Professional Documents
Culture Documents
Project Report of DISA 2.0 Course
Project Report of DISA 2.0 Course
of
DISA 2.0 Course
CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training conducted at:
and we have the required attendance. We are submitting the Project titled:
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us have
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing project report from anyone except members of our group.
Place: London
Date: 21/11/2015
Table of Contents
1. Introduction
A. The IS Audit Team audited project management controls over the implementation of the
SAP ECC 6.00 Version (ERP) Business Solution. Our purpose was to evaluate Security Controls,
User authentication and authorization, Audit Trails, Assess and Evaluate Management System
relating to change, System monitoring and business process configuration of the SAP ECC 6.00
Version (ERP) Business Solution.
ABM Group has been using Information Technology as a key enabler for facilitating business
process Owners and enhancing services to its customers. The senior management of ABM has
been very proactive in directing the management and deployment of Information Technology.
Most of the mission critical applications in the company have been computerized and
networked. ABM selected SAP Business Suite to bring a more integrated and seamless
approach to internal processes. SAP deployment in ABM posed unique challenges arising out of
the need to integrate multiple units across different locations, involving extensive procedures
and large volumes of data. The family of business applications provides better insight into
enterprise-wide analysis based on real time data and key performance indicators, improved
quality and on-time delivery, reduction in inventory cost and enhanced customer service. This
implementation has empowered ABM to seamlessly connect all its vendors, customers and
partners to achieve improved business efficiency. SAP-R3 ECC 6.00 Version is deployed across
all of ABM’s financial, payroll and human capital functions. The Modules implemented are PP,
MM, FICO, Quality, PM and HR including Pay Roll. ABM has more than 500 sap users across
the company. By implementing SAP solutions ABM has achieved superior operational
excellence and business agility.
2. Auditee Environment
The primary objective of the assignment is to conduct Information Systems Audit of SAP
implementation and develop related IS Audit checklists for future use, through external
consultants by using the globally recognized IS Audit standards and best practices. The IS audit
of SAP would be with the objective of providing comfort on the adequacy and appropriateness
of controls and mitigate any operational risks thus ensuring that the information systems
implemented through SAP provide a safe and secure computing environment. Further, specific
areas of improvement would be identified by benchmarking with the globally recognized best IT
practices of COBIT framework. The initial assignment could primarily focus on the identified
areas of SAP Implementation.
3. Background
ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in
the Company. While the Information Systems Audit to be done covers both audit of ERP System
and review of its implementation, the IS Audit is expected to be in compliance with the IS
Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subjected to
applicable Auditing Standards of ICAI. The objective is to identify areas for improvement of
controls by benchmarking against global best practices. Further, any specific risks identified are
expected be mitigated by implementing controls as deemed relevant to ensure that SAP
implementation is secure and safe and provide assurance to the senior management of ABM.
Further, IS Auditors are expected to develop an IS Audit checklist for future use.
4. Situation
Business Model is:
ABM LIMITED
BUSINESS: EQUIPMENT MANUFACTURING FOR THE USE IN
1. Mining & Construction;
2. Defence; and
3. Rail & Metro.
1. Production 2. Technology 3. Trading Division 4. International
Division Division Business Division
1. Production Division has 4 Manufacturing Location
Location 1 Location 2 Location 3 Location 4
2. Each Location has two manufacturing unit
Mfg. 1 Mfg. 2 Mfg.3 Mfg.4 Mfg.5 Mfg. 6 Mfg. 7 Mfg. 8
3. There are 500 SAP users in all.
Following logistics arrangements have been made and confirmation about the
same should be obtained before travelling.
• Travel Arrangements – Bus/Train/ Flight bookings
• Accommodation Arrangements – Hotel / Guest House
• Pick-up and Drop arrangements to / from accommodation facility to / from
office and/or station / airport
7. Methodologyand Strategy adapted for execution of assignment
a) Opening Meeting
e) Conducting Walkthroughs
f) Testing of IS Controls
i) Audit report
j) Follow up Activities
8. Documents reviewed
Following things are Reviewed:
a. Policies – Are the management guidelines which should be approved by
the Top Management and should be reviewed atleast once in each year?
b. Procedure – Are the detailed documents based on the policies set by the
top management? Procedures contain the detailed information about the
process. All the procedure should be approved by the management and
should be reviewed at least once in each year.
c. Flowcharts – Pictures are worth thousand words when it comes to
understanding the interaction of various processes and how the
transaction flow has the dependencies and branches that run in various
directions.
d. Audit logs and Screenshots – Every organisation implements the
monitoring control over the processes and the preserves the evidences of
the same, in the form of system screenshots and system logs. This gives
an added confidence to the Information System Auditor about the
monitoring control established by the management..
9. Deliverables
*Security audit log should be properly configured.* It is configured using transaction
(1)
code *SM19*. Certain parameters need to be enabled during configuration of audit logs.
* *rsau/max_diskspace/per_day* or *rsau/max_diskspace/per_file* –
* *rsau/selection_slots* – This is used for deciding the number of filters based on the
various types of logs needed (like a filter for logs related to RFC function calls, filter for
logs related to transaction and reports executed by users etc.)
The logs which get generated can be seen using tcode *SM20*. SM20 giveslogs based
on the filter which has been set ( like what transaction or report was executed by what
user at what time etc.) It also gives a very important information – i.e. from what
terminal the transactions were executed.
The old logs can be deleted using tcode *SM18*. This access should be restricted to
Basis team only.
(2) *Maintaining User Groups* : It is a Best Practice to maintain User groups. User
groups can be created using transaction code SUGR and can be assigned to users.
User groups are very helpful as they help in identifying whether the user is a business
user or an IT user or System user etc. To some extent this helps in identifying the
responsibilities that a user is supposed to have.
Some of the user groups can be as follows (name can be used as per convenience):
(3) *Table logging* : There are certain tables where table logging should be enabled in
Production system. The technical setting of such tables need to be adjusted to “/Log
data changes/”. Transaction code *SE13* can be used for verifying whether table
logging is enabled or not. Table *DD09L* can also be used with the condition /Log = X/
to get an overview of the tables for which table logging is enabled. Change document
for such tables can be viewed using table *DBTABLOG*.
(4) *Maintaining proper values for Profile Parameters* :Proper profile parameters values
must be maintained as per the Best Practices so as to satisfy Security Audit
Requirements. Below are examples of some such profile parameters.
Audit is a never ending topic. We can continue to talk about as many security audit
concepts as possible. We will discuss about some other very important points in our
/*next post*/ on SAP Security Audit Guidelines.
Segregation of Duties
Completeness
Authorisation
Accuracy
Validity
We determined that
(1) Controls could be improved for recording restricted transactions and Activities.
(2) System interface modification prevented posting payroll during the period October 2013
through March 2014,
(3) Petty cash expenses were not promptly posted,
(4) Centrally billed travel was not posted in a timely manner, and
(5) Beginning balance reports were not made available to the units until July 2014, nine months
after the October 2013 Phase I implementation date. As of September 24, 2014, units across
the Institution were still verifying their respective beginning balances.
(6) Audit of the Purchase Card Program, December 3,2014. We determined that the Chief
Financial Officer did not ensure that the ERP working group that developed the purchase card
functional requirements included cross-functional experts. Also, cardholders and fund managers
could not use the ERP system to determine whether available fund balances existed prior to
making purchases because the system provided inaccurate fund balances.
(7) Inaccurate fund balances have contributed to the erosion of confidence in the SAP ECC 6.00
Version (ERP) Business Solution information.
(8) Audit of the Smithsonian Financial System, July 12, 2011. We determined that the
Smithsonian Financial System was not meeting internal management and reporting needs of
Institution units. The Smithsonian Financial System was not a user-friendly system and did not
provide the units with the financial information needed to manage their various projects and
activities related to project accounting, ad-hoc reporting, and monthly reports.
Audit of the Project Management of the Steven F. Udvar-Hazy Center, July 31,2014. We
identified improvements needed in financial management and project controls for monitoring
budget-to-actual project revenues and expenses; planning system user requirements; and
procedures for monitoring contract modifications.
Audit of Project Management of the National Museum of the American Indian Mall Museum,
September 30,2013. We determined that the Office of facilities Engineering and Operations was
not completing reconciliations of its internal project financial tracking system records to the
Institution's financial system in a timely manner. We recommended that financial and
management controls be strengthened by the ERP project team defining requirements and
reports needed for monitoring construction projects.
Audit of Trust Fund Budget Process, September 28,2012. We determined that significant
management control weaknesses existed in the trust fund budget process. We recommended
improvements in two areas: (1) completeness of the trust fund budget process and (2) controls
to ensure that budgeted expenditures are not exceeded.
Audit of Financial Management of Traveling Exhibits, September 26, 2012. We determined that
controls were inadequate due to inaccurate managerial cost accounting information. We
recommended that policies and procedures be established for accumulating and reporting costs
regularly, consistently, and reliably. Such cost information is necessary for the Institution to
manage its operations and to carry out its fiduciary duties and responsibilities effectively.
Routine cost information is fundamental to any well-managed, cost-effective organization.
Audit of Project Management Related to the Purchase of the Victor Building, February 21, 2012.
We determined that there was no dedicated project manager to ensure that prudent business
practices and generally accepted project management procedures were in place and operating
properly. As a result, there was a high risk of cost overruns on the projects, delays in their
completion, and added costs inevitably occasioned by such delays.
11. Summary/Conclusion
This report is quite reasonable as verified from various departments and managers and
workers, to the best of our knowledge & belief. This report is issued without any prejudice &
subject to terms & conditions of the policy issued. Thanking & assuring you best of my attention
at all points.