DISA Project Report
Of
DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted at: Raipur (C.G.) from 12.02.2015
to 01.03.2015 and we have the required attendance. We are submitting the Project titled: Implementing GRC as per Clause
49 listing requirements. We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We
also certify that this project report is the original work of our group and each one of us has actively participated and
contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from
anyone except members of our group.
Group No: N
Place: Raipur
Date: 06/04/2015
1. Introduction
2. Auditee Environment
2.1 Organisation Structure
2.2 Technology Deployed
2.3 Policies and Procedures
3. Background/ Business Case for the Assignment
4. Terms and Scope of Assignment
5. Logistic Arrangements Required
6. Methodology and Strategy Adopted for Execution of Assignment and Documents Reviewed
7. Deliverable
7.1. Review of Internal Control Weakness
7.1.1. Procurement Process Internal Control Problems and Weakness
7.1.2. Inventory Control and Management
7.1.3. Logistics, Warehousing, Sales and Distribution
7.1.4. Information Technology Department Problems and Weaknesses
7.3. Review of the Internal Audit Function within the Organisation
7.4. Review of Financial and Risk Management Policies
7.5. Specific Compliance Requirements as per Information Technology Act as amended in 2008
8. Conclusion
9. Enclosures
Agile IT Solutions (AIT) Ltd has recently gone public and is listed on the National Stock Exchange of India. AIT has
traditionally been a family-owned business, with the major shareholders and the senior management of the company belonging to
a well-renowned business family. The management has decided to professionalise the company by appointing professionals
to all key posts and implementing documented procedures and policies to meet the regulatory and compliance requirements
applicable to the company. AIT manufactures a well-known brand of UPS which enjoys a good reputation in the
market and has customers across all industry verticals. It has its head office at Chennai and factory at Pondicherry. It has
regional offices in all metro cities and branch offices in 10 cities across India. It is using an integrated software solution with
all offices and the factory networked together. It has more than 500 employees across its offices in India. It has a combination of
an in-house IT department and outsourced vendors. It is critically dependent on IT for all key operations. The company is
enjoying increasing growth in terms of turnover and market share.
There have been recent failures of IT for long periods of time which have impacted production and delivery of products and
services to customers. The management is concerned with the risk management strategy adopted and its impact on
compliance. It would like to make the transition from a family-managed company to a professionally run company with
documented policies and procedures.
We have been approached by the newly appointed CIO and head of IT of AIT Ltd to provide a comprehensive list of
regulatory and compliance requirements which are to be met by the company as per various IT and regulatory requirements
and specifically for implementing GRC as part of the corporate governance requirements.
B. Project Report
1. Introduction
About us
We, at RDPS LLP, are a Limited Liability Partnership established in the year 1988 under our founder partner Mr. ABC.
Presently we have 20 partners with expertise in various fields of direct and indirect taxes, management services,
assurance services and information systems audit. Our experience in the area of management consultancy services and
information systems audit extends to more than 10 years.
We have deployed a team of 2 Chartered Accountants (of whom 1 is DISA qualified) and 5 assistants on our current
assignment. The composition of the team is as follows:
Agile IT Solutions (AIT) Ltd, founded by Shri XYZ in 1978, is a public company listed on the National Stock Exchange of India.
At present, AIT Ltd. is one of the leading manufacturers in the country of power backup solutions in the form of high-capacity
inverters and interactive UPS.
AIT Ltd. delivers products, services and innovative solutions for all power backup needs of top national and multinational
companies, service providers, enterprises, governments, and research and educational institutions in India.
With an annual turnover of more than Rs. 1000 crores and an employee base of more than 500, AIT is set to be the market
leader in power backup solutions in the country in the times to come.
2. Auditee Environment
2.1 Organisation Structure
Refer Annexure “A”
2.2 Technology Deployed
I. Network Architecture
i. Between Head Office and Regional offices – Star topology using leased lines
ii. Between Head Office and Factory – Leased line
iii. Between Branches and Regional Offices – Star topology using secure VPN connection
II. Hardware
A. Servers at HO
i. MS SQL server
ii. Email Server
iii. Application Server
iv. Web Server
v. File Server
B. Servers at Regional Office and Factory
i. One Virtual Server (with distribution for database, email, application, web and file server functions)
C. Following Hardware as per requirement at each working location of the company
i. Client/ Nodal Computers
ii. Printers, Scanners and Faxes
iii. Routers and Modems
iv. UPS
v. Hubs and Switches
vi. Wireless Cards
vii. Storage devices like Hard drives, Pen Drives, CD ROMs
viii. LCD Projection Devices
ix. Security Hardware
III. Software
A. System Software
i. Windows Server based Operating System
B. Application Software
i. In-House developed ERP integrating following functions
-Production and inventory
-Material Management
-Sales and Distribution
- Accounts and Financial
ii. Outsourced
-Payroll
-Customer Relation Management
C. Database
- MS SQL (database for the in-house developed ERP)
D. Security Software
i. Firewalls
ii. Anti-Virus
3. Background/ Business Case for the Assignment
Internal control systems and IT implementation could not keep pace with the high-growth phase of the company.
Although the company has taken major steps towards professionalising and systematising its internal environment,
recent system failures have led to financial and reputational losses, especially in the production and delivery segments of
the company.
4. Terms and Scope of Assignment
- Review the adequacy of internal control systems and confirm their appropriateness. In case of control weaknesses, provide
appropriate recommendations for remediation.
- Review the functioning of the internal audit function, its reporting structure, and the coverage and frequency of internal audit, and
identify areas requiring improvement.
- Review financial and risk management policies as per corporate governance requirements and provide
recommendations for improvement.
- Review compliance requirements as per the Information Technology Act as amended in 2008.
- Review whether the current risk management strategy is adequate considering the enterprise's current and future
business plans, business processes, technology deployed, organisation structure and regulatory requirements.
6. Methodology and Strategy Adopted for Execution of Assignment and Documents Reviewed
- Internal Control Questionnaires (ICQs) developed by leveraging the COSO and COBIT frameworks were used.
- Business process owners completed the ICQs.
- The team conducted process walkthrough exercises with each business process owner vis-à-vis policies and SOPs.
- Risk assessment was completed through a combination of the following:
  - Brainstorming with senior management for review of organisation risks
  - Interviews with business leaders to understand key strategic business objectives
  - Review of key business objectives
  - Key points and risk considerations from the minutes of Board meetings
  - Review of vendor contracts and SLAs with service providers
- The team evaluated the overall results:
  - Identified areas for improvement
  - Identified compensating controls
  - Assessed overall risks
7. Deliverable
7.1.2. Inventory Control and Management
Efficient inventory management is achieved through inventory control and inventory management. Inventory control
involves managing the inventory that is already in the warehouse, stockroom or store: the information about where it
is, how much of it there is and what each unit costs. Inventory management involves determining what, when, from whom
and how much to order. It is the forecasting of future requirements based on current and past trends.
Where the company has branches, it supplies customers directly from its regional warehouse against down payment by cash or
post-dated cheque.
In the states where there are no branches, the company does not supply directly to customers but operates through its
network of dealers and distributors. The company is fast expanding its distributor network and aims to build an efficient
and motivated distribution channel to widen its market coverage across the country.
During the course of the audit, the following weaknesses were observed in the Logistics and Warehousing process of the
company:
4. Weakness: The company's communication with the CDPs is limited at present to only stock requirements, sales, collections
and incentives. No concerted effort is being made to train, motivate and communicate customer service methods to the CDP.
   Consequence: Channel partners are responsible for relationships with the customers that the company does not serve
directly. If channel partners offer poor standards of service, such as late deliveries, inaccurate invoicing or delays in dealing
with customer enquiries, customer satisfaction will drop with an impact on the company's reputation.
   Recommendation: A specialised marketing team can overcome this problem by providing training programs and guides that
improve product knowledge. Also, the company must create a set of customer service standards and communicate them to
distributor teams.
7.1.4. Information Technology Department Problems and Weaknesses
The company has a combination of an in-house IT department and outsourced vendors. It is critically dependent on IT for all
key operations. The company's in-house IT department has developed an ERP application which covers Material
Management, Logistics, Inventory Management, Sales and Distribution, and Accounts and Finance. The company uses
outsourced software for its customer relationship management and payroll applications.
1. VPN Service Level Agreement (SLA) with service providers for internet connectivity between each Regional Office and its
respective branches.
The company has one Head Office and four Regional Offices cum Distribution Centres, each in turn having 2 branches under
it. The branches are connected to the RO server through VPN connections taken from different service providers at each location.
The VPN connectivity has its own problems, and every SLA signed with a service provider must cover certain basic clauses
which are missing at present. Following is the list of weaknesses and consequences in the VPN scenario.
The company was listed on the NSE about 3 months ago. Prior to listing, the management had already taken steps to
implement an ERP system within the organisation integrating the information and reporting requirements of the entire supply
chain operations and of accounting and financial reporting within the company. However, the company is using outsourced
software for its CRM and payroll applications.
1. Policy and Procedures – Formal policies and procedures addressing areas such as process controls, user access,
password administration, policy enforcement and monitoring practices have not been developed, documented or
formally communicated to system users. Standard operating manuals are yet to be updated in line with the business
process re-engineering carried out during ERP implementation. Accordingly, the company is exposed to errors
from both internal and external sources. We recommend that the CIO establish and maintain formal user policies and
procedures.
2. System Access Controls and Segregation of Duties – Access to the financial systems (including general ledger,
accounts payable, accounts receivable and fixed assets) and financial reporting systems has been restricted to
appropriate users (e.g., the finance division); however, access to individual functions within these systems has not
been restricted based upon the specific business needs of individual users. Even though management has
appropriately established who should perform which functions, preventive access controls in the systems do not
restrict who can perform them. As a result, system users may be able to perform inappropriate or
incompatible functions. Management must define user access roles in the systems and restrict access
based upon defined business needs.
3. Spreadsheets – End-user computing technologies (e.g., Microsoft Excel, Access, Word) that are used to generate
financial data or disclosures in the financial reports are not subject to a level of control commensurate with other
key financial application systems. Though access to the spreadsheets is restricted to the finance division, the
spreadsheets themselves are not subject to an appropriate level of security or change management control: the files
are not password protected, changes are not logged, and file versions are not managed. The company must deploy a
document management system across the enterprise with the ability to restrict access to
specific files and to manage versions.
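The function-level restriction and segregation-of-duties check recommended under item 2, shown in Python as an added illustration that is not part of this report and is not AIT's ERP code. The role design, function names, conflict pairs and the sample users and activity log are assumptions constructed for the example; the "finance_all" role models the current state, in which access is restricted to the finance division but not to individual functions.

```python
"""
Function-level access control with a segregation-of-duties (SoD) check.

Added illustration for the access-control finding above; not AIT's ERP code.
The role design, function names, conflict pairs and sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# Pairs of functions one person must not hold together (assumed for the example):
# holding both lets a user both initiate and approve, or post and reconcile.
SOD_CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"vendor.create", "payment.approve"}),
    frozenset({"po.create", "po.approve"}),
    frozenset({"gl.post", "gl.reconcile"}),
}

# Role -> functions the role may perform (assumed role design). "finance_all"
# models the current state: division-level access with no function-level limit.
ROLE_FUNCTIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"vendor.create", "invoice.enter"},
    "ap_manager": {"invoice.enter", "payment.approve"},
    "purchaser": {"po.create"},
    "purchase_head": {"po.approve"},
    "gl_accountant": {"gl.post"},
    "gl_reviewer": {"gl.reconcile"},
    "finance_all": {"vendor.create", "invoice.enter", "payment.approve",
                    "gl.post", "gl.reconcile"},
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)

    def functions(self) -> Set[str]:
        """Effective functions: union of everything the user's roles grant."""
        granted: Set[str] = set()
        for role in self.roles:
            granted |= ROLE_FUNCTIONS.get(role, set())
        return granted


def is_permitted(user: User, function: str) -> bool:
    """Preventive control: the ERP should call this before executing a function."""
    return function in user.functions()


def sod_violations(user: User) -> List[Tuple[str, str]]:
    """Conflict pairs fully contained in the user's effective functions."""
    funcs = user.functions()
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= funcs)


def review_access(users: List[User]) -> Dict[str, List[Tuple[str, str]]]:
    """Detective control for the periodic access review: users breaking SoD."""
    return {u.name: v for u in users if (v := sod_violations(u))}


def unauthorised_actions(users: List[User],
                         activity: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Replay an activity log and flag actions that no role of the actor permits."""
    by_name = {u.name: u for u in users}
    flagged = []
    for actor, function in activity:
        user = by_name.get(actor)
        if user is None or not is_permitted(user, function):
            flagged.append((actor, function))
    return flagged


# Constructed sample data (not real users or logs).
SAMPLE_USERS = [
    User("alice", {"ap_clerk"}),
    User("bob", {"finance_all"}),                    # current state: everything
    User("carol", {"purchaser", "purchase_head"}),   # two roles that conflict
    User("dave", {"gl_accountant"}),
]
SAMPLE_ACTIVITY = [
    ("alice", "invoice.enter"),
    ("alice", "payment.approve"),   # outside alice's roles
    ("dave", "gl.post"),
    ("erin", "gl.reconcile"),       # no account at all
]

if __name__ == "__main__":
    for name, pairs in review_access(SAMPLE_USERS).items():
        print(f"SoD violation: {name} holds {pairs}")
    for actor, fn in unauthorised_actions(SAMPLE_USERS, SAMPLE_ACTIVITY):
        print(f"Unauthorised: {actor} executed {fn}")
```

The preventive check (is_permitted) is what the ERP lacks today; the two detective functions give the internal audit team a repeatable test for the periodic access review, flagging both users whose role combination breaks segregation of duties and log entries that no assigned role would have allowed.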
7.3. Review of the Internal Audit Function within the Organisation
As the company is graduating from a family-owned company to a professionally managed one, it realises the importance of
having an effective and efficient internal audit function. The internal audit function was previously headed directly by the CFO of the
company and no specialised team was available for the purpose. The internal audit function was mainly covering
The company has recently appointed an internal audit head with a dedicated internal audit team to carry out its internal
audit function. We have done a limited review of the major problems being faced in supply chain management, but a
detailed and systematic risk-based internal audit must be carried out to continuously upgrade and update the internal
control mechanisms in a dynamic business scenario.
Recommendations
1. Clause 49 of the Listing Agreement of SEBI has made the top management accountable for weaknesses in the
internal control systems. It requires the CEO/ CFO to certify the effectiveness of the Internal Controls as well as
mandates formation of an audit committee that shall review all internal audit reports relating to internal control
weaknesses.
The internal audit function is responsible for ensuring that internal controls are in place to help the company navigate
towards its financial goals, to help it achieve its mission, to minimise surprises and risks, and to allow the
organisation to successfully deal with change. Internal controls are defined as activities undertaken to increase the
likelihood of achieving management objectives in three areas:
We recommend that the new internal audit team move towards a risk-based internal audit programme while
continuing with financial as well as compliance audits. We are attaching herewith a checklist (Annexure "B") to
facilitate an assessment of the internal controls of individual departments as well as of the organisation as a whole. It is
intended to address general aspects of internal controls, and does not include specific controls applicable to
individual departments. Specific controls must be added to the checklist as per each department's
requirements.
The organisation of the checklist is consistent with the five interrelated components of internal control defined by the
Committee of Sponsoring Organizations of the Treadway Commission (COSO).
2. Based on the control and risk assessment done by our team as per the COSO and COBIT control framework, we have
identified the following critical processes that must be subjected to a risk based internal audit:
[Risk matrix (figure not reproduced): processes numbered 1 to 15 plotted by Likelihood of Process/Control Weakness (Medium/High) on one axis against Medium/High on the other.]
The internal audit team in consultation with the management may work out the priorities for conducting its audit based on
the above matrix.
1. The responsibility entrusted to the CEO/CFO is in relation to establishing and maintaining internal controls for
financial reporting.
2. The CEO/CFO has to assert that he/she has evaluated the effectiveness of internal control systems of the company
pertaining to financial reporting.
3. The CEO/CFO certificate will further state the manner in which deficiencies (if any) in the design or operations of
such internal controls have been disclosed to the auditors and the audit committee.
4. The CEO/CFO certification will also state the steps they have taken or proposed to take to rectify these deficiencies
in the design or operation of such internal control pertaining to financial reporting.
7.4. Review of Financial and Risk Management Policies
Although the "tone at the top" is positive, the management is not very systematic in its approach to financial and risk
management policies.
Corporates across the world have used COSO (www.coso.org) and COBIT (www.isaca.org/cobit) as the primary frameworks
and best practices for implementing governance, risk management and internal controls. The objective of COSO is to
improve the quality of financial reporting through business ethics, effective internal control and corporate governance. The
COSO 2013 framework outlines 17 principles of internal control and highlights the need for management to implement a
system of risk management at the enterprise level. COBIT 5 is a comprehensive framework for the governance and
management of enterprise IT, comprising five domains, 37 IT processes and over 200 management practices and activities,
divided into governance and management processes. COBIT has been used as the business framework for implementing
governance of enterprise IT. Together, COSO and COBIT can be used for implementing a system of enterprise risk
management integrated with technology, ensuring both conformance and performance.
COSO 2013 framework describes the role of controls to effect principles. We have attached a COSO based risk assessment
questionnaire (Annexure “B”) to help the organisation assess their internal control deficiencies.
It is recommended to adopt COBIT 5 for Risk for formulating and implementing the risk management strategy in a structured
manner, for the following reasons:
COBIT 5 for Risk, much like COBIT 5 itself, is an umbrella approach for the provisioning of risk management
activities and is positioned in context with the following risk-related standards:
- ISO 31000:2009 – Risk Management: COBIT 5 for Risk covers all the principles of ISO 31000.
- ISO 27005:2011 – Information security risk management: COBIT 5 for Risk addresses all of the components described
within ISO 27005, though some of the elements are structured or named differently. COBIT 5 for Risk takes a broader
view on IT risk management compared with ISO 27005, which is focused on the management of security-related risk.
Further, there is a stronger emphasis in COBIT 5 for Risk on processes and practices to ensure alignment with
business objectives, acceptance throughout the organisation and completeness of scope, amongst other
factors.
- COSO Enterprise Risk Management: COBIT 5 for Risk addresses all of the components defined in COSO Enterprise
Risk Management (ERM). Although COBIT 5 for Risk focuses less on controls, it provides linkages to enablers
(management practices in the COBIT 5 framework). The essentials with regard to both control and general risk
management as defined in COSO ERM are present in COBIT 5 for Risk, either through the:
  - principles themselves and the framework's conceptual design, or
  - process model and additional guidance provided in the framework.
COBIT 5 for Risk provides specific guidance related to all enablers for the effective management of risk:
a. the core risk management process(es) used to implement effective and efficient risk management for the enterprise
to support stakeholder value;
b. risk scenarios, i.e., the key information item needed to identify, analyse and respond to risk; risk scenarios are the
concrete, tangible and assessable representation of risk;
c. how COBIT 5 enablers can be used to respond to unacceptable risk scenarios.
7.5. Specific Compliance Requirements as per Information Technology Act as amended in 2008
An organisation must evaluate its IT processes and IT-supported business processes to ensure that they are compliant
with laws, regulations and contractual requirements, and obtain assurance that the requirements have been identified,
complied with and integrated with IT governance. The Information Technology Act, 2000 lays down the law with
respect to the use of information technology for e-business, digital signatures, information security and confidentiality. The
Act was amended in 2008 to provide for further security and confidentiality of sensitive personal information collected
by an organisation for any purpose. The detailed compliance checklist (as compiled by the Data Security Council of India (DSCI)) is
attached herewith under Annexure "D".
Non-compliance with the IT Act, 2000 can bring financial liabilities to the company and, under Section 85 of the Act
(offences by companies), can make the persons in charge of the company, including the CEO or a Director, personally liable to prosecution.
It is also necessary for the organisation to understand that if any of its employees contravene the provisions of the Act,
including by committing personal offences such as searching for child pornography using the corporate network,
there could be vicarious liability for the organisation and its Directors and executives.
Likelihood descriptors were discussed with the management and the following conclusions were drawn.
Severity/impact descriptors were discussed with the management and the following conclusions were drawn.
The numerical scores for the likelihood and severity/impact descriptors are multiplied to arrive at a risk
score. Based on the risk score, the risk treatments are identified and implemented. The five treatment options, and the
mitigation strategy for each, are as follows:
1. Tolerate/Accept the risk. Some risks may be considered minor because their impact and probability of
occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as
periodically reviewing the risk to ensure its impact remains low.
2. Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology,
supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by
seeking more capable suppliers and vendors.
3. Transfer/Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good
example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated
with managing the IT infrastructure by being more capable and having access to more highly skilled staff than
the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance
provider.
4. Treat/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and
implemented to prevent the risk from manifesting itself or to minimize its effects.
5. Turn back. Where the probability or impact of the risk is very low, then management may decide to ignore the
risk.
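The scoring and treatment-selection procedure described above, carried through in Python as an added example that is not part of this report. The 1-5 likelihood and impact scales, the score bands, the decision rules that map a band to one of the five options, the Medium/High cut-offs used to place a risk on the matrix and the sample register entries are all assumptions, since the management's own descriptor tables are not reproduced in this section.

```python
"""
Risk scoring, treatment selection and heat-map placement for a risk register.

Added example for the procedure described above; not from the report. The
scales, bands, decision rules and register entries below are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed 1-5 descriptor scales (the report's own tables are not reproduced).
LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


@dataclass(frozen=True)
class Risk:
    ref: int          # number shown on the heat map
    process: str
    likelihood: int   # 1-5
    impact: int       # 1-5

    def __post_init__(self) -> None:
        # Reject scores outside the agreed descriptor scales before they distort ranking.
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError(f"risk {self.ref}: descriptors must be on the 1-5 scale")

    @property
    def score(self) -> int:
        """Risk score = likelihood x severity/impact, as the report prescribes."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Assumed banding of the 1-25 product scale."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def treatment(risk: Risk) -> str:
    """Assumed decision rule mapping a scored risk to one of the five options."""
    if risk.likelihood == 1 and risk.impact == 1:
        return "Turn back"                       # both very low: consciously ignored
    b = band(risk.score)
    if b == "Low":
        return "Tolerate/Accept (review periodically)"
    if b == "Medium":
        return "Treat/Mitigate"
    # High band: a control alone is not enough; remove or share the source as well.
    if risk.impact == 5:
        return "Terminate/Eliminate or Transfer/Share, plus Treat/Mitigate"
    return "Treat/Mitigate, consider Transfer/Share"


def prioritise(register: List[Risk]) -> List[Tuple[int, str, int, str, str]]:
    """Register ordered by descending score, then impact: (ref, process, score, band, treatment)."""
    ranked = sorted(register, key=lambda r: (-r.score, -r.impact, r.ref))
    return [(r.ref, r.process, r.score, band(r.score), treatment(r)) for r in ranked]


def heat_map(register: List[Risk]) -> Dict[Tuple[str, str], List[int]]:
    """Group risk refs by (likelihood level, impact level) as on the report's matrix.

    Assumed cut-offs: 4-5 = High, 3 = Medium, 1-2 = Low.
    """
    def level(v: int) -> str:
        return "High" if v >= 4 else "Medium" if v >= 3 else "Low"
    cells: Dict[Tuple[str, str], List[int]] = {}
    for r in sorted(register, key=lambda r: r.ref):
        cells.setdefault((level(r.likelihood), level(r.impact)), []).append(r.ref)
    return cells


# Constructed register (sample entries, not the report's findings).
SAMPLE_REGISTER = [
    Risk(1, "Leased line failure between HO and factory", 4, 5),
    Risk(2, "VPN outage at a branch", 4, 3),
    Risk(3, "Unrestricted ERP function access", 3, 4),
    Risk(4, "Spreadsheet change not logged", 3, 3),
    Risk(5, "Projector unavailable for review meeting", 1, 1),
    Risk(6, "Delayed dealer training", 2, 2),
]

if __name__ == "__main__":
    for ref, process, score, b, action in prioritise(SAMPLE_REGISTER):
        print(f"{ref:>2} {score:>2} {b:<6} {action:<55} {process}")
    for cell, refs in sorted(heat_map(SAMPLE_REGISTER).items()):
        print(f"likelihood={cell[0]:<6} impact={cell[1]:<6} -> {refs}")
```

Ranking by score alone leaves ties (risks 2 and 3 both score 12); the sort breaks them on impact so that the higher-consequence item is treated first, which is the ordering the internal audit team would want when it works out audit priorities from the matrix.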
Based on the above policies, the following risk management strategy is advised for risks with high risk scores as
observed during the audit.
9. Enclosures