
Information Systems Audit Report

Presented by – Sanjiv Arora, CISA, CISM, CGEIT
Email – sa@tech-controls.com
IS AUDIT REPORT
- Executive Summary
- Visual presentation
- Scope and charter
- Positive and negative observations
- Assumptions and limitations
- Findings, impact rating, recommendations
- Evidence(s)

Information Systems Audit


2
INDEX
Contents
- Background ... 3
- Scope ... 3
- Executive Summary ... 6
- Observations Summary ... 7
- Risk Rating Legend ... 8
- Observations ... 9
- End of Report ... 18

BACKGROUND
- Version of ERP / RDBMS installed - 11.5.10.2
- Modules implemented:
  - Accounts Payable
  - Accounts Receivable
  - General Ledger
  - Inventory module
  - Oracle Purchase
  - OPM (Oracle Production Management)
  - Order Management
  - Project Management
  - HR / Payroll
  - EAM (Enterprise Assets Management)
  - Fixed Assets
  - Cash Management
- Duration since implemented - more than 3 years
- Number of users - about 300-400 users
- Locations of users - multiple locations

SCOPE OF REVIEW
- Current implementation status
  - Customization
  - Functions implemented and in operation
- IT infrastructure and configuration
  - Review of SW installation configuration
  - HW adequacy review
  - DR review (backups / infra)
  - Capacity and performance
  - Resource adequacy
- End user review
  - Sr. management objectives
  - Manager / HOD level
  - User level
  - Reporting adequacy
  - Application utilization
- Third party support
  - Pending issues
  - Support contracts and SLA
  - Response and performance review
AUDIT SUMMARY
Oracle ERP Audit
[Bar chart: each observation below plotted against its risk rating on a 0-6 axis. Legend: Risk - High (5), Medium (3), Low (1).]
Observations:
- ERP menu less user friendly
- Primary ERP use - as data management tool
- User access to ERP in excess of role(s)
- Development of isolated software solutions
- Multiple software platforms and databases exist
- Enterprise-wide dashboard needs improvement
- Central repository of changes is not maintained
- Sharing of passwords
- Network is accessible to transport vendors
- Inadequacy of database backup
- Incomplete backup
- Weak monitoring using tools
- Free use of internet is allowed
- Manual IP address allocation implemented
- Weak password management
- Printers in excess
- Network vulnerability assessment
- Information security policy and guidelines
- Disaster recovery drills
- Weak end user controls

EXECUTIVE SUMMARY
Key Strengths

- The Data Centre team has at its disposal the software tools, policies and procedures needed to perform DC management effectively
- The DC team acts on CMRs, alerts, emails and client requests in a timely manner
- The DC team works in tandem with technical groups and vendors across IT operations
- A monthly VA is carried out using QualysGuard to identify and act upon vulnerabilities in servers and network devices

Key Weaknesses

- Key administrative IDs are used by multiple administrators, which may reduce the accountability of individuals
- Backup storage procedures are somewhat weak and require a review to enhance controls
- Proactive management and exception reporting need improvement through the setting up of KPIs
- Access controls granted to admin users over confidential folders / information across the network should be reviewed
- The multi-vendor arrangement for IT operations at the client location dilutes accountability to some extent and may result in (currently unmonitored) delays in resolving problems and issues
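The shared administrative ID weakness above can be evidenced from authentication logs rather than interviews alone. The following is an added example, not code from the audit report or the audited site; it assumes a simple constructed LOGIN/LOGOUT log format and applies the report's High (5) / Medium (3) / Low (1) scale to each ID.

```python
"""Added example (not part of the audit report): flag administrative IDs that
appear shared, rated on the report's scale High (5) / Medium (3) / Low (1)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log (not taken from the audited site).
SAMPLE_LOG = """\
2023-04-03 09:00:12 LOGIN user=oraadmin src=WS-101
2023-04-03 09:05:40 LOGIN user=oraadmin src=WS-237
2023-04-03 09:20:03 LOGOUT user=oraadmin src=WS-101
2023-04-03 09:45:11 LOGOUT user=oraadmin src=WS-237
2023-04-03 10:02:00 LOGIN user=dbaops src=WS-044
2023-04-03 11:10:00 LOGOUT user=dbaops src=WS-044
2023-04-03 11:15:00 LOGIN user=dbaops src=WS-302
2023-04-03 12:00:00 LOGOUT user=dbaops src=WS-302
2023-04-03 13:00:00 LOGIN user=backupop src=WS-009
2023-04-03 13:30:00 LOGOUT user=backupop src=WS-009
"""
LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN|LOGOUT) user=(\S+) src=(\S+)$")

def parse_sessions(text):
    """Pair LOGIN/LOGOUT lines per (user, host) -> {user: [(host, start, end)]}."""
    opened, sessions = {}, defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not authentication events
        ts, event, user, host = m.groups()
        ts = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event == "LOGIN":
            opened[(user, host)] = ts
        elif (user, host) in opened:
            sessions[user].append((host, opened.pop((user, host)), ts))
    return dict(sessions)

def rate_shared_ids(sessions):
    """High: concurrent sessions from different hosts (no single accountable
    person). Medium: several hosts, never overlapping. Low: one host only."""
    findings = {}
    for user, sess in sessions.items():
        overlap = any(a[0] != b[0] and a[1] < b[2] and b[1] < a[2]
                      for i, a in enumerate(sess) for b in sess[i + 1:])
        hosts = {host for host, _, _ in sess}
        findings[user] = (("High", 5) if overlap else
                          ("Medium", 3) if len(hosts) > 1 else ("Low", 1))
    return findings

def audit(text=SAMPLE_LOG):
    return rate_shared_ids(parse_sessions(text))
```

A Medium finding (same ID from several hosts at different times) still warrants follow-up, since it may be legitimate roaming or a handed-around password.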
CASE – A MANUFACTURING COMPANY IMPLEMENTED ERP 3 YEARS BACK AND WISHED TO REVIEW THE ADEQUACY AND SUCCESS OF THE IMPLEMENTATION.

CASE – REVIEW OF AN OUTSOURCED DATA CENTRE OF A COMPANY IN FINANCIAL SERVICES MANAGEMENT.

CASE – VULNERABILITY ASSESSMENT OF AN INTERNAL NETWORK TO ASSESS COMPLIANCE WITH ISO 27001

CASE – VULNERABILITY ASSESSMENT AND PENETRATION TESTING (VAPT) OF A GOVT DEPARTMENT WEBSITE AS PER OWASP

EVIDENCE

IMPLEMENTATION OF RECOMMENDATIONS
- Auditing is an ongoing process
- Audit reporting, implementation and corrective processes
- Follow up on the issues agreed for implementation and their timelines
- External or internal auditors' function

THANK YOU.
