DISA 2.0 Course
CERTIFICATE
This is to certify that we have successfully completed the DISA 2.0 course training conducted at: BHOPAL from 18 June 2016 to 31 July 2016 and we have the required attendance. We are submitting the Project titled: Security and Control Risk assessment of Toll Bridge Company
We hereby confirm that we have adhered to the guidelines issued by CIT, ICAI for the project.
We also certify that this project report is the original work of our group and each one of us has actively participated and contributed in preparing this project. We have not shared the project details or taken help in preparing the project report from anyone except members of our group.
Place: BHOPAL
Date: 08/08/2016
Table of Contents
1. Introduction
2. Auditee Environment
3. Background
4. Situation
8. Documents reviewed
9. References
10. Deliverables
12. Summary/Conclusion
Project Report
The two main stakeholders in the efficient functioning of ABC Toll Company are:
1. The Senior Management – they want assurance of the continuity of the business, which relies heavily upon IT systems, and
2. The Government – they want assurance of non-leakage of revenues from the daily operation of the toll bridge.
With the aforementioned facts in mind, we, BIG3 Associates, have been contracted to conduct an IS Audit so as to:
1. Introduction
ABC Toll Company (ABC Toll Co.) is in the business of administering the collection of toll charges on the Bangalore–Hassan Toll Bridge. It has been set up as an autonomous Company and has been authorized by the Government to collect toll during the period of license. The license will span a period of 8 years, after which the functioning of the Company shall cease. The organization structure of ABC & Co. is flat, as there are only three levels of hierarchy in the management of the company.
The Management's view is that there should be a reliable computerized system in place to collect and account for Toll fee. A fully computerized system has been developed for that purpose by their IT Department. We, BIG3 Associates, have been contracted to conduct an IS Audit to:
We at BIG3 Associates are a firm of Chartered Accountants with extensive experience in the area of Information Systems Audit. Our clients in the past five years have given us splendid testimonials and consider us partners in their quest for value creation for all stakeholders. Some of the areas we have worked in are:
Manufacturing of garments
Retail and wholesale of FMCGs
Educational Institutions
Parking Lot management agencies, and
Hotel chains
CA TARUN PANWAL - with 4 years of experience as a practicing chartered accountant, having great experience of working in PWC, specialized in the field of internal audit.
2. Auditee Environment
Organization Structure
For the purpose of convenience, the three levels shall be referred to as the Policy, Strategy and Maintenance levels. As is evident from the names of the different levels, their functions shall involve Policy making, Strategy creation to implement the policies formulated, and the Maintenance and upkeep of the entire IT System.
Enabling Technologies
The Strategy level has decided that the IT system required for the purpose would entail setting up a network in the Client-Server architecture. The server runs on Windows 2008 OS and the DBMS is Oracle. The minicomputer is connected to a standby server with disk mirroring capability. Thus at any one time there exist two sets of backup. Also there is no disruption of business due to switch-over to the standby server in case of any disruption. This is in consensus with the policy of the management of having assurance of non-disruption of business in the eventuality of failure of one or more interface points. The system comprises eight Windows Workstations (terminals), of which four (two each on the East and West sides) are on standby. The connectivity between the Toll Plaza (servers) and Toll Booths (Workstations) is through physical cabling. The Main Server is located on the East plaza, while the Backup Server is located on the West Plaza.
Enabling Software
Among the Indian legislations, the following are some regulatory requirements that will have to be taken into consideration while conducting the IS Audit of ABC Toll Company:
Information Technology Act,
Income Tax Act,
Service Tax Act (Finance Act)
Central Excise Act
3. Background
The main reasons for conducting the IS audit of ABC Toll Company are listed below:
ABC Toll Company has formulated a BCP plan to ensure that they can continue all critical operations, recover from a disaster and continue operations with the least impact. Considering that the environment in which the business functions is constantly changing by varied degrees, it is of great importance to review the plans to evaluate if they continue to be adequate and appropriate in achieving the predetermined acceptable level of risk. During the course of such an audit, old risks and threats might be found to be redundant while new ones become evident. Besides this, residual risks that had not been considered earlier may be discovered. Quantification of these risks and threats would help determine whether the BCP is adequate or needs revision.
Escapement of Revenue
ABC Toll Company was formed with the objective of administering the collection of Toll fee on the Bangalore–Hassan toll bridge. The various weaknesses in the IT system that compromise the correct accounting of moneys received have been discussed below under subheading 4. Situation.
Data is a critical resource of ABC Toll Company for its present and future processes and for its ability to adapt to a changing environment. Moreover, since the company is engaged in the business of toll collection and administration, and such businesses are always prone to revenue leakage, it is the data and its audit which prevent such revenue leakage. Therefore, in order to ensure that such data is protected, an IS Audit becomes a necessity for them.
The toll collection system of ABC company is totally automated, for which it deploys sophisticated and costly hardware (such as minicomputers and workstations) and software (such as Windows Server and Oracle). Unauthorized access to the computer system, malware, unauthorized physical access to computer facilities and unauthorized copying of sensitive data can lead to destruction of assets. That is why, in order to avoid such abuse, an IS Audit is a must.
Since ABC company operates in a computerized environment where many critical business processes are performed, a data error during entry or processing can cause great damage, i.e. the biggest amount of revenue can be leaked by making a series of small-value errors, since such errors are difficult to detect. Hence, to ensure the prevention of such errors/omissions, an IS Audit is necessarily required.
ABC company uses Information Technology for toll collection purposes; the reliability of complex computer systems cannot be guaranteed, and the consequences of using an unreliable system can be destructive. Moreover, changes in the environment can make the use of the computer purposeless, unless capabilities have been incorporated in the computer to cope with the changing environment. Therefore, in order to ensure that the computer serves the purpose for which it was initially developed, and to avoid destruction which may arise due to use of an unreliable system, an IS Audit is compulsory.
MAINTENANCE OF PRIVACY
Data collected by ABC company in a business process contains private information of individuals too, e.g. private information of employees of ABC company. These data were also collected before computer use, but now there is a fear that privacy has eroded beyond an acceptable level. Therefore, in order to maintain the confidentiality of the information in the information system, an IS Audit becomes a need of ABC Company.
These are the critical resources of the organization and have a credible impact on its infrastructure and business competitiveness. Hence, in order to protect them, an IS Audit is a must.
4. Situation
This IS Audit has been undertaken to verify the adequacy and appropriateness of the BCP of ABC Toll Company and also to make recommendations for revisions in the BCP or other IT system components on the basis of an analysis of areas that may be subject to leakage of revenue. The "As is" situation of the auditee organization that makes it imperative to conduct an IT Audit is summarized hereunder:
(i) Can the backup server replace the other server for a sufficiently long period?
(ii) Are any changes in software applications that help run the system backed up onto the backup server also?
(iii) How often is the disk mirrored?
(iv) What are the safeguards to ascertain that the data is fully backed up?
(v) Are there checks in place to evaluate if the processing in the new server has picked off from where the main server left off?
(vi) Does the main server or backup server have the capability of recording the exact point of failure?
(vii) When the backup server is brought into use, is there a check by the IT department
network architecture. This situation gives rise to the following probable problem areas / control weaknesses:
(i) Is there any alternative to disruption in connectivity by the physical cable?
(ii) Is the system capable of diagnosing that processing at any one or more workstations is faulty? If so, what are the emergency procedures that are programmed to occur once such an anomaly is detected?
(iii) As Hubs are single points of failure, are sufficient measures in place to ensure that operations are not impacted?
Electricity backup is maintained by employing UPS and batteries providing two hours' backup in addition to the generator. This situation gives rise to the following probable problem areas / control weaknesses:
(i) Are the UPS / battery regularly maintained and capable of providing adequate backup?
(ii) Is the fuel for the generator regularly monitored so as to ensure that the set-up functions as planned?
(iii) Is the time of backup planned for (2 hours) correct or is it subject to revision?
Costs for fire extinguishers, smoke detectors and adequate Insurance cover have been incurred to ensure that assets are safeguarded. There are two backup toll booths on each side of the Toll Bridge and a backup server to ensure continuity of business. This situation gives rise to the following probable problem areas / control weaknesses:
(i) Are the fire extinguishers / smoke detectors in good working condition?
(ii) Is the extent of Insurance cover based on a scientific valuation of losses that may be incurred?
(iii) Are all the requisite documents required to process an insurance claim maintained separately and at a secure location?
(iv) Are the machines that are on backup well maintained and up to date?
There is a system of manual operations in the eventuality of any compromise in the functioning of the IS. This situation gives rise to the following probable problem areas / control weaknesses:
(i) Are there proper manuals setting out in clear terms the processes, procedures, accountability and the hierarchy of reporting when the IT systems are not available for use?
(ii) Are the operators adequately trained in the implementation of this switch-over to manual systems?
(iii) Has there been adequate testing of the manual alternative by simulating actual conditions?
(iv) Are there processes and procedures in place to ensure that all the necessary changes that could not be recorded in the IT system due to the implementation of manual operations are updated in the IT system before resuming processing using the IT Systems?
(v) Is proper documentation maintained of all transactions processed manually?
(vi) Is there a documented stipulation of the hierarchy of persons and the areas for which the different persons involved shall be held accountable in the event of manual operations?
The Operator at the toll booth uses his discretion to classify vehicles for the purpose of calculation of Toll Fee. This situation gives rise to the following probable problem areas / control weaknesses:
(i) Is there a regular audit performed using the Audit module of the Application Software to verify the correctness of the Toll Fees collected?
(ii) Is a standard established to assist the Toll Booth Operator in making a decision regarding the classification of vehicles?
(iii) Is there any limit set for the margin of error by the Toll Booth Operator?
(iv) Is it feasible to implement a system wherein the image captured by the cameras is verified against records with the Department of Road Transportation to automatically
This involved the review and testing of controls in the following areas:
2. Network, workstation, Internet, disaster recovery, and other IT security policies
3. Overall security procedures
4. Segregation of IT duties
9. Restricted transactions
20. Internal procedures and controls around your IT system, whether internal or external processing
Infrastructure Required
It will be necessary for the company to appoint one coordinator who will be part of the discussion on the work plan initially and continue to work with the ARA team till the assignment is complete.
The Company will make available the necessary computer time, software resources and support facilities necessary for completing the assignment within the agreed timeframe.
The conduct of the assignment should be adequately communicated to the required personnel so as to facilitate extensive cooperation from the respective personnel.
During the course of the assignment, we will require the following infrastructure.
e. Facilities for discussion amongst our team and your designated staff.
Documentation required
Network Chart
User manual and technical manuals relating to system software.
Organization chart outlining the organization hierarchy and job responsibility.
Access to circulars/guidelines issued to employees.
Access to user manuals and documentation relating to software implementation.
Utilization of CAAT:
While conducting the audit we intend to utilize data generated from the SCARF concurrent audit tools so as to give us a better understanding of the critical areas and the kind of transactions that are most frequently processed incorrectly.
Here we determine the main area of focus and any area that is explicitly out of scope, based on the scope definition agreed with management.
Here the scope is broken down into a greater level of detail, usually involving the generation of the audit work plan or risk control matrix.
iii. FIELDWORK
iv. ANALYSIS
v. REPORTING
Reporting to the management is done after analysis of the evidence gathered.
vi. CLOSURE
Closure involves preparing notes for future audits and following up with management to complete the actions they promised.
Our team would perform the following tasks based on the audit methodologies, which include the following procedure:
1. Undertake an in-depth study and analysis of all aspects of the implemented software.
2. We will take steps to identify the way in which the system currently operates. In doing so, the following objectives would be kept in mind while setting the overall goals:
a. Accurate and complete processing of data.
b. Error messages in case of incomplete/aborted processing of data.
c. Optimize data handling and storage.
d. Better management of information.
3. Review the software in operation and understand how the various modules interact with each other.
4. Review how each module in the system has been tested, including the documentation prepared in respect of each.
7. Review the controls established over the continuity of stored data, necessary to ensure that once data is updated to a file, the data remains correct and current in the file.
8. Review the procedures established for backup and recovery of files in the package.
9. Review the controls established for the development, documentation and amendment of programs so as to ensure that they go live as intended.
10. Review the controls established so as to ensure that only valid transactions are processed.
11. Review the controls established which ensure that all transactions are input and accepted for further processing and that no transaction is processed twice.
12. Review the inbuilt controls for stored data so as to ensure that only authorized persons have access to data on computer files.
We have used the following audit tool while conducting the audit, brief details of which are as follows.
The SCARF technique involves embedding audit software modules within a host application system in order to provide continuous monitoring of the system's transactions. Information collected is written on to a special audit file known as the SCARF master file. We then examine the information collected in the file to determine whether some aspect of the application system requires follow-up.
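The following is an added illustration of the SCARF approach described above; it is not the auditee's application code and not part of the original report. An audit hook embedded in the (hypothetical) toll application checks every transaction against a tariff table, appends exceptions to a SCARF master file, and an auditor's pass over that file then flags two patterns: a single large shortfall, and the "series of small-value errors" pattern mentioned under Background, where each shortfall is individually within tolerance but the total is not. The tariff, operator ids, booth ids, transactions and both thresholds are constructed assumptions.

```python
"""SCARF-style embedded audit module (added illustration, not the auditee's
code). TARIFF, the operators and the transactions are constructed sample
data; the flagging thresholds are assumptions."""
import json
import tempfile
from collections import defaultdict
from dataclasses import dataclass, asdict
from pathlib import Path
from typing import Dict, List

# Constructed tariff table (assumption, not the actual toll schedule)
TARIFF = {"car": 50, "lcv": 80, "bus": 150, "truck": 200}


@dataclass
class TollTransaction:
    txn_id: str
    booth: str
    operator: str
    vehicle_class: str   # class chosen by the booth operator
    fee_collected: int   # amount actually keyed in / received


def check_transaction(txn: TollTransaction) -> List[str]:
    """Pure audit rule: compare the fee collected with the tariff for the class
    the operator chose. Returns exception reasons (empty when clean)."""
    reasons = []
    expected = TARIFF.get(txn.vehicle_class)
    if expected is None:
        reasons.append("unknown_vehicle_class")
    elif txn.fee_collected < expected:
        reasons.append(f"under_collection:{expected - txn.fee_collected}")
    elif txn.fee_collected > expected:
        reasons.append(f"over_collection:{txn.fee_collected - expected}")
    return reasons


class ScarfAuditModule:
    """Hook embedded in the host toll application: every transaction passes
    through audit_hook(); only exceptions are appended to the SCARF master
    file (one JSON record per line) for later examination by the auditor."""

    def __init__(self, master_file: Path):
        self.master_file = master_file

    def audit_hook(self, txn: TollTransaction) -> List[str]:
        reasons = check_transaction(txn)
        if reasons:
            record = {**asdict(txn),
                      "expected_fee": TARIFF.get(txn.vehicle_class),
                      "reasons": reasons}
            with self.master_file.open("a", encoding="utf-8") as f:
                f.write(json.dumps(record) + "\n")
        return reasons


def analyse_master_file(master_file: Path, tolerance_per_txn: int,
                        cumulative_threshold: int) -> Dict[str, dict]:
    """Auditor's pass over the SCARF master file. Per operator it totals the
    shortfalls and raises one of two flags: a single shortfall above the
    per-transaction tolerance, or a run of individually small shortfalls
    whose total exceeds the cumulative threshold."""
    per_op: Dict[str, dict] = defaultdict(
        lambda: {"under_count": 0, "total_shortfall": 0,
                 "max_shortfall": 0, "flags": []})
    if not master_file.exists():        # no exceptions were ever written
        return {}
    with master_file.open(encoding="utf-8") as f:
        for line in f:
            rec = json.loads(line)
            stats = per_op[rec["operator"]]
            for reason in rec["reasons"]:
                if reason.startswith("under_collection:"):
                    shortfall = int(reason.split(":", 1)[1])
                    stats["under_count"] += 1
                    stats["total_shortfall"] += shortfall
                    stats["max_shortfall"] = max(stats["max_shortfall"], shortfall)
    for stats in per_op.values():
        if stats["max_shortfall"] > tolerance_per_txn:
            stats["flags"].append("large_shortfall")
        elif stats["under_count"] > 1 and stats["total_shortfall"] > cumulative_threshold:
            stats["flags"].append("pattern_of_small_shortfalls")
    return dict(per_op)


def sample_transactions() -> List[TollTransaction]:
    """Constructed sample: OP1 under-collects 5 on every car (small but
    repeated), OP2 makes one large error on a truck, OP3 is clean."""
    txns = [TollTransaction(f"T{i}", "E1", "OP1", "car", 45) for i in range(6)]
    txns += [TollTransaction("T6", "E2", "OP2", "bus", 150),
             TollTransaction("T7", "E2", "OP2", "car", 50),
             TollTransaction("T8", "E2", "OP2", "truck", 150),
             TollTransaction("T9", "W1", "OP3", "lcv", 80),
             TollTransaction("T10", "W1", "OP3", "car", 50)]
    return txns


def run_demo() -> Dict[str, dict]:
    """Feed the sample through the embedded module, then analyse the file."""
    with tempfile.TemporaryDirectory() as d:
        master = Path(d) / "scarf_master.jsonl"
        module = ScarfAuditModule(master)
        for txn in sample_transactions():
            module.audit_hook(txn)
        return analyse_master_file(master, tolerance_per_txn=10,
                                   cumulative_threshold=25)


if __name__ == "__main__":
    for op, stats in run_demo().items():
        print(op, stats)
```

The point of the two-tier analysis is that per-transaction checks alone would never surface OP1: each of its shortfalls is within tolerance, and only the aggregate over the SCARF file shows the pattern.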
8. Documents reviewed
An organization's policies and procedures, and the various internal controls put in place to enforce these policies and procedures towards the attainment of organizational goals, can be understood through the relevant documents maintained by the auditee concern. The documents that would need to be reviewed to gain a reasonable understanding of the aforementioned policies / procedures / controls are specified below:
1. The events that trigger the activation of plans and which describe the process to be followed before each plan is activated.
5. Maintenance schedule, which specifies the process for maintaining the plan.
11. Checklist for inventory taking and updating the contingency plan on a regular basis.
16. Emergency phone list for fire, police, hardware, software, supplier, backup location.
19. Names of employees trained for emergency situations, first aid and life-saving techniques.
19. Location of data program file, data dictionary, documentation manual, source and object code and data media.
20. Primary computer centre hardware, software, peripheral equipment and software configuration.
9. References
List of Standards / Guidelines and best practices that have been the basis of this IS Audit
i. The basic principles of audit as enumerated in SA 200 shall apply to an IS Audit too. Therefore, adequate consideration should be given to:
Integrity, objectivity, independence
Skill and Competence
Confidentiality
Work performed by others
Documentation
Internal Control assessment to assure validity, reliability and security of information and IS
Audit conclusions and reporting.
ii. The following categories of the Information Technology Assurance Framework would have to be adhered to:
1000 Series – General Standards
1200 Series – Performance Standards
1400 Series – Reporting Standards
iii. COBIT 5 specific process MEA 02 – Monitor, Evaluate, Assess the System of Internal Controls would be applicable.
iv. A BCP audit should be programmed to cover the applicable laws, standards and frameworks. To ensure that this is followed, COBIT 5 specific process MEA 03 – Monitor, Evaluate and Assess Compliance with External Requirements should be adhered to.
v. COBIT 5 – DSS04: Manage Continuity – this provides a framework of best practices in BCP.
vi. COBIT 5 – BAI04: Manage Availability and Capacity.
vii. ISO 22301: Standard on Business Continuity Management
viii. Statement on Standards for Attestation Engagements (SSAE) 16
ix. IT Infrastructure Library
10. Deliverables
1. Soft and hard copy of the checklists used for the audit. This includes the various checklists which are used in conducting the audit; they work as checkpoints against which various facts have been identified and evaluated. They are used to ensure that each and every aspect covered in the audit programme has been verified and evaluated.
2. Soft or hard copy of the audit methodology: This includes the various strategies and techniques used by us for carrying out the audit. These strategies help us to conduct the audit in accordance with generally accepted standards and to complete the audit in a timely manner.
3. Draft Audit Report: The draft audit report includes the various facts found by us during the audit, which include the weaknesses in the implemented internal controls. In this we have also specified recommendations in order to improve the existing ongoing processes and system of internal control.
4. Executive summary: The executive summary includes the names and designations of the various executives at the various levels of management, such as top level, middle level and operational level.
5. Final Audit Report: In this we will incorporate management comments and the agreed priority plan of action based on exposure analysis. This also includes the facts and weaknesses which are accepted by the management and the promises/follow-up which the management agreed to do.
6. Documentation: This includes;
brief summary of relevant observations which we made during the audit,
Summary of work done by us during the audit.
Management Representation taken by us.
Copies of various correspondences.
Given below is a report of our findings based on our observations. We have also specified hereunder our recommendations which, to the best of our knowledge, will ensure proper functioning of the BCP as well as avoid instances of revenue loss:
Observation: We have found that a sufficient quantity of fuel was not maintained in order to operate the generator for a long time.
Exposure: In the eventuality of a long-drawn power outage, the generator will be required to be put into service. For this it is imperative that a predetermined amount of fuel is specified to be maintained at the Toll Plazas at all times so as to ensure 24/7 service.
Cause: There have been many cases of political unrest quite recently in Bangalore. It is
should also be maintained regularly. In our opinion it is not necessary for the auditee organization to have any more lines of defense regarding this matter. A UPS, Battery with 2 hours of standby time and a generator are adequate to take care of electricity backup requirements.
serviced recently. It was also observed that the number of fire extinguishers was not commensurate with the area to be covered.
Exposure: All the IT assets, namely Servers and Workstations, are onsite and as such are vulnerable to fire. Even the backup server is on site, and this implies that an accidental fire would wipe out any chances of recovery.
Cause: The area of the toll plaza is quite open and allows for a fire to spread rapidly.
Recommendation: As a top priority the number of fire extinguishers should be increased to two per toll booth, i.e. a total of 16 (nos.) fire extinguishers need to be on site at any given time. It is absolutely important to enter into an AMC agreement for checking the functionality and servicing of fire extinguishers.
Finding 4. All control over revenue leakage is exercised by tallying toll fee received against images of the relevant vehicle.
Observation: Many of the images captured by the cameras at the toll booths are very blurry. In
blurred. There will be no way to audit the correctness of toll fees recovered unless
enable the auditor to ascertain the type of vehicle and consequently the amount of Toll Fee applicable.
Finding 5. There is a manual system in place for toll collection which is used in the eventuality of unavailability of IT resources.
Observation: The documentation for switching to manual mode of processing toll fees is absent. Also there is minimal authorization required to implement the switch. At the same
supervisor. The person authorizing the switch to the manual system should activate a recording mechanism that will begin to record the flow of traffic being streamed from the cameras. Proper manual logs shall be maintained of all vehicles. The logs should be available for verification against the video feed. An affidavit certifying the truth of the manual logs shall be submitted by the authorizing supervisor. Surprise checks both during the manual processing as well as random tallying of the recorded feed against manual logs will ensure prevention of revenue leakage.
alone. Also, toll booth operators should be trained to raise the boom and let a vehicle pass only after the transaction is concluded and after confirming that there is no one in the immediate vicinity of the toll booth.
Software should access this database to compare the registration numbers captured by the close-up cameras. This data can be used for classification. This classification may be compared to the classification made by the toll booth operator and, after considering a reasonable margin of error, if there is any discrepancy, the operator may be held accountable. Such checks should be made on a sampling basis, as the costs of such technology could be prohibitive.
There could also be a maker-checker system wherein one operator does the classification and another operator further on makes the collection of toll fee.
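As an added illustration of the two controls recommended above (not part of the original report and not the auditee's software), the block below reconciles each operator's vehicle classification against a registration lookup on a sample of transactions, applies a margin of error before marking an operator accountable, and implements the maker-checker rule for fee collection. The registration table stands in for the Department of Road Transportation records; the plates, transactions, operator ids and the 5% margin are all constructed assumptions. Plates that cannot be resolved are counted separately rather than as operator errors, so a blurry or unreadable image (Finding 4) does not penalise the operator.

```python
"""Sampling-based classification reconciliation and a maker-checker control
(added illustration, not the auditee's software). REGISTRATION_DB and
TRANSACTIONS are constructed sample data; the margin of error is an assumption."""
import random
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the registration database: plate -> registered class
REGISTRATION_DB = {
    "KA01AB1234": "car", "KA02CD5678": "truck", "KA03EF9012": "bus",
    "KA04GH3456": "car", "KA05IJ7890": "lcv", "KA06KL2345": "car",
    "KA07MN6789": "truck", "KA08OP0123": "bus", "KA09QR4567": "car",
}

# Constructed transactions: plate read from the close-up camera and the class
# chosen by the booth operator. Operator A misclassifies one truck as an LCV;
# operator B has one plate that cannot be resolved in the registration table.
TRANSACTIONS = [
    {"operator": "A", "plate": "KA01AB1234", "operator_class": "car"},
    {"operator": "A", "plate": "KA02CD5678", "operator_class": "lcv"},
    {"operator": "A", "plate": "KA03EF9012", "operator_class": "bus"},
    {"operator": "A", "plate": "KA04GH3456", "operator_class": "car"},
    {"operator": "A", "plate": "KA05IJ7890", "operator_class": "lcv"},
    {"operator": "B", "plate": "KA06KL2345", "operator_class": "car"},
    {"operator": "B", "plate": "KA07MN6789", "operator_class": "truck"},
    {"operator": "B", "plate": "KA08OP0123", "operator_class": "bus"},
    {"operator": "B", "plate": "KA09QR4567", "operator_class": "car"},
    {"operator": "B", "plate": "KA99ZZ0000", "operator_class": "car"},
]


def reconcile(transactions: List[dict], registration_db: Dict[str, str],
              margin_of_error: float, sample_size: Optional[int] = None,
              seed: int = 0) -> Dict[str, dict]:
    """Compare the operator's classification with the registered class over a
    random sample (every transaction when sample_size is None). Plates absent
    from the registry count as unresolved, not as errors. An operator whose
    mismatch rate over resolved plates exceeds the margin of error is marked
    accountable for follow-up."""
    rng = random.Random(seed)
    if sample_size is None or sample_size >= len(transactions):
        sample = list(transactions)
    else:
        sample = rng.sample(transactions, sample_size)
    per_op: Dict[str, dict] = defaultdict(
        lambda: {"sampled": 0, "mismatched": 0, "unresolved": 0})
    for t in sample:
        s = per_op[t["operator"]]
        s["sampled"] += 1
        registered = registration_db.get(t["plate"])
        if registered is None:
            s["unresolved"] += 1
        elif registered != t["operator_class"]:
            s["mismatched"] += 1
    result = {}
    for op, s in per_op.items():
        resolved = s["sampled"] - s["unresolved"]
        rate = s["mismatched"] / resolved if resolved else 0.0
        result[op] = {**s, "error_rate": rate,
                      "accountable": rate > margin_of_error}
    return result


def maker_checker(maker: str, maker_class: str,
                  checker: str, checker_class: str) -> Tuple[str, str]:
    """Maker-checker control: the operator who classifies (maker) must differ
    from the operator who collects the fee (checker), and the checker must
    agree with the class before collection proceeds. Returns (decision, reason)."""
    if maker == checker:
        return "rejected", "maker_and_checker_must_differ"
    if maker_class != checker_class:
        return "escalated", "classification_dispute"
    return "accepted", "classification_confirmed"


if __name__ == "__main__":
    for op, stats in reconcile(TRANSACTIONS, REGISTRATION_DB, 0.05).items():
        print(op, stats)
    print(maker_checker("A", "truck", "B", "truck"))
```

With the full population, operator A shows one mismatch in five resolved plates (a 20% error rate, above the 5% margin) and is marked accountable, while operator B's unresolved plate leaves its error rate at zero. Passing a sample_size runs the same check over a seeded random subset, which is how the sampling basis recommended above would be applied when lookups are costly.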
12. Summary/Conclusion
ABC Toll Company has the lead role in the development and implementation of information systems for various departments, in particular the revenue departments. The organization is mandated to provide ongoing operating service, support and maintenance for these systems and to ensure that controls are in place to maintain the integrity of all data within them. We found that certain controls within the organization were not consistently complied with, while others were absent or not adequately reviewed or monitored in accordance with international standards and best practice. Consequently, ABC Toll Company's capacity to guarantee the security and operational efficiency of the information systems under its control may be impaired if the potential information systems security risks materialize.
Overall, ABC Toll Company has a sound governance framework that provides effective decision making, strong leadership and oversight. Except for the opportunities for improvement identified in this report, ABC Toll Company has good and effective management controls and practices. Processes exist in planning, budgeting, forecasting, results and performance reporting, coding and delegation of authorities.
Audit criteria were used to assess the identified key risks, management control framework and practices. The following is a summary of results.
Assessed Area                 Result
Delegation of authorities     Criteria met