Form 18**S.1, Cash RCM-ITGC
ABC Private Limited
ICFR for the year ending 31st March, 2016
IT General Controls— RCM

| Sr. No. | Process Reference | Attribute | Activity Description | Identification of Risk of Material Misstatement ("What Could Go Wrong"): Risk Description | Control Ref Number | Control That Addresses Risk of Material Misstatement: Control Name | Classification of Inherent Risk (Normal, Significant) |
|---|---|---|---|---|---|---|---|
| 1 | ITGC | Risk Assessment | IT Policy | Intended IT related processes not followed due to absence of defined comprehensive IT policy document | ITGC 01 | A defined comprehensive IT policy document to provide various guidelines to work in the IT environment is in place | Significant |
| 2 | ITGC | Control Environment | Access Rights | Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) | ITGC 02 | View-only access of Accounting Software provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) who are not required to modify the financial transactions | Significant |
| 3 | ITGC | Control Environment | Closing of Accounting period/year in the Accounting Software | Erroneous/intentional posting of Accounting entry in the earlier closed period/year | ITGC 02 | Closing of previous period/year to restrict back-dating of transactions | Significant |
| 4 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | 1. For CMS System - all new users are given pre-expired password and the system prompts the user to set new password at the time of first login. 2. For Tally - all new users are given pre-expired password and the system prompts the user to set new password at the time of first login | Significant |
| 5 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 02 | 1. For CMS - Users access rights are granted by IT only upon specific approval by the concerned functional head. 2. For Tally - Users access rights are granted by IT only upon specific approval by the concerned functional head | Significant |
| 6 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | System prompts the user to change the password after the expiration of 30 days. | Normal |
| 7 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | Password must contain at least 7 characters, alphanumeric (alphabets, numbers and special characters). | Normal |
| 8 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | If the password is wrongly entered continuously for 5 times within 30 minutes, the respective login id gets locked. | Normal |
| 9 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | If a user is not accessing the system for more than the specified time, the system gets automatically locked. | Normal |
| 10 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 10 | There exists a periodic review of the user profiles for systems access, to confirm appropriateness. | Normal |
| 11 | ITGC | Information & Communication | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | Requests for creation of new user ids are received by the IT Executive on standardized form, duly signed by the respective HOD. | Significant |
| 12 | ITGC | Information & Communication | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 | 1. User termination, resignation is informed to IT Executive through email by HR. 2. User account is disabled immediately after receiving an email request. Before processing this request, IT archives the mail box of the user. 3. Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system. | Normal |
| 13 | ITGC | Control Environment | Selects and develops general controls over technology | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 | 1. Regular back-up strategy defined for server and auto-back up is taken at defined frequency. 2. Retrieval is tested at reasonable frequency | Significant |
| 14 | ITGC | Control Environment | Selects and develops general controls over technology | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 | Off-site storage of back-up to tackle any unforeseen event at the office premises. | Significant |
| 15 | ITGC | Control Environment | Identifies risks to the achievement of objectives and analyses risks to manage them | Servers and end users' PCs are infected with virus | ITGC 05 | 1. Desktops: All the user desktops are installed with anti-virus scanner, which scans the new files on an ongoing basis. 2. Servers: All servers are installed with anti-virus scanner. 3. Gateway: Mail server is managed and all the emails are scanned by threat management gateway. 4. The anti-virus gets automatically updated with the latest version through process of auto updates | Significant |
| 16 | ITGC | Control Environment | Assesses fraud risk to the achievement of objectives | Unauthorized access to the IT systems, applications and data by external parties | ITGC 05 | 1. Firewalls have been installed. 2. The logs are regularly reviewed by IT Executive | Significant |
| 17 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 06 | Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel. | Significant |
| 18 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting. | ITGC 06 | Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with Finance Manager and after approval of BOD | Significant |
| 19 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | Errors in changes made to key applications relevant to financial reporting. | ITGC 06 | Specific changes are made to key applications relevant to financial reporting only after sign off from the relevant stakeholders | Significant |
| 20 | ITGC | Control Environment | Selects and develops general controls over technology | Problems and incidents are not effectively managed. | ITGC 09 | In-house IT personnel resolve issues faced by users as required | Normal |
| 21 | ITGC | Control Environment | Selects and develops general controls over technology | Intentional sharing of crucial and confidential data of the company by staff to outsiders (e.g. competitors) | ITGC 07 | 1. Deactivation of external storage devices on company PCs. 2. Restricting access to all public sites and domains | Significant |
| Sr. No. | Process Reference | Risk Associated with the Control (Not Higher, Higher) | Operating Frequency (Annually, Quarterly, Monthly, Weekly, Daily, Many Times per Day, As Needed) | Nature of Control | Control - Automated or Manual | Deficiencies | Control Exist (Yes/No) |
|---|---|---|---|---|---|---|---|
| 1 | ITGC | Higher | As Needed | Preventive | Manual | Defined comprehensive IT policy document to provide various guidelines to work in IT environment is not in place. | No |
| 2 | ITGC | Higher | As Needed | Preventive | Automated | Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) | No |
| 3 | ITGC | Higher | As Needed | Preventive | Automated | Previous closed month/year is not blocked for editing transactions | No |
| 4 | ITGC | Higher | As Needed | Preventive | Automated | For Tally - all three users are given the same password, which is not required to be changed either after first login or subsequently | 1. Yes 2. No |
| 5 | ITGC | Higher | As Needed | Preventive | Automated | For Tally - all the users in the accounts dept. are sharing a common user-id and password and have the same access rights | 1. Yes 2. No |
| 6 | ITGC | Not Higher | As Needed | Preventive | Automated | System does not give any alerts or notifications to force-change the password after expiration of 30 days | No |
| 7 | ITGC | Not Higher | As Needed | Preventive | Automated | Password logic is not defined | No |
| 8 | ITGC | Not Higher | As Needed | Preventive | Automated | No locking of login id upon incorrect entries of password. | No |
| 9 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 10 | ITGC | Not Higher | As Needed | Both Preventive & Detective | Automated | No periodic review of user profiles for system access. | No |
| 11 | ITGC | Higher | As Needed | Preventive | Manual | No procedure of sending a standard form duly signed by the respective HOD for new user-id creation. | No |
| 12 | ITGC | Not Higher | As Needed | Preventive | Manual | 1. No procedure of sending an email request for disabling the access rights from the system. 2. IT Executive does not sign the Full & Final Settlement form regarding disabling access rights from the system | No |
| 13 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 14 | ITGC | Not Higher | As Needed | Preventive | Automated | There is no off-site storage of the back-up server | No |
| 15 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 16 | ITGC | Not Higher | As Needed | Preventive | Automated | The logs are not reviewed by IT Executive | 1. Yes 2. No |
| 17 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 18 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 19 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 20 | ITGC | Not Higher | As Needed | Preventive | Automated | - | Yes |
| 21 | ITGC | Higher | As Needed | Preventive | Automated | Access to public sites and domains has not been restricted | 1. Yes 2. No |
| Sr. No. | Process Reference | Remedial methods | Control Design Conclusion (Effective, Ineffective) | Control Operational Effectiveness Conclusion (Effective, Ineffective) | Substantive Procedures Planned | Evidence of Control | Control Owner | Process Owner |
|---|---|---|---|---|---|---|---|---|
| 1 | ITGC | Define a comprehensive IT policy document to provide various guidelines to work in IT environment. | Ineffective | | Review comprehensive IT policy | As per discussion with IT Executive | Finance Manager | IT Executive |
| 2 | ITGC | Eligible persons other than designated employees to be provided view-only access of Accounting Software | Ineffective | | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 3 | ITGC | Block previous closed month/year for editing transactions | Ineffective | | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 4 | ITGC | For Tally - give all the users individual pre-expired passwords, which the users need to change at the time of first log-in | 1. Effective 2. Ineffective | | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive |
| 5 | ITGC | For Tally - give all the users separate user-id, password and access rights. | 1. Effective 2. Ineffective | | Process of granting access rights | As per discussion with IT Executive | Finance Manager | IT Executive |
| 6 | ITGC | Introduce a password change policy whereby the system gives a pop-up to force-change the password after expiration of 30 days | Ineffective | | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive |
| 7 | ITGC | Define a Password policy | Ineffective | | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 8 | ITGC | Define a Password policy | Ineffective | | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 9 | ITGC | - | Effective | | Conduct live-check for auto-locking of system | As per discussion with IT Executive | Finance Manager | IT Executive |
| 10 | ITGC | Introduce a process of periodic review of user profiles for system access. | Ineffective | | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 11 | ITGC | Require request for new user-id creation to be sent to the IT Executive through a duly signed standard form | Ineffective | | Standard forms duly signed by respective HOD to be checked | As per discussion with IT Executive | Finance Manager | IT Executive |
| 12 | ITGC | 1. Introduce a procedure of sending email request for disabling the access rights from the system. 2. Require signature by IT Executive on the Full & Final Settlement form confirming disabled access rights from the system | Ineffective | | Review the procedure of disabling access rights from the system | As per discussion with IT Executive and Finance Manager | Finance Manager | IT Executive |
| 13 | ITGC | - | Effective | | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive |
| 14 | ITGC | Ensure off-site storage of back-up for ensuring safety of back-up | Ineffective | | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive |
| 15 | ITGC | - | Effective | | Check for working of anti-virus software on selected PCs | As per discussion with IT Executive | Finance Manager | IT Executive |
| 16 | ITGC | Require regular review of logs by IT Executive | 1. Effective 2. Ineffective | | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 17 | ITGC | - | Effective | | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 18 | ITGC | - | Effective | | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 19 | ITGC | - | Effective | | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 20 | ITGC | - | Effective | | Review the mechanism of solving the problems and incidents faced by the users | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 21 | ITGC | Restrict access to public sites and domains | 1. Effective 2. Ineffective | | Ensure whether external storage devices are deactivated and access to public sites has been restricted | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| Sr. No. | Process Reference | Application System | Is IPE used in performing relevant Control? | If yes, List of IPE | Reference of Testing Work paper for conclusion on Control Design, Implementation and Operating Effectiveness |
|---|---|---|---|---|---|
| 1 | ITGC | Tally, CMS, Sensys TDS & Matrix Cosec | No | - | - |
| 2 | ITGC | Tally | No | - | - |
| 3 | ITGC | Tally | No | - | - |
| 4 | ITGC | 1. CMS 2. Tally | No | - | - |
| 5 | ITGC | 1. CMS 2. Tally | No | - | - |
| 6 | ITGC | Tally, CMS, Sensys TDS | No | - | - |
| 7 | ITGC | Tally, CMS, Sensys TDS | No | - | - |
| 8 | ITGC | Tally, CMS, Sensys TDS | No | - | - |
| 9 | ITGC | Tally, CMS, Sensys TDS | No | - | - |
| 10 | ITGC | CMS | No | - | - |
| 11 | ITGC | - | No | - | - |
| 12 | ITGC | - | No | - | - |
| 13 | ITGC | CMS, Sensys TDS | No | - | - |
| 14 | ITGC | CMS, Sensys TDS | No | - | - |
| 15 | ITGC | - | No | - | - |
| 16 | ITGC | - | No | - | - |
| 17 | ITGC | Tally, CMS | No | - | - |
| 18 | ITGC | Tally, CMS | No | - | - |
| 19 | ITGC | Tally, CMS | No | - | - |
| 20 | ITGC | CMS, Sensys TDS & Matrix Cosec | No | - | - |
| 21 | ITGC | - | No | - | - |