Project of DISA 2.0 Course CIT of ICAI

PROJECT REPORT ON IS AUDIT OF ERP SOFTWARE


TABLE OF CONTENTS

CONTENTS:

Project Report of DISA 2.0 Course

S. No. Particulars Page No.

1. Introduction 3

2. Auditee Environment 4

3. Objective, Scope & Methodology 7

4. Logistic Arrangements required 10

5. ERP System Architecture 11

6. Risks in an ERP Environment 11

7. Audit Findings & Recommendations 12

8. Audit Checklist 27

9. Conclusion 29


IS Audit of ERP Software

1. Introduction

ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple
manufacturing divisions and regional offices spread all over India. ABM operates in
three major business verticals for associated equipment manufacturing: Mining &
Construction, Defence, and Rail & Metro. In addition, there are three Strategic
Business Units (SBUs): the Technology Division, providing end-to-end engineering
solutions; the Trading Division, dealing in non-company products; and the
International Business Division, handling export activities. ABM has eight
manufacturing units spread over four locations. ABM is a recognized leader in the
industry and an early adopter of technology to improve efficiency and
competitiveness. In pursuit of its mission of improving competitiveness through
organizational transformation and collaboration / strategic alliances / joint
ventures in technology, ABM implemented ERP across the company with effect from
October 2010. As continuing evidence that Public Sector Entities are leveraging
enterprise technology from the world's leading business software company, ABM
successfully implemented SAP ERP and went live in a quick time span of 12 months.
In a first of its kind project in the country, ABM consolidated its operations
across multiple locations spread across India, with all units going live
simultaneously.

Background

ABM Group has been using Information Technology as a key enabler for facilitating
business process owners and enhancing services to its customers. The senior
management of ABM has been very proactive in directing the management and
deployment of Information Technology. Most of the mission critical applications in
the company have been computerized and networked. ABM selected SAP Business
Suite to bring a more integrated and seamless approach to internal processes. SAP
deployment in ABM posed unique challenges arising out of the need to integrate
multiple units across different locations, involving extensive procedures and large
volumes of data. The family of business applications provides better insight into
enterprise-wide analysis based on real time data and key performance indicators,
improved quality and on-time delivery, reduction in inventory cost and enhanced
customer service. This implementation has empowered ABM to seamlessly connect
all its vendors, customers and partners to achieve improved business efficiency.
SAP R/3 ECC 6.00 is deployed across all of ABM's financial, payroll and human
capital functions. The modules implemented are PP, MM, FICO, Quality, PM and HR
including Payroll. ABM has more than 500 SAP users across the company. By
implementing SAP solutions ABM has achieved superior operational excellence and
business agility.

About Us

M/s HRK & Associates, Chartered Accountants, was established in the year 2016
under the guidance of our founder partner CA Himanshu Jain. There are 4 partners in
the firm at present, each having expertise in various fields of audit (statutory &
internal), including Information Systems audit, bank audits, direct & indirect
taxation and power consultancy. We have deployed a team of 3 Chartered Accountants
on the current assignment, composed as follows:
1. CA Himanshu Jain (Team Leader)
2. CA Karnika Pradeep
3. CA Riya Agrawal

2. Auditee Environment

Nature of Business: ABM Limited is a leading PSU primarily engaged in equipment
manufacturing, segregated into three major areas: (a) Mining & Construction, (b)
Defence and (c) Rail & Metro.

Organization Structure: ABM Ltd. has 3 Strategic Business Units:

1. Technology Division
2. Trading Division and
3. International Business Division.

Also, ABM Ltd. has 8 manufacturing units spread over 4 locations.

Technology Deployed: ABM Ltd. has most of its mission critical applications in
computerized and networked form. In order to handle extensive procedures and
large volumes of data, ABM Ltd. has deployed SAP Business Suite across its
different business locations. ABM Ltd. has deployed SAP R/3 ECC 6.00, including
modules such as PP, MM, FICO, Quality, PM and HR including Payroll.

Policy & Procedure adopted by ABM Ltd. for all key areas of IT Operations
and business processes are as follows:

a) Security Policy
b) Human Resource Policy
● Working Time Policy
● Health & Safety Policy
● Employees Code of Conduct
● Disciplinary Procedure

c) Operational Policies
● Standard Operating Procedures
● Market Supplement Policy
d) Data Retention Policy
e) System Acquisition and Implementation Policy
f) IT Policies
● Data Protection Policy
● Computer Usage policy
● Network Usage Policy
● Information Security Policy
● Social Networking Usage Policy

We will conduct the audit in the following steps:

1. Gather Information and Plan
● Knowledge of business
● Knowledge of Industry
● Recent financial information
● Inherent Risk Assessments
2. Obtaining an understanding of Internal Control
● Control Environment
● Control procedures
● Detection Risk Assessments
● Control Risk Assessments
3. Perform Compliance Tests:
● Identify key controls to be tested
● Perform tests on reliability, risk prevention
4. Perform Substantive Tests:
● Analytical Procedures
● Detailed Test of Accounts
● Auditing Checks & Balances
● Other Substantive Audit Procedures
5. Conclude the Audit:
● Provide Recommendations
● Draft Audit Report

3. Objectives, Scope and Methodology

OBJECTIVE:
We conducted a review of ERP implementation activities to:
● Determine if the City's key financial activities are being adequately
reviewed and documented prior to the new system implementation, to
ensure key financial processes are properly addressed by the new system;
● Provide an insight into the extent to which the SAP ERP solution is helping
the organization to achieve business objectives;
● Identify the gaps in comprehensiveness and correctness of the
transactions, including identifying areas of improvement;
● Check if the system is designed in the most optimal manner to meet the
business objectives;
● Assess overall risks;
● Accumulate results;
● Conduct training on the observations to improve utilization of the SAP
solution.

Results of the review include:

⮚ Detailed report on identified gaps.
⮚ Potential improvement areas and recommendations in line with business
process.
⮚ Presentation of observations and recommendations to the top management.
⮚ Roadmap for implementation of the agreed recommendations to the top
management.

SCOPE:

The scope of our audit was developed incorporating ISACA’s Control Objectives
for Information and related Technology (COBIT) standards and ERP Systems
Review Guidelines (ISACA Document G21). The audit was carried out in a two-
phased manner to review the SAP performance, utilization and optimization.

⮚ Phase I – SAP assessment and audit, observations, recommendations for
improvement, training and roadmap for implementation of the agreed
recommendations.
⮚ Phase II – Follow-up review and re-audit (after implementation of the agreed
recommendations).

The following audit scope was developed using the ISACA standards and guidelines
discussed above, following a risk-based methodology. We separated our audit into
the following categories or key risk areas:

Audit Review Categories (Category for Review: Areas Included)

Policies and Procedures: Review of policies, procedures and practices as relevant to
areas of audit, along with organization structure policies, procedures and practices
as mapped in the information system.

Review of IT Resources as relevant:
(a) Operating Software: Access Controls
(b) Telecommunications Software: Access Controls
(c) RDBMS Database: Access Controls
(d) SAP (major focus area): Configuration of Parameters and Access Controls
(e) Application controls at various stages such as Input, Processing, Output,
Storage, Retrieval and Transmission so as to ensure Confidentiality, Integrity and
Availability of data.

Integration Testing: Integration Testing Cycles

Data Conversion: Conversion Strategies, Cross Walk, Mock Conversion Testing Cycles

Reporting: Roll-out Strategy, Requirements prior to go-live, post go-live support and
roll-out

Cut-Over and Stabilization: Strategy, Support Level Requirements & Delivery
Methodology

Training and Communication: Training Roll-out, Methodology, Key Areas Addressed

Retiring Systems: Historical Data Storage, Access, System Phase Out

Security: Security Implementation Strategy, Governing Documents, Role Mapping, Access
Controls, Process Controls

We should note that entity level SAP controls for individual business units
were not included in this audit due to the resulting increase in scope. We did however
perform a high level centralized internal controls review of the Governance Risk and
Compliance (GRC) module and City access. These controls will be comprehensively
reviewed in future audits of those entities. Further, the comptroller's internal
controls group is in the process of reviewing and documenting these controls through
their Internal Controls over Financial Reporting (ICOFR) project.

METHODOLOGY:

In the review of each section, we employed the following methodology,
customized for each primary area reviewed.

● We first determined components within each category to review based on risk
to the implementation completion, intended functionality, and schedule;
● Reviewed component implementation methodology and plans for sufficiency
(such as the strategy for Integration Testing, and sampled the planned tests to
perform);
● Observed component implementation and tracked it to the planned methodology
to ensure that there were no disconnects between what was planned and
documented and the work that was actually performed;
● Reviewed implemented components using judgmental sampling to confirm
that the end result came out as planned, or was appropriately adjusted;
● Reported issues discovered throughout the process based on risk, and
conveyed recommendations directly to the implementation component lead.

Due to the nature of the ERP implementation, reporting issues in a timely manner
presented unique challenges as compared to a standard audit. As is the case with
system implementation audits, issues present a moving target. Our reporting
process takes into account the fact that issues are expected to occur during an
implementation and do not necessarily present a risk to the project. Further,
management had several methods available at any given time during the project
to identify and remediate issues. As a result of the fast pace of the implementation
and the immediate management need for information, we developed the following
reporting process.
● Initially, we approach each potential issue with the appropriate section team
lead. Medium and low risk issues are not formally reported, though they may be
presented to a higher level of management if required. This results in quick
response times to most issues and quick resolution of the large number of
smaller issues as they arise.
● High risk issues, based on potential impact to the project, are brought to
management's attention. Issues that could have a potential impact on the
project's implementation are formally reported at a high level if they are not
remediated in a short time frame or carry a significant risk to the project's
adequate and on-time completion;
● High risk issues are communicated defining the condition, criteria, cause, and
effect.

4. Logistic arrangements required

During the course of the assignment we require the following infrastructure:

● 3 nodes with read-only access to SAP
● Access to SOPs and manuals of the Company, including the IT manual
● One laptop with Windows 8 / Microsoft Office 2013
● Access to a laser printer for printing reports, data etc.
● Adequate seating facility and storage space for the audit team
● Facilities for discussion amongst our team along with the staff of ABM Ltd.
● Permission to apply the desired CAAT tools as considered necessary for
executing the assignment
● Data from the IS Manager & Data Owner
● Access to the database server directly
● Backward reconciliation of data to the host system

5. ERP System Architecture

6. Risks in an ERP Environment

The risks in an ERP environment include both those present in a manual
processing environment and those that are unique or increased in an ERP
environment. These risks may pertain to any of the following:

● Improper Use of Technology
● Inability to Control Technology
● Inability to Translate User Needs into Technical Requirements
● Illogical Processing
● Inability to React Quickly
● Cascading of Errors
● Repetition of Errors
● Incorrect Entry of Data
● Concentration of Data
● Inability to Substantiate Processing
● Concentration of Responsibilities
● Program Errors
● Misuse by Authorized End Users
● Ineffective Security Practices for the Application

7. Audit Findings & Recommendations

Security Review
Findings:
● It was noticed that 29 combinations of two or more conflicting critical
transaction codes, involving processing of sale orders / invoices / deliveries,
payments, creation, settlement, change, deletion etc., were extended to users
ranging from 18 to 4,808. It was observed that users' role rationalization,
authorization and segregation of duties were deficient.
● 88 users other than the BASIS team were given access to sensitive
transaction codes.
● The password policy of the Company allowed simple, trivial and non-
alphanumeric passwords to be entered, which made the system vulnerable to
internal security threats.

Recommendations:
1. The Steering Committee of the organization should segregate the duties to the
employees as per their roles.
2. The employees should be given access to the system as per their specified
roles, responsibility and authority.
3. Proper policy should be made for maintaining passwords like use of Upper
Case, Lower Case, numbers, special character, non-repetition of old
passwords.
4. Creation and deletions of User Ids should be with proper approvals from the
right persons. Proper documentation of the approvals should be maintained
for record purpose.
5. Access to the database should be secured not only at the application level but
also at the Operating System, database and network levels through suitable
controls.

Finance Module
Findings:
The Finance Module (FI) was designed for management of the processes involved in
preparation of the accounts. The FI Module has inter-linkages with all the
modules in the ERP system and consolidates all the financial information to
generate the financial statements of the Company. On review of the Finance
Module the following observations were made:

● There is no review mechanism to clear long-aged parked documents. On
review of parked documents in SAP, it was noted that 26 accounting documents
are parked but not posted, with ageing ranging from 43 to 294 days.
Implication: Possibility of fraudulent transactions.
Recommendation: A review mechanism to be put in place to review all old
parked documents.

Ageing of parked documents (in days):

Document Type | Description          | 31-60 | 121-150 | 151-180 | 181-210 | 211-240 | 271-300 | Total
KR            | Vendor Invoice       |   2   |    2    |    2    |    3    |    5    |   11    |  25
SA            | G/L Account Document |   1 (single band; which one is not legible in the source)  |   1
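The ageing analysis behind a table like the one above, as an added example that is not part of the report: parked documents are bucketed into 30-day bands and only non-empty bands are shown. The records and the review date are constructed sample data.

```python
"""Ageing analysis of parked (unposted) SAP documents.

Added example, not from the original report. Input records are constructed
sample data in the shape of a parked-document list (document type, description,
date parked); buckets are 30-day bands like the report's table, empty bands
are omitted.
"""
from collections import defaultdict
from datetime import date

# Constructed sample: (document type, description, date the document was parked).
SAMPLE_PARKED = [
    ("KR", "Vendor Invoice", date(2018, 2, 15)),
    ("KR", "Vendor Invoice", date(2018, 1, 20)),
    ("KR", "Vendor Invoice", date(2017, 11, 10)),
    ("SA", "G/L Account Document", date(2017, 9, 1)),
    ("KR", "Vendor Invoice", date(2017, 6, 5)),
]
REVIEW_DATE = date(2018, 3, 31)   # constructed review date


def age_bucket(age_days, width=30):
    """Return the (low, high) band an age falls in, e.g. 43 -> (31, 60)."""
    if age_days < 1:
        raise ValueError("a parked document cannot be newer than the review date")
    low = ((age_days - 1) // width) * width + 1
    return (low, low + width - 1)


def ageing_table(records, as_of, min_age=0):
    """Return {(doc_type, description): {band: count}} for documents older than min_age days."""
    table = defaultdict(lambda: defaultdict(int))
    for doc_type, desc, parked_on in records:
        age = (as_of - parked_on).days
        if age <= min_age:
            continue                      # recent parks are normal workflow, not a finding
        table[(doc_type, desc)][age_bucket(age)] += 1
    return {key: dict(counts) for key, counts in table.items()}


def render(table):
    """Plain-text table whose columns are only the ageing bands actually populated."""
    bands = sorted({band for counts in table.values() for band in counts})
    header = ["Type", "Description"] + [f"{lo}-{hi}" for lo, hi in bands] + ["Total"]
    rows = [header]
    for (doc_type, desc), counts in sorted(table.items()):
        cells = [str(counts.get(band, "")) for band in bands]
        rows.append([doc_type, desc] + cells + [str(sum(counts.values()))])
    widths = [max(len(row[i]) for row in rows) for i in range(len(header))]
    return "\n".join(" | ".join(c.ljust(w) for c, w in zip(row, widths)) for row in rows)


if __name__ == "__main__":
    print(render(ageing_table(SAMPLE_PARKED, REVIEW_DATE, min_age=30)))
```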

● No SOP in place for period opening in SAP detailing the following:
❖ Approving authority,
❖ Details of the GLs in the approval which need to be opened for posting,
❖ Details of the time period in the approval for which the period is to be
opened,
❖ Log of periods opened and accounting entries posted, etc.
Implication: Possibility of unauthorized changes in the General Ledger master.
Recommendation: A Standard Operating Procedure for period opening in SAP to be
framed.
● SAP functionality not used to tag advances with Purchase Orders. SAP
has functionality to tag an advance with a purchase order, which allows the user
to trace an advance payment made against that purchase order (PO). On sample
review of advance payments as on the balance sheet date, it was noticed that some
advance payments were processed without tagging a PO. In the absence of
such tagging it is difficult to identify advance payments made without a PO.
Implication: Inadequate tracking of utilisation of advances against
Purchase Orders.
Recommendation: SAP functionality to be used to tag advances with
Purchase Orders to track the payments and subsequent adjustments.

● GR/IR is an intermediary account used for payments against goods
received. Analysis showed that more than three lakh entries amounting
to Rs. 33701.7 million were pending clearance for periods ranging from one to
four years, indicating lack of proper monitoring by the Company.
● It was observed that, though the stock balances are maintained in the
system, the valuation of stocks is done outside the system, which
defeats the purpose of the ERP system.

The Company decides and assigns credit limits to various categories of
customers, which are accordingly entered into the system. Analysis of data on
credit limits extended to customers showed that there were inadequate
validation checks against the credit limits maintained in the system, which
resulted in overdue amounts of Rs. 2948.9 million in respect of 293 customers who
had exceeded their credit limit.

Each customer is allotted a unique code. However, there was more than one
customer code assigned to the same customer in 1103 cases in the customer
master.

Recommendations:
1. The Scrap Value is not entered into the system for all assets, due to which
depreciation calculation in the SAP is not correct. The Company must
ensure that all assets have their scrap value entered into the system to ensure
that depreciation calculation is correct and as per the required laws and
Regulations.
2. The company must bring the Fixed Assets which are in use by the company
but at a Zero book value to their specific Scrap value, as assets which are in
use although their life as per Schedule to Companies Act is over must be
reflected at their respective Scrap Value unless it is discarded or Sold.
3. The company must adopt a System of Materials Requirements Planning
(MRP) to provide a clear vision into gaps between current inventory levels
and forecasted demand for each inventory item. Additionally, MRP generates
alerts and replenishment orders to keep a company’s inventory at an optimal
level. This would enable better control over material, prevent excessive
stocking and above all, ensure regular supply of materials for uninterrupted
production.
4. Clearance of GR/IR should be run at regular intervals to ensure that no
unnecessary entries remain in the GR/IR Account, and proper monitoring
of the GR/IR Account should be done by Management.
5. All the details like freight, quantity and input credit of taxes related to a
material should be properly entered into the system so that stock valuation can
be correctly done by the system; at present this cannot be done in SAP because
the required details are absent, due to which the stock calculation produced by
SAP is not correct.
6. The CIO together with the CEO must work on scientific techniques and
reporting requirements of ERP to fairly determine the landed cost of material,
Non Moving and Slow Moving of Material with their respective Expiry date/
period upto which they can be used so that proper planning can be done for
issuance and consumption of Raw Materials and better utilisation of
resources.
7. The Management must make use of intelligent forecasting tools, to create an
efficient demand planning process and achieve optimal planning accuracy.
The individual plans from the various department managers including top
executives, sales, marketing, purchasing managers and so on, can be
integrated into one valid plan. Forecast analytics tools provide decision
makers with historical data and enable the visualization of market trends
which in turn allow for the adjustment of demand plans in real-time.

Vendor Master
Findings:

The Company was maintaining 76543 vendor master records. Review of these
records revealed:

● Purchase orders were placed on vendors with incomplete details
● Duplicate vendors
● Multiple vendors with the same bank account: it was seen that there were
76 vendor records linked to 37 bank accounts, indicating risk of
irregular payments.
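The two data checks behind the findings above (incomplete vendor details, and several vendor codes sharing one bank account or one PAN), as an added example that is not part of the report. The vendor records are constructed sample data with made-up identifiers, and which fields count as mandatory is an assumption of this example.

```python
"""Vendor master checks: incomplete records and vendor codes sharing a bank account.

Added example, not from the original report. Records are constructed sample
data in an LFA1/LFBK-like shape (vendor code, name, PAN, GSTIN, bank key, bank
account); the mandatory-field list and all identifier values are assumptions.
"""
from collections import defaultdict

MANDATORY = ("name", "pan", "gstin", "bank_key", "bank_account")   # assumed policy

# Constructed sample vendor master extract (identifiers are made up).
SAMPLE_VENDORS = [
    {"code": "V1001", "name": "Alpha Forgings", "pan": "PAN-A", "gstin": "GST-A",
     "bank_key": "BANK01", "bank_account": "000111222"},
    {"code": "V1002", "name": "Alpha Forgings Pvt Ltd", "pan": "PAN-A", "gstin": "",
     "bank_key": "BANK01", "bank_account": "000111222"},
    {"code": "V1003", "name": "Beta Castings", "pan": "", "gstin": "",
     "bank_key": "", "bank_account": ""},
    {"code": "V1004", "name": "Gamma Tools", "pan": "PAN-B", "gstin": "GST-B",
     "bank_key": "BANK02", "bank_account": "999888777"},
    {"code": "V1005", "name": "Gamma Tools (Unit 2)", "pan": "PAN-B", "gstin": "GST-B",
     "bank_key": "BANK02", "bank_account": "999888777"},
    {"code": "V1006", "name": "Delta Steel", "pan": "PAN-C", "gstin": "GST-C",
     "bank_key": "BANK03", "bank_account": "123456789"},
]


def incomplete_vendors(vendors, mandatory=MANDATORY):
    """Return {vendor code: [missing fields]} for records lacking mandatory data."""
    gaps = {}
    for v in vendors:
        missing = [f for f in mandatory if not v.get(f, "").strip()]
        if missing:
            gaps[v["code"]] = missing
    return gaps


def vendors_sharing(vendors, *fields):
    """Group vendor codes by the given field values and keep groups with more than one code.

    Blank values are skipped so that missing data is reported as incompleteness,
    not as a duplicate.
    """
    groups = defaultdict(list)
    for v in vendors:
        key = tuple(v.get(f, "").strip() for f in fields)
        if all(key):
            groups[key].append(v["code"])
    return {k: sorted(codes) for k, codes in groups.items() if len(codes) > 1}


def summary(vendors=SAMPLE_VENDORS):
    """Headline counts in the form the finding reports them (records vs. bank accounts)."""
    shared = vendors_sharing(vendors, "bank_key", "bank_account")
    return {
        "vendor_records": len(vendors),
        "incomplete_records": len(incomplete_vendors(vendors)),
        "bank_accounts_shared": len(shared),
        "vendor_codes_on_shared_accounts": sum(len(c) for c in shared.values()),
        "pan_shared": len(vendors_sharing(vendors, "pan")),
    }


if __name__ == "__main__":
    print(summary())
    for account, codes in vendors_sharing(SAMPLE_VENDORS, "bank_key", "bank_account").items():
        print("bank account", account, "used by vendor codes", codes)
```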

Recommendations:

● The Company should ensure that at the time of creation of a new vendor,
proper checking of the vendor's details is done, specifically the bank
account details, MSME registration number, GSTIN number / Service
Tax number, PAN etc., so that the risk of fraud is reduced, as payment is
made to the account details entered into the system at the time of new
vendor creation. Also, the vendor's registration numbers under the various
tax authorities must be present so that reconciliation reports can be
prepared easily by the system if proper details are entered at the start.
This will ensure that no duplicate vendors are present in the system.

Missing Credit Master Data

Findings:
The Company was maintaining credit data of its customers, which includes the
allotted credit limit and the actual credit extended to them. It was seen that credit
data was not available for 5188 customers out of 9839 customers. Of these, 797
customers were carrying an outstanding balance of Rs. 13023.7 million.

Recommendations:
The Company should link the credit limit of the Customers with the respective
Ledgers account so that system could automatically detect whether the Credit limit
is crossed or not, and if crossed then Sales to that customer cannot be booked in the
system. This will prevent the excess credit limit given to the customer and reduce
Interest cost to the company.

Incorrect posting in GL accounts:

Findings:
1. Assets carrying negative value: As per the general principles of asset
accounting, assets should not carry negative balances, since that will turn them
into liabilities rather than assets. During review of assets for the year 2010-
11, it was found that some assets were carrying negative balances.

2. Credit extended beyond credit limit: A review of credit management data
of customers was carried out and it was observed that the credit extended was
not validated against the respective credit limit prescribed. As a result, 557
customers, for whom the credit limit was defined as zero, were extended credit
of Rs. 4150.78 million.

3. Payments trail in SAP: To facilitate a trail on the payment cycle it is
necessary that the date of the vendor invoice and the date of receipt of the
invoice are captured in the system. It was observed that the system had not been
customized to capture these dates.

Users with critical combination of procurement functions: The major
functions in a procurement cycle include placing of a Purchase Requisition
(PR), release i.e. approval of the PR, creation of a PO, release of the PO
indicating approval of the same, creation of vendor masters, modification of
vendor masters, receipt of goods, receipt of invoice and processing of payments.
Since all these functions have a bearing on the outflow of funds, the
rationalization of combinations of transactions assigned to users was important.

During review it was found that users enjoyed various combinations of critical
transactions, the details of which are as follows:

(i) Eight hundred users were authorized to create PR and release i.e. approve
the PR;

(ii) Nineteen users were authorized to create PO and release i.e. approve the
PO; and

(iii) Thirteen users were assigned roles to receive goods (Make Goods Receipt
Voucher) and process vendor invoices.
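
One way to test for the critical combinations listed above over a user-to-transaction-code export, as an added example that is not part of the report. The conflict pairs are the ones the finding describes; the mapping of those procurement functions to SAP transaction codes and the user assignments are assumptions constructed for this example.

```python
"""Segregation-of-duties check over a SAP user / transaction-code export.

Added example, not from the original report. Conflict rules follow the
procurement-cycle functions in the finding (create + release PR, create +
release PO, goods receipt + invoice processing, vendor master maintenance +
payment). The function-to-t-code mapping is an assumption for this example,
and the assignments are constructed sample data.
"""
from collections import defaultdict

# Assumed mapping of procurement functions to transaction codes (illustrative only).
FUNCTION_TCODES = {
    "create_pr":       {"ME51N", "ME51"},
    "release_pr":      {"ME54N", "ME55"},
    "create_po":       {"ME21N", "ME21"},
    "release_po":      {"ME29N", "ME28"},
    "maintain_vendor": {"XK01", "XK02", "FK01", "FK02"},
    "goods_receipt":   {"MIGO", "MB01"},
    "invoice_receipt": {"MIRO"},
    "process_payment": {"F110", "F-53"},
}

# Conflicting function pairs taken from the finding.
CONFLICTS = [
    ("create_pr", "release_pr"),
    ("create_po", "release_po"),
    ("goods_receipt", "invoice_receipt"),
    ("maintain_vendor", "process_payment"),
]

# Constructed sample export: one "USER TCODE" pair per line.
SAMPLE_ASSIGNMENTS = """
USER01 ME51N
USER01 ME54N
USER02 ME21N
USER02 ME29N
USER02 MIGO
USER03 MIGO
USER03 MIRO
USER04 XK02
USER04 F110
USER05 ME51N
USER05 ME21N
"""


def parse_assignments(text):
    """Return {user: set of t-codes} from 'USER TCODE' lines."""
    users = defaultdict(set)
    for line in text.strip().splitlines():
        user, tcode = line.split()
        users[user].add(tcode.upper())
    return users


def functions_of(tcodes):
    """Map a user's t-codes to the business functions they enable."""
    return {fn for fn, codes in FUNCTION_TCODES.items() if tcodes & codes}


def sod_violations(users):
    """Return {(fn_a, fn_b): [users holding both functions]} for each conflicting pair."""
    result = defaultdict(list)
    for user, tcodes in sorted(users.items()):
        fns = functions_of(tcodes)
        for a, b in CONFLICTS:
            if a in fns and b in fns:
                result[(a, b)].append(user)
    return dict(result)


def violation_summary(text=SAMPLE_ASSIGNMENTS):
    """Number of users per conflicting combination, as the finding reports it."""
    violations = sod_violations(parse_assignments(text))
    return {f"{a}+{b}": len(users) for (a, b), users in violations.items()}


if __name__ == "__main__":
    for (a, b), users in sod_violations(parse_assignments(SAMPLE_ASSIGNMENTS)).items():
        print(f"{a} + {b}: {len(users)} user(s) -> {', '.join(users)}")
```

USER05 holds create PR and create PO, which is not one of the listed conflicts, so the check does not flag it; a tighter rule set would add such pairs to CONFLICTS.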

Recommendations:

1. Since the scrap value of assets is not entered into the system and its linkage
with the depreciation calculation function of the ERP is missing, assets are
carried in the balance sheet with negative value, as higher depreciation is
charged on assets, resulting in assets with zero or even negative balance in the
ERP. The Company is advised to properly enter the scrap value of each asset and
link it with the depreciation calculation function.
2. Different access rights, as per segregation of duties and also considering the
principle of least privilege, should be given to employees so that the same
person does not perform functions which are interlinked with each other and
may result in fraud in the Company; moreover, proper rotation of duties should
also be in place.

System design/customization deficiencies:

Findings:
(i) The system was configured to value the inventory at different rates with
reference to corresponding sale orders. This led to valuation of inventory
against the Company’s accounting policy.

(ii) Lack of relational integrity was observed between the materials shown under
work in progress (WIP) in material management module and the
corresponding status of the material in the production planning module.

(iii) The system was not designed to adjust the advance payment made
immediately on receipt of material. This resulted in over lapping of
accounting entries of both debiting and crediting inventory account and wrong
depiction of accounting status of payment as advances.

(iv) The system was not designed to calculate rates as a percentage above or below
the accepted tender rates. This resulted in not only duplication of work but
full dependence on manual controls.

(v) The system did not exhibit the opening balance of the ledger resulting in this
being incorporated through manual intervention to prepare Trial balance.


(vi) After creation of the master database, the system did not display relevant pop-
ups at the time of entering the data which was required to ensure data integrity.
This led to multiple party codes for the same party, in respect of supply
contract, works contract and miscellaneous contracts.

The absence of referential integrity between sale order and production order
resulted in data inconsistency, incorrect valuation of raw material and manual
intervention. This increased the risk of incorrect data being processed and
accounted as illustrated below: -

● The value of the raw materials differed among account schedules, purchase price,
store ledger and pricing entry.
● The status of material worth Rs.10.2 million were shown as ‘finished goods’ as
on 31 March 2008 even though the materials had been sold in March 2007.
● Test check of major completed sale orders revealed that out of six sale orders
selected, against three sale orders the production orders were not closed (May
2008). Hence, these were still shown under WIP and manual entries were resorted
to effect value reduction (Rs.23.6 million) in WIP as at 31 March 2008.
● Out of 3702 production orders reviewed, 177 were created without linking to any
authorized orders.
● Absence of uniform pattern for coding of material built into the system resulted
in inconsistent material codes in the system.
● Incomplete capturing of details in columns like profit center, purchasing group
etc., affected the cost allocation.
● The non-incorporation of data in respect of net value, material code, vendor code
and quantity etc. affected allocation of cost and the accounts of the units.
● The system was designed to block duplicate entries of vendors. However,
inconsistency in pattern of data entry led to duplicate vendor codes, which led to
risk of inconsistent order placements and deficient payment tracking for the
vendors.

Recommendations:

1. Many cases were identified during our audit in which TDS was not
deducted at the time of payment to contractors, as the system
automatically offered the option to deduct TDS only at the time of
booking the invoice into the ERP. We therefore recommend that the
Company should develop a tool in the ERP which automatically
indicates advance payments on which TDS liability arises, so that the
Company can properly deduct TDS on advance payments and timely
deposit the same.
2. Linking Decided targets for Managing team members in their
respective ID’s in SAP with their actual figures of completed Targets
to keep a check on performance of Sales & Marketing Team and help
them to achieve their targets, also enabling the Management to keep a
check over them.

Password policy
Ensure that password policy parameters are set as:

1. Maximum password age: 40 days
2. Minimum password length: 8 characters
3. Minimum password age: 2 days
4. Maintain password history: Remember last 3 passwords
5. Password complexity: Complex
6. Forcing users to change password on first logon: Enabled
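
A check of exported SAP profile parameters against the policy values listed above, as an added example that is not part of the report. The login/* names are standard SAP NetWeaver profile parameters; mapping the report's policy points onto them is this example's assumption, and the exported values are constructed sample data.

```python
"""Check exported SAP profile parameters against the report's password policy.

Added example, not from the original report. The login/* names are standard
SAP NetWeaver profile parameters; the mapping of the policy points onto them
is an assumption of this example, and SAMPLE_EXPORT is constructed data in the
shape of an RSPARAM / RZ11 listing ("parameter value" per line).
"""

# Policy point from the report -> (profile parameter, rule, target value).
# "max": current must be > 0 and <= target (0 means the password never expires)
# "min": current must be >= target
# "Change password on first logon" is enforced for initial passwords by the
# system itself rather than by one numeric parameter, so it is not modelled here.
POLICY = {
    "Maximum password age 40 days":     ("login/password_expiration_time", "max", 40),
    "Minimum password length 8":        ("login/min_password_lng", "min", 8),
    "Minimum password age 2 days":      ("login/password_change_waittime", "min", 2),
    "Password history: last 3":         ("login/password_history_size", "min", 3),
    "Complexity: at least one letter":  ("login/min_password_letters", "min", 1),
    "Complexity: at least one digit":   ("login/min_password_digits", "min", 1),
    "Complexity: at least one special": ("login/min_password_specials", "min", 1),
}

# Constructed sample export. login/min_password_specials is deliberately absent
# to show the "not set, system default applies" path.
SAMPLE_EXPORT = """
login/min_password_lng 6
login/password_expiration_time 0
login/password_history_size 5
login/password_change_waittime 1
login/min_password_letters 0
login/min_password_digits 0
"""


def parse_export(text):
    """Return {parameter name: int value} from 'name value' lines."""
    params = {}
    for line in text.strip().splitlines():
        name, value = line.split()
        params[name] = int(value)
    return params


def evaluate(params, policy=POLICY):
    """Return {policy point: (parameter, current value or None, compliant)}."""
    result = {}
    for point, (param, rule, target) in policy.items():
        current = params.get(param)
        if current is None:
            ok = False                      # unset: the SAP default applies, treat as a gap
        elif rule == "max":
            ok = 0 < current <= target      # 0 disables expiry entirely
        else:
            ok = current >= target
        result[point] = (param, current, ok)
    return result


def non_compliant(text=SAMPLE_EXPORT):
    """Parameters failing the policy, keyed by profile parameter name."""
    return {param: current
            for _, (param, current, ok) in evaluate(parse_export(text)).items()
            if not ok}


if __name__ == "__main__":
    for point, (param, current, ok) in evaluate(parse_export(SAMPLE_EXPORT)).items():
        shown = "not set" if current is None else current
        print(f"{'OK  ' if ok else 'FAIL'} {point:<34} {param} = {shown}")
```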

Critical Requirements not envisaged

Critical activities had not been envisaged during system development
and consequently certain activities that were part of the user's requirement
had not been designed/developed;

Certain activities were designed/developed but with deficiencies:


● The linkages and interfaces of FA module with other modules were yet
to be implemented (September 2007);
● The validation checks were inadequate, critical changes in business
rules were not incorporated/updated; and
● The business continuity and disaster recovery system were deficient
● The system was not envisaged to generate region wise trial balances
although separate regional cost centers were maintained. Thus, the
system could not monitor and evaluate performance of different
regions.
● Simple functions like calculation of tax deducted at source, sales tax,
other taxes, etc. were not envisaged to be performed through the
system. Thus, recovery/short recovery of the above items had to be
calculated and monitored manually.
● The system was not envisaged to capture the accounting period to
which the bill were related. Thus, important information like
outstanding liabilities, prepaid expenses of the respective accounting
period could not be generated. For example, a contactor’s/supplier’s
bill which related to the accounting period 2006-07 could be accounted
for in 2007-08 and vice versa, prepaid insurance for the period 2007-08
could be booked as expenditure in 2006-07.
● Critical information relating to contracts such as, date of completion,
number of extensions, penalty waived, interest levied/waived for
delayed completion/supply were not envisaged to be captured to enable
the system based monitoring and evaluation of the execution of
contracts.

SAP Controls related to Plant Maintenance

● Inadequacies in SAP control around creation of Maintenance Order
While creating a maintenance order against an equipment, the following details are
required to be captured in SAP:
❖ Basic Start Date
❖ Basic Finish Date
❖ Equipment Reference
❖ WBS Element, etc.
Review of controls around creation of maintenance orders in the SAP PM module
highlighted the following inadequacies:
- SAP allows creation of back-dated 'Maintenance Orders'
While reviewing the list of maintenance orders (through IW-39) created
during the audit period, instances were noted wherein the date of
creation of maintenance orders was after the basic start date. Further
walk-through highlighted that there is no restriction in SAP to create
a back-dated maintenance schedule.

- SAP allows modification of initial data of a Maintenance Order

Page 23
Project of DISA 2.0 Course CIT of ICAI

While walk through of the process for creating maintenance order in SAP
through IW31, it was noted that there is no restriction in SAP to modify
initial details (entered at the time of creating order) like Start Date, End
Date, WBS Element, Equipment, Business Area, etc.All these
modifications are allowed until TECO (technical ok) is done in SAP.
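Both findings above (back-dated orders and unrestricted changes to initial data) can be turned into repeatable audit tests over two extracts: the order list and the change log for the orders. The following is an added example written for this report, not code from the report or from SAP; it assumes the order list and change records have already been exported into the plain structures shown, and all order numbers, dates and user IDs are constructed sample values. It lists orders created after their basic start date, every change to a protected initial field with the user who made it, and the case the two findings combine into: a date field edited to a day earlier than the edit itself, i.e. back-dating an existing order rather than creating one.

```python
from dataclasses import dataclass
from datetime import date

# Initial fields of a maintenance order named in the finding above; the date
# fields are the ones that can be used to back-date an order after creation.
PROTECTED_FIELDS = {"Basic Start Date", "Basic Finish Date", "WBS Element", "Equipment", "Business Area"}
DATE_FIELDS = {"Basic Start Date", "Basic Finish Date"}


@dataclass(frozen=True)
class MaintenanceOrder:
    order_no: str
    created_on: date
    basic_start: date
    basic_finish: date
    system_status: str     # e.g. "REL" (released) or "TECO"


@dataclass(frozen=True)
class ChangeRecord:
    """One line of a change log for an order: field, old/new value, date, user."""
    order_no: str
    field: str
    old_value: str
    new_value: str         # dates are ISO strings in this constructed export
    changed_on: date
    changed_by: str


# Constructed sample rows, not ABM's IW39 output or change documents.
ORDERS = [
    MaintenanceOrder("4000001", date(2011, 5, 10), date(2011, 5, 12), date(2011, 5, 14), "TECO"),
    MaintenanceOrder("4000002", date(2011, 6, 20), date(2011, 6, 1), date(2011, 6, 3), "TECO"),  # created after start
    MaintenanceOrder("4000003", date(2011, 7, 1), date(2011, 7, 1), date(2011, 7, 5), "REL"),
]
CHANGES = [
    ChangeRecord("4000001", "Description", "Pump check", "Pump inspection", date(2011, 5, 11), "USER01"),
    ChangeRecord("4000003", "Equipment", "EQ-100", "EQ-250", date(2011, 7, 3), "USER02"),
    ChangeRecord("4000003", "Basic Start Date", "2011-07-01", "2011-06-25", date(2011, 7, 3), "USER02"),
]


def backdated_orders(orders):
    """Order numbers whose creation date is later than their basic start date:
    the order was recorded after the work had nominally begun."""
    return [o.order_no for o in orders if o.created_on > o.basic_start]


def initial_field_changes(changes):
    """Every change to a protected initial field, as (order, field, old, new, user),
    for follow-up with the person who made it."""
    return [(c.order_no, c.field, c.old_value, c.new_value, c.changed_by)
            for c in changes if c.field in PROTECTED_FIELDS]


def backdated_via_change(changes):
    """Date fields re-set to a day earlier than the change itself: back-dating
    achieved by editing an existing order instead of creating a new one."""
    return [(c.order_no, c.field, c.changed_by)
            for c in changes
            if c.field in DATE_FIELDS and date.fromisoformat(c.new_value) < c.changed_on]


if __name__ == "__main__":
    print("Back-dated at creation:", backdated_orders(ORDERS))
    print("Initial-field changes:", initial_field_changes(CHANGES))
    print("Back-dated by modification:", backdated_via_change(CHANGES))
```

The third check matters because a control that only blocks back-dating at creation is bypassed by the second weakness; a compensating control therefore has to cover edits of the date fields as well, and the change log with date and user is the evidence that lets the auditor see whether it does.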












● Non usage of SAP functionality – Breakdown Analysis
As per the Blue Print of the Preventive Maintenance Module, ‘Season Maintenance
activity scope includes all planned or unplanned maintenance
requirements on the equipment. This scenario deals with the creation and
processing of maintenance work orders, to capture all the
breakdown/Corrective/Scheduled/Routine maintenances that occur on
equipment’. On confirmation of the development of ‘Preventive
Maintenance Schedule & Breakdown Maintenance’, it was informed
that the functionality has been developed in SAP. However, during our review,
it was noted that currently breakdown analysis is being done in Excel.

● Functionality for maintaining Preventive Maintenance Schedule not available in SAP
Currently the progress of preventive maintenance is being captured and reviewed in
MS Project; however, the possibility of preparing the same in SAP has not been
explored, though the option is available in SAP.

● Mapping of Equipment with Functional Vertical not done
There are different verticals in the engineering department like Boiling House, Mill
House, Power Plant, Distillery, etc., each with its respective list of equipment.
However, in SAP there is no mapping of functional vertical with the respective
equipment list.
During the walk-through of creating a maintenance order for the Boiling House, it
was noted that the equipment lists of all other verticals are displayed.

● Bill of Material for Equipment not maintained in SAP
A maintenance bill of material (BOM) is a complete structured list of the
components making up a technical object or an assembly; the list contains
the object numbers of the individual components together with their
quantity and unit of measure. However, a Bill of Material has not been
allocated to the respective equipment in SAP.

● ABC indicator not assigned to Equipment
The ABC indicator in PM equipment master data is used for analysis purposes and
also to determine the type of maintenance strategy and spare parts
stocking applicable to particular equipment. In SAP the following indicators
are possible:
a) Critical generally denotes equipment whose breakdown may result in
production loss or an accidental hazard
b) Less Critical generally denotes equipment whose breakdown affects
operational functionality
c) Non-Critical denotes other than the above two
However, no such tagging is done against the available equipment list.

Implication: Non-utilization of basic functions makes SAP less user friendly.
Possibility of incomplete details in MIS reports.

Recommendation: Implement the basic functions related to the PM module in SAP after
exploring the purpose and necessity.

9.Audit Checklist

1. Computer Operating System: Procedures for terminal logon, automated
terminal identification, and user identification and authentication.
2. Database Management: The DBA can build profiles with settings defined by
the security policies. These profiles are then assigned to roles defined to
perform functions on the database such as view, update and delete.
3. Server Capacity & Suitability: It should be as per business size and
hardware requirements and the usability of data and storage.
4. Disaster Recovery Plan: A DRP encompasses three basic strategies, i.e.
preventive measures, detective measures and corrective measures. Preventive
measures seek to identify and reduce risk. Detective measures are taken to
discover the presence of any unwanted events within the infrastructure.
Corrective measures aim to restore a system after a disaster or other
unwanted events take place.
5. Business Process: Business processes should be documented and key control
points should be identified.
6. Password Policy: The password policy should be set up as per the relevant
policies.
7. Integration with other modules: There should be proper integration with
other modules in such a way as to ensure that no unauthorised modification
of data is made.
8. Data flow across the modules: Data flow across the modules should be done
accurately and in a secured manner.
9. Authorization Process & Control: Authorisation should be done only by the
relevant authority in an authentic manner.
10. Customization & Configuration: All applications and software should be
customized according to user needs and requirements.
11. Access Controls: The authentication system should be multifactor. There
are three user authentication techniques:
● Something the user knows (for e.g. a password)
● Something the user has (for e.g. a token or smart card)
● Something the user is (for e.g. biometric authentication)
12. Audit Trail: In an information systems audit, system logs are the audit
trails to be verified and used as audit evidence, as they reflect the date,
time and place where a transaction occurred and the responsible person who
acted at that point of time.

CONCLUSION
As mentioned above, there are several weaknesses and risks present
in the internal control system and the IT system of the company.
Although they went live in the ERP environment within a short span
of 12 months, there are various modules of the ERP that are not
integrated appropriately. This leads to an increased risk of errors in the
financial and operating data provided by the system. Such errors in the
system would increase the need for manual workings and reports to be
prepared for top management; this would lead to an increased need
for manpower, which ultimately will make the implementation of the ERP software
not cost effective for the Company. Further, the lack of a proper
internal control system could also increase the risk of fraud in the
Company. Therefore, it is suggested that the management performs a
thorough trial and check of the ERP and implements the required internal
controls in the system.
