewalls
ii. Anti-Virus

2.3 Policies and Procedures

Policies and procedures adopted by AIT Ltd. are as follows:

A. Human Resource policy and procedure


i. Employees Code of conduct
ii. Disciplinary procedure
iii. Working Time Policy
iv. Health and Safety Policy
v. Conflict of Interest Policy
B. Operational Policies
i. Standard Operating Procedures
ii. Market Supplement Policy
C. IT Policies
i. Information Security Policy
ii. Data Protection Policy
iii. Computer Use Policy
iv. Social Networking Policy

3. Background/ Business Case for the Assignment

AIT Ltd was listed on the NSE in the year 2011. Ever since the listing, it has undertaken major expansion drives and is
today a Rs. 1000 crore company having 4 regional offices and 10 branches in addition to its HO at Chennai and the
Factory at Pondicherry.

Internal Control Systems and IT implementation could not keep pace with the high growth phase of the company.
Although the company has taken major steps towards professionalizing and systematizing its internal environment,
recent system failures have led to financial and reputational losses especially in the production and delivery segments of
the company.

This has prompted the company to rethink its strategy, and hence the company has approached us to provide it with a
risk management approach and strategy as well as a compliance listing to thwart such systemic failures in future.

4. Terms and Scope of assignment

Based on our understanding of Agile IT Solutions (AIT) Ltd it was decided to primarily focus on a review of internal policies
and procedures with the objective of assuring the adequacy of the risk management strategy and compliance with regulatory
requirements. Broadly, the area under review covers the following:

• Review adequacy of internal control systems and confirm their appropriateness. In case of control weakness, provide
appropriate recommendations for remediation.
• Review functioning of the internal audit function, its reporting structure, coverage and frequency of internal audit, and
identify areas requiring improvement.
• Review financial and risk management policies as per corporate governance requirements and provide
recommendations for improvement.
• Review compliance requirements as per the Information Technology Act as amended in 2008.
• Review whether the current risk management strategy is adequate considering the enterprise's current and future
business plans, business processes, technology deployed, organisation structure and regulatory requirements.

5. Logistic arrangements required

It will be necessary for Agile IT Solutions (AIT) to appoint one coordinator who will be part of the discussion on the work
plan initially and continue to work with the ARA team till the assignment is complete. AIT will make available the
necessary computer time, software resources and support facilities necessary for completing the assignment within the
agreed timeframe. The conduct of the assignment should be adequately communicated to the required personnel so as
to facilitate extensive cooperation from the respective personnel.

6. Methodology and Strategy adapted for execution of assignment and documents reviewed

The assignment was carried out as a pre-planned assignment. We have used internationally accepted standards for IS
audit: COSO 2013, COBIT 5 and ISO 31000, a family of standards relating to risk management codified by the International
Organization for Standardization. The key tasks of our assignment are highlighted below:

• Use of Internal Control Questionnaires (ICQs) developed leveraging the COSO and COBIT frameworks.
• Business process owners completed the ICQs.
• The team conducted process walkthrough exercises with each business process owner vis-a-vis policies and SOPs.
• Risk assessment was completed through a combination of the following:
  - Brainstorming with senior management for review of organisation risks
  - Interviews with business leaders to understand key strategic business objectives
  - Review of key business objectives
  - Key points and risk considerations from the minutes of Board meetings
  - Review of vendor contracts and SLAs with service providers
• The team evaluated overall results:
  - Identified areas for improvement
  - Identified compensating controls
  - Assessed overall risks
  - Accumulated results
• Issue of draft audit report
• Review of the draft audit report by the business process owners and key management personnel
• Issue of final audit report

7. Deliverable

7.1. Review of internal control weakness

The company is in the process of professionalizing its set-up by appointing professionals to all key posts and implementing
documented procedures and policies to meet the regulatory and compliance requirements applicable to the
company. There have been recent failures of IT for long periods of time which have impacted production and delivery of
products and services to customers. Hence our first scope of work within the assignment has been AN OVERALL LIMITED
REVIEW of the production and supply chain management processes, working on the internal control lacunae and
weaknesses of the same. Supply management consists of 4 essential components:
a. Procurement
b. Inventory Management
c. Logistics and Warehousing
d. Sales and Distribution

7.1.1. Procurement Process Internal Control Problems and Weakness


The following diagram is a graphical representation of the entire business operations of the company. As can be
observed, the production process mainly consists of assembling the various raw materials sourced from external
parties. When we studied the production system, we realized that the major problem faced by the company in
production was not during the assembly stage but during the procurement process.

The IT department of the company had developed in-house ERP software for material management and production.
During the course of the audit, the following weaknesses were observed:

SN / Internal control weakness / Implications / Recommendations

1. Internal control weakness: The company is heavily reliant on only one vendor for its transformer and battery requirement.
   Implications: Any mishap at this vendor would directly affect the company's operations. The use of a particular brand or
   supplier specification seriously limits the company's commercial latitude (in terms of negotiations) with the supplier. Also,
   recognizing only the technical expertise of a supplier easily leads to situations where the supplier selected cannot meet the
   capacity and logistics requirements of the company.
   Recommendations: See item 2 (common recommendation for items 1 and 2).

2. Internal control weakness: The new vendor development process is not well defined in the company.
   Implications: Purchase orders are placed with suppliers with whom the user has a friendly relationship. As a result such
   suppliers may not be as competitive as the internal customers think they are.
   Recommendations (items 1 and 2): The company must have a new vendor development system in place. There are numerous
   ways of doing this. One can be that, above a certain financial value, the organization commits itself to issuing three
   competitive bids before awarding a contract to a supplier. Another principle could be that the organization decides that a
   formal contract is needed before engaging in a formal relationship with a supplier and making any purchase order.

3. Internal control weakness: Most of the supplier agreements/contracts do not contain a Liquidated Damages (LD) clause to
   penalize late delivery.
   Implications: The main vendors are monopolizing supply and the absence of competition has made them complacent. Delay in
   material supply from the vendor affects the company's production.
   Recommendations: An LD clause is a major deterrent to suppliers against delaying their despatches. The management must
   work out the losses due to delays in supply and incorporate an LD clause to suitably penalize unwarranted delays.

4. Internal control weakness: Contracts, when available, are stated in general terms; they are not complete and have not
   passed legal scrutiny, and a clear description of the product or supplier requirements may be missing.
   Implications: Another problem is that most of the contracts available are drafted by the suppliers using their own legal
   terms and conditions.
   Recommendations: Creating a contract negotiation strategy is a crucial step in the vendor selection process. The management
   must rank its priorities and clearly define benchmarks and time constraints. It must also evaluate its risks and liabilities
   as well as state the level of confidentiality required.

5. Internal control weakness: Stock once received at the factory premises is not verified promptly and updated in the system.
   There is no system to ascertain stock received but not updated in the stock register.
   Implications: Delay in updating stock records results in inefficient production planning and delayed payments to suppliers,
   thereby leading to reputational losses too.
   Recommendations: All stock that enters the factory premises is recorded manually by the security staff in the security
   register. The IT team must incorporate an automated security register in the ERP system duly linked to POs. This would
   enable easy ascertainment of stock received but not verified and updated. A report of any such stock lying unverified for
   more than 3 working days must be available on the dashboard of the Manager.

6. Internal control weakness: Invoices above Rs. 5 lacs are to be authorized by the VP (Pur). Out of 694 such purchases, 156
   invoices above Rs 5 lacs were authorized by the Manager (Pur) as exceptions to this policy.
   Implications: More than 22% of the invoices were authorized as a policy exception. This signifies that either the will to
   follow the policy is absent or the policy needs a change.
   Recommendations: The management must review the laid down policies and procedures and either ensure their strict
   adherence or change them as per current business needs.
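Two of the procurement findings above (items 5 and 6) lend themselves to a data-analytic control test. The following is an added example written for this report, not the company's ERP code; the record layout, field names, dates and amounts are constructed for illustration, and the 3-working-day and Rs 5 lacs thresholds are taken from the findings.

```python
"""Audit analytics for two procurement controls (added example, not from the report).

Constructed gate-register and invoice records are checked against two of the
recommendations above: stock received at the factory gate but still not
verified in the ERP after more than 3 working days, and invoices above Rs 5 lacs
authorised by anyone other than the VP (Purchase). Record layout, names and
dates are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

WORKING_DAY_LIMIT = 3          # report threshold for the manager's dashboard
INVOICE_THRESHOLD = 500_000    # Rs 5 lacs; approval above this needs the VP (Pur)
AUTHORISED_ROLE = "VP (Pur)"


@dataclass
class GateEntry:
    """One line of the (assumed) automated security register, linked to a PO."""
    grn: str
    po: str
    received: date
    verified: Optional[date]   # None: not yet verified/updated in the ERP


@dataclass
class Invoice:
    number: str
    amount: int        # rupees
    approved_by: str   # role of the approver


def working_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end` (weekends skipped)."""
    days, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days += 1
    return days


def unverified_stock(entries: List[GateEntry], as_of: date) -> List[str]:
    """GRNs still unverified for more than WORKING_DAY_LIMIT working days."""
    return [e.grn for e in entries
            if e.verified is None
            and working_days_between(e.received, as_of) > WORKING_DAY_LIMIT]


def policy_exceptions(invoices: List[Invoice]) -> Tuple[List[str], float]:
    """Invoices above the threshold not approved by the VP, and the exception rate."""
    above = [i for i in invoices if i.amount > INVOICE_THRESHOLD]
    exceptions = [i.number for i in above if i.approved_by != AUTHORISED_ROLE]
    rate = len(exceptions) / len(above) if above else 0.0
    return exceptions, rate


# Constructed sample data; 2015-03-02 is a Monday, 2015-03-09 the following Monday.
AS_OF = date(2015, 3, 9)
SAMPLE_ENTRIES = [
    GateEntry("GRN001", "PO101", date(2015, 3, 2), date(2015, 3, 3)),  # verified next day
    GateEntry("GRN002", "PO102", date(2015, 3, 2), None),              # 5 working days old
    GateEntry("GRN003", "PO103", date(2015, 3, 5), None),              # Fri + Mon = 2 days
    GateEntry("GRN004", "PO104", date(2015, 3, 4), None),              # exactly 3 days
]
SAMPLE_INVOICES = [
    Invoice("INV1", 600_000, "VP (Pur)"),
    Invoice("INV2", 750_000, "Manager (Pur)"),     # exception
    Invoice("INV3", 400_000, "Manager (Pur)"),     # below threshold, no VP needed
    Invoice("INV4", 500_000, "Manager (Pur)"),     # not above 5 lacs
    Invoice("INV5", 1_200_000, "Manager (Pur)"),   # exception
]

if __name__ == "__main__":
    print("Unverified > 3 working days:", unverified_stock(SAMPLE_ENTRIES, AS_OF))
    exc, rate = policy_exceptions(SAMPLE_INVOICES)
    print(f"Policy exceptions: {exc} ({rate:.0%} of invoices above threshold)")
```

The weekend in the sample shows why the aging must count working days rather than calendar days: GRN003 is four calendar days old but only two working days old and is correctly not flagged.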

7.1.2. Inventory Control and Management

Efficient inventory management is achieved through inventory control and inventory management. Inventory control
involves managing the inventory that is already in the warehouse, stockroom, or store: information about where it is,
how much of it there is and how much each item costs. Inventory management involves determining what, when, from whom,
and how much to order. It is the forecasting of future requirements based on current and past trends.

S.No. / Internal control weakness / Implications / Recommendations

1. Internal control weakness: The Re-Order Level of the various raw material components required has not been entered
   within the ERP software.
   Implications: Manual intervention is required for placing orders which could easily be placed through the system at the
   right time, resulting in delay in placing orders.
   Recommendations: See item 2 (common recommendation for items 1 and 2).

2. Internal control weakness: Minimum Order Quantity and Lead Time for every raw material component are also not defined.
   Implications: This is the direct fallout of the first weakness. Absence of an entire system of Re-Order Level, Minimum Order
   Quantity and Lead Time is leading to delays in procurement and receipt of material, thereby affecting production.
   Recommendations (items 1 and 2): The company must adopt a system of Materials Requirements Planning (MRP) to provide a
   clear vision into gaps between current inventory levels and forecasted demand for each inventory item. Additionally, MRP
   generates alerts and replenishment orders to keep a company's entire inventory at an optimal level. This would enable
   better control over material, prevent excessive stocking and, above all, ensure regular supply of materials for
   uninterrupted production.

3. Internal control weakness: Inventory requirement planning is done in an over-simplified manner of 1.5 times the sales of
   the same quarter in the last F.Y.
   Implications: The overall average growth trend as revealed by sales analytics has been 10% per annum. Thus the company is
   stocking more than required. Needless to say, poor inventory requirement planning results in poor inventory management.
   Recommendations: The management must make use of intelligent forecasting tools to create an efficient demand planning
   process and achieve optimal planning accuracy. The individual plans from the various department managers, including top
   executives, sales, marketing, purchasing managers and so on, can be integrated into one valid plan. Forecast analytics tools
   provide decision makers with historical data and enable the visualization of market trends, which in turn allow for the
   adjustment of demand plans in real time.

4. Internal control weakness: The system for calculating the landed costs of inventory does not consider all costs incurred
   from material requirement planning to warehouse. While financials are picked up from the accounting software used
   separately, the quantities are derived from the ERP software.
   Implications: Inability to determine a fair inventory valuation leads to loss of revenue on account of faulty pricing
   strategies.
   Recommendations: The CIO together with the CEO must work on scientific techniques and reporting requirements of the ERP to
   fairly determine the landed cost of material. The management must also consider integrating accounts and financial
   reporting into the ERP software to prevent duplication of work and realise accurate information.

7.1.3. Logistics, Warehousing, Sales and distribution


The Company has one Central Distribution Centre (DC) located at Pondicherry and four Regional Distribution Centres
where it also holds stock of UPS based on the historical data of sale at each branch. Every regional DC caters to two
branches in that state. The company has a contractual agreement with a major transport company to transport goods
from the mother DC to the Regional DCs as well as to the distributors.

Where the company has branches it supplies directly to customers on a down payment of cash/ postdated cheque basis
from its Regional Warehouse.

In the states where there are no branches, the company does not supply directly to customers but operates through its
network of dealers and distributors. The company is fast expanding its distributor network and aims to build an efficient
and motivated distribution channel to widen its market coverage across the country.

During the course of the audit, the following weaknesses were observed in the Logistics and Warehousing process of the
company:

S.No. / Internal control weakness / Implications / Recommendations

1. Internal control weakness: As per the contract with the major transporter, the transporter is liable for all goods lost or
   damaged (with a few well-defined exceptions). It was observed that, during the period under audit, transit losses amounted
   to Rs. 10.62 Lacs and the company had not claimed transit losses or damage from the transporter.
   Implications: Non-enforcement of the recovery clause leads to revenue losses for the company and a laissez-faire attitude of
   the transporter.
   Recommendations: The causes of all transit losses must be identified and due claim must be lodged with the transporter, not
   only to recover losses but also to make him accountable for careful handling of goods during transport.

2. Internal control weakness: The company does not have any fixed transporter for transporting goods from the Regional DCs to
   the branches and/or customers. The managers at the Regional DCs/ Branches dispatch goods through general public carriers
   which may not even be licensed to do the job. We observed 5 instances where material dispatched did not reach the end user
   on time or was received in damaged condition.
   Implications: Dispatch through non-licensed transporters can lead to major financial and reputational losses for the
   company. Moreover, as the company does not have insurance cover for transit of goods, it must be extra careful while making
   a choice of transporter.
   Recommendations: The company must select and review an appropriate transport provider for every state at the Central
   office, with a clear mandate that all despatches would take place through qualified transporters only. This mandate must
   apply to the dealers and distributors as well. A transit insurance policy must also be availed.

3. Internal control weakness: The policy of collecting postdated cheques is not followed diligently. The RMs, without express
   authority, sell goods without PDCs.
   Implications: Increase in bad debts leading to financial loss for the company. Debtors greater than 6 months amounted to
   Rs. 1.64 cr and the company had written off bad debts to the tune of 64 lacs during the last financial year.
   Recommendations: The system must be configured so that all direct customer orders at branch level are logged only when PDC
   details have been entered. Any exception must be with the approval of a higher authority.

4. Internal control weakness: The company does not have a separate channel marketing manager to train, educate and address
   grievances of the channel distribution partners (CDPs). At present the marketing manager and his team are responsible for
   all marketing activities, whether at company owned branches or through CDPs.
   Implications: Since the company is fast expanding its distribution network, the marketing manager alone is ill equipped to
   cater to specific channel distribution requirements. Channel distribution problems can occur when channel partners have
   inadequate product or market knowledge. The result is poor service to customers and lost sales opportunities.
   Recommendations: Appoint a channel marketing manager and team to work in collaboration with channel partners. The manager
   should be responsible for selecting partners, training and developing partners' sales and marketing staff, and monitoring
   performance against agreed targets. By building and maintaining relationships with the distribution channel, the manager
   can identify potential problems and deal with them before they become serious.

5. Internal control weakness: The company's communication with the CDPs is limited at present to only stock requirements,
   sales, collections and incentives. No concerted effort is being made to train, motivate and communicate customer service
   methods to the CDPs.
   Implications: Channel partners are responsible for relationships with the customers that the company does not serve
   directly. If channel partners offer poor standards of service, such as late deliveries, inaccurate invoicing or delays in
   dealing with customer enquiries, customer satisfaction will drop with an impact on the company's reputation.
   Recommendations: A specialised marketing team can overcome this problem by providing training programs and guides that
   improve product knowledge. Also, the company must create a set of customer service standards and communicate them to
   distributor teams.

7.1.4. Information Technology department problems and weaknesses

The company has a combination of an in-house IT department and outsourced vendors. It is critically dependent on IT for all
key operations. The company's in-house IT department has developed an ERP application software which covers Material
Management, Logistics, Inventory Management, Sales and Distribution and Accounts and Finance. The company uses
outsourced software for its customer relationship management and payroll applications.

During the course of the audit, the following weaknesses were observed in different IT related areas:

1. VPN Service Level Agreement (SLA) with service providers for internet connectivity between Regional offices and
respective branches.

The company has one Head Office and four Regional Offices cum Distribution Centres, each in turn having 2 branches under
it. The branches are connected to the RO server through VPN connections taken from different service providers at each location.
VPN connectivity has its own problems, and every SLA signed with a service provider must cover certain basic clauses
which are missing currently. Following is the list of weaknesses and consequences in the VPN scenario.

S.No. / Weaknesses / Implications / Recommendations

1. Weakness: The SLA does not include servicing of the VPN and other day-to-day operational maintenance and monitoring
   activities to be performed by the service provider.
   Implications: The IT department at Head Office is not well equipped to cater to VPN issues at remote branches. It is not
   feasible for the company to deploy IT trained staff at every branch to cater to day-to-day VPN issues.
   Recommendations: The SLA with every VPN service provider must cover maintenance and troubleshooting of VPN connectivity
   issues and secure tunneling. This service should be available 24 x 7 to the organization. The fault response and restoration
   time required to troubleshoot problems (based on criticality levels) must be defined in the SLA.

2. Weakness: Loss on account of lack of VPN connectivity is not quantified. There is no provision to penalize the VPN ISP in
   cases of persistent and prolonged connectivity issues.
   Implications: Absence of a penalizing clause makes the VPN ISP complacent towards expediting troubleshooting measures.
   Recommendations: The SLA must provide for service rebates in case the VPN service is unavailable for more than "N" hours.
   The company must be automatically credited with the mutually agreed service rebate amount.

3. Weakness: VPN (although a cost effective high speed internet solution) can pose a security risk when used with wireless
   devices and across access points.
   Implications: This can result in a breach of data security and a confidentiality risk.
   Recommendations: The SLA must expressly fix responsibility on the ISP to provide security infrastructure that protects the
   company from unauthorized external access to, or broadcast of, the company's intellectual property, proprietary and
   confidential data. The ISP must report to the company any observed security breaches and suspicious activity.

4. Weakness: In case of connectivity issues at branch or Regional level, the same is reported to the head office and the IT
   team at the head office carries forward all communication with the respective ISP. The responsibility to report any
   troubleshooting requirements to the ISP is not defined in the job profile of any employee at the Regional or branch level.
   Implications: Absence of a direct point of contact between the Regional/ branch office and the VPN ISP leads to
   miscommunication and delay in troubleshooting of problems. Consequently, all provision of products and services to the
   customers is affected for prolonged periods of time. Normalization of day-to-day activities is also delayed.
   Recommendations: A "VPN Contact" must be appointed to act as a central point of contact for seeking any VPN support. The SLA
   must affix responsibility on the ISP staff to provide initial training to this contact, and he shall be responsible for
   reporting all VPN service problems to the VPN ISP.


2. Other general issues observed in IT and ERP management during the course of the internal audit.

The company was listed on the NSE about 3 months ago. Prior to listing, the management had already taken steps to
implement an ERP software within the organisation integrating information and reporting requirements for the entire supply
chain operations and accounting and financial reporting within the company. However, the company is using outsourced
software for its CRM and payroll applications.

Key Findings and Recommendation:

SN   Process Evaluated                                              Effectiveness of Controls and Processes
1.   Policy & Procedures                                            Inadequate
2.   System Access controls and segregation of duties               Inadequate
3.   Spreadsheets control                                           Inadequate
4.   Application Security                                           Requires Improvement
5.   Change Management                                              Requires Improvement
6.   Backup and Recovery                                            Requires Improvement
7.   Performance Planning and Testing                               Requires Improvement
8.   Training                                                       Requires Improvement
9.   Physical Security                                              Requires Improvement
10.  Password Controls                                              Requires Improvement
11.  Business Continuity Plan and Disaster Recovery Mechanism       Non Existent

1. Policy and Procedures – Formal policies and procedures addressing areas such as process controls, user access,
password administration, policy enforcement, and monitoring practices have not been developed, documented, or
formally communicated to system users. Standard operating manuals are yet to be updated in line with the business
process re-engineering carried out during ERP implementation. Accordingly, the company is exposed to mistakes
from both internal and external sources. We recommend that the CIO establish and maintain formal user policies and
procedures.
2. System Access controls and segregation of duties – Access to the financial systems (including general ledger,
accounts payable, accounts receivable, and fixed assets) and financial reporting systems has been restricted to
appropriate users (e.g., the finance division); however, access to individual functions within these systems has not
been restricted based upon the specific business needs of the individual users. Even though management has
appropriately established who should perform certain functions, preventative access controls in the systems do not
restrict who can perform those functions. As a result, system users may be able to perform inappropriate or
incompatible functions. The management must establish user access roles in the systems and restrict access
based upon defined business needs.
3. Spreadsheets - End-user computing technologies (e.g., Microsoft Excel, Access, Word) that are used to generate
financial data or disclosures in the financial reports are not subject to a level of control commensurate with other
key financial application systems. Though access to the spreadsheets is restricted to the finance division, the
spreadsheets themselves are not subject to an appropriate level of security or change management control. The file
is not password protected, changes are not logged, and file versions are not managed. The company must deploy a
system to manage documentation throughout the enterprise. This system must have the ability to restrict access to
specific files and manage software versions.



4. Application Security - Controls over access to the ERP application and operating system are not updated or
documented. We recommend user access be compared to job functions and access rights reconciled. In addition,
policies and procedures should be created to govern the authorization and maintenance of user accounts.
5. Change Management - The change management process in place is not current within the IT department. There is
also a lack of segregation of duties, as the same individual is responsible for making changes to the ERP system, then
testing the changes, and then implementing the changes in the production environment. IT management should
update the formal change management process, focusing particularly on the approval of changes to ERP and the
implementation of changes in the production environment.
6. Backup and Recovery - ERP backup tapes are stored in the data center instead of being stored offsite, and
restoration testing is not being performed on a regular basis. Additionally, formal IT policies regarding system
maintenance, restoration, storage and backup testing have not been adopted or documented. We recommend that the IT
department create and document IT policies addressing these topics, move backup tapes offsite, and perform
and document restoration testing.
7. Performance, Planning and testing – Patches are deployed to the live environment before adequate planning and
testing, resulting in bugs and consequent operational failure. The company suffered delays in deliveries of
products and services to customers because the patch applied to the delivery module had bugs which had not been
corrected. We recommend that user sign-off be obtained for every module where a patch is to be applied.
8. Training: Operations people within the company are accustomed to dealing with phone calls, faxes, spreadsheets or
hunches scrawled on paper, and are resistant to using the ERP software. The management must convince front-line
operations people that using the software will be worth their time so that they don't find ways to work around it.
9. Physical security - The data center housing the ERP server lacks a climate control system to regulate temperature,
humidity and air quality. We recommend equipment which monitors and regulates the climate of the data center be
installed. In addition, controls are not in place to limit access to the data center. We recommend limiting data center
access to IT personnel through use of swipe cards or other means.
10. Password controls - End users are not forced to change their passwords on a periodic basis. The functionality for
prompting password change must be enabled to force the user to change passwords periodically.
11. Business Continuity Plan and Disaster Recovery Plan: Disaster recovery (DR) and business continuity refer to an
organization’s ability to recover from a disaster and/or unexpected event and resume operations. The Management
must consider factors such as alternate site designation, training of personnel, and insurance issues while
formulating plans for Disaster recovery and business continuity.

7.2. Management Action Plan:


Management is in agreement with the recommendations in this report and has developed action plans to address them.
All management action plans are scheduled to be completed by September 2016. The detailed management schedule
for completion of developed action plan has been provided to the audit committee for review.

7.3. Review of the Internal Audit Function within the Organisation


Key findings

As the company is graduating from a family owned company to a professionally managed one, it realises the importance of
having an effective and efficient internal audit function. The internal audit function was previously headed by the CFO of the
company directly and no specialised team was available for the purpose. The internal audit function was mainly covering



review of accuracy of financial statements and compliance with legal and regulatory requirements only. There was no
attempt to study internal control weaknesses and conduct risk analysis, mitigation and remediation.

The company has recently appointed an internal audit head with a dedicated internal audit team to carry out its internal
audit function. We have done a limited review of the major problems being faced in the supply chain management, but a
detailed and systematic risk - based internal audit must be carried out to continuously upgrade and update the internal
control mechanisms in a dynamic business scenario.

Recommendations

1. Clause 49 of the Listing Agreement of SEBI has made the top management accountable for weaknesses in the
internal control systems. It requires the CEO/ CFO to certify the effectiveness of the Internal Controls as well as
mandates formation of an audit committee that shall review all internal audit reports relating to internal control
weaknesses.

The Internal Audit function is responsible for ensuring that internal controls are in place to help the company navigate
towards its financial goals, to help it achieve its mission, to minimize surprises and risks, and to allow the
organization to successfully deal with change. Internal controls are defined as activities undertaken to increase the
likelihood of achieving management objectives in three areas:

- Efficiency and effectiveness of operations
- Reliability of financial reporting
- Compliance with laws and regulations

We recommend that the new internal audit team gravitate towards a risk-based internal audit program while
continuing with financial as well as compliance audits. We are attaching herewith a checklist (Annexure “B”) to
facilitate an assessment of internal controls of individual departments as well as the organisation as a whole. It is
intended to address general aspects of internal controls, and does not include specific controls applicable to
individual departments. Specific controls must be added to the checklist as per every individual department’s
requirements.

Organization of the checklist is consistent with the five interrelated components of internal control defined by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO).

2. Based on the control and risk assessment done by our team as per the COSO and COBIT control framework, we have
identified the following critical processes that must be subjected to a risk based internal audit:

S.N   Critical Processes
1     Procurement and Cost Management
2     HR – Recruiting, hiring and retention
3     Marketing Strategy and Brand awareness
4     IT Project Review – Integrating CRM within ERP
5     Business Continuity and Disaster Recovery Plan
6     Succession Planning – Leadership identification and Assessment
7     Data Processing and Access Controls
8     ERP Change Management Process
9     Network Security/ Privacy
10    Inventory Management
11    Legal Review – SLA/ Vendor Contracts
12    Risk based Policies, Procedures and guidelines
13    Logistics and Transportation
14    Payroll disbursal/ Compensation and Incentives
15    Customer Service and Delivery



[Figure: prioritisation matrix plotting critical processes 1 to 15 by Importance to Business/Financial Performance
(Medium to High, vertical axis) against Likelihood of Process/Control Weakness (Medium to High, horizontal axis)]

The internal audit team in consultation with the management may work out the priorities for conducting its audit based on
the above matrix.

7.4. Review of Financial and Risk Management Policies


Clause 49 IV (C) Board Disclosures on Risk Management requires every listed company to lay down procedures to inform
board members about the risk assessment and minimization procedures. These procedures must be periodically reviewed to
ensure that executive management controls risk through means of a properly defined framework. Indian companies often
adopt a combination of home-grown, in-house practices and globally recognized frameworks for risk management. The ideal
approach would be to adopt a globally accepted risk management framework such as COSO, which provides a framework for
enterprise risk management, and then integrate the local practices as relevant. The amendments effected in Clause 49 V (C)
and (D) clearly bring out:

1. The responsibility entrusted to the CEO/CFO is in relation to establishing and maintaining internal controls for
financial reporting.
2. The CEO/CFO has to assert that he/she has evaluated the effectiveness of internal control systems of the company
pertaining to financial reporting.
3. The CEO/CFO certificate will further state the manner in which deficiencies (if any) in the design or operations of
such internal controls have been disclosed to the auditors and the audit committee.
4. The CEO/CFO certification will also state the steps they have taken or proposed to take to rectify these deficiencies
in the design or operation of such internal control pertaining to financial reporting.



S.No.  Maturity Level of Current ERM Infrastructure Element / Observations on Current Status / Recommendations to achieve
Targeted Status – Very Capable

1. Business Policies and Procedures – Limited Capability
   Observations on current status:
   - Incomplete documented procedures
   - Process gaps are being identified and corrected
   Recommendations to achieve targeted status (Very Capable):
   - Enterprise-wide policy guidelines documented
   - Risk limits allocated to every operating unit

2. Business and Risk Management Processes – Low Capability
   Observations on current status:
   - No formal processes
   - Reactionary and ad hoc response
   Recommendations to achieve targeted status (Very Capable):
   - Business and risk strategies aligned with focus on continued improvement
   - Organized efforts made to remove inefficiencies
   - Formal cost/ benefit analysis effectively applied
   - Best practices identified and shared across organization

3. People and organisation structure – Low Capability
   Observations on current status:
   - Risk owners are not clearly defined
   - Roles/ commitments are overlapping and vague
   - Training is sporadic and unplanned
   Recommendations to achieve targeted status (Very Capable):
   - Organization, process and individual performance measures fully aligned
   - Knowledge and skills upgraded continuously
   - Process and individual performance incentives linked to enterprise-wide risk strategies

4. Management Reports – Limited Capability
   Observations on current status:
   - Key metrics for Management reports have been identified
   - But reports are irregular with inconsistent format and content
   Recommendations to achieve targeted status (Very Capable):
   - Integrated risk reporting
   - Risk-adjusted profitability measures
   - Risk measures linked to KPIs
   - Risks quantified versus tolerances
   - Limits violations reported

5. Methodologies – Low Capability
   Observations on current status:
   - Inconsistent measures of performance variability
   - Ad hoc approach to assessing loss exposures
   - Limited risk review and coverage
   - No analysis of alternatives
   Recommendations to achieve targeted status (Very Capable):
   - Integrated physical and financial models
   - Application of risk measures to performance goals
   - Early warning systems
   - Exposures anticipated through time-tested models and analytics
   - Capital allocation techniques applied

6. Systems and data – Limited Capability
   Observations on current status:
   - Systematic and reliable data collection, but data security and confidentiality questionable
   - Stable client server application
   - Scalable component architecture
   - Unsystematic training schedules
   Recommendations to achieve targeted status (Very Capable):
   - Reliable, web-enabled processes for data organization, extraction, analysis and reporting
   - Enhanced functionality
   - Expanded risk coverage within decision support system
   - Database systems support collection, analysis and management of risk and risk portfolios as normal business routine



The Management is in the process of formulating its Financial and Risk Management Policies and has set very ambitious
targets on having an ERM in place. However, the process being followed is ad hoc and vague, resulting in incomplete and
ineffective policies. Our observations on the maturity levels of the key elements of the Enterprise Risk Management
Infrastructure are given above.

Although the “tone at the top” is positive, the management is not very systematic in its approach to Financial and Risk
Management Policies.

Corporates across the world have used COSO (www.coso.org) and COBIT (www.isaca.org/cobit) as the primary framework
and best practices for implementing governance, risk management and internal controls. The objective of COSO is to
improve the quality of financial reporting through business ethics, effective internal control and corporate governance. The
COSO 2013 framework outlines 17 principles of internal controls and highlights the need for management to implement a
system of risk management at the enterprise level. COBIT is a comprehensive framework for the governance and
management of enterprise IT, comprising five domains, 37 IT processes and over 200 management practices and activities
divided into governance and management processes. COBIT has been used as the business framework for implementing
Governance of enterprise IT. Together COSO and COBIT can be used for implementing a system of enterprise risk
management integrated with technology ensuring both conformance and performance.

COSO 2013 framework describes the role of controls to effect principles. We have attached a COSO based risk assessment
questionnaire (Annexure “B”) to help the organisation assess their internal control deficiencies.

It is recommended to adopt COBIT 5 for Risk for formulating and implementing the Risk Management strategy, in a structured
manner, for the following reasons:

- COBIT 5 for Risk, much like COBIT 5 itself, is an umbrella approach for the provisioning of risk management
  activities and is positioned in context with the following risk-related standards:
  - ISO 31000:2009 – Risk Management: COBIT 5 for Risk covers all the principles of ISO 31000.
  - ISO 27005:2011 – Information security risk management: COBIT 5 for Risk addresses all of the components described
    within ISO 27005, though some of the elements are structured or named differently. COBIT 5 for Risk takes a broader
    view on IT risk management compared with ISO 27005, which is focused on the management of security related risk.
    Further, there is a stronger emphasis in COBIT 5 for Risk on processes and practices to ensure the alignment with
    business objectives, the acceptance throughout the organisation and the completeness of the scope, amongst other
    factors.
  - COSO Enterprise Risk Management: COBIT 5 for Risk addresses all of the components defined in COSO Enterprise
    Risk Management (ERM). Although COBIT 5 for Risk focuses less on controls, it provides linkages to enablers, i.e. the
    management practices in the COBIT 5 framework. The essentials with regard to both control and general risk
    management as defined in COSO ERM are present in COBIT 5 for Risk, either through the:
    - Principles themselves and the framework’s conceptual design
    - Process model and additional guidance provided in the framework
    In addition, there is a stronger emphasis in COBIT 5 for Risk on processes and practices to ensure the alignment with
    business objectives, the acceptance throughout the organisation and the completeness of the scope, amongst other
    factors.

COBIT 5 for Risk provides specific guidance related to all enablers for the effective management of risk:

a. the core Risk Management process(es) used to implement effective and efficient risk management for the enterprise
to support stakeholder value;
b. risk scenarios, i.e., the key information item needed to identify, analyse and respond to risk; risk scenarios are the
concrete, tangible and assessable representation of risk;
c. how COBIT 5 enablers can be used to respond to unacceptable risk scenarios.



The detailed Governance and management areas for the implementation of the Risk Management Strategy are articulated
through EDM03 – Ensure Risk Optimisation and APO12 – Manage Risk. The detailed steps towards formulating the risk
management strategy are given in “Annexure C”.

7.5. Specific compliance requirements as per the Information Technology Act as amended in 2008

An organization must evaluate its IT processes and IT-supported business processes to ensure that they are compliant
with laws, regulations and contractual requirements, and obtain assurance that the requirements have been identified,
complied with and integrated with IT Governance. The Information Technology Act, 2000 lays down the law with
respect to the use of information technology for e-business, digital signatures, information security and confidentiality. The
same was amended in 2008 to provide for further security and confidentiality of sensitive personal information collected
by an organisation for any purpose. The detailed compliance checklist (as compiled by the Data Security Council (DSC)) is
attached herewith under “Annexure D”.

Non-compliance of IT Act, 2000 can bring in financial liabilities to the company and may even land the CEO or a Director
in jail [refer S(85) of IT Act,2000].

It is also necessary for the organization to understand that if any of its employees contravene the provisions of the Act,
including by committing personal offences such as searching for child pornography using the corporate network,
then there could be vicarious liabilities on the organization and its Directors and Executives.

7.6. Advisory on Risk management strategy


There is an element of risk in any decision or activity, and intelligent risk taking is encouraged when the risk is appropriately
managed. Once identified, a risk must be analyzed to determine its potential effects. A risk score is developed by
assessing two variables:

1. The likelihood of a risk event or condition occurring, and
2. Severity/ Impact of the consequences of that event or condition.

Likelihood descriptors were discussed with the management and the following conclusions were drawn.

Score               Likelihood Descriptors (as discussed with the AIT Management)
1 – Rare            Has not occurred in the last 10 years at any organisation in the industry
2 – Unlikely        Has not occurred in the last 10 years at AIT Ltd
3 – Moderate        Similar events have occurred in the last 10 years at any organisation in this country
4 – Likely          Similar events have occurred at AIT Ltd at least once in the last 10 years or in the industry in the last 5 years
5 – Almost Certain  Similar events have occurred at least once every 5 years or in the industry in the last 2 years

Severity/ Impact descriptors were discussed with the Management and the following conclusions were drawn.



Score               Severity/ Impact Descriptors (as discussed with the Management)
1 – Insignificant   - No legal consequence
                    - Costs less than Rs. 5 lacs (absorbed by current budget)
                    - Achievement of strategic goal delayed within FY
2 – Minor           - Warning or order to comply from regulatory authorities
                    - Loss of over Rs. 5 lacs but less than Rs. 25 lacs
                    - One or more strategic goals not attainable or must be revised
3 – Moderate        - Statutory charges against one or two employees
                    - Financial losses up to 5% of total annual operating budget
                    - A key strategic goal underlying corporate commitment unattainable without significant revision and
                      delay over a year
4 – Major           - Statutory charges or civil suits against the company or one or more senior management
                    - Financial losses up to 10% of total annual operating budget
                    - One or more corporate commitments unattainable in the planned time frame
5 – Extreme         - Criminal charges or other legal actions against the company or one or more senior management
                    - Financial losses up to 25% of total annual operating budget
                    - One or more corporate commitments unachievable

The above numerical scores for likelihood and severity/ impact descriptors must be multiplied to arrive at a risk
score. As per the risk score, the risk treatments must be identified and implemented. The risk mitigation strategy is
explained for each of the options.

1. Tolerate/Accept the risk. Some risks may be considered minor because their impact and probability of
occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as
periodically reviewing the risk to ensure its impact remains low.
2. Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology,
supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by
seeking more capable suppliers and vendors.
3. Transfer/Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good
example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated
with managing the IT infrastructure by being more capable and having access to more highly skilled staff than
the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance
provider.
4. Treat/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and
implemented to prevent the risk from manifesting itself or to minimize its effects.
5. Turn back. Where the probability or impact of the risk is very low, then management may decide to ignore the
risk.
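The scoring scheme above as an added worked example (not part of the original report): the descriptor scores are those of the two tables, risk_score multiplies them, check_register flags register rows whose recorded score is not the product of their descriptors or whose probability is blank, and heat_map groups rows into the likelihood x impact grid that underlies a prioritisation matrix. REGISTER is a constructed copy of the risk register that follows, with shortened event names.

```python
"""Likelihood x impact risk scoring, as prescribed in the report.

Added example, not part of the original report. Descriptor scores are those in the
report's two tables; REGISTER is a constructed, abbreviated copy of the report's
risk register used as sample input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Score 1-5 per likelihood descriptor, from the likelihood table.
LIKELIHOOD: Dict[str, int] = {
    "Rare": 1, "Unlikely": 2, "Moderate": 3, "Likely": 4, "Almost Certain": 5,
}
# Score 1-5 per severity/impact descriptor, from the impact table.
IMPACT: Dict[str, int] = {
    "Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Extreme": 5,
}


@dataclass(frozen=True)
class RiskEntry:
    event: str
    impact: str
    likelihood: Optional[str]  # None where the register leaves probability blank
    recorded_score: int        # score as written in the register
    treatment: str


def risk_score(likelihood: str, impact: str) -> int:
    """Risk score = likelihood score x impact score (range 1..25)."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def check_register(entries: List[RiskEntry]) -> List[Tuple[str, str, int, Optional[int]]]:
    """Consistency check to run before acting on a register.

    Returns (event, reason, recorded, expected) for every row whose recorded
    score is not likelihood x impact, or whose probability descriptor is missing.
    """
    findings = []
    for e in entries:
        if e.likelihood is None:
            findings.append((e.event, "probability descriptor missing", e.recorded_score, None))
            continue
        expected = risk_score(e.likelihood, e.impact)
        if expected != e.recorded_score:
            findings.append((e.event, "score is not likelihood x impact", e.recorded_score, expected))
    return findings


def heat_map(entries: List[RiskEntry]) -> Dict[Tuple[int, int], List[str]]:
    """Place each scorable entry in a 5x5 grid keyed by (likelihood, impact) score,
    the basis of a prioritisation matrix; rows lacking a descriptor are skipped."""
    grid: Dict[Tuple[int, int], List[str]] = {}
    for e in entries:
        if e.likelihood is not None:
            grid.setdefault((LIKELIHOOD[e.likelihood], IMPACT[e.impact]), []).append(e.event)
    return grid


# Constructed sample input: the report's register rows with shortened event names.
REGISTER: List[RiskEntry] = [
    RiskEntry("Labour unrest at main RM vendor", "Major", "Moderate", 12, "Eliminate"),
    RiskEntry("Contractual liability in danger clauses", "Moderate", "Likely", 12, "Treat"),
    RiskEntry("Inadequate control on business documents", "Major", "Likely", 16, "Treat"),
    RiskEntry("Lack of staff/professional development", "Major", "Moderate", 12, "Treat"),
    RiskEntry("Competition increases in domestic markets", "Major", "Moderate", 12, "Treat"),
    RiskEntry("CDP actions inconsistent with strategy", "Major", "Likely", 16, "Treat"),
    RiskEntry("Non-compliance of applicable laws", "Extreme", "Likely", 15, "Treat"),
    RiskEntry("Reduced growth due to economic downturn", "Major", "Moderate", 12, "Treat"),
    RiskEntry("Insolvency of high value clients", "Moderate", "Likely", 9, "Treat"),
    RiskEntry("Inadequate collection management", "Moderate", "Almost Certain", 12, "Treat"),
    RiskEntry("Working capital and cash flow deficits", "Major", "Likely", 16, "Treat"),
    RiskEntry("Interest rate volatility", "Moderate", None, 9, "Treat"),
]

if __name__ == "__main__":
    for event, reason, recorded, expected in check_register(REGISTER):
        print(f"{event}: {reason} (recorded {recorded}, expected {expected})")
    for (lik, imp), events in sorted(heat_map(REGISTER).items(), reverse=True):
        print(f"L{lik} x I{imp} = {lik * imp}: {', '.join(events)}")
```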

Based on the above policies, the following risk management strategy is advised for risks with high risk scores as
observed during the audit.



Risk Event / Impact and Probability / Risk score and Risk Treatment / Risk Management Strategy

Operational

Labour unrest at main RM Vendor’s manufacturing concern
   Impact: Major; Probability: Moderate
   Risk score / Treatment: 12, Eliminate
   - New Vendor identification and development to develop alternate sources of RM

Contractual liability in case of “danger clauses” with vendors/ ISP/ CDPs etc.
   Impact: Moderate; Probability: Likely
   Risk score / Treatment: 12, Treat
   - Work with the legal department to prepare fully understood and accepted documents

Inadequate control on business management documents and communication channels
   Impact: Major; Probability: Likely
   Risk score / Treatment: 16, Treat
   - Implement document generation and distribution mechanisms
   - Track issue of documents
   - Take minutes and distribute copies to relevant attendees
   - Avoid verbal advice without written confirmation

Lack of Staff/ Professional Development
   Impact: Major; Probability: Moderate
   Risk score / Treatment: 12, Treat
   - Develop skill capability matrix
   - Identify additional training requirements and develop training plans
   - Monitor performance and catalogue achievements

Market

Competition Increases in Domestic Markets
   Impact: Major; Probability: Moderate
   Risk score / Treatment: 12, Treat
   - Market awareness and strategy planning
   - Local and National Marketing Campaigns

Actions of channel distribution partners (CDPs) inconsistent with business strategy
   Impact: Major; Probability: Likely
   Risk score / Treatment: 16, Treat
   - Communication of objectives
   - Brand value creation
   - Brand equity review

External and Regulatory

Ignorance and Non compliance of applicable laws and regulations
   Impact: Extreme; Probability: Likely
   Risk score / Treatment: 15, Treat
   - Develop a checklist of relevant codes and compliances
   - Seek Professional help

Reduced growth opportunities due to economic downturn
   Impact: Major; Probability: Moderate
   Risk score / Treatment: 12, Treat
   - Strategic Planning and Scheduling (Pipeline)
   - New Market Due Diligence
   - CDP Development

Financial

Insolvency of high value clients
   Impact: Moderate; Probability: Likely
   Risk score / Treatment: 9, Treat
   - Research Customer’s credit history and background and accordingly extend credit sales

Inadequate collection management and follow-up on payments
   Impact: Moderate; Probability: Almost Certain
   Risk score / Treatment: 12, Treat
   - Maintain tight credit collection and manage credit control (ensuring PDCs)
   - Escalation of report on debts greater than 3 months

Working capital and cash flow deficits on account of:
   - Unplanned reduction in revenue
   - Business disruption
   - Unplanned Capex
   Impact: Major; Probability: Likely
   Risk score / Treatment: 16, Treat
   - Prepare financial budget and monitor collection and expenses
   - Ensure long term projects are not funded by short term funds
   - Identify essential and non-essential expenses

Interest rate volatility
   Impact: Moderate
   Risk score / Treatment: 9, Treat
   - Diversified borrowing sources and investment avenues

8. Conclusion
The internal control and risk process in the company leaves a lot of room for inefficiencies to arise, as well as the
potential for missed savings and cash leakage. The management needs to work in close co-ordination with the internal
audit and IT Team to implement a fully integrated risk management framework at both the enterprise level and the IT
level. This would help enhance stakeholder value by speeding up communication, reducing time for approvals,
eliminating unnecessary paperwork, reducing surprises and optimising conformance and performance.

9. Enclosures

- Annexure “A” – Organisation Structure
- Annexure “B” – Internal Audit questionnaire based on the COSO 2013 framework
- Annexure “C” – Standard Risk Management approach based on the COBIT 5 framework for risks
- Annexure “D” – Compliance checklist as per the ITAA 2008 as developed by the Data Security Council of India
