ABC Private Limited

ICFR for the year ending 31st March, 2016


IT General Controls— RCM

Part 1 of the matrix: risk identification (Sr. No. 1 to 21)

| Sr. No. | Process | Reference Attribute Description | Activity | Identification of Risk of Material Misstatement ("What Could Go Wrong") - Risk Description | Control Ref Number |
|---|---|---|---|---|---|
| 1 | ITGC | Risk Assessment | IT Policy | Intended IT related processes not followed due to absence of defined comprehensive IT policy document | ITGC 01 |
| 2 | ITGC | Control Environment | Access Rights | Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) | ITGC 02 |
| 3 | ITGC | Control Environment | Closing of Accounting period/year in the Accounting Software | Erroneous/intentional posting of Accounting entry in the earlier closed period/year | ITGC 02 |
| 4 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 5 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 02 |
| 6 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 7 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 8 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 9 | ITGC | Control Environment | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 10 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 10 |
| 11 | ITGC | Information & Communication | Selects and develops general controls over technology | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 12 | ITGC | Information & Communication | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 13 | ITGC | Control Environment | Selects and develops general controls over technology | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 |
| 14 | ITGC | Control Environment | Selects and develops general controls over technology | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 |
| 15 | ITGC | Control Environment | Identifies risks to the achievement of objectives and analyses risks to manage them | Servers and end users' PCs are infected with virus | ITGC 05 |
| 16 | ITGC | Control Environment | Assesses fraud risk to the achievement of objectives | Unauthorized access to the IT systems, applications and data by external parties | ITGC 05 |
| 17 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 06 |
| 18 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting. | ITGC 06 |
| 19 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | Errors in changes made to key applications relevant to financial reporting. | ITGC 06 |
| 20 | ITGC | Control Environment | Selects and develops general controls over technology | Problems and incidents are not effectively managed. | ITGC 09 |
| 21 | ITGC | Control Environment | Selects and develops general controls over technology | Intentional sharing of crucial and confidential data of the company by staff to outsiders (e.g. competitors) | ITGC 07 |
Part 2 of the matrix: control description, deficiencies and remediation (same 21 rows)

| Sr. No. | Control That Addresses Risk of Material Misstatement - Control Name | Classification of Inherent Risk (Normal, Significant) | Risk Associated with the Control (Not Higher, Higher) | Operating Frequency (Annually, Quarterly, Monthly, Weekly, Daily, Many Times per Day, As Needed) | Nature of Control | Control - Automated or Manual | Deficiencies | Control Exists (Yes/No) | Remedial methods |
|---|---|---|---|---|---|---|---|---|---|
| 1 | A defined comprehensive IT policy document to provide various guidelines to work in the IT environment is in place | Significant | Higher | As Needed | Preventive | Manual | Defined comprehensive IT policy document to provide various guidelines to work in IT environment is not in place. | No | Define a comprehensive IT policy document to provide various guidelines to work in IT environment. |
| 2 | View-only access of Accounting Software provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) who are not required to modify the financial transactions | Significant | Higher | As Needed | Preventive | Automated | Editable access of Financial System (Accounting Software) provided to persons other than Company employees (Internal and Statutory Auditors, Consultants, etc.) | No | Eligible persons other than designated employees to be provided view-only access of Accounting Software |
| 3 | Closing of previous period/year to restrict back-dating of transactions | Significant | Higher | As Needed | Preventive | Automated | Previous closed month/year is not blocked for editing transactions | No | Block previous closed month/year for editing transactions |
| 4 | 1. For CMS System - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login. 2. For Tally - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login | Significant | Higher | As Needed | Preventive | Automated | For Tally - all three users are given the same password, which is not required to be changed either after first login or subsequently | 1. Yes 2. No | For Tally - give all the users individual pre-expired passwords, which the users need to change at the time of first log-in |
| 5 | 1. For CMS - Users' access rights are granted by IT only upon specific approval by the concerned dept. functional head. 2. For Tally - Users' access rights are granted by IT only upon specific approval by the concerned functional head | Significant | Higher | As Needed | Preventive | Automated | For Tally - all the users in the accounts are sharing a common user-id and password and having the same access rights | 1. Yes 2. No | For Tally - give all the users separate user-id, password and access rights. |
| 6 | System prompts the user to change the password after the expiration of 30 days. | Normal | Not Higher | As Needed | Preventive | Automated | System does not give any alerts or notifications to force-change the password after expiration of 30 days | No | Introduce a password change policy whereby the system gives a pop-up to force-change the password after expiration of 30 days |
| 7 | Password must contain at least 7 characters, alphanumeric (alphabets, numbers and special characters). | Normal | Not Higher | As Needed | Preventive | Automated | Password logic is not defined | No | Define a Password policy |
| 8 | If the password is wrongly entered continuously for 5 times within 30 minutes, the respective login id gets locked. | Normal | Not Higher | As Needed | Preventive | Automated | No locking of login id upon incorrect entries of password. | No | Define a Password policy |
| 9 | If a user is not accessing the system for more than the specified time, the system gets automatically locked. | Normal | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 10 | There exists a periodic review of the user profiles for systems access, to confirm appropriateness. | Normal | Not Higher | As Needed | Both Preventive & Detective | Automated | No periodic review of user profiles for system access. | No | Introduce a process of periodic review of user profiles for system access. |
| 11 | Requests for creation of new user ids are received by the IT Executive on a standardized form, duly signed by the respective HOD. | Significant | Higher | As Needed | Preventive | Manual | No procedure of sending a standard form duly signed by the respective HOD for new user-id creation. | No | Require request for new user-id creation to be sent to the IT Executive through a duly signed standard form |
| 12 | 1. User termination or resignation is informed to the IT Executive through email by HR. 2. User account is disabled immediately after receiving an email request. Before processing this request, IT archives the mail box of the user. 3. Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system. | Normal | Not Higher | As Needed | Preventive | Manual | 1. No procedure of sending an email request for disabling the access rights from the system. 2. IT Executive does not sign on the Full & Final Settlement form regarding disabling access rights from the system | No | 1. Introduce a procedure of sending an email request for disabling the access rights from the system. 2. Require signature by the IT Executive on the Full & Final Settlement form confirming disabled access rights from the system |
| 13 | 1. Regular back-up strategy defined for server and auto-back-up is taken at defined frequency. 2. Retrieval is tested at reasonable frequency | Significant | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 14 | Off-site storage of back-up to tackle any unforeseen event at the office premises. | Significant | Not Higher | As Needed | Preventive | Automated | There is no off-site storage of the back-up server | No | Ensure off-site storage of back-up for ensuring safety of back-up |
| 15 | 1. Desktops: All the user desktops are installed with an anti-virus scanner, which scans new files on an ongoing basis. 2. Servers: All servers are installed with an anti-virus scanner. 3. Gateway: Mail server is managed and all the emails are scanned by a threat management gateway. 4. The anti-virus gets automatically updated with the latest version through the process of auto updates | Significant | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 16 | 1. Firewalls have been installed. 2. The logs are regularly reviewed by the IT Executive | Significant | Not Higher | As Needed | Preventive | Automated | The logs are not reviewed by the IT Executive | 1. Yes 2. No | Require regular review of logs by the IT Executive |
| 17 | Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel. | Significant | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 18 | Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with the Finance Manager and after approval of the BOD | Significant | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 19 | Specific changes are made to key applications relevant to financial reporting only after sign-off from the relevant stakeholders | Significant | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 20 | In-house IT personnel resolve issues faced by users as required | Normal | Not Higher | As Needed | Preventive | Automated | - | Yes | - |
| 21 | 1. Deactivation of external storage devices on company PCs. 2. Restricting access to all public sites and domains | Significant | Higher | As Needed | Preventive | Automated | Access to public sites and domains has not been restricted | 1. Yes 2. No | Restrict access to public sites and domains |
Part 3 of the matrix: testing conclusions, evidence and ownership (same 21 rows)

| Sr. No. | Control Design / Operational Effectiveness Conclusion (Effective, Ineffective) | Substantive Procedures Planned | Evidence of Control | Control Owner | Process Owner | Application System | Is IPE used in performing relevant Control? If yes, List of IPE | If yes, List of Testing IPE | Reference of Work paper for conclusion on Control Design, Implementation and Operating Effectiveness |
|---|---|---|---|---|---|---|---|---|---|
| 1 | Ineffective | Review comprehensive IT policy | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS, Sensys TDS & Matrix Cosec | No | - | - |
| 2 | Ineffective | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive | Tally | No | - | - |
| 3 | Ineffective | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive | Tally | No | - | - |
| 4 | 1. Effective 2. Ineffective | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive | 1. CMS 2. Tally | No | - | - |
| 5 | 1. Effective 2. Ineffective | Process of granting access rights | As per discussion with IT Executive | Finance Manager | IT Executive | 1. CMS 2. Tally | No | - | - |
| 6 | Ineffective | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS, Sensys TDS | No | - | - |
| 7 | Ineffective | - | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS, Sensys TDS | No | - | - |
| 8 | Ineffective | - | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS, Sensys TDS | No | - | - |
| 9 | Effective | Conduct live-check for auto-locking of system | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS, Sensys TDS | No | - | - |
| 10 | Ineffective | - | As per discussion with IT Executive | Finance Manager | IT Executive | CMS | No | - | - |
| 11 | Ineffective | Standard forms duly signed by respective HOD to be checked | As per discussion with IT Executive | Finance Manager | IT Executive | - | No | - | - |
| 12 | Ineffective | Review the procedure of disabling access rights from the system | As per discussion with IT Executive and Finance Manager | Finance Manager | IT Executive | - | No | - | - |
| 13 | Effective | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive | CMS, Sensys TDS | No | - | - |
| 14 | Ineffective | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive | CMS, Sensys TDS | No | - | - |
| 15 | Effective | Check for working of anti-virus software on selected PCs | As per discussion with IT Executive | Finance Manager | IT Executive | - | No | - | - |
| 16 | 1. Effective 2. Ineffective | - | As per discussion with IT Executive | Finance Manager | IT Executive | - | No | - | - |
| 17 | Effective | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS | No | - | - |
| 18 | Effective | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS | No | - | - |
| 19 | Effective | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive | Tally, CMS | No | - | - |
| 20 | Effective | Review the mechanism of solving the various problems and incidents faced by the users | As per discussion with IT Executive and various users | Finance Manager | IT Executive | CMS, Sensys TDS & Matrix Cosec | No | - | - |
| 21 | 1. Effective 2. Ineffective | Ensure whether external storage devices are deactivated and access to public sites has been restricted | As per discussion with IT Executive and various users | Finance Manager | IT Executive | - | No | - | - |