Professional Documents
Culture Documents
of
DISA 2.0 Course
CERTIFICATE
Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted at:
and we have the required attendance. We are submitting the Project titled:
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us have
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.
Place: London
Date: 21/11/2015
Table of Contents
1. Introduction
A. The IS Audit Team audited project management controls over the implementation of the
SAP ECC 6.00 Version (ERP) Business Solution. Our purpose was to evaluate Security Controls,
User authentication and authorization, Audit Trails, Assess and Evaluate Management System relating
to change, System monitoring and business process configuration of the SAP ECC 6.00 Version (ERP)
Business Solution.
ABM Group has been using Information Technology as a key enabler for facilitating business
process Owners and enhancing services to its customers. The senior management of ABM has
been very proactive in directing the management and deployment of Information Technology.
Most of the mission critical applications in the company have been computerized and networked.
ABM selected SAP Business Suite to bring a more integrated and seamless approach to internal
processes. SAP deployment in ABM posed unique challenges arising out of the need to integrate
multiple units across different locations, involving extensive procedures and large volumes of
data. The family of business applications provides better insight into enterprise-wide analysis
based on real time data and key performance indicators, improved quality and on-time delivery,
reduction in inventory cost and enhanced customer service. This implementation has empowered
ABM to seamlessly connect all its vendors, customers and partners to achieve improved business
efficiency. SAP-R3 ECC 6.00 Version is deployed across all of ABM’s financial, payroll
and human capital functions. The Modules implemented are PP, MM, FICO, Quality, PM and HR
including Pay Roll. ABM has more than 500 sap users across the company. By implementing
SAP solutions ABM has achieved superior operational excellence and business agility.
2. Auditee Environment
The primary objective of the assignment is to conduct Information Systems Audit of SAP
implementation and develop related IS Audit checklists for future use, through external
consultants by using the globally recognized IS Audit standards and best practices. The IS audit
of SAP would be with the objective of providing comfort on the adequacy and appropriateness of
controls and mitigate any operational risks thus ensuring that the information systems
implemented through SAP provide a safe and secure computing environment. Further, specific
areas of improvement would be identified by benchmarking with the globally recognized best IT
practices of COBIT framework. The initial assignment could primarily focus on the identified areas
of SAP Implementation.
3. Background
ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in
the Company. While the Information Systems Audit to be done covers both audit of ERP System
and review of its implementation, the IS Audit is expected to be in compliance with the IS Auditing
Standards, Guidelines and Procedures. The proposed IS Audit is further subjected to applicable
Auditing Standards of ICAI. The objective is to identify areas for improvement of controls by
benchmarking against global best practices. Further, any specific risks identified are expected be
mitigated by implementing controls as deemed relevant to ensure that SAP implementation is
secure and safe and provide assurance to the senior management of ABM. Further, IS Auditors
are expected to develop an IS Audit checklist for future use.
4. Situation
Business Model is:
ABM LIMITED
Following logistics arrangements have been made and confirmation about the
same should be obtained before travelling.
• Travel Arrangements – Bus/Train/ Flight bookings
• Accommodation Arrangements – Hotel / Guest House
• Pick-up and Drop arrangements to / from accommodation facility to / from
office and/or station / airport
8. Documents reviewed
Following things are Reviewed:
a. Policies – Are the management guidelines which should be approved by
the Top Management and should be reviewed atleast once in each year?
b. Procedure – Are the detailed documents based on the policies set by the
top management? Procedures contain the detailed information about the
process. All the procedure should be approved by the management and
should be reviewed at least once in each year.
c. Flowcharts – Pictures are worth thousand words when it comes to
understanding the interaction of various processes and how the
transaction flow has the dependencies and branches that run in various
directions.
d. Audit logs and Screenshots – Every organisation implements the
monitoring control over the processes and the preserves the evidences of
the same, in the form of system screenshots and system logs. This gives
an added confidence to the Information System Auditor about the
monitoring control established by the management..
9. Deliverables
*Security audit log should be properly configured.* It is configured using transaction
(1)
code *SM19*. Certain parameters need to be enabled during configuration of audit logs.
* *rsau/max_diskspace/per_day* or *rsau/max_diskspace/per_file* –
* *rsau/selection_slots* – This is used for deciding the number of filters based on the
various types of logs needed (like a filter for logs related to RFC function calls, filter for
logs related to transaction and reports executed by users etc.)
The logs which get generated can be seen using tcode *SM20*. SM20 giveslogs based
on the filter which has been set ( like what transaction or report was executed by what
user at what time etc.) It also gives a very important information – i.e. from what terminal
the transactions were executed.
The old logs can be deleted using tcode *SM18*. This access should be restricted to
Basis team only.
(2) *Maintaining User Groups* : It is a Best Practice to maintain User groups. User groups
can be created using transaction code SUGR and can be assigned to users. User groups
are very helpful as they help in identifying whether the user is a business user or an IT
user or System user etc. To some extent this helps in identifying the responsibilities that
a user is supposed to have.
Some of the user groups can be as follows (name can be used as per convenience):
(3) *Table logging* : There are certain tables where table logging should be enabled in
Production system. The technical setting of such tables need to be adjusted to “/Log data
changes/”. Transaction code *SE13* can be used for verifying whether table logging is
enabled or not. Table *DD09L* can also be used with the condition /Log = X/ to get an
overview of the tables for which table logging is enabled. Change document for such
tables can be viewed using table *DBTABLOG*.
(4) *Maintaining proper values for Profile Parameters* :Proper profile parameters values
must be maintained as per the Best Practices so as to satisfy Security Audit
Requirements. Below are examples of some such profile parameters.
Description
Ref
Segregation of Duties
Completeness
Authorisation
Accuracy
Validity
Source Data Preparation and Authorisation
Ensure that source documents are prepared by authorized and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the origination and approval of
1
these documents. Check whether the source document is a well-designed input form. Detect errors and
irregularities so they can be reported and corrected.
b Whether the procedures for preparing source data entry, and ensure
that they are effectively and properly communicated to appropriate
and qualified personnel? [These procedures should establish and
communicate required authorization levels (input, editing,
authorizing, accepting and rejecting source documents).The
procedures should also identify the acceptable source media for
each type of transaction.]
2 Establish that data input is performed in a timely manner by authorized and qualified staff. Correction
and resubmission of data that ware erroneously input should be performed without compromising
original transaction authorization levels. Where appropriate for reconstruction, retain source documents
for appropriate amount of time.
c Whether definition for who can input, edit, authorize, accept and
reject transactions, and override errors is there?
Whether error logs are reviewed and acted upon within a specified
and reasonable period of time?
3 Accuracy, Completeness and Authenticity Checks Establish that data input is performed in a timely
manner by authorized and qualified staff. Correction and resubmission of data that were erroneously
input should be performed without compromising original transaction authorization levels. Where
appropriate for reconstruction, retain original source documents for the appropriate amount of time.
a Whether the transaction data are verified as close to the data entry
point as possible and interactively during online sessions?
4 Maintain the integrity and validity of data throughout the processing cycle. Detection of erroneous
transactions does not disrupt the processing of valid transactions.
Whether there are procedures with audit trails to account for all
exceptions and rejections of sensitive output documents?
c Whether out-of-balance control totals exist and exceptions reported
to the appropriate level of management?
We determined that
(1) Controls could be improved for recording restricted transactions and Activities.
(2) System interface modification prevented posting payroll during the period October 2013
through March 2014,
(3) Petty cash expenses were not promptly posted,
(4) Centrally billed travel was not posted in a timely manner, and
(5) Beginning balance reports were not made available to the units until July 2014, nine months
after the October 2013 Phase I implementation date. As of September 24, 2014, units across the
Institution were still verifying their respective beginning balances.
(6) Audit of the Purchase Card Program, December 3,2014. We determined that the Chief
Financial Officer did not ensure that the ERP working group that developed the purchase card
functional requirements included cross-functional experts. Also, cardholders and fund managers
could not use the ERP system to determine whether available fund balances existed prior to
making purchases because the system provided inaccurate fund balances.
(7) Inaccurate fund balances have contributed to the erosion of confidence in the SAP ECC 6.00
Version (ERP) Business Solution information.
(8) Audit of the Smithsonian Financial System, July 12, 2011. We determined that the Smithsonian
Financial System was not meeting internal management and reporting needs of Institution units.
The Smithsonian Financial System was not a user-friendly system and did not provide the units
with the financial information needed to manage their various projects and activities related to
project accounting, ad-hoc reporting, and monthly reports.
Audit of the Project Management of the Steven F. Udvar-Hazy Center, July 31,2014. We identified
improvements needed in financial management and project controls for monitoring budget-to-
actual project revenues and expenses; planning system user requirements; and procedures for
monitoring contract modifications.
Audit of Project Management of the National Museum of the American Indian Mall Museum,
September 30,2013. We determined that the Office of facilities Engineering and Operations was
not completing reconciliations of its internal project financial tracking system records to the
Institution's financial system in a timely manner. We recommended that financial and
management controls be strengthened by the ERP project team defining requirements and
reports needed for monitoring construction projects.
Audit of Trust Fund Budget Process, September 28,2012. We determined that significant
management control weaknesses existed in the trust fund budget process. We recommended
improvements in two areas: (1) completeness of the trust fund budget process and (2) controls to
ensure that budgeted expenditures are not exceeded.
Audit of Financial Management of Traveling Exhibits, September 26, 2012. We determined that
controls were inadequate due to inaccurate managerial cost accounting information. We
recommended that policies and procedures be established for accumulating and reporting costs
regularly, consistently, and reliably. Such cost information is necessary for the Institution to
manage its operations and to carry out its fiduciary duties and responsibilities effectively. Routine
cost information is fundamental to any well-managed, cost-effective organization.
Audit of Project Management Related to the Purchase of the Victor Building, February 21, 2012.
We determined that there was no dedicated project manager to ensure that prudent business
practices and generally accepted project management procedures were in place and operating
properly. As a result, there was a high risk of cost overruns on the projects, delays in their
completion, and added costs inevitably occasioned by such delays.
11. Summary/Conclusion
This report is quite reasonable as verified from various departments and managers and
workers, to the best of our knowledge & belief. This report is issued without any prejudice &
subject to terms & conditions of the policy issued. Thanking & assuring you best of my attention
at all points.