ITAM Vol III.pdf - Manual of Information Technology Audit, Volume III: Audit Programmes for Specific Applications, Office of the Comptroller & Auditor General of India

Manual of Information Technology Audit
Volume III: Audit Programmes for Specific Applications
Office of the Comptroller & Auditor General of India

Table of Contents

1. Audit of ERP Systems (page 3)
   (i) Audit Programme 1: Planning & Acquisition in Audit of ERP Systems (page 7)
   (ii) Audit Programme 2: Checklist for Established ERP System (page 32)
2. Audit Programme 3: Computerised Inventory / Material Management Systems Audit (page 59)
3. Audit Programme 4: Checklist / Guidelines for Auditor's Involvement in IT Systems under Development (page 70)
4. Audit Programme 5: Auditing E-Governance (page 94)
5. Audit Programme 6: Analysing VLC Data for Audit (page 102)
6. Bibliography (page 112)

IT Audit Manual Volume III – SAI, India

1. AUDIT OF ERP SYSTEMS

Introduction

1.1 Enterprise Resource Planning (ERP) is a high-end solution featuring integration of information technology and business application. ERP solutions seek to streamline and integrate operational processes and information flows in the organization so as to integrate its resources, namely Personnel, Inventory, Finance and Manufacturing, through information technology. A system that provides seamless integration of all of these functions into a single system, designed to serve the needs of each different department within the enterprise, is called ERP. Thus in an ERP solution the whole is greater than the sum of its parts. An ERP system spans multiple departments in an organization, and in some cases an ERP will also transcend the organizational boundary to incorporate the systems of partners and suppliers as well, bringing in additional functions like supply chain management. Each implementation is unique and is designed to correspond to the implementer's various business processes.

Evolution of ERP

1.2 In the ever more competitive environment, increasing demands are placed on organizations: aggressive cost control initiatives, the need to analyze costs and revenues on a product or customer basis, flexibility to respond to changing business requirements, more informed management decision making and changes in the various ways of doing business. However, many hurdles to the growth of any business exist, such as difficulty in getting accurate data and timely information, and improper interfacing of complex business functions. To overcome these hurdles and achieve growth in business, and depending upon the rate of change of the growing business needs, organizations have over a period of time introduced many applications, such as:

• Management Information Systems (MIS)
• Integrated Information Systems (IIS)
• Executive Information Systems (EIS)
• Corporate Information Systems (CIS)
• Enterprise Wide Systems (EWS)
• Material Resource Planning (MRP)
• Manufacturing Resource Planning (MRP II)
• Money Resource Planning (MRP III)

1.3 As automated solutions were developed to cater to different activities of organizations, it was only a matter of time before somebody thought of integrating all of them to give an end-to-end IT solution for an organization's operational and decision support needs. Thus ERP is more of a methodology than a piece of software, although it incorporates several software applications, brought together under a single, integrated interface. Most organizations across the world have realized that in a rapidly changing environment it is impossible to create and maintain a custom-designed software package which will cater to all their requirements and also be completely up to date. Realizing the requirement of user organizations, some of the leading software companies have designed Enterprise Resource Planning software which offers an integrated software solution to all the functions of an organisation.

Features of ERP

1.4 Some of the major functionalities of ERP are as below:

• Facilitates an enterprise-wide Integrated Information System covering all functional areas like Manufacturing, Sales and Distribution, Payables, Receivables, Inventory, Accounts, Human Resources, Purchases etc., and bridges the information gap across the organisation.
• Facilitates introduction of the latest technologies like Electronic Fund Transfer (EFT), Electronic Data Interchange (EDI), E-Commerce etc.
• Helps in eliminating most business problems like material shortages, productivity enhancement, customer service, cash management, inventory problems, quality problems, prompt delivery etc.
• Provides avenues for continuous improvement and refinement of business processes.
• Helps in laying down Decision Support Systems (DSS), Management Information Systems (MIS), Reporting, Data Mining and Early Warning Systems for the organization.

Components of ERP

1.5 ERP solutions are usually divided into many sub-systems, like Sales and Marketing, Master Scheduling, Material Requirement Planning, Capacity Requirement Planning, Bill of Materials, Purchasing, Manufacturing including Shop Floor Control, Accounts Payable/Receivable, Logistics, Asset Management and Financial Accounting.

Benefits of ERP

1.6 According to organizations that have implemented ERP, some of the claimed benefits are as follows:

• Gives Accounts Payable personnel increased control over invoicing and payment processing, thereby boosting their productivity and eliminating their reliance on computer personnel for these operations.
• Reduces paper documents by providing on-line formats for quickly entering and retrieving information.
• Improves timeliness of information by permitting daily postings instead of monthly.
• Greater accuracy of information, with detailed content and better presentation.
• Improved cost control.
• Faster response and follow-up on customers.
• More efficient cash collection, through reduction in delay in customer payments.
• Better monitoring and quicker resolution of queries.
• Enables quick response to change in business operations and market conditions.
• Helps to achieve competitive advantage by improving business processes.
• Provides a unified customer database usable by all applications.
• Improves international operations by supporting a variety of tax structures, invoicing schemes, multiple currencies, multiple period accounting and languages.
• Improves information access and management throughout the enterprise.

Auditing ERP Systems

1.7 An ERP solution by its very nature has some peculiarities which have to be considered while planning and conducting the audit. Some of these are given below.

1.8 Implementation of an ERP solution goes closely with not only business process reengineering but also organizational remodelling; these may be extensive in nature. Hence it is very important to evaluate whether the auditee understands the full import of going for ERP and whether it has enough organizational resilience and flexibility to undertake the project. Many ERP projects have failed not because of technical deficiencies but because of a mismatch between management aspirations and organizational compliance.

1.9 The database is usually centralized and, as the applications reside with multiple users, the system allows flexibility in customization and configuration. The processing is real-time online, whereby the databases are updated simultaneously by minimal data entry operations. The input controls depend on validation before data acceptance and rely on transaction balancing. Thus time-tested controls such as batch totals are often no longer relevant. Since the transactions are stored in a common database, the different modules update entries in that database; thus the database is accessible from different modules. Moreover, the authorization controls are enforced at the level of the application and not the database. As a result the security control evaluation is of paramount importance. Accordingly the auditors have to spend considerable time understanding the data flow and transaction processing. Since the system is heavily dependent on large-scale networking, with increased access from not only users but also business associates and customers, network and database security are important areas to look into. Vulnerability through increased access is the price paid for higher integration and faster processing of data in an integrated manner. Because of its very nature of having a centralized database, the risk of single point failures is higher in ERP solutions; hence Business Continuity and Disaster Recovery should be examined closely.

1.10 The broad areas to look into in the IT Audit of an ERP solution are given below:

1. The primary objective of the audit is to check whether the organization's objectives in implementing ERP have been fulfilled. Here it is important that the objectives have been listed in detail and not in general terms.
2. Audit should also ensure that the organisation has followed the structured steps involved in implementation of an ERP, such as Project Planning, Business & Operational Analysis including Gap Analysis, Business Process Reengineering, Installation and Configuration, Project Team Training, Business Requirement Mapping, Module Configuration, System Interfaces, Data Conversion, Custom Documentation, End-User Training, Acceptance Testing and Post-Implementation/Audit Support.
3. It should be verified whether the implementation was done systematically, through detailed discussions, design & customisation, implementation and production.
4. It would be advantageous if the auditor has reasonable awareness of ERP, so that he can evaluate whether the system is compliant with external regulations (e.g. that the provisions of Income Tax or other fiscal laws are not ignored, and that the Accounting Standards are consistently followed across the company). This would enable him to achieve better quality in the audit report.
5. In a large organisation where the quantum of data processed by the ERP is extremely voluminous, the analysis of patterns and trends proves to be extremely useful in ascertaining the efficiency and effectiveness of operations.
6. The auditor can use various tools and techniques to audit an ERP environment, to address entire populations, highlight potential risk areas and efficiently perform an audit. ERP not only interfaces to/from non-ERP systems, but may also serve as a web-enabled environment where the boundaries of the processes extend beyond the ERP itself, and it becomes imperative that tools and techniques be considered for:
   a. Data mining and analysis.
   b. Separation of duties analysis / authorisation analysis.
   c. Workflow / report delivery.
   d. Upgrades control.

1.11 An audit of an ERP thus examines the areas of process integrity, application security, infrastructure integrity and implementation integrity.

Planning ERP Audit

1.12 Remember that first IT audits of an ERP system would be time consuming and would be largely an opportunity to understand the working of the system. However, in cases where the audit offices are very familiar with the functioning of the auditee organizations, such as in RAO/RAPs, it would be comparatively easier to examine transaction processing and outputs. Otherwise, at the outset of an IT audit of an ERP system or ERP system implementation project, the auditor should invest sufficient time and effort in gathering background knowledge and understanding of the organisation's existing/planned development and gaining control of the ERP system and related sources.

1.13 The audit of an ERP implementation can be carried out at any time in the life cycle of the project, by examining what has been done till that time and what is planned for the future. Audit of ERP solutions is not just an audit of technology but of the business process as well; hence it is important that a judicious mix of IT and auditing skills is made in an ERP audit team. Though the audit concerns may differ, some of the specific concerns are: failure to meet user requirements; failure to integrate; incompatibility with the technical infrastructure; vendor support problems; and expensive and complex installations.

Audit Programme 1: Enterprise Resource Planning (ERP) – Planning & Acquisition

The focus of ERP solutions is to integrate Personnel, Inventory, Finance and Manufacturing functions through information technology. ERP implementations are critical systems and need the specific focus of a holistic approach and Business Process Reengineering. The focus is on the processes of designing and implementing controls in the new system, i.e. Business Process Reengineering and project management. There might be some overlap between this checklist and the Guidelines for Systems Under Development. In case an organization is clearly taking an SDLC approach towards adopting an ERP application, the following programmes can be supplemented by those guidelines. The manual presents Audit Programmes for two different kinds of audit, viz. (i) Audit/Review of the Planning and Acquisition and (ii) Audit/Review of an Established ERP System. These programmes are based on the CoBIT framework. The IT auditors could also draw up additional auditee-specific control objectives and application-specific audit procedures for conducting IT Audit of ERP solutions.

Checklist columns: No. | Item | Response (Yes / No / KD)

PLANNING AND ORGANISATION

Strategic IT Plan

1. Whether IT or business enterprise policies and procedures address a structured planning approach?
   KD Reference: _______________________________

2. Whether a methodology is in place to formulate and modify the plans and, at a minimum, they cover:
   • organisation mission and goals
   • IT initiatives to support the organisation mission and goals
   • opportunities for IT initiatives
   • feasibility studies of IT initiatives
   • risk assessments of IT initiatives
   • optimal investment of current and future IT investments
   • re-engineering of IT initiatives to reflect changes in the enterprise's mission and goals
   • evaluation of the alternative strategies for data applications, technology and organization
   KD Reference: _______________________________

3. Whether organisational changes, technology evolution, regulatory requirements, business process reengineering, staffing, in- and out-sourcing, etc. are taken into account and adequately addressed in the planning process?
   KD Reference: _______________________________

4. Whether long- and short-range IT plans exist, are current, and adequately address the overall enterprise, its mission and key business functions?
   KD Reference: _______________________________

5. Whether IT projects are supported by the appropriate documentation as identified in the IT planning methodology?
   KD Reference: _______________________________

6. Whether checkpoints exist to ensure that IT objectives and long- and short-range plans continue to meet organisational objectives and long- and short-range plans?
   KD Reference: _______________________________

7. Whether review and sign-off of the IT plan by process owners and senior management occurs?
   KD Reference: _______________________________

8. Whether the IT plan assesses the existing information systems in terms of degree of business automation, functionality, stability, complexity, costs, strengths and weaknesses?
   KD Reference: _______________________________

9. Whether the absence of long-range planning for information systems and supporting infrastructure results in systems that do not support enterprise objectives and business processes, or do not provide appropriate integrity, security and control?
   KD Reference: _______________________________

Information Architecture

10. Whether IT policies and procedures address the development and maintenance of the data dictionary?
   KD Reference: _______________________________

11. Whether the process used to update the information architecture model is based on long- and short-range plans, considers associated costs and risks, and ensures that senior management sign-off is obtained prior to making changes to the model?
   KD Reference: _______________________________

12. Whether a process is used to keep the data dictionary and data syntax rules up to date?
   KD Reference: _______________________________

13. Whether a medium is used to distribute the data dictionary to ensure that it is accessible to development areas and that changes are reflected immediately?
   KD Reference: _______________________________

14. Whether IT policies and procedures address the classification of data, including security categories and data ownership, and whether access rules for the classes of data are clearly and appropriately defined?
   KD Reference: _______________________________

15. Whether standards define the default classification for data assets which do not contain a data classification identifier?
   KD Reference: _______________________________

16. Whether IT policies and procedures address the following:
   • an authorisation process is in place requiring the owner of the data (as defined in the data ownership policy) to authorise all access to that data and to the security attributes of the data
   • security levels are defined for each data classification
   • access levels are defined and are appropriate for the data classification
   • access to sensitive data requires explicit access levels and data is only provided on a "need to know" basis
   KD Reference: _______________________________

Technology Direction

17. Whether there is a process for creating and regularly updating the technological infrastructure plan, for confirming that proposed changes are first examined to assess associated costs and risks, and that senior management sign-off is obtained prior to making changes to the plan?
   KD Reference: _______________________________

18. Whether the technological infrastructure plan is compared to the IT long- and short-range plans?
   KD Reference: _______________________________

19. Whether there is a process for evaluating the organisation's current technological status, to ensure that it encompasses aspects such as systems architecture, technological direction and migration strategies?
   KD Reference: _______________________________

20. Whether the IT policies and procedures address the need to evaluate and monitor current and future technology trends and regulatory conditions, and ensure that they are taken into consideration during the development and maintenance of the technological infrastructure plan?
   KD Reference: _______________________________

21. Whether the logistical and environmental impact of technological acquisitions is planned for?
   KD Reference: _______________________________

22. Whether the IT policies and procedures ensure that the need to systematically assess the technological plan for contingency aspects is addressed (i.e., redundancy, resilience, adequacy and evolutionary capability of the infrastructure)?
   KD Reference: _______________________________

23. Whether IT management evaluates emerging technologies and incorporates appropriate technologies into the current IT infrastructure?
   KD Reference: _______________________________

24. Whether it is the practice for the hardware and software acquisition plans to comply with the needs identified in the technological infrastructure plan, and whether they are being properly approved?
   KD Reference: _______________________________

25. Whether technology standards are in place for the technological components described in the technological infrastructure plan?
   KD Reference: _______________________________

IT Organization

26. Whether policy s...
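Paragraph 1.9 notes that in an ERP the authorization controls sit in the application layer rather than the database, and item 6(b) of paragraph 1.10 lists separation of duties (SoD) / authorisation analysis as one of the tool areas for an ERP audit. The following script, added here as an illustration and not taken from the manual, shows what such an analysis looks like over an export of user-to-role assignments: it computes each user's effective (union) set of business functions, tests it against a conflict matrix agreed with process owners, and also lists the role combinations the auditee should block preventively. Every role name, function name, user id and conflict rule is constructed sample data; none is taken from a real ERP product or auditee.

```python
"""Separation-of-duties (SoD) analysis over ERP role assignments.

Illustrative code added for this manual's points that ERP authorisation is
enforced in the application layer (para 1.9) and that SoD / authorisation
analysis is a tool area for ERP audit (para 1.10, item 6b). All role names,
function names, user ids and conflict rules below are constructed sample data.
"""
from itertools import combinations

# Constructed: which business functions each application role grants.
ROLE_FUNCTIONS = {
    "AP_CLERK": {"ENTER_INVOICE", "VIEW_VENDOR"},
    "AP_SUPERVISOR": {"APPROVE_INVOICE", "RELEASE_PAYMENT"},
    "VENDOR_MASTER": {"MAINTAIN_VENDOR", "VIEW_VENDOR"},
    "BUYER": {"CREATE_PO", "VIEW_VENDOR"},
    "STORES": {"GOODS_RECEIPT"},
    "IT_BASIS": {"ASSIGN_ROLES"},
}

# Constructed SoD rule set: function pairs one person must not hold together,
# each with the control weakness it would create.
CONFLICTS = {
    frozenset({"MAINTAIN_VENDOR", "RELEASE_PAYMENT"}): "vendor master and payment release held together",
    frozenset({"ENTER_INVOICE", "APPROVE_INVOICE"}): "invoice entry and approval held together",
    frozenset({"CREATE_PO", "GOODS_RECEIPT"}): "purchase order and goods receipt held together",
    frozenset({"ASSIGN_ROLES", "RELEASE_PAYMENT"}): "role administration and payment release held together",
}

# Constructed: user -> roles, as exported from the application's authorisation tables.
USER_ROLES = {
    "u1001": ["AP_CLERK"],
    "u1002": ["AP_CLERK", "AP_SUPERVISOR"],
    "u1003": ["VENDOR_MASTER", "AP_SUPERVISOR"],
    "u1004": ["BUYER", "STORES"],
    "u1005": ["IT_BASIS"],
}


def effective_functions(roles, role_functions=ROLE_FUNCTIONS):
    """Union of the functions granted by every role assigned to one user."""
    funcs = set()
    for role in roles:
        funcs |= role_functions.get(role, set())
    return funcs


def sod_violations(user_roles=USER_ROLES, role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Return {user: [(function_a, function_b, weakness), ...]} for every user
    whose effective function set contains a conflicting pair. Because the check
    runs on the union across roles, a conflict split over two individually
    clean roles (e.g. clerk + supervisor) is still caught."""
    findings = {}
    for user, roles in user_roles.items():
        funcs = effective_functions(roles, role_functions)
        hits = []
        for pair, weakness in conflicts.items():
            if pair <= funcs:
                a, b = sorted(pair)
                hits.append((a, b, weakness))
        if hits:
            findings[user] = sorted(hits)
    return findings


def conflicting_roles(role_functions=ROLE_FUNCTIONS, conflicts=CONFLICTS):
    """Role combinations that can never be assigned together without breaching
    a rule: single roles that are conflicting on their own, and role pairs whose
    union spans a conflict. This is the preventive list the auditee can configure."""
    toxic = set()
    for role, funcs in role_functions.items():
        if any(pair <= funcs for pair in conflicts):
            toxic.add((role,))
    for r1, r2 in combinations(sorted(role_functions), 2):
        union = role_functions[r1] | role_functions[r2]
        if any(pair <= union for pair in conflicts):
            toxic.add((r1, r2))
    return sorted(toxic)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for a, b, weakness in hits:
            print(f"{user}: {a} + {b}: {weakness}")
    print("Role combinations to block:", conflicting_roles())
```

Run against the constructed data, the script flags u1002, u1003 and u1004 and reports four role pairs to block; u1001 and u1005 pass. The same structure applies to a real extract: replace the three dictionaries with the auditee's role-to-transaction and user-to-role tables and a conflict matrix agreed with the process owners, and keep the rule set under version control so that findings are reproducible.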