PROJECT REPORT
ON
IS AUDIT OF ERP
SOFTWARE
Page 1
Project of DISA 2.0 Course CIT of ICAI
TABLE OF CONTENTS
CONTENTS:
1. Introduction 3
2. Auditee Environment 4
8. Audit Checklist 27
9. Conclusion 29
1. Introduction
ABM Limited (ABM) is one of the leading Public Sector Undertakings, with
multiple manufacturing divisions and regional offices spread all over India. ABM
operates in three major business verticals for associated equipment manufacturing:
Mining & Construction, Defence, and Rail & Metro. In addition, there are three
Strategic Business Units (SBUs): the Technology Division, providing end-to-end
engineering solutions; the Trading Division, dealing in non-company products; and
the International Business Division, for export activities. ABM has eight
manufacturing units spread over four locations. ABM is a recognized leader in the
industry and an early adopter of technology to improve efficiency and
competitiveness. In pursuit of its mission of improving competitiveness through
organizational transformation and collaboration, strategic alliances and joint
ventures in technology, ABM implemented ERP across the company with effect from
October 2010. As continuing evidence that Public Sector Entities are leveraging
enterprise technology from the world’s leading business software company, ABM
successfully implemented SAP ERP and went live in a quick time span of 12
months. In a first-of-its-kind project in the country, ABM consolidated its operations
across multiple locations spread across India, with all units going live
simultaneously.
Background
ABM Group has been using Information Technology as a key enabler for facilitating
business process owners and enhancing services to its customers. The senior
management of ABM has been very proactive in directing the management and
deployment of Information Technology. Most of the mission-critical applications in
the company have been computerized and networked. ABM selected SAP Business
Suite to bring a more integrated and seamless approach to internal processes. SAP
deployment in ABM posed unique challenges arising out of the need to integrate
multiple units across different locations, involving extensive procedures and large
volumes of data. The family of business applications provides better insight into
enterprise-wide analysis based on real-time data and key performance indicators,
improved quality and on-time delivery, reduction in inventory cost and enhanced
customer service. This implementation has empowered ABM to seamlessly connect
all its vendors, customers and partners to achieve improved business efficiency.
SAP-R3 ECC 6.00 Version is deployed across all of ABM’s financial, payroll
and human capital functions. The modules implemented are PP, MM, FICO,
Quality, PM and HR including Payroll. ABM has more than 500 SAP users across
the company. By implementing SAP solutions, ABM has achieved superior
operational excellence and business agility.
About Us
We, M/s HRK & Associates, are a firm of Chartered Accountants established in the
year 2016 under the guidance of our founder partner CA Himanshu Jain. There are 4
partners in the firm at present, each having expertise in various fields of audit
(statutory and internal), including information systems audit, bank audits, direct and
indirect taxation, and power consultancy. We have deployed a team of 3 Chartered
Accountants on the current assignment, composed as follows:
1. CA Himanshu Jain (Team Leader)
2. CA Karnika Pradeep
3. CA Riya Agrawal
2. Auditee Environment
Nature of Business: ABM Limited is a leading PSU primarily engaged in equipment
manufacturing, segregated into three major areas: (a) Mining & Construction, (b)
Defence and (c) Rail & Metro. In addition, there are three Strategic Business Units:
1. Technology Division
2. Trading Division and
3. International Business Division.
Technology Deployed: ABM Ltd has most of its mission-critical applications
computerized and networked. In order to handle extensive procedures and large
volumes of data, ABM Ltd. has deployed SAP Business Suite across its different
business locations. ABM Ltd has deployed SAP-R3 ECC 6.00 Version, including
modules such as PP, MM, FICO, Quality, PM and HR including Payroll.
Policies & Procedures adopted by ABM Ltd. for all key areas of IT operations
and business processes are as follows:
a) Security Policy
b) Human Resource Policy
● Working Time Policy
● Health & Safety Policy
● Employees Code of Conduct
● Disciplinary Procedure
c) Operational Policies
OBJECTIVE:
We conducted a review of ERP implementation activities to:
● Determine if the City’s key financial activities are being adequately
reviewed and documented prior to the new system implementation, to
ensure key financial processes are properly addressed by the new system;
● Provide an insight into the extent to which the SAP ERP solution is helping the
organization to achieve its business objectives;
● Identify gaps in the comprehensiveness and correctness of
transactions, including identifying areas of improvement;
● Check if the system is designed in the most optimal manner to meet the
business objectives;
● Assess overall risks;
● Accumulate results; and
● Conduct training on the observations to improve utilization of the SAP
solution.
SCOPE:
The scope of our audit was developed incorporating ISACA’s Control Objectives
for Information and related Technology (COBIT) standards and ERP Systems
Review Guidelines (ISACA Document G21). The audit was carried out in a two-
phased manner to review the SAP performance, utilization and optimization.
The following audit scope was developed using the ISACA standards and guidelines
discussed above, following a risk-based methodology. We separated our audit into
the following categories or key risk areas:
Audit Review Categories

Category for Review: Policies and Procedures
Areas Included: Review of policies, procedures and practices as relevant to areas of
audit, along with organization structure policies, procedures and practices as
mapped in the information system.

Category for Review: Review of IT Resources as relevant
Areas Included:
(a) Operating Software: Access Controls
(b) Telecommunications Software: Access Controls
(c) RDBMS Database: Access Controls
(d) SAP - Major focus area: Configuration of Parameters and Access Controls
(e) Application controls at various stages such as Input, Processing, Output,
Storage, Retrieval and Transmission, so as to ensure Confidentiality, Integrity
and Availability of data.

Category for Review: Integration Testing
Areas Included: Integration Testing Cycles

Category for Review: Data Conversion
Areas Included: Conversion Strategies, Cross Walk, Mock Conversion Testing Cycles
It should be noted that entity-level SAP controls for individual business units
were not included in this audit due to the resulting increase in scope. We did, however,
perform a high-level centralized internal controls review of the Governance, Risk and
Compliance (GRC) module and City access. These controls will be comprehensively
METHODOLOGY:
Due to the nature of the ERP implementation, reporting issues in a timely manner
presented unique challenges as compared to a standard audit. As is the case with
system implementation audits, issues present a moving target. Our reporting
process takes into account the fact that issues are expected to occur during an
implementation and do not necessarily present a risk to the project. Further,
management had several methods available at any given time during the project
to identify and remediate issues. As a result of the fast pace of the implementation
and the immediate management need for information, we developed the following
reporting process.
● Initially, we approach each potential issue with the appropriate section team
lead. Medium- and low-risk issues are not formally reported, though they may be
escalated to a higher level of management if required. This results in quick
response times for most issues and quick resolution of the large number of
smaller issues as they arise.
Recommendations:
1. The Steering Committee of the organization should segregate the duties to the
employees as per their roles.
2. The employees should be given access to the system as per their specified
roles, responsibility and authority.
3. Proper policy should be made for maintaining passwords like use of Upper
Case, Lower Case, numbers, special character, non-repetition of old
passwords.
4. Creation and deletions of User Ids should be with proper approvals from the
right persons. Proper documentation of the approvals should be maintained
for record purpose.
5. Access to the database should be secured not only at the application level but
also at the Operating System, database and network levels through suitable
controls.
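Recommendation 3 can be tested directly against the SAP profile parameters rather than by interviewing the Basis team. The script below is an added example and is not part of this report or of the auditee's system: the parameter names are standard SAP NetWeaver login/* profile parameters, while the baseline values and the sample export are assumptions constructed here to illustrate the check (the real target values come from the auditee's security policy). It compares each parameter in an RSPARAM-style export against the baseline, and treats a parameter missing from the export, or set to 0 for expiry and lockout, as a finding, because 0 switches those controls off.

```python
"""Audit check of SAP password-policy profile parameters.

Added example (not from the audit report or the auditee). Parameter names are
standard SAP login/* profile parameters; the baseline values and the sample
export below are assumptions constructed for illustration.
"""

# Constructed sample of a profile-parameter export: parameter -> value as text.
SAMPLE_EXPORT = {
    "login/min_password_lng": "6",
    "login/min_password_uppercase": "0",
    "login/min_password_lowercase": "1",
    "login/min_password_digits": "1",
    "login/min_password_specials": "0",
    "login/password_history_size": "0",
    "login/password_expiration_time": "0",
    "login/fails_to_user_lock": "5",
}

# Assumed audit baseline. ("min", n): value must be >= n.
# ("between", lo, hi): lo <= value <= hi; this also catches 0 ("disabled")
# for password expiry and user lockout.
BASELINE = {
    "login/min_password_lng": ("min", 8),
    "login/min_password_uppercase": ("min", 1),
    "login/min_password_lowercase": ("min", 1),
    "login/min_password_digits": ("min", 1),
    "login/min_password_specials": ("min", 1),
    "login/password_history_size": ("min", 5),
    "login/password_expiration_time": ("between", 1, 90),
    "login/fails_to_user_lock": ("between", 1, 5),
    "login/min_password_diff": ("min", 3),  # absent from the sample export on purpose
}


def _meets(rule, value):
    """True when an integer parameter value satisfies one baseline rule."""
    if rule[0] == "min":
        return value >= rule[1]
    if rule[0] == "between":
        return rule[1] <= value <= rule[2]
    raise ValueError(f"unknown rule kind {rule[0]!r}")


def check_password_params(export, baseline=BASELINE):
    """Return a list of findings; an empty list means every parameter meets the baseline.

    Each finding records the parameter, the observed value (None when the
    parameter is absent from the export, i.e. left at its default), the rule
    it fails and a status: WEAK, MISSING or NOT_NUMERIC.
    """
    findings = []
    for param, rule in baseline.items():
        raw = export.get(param)
        if raw is None:
            findings.append({"parameter": param, "observed": None, "rule": rule, "status": "MISSING"})
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append({"parameter": param, "observed": raw, "rule": rule, "status": "NOT_NUMERIC"})
            continue
        if not _meets(rule, value):
            findings.append({"parameter": param, "observed": value, "rule": rule, "status": "WEAK"})
    return findings


def summarize(findings):
    """One line per finding, suitable for pasting into the audit working paper."""
    lines = []
    for f in findings:
        rule = f["rule"]
        expected = f">= {rule[1]}" if rule[0] == "min" else f"{rule[1]}..{rule[2]}"
        lines.append(f"{f['status']:<12}{f['parameter']:<36}observed={f['observed']!s:<6}expected {expected}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(check_password_params(SAMPLE_EXPORT)))
```

Run against the constructed export, six of the nine baseline parameters fail: five are set below the baseline and one (login/min_password_diff) is not in the export at all, which an auditor should report as "left at default" rather than silently skip.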
Finance Module
Findings:
The Finance Module (FI) was designed for management of the processes involved in
preparation of the accounts. The FI module has inter-linkages with all the other
modules in the ERP system and consolidates all the financial information to
generate the financial statements of the Company. On review of the Finance
Module, the following observations were made:
[Table: counts by SAP accounting document type; the column headings did not
survive extraction, and the last figure in each row is the row total]
KR  Vendor Invoice          2   2   2   3   5   11    25
SA  G/L Account Document    1                          1
Each customer is allotted a unique code. However, there was more than one
customer code assigned to the same customer in 1103 cases in the customer
master.
Recommendations:
1. The scrap value is not entered into the system for all assets, due to which
the depreciation calculation in SAP is not correct. The Company must
ensure that all assets have their scrap value entered into the system, so
that the depreciation calculation is correct and as per the applicable laws and
regulations.
2. The company must bring the fixed assets which are in use by the company
but carried at zero book value to their respective scrap value, since assets which
are still in use, although their life as per the Schedule to the Companies Act is
over, must be reflected at their scrap value unless discarded or sold.
3. The company must adopt a System of Materials Requirements Planning
(MRP) to provide a clear vision into gaps between current inventory levels
and forecasted demand for each inventory item. Additionally, MRP generates
alerts and replenishment orders to keep a company’s inventory at an optimal
level. This would enable better control over material, prevent excessive
stocking and above all, ensure regular supply of materials for uninterrupted
production.
4. Clearance of the GR/IR account should be run at regular intervals to ensure that
no unnecessary entries remain in the GR/IR account, and management should
properly monitor the GR/IR account.
5. All details related to a material, such as freight, quantity and input credit of
taxes, should be properly entered into the system so that stock valuation can be
done correctly by the system. At present this cannot be done in SAP, as the
required details are absent, and the stock valuation calculated by SAP is
therefore not correct.
6. The CIO, together with the CEO, must work on scientific techniques and the
reporting requirements of the ERP to fairly determine the landed cost of material
and to identify non-moving and slow-moving material, with their respective expiry
dates or the period up to which they can be used, so that proper planning can be
done for issuance and consumption of raw materials and better utilisation of
resources.
7. The Management must make use of intelligent forecasting tools, to create an
efficient demand planning process and achieve optimal planning accuracy.
The individual plans from the various department managers including top
executives, sales, marketing, purchasing managers and so on, can be
integrated into one valid plan. Forecast analytics tools provide decision
makers with historical data and enable the visualization of market trends
which in turn allow for the adjustment of demand plans in real-time.
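Recommendations 1 and 2 above describe two related symptoms: depreciation that keeps running past zero when no scrap value has been entered, and assets still in use that ought to be carried at scrap value. The following script is an added example, not the auditee's SAP configuration or data: it recomputes straight-line net book value with the scrap value as a floor, mimics the no-scrap-value behaviour described in the report, and flags both conditions over a constructed asset register.

```python
"""Recompute straight-line net book value (NBV) with scrap value as a floor.

Added example; the asset register is constructed and the no-scrap-value
behaviour is modelled on the report's description, not taken from SAP.
"""


def straight_line_nbv(cost, scrap_value, useful_life_years, years_elapsed):
    """NBV after the given number of years, never falling below scrap value."""
    if not 0 <= scrap_value <= cost:
        raise ValueError("scrap value must be between 0 and cost")
    if useful_life_years <= 0:
        raise ValueError("useful life must be positive")
    annual_depreciation = (cost - scrap_value) / useful_life_years
    return max(cost - annual_depreciation * years_elapsed, scrap_value)


def nbv_without_scrap_floor(cost, useful_life_years, years_elapsed):
    """What the report describes when scrap value is missing: cost/life keeps
    being charged every year, so NBV reaches zero and then goes negative."""
    return cost - (cost / useful_life_years) * years_elapsed


# Constructed asset register; scrap_value None means "not entered in the system".
ASSET_REGISTER = [
    {"asset": "A1", "cost": 100000.0, "scrap_value": 5000.0, "life": 10, "capitalised": 2000, "in_use": True},
    {"asset": "A2", "cost": 60000.0, "scrap_value": None, "life": 5, "capitalised": 2003, "in_use": True},
    {"asset": "A3", "cost": 20000.0, "scrap_value": None, "life": 4, "capitalised": 2007, "in_use": True},
    {"asset": "A4", "cost": 50000.0, "scrap_value": 2000.0, "life": 8, "capitalised": 2008, "in_use": True},
]


def review_asset_register(register, as_of_year):
    """Return {asset_id: {"nbv": value, "flags": [...]}} for the report's conditions.

    Flags: SCRAP_VALUE_MISSING, NEGATIVE_NBV (asset has become a liability),
    IN_USE_AT_ZERO_NBV (should be carried at scrap value instead).
    """
    result = {}
    for a in register:
        years = as_of_year - a["capitalised"]
        flags = []
        if a["scrap_value"] is None:
            flags.append("SCRAP_VALUE_MISSING")
            nbv = nbv_without_scrap_floor(a["cost"], a["life"], years)
        else:
            nbv = straight_line_nbv(a["cost"], a["scrap_value"], a["life"], years)
        if nbv < 0:
            flags.append("NEGATIVE_NBV")
        elif nbv == 0 and a["in_use"]:
            flags.append("IN_USE_AT_ZERO_NBV")
        result[a["asset"]] = {"nbv": nbv, "flags": flags}
    return result


if __name__ == "__main__":
    for asset, r in review_asset_register(ASSET_REGISTER, 2011).items():
        print(asset, round(r["nbv"], 2), r["flags"])
```

As of 2011, asset A1 (scrap value entered) is carried at its scrap value of 5,000 although it is past its useful life, while A2 (no scrap value) shows a negative book value and A3 sits at zero while still in use, which are the two conditions the recommendations ask the company to correct.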
Vendor Master
Findings:
The Company was maintaining 76543 vendor master records. Review of these
records revealed:
● Multiple vendors with the same bank account: it was seen that 76 vendor
records were attached to 37 bank accounts, indicating a risk of irregular
payments.
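Both the duplicate customer codes noted above (1103 cases) and the vendor records sharing bank accounts can be found with a simple master-data analysis on the extract. The script below is an added example and uses constructed records, not the auditee's vendor master; the name-normalisation rules (dropping "M/s", punctuation and legal-form words) are an assumption about how the same party gets keyed in differently. It separates the plain re-keyed duplicates from the higher-risk case of unrelated vendor names attached to one bank account.

```python
"""Detect duplicate vendor records and vendor codes sharing a bank account.

Added example; the vendor extract and normalisation rules are constructed
for illustration and are not the auditee's data.
"""
import re
from collections import defaultdict

# Tokens that vary between entries of the same party and carry no identity.
NOISE_TOKENS = {"LTD", "LIMITED", "PVT", "PRIVATE", "CO", "COMPANY", "AND", "THE"}


def normalize_name(name):
    """Upper-case, drop 'M/s', punctuation and legal-form words, collapse spaces."""
    upper = name.upper().replace("M/S", " ")
    tokens = re.sub(r"[^A-Z0-9]+", " ", upper).split()
    return " ".join(t for t in tokens if t not in NOISE_TOKENS)


def bank_key(ifsc, account):
    """Bank identity independent of case, spacing and dashes in the export."""
    return (ifsc.strip().upper(), re.sub(r"\D", "", account))


# Constructed vendor-master extract: (code, name, IFSC, account number).
VENDORS = [
    ("V0001", "ABC Engineering Pvt. Ltd.", "SBIN0001234", "30123456789"),
    ("V0002", "ABC ENGINEERING PRIVATE LIMITED", "sbin0001234", "3012 3456 789"),
    ("V0003", "M/s Sharma Traders", "HDFC0000456", "501000223344"),
    ("V0004", "Sharma Traders & Co", "HDFC0000456", "5010-0022-3344"),
    ("V0005", "Kumar Steels Ltd", "ICIC0007890", "000401234567"),
    ("V0006", "Quick Logistics", "ICIC0007890", "000401234567"),
    ("V0007", "Kumar Steel Industries", "UTIB0002222", "917020011223"),
]


def find_duplicate_names(vendors):
    """{normalised name: [codes]} for names that map to more than one vendor code."""
    groups = defaultdict(list)
    for code, name, _, _ in vendors:
        groups[normalize_name(name)].append(code)
    return {k: v for k, v in groups.items() if len(v) > 1}


def find_shared_bank_accounts(vendors):
    """{(ifsc, account): [codes]} for bank accounts attached to several codes."""
    groups = defaultdict(list)
    for code, _, ifsc, account in vendors:
        groups[bank_key(ifsc, account)].append(code)
    return {k: v for k, v in groups.items() if len(v) > 1}


def shared_accounts_with_different_names(vendors):
    """The higher-risk subset: one bank account behind vendors whose names do
    not normalise to the same party, so it cannot be a plain re-keying."""
    name_of = {code: normalize_name(name) for code, name, _, _ in vendors}
    out = {}
    for key, codes in find_shared_bank_accounts(vendors).items():
        if len({name_of[c] for c in codes}) > 1:
            out[key] = codes
    return out


if __name__ == "__main__":
    print("duplicate names:", find_duplicate_names(VENDORS))
    print("shared accounts:", find_shared_bank_accounts(VENDORS))
    print("shared, different parties:", shared_accounts_with_different_names(VENDORS))
```

On the constructed extract the two ABC and two Sharma records are re-keyed duplicates, while V0005 and V0006 are different names paying into one account, which is the case that warrants follow-up with the payment approvals.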
Recommendations:
The Company should link the credit limit of the Customers with the respective
Ledgers account so that system could automatically detect whether the Credit limit
is crossed or not, and if crossed then Sales to that customer cannot be booked in the
system. This will prevent the excess credit limit given to the customer and reduce
Interest cost to the company.
Findings:
1. Assets carrying negative value: As per the general principles of asset
accounting, assets should not carry negative balances, since that will turn them
into liabilities rather than assets. During review of assets for the year 2010-
11, it was found that some assets were carrying negative balances.
During review it was found that users enjoyed various combinations of critical
transactions, the details of which are as follows:
(i) Eight hundred users were authorized to create PR and release i.e. approve
the PR;
(ii) Nineteen users were authorized to create PO and release i.e. approve the
PO; and
(iii) Thirteen users were assigned roles to receive goods (Make Goods Receipt
Voucher) and process vendor invoices.
Recommendations:
1. Since the scrap value of assets is not entered into the system and its linkage
with the depreciation calculation function of the ERP is missing, assets are
carried in the balance sheet with negative value, as higher depreciation is
charged on assets, resulting in assets with zero value or even a negative
balance in the ERP. The Company is advised to properly enter the scrap value of
each asset and link it with the depreciation calculation function.
2. Access rights should be assigned to employees in line with segregation of
duties and the principle of least privilege, so that the same person does not
perform functions which are interlinked with each other and may result in
frauds in the company; moreover, proper rotation of duties should also be in
place.
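The three critical combinations reported in the findings (create and release a PR, create and release a PO, receive goods and process the vendor invoice) and the segregation-of-duties recommendation above can be tested mechanically from the role assignment tables. The script below is an added example, not the auditee's GRC rule set: the roles, users and role-to-transaction mapping are constructed, and the conflict rules are expressed with the standard SAP transaction codes for those activities (ME51N/ME54N, ME21N/ME29N, MIGO/MIRO). It resolves each user's effective transaction codes through all assigned roles, which is where conflicts usually hide when no single role looks wrong.

```python
"""Segregation-of-duties check over SAP user-role assignments.

Added example; roles, users and the role-to-transaction mapping are
constructed. The rules are the three combinations named in the findings.
"""
from collections import defaultdict

# Conflict rules: (name, side A t-codes, side B t-codes). A user holding at
# least one code from each side violates the rule.
SOD_RULES = [
    ("PR create vs PR release", {"ME51N"}, {"ME54N"}),
    ("PO create vs PO release", {"ME21N"}, {"ME29N"}),
    ("Goods receipt vs invoice verification", {"MIGO"}, {"MIRO"}),
]

# Constructed role -> transaction codes (what a PFCG / AGR_TCODES extract gives).
ROLE_TCODES = {
    "Z_PR_CREATE": {"ME51N"},
    "Z_PR_RELEASE": {"ME54N"},
    "Z_PO_CREATE": {"ME21N"},
    "Z_PO_RELEASE": {"ME29N"},
    "Z_GOODS_RECEIPT": {"MIGO"},
    "Z_AP_INVOICE": {"MIRO"},
    "Z_DISPLAY_ONLY": {"ME53N", "ME23N"},
}

# Constructed user -> roles (AGR_USERS style).
USER_ROLES = {
    "U001": ["Z_PR_CREATE", "Z_PR_RELEASE"],
    "U002": ["Z_PO_CREATE", "Z_PO_RELEASE", "Z_GOODS_RECEIPT"],
    "U003": ["Z_GOODS_RECEIPT", "Z_AP_INVOICE"],
    "U004": ["Z_PR_CREATE", "Z_DISPLAY_ONLY"],
    "U005": ["Z_PO_CREATE", "Z_GOODS_RECEIPT", "Z_AP_INVOICE"],
}


def effective_tcodes(user, user_roles=USER_ROLES, role_tcodes=ROLE_TCODES):
    """Union of transaction codes a user obtains through all assigned roles."""
    codes = set()
    for role in user_roles.get(user, []):
        codes |= role_tcodes.get(role, set())
    return codes


def find_sod_conflicts(user_roles=USER_ROLES, role_tcodes=ROLE_TCODES, rules=SOD_RULES):
    """Return {user: [names of rules violated]} for users holding both sides of a rule."""
    conflicts = {}
    for user in user_roles:
        held = effective_tcodes(user, user_roles, role_tcodes)
        violated = [name for name, side_a, side_b in rules if held & side_a and held & side_b]
        if violated:
            conflicts[user] = violated
    return conflicts


def count_by_rule(conflicts):
    """Population per conflict, the figures a finding reports (e.g. how many
    users can both create and release a PR)."""
    counts = defaultdict(int)
    for violated in conflicts.values():
        for name in violated:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    found = find_sod_conflicts()
    for user, rules in found.items():
        print(user, "->", "; ".join(rules))
    print(count_by_rule(found))
```

Extending the rule list (for example PO creation against invoice verification) is a matter of adding a tuple; the check itself does not change, and the per-rule counts give the population figures that a recommendation to remediate should quote.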
(ii) Lack of relational integrity was observed between the materials shown under
work in progress (WIP) in material management module and the
corresponding status of the material in the production planning module.
(iii) The system was not designed to adjust the advance payment made
immediately on receipt of material. This resulted in overlapping
accounting entries, both debiting and crediting the inventory account, and wrong
depiction of the accounting status of payments as advances.
(iv) The system was not designed to calculate rates as a percentage above or below
the accepted tender rates. This resulted in not only duplication of work but
full dependence on manual controls.
(v) The system did not exhibit the opening balance of the ledger resulting in this
being incorporated through manual intervention to prepare Trial balance.
(vi) After creation of the master database, the system did not display relevant pop-
ups at the time of entering the data which was required to ensure data integrity.
This led to multiple party codes for the same party, in respect of supply
contract, works contract and miscellaneous contracts.
The absence of referential integrity between sale order and production order
resulted in data inconsistency, incorrect valuation of raw material and manual
intervention. This increased the risk of incorrect data being processed and
accounted as illustrated below: -
● The value of the raw materials differed among account schedules, purchase price,
store ledger and pricing entry.
● The status of material worth Rs.10.2 million was shown as ‘finished goods’ as
on 31 March 2008 even though the materials had been sold in March 2007.
● Test check of major completed sale orders revealed that out of six sale orders
selected, against three sale orders the production orders were not closed (May
2008). Hence, these were still shown under WIP and manual entries were resorted
to effect value reduction (Rs.23.6 million) in WIP as at 31 March 2008.
● Out of 3702 production orders reviewed, 177 were created without linking to any
authorized orders.
● Absence of uniform pattern for coding of material built into the system resulted
in inconsistent material codes in the system.
● Incomplete capturing of details in columns like profit center, purchasing group
etc., affected the cost allocation.
● The non-incorporation of data in respect of net value, material code, vendor code
and quantity etc. affected allocation of cost and the accounts of the units.
● The system was designed to block duplicate entries of vendors. However,
inconsistency in pattern of data entry led to duplicate vendor codes, which led to
risk of inconsistent order placements and deficient payment tracking for the
vendors.
Recommendations:
1. Many cases were identified during our audit in which TDS was not
deducted at the time of payment to contractors, because the system
automatically offered the option to deduct TDS only at the time of
booking the invoice in the ERP. We therefore recommend that the
company develop a tool in the ERP which automatically flags advance
payments on which a TDS liability arises, so that the company can
properly deduct TDS on advance payments and deposit it on time.
2. The targets decided for managing team members should be linked, in their
respective IDs in SAP, with their actual figures of completed targets,
to keep a check on the performance of the Sales & Marketing team and help
them achieve their targets, while also enabling management to keep a
check over them.
Password policy
Ensure that password policy parameters are set as:
● The linkages and interfaces of FA module with other modules were yet
to be implemented (September 2007);
● The validation checks were inadequate, critical changes in business
rules were not incorporated/updated; and
● The business continuity and disaster recovery system were deficient
● The system was not envisaged to generate region wise trial balances
although separate regional cost centers were maintained. Thus, the
system could not monitor and evaluate performance of different
regions.
● Simple functions like calculation of tax deducted at source, sales tax,
other taxes, etc. were not envisaged to be performed through the
system. Thus, recovery/short recovery of the above items had to be
calculated and monitored manually.
● The system was not envisaged to capture the accounting period to
which the bills related. Thus, important information like
outstanding liabilities and prepaid expenses of the respective accounting
period could not be generated. For example, a contractor’s/supplier’s
bill which related to the accounting period 2006-07 could be accounted
for in 2007-08 and vice versa, and prepaid insurance for the period 2007-08
could be booked as expenditure in 2006-07.
● Critical information relating to contracts such as, date of completion,
number of extensions, penalty waived, interest levied/waived for
delayed completion/supply were not envisaged to be captured to enable
the system based monitoring and evaluation of the execution of
contracts.
❖ Equipment Reference
❖ WBS Element, etc.
Review of controls around creation of maintenance orders in the SAP PM module
highlighted the following inadequacies:
- SAP allows the creation of back-dated ‘Maintenance Orders’
While reviewing the list of maintenance orders (through IW39) created
during the audit period, instances were noted where the date of
creation of the maintenance order was after its basic start date. A further
walk-through highlighted that there is no restriction in SAP on creating
a back-dated maintenance schedule.
During the walk-through of the process for creating a maintenance order in SAP
through IW31, it was noted that there is no restriction in SAP on modifying the
initial details (entered at the time of creating the order) such as Start Date, End
Date, WBS Element, Equipment, Business Area, etc. All these
modifications are allowed until TECO (technical ok) is done in SAP.
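Both gaps described above, back-dated order creation and unrestricted changes to key order fields before TECO, are visible in the order list and the change records, so they can be re-tested on every extract rather than only in a walk-through. The script below is an added example and is not the auditee's data: the IW39-style order list and the change records are constructed, and the field labels are an assumption about how the extract names them. It reports each order created after its basic start date (with the gap in days) and each change to a key field after creation, noting whether the change fell before TECO.

```python
"""Re-test of two PM maintenance-order controls on an order extract.

Added example; the order list, change records and field labels are
constructed for illustration and are not the auditee's data.
"""
from datetime import date

# Constructed IW39-style list: order, created on, basic start, TECO date (None = still open).
ORDERS = [
    {"order": "MO1001", "created_on": date(2019, 4, 10), "basic_start": date(2019, 4, 1), "teco_on": date(2019, 4, 20)},
    {"order": "MO1002", "created_on": date(2019, 5, 2), "basic_start": date(2019, 5, 5), "teco_on": None},
    {"order": "MO1003", "created_on": date(2019, 6, 15), "basic_start": date(2019, 6, 15), "teco_on": date(2019, 6, 18)},
]

# Constructed change records (what a change-document extract would show).
CHANGES = [
    {"order": "MO1002", "field": "Basic start date", "changed_on": date(2019, 5, 10)},
    {"order": "MO1002", "field": "WBS element", "changed_on": date(2019, 5, 12)},
    {"order": "MO1003", "field": "Equipment", "changed_on": date(2019, 6, 16)},
    {"order": "MO1003", "field": "Long text", "changed_on": date(2019, 6, 17)},
]

# Fields the report lists as modifiable without restriction until TECO.
KEY_FIELDS = {"Basic start date", "Basic finish date", "WBS element", "Equipment", "Business area"}


def find_backdated_orders(orders):
    """[(order, days)] for orders created after their basic start date."""
    out = []
    for o in orders:
        gap = (o["created_on"] - o["basic_start"]).days
        if gap > 0:
            out.append((o["order"], gap))
    return out


def find_key_field_changes(changes, orders, key_fields=KEY_FIELDS):
    """[(order, field, days after creation, before_teco)] for key-field changes.

    Each entry is a change that needs a documented reason; before_teco is
    False for a change dated after TECO, which the system should not allow.
    """
    created = {o["order"]: o["created_on"] for o in orders}
    teco = {o["order"]: o["teco_on"] for o in orders}
    out = []
    for c in changes:
        if c["field"] not in key_fields:
            continue
        days = (c["changed_on"] - created[c["order"]]).days
        t = teco[c["order"]]
        before_teco = t is None or c["changed_on"] <= t
        out.append((c["order"], c["field"], days, before_teco))
    return out


if __name__ == "__main__":
    print("back-dated orders:", find_backdated_orders(ORDERS))
    for row in find_key_field_changes(CHANGES, ORDERS):
        print("key field change:", row)
```

Same-day creation (MO1003) is not treated as back-dating; only a creation date strictly after the basic start date is reported, which matches the condition stated in the finding.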
● Non-usage of SAP functionality – Breakdown Analysis
As per the Blue Print of the Preventive Maintenance Module, ‘Season Maintenance
activity scope includes all planned or unplanned maintenance
requirements on the equipment. This scenario deals with the creation and
processing of maintenance work orders, to capture all the
breakdown/Corrective/Scheduled/Routine maintenances that occur on
equipment’. On confirmation of the development of ‘Preventive
Maintenance Schedule & Breakdown Maintenance’, it was informed
that the functionality has been developed in SAP. However, during our review,
it was noted that breakdown analysis is currently being done in Excel.
9. Audit Checklist
CONCLUSION
As mentioned above, there are several weaknesses and risks present
in the internal control system and the IT system of the company.
Although the company went live in the ERP environment within a short span
of 12 months, various modules of the ERP are not
integrated appropriately. This leads to an increased risk of errors in the
financial and operating data provided by the system. Such errors in the
system would increase the need for manual workings and reports to be
prepared for top management, which would in turn increase the need
for manpower, so that the ERP implementation would ultimately not be
cost-effective for the Company. Further, the lack of a proper
internal control system could also increase the risk of frauds in the
Company. Therefore, it is suggested that management perform a
thorough trial and check of the ERP and implement the required internal
controls in the system.