
Project Report

Of
DISA 2.0 Course
CERTIFICATE

Project report of DISA 2.0 Course

This is to certify that we have successfully completed the DISA 2.0 course training conducted at BHOPAL from 18 June 2016 to 31 July 2016 and we have the required attendance. We are submitting the Project titled: Security and Control Risk assessment of Toll Bridge Company.

We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project. We also certify that this project report is the original work of our group and each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.

1. Name : CA DEEPAK AGRAWAL DISA No. 48854 Signed

2. Name : CA GAURAV BANSAL. DISA No. 48292 Signed

3. Name : CA DISHA TANWANI DISA No. 48563 Signed

Place: BHOPAL

Date: 08/08/2016
Table of Contents

Details of Case Study/ Project (Problem)

Project Report (solution):

1. Introduction

2. Auditee Environment

3. Background

4. Situation

5. Terms and Scope of assignment

6. Logistic arrangements required

7. Methodology and Strategy adapted for execution of assignment

8. Documents reviewed

9. References

10. Deliverables

11. Format of Report/Findings and Recommendations

12. Summary/Conclusion
Project Report

Security and Control Risk assessment of Toll Bridge operations

A. Details of Case Study/Project (Problem)


ABC Toll Company is a Road Toll Bridge Authority set up as an autonomous company with the main objective of managing the Bangalore-Hassan Toll Bridge. A fully automated collection system is in place to enable collections through 8 toll booths on both sides of the bridge.

The two main stakeholders in the efficient functioning of ABC Toll Company are:

1. The Senior Management – they want assurance of the continuity of the business, which relies heavily upon IT systems, and
2. The Government – they want assurance of non-leakage of revenues from the daily operation of the toll bridge.

With the aforementioned facts in mind, we, BIG3 Associates, have been contracted to conduct an IS Audit so as to:

• assess adequacy of all BCP related controls,
• verify correctness and completion of transaction processing, and
• identify areas of weakness and suggest appropriate recommendations.

B. Project Report (solution)

1. Introduction

ABC Toll Company (ABC Toll Co.) is in the business of administering the collection of toll charges on the Bangalore-Hassan Toll Bridge. It has been set up as an autonomous Company and has been authorized by the Government to collect toll during the period of license. The license will span a period of 8 years, after which the functioning of the Company shall cease. The organization structure of ABC & Co. is flat, as there are only three levels of hierarchy in the management of the company.

The Management’s view is that there should be a reliable computerized system in place to collect and account for Toll fee. A fully computerized system has been developed for that purpose by their IT Department. We, BIG3 Associates, have been contracted to conduct an IS Audit to:

• Assess adequacy of all BCP related controls
• Verify correctness and completion of transaction processing
• Identify areas of weakness, and
• Make appropriate recommendations.
• Provide assurance to the government about the integrity of information processed.

We at BIG3 Associates are a firm of Chartered Accountants that has extensive experience in the area of Information Systems Audit. Our clients in the past five years have given us splendid testimonials and consider us partners in their quest of value creation for all stakeholders. Some of the areas we have worked in are:

• Manufacturing of garments
• Retail and wholesale of FMCGs
• Educational Institutions
• Parking Lot management agencies, and
• Hotel chains

Our team comprises:

CA MAYANK SHRIVAS – with 5 years of experience as a practicing Chartered Accountant, three of them as part of a team working in association with the World Bank. He is the team leader and has successfully led many IS Audit assignments in the past 3 years. His analytical thinking has prevented huge losses, and clients see him as a person who works tirelessly to generate high quality deliverables and meet deadlines.

CA TARUN PANWAL – with 4 years of experience as a practicing Chartered Accountant, having great experience of working in PWC, specialized in the field of internal audit.

CA DEEPESH GUPTA – practicing since 2011. He has also qualified DISA, IFRS, the Concurrent Audit Course and the Indirect Tax Course of the CA Institute. He has successfully done many system audits of banks and other PSUs.

2. Auditee Environment

Organization Structure

For the purpose of convenience, the three levels shall be referred to as the Policy, Strategy and Maintenance levels. As is evident from the names of the different levels, their functions shall involve policy making, strategy creation to implement the policies formulated, and the maintenance and upkeep of the entire IT System.

Enabling Technologies

The Strategy level has decided that the IT system required for the purpose would entail setting up a network in the Client-Server architecture. The server runs on Windows 2008 OS and the DBMS is Oracle. The minicomputer is connected to a standby server with disk mirroring capability. Thus at any one time there exist two sets of backup. Also, there is no disruption of business due to switch over to the standby server in case of any disruption. This is in consensus with the policy of the management of having assurance of non-disruption of business in the eventuality of failure of one or more interface points. The system comprises eight Windows Workstations (terminals), of which four (two each on the East and West sides) are on standby. The connectivity between the Toll Plaza (servers) and Toll Booths (Workstations) is through physical cabling. The Main Server is located on the East plaza, while the Backup Server is located on the West Plaza.

Provisions for Contingencies

There is an electricity backup of 2 hours by battery and a generator on standby to power the server and computers. The auditee organization also has UPS systems in place to power the computers. Apart from this, there are smoke detector alarms and fire extinguishers installed at toll plazas and toll booths. All IT assets of the Company have been insured.

Enabling Software

On the occurrence of each transaction, the Toll Application Software transmits data to the Server. There are two events that complete the transaction – Classification and Pressing of the Validation button. The procedure commences when the 8 cameras atop each of the toll booths capture the image of the approaching vehicle, and concludes when the camera takes a picture of the vehicle leaving after paying the toll fee. An auditing menu in the Toll Application Software can be used to verify Toll collections against images of vehicles captured in the course of the transaction. Upon recovery of the toll fee, the operator presses the update button that concludes the transaction and results in raising the boom to allow the vehicle to pass. The details of the event with its unique transaction ID, date, time, image, classification category, operator ID and lane ID are captured and sent to the server. Entries wherein the Classification and Pressing of the Validation button are not triggered separately or in the allocated sequence are recorded separately as a violation of lane identifier.
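The two-event transaction described above (Classification, then Pressing of the Validation button, with events that are out of sequence or not triggered separately recorded as a lane violation) can be expressed as a sequencing check that an auditor could run over the event records a booth sends to the server. The following Python is an added example written for this report; it is not the Toll Application Software's own code. The event names, the tariff table, the lane and operator identifiers and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed fee per classification category (constructed; the report gives no schedule).
TARIFF = {"CAR": 50, "LCV": 80, "BUS": 150, "TRUCK": 200}

# Order in which one vehicle's events should reach the server (assumed event names).
EXPECTED_SEQUENCE = ["ENTRY_IMAGE", "CLASSIFY", "VALIDATE", "EXIT_IMAGE"]


@dataclass
class LaneEvent:
    txn_id: str
    lane_id: str
    operator_id: str
    kind: str           # one of EXPECTED_SEQUENCE
    ts: datetime
    category: str = ""  # filled only on CLASSIFY events


@dataclass
class TxnResult:
    txn_id: str
    status: str         # "COMPLETE" or "LANE_VIOLATION"
    category: str = ""
    fee: int = 0
    reason: str = ""


def check_transaction(events: List[LaneEvent]) -> TxnResult:
    """Check one transaction's events against the expected two-event sequence."""
    txn_id = events[0].txn_id
    # Every event must carry the same transaction id and lane id.
    if len({(e.txn_id, e.lane_id) for e in events}) != 1:
        return TxnResult(txn_id, "LANE_VIOLATION", reason="mixed transaction or lane ids")
    ordered = sorted(events, key=lambda e: e.ts)  # stable sort: ties keep arrival order
    kinds = [e.kind for e in ordered]
    if kinds != EXPECTED_SEQUENCE:
        return TxnResult(txn_id, "LANE_VIOLATION",
                         reason="out-of-sequence events: " + ",".join(kinds))
    classify, validate = ordered[1], ordered[2]
    # Classification and validation must be two separately triggered actions.
    if validate.ts <= classify.ts:
        return TxnResult(txn_id, "LANE_VIOLATION",
                         reason="classification and validation not triggered separately")
    if classify.category not in TARIFF:
        return TxnResult(txn_id, "LANE_VIOLATION",
                         reason=f"unknown classification {classify.category!r}")
    return TxnResult(txn_id, "COMPLETE", classify.category, TARIFF[classify.category])


def audit_lane_events(events: List[LaneEvent]) -> Dict[str, TxnResult]:
    """Group raw lane events by transaction id and check each transaction."""
    by_txn: Dict[str, List[LaneEvent]] = {}
    for e in events:
        by_txn.setdefault(e.txn_id, []).append(e)
    return {txn: check_transaction(evs) for txn, evs in by_txn.items()}


def sample_events() -> List[LaneEvent]:
    """Constructed events for one booth: one clean transaction and two violations."""
    t0 = datetime(2016, 7, 1, 9, 0, 0)

    def at(sec: int) -> datetime:
        return t0 + timedelta(seconds=sec)

    return [
        # T1: the allocated sequence, validation pressed after classifying
        LaneEvent("T1", "E3", "OP07", "ENTRY_IMAGE", at(0)),
        LaneEvent("T1", "E3", "OP07", "CLASSIFY", at(4), "CAR"),
        LaneEvent("T1", "E3", "OP07", "VALIDATE", at(9)),
        LaneEvent("T1", "E3", "OP07", "EXIT_IMAGE", at(12)),
        # T2: validation button pressed before the vehicle was classified
        LaneEvent("T2", "E3", "OP07", "ENTRY_IMAGE", at(20)),
        LaneEvent("T2", "E3", "OP07", "VALIDATE", at(23)),
        LaneEvent("T2", "E3", "OP07", "CLASSIFY", at(25), "TRUCK"),
        LaneEvent("T2", "E3", "OP07", "EXIT_IMAGE", at(28)),
        # T3: classification and validation fired in the same instant
        LaneEvent("T3", "E3", "OP07", "ENTRY_IMAGE", at(40)),
        LaneEvent("T3", "E3", "OP07", "CLASSIFY", at(43), "BUS"),
        LaneEvent("T3", "E3", "OP07", "VALIDATE", at(43)),
        LaneEvent("T3", "E3", "OP07", "EXIT_IMAGE", at(47)),
    ]


if __name__ == "__main__":
    for txn, res in audit_lane_events(sample_events()).items():
        print(txn, res.status, res.fee or res.reason)
```

The check deliberately treats a validation that is not strictly later than the classification as a violation, which is the "not triggered separately" case the report describes; an auditor using the application's audit menu would then compare each flagged transaction against its captured images.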

Details of Regulatory requirements and best practices

i. The basic principles of audit as enumerated in SA 200 shall apply to an IS Audit too. Therefore, adequate consideration should be given to:
 • Integrity, objectivity, independence
 • Skill and Competence
 • Confidentiality
 • Work performed by others
 • Documentation
 • Internal Control assessment to assure validity, reliability and security of information and IS
 • Audit conclusions and reporting.
ii. The following categories of the Information Technology Assurance Framework would have to be adhered to:
 • 1000 Series – General Standards
 • 1200 Series – Performance Standards
 • 1400 Series – Reporting Standards
iii. COBIT 5 specific process MEA02 – Monitor, Evaluate and Assess the System of Internal Controls would be applicable.
iv. A BCP audit should be programmed to cover the applicable laws, standards and frameworks. To ensure that this is followed, COBIT 5 specific process MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements should be adhered to.
v. COBIT 5 – DSS04: Manage Continuity – this provides a framework of best practices in BCP.
vi. COBIT 5 – BAI04: Manage Availability and Capacity.
vii. ISO 22301: Standard on Business Continuity Management
viii. Statement on Standards for Attestation Engagements (SSAE) 16
ix. IT Infrastructure Library (ITIL)
x. Among the Indian legislations, the following are some regulatory requirements that will have to be taken into consideration while conducting the IS Audit of ABC Toll Company:
 • Information Technology Act,
 • Income Tax Act,
 • Service Tax Act (Finance Act)
 • Central Excise Act

3. Background

The main reasons for conducting the IS audit of ABC Toll Company are listed below:

Adequacy and appropriateness of Business Continuity Plan

ABC Toll Company has formulated a BCP to ensure that they can continue all critical operations, recover from a disaster and continue operations with the least impact. Considering that the environment in which the business functions is constantly changing by varying degrees, it is of great importance to review the plans to evaluate if they continue to be adequate and appropriate in achieving the predetermined acceptable level of risk. During the course of such an audit, old risks and threats might be found to be redundant while new ones become evident. Besides this, residual risks that had not been considered earlier may be discovered. Quantification of these risks and threats would help determine whether the BCP is adequate or needs revision.

Escapement of Revenue

ABC Toll Company was formed with the objective of administering the collection of Toll fee on the Bangalore – Hassan toll bridge. The various weaknesses in the IT system that compromise the correct accounting of moneys received have been discussed below under subheading 4. Situation.

Make recommendations for improvements if necessary

ORGANISATION COST OF DATA LOSS

Data is a critical resource of ABC Toll Company for its present and future processes and its ability to adapt to a changing environment. Moreover, since the company is engaged in the business of toll collection and administration, and such businesses are always prone to revenue leakage, it is the data and its audit which prevent such revenue leakage. Therefore, in order to ensure that such data is protected, an IS Audit becomes a need for them.

COST OF COMPUTER ABUSE

The toll collection system of ABC Company is totally automated, for which it deploys sophisticated and costly hardware (such as minicomputers and workstations) and software (such as Windows Server and Oracle). Unauthorized access to the computer system, malware, unauthorized physical access to computer facilities and unauthorized copying of sensitive data can lead to destruction of assets. That is why, in order to avoid such abuse, an IS Audit is a must.

COST OF INCORRECT DECISION MAKING

The information generated by the information system is used by the management of ABC Company in various decisions, ranging from decisions at the operational, tactical and strategic levels. If the information generated by the information system leads to incorrect decision making, then it will result in heavy cost to ABC Company, in terms of loss of competitive edge, loss of market share etc. Moreover, the nature of the business in which ABC Company is engaged is a high revenue yielding business, and incorrect decision making even once can lead to loss of heavy revenue. Therefore, in order to ensure the reliability of information, an IS Audit is mandatory.

HIGH COST OF COMPUTER ERROR

Since ABC Company operates in a computerized environment where many critical business processes are performed, a data error during entry or processing can cause great damage; i.e. the biggest amount of revenue can be leaked through a series of small value errors, since such errors are difficult to detect. Hence, to ensure the prevention of such errors/omissions, an IS Audit is necessarily required.

CONTROL EVOLUTION OF COMPUTER USE

ABC Company uses Information Technology for toll collection purposes; the reliability of a complex computer system cannot be guaranteed, and the consequences of using an unreliable system can be destructive. Moreover, a change in the environment can make the use of the computer purposeless, unless capabilities have been incorporated in the computer to cope with the changing environment. Therefore, in order to ensure that the computer serves the purpose for which it was initially developed and to avoid destruction which may arise due to use of an unreliable system, an IS Audit is compulsory.

MAINTENANCE OF PRIVACY

Data collected by ABC Company in a business process contains private information of individuals too, e.g. private information of employees of ABC Company. These data were also collected before computer use, but now there is a fear that privacy has eroded beyond an acceptable level. Therefore, in order to maintain the confidentiality of the information in the information system, an IS Audit becomes a need of ABC Company.

VALUE OF COMPUTER HARDWARE, SOFTWARE AND PERSONNEL

These are the critical resources of the organization and have a credible impact on its infrastructure and business competitiveness. Hence, in order to protect them, an IS Audit is a must.

4. Situation

This IS Audit has been undertaken to verify the adequacy and appropriateness of the BCP of ABC Toll Company and also to make recommendations for revisions in the BCP or other IT system components on the basis of an analysis of areas that may be subject to leakage of revenue. The “As is” situation of the auditee organization that makes it imperative to conduct an IT Audit is summarized hereunder:

(A) Features of the existing scenario that affect the BCP

• A backup server is in place that has disk mirroring capabilities and is capable of being brought into use immediately upon failure of the main server. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Can the backup server replace the other server for a sufficiently long period?
 (ii) Are any changes in the software applications that help run the system backed up onto the backup server also?
 (iii) How often is the disk mirrored?
 (iv) What are the safeguards to ascertain that the data is fully backed up?
 (v) Are there checks in place to evaluate if the processing in the new server has picked off from where the main server left off?
 (vi) Does the main server or backup server have the capability of recording the exact point of failure?
 (vii) When the backup server is brought into use, is there a check by the IT department within a reasonable time to ensure that processing is accurate and proper?



• The organization is using Windows Workstations at the toll booths. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Systems based on Windows are far more susceptible to denial of service attacks
 (ii) By comparison even Mac OS is far cheaper while being highly productive
 (iii) Windows licensing costs are also very high and this will determine costs of BCP implementation or may discourage updating of software.
• Physical cabling is used to connect the server to the hub. Workstations are plugged into this hub. There are two hubs – one on the east side and the other on the west side of the Toll Bridge. Each hub is connected to the Main / backup server. Connectivity between the two servers is through fiber optic cable. Workstations at the toll booth are connected in the star network architecture. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Is there any alternative to disruption in connectivity by the physical cable?
 (ii) Is the system capable of diagnosing that processing at any one or more workstations is faulty? If so, what are the emergency procedures that are programmed to occur once such an anomaly is detected?
 (iii) As hubs are single points of failure, are sufficient measures in place to ensure that operations are not impacted?

• Electricity backup is maintained by employing UPS and batteries providing two hours backup in addition to the generator. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Are the UPS / battery regularly maintained and capable of providing adequate backup?
 (ii) Is the fuel for the generator regularly monitored so as to ensure that the set up functions as planned?
 (iii) Is the time of backup planned for (2 hours) correct or is it subject to revision?
• Costs for fire extinguishers, smoke detectors and adequate insurance cover have been incurred to ensure that assets are safeguarded. There are two backup toll booths on each side of the Toll Bridge and a backup server to ensure continuity of business. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Are the fire extinguishers / smoke detectors in good working condition?
 (ii) Is the extent of insurance cover based on a scientific valuation of losses that may be incurred?
 (iii) Are all the requisite documents required to process an insurance claim maintained separately and at a secure location?
 (iv) Are the machines that are on backup well maintained and up to date?

• There is a system of manual operations in the eventuality of any compromise in the functioning of the IS. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Are there proper manuals setting out in clear terms the processes, procedures, accountability and the hierarchy of reporting when the IT systems are not available for use?
 (ii) Are the operators adequately trained in the implementation of this switch over to manual systems?
 (iii) Has there been adequate testing of the manual alternative by simulating actual conditions?
 (iv) Are there processes and procedures in place to ensure that all the necessary changes that could not be recorded in the IT system due to the implementation of manual operations are updated in the IT system before resuming processing using the IT Systems?
 (v) Is proper documentation maintained of all transactions processed manually?
 (vi) Is there a documented stipulation of the hierarchy of persons and the areas for which different persons involved shall be held accountable in the event of manual operations?
• The Operator at the toll booth uses his discretion to classify vehicles for the purpose of calculation of Toll Fee. This situation gives rise to the following probable problem areas / control weaknesses:
 (i) Is there a regular audit performed using the Audit module of the Application Software to verify the correctness of the Toll Fees collected?
 (ii) Is a standard established to assist the Toll Booth Operator in making a decision regarding the classification of vehicles?
 (iii) Is there any limit set for margin of error by the Toll Booth Operator?
 (iv) Is it feasible to implement a system wherein the image captured by the cameras is verified against records with the Department of Road Transportation to automatically ascertain the classification and accompanying Toll Fee to be charged?

5. Terms and Scope of assignment

The scope of the IT audit is based on examination procedures outlined by the IS Audit Standards. These standards enabled us to test and compare ABC Toll Company’s general computer controls against international benchmarks and widely accepted best practices within the sector. Where applicable, we referenced various information systems/technology guidelines issued by the ICAI. We also referenced the Control Objectives for Information and Related Technology (CobiT) published by the Information Systems Audit and Control Foundation, which is an international open standard of good practices for IT governance, security, and control.

The IT audit includes completing the procedure issued by the Institute of Chartered Accountants of India for doing IS audit, the Information Security questionnaire, Information Systems Technology Procedural Testing reports, and other applicable IT auditing questionnaires.

Information systems controls involve specific activities performed by people (manual) or by systems (automatic) to ensure the confidentiality and integrity of data as well as the continuity of Information and Communication Technology (ICT) systems. These controls can be divided into two broad categories: application controls and general controls. Application controls apply to specific software programs or “Applications”. These Applications or Programs are used to facilitate key business processes within an organization, e.g. Payroll and Accounts are typical processes that are dependent on software applications. Application controls are designed to ensure the complete and accurate processing of data from input to output. Our audit focused on assessing the efficiency and effectiveness of ABC Toll Company’s general computer controls to ensure that systems, policies and procedures are in place to preserve the integrity and confidentiality of data.

This involved the review and testing of controls in the following areas:

• Physical and Environmental Security;
• Access Controls and System/Network Security;
• Business Continuity and Disaster Recovery;
• Change Management and Control;
• Management of Human Resources and Corporate Governance.

The scope of the information systems/technology audit covers:

1. Senior management involvement, review applicable minutes

2. Network, workstation, Internet, disaster recovery, and other IT security policies
3. Overall security procedures

4. Segregation of IT duties

5. Internal quality and integrity controls

6. Data communication security

7. User identification authorization

8. User level of accessibility

9. Restricted transactions

10. Activity and exception reports

11. Backup procedures

12. Other operational security controls

13. Insurance coverage

14. Network security, which includes the Internet

15. Internal auditing procedures

16. Contingency planning and disaster recovery

17. Internet security procedures

18. Vendor due diligence

19. Internet banking controls and procedures

20. Internal procedures and controls around your IT system, whether internal or external processing

The IS audit would involve the following IT security tests also:

1. Domain server security settings
2. Virtual machine/guest security settings
3. Workstation security settings
4. Network user access
5. Core application access
6. Network topology security analysis
7. Systems security features and controls
8. Sampling for unauthorized software
9. Outsourcing/cloud activities
10. Internal network penetration/vulnerability test


6. Logistic arrangements required

Infrastructure Required

It will be necessary for the company to appoint one coordinator who will be part of the discussion on the work plan initially and continue to work with the ARA team till the assignment is complete.

The Company will make available the necessary computer time, software resources and support facilities necessary for completing the assignment within the agreed timeframe.

The conduct of the assignment should be adequately communicated to the required personnel so as to facilitate extensive cooperation from the respective personnel.

During the course of the assignment, we will require the following infrastructure.

a. Three Nodes with read only access to implemented software.

b. One Laptop with Windows 8/Microsoft Office 2013.

c. Access to a laser printer for printing reports as required.

d. Adequate seating and storage space for audit team.

e. Facilities for discussion amongst our team and your designated staff.

Documentation required

• Network Chart
• User manual and technical manuals relating to system software.
• Organization chart outlining the organization hierarchy and job responsibilities.
• Access to circulars/guidelines issued to employees.
• Access to user manuals and documentation relating to software implementation.
• Any other documentation identified by us as required for the assignment.

Utilization of CAAT:

While conducting the audit we intend to utilize data generated from the SCARF concurrent audit tools so as to give us a better understanding of the critical areas and the kind of transactions that are most frequently processed incorrectly.

7. Methodology and Strategy adapted for execution of assignment


i. SCOPING AND PRE-AUDIT SURVEY

Here we determine the main areas of focus and any area that is explicitly out of scope, based on the scope definition agreed with management.

ii. PLANNING AND PREPARATION

Here the scope is broken down into a greater level of detail, usually involving the generation of the audit work plan or risk control matrix.

iii. FIELDWORK

Gathering evidence by interviewing staff and managers, reviewing documents and observing processes etc. Various fact finding techniques are used.

iv. ANALYSIS

This involves sorting out, reviewing and trying to make sense of all the evidence gathered earlier. The SWOT (Strengths, Weaknesses, Opportunities, Threats) or PEST (Political, Economic, Social, Technological) technique can be used for analysis.

v. REPORTING

Reporting to the management is done after the evidence gathered has been analyzed.

vi. CLOSURE

Closure involves preparing notes for future audits and following up with management to complete the actions they promised.

Our team would perform the following tasks based on the audit methodologies and include the following procedure:

1. Undertake an in-depth study and analysis of all aspects of the implemented software.
2. We will take steps to identify the way in which the system currently operates. In doing so, the following objectives would be kept in mind while setting the overall goals:
 a. Accurate and complete processing of data.
 b. Error messages in case of incomplete/aborted processing of data.
 c. Optimized data handling and storage.
 d. Better management of information.

3. Review the software in operation and understand how the various modules interact with each other.
4. Review how each module in the system has been tested, including the documentation prepared in respect of each.
5. Review the method employed for implementation of the system, including the post-implementation review procedure.
6. Understand the business processes and review how these have been mapped in the information system by tracing the modules in a top-down approach.
7. Review the controls established over the continuity of stored data, necessary to ensure that once data is updated to a file, the data remains correct and current in the file.
8. Review the procedures established for backup and recovery of files in the package.
9. Review the controls established for the development, documentation and amendment of programs so as to ensure that they go live as intended.
10. Review the controls established so as to ensure that only valid transactions are processed.
11. Review the controls established which ensure that all transactions are input and accepted for further processing and that no transaction is processed twice.
12. Review the inbuilt controls for stored data so as to ensure that only authorized persons have access to data on computer files.

AUDIT TOOL USED FOR CONDUCTING AUDIT

We have used the following audit tool while conducting the audit, brief details of which are as follows.

SYSTEM CONTROL AUDIT REVIEW FILE (SCARF)

The SCARF technique involves embedding audit software modules within a host application system in order to provide continuous monitoring of the system’s transactions. Information collected is written on to a special audit file known as the SCARF master file. We then examine the information collected in the file to determine whether some aspect of the application system requires follow up.

We use the SCARF technique in order to collect the following information:

a. Application system errors: To check whether the Toll Bridge application system is working properly or not.

b. Policy and procedure variances: To check that the Toll Bridge system has processed the data as per the business logic and that it has met the organisation’s policies.

c. System exceptions: To check that system exceptions have been generated properly and are available for audit.

d. Statistical sampling: In this phase, statistics simplifies the problem by using a technique called sampling. By conducting a statistical sample, our workload can be cut down immensely. Rather than tracking the behaviour of thousands of ABC Toll Company’s transactions, we only need to examine those hundreds of transactions which have procedural variances.

e. Performance measurement: To check whether system performance is as per the standard or not.
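As an added illustration of the SCARF approach described above (not code from this report or from ABC Toll Company’s system), the following Python embeds an audit hook in a hypothetical transaction-posting routine. The hook applies the tests listed (application error, policy variance, system exception, performance) to each transaction as it is posted, writes its findings to a SCARF master file, and the reviewer then summarises the file and draws a statistical sample of the variance records for follow-up. The tariff table, the performance threshold, the file layout and the sample transactions are constructed assumptions.

```python
import json
import os
import random
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumed fee schedule and performance standard (constructed for this example).
TARIFF = {"CAR": 50, "LCV": 80, "BUS": 150, "TRUCK": 200}
MAX_PROCESSING_MS = 500


@dataclass
class TollTxn:
    txn_id: str
    lane_id: str
    operator_id: str
    category: str
    fee_collected: int
    validated: bool      # was the Validation button pressed before posting?
    processing_ms: int   # time the application took to post the record


def scarf_checks(txn: TollTxn) -> List[Dict[str, str]]:
    """Embedded audit tests; each finding becomes one SCARF master file record."""
    findings: List[Dict[str, str]] = []

    def record(kind: str, detail: str) -> None:
        findings.append({"txn_id": txn.txn_id, "lane_id": txn.lane_id,
                         "operator_id": txn.operator_id, "type": kind, "detail": detail})

    expected = TARIFF.get(txn.category)
    if expected is None:
        # Application error: the system accepted a category it has no tariff for.
        record("APPLICATION_ERROR", f"unknown classification {txn.category!r}")
    elif txn.fee_collected != expected:
        # Policy variance: the fee posted does not match the tariff for the category.
        record("POLICY_VARIANCE", f"collected {txn.fee_collected}, tariff {expected}")
    if not txn.validated:
        # System exception: the record was posted without the validation event.
        record("SYSTEM_EXCEPTION", "posted without validation")
    if txn.processing_ms > MAX_PROCESSING_MS:
        record("PERFORMANCE", f"{txn.processing_ms} ms exceeds {MAX_PROCESSING_MS} ms")
    return findings


class ScarfMasterFile:
    """Append-only JSON-lines file holding the embedded module's findings."""

    def __init__(self, path: str) -> None:
        self.path = path

    def append(self, records: List[Dict[str, str]]) -> None:
        with open(self.path, "a", encoding="utf-8") as fh:
            for r in records:
                fh.write(json.dumps(r) + "\n")

    def read(self) -> List[Dict[str, str]]:
        if not os.path.exists(self.path):
            return []
        with open(self.path, encoding="utf-8") as fh:
            return [json.loads(line) for line in fh if line.strip()]


def post_transaction(txn: TollTxn, master: ScarfMasterFile) -> int:
    """Hypothetical host-application posting routine with the SCARF module embedded.
    Returns the number of findings written for this transaction."""
    findings = scarf_checks(txn)
    master.append(findings)
    # The host application would write txn to its own database at this point.
    return len(findings)


def summarise(master: ScarfMasterFile) -> Dict[str, int]:
    """Count master-file records by finding type for the reviewer."""
    return dict(Counter(r["type"] for r in master.read()))


def sample_variances(master: ScarfMasterFile, n: int, seed: int = 0) -> List[str]:
    """Statistical sample of policy-variance transactions selected for follow-up."""
    pool = [r["txn_id"] for r in master.read() if r["type"] == "POLICY_VARIANCE"]
    return random.Random(seed).sample(pool, min(n, len(pool)))


def run_demo() -> Dict[str, object]:
    """Post a constructed batch of transactions and return what the reviewer sees."""
    master = ScarfMasterFile(os.path.join(tempfile.mkdtemp(), "scarf_master.jsonl"))
    batch = [  # constructed sample transactions
        TollTxn("X1", "E1", "OP03", "CAR", 50, True, 120),      # clean
        TollTxn("X2", "E1", "OP03", "TRUCK", 150, True, 130),   # under-collected
        TollTxn("X3", "W2", "OP11", "BUS", 150, False, 110),    # no validation
        TollTxn("X4", "W2", "OP11", "LCV", 80, True, 900),      # slow posting
        TollTxn("X5", "E4", "OP08", "TRAILER", 50, True, 100),  # no tariff
        TollTxn("X6", "E4", "OP08", "CAR", 20, True, 95),       # under-collected
    ]
    for txn in batch:
        post_transaction(txn, master)
    return {"summary": summarise(master), "sample_ids": sample_variances(master, 2)}


if __name__ == "__main__":
    print(run_demo())
```

Because the hook runs inside the posting path, a series of small under-collections that would be invisible in daily totals still produces one master-file record each, which is what makes the later sampling and per-operator follow-up possible.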

8. Documents reviewed

An organization’s policies and procedures and the various internal controls put in place to enforce these policies and procedures towards the attainment of organizational goals can be understood through relevant documents maintained by the auditee concern. The documents that would need to be reviewed to gain a reasonable understanding of the aforementioned policies / procedures / controls are specified below:

1. The events that trigger the activation of plans and which describe the process to be followed before each plan is activated.

2. Emergency procedures which describe the action to be taken following an incident which jeopardizes business operations and human life. This should include arrangements for public relations management and for effective liaising with appropriate public authorities, e.g. police, fire services and local government.

3. Fallback procedures which describe the action to be taken to move essential business activities to an alternate temporary location, to bring business processes back into operation in the required time scale.

4. Resumption procedures which describe the action to be taken in order to return to normal business operations.

5. Maintenance schedule, which specifies the process for maintaining the plan.

6. Awareness and education activities, which are designed to create understanding of the disaster recovery process.

7. The responsibilities of individuals, describing who is responsible for executing which component of the plan.

8. Contingency plan document distribution list.

9. Detailed description of the purpose and scope of the plan.

10. Contingency plan testing and recovery procedures.

11. Checklist for inventory taking and updating the contingency plan on a regular basis.

12. List of phone numbers of employees in the event of emergency.

13. Medical procedures to be followed in case of injury.

14. Emergency phone list for fire, police, hardware, software, supplier, backup location.

15. Insurance papers and claim forms.

16. Backup location contractual agreement correspondence.

17. Names of employees trained for emergency situations, first aid and life saving techniques.

18. Alternate manual procedures to be followed during the period of disruption.

19. Location of data program files, data dictionary, documentation manuals, source and object code and data media.

20. Primary computer centre hardware, software, peripheral equipment and software configuration.

9. References

List of Standards / Guidelines and best practices that have been the basis of this IS Audit

i. The basic principles of audit as enumerated in SA 200 shall apply to an IS Audit too. Therefore, adequate consideration should be given to:
 • Integrity, objectivity, independence
 • Skill and Competence
 • Confidentiality
 • Work performed by others
 • Documentation
 • Internal Control assessment to assure validity, reliability and security of information and IS
 • Audit conclusions and reporting.
ii. The following categories of the Information Technology Assurance Framework would have to be adhered to:
 • 1000 Series – General Standards
 • 1200 Series – Performance Standards
 • 1400 Series – Reporting Standards
iii. COBIT 5 specific process MEA02 – Monitor, Evaluate and Assess the System of Internal Controls would be applicable.
iv. A BCP audit should be programmed to cover the applicable laws, standards and frameworks. To ensure that this is followed, COBIT 5 specific process MEA03 – Monitor, Evaluate and Assess Compliance with External Requirements should be adhered to.
v. COBIT 5 – DSS04: Manage Continuity – this provides a framework of best practices in BCP.
vi. COBIT 5 – BAI04: Manage Availability and Capacity.
vii. ISO 22301: Standard on Business Continuity Management
viii. Statement on Standards for Attestation Engagements (SSAE) 16
ix. IT Infrastructure Library (ITIL)

10. Deliverables
1. Soft and hard copies of the checklists used for the audit. These include the various checklists used in conducting the audit; they serve as checkpoints against which the various facts have been identified and evaluated, and are used to ensure that each and every aspect covered in the audit programme has been verified and evaluated.
2. Soft or hard copy of the audit methodology: this includes the various strategies and techniques used by us for carrying out the audit. These strategies help us conduct the audit in accordance with generally accepted standards and complete it in a timely manner.
3. Draft Audit Report: the draft audit report includes the various facts found by us during the audit, including the weaknesses in the implemented internal controls. In it we have also specified recommendations for improving the existing ongoing processes and the system of internal control.
4. Executive summary: the executive summary includes the names and designations of the various executives at the various levels of management, such as top level, middle level and operational level.
5. Final Audit Report: in this we will incorporate management's comments and the agreed priority plan of action based on exposure analysis. This also includes the facts and weaknesses accepted by management and the follow-up actions which management has agreed to take.
6. Documentation: this includes
- a brief summary of the relevant observations which we made during the audit,
- a summary of the work done by us during the audit,
- management representations taken by us,
- copies of various correspondence.

11. Format of Report/Findings and Recommendations

Given below is a report of our findings based on our observations. We have also specified hereunder our recommendations which, to the best of our knowledge, will ensure proper functioning of the BCP as well as avoid instances of revenue loss:

Finding 1. Power backup for Workstations and Server

Observation: UPS and battery have been installed to cover short term power outages (up to 2 hours), while a generator has been installed as backup in the event of a longer power outage.
Exposure: In the event of a longer power outage there is a possibility of human error, in that the generator is not turned on in time. This would result in a break in the services provided and consequently a loss of revenue.
Cause: There is no automated mechanism to ensure that the generator comes on automatically in the eventuality of a long duration power outage.
Recommendation: There should be a system in place, preferably computerized, to ensure that if the period of electricity outage exceeds a predetermined time (say 30 minutes) the generator turns on automatically, or a named person should be given the responsibility of turning the generator on as soon as there is a power outage. In the case of a manually operated system, it is our opinion that the generator should come on within 15 minutes of the power outage. In either case the changeover should be tested at regular intervals, so that a fault in the generator is not discovered for the first time during a real outage.

Finding 2. The auditee organization has installed a generator in order to meet long power cuts.

Observation: We found that a sufficient quantity of fuel was not maintained to operate the generator for a long period.
Exposure: In the eventuality of a long drawn out power outage the generator will be required to be put into service. For this it is imperative that a predetermined quantity of fuel is specified to be maintained at the Toll Plazas at all times, so as to ensure 24/7 service.
Cause: There have been many cases of political unrest quite recently in Bangalore. It is usually in events such as these that there is a shortage of fuel.
Recommendation: There should be at least 20 litres of diesel at the Toll Plazas at any given point in time, so as to ensure that there is no loss of revenue due to unavailability of IT systems; this minimum should be checked against the generator's actual consumption rate and the longest outage the plaza is expected to ride through. Maintaining a sufficient quantity of fuel is also necessary keeping in view that there are no petrol or diesel pumps in the immediate vicinity of the Toll Plaza. The generator should also be maintained regularly. In our opinion it is not necessary for the auditee organization to have any further lines of defence regarding this matter: a UPS and battery with 2 hours of standby time and a generator are adequate to take care of electricity backup requirements.

Finding 3. The auditee organization has installed smoke detectors and fire extinguishers to safeguard assets.

Observation: It was observed that the fire extinguishers were not usable as they had not been serviced recently. It was also observed that the number of fire extinguishers was not commensurate with the area to be covered.
Exposure: All the IT assets, namely servers and workstations, are on site and as such are vulnerable to fire. Even the backup server is on site, and this implies that an accidental fire would wipe out any chance of recovery.
Cause: The area of the toll plaza is quite open and allows a fire to spread rapidly.
Recommendation: As a top priority the number of fire extinguishers should be increased to two per toll booth, i.e. a total of 16 fire extinguishers need to be on site at any given time. It is absolutely important to enter into an AMC (annual maintenance contract) for checking the functionality and servicing of the fire extinguishers. Since the backup server shares the site with the primary systems, a copy of the backups should also be kept at a location away from the toll plaza, so that a single fire cannot destroy both the live data and its backup.
Finding 4. All control over revenue leakage is exercised by tallying the toll fee received against images of the relevant vehicle.

Observation: Many of the images captured by the cameras at the toll booths are very blurry. In many cases it is impossible to identify even the make of a vehicle.
Exposure: This could lead to massive revenue losses. The difference in toll fee between a four wheel drive and a small car is Rs 15/-. The four wheel drive traffic on the bridge on any given day is estimated at 600 vehicles. If every such vehicle were charged at the small car rate, the possible loss of revenue would be Rs 15 x 600 x 365 = Rs 32,85,000/- every year.
Cause: Bangalore is quite susceptible to fog, and even smog is becoming a regular phenomenon there. In such conditions the image quality captured by the 8 cameras is very blurred. There will be no way to audit the correctness of toll fees recovered unless there is a fair level of clarity in the images captured by the cameras.
Recommendation: Special cameras capable of taking clear images in bad lighting and low visibility conditions should be procured to prevent this possible leak in revenue. Another option could be to place cameras at close range, such as at the Alarm Contact Closure, to take close up pictures of the registration numbers of vehicles. This data, when cross referenced against the RTO public database, will enable the auditor to ascertain the type of vehicle and consequently the amount of toll fee applicable.

Finding 5. There is a manual system in place for toll collection which is used in the eventuality of unavailability of IT resources.

Observation: The documentation for switching to manual mode of processing toll fees is absent. Also, minimal authorization is required to implement the switch. At the same time, it is observed that, to be in a position to provide continuous service, the switch should not consume much time.
Exposure: This could lead to major revenue losses, and even audit procedures may not be able to detect the loss of revenue.
Cause: There could be collusion between the operator and the supervisor implementing the manual system. This could result in falsification of records in order to embezzle money.
Recommendation: All authorization for switching to the manual system shall be given by the onsite supervisor. Each switch to and from manual mode, with its time and the authorizing supervisor, should itself be logged, so that the period to be reconciled is known. The person authorizing the switch to the manual system should activate a recording mechanism that begins to record the flow of traffic being streamed from the cameras. Proper manual logs shall be maintained of all vehicles, and the logs should be available for verification against the video feed. An affidavit certifying the truth of the manual logs shall be submitted by the authorizing supervisor. Surprise checks during the manual processing, as well as random tallying of the recorded feed against the manual logs, will ensure prevention of revenue leakage.

Finding 6. There is no security posted at the Toll Booths to safeguard the amount of toll fee received.

Observation: Toll fees are always received in cash and this leads to a sizable build up of cash at the toll booths.
Exposure: Huge amounts of cash remain unguarded at the toll booths. This in itself can defeat the purpose of all the other controls incorporated into the system.
Cause: The layout of the booths is such that it allows any person to quickly grab the cash and speed away in a vehicle.
Recommendation: The cash should be out of sight of anyone outside the booth. Every booth should have an inbuilt safe capable of being operated by the toll booth operator alone. Also, toll booth operators should be trained to raise the boom and let a vehicle pass only after the transaction is concluded and after confirming that there is no one in the immediate vicinity of the toll booth.

Finding 7. Toll Booth Operators manually enter the classification of a vehicle.

Observation: There is no failsafe incorporated in the system to ensure that the classification of a vehicle as entered by the Toll Booth operator actually matches the images captured.
Exposure: Any difference in rates of toll may be pocketed by the toll booth operator.
Cause: There is no mechanism in place to ensure that the classification as entered by the toll booth operator is correct.
Recommendation: The RTO has a public database of all registered vehicles. The Toll Application Software should access this database to look up the registration numbers captured by the close-up cameras, and the registered vehicle type can then be used for classification. This classification may be compared with the classification made by the toll booth operator and, after allowing a reasonable margin of error, if there is any discrepancy the operator may be held accountable. Such checks should be made on a sampling basis as the cost of such technology could be prohibitive. There could also be a maker checker system wherein one operator does the classification and another operator further on makes the collection of the toll fee.
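The comparison described in this recommendation, together with the unreadable-image problem of Finding 4, can be expressed as a reconciliation run over the toll transaction log. The following Python is an added illustration prepared for this report and is not part of the auditee's Toll Application Software. The tariff values, vehicle classes, the RTO lookup table and the transaction records are constructed sample data (only the Rs 15 gap between a small car and a four wheel drive is taken from Finding 4), and the 2% tolerance standing in for the "reasonable margin of error" is an assumed figure. The code verifies each transaction against the registered class where a readable plate is available, sets aside transactions whose plate could not be read rather than counting them against the operator, totals the shortfall per operator, flags operators whose discrepancy rate exceeds the tolerance, and draws a deterministic sample for the sampling-basis check.

```python
"""Operator-entered vehicle class vs. registered class: added illustration for
Findings 4 and 7, not the auditee's Toll Application Software. Tariffs, classes,
the RTO lookup and the transaction log are constructed sample data."""
import math
import random
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed tariff in Rs. Only the Rs 15 gap between a small car (CAR) and a
# four wheel drive (FWD) comes from Finding 4; the other values are assumed.
TARIFF: Dict[str, int] = {"CAR": 20, "FWD": 35, "LCV": 50, "BUS": 80}

# Constructed stand-in for the RTO public database: registration -> class.
RTO_LOOKUP: Dict[str, str] = {
    "KA01AB1234": "CAR", "KA05CD5678": "FWD", "KA03EF9012": "FWD",
    "KA02GH3456": "LCV", "KA09JK7890": "BUS",
}

@dataclass
class TollTransaction:
    txn_id: str
    booth: int
    operator: str
    plate: Optional[str]   # None when the close-up image was unreadable
    entered_class: str     # class keyed in by the toll booth operator
    collected: int         # Rs actually collected

@dataclass
class Discrepancy:
    txn_id: str
    operator: str
    plate: str
    entered_class: str
    registered_class: str
    shortfall: int         # tariff for the registered class minus Rs collected

# Constructed transaction log for one shift.
SAMPLE_LOG: List[TollTransaction] = [
    TollTransaction("T001", 1, "op_a", "KA01AB1234", "CAR", 20),  # correct
    TollTransaction("T002", 1, "op_a", "KA05CD5678", "CAR", 20),  # FWD keyed as CAR
    TollTransaction("T003", 2, "op_b", "KA03EF9012", "FWD", 35),  # correct
    TollTransaction("T004", 2, "op_b", "KA02GH3456", "CAR", 20),  # LCV keyed as CAR
    TollTransaction("T005", 3, "op_c", None, "CAR", 20),          # plate unreadable
    TollTransaction("T006", 3, "op_c", "KA09JK7890", "BUS", 80),  # correct
    TollTransaction("T007", 4, "op_d", "KA05CD5678", "FWD", 20),  # class right, fee short
]

def reconcile(txns, lookup=RTO_LOOKUP, tariff=TARIFF):
    """Return (discrepancies, unverifiable). A discrepancy is a keyed class that
    differs from the registered class, or a collected amount that differs from
    the tariff for the registered class. Unreadable or unknown plates are the
    Finding 4 problem and are set aside, not charged to the operator."""
    discrepancies, unverifiable = [], []
    for t in txns:
        if not t.plate or t.plate not in lookup:
            unverifiable.append(t)
            continue
        registered = lookup[t.plate]
        expected = tariff[registered]
        if t.entered_class != registered or t.collected != expected:
            discrepancies.append(Discrepancy(t.txn_id, t.operator, t.plate,
                                             t.entered_class, registered,
                                             expected - t.collected))
    return discrepancies, unverifiable

def shortfall_by_operator(discrepancies):
    """Total Rs under-collected per operator."""
    totals = defaultdict(int)
    for d in discrepancies:
        totals[d.operator] += d.shortfall
    return dict(totals)

def flag_operators(txns, discrepancies, tolerance=0.02, lookup=RTO_LOOKUP):
    """Operators whose discrepancy rate over their verifiable transactions
    exceeds the tolerance (the 'reasonable margin of error'; 2% is assumed)."""
    verifiable = defaultdict(int)
    for t in txns:
        if t.plate and t.plate in lookup:
            verifiable[t.operator] += 1
    flagged = defaultdict(int)
    for d in discrepancies:
        flagged[d.operator] += 1
    return {op for op, n in flagged.items() if n / verifiable[op] > tolerance}

def sample_for_check(txns, fraction, seed):
    """Deterministic sample for the sampling-basis check; record the seed in the
    working papers so the same sample can be re-drawn."""
    k = max(1, math.ceil(len(txns) * fraction))
    return random.Random(seed).sample(list(txns), k)

def annual_exposure(rate_gap=15, daily_vehicles=600, days=365):
    """Yearly leakage if every vehicle of the higher class were charged at the
    lower rate: the Rs 32,85,000 figure of Finding 4."""
    return rate_gap * daily_vehicles * days
```

On the constructed log, reconcile() reports T002 and T004 (class keyed down) and T007 (correct class but Rs 15 short), sets T005 aside as unverifiable, and flag_operators() names op_a, op_b and op_d at the 2% tolerance. Keeping unreadable plates out of the discrepancy count matters: if the Finding 4 camera problem were folded into the operator check, an honest operator on a foggy shift would be flagged for images the system could not read.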

Finding 8. Servers and Workstations are connected by physical cable.

Observation: There is no backup to the physical cables that connect the workstations to the servers.
Exposure: The entire IT setup will be useless without the networking cables. The BCP and every other system or plan put into place assume in the first place the existence of a functional IT system. A cable failure would normally result in the triggering of the manual system, but as discussed above this could lead to revenue losses.
Cause: The disruption of the cables is a single point of failure in the system.
Recommendation: An alternative connection should be available to replace any disrupted link within an acceptable time. The cables should be buried deep enough in the earth to ensure that there is no accidental disruption of connectivity.

12. Summary/Conclusion

ABC Toll Company has the lead role in the development and implementation of information systems for various departments, in particular the revenue departments. The organization is mandated to provide ongoing operating service, support and maintenance for these systems and to ensure that controls are in place to maintain the integrity of all data within them. We found that certain controls within the organization were not consistently complied with, while others were absent or not adequately reviewed or monitored in accordance with international standards and best practice. Consequently, ABC Toll Company's capacity to guarantee the security and operational efficiency of the information systems under its control may be impaired if the potential information systems security risks materialize.

We therefore urge the management of ABC Toll Company to carefully review the recommendations contained in this report with a view to strengthening their control systems by adopting the measures outlined.

Overall, ABC Toll Company has a sound governance framework that provides effective decision making, strong leadership and oversight. Except for the opportunities for improvement identified in this report, ABC Toll Company has good and effective management controls and practices. Processes exist in planning, budgeting, forecasting, results and performance reporting, coding and delegation of authorities.

Audit criteria were used to assess the identified key risks, management control framework and practices. The following is a summary of results.

Assessed Area                                    Result
Governance structure and strategic directions    Criteria met
Planning, budgeting, forecasting and reporting   Criteria met
Results and performance reporting                Criteria partially met
Transaction processing and coding                Criteria mostly met
Delegation of authorities                        Criteria met
