Of
DISA 2.0 Course
(Evaluation of software development)
Group No. 10
Batch No. FAR1904051
Members:-
In terms of our engagement letter dated May 05, 2019, PPA & Co. have carried out an independent audit of ENTERPRISES LTD with a view to reviewing the security and control of the enterprise, which is engaged in the business of supply and distribution of power, and to formulating a policy for the security and control of the operations of ENTERPRISES LTD. This assignment focused primarily on preparing a security control matrix and drafting a policy with sample procedures for implementing the SECURITY POLICY.
The information contained herein and our report are confidential. They are intended only for the sole use and information of the Company, and only in connection with the purpose for which the assessment has been done. It is to be noted that any reproduction, copying or otherwise quoting of this report or any part thereof can be done only with our prior permission in writing.
In the following report, we have summarized the audit observations together with recommendations to address the control weaknesses and associated risks.
Yours faithfully,
For PPA & Co.
Chartered Accountants
CA ADITYA GUPTA
Partner
Place: Faridabad
Date: 29/05/2019
A. Project Report (Case Study)
In Enterprises, change in the customer support process was undertaken by using newer technology. Two
main areas of concern have been found as detailed below:
1. DATA INTEGRITY
2. IMPLEMENTATION
1. DATA INTEGRITY
A. Issue
B. Control
C. Control Risks
2. IMPLEMENTATION
A. Improper feasibility
B. Improper testing
Improper functional testing:- During the audit it was noticed that no structured approach is followed while testing the software developed. The following categories of tests were not performed on the new program, which resulted in incomplete functionality of the delivered application and undetected errors:-
Functional test:- to check whether the software does what it is supposed to do.
Performance test:- to verify whether the expected performance criteria of the software have been achieved.
Stress test:- to determine the stability and limits of the software under load.
Structural tests:- to examine the internal processing logic of the software.
Further, the test results were not documented properly, and modifications made on the basis of test results were not properly authorized or documented.
User Acceptance Testing:- The audit observed that users were not involved throughout the different stages of the project, e.g. planning, development, testing, training etc. The enterprise staff/users were not convinced of the new system’s adequacy, particularly because the legacy system provided specific functionalities to the business users that were not considered in the initial programme planning and had to be developed in parallel. Ultimately, there were many quality issues in servicing end customers.
Unstructured approach/monitoring of project:- The audit found that an unstructured approach was followed by the IT department entrusted with the responsibility of getting the software developed. Project controlling techniques and tools such as the Programme Evaluation and Review Technique (PERT), the Critical Path Method (CPM), Gantt charts etc. were not being used. The project was completed with delays and budget overruns. Business benefit realisation did not exist for the project.
a) Insecure System Configuration:- The results of the vulnerability scans also indicated that several servers contained insecure configurations that could allow attackers or unprivileged users to insert code resulting in privilege escalation. The escalated privileges could grant attackers unauthorized access to sensitive and proprietary information.
c) User-based roles:- The “need to know and need to do” principle was not followed, as is evident from the fact that every user of the application has access to critical customer information. Further, no control exists to track users’ actions.
d) Formal Access Security Policy and Procedures: An ENTERPRISES security policy had been developed in draft form at the time of the audit; however, the policy was not in the process of being approved by management or distributed to key stakeholders. A formal ENTERPRISES security policy and procedures would help to ensure that access is granted consistently throughout the enterprise and that all responsibilities for granting access are clearly defined and assigned to the appropriate individuals. Management has reported having taken action on the security policy and procedures.
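The control missing in finding c) above is straightforward to express in code. The following Python block is an added illustration, not part of the audit report and not code from ENTERPRISES LTD.: it enforces “need to know / need to do” by denying by default, returning only the fields a role needs, and writing every decision (allowed or denied) to an append-only audit trail so that user actions can be traced afterwards. All roles, users, resources, field names and the sample customer record are constructed for the example.

```python
"""Added example (not from the audit report): need-to-know access control
with an audit trail. Every name below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Role -> (resource, action) pairs the role may perform. Anything not listed
# is denied: the default is "no access", not "everyone can read everything".
ROLE_PERMISSIONS = {
    "support_agent":  {("customer.contact", "read")},
    "billing_clerk":  {("customer.billing", "read"), ("customer.billing", "update")},
    "field_engineer": {("customer.connection", "read"), ("customer.connection", "update")},
    "security_admin": {("audit_log", "read")},
}

# Need-to-know at field level: each resource exposes only a slice of the record.
RESOURCE_FIELDS = {
    "customer.contact":    {"customer_id", "phone"},
    "customer.billing":    {"customer_id", "meter_no", "amount_due"},
    "customer.connection": {"customer_id", "meter_no", "address"},
}


@dataclass
class AuditEvent:
    ts: str
    user: str
    role: str
    resource: str
    action: str
    decision: str                   # "ALLOW" or "DENY"
    customer_id: Optional[str] = None


class AccessControl:
    def __init__(self, user_roles):
        self.user_roles = dict(user_roles)  # user -> role (assumed one role per user)
        self.audit_log = []                 # append-only trail of every decision

    def _log(self, user, resource, action, decision, customer_id=None):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user,
            self.user_roles.get(user, "<none>"), resource, action, decision, customer_id))

    def is_permitted(self, user, resource, action):
        role = self.user_roles.get(user)
        return role is not None and (resource, action) in ROLE_PERMISSIONS.get(role, set())

    def read(self, user, resource, record):
        """Return only the fields the caller's role needs; deny and log otherwise."""
        cid = record.get("customer_id")
        if not self.is_permitted(user, resource, "read"):
            self._log(user, resource, "read", "DENY", cid)
            raise PermissionError(f"{user} may not read {resource}")
        self._log(user, resource, "read", "ALLOW", cid)
        return {k: v for k, v in record.items() if k in RESOURCE_FIELDS.get(resource, set())}

    def update(self, user, resource, record, changes):
        """Apply changes only to fields the resource exposes; never touch the caller's copy."""
        cid = record.get("customer_id")
        out_of_scope = set(changes) - RESOURCE_FIELDS.get(resource, set())
        if not self.is_permitted(user, resource, "update") or out_of_scope:
            self._log(user, resource, "update", "DENY", cid)
            raise PermissionError(f"{user} may not update {sorted(changes)} via {resource}")
        self._log(user, resource, "update", "ALLOW", cid)
        updated = dict(record)
        updated.update(changes)
        return updated

    def denied_events(self):
        """What a security_admin would review: every refused attempt, with who/what/when."""
        return [e for e in self.audit_log if e.decision == "DENY"]


# Constructed sample data (not real users or customers).
USER_ROLES = {"asha": "support_agent", "ravi": "billing_clerk", "meena": "security_admin"}
SAMPLE_RECORD = {"customer_id": "C-1001", "meter_no": "M-77", "address": "12 Sector 9",
                 "phone": "98xxxxxx01", "amount_due": 1450.0}


def demo():
    """Support agent reads contact details (allowed) and billing (denied); both are logged."""
    ac = AccessControl(USER_ROLES)
    view = ac.read("asha", "customer.contact", SAMPLE_RECORD)
    try:
        ac.read("asha", "customer.billing", SAMPLE_RECORD)
    except PermissionError:
        pass
    return ac, view


if __name__ == "__main__":
    ac, view = demo()
    print("asha sees:", view)
    for event in ac.audit_log:
        print(event)
```

The two design points worth carrying into a real system are that the permission table is consulted before any data is touched (so a missing entry means denial, not access), and that denied attempts are logged with the same detail as allowed ones; a trail that records only successes cannot show who tried to read billing data they had no business seeing.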
In conclusion, to run a change in the customer process efficiently and effectively, a proper feasibility study needs to be conducted specifying the requirements correctly, the different stages of the project development life cycle need to be executed and monitored, and the necessary security needs to be implemented in order to have uninterrupted services. A number of recommendations have been made to fix the situation in these areas. Management has reported that corrective actions have either been taken or are in process.
B. Project Report (Solution)
For this purpose, a one-year IT programme was planned. However, certain challenges were faced, e.g.
An external service provider named ENTERPRISES LTD., Chartered Accountants (anonymised name), was hired to support the change of customer processes and the underlying technology, which was new for the enterprise. ENTERPRISES LTD. specializes in Information Systems Assurance/Audit/Implementation, training and consulting, including management consultancy services. ENTERPRISES LTD. is led by Mr. Purushottam Das, who is a Chartered Accountant and holds a Diploma in Information Systems Audit of the ICAI. The firm has qualified (4) and trained (11) IS audit personnel. The firm also has technology/domain experts on its panel, available as required. ENTERPRISES LTD. has been involved in providing Information Systems Assurance for both the public and private sector in India and abroad. Their clientele includes IT companies, banks and public/private sector companies.
2. AUDITEE ENVIRONMENT
Enterprises is a government-owned power enterprise engaged in the business of supply and distribution of power to all categories of consumers, e.g. domestic, business, commercial and government, at large, and a huge customer interface was involved.
Currently, the company was working through a legacy IT system. Most of the mission-critical applications in the company have been computerized and networked. In order to improve customer services further, the BOD decided to redefine processes, e.g. customer-facing connection, billing, etc., by deploying IT assets under a one-year programme. The existing underlying information systems were also to be renewed. For implementation, functional specifications were created along with other specifications, and in-house arrangements were made for the work to be carried out by the company-owned IT department.
The IT department of ENTERPRISES has issued Information Systems Controls (policies, procedures, practices and organization structure) as envisaged by management for ensuring uniformity and standardization in the implementation of IT solutions across the company. The internal audit team of the company has been well trained in IT and has gained extensive experience in auditing all IT applications.
The following assumptions are taken for specific internal policies and procedures such as the information security policy:
1. The ENTERPRISES LTD. security policy had been developed in draft form at the time of the audit; however, the policy was not in the process of being approved by management or distributed to key stakeholders. Management has reported having taken action on the security policy and procedures.
2. There is no policy for the assignment of duties and responsibilities by senior management for information, its processing and its use.
3. This was the first audit of the SMS of this kind.
4. There are policies and procedures to ensure that information systems, programs and configuration changes go through the change management process adequately. However, adherence to these was not evidenced through the requisite documentation.
5. There is no policy for training of personnel involved in system acquisition and configuration activities.
6. User acceptance testing was not conducted, nor were feedback sessions held to seek feedback on the system changes.
7. There is no policy established by senior management providing appropriate segregation of incompatible functions:
Basis administration
Transport/import
Develop program change
Develop role change
User security administration
Change monitoring
User testing
Authorize change
Perform change.
8. Backup policies have been made, but they are not tested on a regular basis.
9. No password policy has been set up by the organization.
10. There is no policy or procedure for checking router log files to identify unauthorized access at remote locations.
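Assumption 10 above (no procedure for checking router logs) is the kind of gap that a small, repeatable log review closes. The following Python block is an added example, not part of the audit report and not a tool of ENTERPRISES LTD.: it reviews a constructed router log for logins from outside the approved management networks, repeated failed logins from one source within a short window, and successful logins over cleartext telnet. The log line format, the approved networks (10.20.0.0/16 and 192.168.50.0/24), the hostnames, users and addresses are all assumptions for the example; a real router’s syslog format differs, and the regular expression would need adjusting to the device in use.

```python
"""Added example (not from the audit report): a router log review that flags
signs of unauthorized remote access. Log format, networks, hosts, users and
addresses are all constructed assumptions for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed line shape: "<ISO-8601 UTC> <router> <EVENT> user=<u> src=<ip> [proto=<p>]".
# A real router's syslog format differs; adjust this regex to the device in use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: proto=(?P<proto>\S+))?$"
)

# Management access is expected only from these (assumed) internal networks.
APPROVED_MGMT_NETS = [ip_network("10.20.0.0/16"), ip_network("192.168.50.0/24")]
FAIL_THRESHOLD = 3                  # failed logins ...
FAIL_WINDOW = timedelta(minutes=5)  # ... from one source within this window


def parse(lines):
    """Parse well-formed lines into dicts, sorted by time; skip lines of unknown shape."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def review(lines):
    """Return one finding per (rule, router, user, source) that matched."""
    findings, seen = [], set()

    def add(rule, e):
        key = (rule, e["host"], e["user"], e["src"])
        if key not in seen:
            seen.add(key)
            findings.append({"rule": rule, "host": e["host"], "user": e["user"],
                             "src": e["src"], "first_seen": e["ts"].isoformat()})

    recent_failures = defaultdict(list)   # (host, src) -> timestamps inside the window
    for e in parse(lines):
        src = ip_address(e["src"])
        # Rule 1: any management activity from outside the approved networks.
        if not any(src in net for net in APPROVED_MGMT_NETS):
            add("unapproved_source", e)
        # Rule 2: repeated failures from one source, a brute-force indicator.
        if e["event"] == "LOGIN_FAILED":
            window = recent_failures[(e["host"], e["src"])]
            window.append(e["ts"])
            window[:] = [t for t in window if e["ts"] - t <= FAIL_WINDOW]
            if len(window) >= FAIL_THRESHOLD:
                add("repeated_failures", e)
        # Rule 3: successful login over cleartext telnet (credentials exposed in transit).
        if e["event"] == "LOGIN_SUCCESS" and e["proto"] == "telnet":
            add("cleartext_login", e)
    return findings


# Constructed sample log: one brute-force-then-success from the Internet, one
# legitimate admin session, one telnet login from an unknown address, one junk line.
SAMPLE_LOG = """\
2019-05-21T10:02:11Z router-fbd-01 LOGIN_FAILED user=admin src=203.0.113.45 proto=ssh
2019-05-21T10:02:14Z router-fbd-01 LOGIN_FAILED user=admin src=203.0.113.45 proto=ssh
2019-05-21T10:02:19Z router-fbd-01 LOGIN_FAILED user=admin src=203.0.113.45 proto=ssh
2019-05-21T10:02:40Z router-fbd-01 LOGIN_SUCCESS user=admin src=203.0.113.45 proto=ssh
2019-05-21T11:15:02Z router-fbd-02 LOGIN_SUCCESS user=netops src=10.20.0.7 proto=ssh
2019-05-21T11:16:30Z router-fbd-02 CONFIG_CHANGED user=netops src=10.20.0.7
2019-05-21T02:05:00Z router-fbd-01 LOGIN_SUCCESS user=backup src=198.51.100.9 proto=telnet
this line is not in the expected format and is skipped
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run against the sample log, the review reports four findings: the Internet address 203.0.113.45 as an unapproved source and as the origin of three failed logins inside five minutes before a success, and 198.51.100.9 as an unapproved source that also logged in over telnet. The legitimate session from 10.20.0.7 produces nothing. Malformed lines are skipped rather than aborting the run, and findings are de-duplicated per source so the report stays readable when one source generates hundreds of lines.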
3. BACKGROUND
(Need for Evaluation of Software Development)
The IT assets delivered by the scheduled programme need to be corrected/amended to meet the full functionality.
The change management process as prescribed in the policies was not followed for the upgrade of software.
User acceptance testing was neither conducted nor was feedback obtained.
Lower service quality to customers, e.g. from incomplete information for customer service and support staff.
Under-performance of the project on cost and time, e.g. a delay of 200% and a 100% overrun of budgets.
Management’s concerns regarding this project and its impact on the company’s reputation.
Stakeholders’ interest.
All of these situations directly affect the business drivers. Business drivers can be defined as the attributes of a business function (service delivery) that arise out of strategic objectives to enhance the targets and goals of the business function in order to achieve the strategic business goals. Therefore, the situation mentioned above gave rise to the need for an independent evaluation of the software development process adopted by the company, in order to identify current areas of control weakness and provide recommendations for improvement.
Based on the discussion held with the IT team headed by Mr. Narender Singh at the ENTERPRISES LTD. premises at New Delhi on 21st May 2019, the scope has been proposed and defined. This proposal outlines the overall strategy and methodology for this assignment.
4. SITUATION
Details of the existing scenario and current situation which gave rise to the need for the assignment:
b) Quality issues
c) Lack of interoperability with other enterprise systems (connection of new customers, measurement of clients’ energy consumption, etc.)
d) Budget overruns
e) The enterprise staff was not convinced of the new system’s adequacy, particularly because the legacy system provided specific functionalities to the business users that were not considered in the initial programme planning and had to be developed in parallel.
ENTERPRISES LTD. should have conducted/tested all the project changes in a test environment before going live, and the necessary assurance should have been obtained externally/internally to ensure that the system works as intended, that the targeted efficiencies as envisaged have been achieved, and that management has full control over the system in helping to achieve the set objectives.
a) Poor project planning, e.g. no milestones of the project were set and the envisaged cost was not determined correctly
b) Delays in deliveries
c) The change management process was not followed
d) User acceptance testing/feedback not conducted
e) Changes not tested before being put into the live environment
f) No structured approach was followed by the IT department entrusted with the responsibility for software development
g) Non-adherence to existing information security policies
h) Inadequate IS policies and procedures
i) Functional specifications were not designed fully to cater to all categories of consumers
j) The necessary authorization and approval process was not followed at the time of planning the required changes
5. TERMS AND SCOPE OF ASSIGNMENT
The primary objective of the assignment is to conduct an evaluation of the software development project using the latest and globally recognised standard, the COBIT 5 best practices issued by ISACA (Information Systems Audit and Control Association), USA.
The review of software development would be with the objective of providing comfort on the efficiency, adequacy and appropriateness of the application, so as to mitigate the system operational risks and ensure that the information systems are implemented as designed in order to provide a workable, safe and secure computing environment.
Based on our understanding of ENTERPRISES LTD.’s needs for conducting assurance on software development, it was decided to focus primarily on the review of the various stages of development of the application.
We propose the scope of review and the terms of reference as laid down in the following paragraphs. The envisaged terms of reference are based on the personal discussions held between key members of the assignment team and the IT team of ENTERPRISES LTD. and selected critical users from 21st Aug, 2017 to 25th Aug, 2017. The detailed scope of review and the methodology followed are given in the annexure. The methodology would be further enhanced and refined as the audit progresses, based on the specific needs of the audit environment. Broadly, the scope of review would primarily involve:
2. RFP document covering system design, development and programming and testing
4. Application controls at various stages such as Input, Processing, Output, Storage, Retrieval and
transmission so as to ensure Confidentiality, Integrity and Availability of data.
DOCUMENTATION REQUIRED
3. UAT document
INFRASTRUCTURE REQUIRED
6. Facilities for discussions amongst our team and your designated staff.
TOOLS/TECHNIQUES USED:
1. CAAT
2. Prototyping model, in order to assess the correct requirements of operations to cater to business needs
3. Review of coding practices to ensure that these are standardized, so as to mitigate the risk of compromising quality
User manuals and documentation relating to the new software developed and implemented by ENTERPRISES LTD.
Audit Trails
1. We propose to deploy a core team of 3 to 5 IS audit personnel for this assignment, in batches of 2 to 3 as per the skill sets required, under the personal direction and liaison of the Principal, Mr. Gupta.
3. Detailed systematic audit procedures would be finalized after completing the review of the documentation and discussions with the systems staff and the users.
In tune with the terms and scope of reference of the assignment, we will adapt the methodology from the COBIT® “Build, Acquire and Implement” (BAI) processes; the management guidelines of the relevant IT processes shall be selected for this assignment after obtaining an understanding of the organisation structure, information technology deployment and available documented policies and procedures.
Structured Methodology
The above-mentioned objectives shall be achieved through the following structured methodology:
Application of COBIT® for formulating IT best practices for the policies and procedures of ENTERPRISES LTD.
Formulation of a draft report on our findings covering our review and benchmarking.
Presentation of the final report with an agreed action plan based on feedback from the IT management of ENTERPRISES LTD.
ENTERPRISES LTD. shall make available all the required resources on time and provide one coordinator for interaction and clarifications as required.
Audit plan :- The audit plan would cover the following activities:
Discussions with the
Top management
Systems\Implementation Team
Users and user management
Examination of the different cycles of software development
Observation of the users and the systems in operation
Observing internal weaknesses throughout the SDLC
Recommendations with an agreed action plan to overcome the challenges
Review of the feasibility study/RFP/UAT documents
Review of Operating System (OS) documentation
Review of application software manuals
Post-implementation assurance of effective operations
Audit Program\procedures
Our audit team would perform the following tasks based on the audit methodologies and include the
following programs\procedures:
Undertake an in-depth study and analysis of all aspects of the software application as implemented at ENTERPRISES LTD. We will take steps to identify the way in which the system currently operates. In doing so, the following objectives would be kept in mind while setting the overall goals:
Accurate and complete processing of data
Error messages in case of incomplete/aborting of processing of data
Optimise data handling and storage
Better management of information
Review the in-built controls & weaknesses in internal control at different phases of Software
development
Review the testing phase and user acceptance testing in testing environment
Review controls established for the development, documentation and amendment of programs so
as to ensure that they go live as intended.
Summarize the key findings, recommendations, agreed corrective action and assurance
Review the legacy software in operation; understand how it was catering to the various consumer categories and the needs for improvement.
Review how each phase of new application software development has been tested including the
documentation prepared in respect of each.
Review the methods employed for implementation of the system, including post-implementation
review procedures undertaken to ensure that the objectives set out were actually achieved.
Understand the business processes and review how these have been mapped in the information
systems with a top down approach.
Assignment Team
Our approach to selecting the right people for a project is to bring together the necessary skills and experience for a particular assignment from the rich mix of skills and experience available. The assignment would be executed under the personal supervision and leadership of Mr. Gupta. The team would be a blend of professionals with extensive experience in management, information technology and auditing. The team includes Chartered Accountants, IT professionals, management consultants and Certified Information Systems Auditors.
The senior members of the team are:
1. Mr. Pavan Verma
2. Mr. Pradeep Garg
3. Mr. Aditya Gupta
9. REFERENCES
a) The regulatory requirements regarding fraud as per Indian legislation:
CARO 2003
COSO
c) Fraud investigation tools and techniques:
Data analysis technologies using Computer Assisted Audit Techniques (CAAT) are among the most effective tools and techniques to combat fraud.
9. Trend Analysis: To analyse trends by reviewing patterns which vary from the normal.
10 . DELIVERABLES
1. Draft report including an executive summary of the results of the review, along with the findings and recommendations and a risk analysis of the findings.
2. Final report incorporating management comments and an agreed priority plan of action based on exposure analysis.
12. SUMMARY/CONCLUSION
In the present era, the critical need for Information Technology (IT) can be understood from the need to plan and develop safe, secure and reliable system solutions using information systems, which form the backbone for developing innovative product offerings and services. Information systems also play a key role in performing short- and long-term management functions and activities.
The SDLC is an essential aspect of automating business processes using information technology. It has been evolving with changing technology and the global proliferation of computers. Today’s business depends heavily on IT, and any problem faced has multi-fold repercussions. Controlling the SDLC process helps organisations mitigate the risks associated with the implementation and use of IT.
There is also a greater need to ensure an appropriate level of security when developing information systems, so as to establish appropriate privacy and protection practices and to develop acceptable implementation strategies for these practices.
The audit confirmed that as of May 2019 a comprehensive SDLC methodology/structured approach had not been adopted while developing the application software, affecting ENTERPRISES LTD. operations, security and maintenance.
A number of recommendations have been made for establishing procedures and practices governing initiation, definition, design, development, deployment, operation, maintenance and enhancement to address the existing issues, and management has reported that corrective actions have either been taken or are underway.
ANNEXURES:
1 AUDIT REPORT
2 CHECKLIST FOR FUTURE USE
AUDIT REPORT
(EVALUATION OF SOFTWARE DEVELOPMENT)
OF
ENTERPRISES LTD
By
PPA & Co, Chartered Accountants
PAVAN VERMA, ACA
PRADEEP GARG, ACA
ADITYA GUPTA, ACA
AUDIT OBJECTIVE AND SCOPE
OBJECTIVE
The primary objective is to provide comfort on the efficiency, adequacy and appropriateness of the application, so as to mitigate the system operational risks and ensure that the information systems are implemented as designed in order to provide a workable, safe and secure computing environment, by benchmarking against global best practices, and:
a) To assess and evaluate the management system relating to changes requested and made to the existing production systems in respect of the new application software, so as to minimize the likelihood of disruption, unauthorized alterations and errors, and to achieve full operational efficiency.
b) The review of software development would be with the objective of identifying the areas of control weakness in the software development process and recommending the best practices which could be adopted by the enterprise in future in case of such needs.
c) To assess the vulnerabilities of the application software implementation to attacks from within and outside, and to suggest appropriate counter-measures so as to safeguard information against unauthorized use, disclosure or modification, damage or loss.
d) To assess that audit trails exist to facilitate the tracing of transaction processing and the reconciliation of data, so as to ensure that adequate and appropriate audit trails/logs are developed and used within the company for effective monitoring of the mission-critical systems and processes.
e) To assess and evaluate data collection, analysis and reporting on resource performance, application sizing and workload demand, so as to ensure that adequate capacity is available and that the best and optimal use is made of it to meet the required performance needs of the business process owners.
f) To assess the internal control framework in respect of the specified application, review parameter settings and configuration management, and suggest improvements so as to ensure that data remains complete, accurate and valid during its input, update and storage.
SCOPE OF AUDIT
1. The primary objective of the assignment is to evaluate the newly developed software application and develop related audit checklists for future use, through external consultants, using globally recognized IS audit standards and best practices.
2. Specific areas of improvement would be identified by benchmarking against the globally recognized best IT practices of the COBIT framework.
3. Broadly, the scope of review, primarily from an evaluation/controls perspective, would involve:
BACKGROUND
ENTERPRISES Group has been using Information Technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of ENTERPRISES has been very proactive in directing the management and deployment of Information Technology. Most of the mission-critical applications in the company have been computerized and networked. ENTERPRISES selected a change in the customer process by adopting a new software application to bring a more integrated and seamless approach to internal processes.
With the deployment of the new software application in ENTERPRISES, management was expecting to provide quality services to its consumers, superior operational excellence and business agility, and also to achieve the defined objectives.
• Inadequate project management procedures could lead to scope creep, a poorly designed system that does not meet the needs of the business or end users, unclear responsibilities, lack of communication, inadequate monitoring, and undetected deviations from project scope. All of these have a direct impact on the budgeted dollars and timelines of the project. It also indicates a lack of management control over capitalizable projects.
• Inadequate system implementation procedures, resulting from poor planning, poor or insufficient user testing, system issues not being resolved, inadequate security measures for both network and application, lack of communication, and inadequately designed automated controls or edit checks. These would have a direct impact on the system’s ability to integrate within the existing infrastructure, the functionality of the system, the productivity and buy-in of employees, data integrity, completeness and accuracy, and the system’s vulnerability to a security compromise. It also indicates a lack of management control over the project.
• Inadequate security controls result in vulnerabilities that may expose data to unauthorized access, unauthorized disclosure or theft.
• A lack of management control over systems could lead to non-compliance with required regulations, resulting in fines and/or penalties.