
M/s RTA & CO. | CHARTERED ACCOUNTANTS

PROJECT REPORT OF DISA 3.0 COURSE

AUDIT ON ONLINE BOOKING SYSTEM

Page 1 of 22

Certificate
Project Report of DISA 3.0 Course
This is to certify that we have successfully completed the DISA 3.0 course training conducted online
from 28th October, 2020 to 18th November, 2020 and that we have the required attendance. We are submitting
the Project titled "AUDIT ON ONLINE BOOKING SYSTEM".

We hereby confirm that we have adhered to the guidelines issued by the Digital Accounting and Assurance Board
(DAAB), ICAI for the project. We also certify that this project report is the original work of our group and
that each one of us has actively participated and contributed in preparing this project. We have not shared
the project details or taken help in preparing the project report from anyone except members of the group.

SL NO | NAME | MEMBERSHIP NO | DISA NO | SIGNATURE
1 | RICHI SAXENA | 520735 | 63548 |
2 | TEJA KAMIREDDI | 245566 | 63589 |
3 | ARCHIE DALMIA | 439960 | 63503 |

DATE: 08-11-2020


Table of Contents
SL.NO | CONTENTS | PAGE NO.
1 | Introduction | 4-5
2 | Auditee Environment | 6-7
3 | Background | 8
4 | Situation | 9
5 | Terms and Scope of Assignment | 10
6 | Logistic Arrangements Required | 11
7 | Methodology and Strategy Adopted for Execution of Assignment | 12-13
8 | Documents Reviewed | 14
9 | References | 15
10 | Deliverables | 16
11 | Format of Report/Findings and Recommendations | 17-21
12 | Summary | 22


1. INTRODUCTION
Client Introduction
Arrange My Trip Limited (AMT) provides services to its customers through an online booking system, using
information technology as its key enabler. The system is large enough to handle many simultaneous
operations, such as:

1. Arranging data according to the client's requirements related to budget, facilities demanded, etc.

2. Suggesting destinations based on real-time reviews and accordingly listing the destinations in demand.

3. Suggesting the best means of travel throughout the whole planned itinerary.

4. Locating the prioritized hotels to stay in and the nearby places to visit for shopping/food/fun/leisure
activities.

5. Last but not least, arranging the various documentation required for visiting the finalized locations,
such as visas.

The top management of the company has laid down the directions for the overall functioning of the whole
system and deployed the information systems for managing the activities required, so that the client's
search operations are optimized and handy system support, along with customer care facilities, is made
available to the clients.

The information technology processes required to implement these practices have been custom developed by
AMT Limited and are fully integrated with the back-end processes involved in providing the clients the
services mentioned above. Now that the company is dealing with large volumes of data, with extensive
procedures applied to it through the information systems, AMT Limited proposes to have a comprehensive
audit of its online booking system. The objective of the IS audit is to identify potential areas for
improvement of controls and to identify all risk factors present in the system, so that they can be
mitigated by implementing controls and the whole IT environment, particularly the online booking system, is
secure and safe, and thereby to provide assurance to the senior management of AMT Limited.


Auditor Firm Introduction

Name of the Firm: M/s RTA & Co.

Experience in IS Audit: 10 Years

M/s RTA & Co. is a chartered accountants firm consisting of 3 full-time partners who are qualified
chartered accountants specializing in information systems audit. The firm has extensive experience in
handling risk-based internal audits, assurance functions, accounting and other taxation matters. The offices
of the firm are equipped with high-end software tools which can be integrated with the client's systems so
as to perform audits in a more professional manner. The team of the firm consists of 20 articled assistants
and 5 paid staff who have hands-on experience of working in customized software environments and adequate
in-depth knowledge of the auditing function.

The details of the partners of M/s RTA & Co. are listed below:

Name of Partner | ACA/FCA | Years of Experience | DISA/CISA Qualification | Email-Id
Mr. R | FCA | 10 | DISA | r.audit@rta.org
Mr. T | FCA | 10 | DISA | t.audit@rta.org
Ms. A | FCA | 8 | DISA | a.audit@rta.org

A team of 10 members would be deployed for the referred audit, led by Mr. R, who has 10 years of experience
in the relevant field. The project's completion time frame will be 25 man-days.


2. AUDITEE ENVIRONMENT
The primary objective of the assignment is to conduct an Information Systems Audit of the Online Booking
System and to develop a set of related IS audit checklists for future use, so that they can be used by
external auditors for verifying the accuracy of the whole online booking process.
The enterprise, AMT Limited, is a multi-national company whose business revolves around procuring data
about destinations, hotels, transportation facilities and the like, and presenting it in a meaningful way
to the company's customers so that they can make informed decisions about where to travel, how to travel,
etc. in the most efficient way while also availing the best facilities throughout their travel and stay.
The company's organization structure is well built with a top-down approach, and robust IT systems have
been deployed for the overall functioning of the whole system. The auditee environment, along with
information about the system software, database, regulatory requirements, internal policies and security
policies in place, is outlined in the following paragraphs:
a. The whole auditee environment consists of the custom-developed application software known as the Online
Booking System (OBS), the hardware including the networking devices, the database in which all of the data,
including that of internal and external users, is maintained, and the system software.

b. The application software maintained by the enterprise is OBS (Online Booking System), with an
appropriate database in which all details about destinations, transport agencies, hotels, motels,
restaurants, theme planners etc. are stored for clients' usage and retrieval, and in which all client-level
details are stored, such as name, age, identification number, wishlist and history of previous destinations
visited. The system is a real-time system in which all details related to the present status of bookings,
travel, climate etc. are updated on a real-time basis. The application system is also connected with the
payment gateway named paytime so as to complete user payment transactions in real time and in the most
secure way.

c. The database is an RDBMS in which the whole data set can be searched using a few key elements only, so
no time is wasted while searching for particular destinations etc. The database is under the complete
control of a Database Administrator (DBA), who manages the data structures, data updates and data control
tasks.

d. The company has an internal security policy outlining the roles and responsibilities for system
security, network security and other hardware security required in the organization.

e. Windows 10 based operating systems have been installed as the system software for the appropriate
functioning of the application software used in the organization. The operating system provides an
interface between the user and the hardware through a GUI and also manages and allocates memory space for
applications. The operating system is also responsible for the security management of files and
applications.

f. An application-level gateway firewall has been installed in the network. It serves as a proxy firewall
operating at the application layer, filtering incoming traffic between the network and the traffic source.

g. An information security policy is required by organizations to establish a general approach to
information security and to detect and forestall compromises of information security such as misuse of
data, networks, computer systems and applications. An information security policy is also required to
protect the reputation of the company with respect to its ethical and legal responsibilities. AMT Limited
has an appropriate information security policy in place, and this policy addresses all data, programs,
systems, facilities, other technical infrastructure, users of technology and third parties without
exception.

h. The legal regulations applicable to the organization specifically pertaining to the information systems
audit are the Information Technology Act, 2000 (as amended in 2008) and the e-Governance policy issued in
March 2020 by the Government of Jammu & Kashmir (GoJK), which provides for maintaining an online record of
the hardware and software inventory (H&SI).


3. BACKGROUND
AMT Limited proposes to have a comprehensive IS audit of the whole IT environment of the company. An
information systems audit comprises an audit of the application system installed in the company along
with an audit of the system software, hardware, networking devices, system security and other
interconnected mechanisms, including adherence to the regulations applicable to the organization. The
proposed IS audit is further subject to the applicable auditing standards of ICAI.

The objective of the organization's plan to go for an IS audit is to identify areas for improvement of
controls by benchmarking against global practices, and further to ensure that the risks identified are
mitigated by controls designed by the organization, so that the application software installed is secure
and safe. The IS auditors are also expected to provide an IS audit checklist for future use by the company.

The planned information security audit is also to focus on data privacy, covering the technology controls
that enforce confidentiality on any database, file system or application server that provides access to
personally identifiable data.


4. SITUATION
AMT Limited has for the first time integrated all its business units located in different areas of India
by adopting the OBS-ERP system. With the integration of the new OBS-ERP system with their traditional OBS
system, a need has arisen to effectively implement control measures so as to mitigate the risks involved
in such integration, along with the risk of data loss. Further areas of operation that need to be
addressed are data storage access, migration of data, maintenance of centralized servers and AMC
contracts. The company had been functioning effectively with its OBS system prior to the integration with
OBS-ERP, but there were issues related to data access and data retrieval at the branches of the company,
which are being resolved by the implementation of OBS-ERP.

Now that the company has integrated the OBS-ERP system, it becomes essential for the company to implement
control mechanisms over the whole IT environment, as the company deals directly with the public at large
and it is therefore very important to maintain the confidentiality of the public's data shared with the
systems of the organization. The network technology, along with the payment gateways, is also required to
be robust and secure enough to provide a user-friendly experience to the end users of the organization.
AMT Limited has taken all these factors into consideration while deciding on the reasons for taking up
the IS audit. The problems which have been identified and the control weaknesses which are to be looked
into are summarized as follows:

Problematic Areas:
a. Risk of data duplication and unauthorized data retrieval.
b. Unauthorized changes to the data entered in the system regarding the information to be shared with
prospective customers.
c. Frequent failure of the system.
d. Lack of a proper BCP and DRP.

Control Weaknesses giving rise to risk scenarios:

a. Inadequate control procedures are in place at present, giving rise to the various kinds of risk the
company is currently facing.
b. Inherent limitations in the customized application software, as the software has not passed through
any trial phase.
c. No proper policy is in place regarding the usage of personal devices such as tablets, mobile phones etc.
d. No centralized helpdesk system has been made available for technical issues.
e. No proper backup strategy is in place at present. Data redundancy checks are also not implemented.
f. A BCM manual has not been framed by the management.


5. TERMS & SCOPE OF ASSIGNMENT

RTA & Co (Chartered Accountants) have been appointed to conduct an Information Systems Audit of the
OBS-ERP implementation and to develop related audit checklists. The IS audit of OBS-ERP has the objective
of providing comfort on the adequacy and appropriateness of controls and of mitigating operational risks,
thus ensuring that the information systems implemented through OBS-ERP provide a safe and secure
computing environment. Further, specific areas of improvement would be identified by benchmarking against
the globally recognized best IT practices of the COBIT framework. These terms of reference are based on
preliminary discussions the assignment team had with the AMT team and are subject to further modification
as required at various stages of the audit.
Broadly, the scope of review, primarily from a security/controls perspective, would involve:
a. Reviewing the processes relating to granting access to systems, verifying the logical access controls
and assessing whether the specified roles and responsibilities are aligned with the business, so as to
safeguard against unauthorized use, disclosure, modification, damage or loss at any level.
b. Assessing that audit trails exist to ensure effective monitoring of the mission-critical systems and
processes.
c. Assessing vulnerabilities of the OBS-ERP implementation to attacks from within and outside, and
suggesting appropriate countermeasures to safeguard against unauthorized use, disclosure, modification,
damage or loss.
d. Assessing and evaluating the management system for all changes requested and made to the existing
systems, so as to minimize the likelihood of any type of disruption.
e. Assessing the internal control framework in respect of the specified OBS-ERP application, reviewing
parameter settings and configuration management, and suggesting improvements so as to ensure that data
remains complete, accurate and valid during its input, update and storage.
f. Assessing application controls at the various stages such as input, processing, output, storage,
retrieval and transmission, so as to ensure the confidentiality, integrity and availability of data.
Based on our understanding of the company's need for conducting an information security audit of the
online booking system, we propose the scope of review and the terms of reference laid down below. The
scope of review has been prepared on the basis of discussions with the key members of the assignment
team, and thereafter a detailed methodology has been framed for the audit to be performed. The
methodology so framed is subject to the modifications that might be required during the audit process
according to prevailing conditions. Broadly, the scope of review, primarily from a security/controls
perspective, would include:
a. Review of the information security policy, identification of risks and suitability of the control
practices established.
b. Review of the application software's working in the controlled environment and review of its safety
and security aspects.
c. Assessing the impact of the linkages with the installed payment gateway and the control mechanisms in
place.
d. Review of the IT resources as a whole.


6. LOGISTIC ARRANGEMENTS REQUIRED

The IS auditor requires the following tools for the audit:

Hardware:

a. Windows-based systems, PDAs and laptops.

b. Printers and other printing devices.

c. Scanners.

d. Storage media.

System Software:

The auditor has to select the system software according to the IT environment in AMT Ltd, and
accordingly the auditor will use Windows 10 as the system software for performing the audit.

Application Software:

The auditor will be using CAAT tools, as CAATs are significant tools for auditors to gather evidence; they
also provide a means to gain access to the systems and analyse data for a predetermined audit objective,
and finally support reporting the findings with evidence. IDEA audit software will be used by the auditor
as the CAAT tool for performing the audit of the company's IT system.

Apart from this, the auditor will use the application software implemented in the organization, i.e.
OBS-ERP, for checking the calculations and the data access and data retrieval methods. Test data packets
will also be entered into the system for thorough checking, and the Integrated Test Facility method will
also be used simultaneously.
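Two of the CAAT tests that such an analysis would run, written out here as an added example in Python (not code from this report, from IDEA or from AMT): a duplicate-key test, which addresses the data-duplication risk noted in the Situation section, and a sequence-gap test, which addresses missing booking IDs. The extract layout (column names), the rule that booking IDs form a gap-free numeric sequence, and the sample rows are all assumptions made for illustration.

```python
"""Added example, not part of the audit report: two classic CAAT tests
(duplicate-key test and sequence-gap test) run over a constructed extract
of OBS-ERP booking records.

Assumptions (hypothetical, not stated in the report): the extract is CSV
with the columns booking_id, customer_id, hotel_id, checkin, amount, and
booking_id is a numeric sequence that should contain no gaps.
"""
import csv
import io
from collections import defaultdict

# Constructed sample extract: 10010 repeats 10009 and 10012 repeats 10011
# on every business field (possible double bookings); 10013 is absent
# from the sequence (a possibly deleted or lost booking).
SAMPLE_EXTRACT = """booking_id,customer_id,hotel_id,checkin,amount
10009,C001,H17,2020-11-02,4500
10010,C001,H17,2020-11-02,4500
10011,C002,H03,2020-11-05,12000
10012,C002,H03,2020-11-05,12000
10014,C003,H17,2020-11-06,7800
10015,C004,H09,2020-11-07,3100
"""

# Business key: the fields that together should identify one real booking.
KEY_FIELDS = ("customer_id", "hotel_id", "checkin", "amount")


def load_extract(text):
    """Parse the CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_duplicates(rows, key_fields=KEY_FIELDS):
    """Duplicate-key test: group rows on the business key and return the
    keys that carry more than one booking_id."""
    groups = defaultdict(list)
    for row in rows:
        groups[tuple(row[f] for f in key_fields)].append(row["booking_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def find_sequence_gaps(rows):
    """Gap test: booking IDs are expected to be continuous, so every
    number between the lowest and highest ID that is absent is a gap."""
    present = {int(r["booking_id"]) for r in rows}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def run_caat_tests(text=SAMPLE_EXTRACT):
    """Run both tests and return the exceptions for follow-up."""
    rows = load_extract(text)
    return {"duplicates": find_duplicates(rows), "gaps": find_sequence_gaps(rows)}


if __name__ == "__main__":
    result = run_caat_tests()
    for key, ids in result["duplicates"].items():
        print("possible duplicate booking", key, "->", ids)
    print("booking IDs missing from sequence:", result["gaps"])
```

The exceptions these tests produce are indicators, not conclusions: each duplicate group and each gap has to be traced to source documents (a cancellation, a rebooking, a deleted test record) before it is reported as a finding. The same two tests, run against extracts taken from the legacy OBS and from OBS-ERP, also give a quick completeness check on the data migration mentioned in the Situation section.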


7. METHODOLOGY AND STRATEGY ADOPTED FOR EXECUTION OF ASSIGNMENT
Understanding the OBS-ERP system of the organization is one of the main challenges faced by any auditor.
It is quite important to know what the status of the system will be after two or three years of its
implementation. As such, the major areas of focus are listed here so as to frame the methodology
accordingly and complete the audit process within time.

The objectives and scope of the audit were explained to the management in the initial meetings held with
them, seeking their co-operation. Samples were collected using sampling techniques: four divisions were
selected from each of sixteen regions, and the data was stratified in terms of the highest revenue
generated with the highest traffic load.

The major areas of focus are as follows:

a. The first major area of focus is the controls implemented within the organization. It is imperative to
check whether adequate controls have been implemented at all levels of the organization, including across
the whole IT environment.

b. Undertake an in-depth study and analysis of all aspects of the security and control procedures related
to IT and environmental aspects, and identify the way in which the system actually operates. In doing so,
the following objectives would be kept in mind while setting the overall goals.

c. Review the user agreement and terms of service that form the terms and conditions for the use of the
services and products of AMT Ltd, and review the terms and conditions of the contract between AMT Ltd and
the OBS-ERP system developer.

d. Verify that the general controls are adequate, that the OBS-ERP system is operated in an adequately
controlled environment, that the application controls are adequate, and that the system complies with the
laid-down business rules and is adequately secured against the possibility of fraud.

e. Verify that the accounting agreements and the control mechanisms for monetary transactions are adequate.

f. Review all physical access to computing equipment as well as to the facilities housing the IS computing
equipment and supplies.

g. Review the procedures used by management to ensure that individuals having access to sensitive
facilities are adequately restricted and possess physical access authorisation.

h. Review that the security policies and procedures at the enterprise level, system level and process level
are aligned with the stated business objectives.

i. Review the emergency procedures adopted by the organisation, and whether they are clearly documented and
readily accessible.

j. Review that the necessary logical access control framework, in the form of logical access security
policies and standards, is in place and effectively communicated.

k. Evaluate the various logical security techniques and mechanisms for their effective implementation,
operation and administration.

l. Determine the level of effectiveness of logical security by determining compliance with procedure
manuals, such as administrator manuals and user manuals.

m. Test the appropriateness of the OBS-ERP configuration and of any security-bypass procedures.

n. Visually examine the presence of water and smoke detectors, and examine the power supply arrangements
to such services, testing logs etc. in the server room, so that no data is lost.

o. Examine the location of fire extinguishers and fire-fighting equipment and the refilling dates of fire
extinguishers, and ensure they are adequate and appropriate.

p. Examine complaint logs and maintenance logs to assess whether Mean Time Between Failures (MTBF) and
Mean Time To Repair (MTTR) are within acceptable levels.


8. DOCUMENTS REVIEWED
The following documents were verified/reviewed during the audit assignment:

a. Documentation of the agreement between the software vendor and the company.

b. Internal policies framed for implementation of the software so procured.

c. Internal policies on software management and user controls.

d. Documents related to the SOP and the technology used during the process of conversion from the OBS
model to the OBS-ERP model.

e. Documentation related to the security control framework framed for the organization and its
implementation status.

f. Training programs conducted for smooth implementation of the whole process and for continuous updating
of the staff working on the systems.

g. The data collection process and the means of its storage.

h. Inspection of the monitoring process and the rectification process implemented.

i. AMC contracts with the vendor and the roles assigned.

j. Documentation of security policies and procedures; it was also verified whether the entity has any
Business Continuity Plan and Disaster Recovery Plan.

k. Downtime report and documentation of online bookings during downtime.


9. REFERENCES
The following references have been used for the completion of the assignment:

a. Standards, Guidelines and Techniques for Information Systems Audit and Assurance as issued by DAAB
and available on its website.

b. ISA Course Book 3.0, with specific focus on
   - IS Audit Phases
   - Sample Audit Techniques
   - CAAT Tools
   - Protection of Information Assets

c. Auditing Standards issued by ICAI.


10. DELIVERABLES
The deliverables of the audit of the online booking system, i.e. the assignment taken up, are as follows:

SL.NO. | PARTICULARS | REMARKS
1 | Is there vertical traceability from vision, mission, strategic goals, strategic objectives and actions? |
2 | Have metrics been established for measuring and reporting the effectiveness of all established activities and projects? |
3 | Has the linkage between the activities and projects, their outputs, and ultimately the outcomes and the organization's strategic goals and strategic objectives been established and communicated internally? |
4 | Does it meet the requirements for reporting, whether regulatory or organizational? |
5 | Is there a system administrator with clearly defined roles and responsibilities? |
6 | Were adequate user requirements developed through meaningful interaction? |
7 | Does the system protect the confidentiality, integrity and availability (CIA) of information assets and users' personal information? |
8 | Are all system resources protected from unauthorized access and use? |
9 | Are the terms and conditions of the agreement adhered to, so as to avoid any financial loss to AMT Ltd from implementing the OBS-ERP system? |
10 | Have workarounds or manual steps been required to meet business needs? |
11 | Are users trained? Do they have complete and current documentation? |
12 | Is there a formal change-request process, with documented, authorized policies and related control forms and approvals? |
13 | Is there a person responsible for formulating and implementing IT policy, laying down procedures, rules and regulations? |
14 | Are all change requests and related activity logged for tracking purposes? |
15 | Does security administration follow up on changes to permissions immediately? |
16 | Is a back-out plan developed as a normal aspect of major change? |


11. FORMAT OF REPORT/FINDINGS AND RECOMMENDATIONS

Each finding is reported under the headings Issue, Cause, Exposure, Recommendation and Management Comment.

PHYSICAL ACCESS CONTROLS

Finding 1
Issue: Visitors' access.
Cause: Confidentiality and integrity of data may be compromised.
Exposure: Visitors of all types are first made to wait in the reception area, but thereafter they are
escorted through the work area of the organization where staff are working on the systems. Visitors may
get a chance to copy, modify or delete data.
Recommendation: Visitor entry must be restricted to the reception area only, and no visitor should be
allowed to cross that area for any work whatsoever. Apart from that, the computer output ports should
also be locked/disabled.
Management Comment: Agree and will make such change in policy.

Finding 2
Issue: Temporary passes allowing access to server rooms.
Cause: Unauthorised entry.
Exposure: The validity of temporary passes issued to employees has to be ensured. After permanent cards
are received from the vendor, the temporary cards issued have to be taken back immediately. Otherwise
unauthorised access to the server room by visitors (as visitors are allowed in along with employees) may
arise through employees sharing unblocked temporary cards with visitors.
Recommendation: Timely reconciliation of employee data with permanent cards and temporary cards.
Management Comment: Agree and will follow.

Finding 3
Issue: Employee IDs are missing.
Cause: Doubts about the completeness, integrity and reliability of data.
Exposure: Employee IDs must be validated against the data maintained in the employee database. IDs should
be issued to all employees only after validation, and records should be maintained. Otherwise authorised
and unauthorised employees cannot be distinguished.
Recommendation: Timely reconciliation of employee IDs with the employee database.
Management Comment: Agree and will timely reconcile the employee database and IDs.


LOGICAL ACCESS CONTROLS

Finding 1
Issue: No individual user logins have been created.
Cause: User accountability for actions may not be established.
Exposure: The operations of OBS-ERP may be affected in case of breakdown or non-availability of the
relevant personnel. The system is also exposed to IT threats such as piggybacking, denial of service and
masquerading.
Recommendation: The users of OBS-ERP need to be given separate user IDs and passwords, authorised in
writing by senior management. The creation of each user ID and password should be documented and accepted
by the user, and the record kept by senior management in a sealed cover in safe custody, to be available
in case of need. A password policy has to be formulated, and passwords should be changed at least once in
90 days without being reused. So that individual accountability is preserved, any sealed-cover record
should hold only the initial credential, and the user must set a new password on first login.
Management Comment: Agree. The system manager will create user IDs for all authorised users.

Finding 2
Issue: Source code is accessed online.
Cause: Unauthorised access.
Exposure: Access to the source code of software under development, maintenance, testing etc. is done
online. Online access makes it vulnerable to unauthorised access and eavesdropping.
Recommendation: A review of the security and operations settings needs to be done and a strong security
policy shall be framed. Dial-back procedures shall be followed. Further, to reduce the risk of
unauthorised dial-in access, remote users should never store their passwords in plain-text login scripts
on notebooks and laptops. A secure VPN can be created by building a secure communications link between
two nodes, emulating the properties of a point-to-point private link.
Management Comment: Agree. Will be reviewed and modified as required.

Finding 3
Issue: Screensavers and session locks without passwords.
Cause: Unauthorised access.
Exposure: Open telnet sessions can easily be accessed by an unauthorised user if the original user is not
at his/her desk and the screensaver is not password protected.
Recommendation: Session locks and screensavers shall be password protected, and the password policy shall
be maintained. Since telnet carries credentials and session data in clear text, these sessions should also
be moved to an encrypted protocol such as SSH. Educating users about passwords and making them responsible
for their own password is a critical component and one of the best controls against various threats and
exposures.
Management Comment: Agree and will follow.

Finding 4
Issue: Online Booking IDs are missing.
Cause: Access denied.
Exposure: Results in the integrity and completeness of data being compromised, as the Online Booking IDs
and credentials are not reliably stored.
Recommendation: Maintain a storage database for all user data, with user ID and password recovery
procedures implemented. Passwords in such a store should be held only as salted hashes, never in clear
text.
Management Comment: Agree and will implement.

Finding 5
Issue: Concessional persons' data is missing.
Cause: Unauthorised access.
Exposure: Discounts are given on online bookings in hotels or malls to certain persons, such as senior
citizens and award winners. If this data is missing, access is denied to these people, and unauthorised
people may obtain concessions on bookings by using the missing data.
Recommendation: A separate storage database is to be maintained for the data of concession-eligible
persons.
Management Comment: Agreed and will follow.
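As an added example (not code from this report or from AMT), the following Python review checks a user-account export of the kind an auditor would request from the OBS-ERP system manager against the logical access recommendations above: one named owner per login, password changed within 90 days, no reuse of an earlier password, and a password-protected session lock. The export columns, the rule that an equal hash string means a reused password, the 15-minute lock threshold, the list of generic account names and the sample rows are all assumptions made for illustration.

```python
"""Added example, not part of the audit report: review a user-account
export against the logical access recommendations.

Assumptions (hypothetical, not stated in the report): the export is CSV
with the columns user_id, owner, last_password_change (ISO date),
password_hash, previous_hashes ('|'-separated, produced with the same
per-user salt, so an equal string means the password was reused) and
lock_timeout_min (screen/session lock timeout; blank or 0 means none).
"""
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # from the recommendation: change at least once in 90 days
MAX_LOCK_TIMEOUT_MIN = 15    # assumed threshold; the report fixes none
GENERIC_LOGINS = {"admin", "operator", "booking", "helpdesk", "test"}  # assumed list

# Constructed sample export: two compliant users, one generic shared
# account, and one personal account with a stale, reused password and no lock.
SAMPLE_EXPORT = """user_id,owner,last_password_change,password_hash,previous_hashes,lock_timeout_min
ravi.k,Ravi K,2020-09-01,h1,h0|hz,10
operator,,2020-03-15,h2,h2|h3,0
meena.s,Meena S,2020-10-20,h4,h5|h6,15
arun.d,Arun D,2020-05-30,h7,h7|h8,
"""


def review_account(row, today):
    """Return the list of policy exceptions for one exported account."""
    findings = []
    # Individual accountability: every login must map to a named person
    # and must not be a generic/shared account name.
    if not row["owner"].strip() or row["user_id"].lower() in GENERIC_LOGINS:
        findings.append("SHARED_LOGIN")
    # Password age: changed at least once in 90 days.
    changed = date.fromisoformat(row["last_password_change"])
    if (today - changed).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("PASSWORD_AGE")
    # No reuse: the current hash must not appear in the history.
    history = [h for h in row["previous_hashes"].split("|") if h]
    if row["password_hash"] in history:
        findings.append("PASSWORD_REUSE")
    # Session lock: a timeout must be set and be reasonably short.
    timeout = row["lock_timeout_min"].strip()
    if not timeout or int(timeout) <= 0:
        findings.append("NO_SESSION_LOCK")
    elif int(timeout) > MAX_LOCK_TIMEOUT_MIN:
        findings.append("LOCK_TIMEOUT_TOO_LONG")
    return findings


def review_export(text=SAMPLE_EXPORT, today="2020-11-08"):
    """Review every account in the export; returns {user_id: [findings]}.
    'today' defaults to the report date so the sample result is reproducible."""
    as_of = date.fromisoformat(today)
    return {row["user_id"]: review_account(row, as_of)
            for row in csv.DictReader(io.StringIO(text))}


if __name__ == "__main__":
    for user, findings in review_export().items():
        print(f"{user:10s} {'OK' if not findings else ', '.join(findings)}")
```

The exception list is what the auditor takes back to the system manager for each account: a SHARED_LOGIN exception maps to Finding 1 above, PASSWORD_AGE and PASSWORD_REUSE to the 90-day/no-reuse policy, and NO_SESSION_LOCK to Finding 3. On a real system the same checks would normally be made directly against the operating system or directory rather than against an export, but the logic is the same.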

DISASTER RECOVERY PLAN

Finding 1
Issue: Lack of a specific Disaster Recovery Plan/Procedure.
Cause: Resumption and recovery to normal conditions in the event of a disaster is not possible as
required by the policies and objectives.
Exposure: Loss of business, goodwill, profit etc.
Recommendation: Develop and establish a specific and detailed Disaster Recovery Plan.
Management Comment: Agreed to develop and establish a DRP.

Finding 2
Issue: Non-availability of backup systems for the systems supplied.
Cause: Recovery of the systems is not possible.
Exposure: Loss of data.
Recommendation: Purchase backup systems.
Management Comment: Agreed to purchase backup systems.

Finding 3
Issue: No redundancy for telecommunication equipment.
Cause: Loss of communication.
Exposure: Non-availability of telecommunications.
Recommendation: Take action to maintain redundancy for communication equipment.
Management Comment: Agreed to provide redundancy for telecommunications equipment.

Finding 4
Issue: No proper security and environmental controls for off-site storage media in a protected vault.
Cause: Threat of storage media theft and unauthorised access.
Exposure: Unauthorised access and loss of valuable information.
Recommendation: Provide proper security controls for the media.
Management Comment: Agreed; a security guard has been appointed and environmental controls will be
implemented soon.

Finding 5
Issue: No alternative processing capabilities.
Cause: There will be a huge business/process interruption until resumption of normal conditions after a
disaster event.
Exposure: Delay and damage to the organization in the form of data loss, reputation loss etc.
Recommendation: Arrange alternative processing capabilities.
Management Comment: Agreed and will try to make arrangements soon.

Finding 6
Issue: No disaster recovery teams at all.
Cause: There will be great confusion in implementing the DRP in the event of a disaster.
Exposure: Implementing the DRP may not be possible.
Recommendation: Establish disaster recovery teams with specific responsibilities.
Management Comment: Agreed and teams identified.

Finding 7
Issue: Non-maintenance of the DRP.
Cause: The DRP is not up to date and may not be useful in the event of a disaster.
Exposure: An outdated DRP does not serve the purpose.
Recommendation: Establish procedures and policies to maintain the operation and effectiveness of the DRP,
including testing the DRP etc.
Management Comment: Agreed to develop a customized DRP for TOLL and establish testing and requirements at
regular intervals.

Finding 8
Issue: Not following the ABC conventions for protection and backup of data.
Cause: Compromise of protection and data backup may arise.
Exposure: Non-availability of data.
Recommendation: Follow the ABC conventions.
Management Comment: Agreed and arrangements made to follow the ABC conventions.

Finding 9
Issue: Not maintaining storage of data, work products or deliverables off-site for the period mentioned in
the Service Level Agreement (SLA).
Cause: Required data may not be available for the required purposes.
Exposure: Data leakage and information gap.
Recommendation: Follow the SLA.
Management Comment: Agreed to retain the data etc. as per the SLA period.


12. SUMMARY
The company should keep addressing the following risks to security in particular, to ensure continuity of
business systems:

A. Information Security: Top-level management should consider the ease with which systems could be
compromised, by referring to the case studies, and should ensure that good security practices are
implemented, kept up to date, and regularly tested and enforced for key computer systems. They should
also conduct ongoing reviews of user access to systems to ensure that access rights are appropriate at
all times.

B. Business Continuity: The company should have a business continuity plan, a disaster recovery plan and
an incident response plan. These plans should be tested on a periodic basis.

C. Management of IT Risks: The company needs to ensure that IT risks are identified, assessed and treated
within appropriate timeframes, and that these practices become a core part of business activities and
executive oversight.

D. IT Operations: The company should ensure that it has appropriate policies and procedures in place for
key areas such as IT risk management, information security, business continuity and change control, and
that IT strategic plans and objectives support the business strategies and objectives.

E. Change Control: Change control processes should be well developed and consistently followed for
changes to computer systems. All changes should be subject to thorough planning and impact assessment to
minimize the likelihood of problems. Change control documentation should be current, and approved changes
formally tracked.

F. Physical Security: The company should develop and implement physical and environmental control
mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.

---THE END---
