
Information Request List - IT General Controls

For financial year 2022, period April 01, 2022 to March 31, 2023
Kindly send evidences in the below format:
• Mails – complete e-mail as an attachment

No. | Process | Application/Area
1 | IT Governance | --
2 | IT Governance | Policies and Procedures
3 | Logical Security | ERP/AD
4 | Logical Security | ERP/AD
5 | Logical Security | ERP/AD
6 | Logical Security | ERP/AD
7 | Logs management | ERP/AD
8 | Logs management | ERP/AD
9 | Logical Security | ERP/AD
10 | Logical Security | ERP/AD
11 | Logical Security | HR
12 | IT Ops - Backup & Restoration | All
13 | Logical Security | All
14 | Job Scheduling | Job Scheduling
17 | Job Scheduling | Job Scheduling
18 | Incident management | Incident management
19 | Network Security | Remote Authentication
20 | Network Security |
21 | Network Security | VA/PT
21 | Network Security | Antivirus
22 | Logical Security | Windows Domain
23 | Change management | ERP/AD
24 | Change management | ERP/AD
25 | Logical Security | ERP/AD
26 | Physical security | Data centre / server room
27 | Physical security | Data centre / server room
28 | Physical security | Data centre / server room
29 | Physical security | Data centre / server room
30 | Physical security | Data centre / server room
31 | Logical Security | ERP/AD
32 | Asset Management | ManageEngine Desktop Central
33 | Physical security | Data centre / server room


Document / Information required

IT Governance:
1. IT Organization Chart showing the IT management, BASIS, Administrators, IT operations, Developer, Migrator.
2. Roles and responsibility matrix showing the personnel responsible for security administration of application servers, database servers, domain server and patch server.
3. Roles and responsibility matrix showing the personnel responsible for program maintenance (development, test and promotion of changes into production) for the ERP and AD applications.
4. MOU with Vendor (if applicable) where the services provided by the vendor relating to IT governance are established.

Policies and Procedures:
Updated IT security policies and procedures covering the following:
1. Information Security Policy & Procedure
2. Change Management Policy & Procedure
3. User Access Management Policy & Procedure
4. Incident Management Policy & Procedure
5. Network Security Policy & Procedure
6. Policy & Procedure for system acquisition, development and maintenance of system software
7. Backup and Restoration Policy & Procedure
8. Physical Access Management Policy & Procedure
9. Policy & SOP for maintenance of in-scope application (application and database)
10. Antivirus Management Policy & Procedure
11. Patch Management
12. Password policy
13. BCP/DR policy
14. Data Classification Policies and Procedures that describe the categories of information sensitivity and the corresponding information retention, transmission, processing and disposal procedures.
15. Evidence of the updated policies being communicated to and acknowledged by current employees
16. Evidence of the updated policies being communicated to and acknowledged by new hires

Logical Security and Logs management (ERP/AD):
List of users & groups with creation / deactivation / last login details.
System generated list of users created in the application for the period 01 April 2022 till date, along with process screenshots of generating the list.
**Note: Sample will be shared for screenshots once the above data is received.

System generated list of users whose roles were modified in the application for the period 01 April 2022 till date, along with process screenshots of generating the list.
**Note: Sample will be shared for screenshots once the above data is received.

A list of employees separated during the audit period along with date of separation, designation, ERP/AD user ID and department of the employee.
Last login of all the users.
Last password reset date of all the users.
1. System generated list of all active user IDs along with corresponding roles, user's department and designation.
2. Process screenshots of generating the list.
**Note: Sample will be shared for screenshots once the above data is received.

User access review report.

Logical Security (HR):
HR list of new hires/leavers during the audit period along with date of joining/leaving, designation, ERP/AD user ID and department of the employee.

IT Ops - Backup & Restoration (All):
1. Backup and restoration plan.
2. List of critical servers & network devices identified for backup.
3. Backup monitoring screenshots for the 1st, 10th and 30th of Apr, May, June, July, Aug, Sept, Oct, Nov, Dec & Jan.
4. Backup configuration, backup log for the last backup performed, evidence of the last backup restoration test performed, and the list of users who have access to perform backup activity.
5. List of failed jobs, and the failed-job notification configuration.

Logical Security (All):
Password parameters for the application, operating system and database.


Job Scheduling:
1. System generated list of all jobs scheduled during the audit period, along with identification of the financially significant jobs and a description of each job.
2. Process screenshots of generating the list.
**Note: Sample will be shared for screenshots once the above data is received.

Example of a job which failed in the audit period and how the issue was resolved (incident tickets, email confirmation etc.).

Incident management:
Incident logs with the date and time of incidents raised and the resolution taken.
Network Security (Remote Authentication):
List of employees who were provided remote/VPN access to servers, workstations, network devices, applications and databases during the audit period.
List of employees whose remote/VPN access to servers, workstations, network devices, applications and databases was revoked during the audit period.

Network Security (VA/PT):
Vulnerability assessment & penetration testing report.

Network Security (Antivirus):
1. Screenshot of the antivirus console showing the antivirus administrators and the password parameters enforced.
2. Antivirus reports and evidence of corrective action taken for the period.
3. Screenshot of the e-mail ID configured on the central console for sending automated alerts (if configured).

Logical Security (Windows Domain):
1. Screenshot showing the password parameters on the Windows domain.
2. Screenshot of the users in Enterprise Admins and Schema Admins.
3. System generated dump of current users from the domain.
Go to My Computer -> Manage -> Local Users and Groups
Take a screenshot of all the Users.

Groups
Take a screenshot of the following groups:
Administrators
Domain Admins (if any)
Remote Desktop Users
Power Users
Backup Operators

If the above groups have sub-groups (nested groups), obtain a screenshot of each sub-group as well.

Note: Computer Management -> Local Users and Groups shows only the accounts and groups local to the machine it is opened on, plus any domain principals nested into its local groups. The domain user list, and domain groups such as Domain Admins, Enterprise Admins and Schema Admins, must be taken from Active Directory Users and Computers on a domain controller (or from the ActiveDirectory PowerShell module). Enterprise Admins and Schema Admins exist only in the forest root domain.
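The following script is an added example, not part of the request list or of the auditee's own tooling, of how the Windows domain evidence above (password parameters, privileged group membership including nested groups, the user dump with last logon and last password set dates, and the local groups that Computer Management shows) can be produced as system-generated exports rather than screenshots. It assumes the RSAT ActiveDirectory module, Windows PowerShell 5.1 or later for the Microsoft.PowerShell.LocalAccounts cmdlets, read access to the domain, default built-in group names, and an assumed output folder C:\Audit\ITGC-FY2022.

```powershell
#Requires -Modules ActiveDirectory
# Added example for the ITGC evidence request above; not part of the original sheet.
# Assumptions: RSAT ActiveDirectory module installed, Windows PowerShell 5.1+ for the
# LocalAccounts cmdlets, read access to the domain, and the (assumed) output folder below.
param([string]$OutDir = 'C:\Audit\ITGC-FY2022')

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyy-MM-dd_HHmm'

# 1. Password parameters enforced on the domain. The default domain policy is what the
#    usual "password parameters" screenshot shows; fine-grained policies (PSOs) override
#    it for the users and groups they apply to, so both are exported.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  ComplexityEnabled, ReversibleEncryptionEnabled, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow |
    Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-default-password-policy.csv"

Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge,
                  ComplexityEnabled, LockoutThreshold,
                  @{ n = 'AppliesTo'; e = { $_.AppliesTo -join ';' } } |
    Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-fine-grained-password-policies.csv"

# 2. Privileged domain groups. -Recursive flattens nested groups, so members reached
#    through sub-groups appear in the output and no separate evidence per sub-group is
#    needed. Enterprise Admins and Schema Admins exist only in the forest root domain,
#    so a group that is not found is skipped rather than treated as an error.
$domainGroups = 'Enterprise Admins', 'Schema Admins', 'Domain Admins', 'Administrators',
                'Account Operators', 'Backup Operators', 'Remote Desktop Users'
$members = foreach ($g in $domainGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$g'"
    if (-not $grp) { continue }
    Get-ADGroupMember -Identity $grp -Recursive |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, objectClass, distinguishedName
}
$members | Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-privileged-group-members.csv"

# 3. Domain user dump with creation, last logon and last password set dates.
#    LastLogonDate is derived from lastLogonTimestamp, which is replicated lazily and
#    can lag the real last logon by up to 14 days. An exact value requires reading the
#    non-replicated lastLogon attribute on every domain controller and keeping the latest.
Get-ADUser -Filter * -Properties whenCreated, LastLogonDate, PasswordLastSet,
                                 PasswordNeverExpires, Department, Title |
    Select-Object SamAccountName, Name, Enabled, whenCreated, LastLogonDate,
                  PasswordLastSet, PasswordNeverExpires, Department, Title |
    Sort-Object SamAccountName |
    Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-domain-users.csv"

# 4. Local users and groups on the server this runs on. This is what
#    "My Computer -> Manage -> Local Users and Groups" shows: local accounts plus any
#    domain principals nested into local groups. Get-LocalGroupMember does not expand
#    nested domain groups, so they still need step 2. Run on each in-scope server.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-$env:COMPUTERNAME-local-users.csv"

$localGroups = 'Administrators', 'Remote Desktop Users', 'Power Users', 'Backup Operators'
$local = foreach ($g in $localGroups) {
    if (-not (Get-LocalGroup -Name $g -ErrorAction SilentlyContinue)) { continue }
    Get-LocalGroupMember -Group $g |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Group';    e = { $g } }, Name, ObjectClass, PrincipalSource
}
$local | Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-$env:COMPUTERNAME-local-groups.csv"

# 5. SHA-256 manifest so the auditor can tie the files received by mail to this run.
Get-ChildItem -Path $OutDir -Filter "$stamp-*.csv" |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -NoTypeInformation -Path "$OutDir\$stamp-manifest.csv"
```

The CSV files replace the per-group screenshots but not the "process screenshot" the request asks for: capture the console session that runs the script (command, host name, date and the resulting file list) so the auditor can see how the lists were generated.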


Change management (ERP/AD):
A list of application changes during the audit period, 1st April 2022 till date, with the below field names:
Request/Task
Type
Status
Category
Owner
Created & Closure Date
Higher Level request

1. List of users having developer access
2. List of users who can transport/import changes into production
3. Screenshot of separate environments for development, testing & production

Logical Security (ERP/AD):
Provide a screenshot of the list of user groups created in ERP and AD during the audit period.

Physical security (Data centre / server room):
Provide a listing of individuals with access to the data centre / server room for our review, with their corresponding job titles.
Server room access management procedure for authorising, creation and deactivation of users, duly defined.
Access restricted to authorised staff only (IT, Electrician & Admin) according to their profile; staff are authorised by the IT Head on the access requisition form.
Evidence that the access log of the data centre is reviewed periodically.

1. Emergency exit routes are clearly marked, along with proper temperature checks.
2. Picture of the fire extinguisher installed in the server room.
3. Picture of the CCTV installed outside the server room.

Logical Security (ERP/AD), critical profiles:
Provide a list (Excel dump) of users having access to the following critical profiles in ERP and AD:
System Admin / Superuser

Asset Management (ManageEngine Desktop Central):
1. Asset disposal policy
2. Asset tracker (asset details, owner, OS version of assets, approved applications) along with disposal records
3. Fixed asset register
4. Media disposal form filled for the audit period

BCP/DR:
1. Business Continuity Plan
2. Disaster recovery drill report
Date of request | Applicability | Comments, if any

Org chart of entire Keyloop.
Karthik will share the policies document, which needs to be amended to fit KL and approved by Jaswanth; drafted in email to be sent.
Agreed to send list of users created between 4'22 and 3'23; screenshot of creation date to be shared after sample selection.
Agreed to send list of users modified between 4'22 and 3'23; screenshot of modification date to be shared after sample selection.
Agreed to send list of users disabled between 4'22 and 3'23; screenshot of modification date to be shared after sample selection.
Not maintained.
Not maintained.
List of all active users + their permissions.
Not initiated for India.
Write a mail to HR asking for new hires/leavers for 4'22 to 3'23.
Written to DB test.
Closed.
Screenshots of job queue entry details of all jobs running in BC India.
Service cloud ticket specifying job failure and resolution provided.
Any VAT-not-calculated case and its resolution.
Closed.
Closed.
Not initiated for India.
Written to Ravi/Arun.
Written to Ravi/Arun.
Jira developments between 04-22 and 3-23. Jira ticket raised by Fin team; analysis done by BA; approval by Finance TL; development by Developer; testing by BA; UAT by Fin team; deployment.
Written to Pawan.
Written to Desktop support.
Not applicable as ERP is cloud based.
Not applicable as ERP is cloud based.
Not applicable as ERP is cloud based.
Not applicable as ERP is cloud based.
Not applicable as ERP is cloud based.
Super user list - IT Support.
Written to Madhav.
Asked Madhav to liaise with facilities.


Responsible party per row (in sheet order):
Keyloop
HR
IT
IT
IT
IT
IT
NA
IT
IT
HR
Pawan
IT
IT
IT
IT
BDO
BDO
BDO
Desktop admin
Desktop admin
IT
Pawan
IT
BDO
BDO
BDO
BDO
BDO
IT
Finance
Fire drill report (Facilities)


Status legend: Received / Partially Received / Not Applicable / Pending
