ITGC Risk and Control Matrix (flattened spreadsheet rebuilt as one record per control)

Columns: Sr. No | Process | Sub-process | Risk Description | Control Reference | Control Objective | Control Description | Anti-Fraud (Yes/No) | Operational/Financial | Test Type (Inquiry/Inspection/Observation/Re-performance) | Period | Key/Non-Key | Control Frequency | Control Performer | Preventive/Detective | Automated/Manual | Test of Design Conclusion | Issue | Recommendation Summary

1. ITGC | IT Policies | IT-1
   Risk: If the IT security policies/procedures do not exist, or are not defined and documented by management, then it may result in inconsistency in the implementation of the policies/procedures, which may cause confidentiality, integrity and availability issues as well as legal, regulatory and compliance issues.
   Control objective: IT Security Policy & Procedures are defined and formally documented, reviewed periodically and communicated to all related parties.
   Control description: Company A should have developed information security policies/procedures to cover the following areas:
   - Business information and data classification
   - Information security incident management and problem management
   - Acceptable use policy
   - Third party management
   - Network management and monitoring
   - User Access Management
   - Password Settings and Management
   - Vulnerability and Patch Management
   - System acquisition, development and maintenance policy
   - Laptop encryption Policy
   - Capacity management policy
   - Antivirus and malware protection
   - Physical and environmental security
   - Change and release Management Process
   These should be reviewed periodically and communicated to related parties.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Annual | Performer: Head IT | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

2. ITGC | IT Policies | IT-2
   Risk: If the employees are not aware of the IT security policy/procedures of the organization, then they may not follow them, resulting in an inconsistent process.
   Control objective: IT Security Policy & Procedures are stored on a common accessible location with easy access to employees.
   Control description: All information security policies/procedures should be easily accessible to employees for ready reference, such as: Password policy; Malware protection policy; Acceptable usage policy; Email policy; Internet policy; Data classification policy; Information security incident management policy.
   Anti-fraud: No | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

3. ITGC | IT Security training | IT-3
   Risk: If new/existing employees are not aware of the security policy/procedures of the organization, then it may impact the confidentiality, integrity and security of the organisation and its assets.
   Control objective: All employees and third party staff should be provided with adequate training on information security aspects of the organization, including ethical conduct, system security practices, confidentiality standards and integrity standards.
   Control description: New employees and third party staff should be provided training on the information security aspects and IT policies/procedures of the organization during induction. Employees and third party staff are required to sign off and confirm that they have read and understood the policies and procedures. The IT policies and procedures are communicated to all employees at the time of joining. Refresher trainings are provided in case of any changes in the policies or procedures. Annual trainings should be provided to existing employees and third party staff.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: HR Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

4. ITGC | Third Party Management | IT-4
   Risk: If the service level management framework does not exist, then it may result in non-measurement of performance and in financial and business loss.
   Control objective: Service Level Management framework exists and is complied with.
   Control description: A formal Statement of Work (SOW) is included in a contract as supporting document for service contracts to define the work scope, schedule and service deliverables. The SOW is approved by management as part of the service contract and SLAs are measured for compliance.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Monthly | Performer: IT Function | Preventive | Manual
   Test of design: Fail | Issue: The SLAs are not monitored for ensuring compliance. | Recommendation: There should be regular performance monitoring for ensuring compliance with SLAs.

5. ITGC | SoD Conflicts | IT-5
   Risk: If procedures do not exist for identifying, preventing and monitoring potential SoD conflicts, then it may result in poor internal controls, accounting fraud and misappropriation of company assets.
   Control objective: Segregation of Duties (SoD) matrix is defined, documented and approved by business management. Periodic review is performed using information extracted from systems.
   Control description: A Business and IT function SoD Conflict Matrix is defined, developed and mapped to applications to identify potential fraud conflicts in financial reporting. The SoD matrix is approved by business management and reviewed at least once a year.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Annual | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

6. ITGC | Change Management | IT-6
   Risk: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
   Control objective: Controls are in place to ensure that Change & Release Management policy/procedures are in place, approved, reviewed on an annual basis and communicated to all relevant parties.
   Control description: The Change & Release management process is defined, documented and approved by management. Review is performed on an annual basis and the policy/procedure is communicated to all relevant parties.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Annual | Performer: IT Head | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

7. ITGC | Change Management | IT-7
   Risk: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
   Control objective: Controls are in place to ensure that all changes follow a documented Change & Release management process.
   Control description: All changes follow the Change & Release management process, relevant approvals are taken and all details are adequately documented.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Annual | Performer: Stakeholders / CEO / IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

8. ITGC | Change Management | IT-8
   Risk: Untested changes are made directly to the production environment.
   Control objective: Controls are in place to ensure that a physically separate testing and/or development environment is in place and all changes are tested in an environment that is physically separate from the production environment.
   Control description: Separate environments are established for development, testing and production activities. These environments operate on physically separated servers. For all changes, testing and UAT are performed in a separate development and quality assurance environment before migration to the production environment.
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Annual | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

9. ITGC | Change Management | IT-9
   Risk: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
   Control objective: Controls are in place to ensure that adequate segregation of duties is implemented in the Change & Release management process.
   Control description: For all changes, the change requestor and change approver cannot be the same person.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

10. ITGC | Change Management | IT-10
   Risk: Unauthorized or untested changes are migrated to the production environment.
   Control objective: Controls are in place to ensure that developers do not have access to production data and systems.
   Control description: Developers do not have access to the production environment and are restricted from migrating program code to the production environment.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

11. ITGC | Patch Management | IT-11
   Risk: Unauthorized patches, or patches having adverse effects on systems/business processes, are installed.
   Control objective: Controls are in place to ensure that system software updates are evaluated and tested prior to implementation in the production environment.
   Control description: All OS patches should be evaluated and tested in a test or development environment prior to installation in production, to determine the system impact and result of new patches or software updates. Downtime should be requested from the application team prior to installation of patches in the production environment.
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

12. ITGC | Information Security Incident Management | IT-12
   Risk: If incident/problem management procedures do not exist, then incidents/problems may not be resolved in a timely manner and information security weaknesses might go unnoticed.
   Control objective: Controls are in place to ensure that all production problems are recorded and tracked until their final resolution.
   Control description: An Incident and Problem management policy/procedure is in place. All incidents/problems are recorded in the Helpdesk tool and documented with information such as root cause analysis, actions taken, final solution, responsible staff, management review and impact on the Company's business. Incidents/problems are categorized depending on the criticality or impact as defined in Incident and problem
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Monthly | Performer: IT Function | Detective | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

13. ITGC | Job & Batch Scheduling | IT-13
   Risk: Application systems are not processed effectively. Backups may be wrong.
   Control objective: Controls are in place to ensure that an effective scheduling method is in place to support batch and online processes.
   Control description: The schedule runs once a week to fetch data from meters into the MDAS server on the Secure revenue management suite (web-based app); daily data backup schedules.
   Anti-fraud: Yes | Financial
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Continuous | Performer: IT Function | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

14. ITGC | Malware Protection | IT-14
   Risk: Systems are prone to compromise and hacking attacks in the absence of an effective antivirus solution.
   Control objective: Controls are in place to ensure that all systems are secured by antivirus and are up to date with the latest virus definitions and updates.
   Control description: All systems are installed with the Symantec Endpoint antivirus solution and are updated with the latest virus definitions and updates.
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Continuous | Performer: IT Function | Detective | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

15. ITGC | Backup & recovery | IT-15
   Risk: Backup copies of critical data are not available when required.
   Control objective: Controls are in place to ensure that backups are performed regularly and data recovery is tested and certified on a regular basis.
   Control description: Full backups on a daily and weekly basis for user data and MDAS are kept in the data center room. Applications like HRMS, SAP and Email (Gmail) are completely outsourced to third party vendors and hosted in the cloud / vendor's data center. Company A depends on the third party vendors for BCP/DR for those applications.
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Daily | Performer: IT Function | Corrective | Manual
   Test of design: Pass | Issue: NA | Recommendation: There should be periodic restoration testing.

16. ITGC | Physical and Environment Security | IT-16
   Risk: Unauthorized changes are made in the production environment that do not follow the Physical Access & Environmental Controls process.
   Control objective: Controls are in place to ensure that Physical Access & Environmental Controls policy/procedures are in place, approved, reviewed on an annual basis and communicated to all relevant parties.
   Control description: The Physical Access & Environmental Controls process is defined, documented and approved by management. Review is performed on an annual basis and the policy/procedure is communicated to all relevant parties.
   Anti-fraud: Yes | Operational
   Test: Inspection/Observation | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Annual | Performer: IT Head | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

17. ITGC | Physical and Environment Security | IT-17
   Risk: Unauthorized personnel gain access to information processing facilities.
   Control objective: Controls are in place to ensure that physical access to critical rooms is monitored on a continuous basis.
   Control description: All authorized employees entering the critical rooms are required to enter through a controlled entry point monitored by security guards and CCTV surveillance. Others (vendors and unauthorized employees) are required to be escorted by an authorized person, and temporary access is granted after management approval.
   Anti-fraud: Yes | Operational
   Test: Inspection/Observation | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Team / Facility management team | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

18. ITGC | Physical and Environment Security | IT-18
   Risk: Unauthorized personnel gain access to information processing facilities.
   Control objective: Controls are in place to ensure that all information processing servers and systems are locked in a secure rack or cabinet and only authorized personnel have access to the keys.
   Control description: All servers and systems should be securely locked in cabinets or racks and only authorized personnel are allowed to open and access the systems. Prior approvals are taken from management for opening and accessing the systems.
   Anti-fraud: No | Operational
   Test: Inspection/Observation | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

19. ITGC | Physical and Environment Security | IT-19
   Risk: Critical information processing systems are not adequately protected from damage.
   Control objective: Controls are in place to ensure that critical rooms are equipped with adequate environmental controls and uninterrupted power supply.
   Control description: Data center equipment is kept cool in a well air-conditioned room with a stable temperature. Servers and other hardware are protected from power surges, and mechanisms are in place to mitigate and prevent electrical loss or temperature variances. Systems are protected from fire damage by a fire suppression system that may include (but not be limited to) sprinklers, Halon gas suppression units or fire extinguishers. Servers and other hardware are protected from water damage through the use of tarps, protected overhangs or other physical barriers preventing water from coming into contact with the servers and other hardware.
   Anti-fraud: No | Operational
   Test: Inspection/Observation | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Team / Facility management team | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

20. ITGC | Physical and Environment Security | IT-20
   Risk: Critical information processing systems are not adequately protected from damage.
   Control objective: Controls are in place to ensure that critical rooms having environmental control equipment are covered under an annual maintenance contract (AMC) and serviced regularly.
   Control description: Environmental control equipment such as UPS, fire control/suppression systems, AC, etc. is monitored and checked regularly, and maintenance activities and testing are carried out on a quarterly basis.
   Anti-fraud: No | Operational
   Test: Inspection/Observation | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

21. ITGC | Access Management | IT-21
   Risk: Unique IDs, if not maintained, would lead to difficulty in fixing responsibilities.
   Control objective: Controls are in place to ensure all application and system resource users are uniquely identified.
   Control description: The naming convention (firstname.lastname@companya.com) is applied wherever possible for system user ID creation to assure that the ID is uniquely identified.
   Anti-fraud: No | Financial
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

22. ITGC | Access Management | IT-22
   Risk (as recorded): Controls are in place to ensure application and system resource users are appropriately authorized.
   Control objective: Controls are in place to ensure application and system resource users are appropriately authorized.
   Control description: The logical access rights are reviewed, defined and authorized by the division controller (i.e. data owner).
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function / Service Provider | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

23. ITGC | Access Management | IT-23
   Risk: Standard policies and procedures do not exist or are not followed to ensure that authorized access is granted to user accounts.
   Control objective: Controls are in place to ensure that creation of new user accounts follows a formalized procedure.
   Control description: On joining of a new user, HR sends a request to the IT team for creating the user account and allocating the system. If further application rights are required for the job, the respective head sends the approval for providing the access.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function / HR Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

24. ITGC | Access Management | IT-24
   Risk: Standard policies and procedures do not exist or are not followed to ensure that user accounts of resigned/terminated employees are revoked immediately.
   Control objective: Controls are in place to ensure that removal of existing user accounts follows a formalized procedure.
   Control description: On exit, HR sends an email to the IT team for disabling/removing the access of the user. Based on the mail, the IT team disables/deletes the user access.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function / HR Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

25. ITGC | Access Management | IT-25
   Risk: A weak password management system might increase the chances of intrusion by outsiders.
   Control objective: Controls are in place to ensure that access authentication mechanisms (e.g. passwords) are effective.
   Control description: The authentication access mechanism is through Active Directory and all password rules are enforced through the domain; applications should have access authentication as per the password policy.
   Anti-fraud: No | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

26. ITGC | Access Management | IT-26
   Risk: Lack of segregation of duties over requesting and granting access to the systems and data.
   Control objective: Controls are in place to ensure that only authorized personnel are able to create and modify system user accounts.
   Control description: Only authorized users can create and modify user accounts. All relevant approvals as mentioned in the User Account Management Procedure are taken prior to creation/modification of user accounts.
   Anti-fraud: Yes | Operational
   Test: Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: We observed the population and noted that there is no privileged user created during the testing. | Issue: (none recorded) | Recommendation: (none recorded)

27. ITGC | Disaster Recovery / Business Continuity plan | IT-27
   Risk: Disaster Recovery Plan, policies and procedures do not exist, leading to disruption of the activities of the company (loss of data etc.).
   Control objective: Disaster recovery plan and business continuity plans are in place.
   Control description: The DR and BCP policies and procedures should be in place to help recover from a disaster.
   Anti-fraud: No | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Annual | Performer: IT Function / Maintenance Function / Administration function | Corrective | Manual
   Test of design: Fail | Issue: Company A currently has no Business Continuity Planning (BCP) / Disaster Recovery (DR) in place. | Recommendation: To have a BCP/DR plan.

28. ITGC | Vendor access to network | IT-28
   Risk: Endangers network vulnerability and data security; window for potential fraud and malpractices.
   Control objective: Vendor access to the company's network for diagnostic and/or maintenance activities is properly restricted.
   Control description: Company A has outsourced its IT functions to Xenolith, IBM & Cronos to assist in the day-to-day IT functions (IT Infrastructure & SAP). The access of these service providers should be limited through Non-disclosure Agreements (NDAs) and confidentiality agreements.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Non-Key | Frequency: Annual | Performer: IT Function | Preventive | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

29. ITGC | Procurement of IT assets | IT-29
   Risk: Uncontrolled purchases leading to unwarranted expenditure; unauthorized purchase of IT assets opening potential fraud and malpractice avenues.
   Control objective: All purchases of IT assets are made centrally and with adequate approval.
   Control description: A note sheet is prepared seeking the approvals for any IT asset purchase. Thereafter, the Purchase Requisition (PR) for all IT assets is created by the IT function and approved by the Head IT. Any new laptop/desktop purchased is issued to the user only after being appropriately configured by IT.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

30. ITGC | New Programs or Services | IT-30
   Risk: Unauthorized implementation of new programs; unwarranted outflow of funds.
   Control objective: New programs or services are approved prior to implementation.
   Control description: For installation/implementation of any new program, a relevant business case is prepared after detailed debates and discussions with each stakeholder involved, and documented through a Change Request Form (CRF). Once the stakeholders approve the business case, a work-based requisition (WBR) is created for the project. The WBR is approved by the CEO.
   Anti-fraud: No | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: IT Function | Preventive | Manual
   Test of design: Cannot test the design effectiveness, since there is no population during FY 16-17. | Issue: NA | Recommendation: NA

31. ITGC | Hardware Monitoring | IT-31
   Risk: Loss/damage/theft of hardware components; unwarranted outflow of funds.
   Control objective: The company's policies and procedures provide for hardware monitoring.
   Control description: The IT function maintains the IT Asset Inventory in an Excel workbook. Physical verification of all hardware is performed by IBM. Wall-to-wall reconciliation of IT assets is performed quarterly for all locations. The verification report is compiled in an Excel spreadsheet and shared with the IT Head.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Quarterly | Performer: IT Function | Detective | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA

32. ITGC | Web filtering | IT-32
   Risk: Free access to websites containing malicious viruses; endangers network vulnerability and data security.
   Control objective: The company utilizes web filtering to prevent employees from visiting dangerous websites.
   Control description: The company is using Cyberoam firewall traffic monitoring and restricting access to potentially dangerous websites, which may expose the organisation's network to threats.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Continuous | Performer: IT Function | Preventive | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

33. ITGC | Vulnerability Assessments | IT-33
   Risk: Window for potential fraud and malpractices; existence of unidentified vulnerabilities in the system; network exposure to malicious programs.
   Control objective: The company obtains periodic network vulnerability assessments.
   Control description: The company should have a periodic vulnerability assessment to help identify vulnerabilities in a timely manner.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Yearly | Performer: IT Function | Detective | Automated
   Test of design: Pass | Issue: NA | Recommendation: NA

34. ITGC | Independent IT Audit | IT-34
   Risk: Risks in the IT framework and infrastructure remain undetected; management is not updated on IT issues in a timely manner; stakeholder dissatisfaction.
   Control objective: Independent reviews of IT-related areas are performed regularly.
   Control description: There should be a periodic independent review of IT-related areas to highlight deviations in a timely manner and help in process improvement.
   Anti-fraud: Yes | Operational
   Test: Inquiry/Inspection | Period: 01/04/2016 - 31/12/2016 | Key | Frequency: Ad-hoc | Performer: Statutory & Internal Auditors | Detective | Manual
   Test of design: Pass | Issue: NA | Recommendation: NA
COBIT policy index (two-column list rebuilt in order)

1. APO01 - IT Management Framework
2. APO02 - IT Service Strategy Principles
3. APO02 - IT Strategy Principles
4. APO03 - Architectural Principles
5. APO04 - Innovation Principles
6. APO05 - Portfolio Principles
7. APO06 - Budgeting Policy
8. APO07 - Contract Staff Policy
9. APO07 - Human Resources Policies
10. APO08 - Business-IT Relationship Management Policy
11. APO10 - IT Procurement Policy
12. APO10 - Third-Party IT Service Delivery Management Policy
13. APO11 - Quality Management Policy
14. APO12 - Fraud Risk Policy
15. APO13 - Information Security Policy
16. APO14 - Data Cleansing Policy
17. APO14 - Data Quality Assessment Policy
18. APO14 - Data Management Policy
19. APO14 - Privacy Policy
20. BAI01 - Program-Project Management Policy
21. BAI03 - Maintenance Policy
22. BAI03 - Software Development Policy
23. BAI03 - System and Service Acquisition Policy
24. BAI04 - Availability Management Policy
25. BAI04 - Crisis Management Policy
26. BAI05 - Organizational Change Management Policy
27. BAI06 - IT Change Management Policy
28. BAI07 - IT Change Acceptance and Transitioning
29. BAI08 - Knowledge Management Policy
30. BAI09 - Asset Management Policy
31. BAI09 - Intellectual Property Policy
32. BAI10 - Configuration Management Policy
33. BAI10 - Service level agreement (SLA) Policy
34. DSS01 - Service Management Policy
35. DSS02 - Incident Management Policy
36. DSS02 - Service Request Fulfillment Policy
37. DSS03 - Problem Resolution Policy
38. DSS04 - Business Continuity Policy
39. DSS06 - Business Controls Guidance
40. Enterprise Architecture Principles - Development Options and Process
41. Four Ps Description Governance Enablers & Tools
42. EDM01 - Delegation of Authority Policy
43. EDM01 - IT Governance Policy
44. EDM02 - Delivery Execution Policy
45. EDM03 - Enterprise Risk Policy
46. EDM04 - Performance Measurement Policy
47. EDM05 - Transparency Policy
48. MEA01 - Self-Assessment Policy
49. MEA01 - Whistle-Blower Policy
50. MEA02 - Internal Control Policy
51. MEA02 - Internal Control Self-Assessment Guidance
52. MEA03 - Compliance Policy
53. MEA04 - Assurance Guide
54. MEA04 - Internal Audit Charter
55. COBIT Process Policy Mapping
56. COBIT-2019 - Maturity Assessment