DISA 2.0 Course
CERTIFICATE
Project report of DISA 2.0 Course
This is to certify that we have successfully completed the DISA 2.0 course training conducted
at the UDUPI BRANCH OF SIRC OF ICAI from 05-01-2019 to 03-02-2019 and we have the
required attendance. We are submitting the Project titled “EVALUATION OF SOFTWARE
DEVELOPMENT PROJECT”. We hereby confirm that we have adhered to the guidelines
issued by CIT, ICAI for the project. We also certify that this project report is the original work
of our group and each one of us has actively participated and contributed in preparing this
project. We have not shared the project details or taken help in preparing the project report from
anyone except members of our group.
Place: UDUPI
Date: 17.02.2019
Project Report
Evaluation of Software
Development Process
2/17/19
Table of Contents
1. Introduction
2. Auditee Environment
3. Background & Situation
8. References
9. Deliverables
1. INTRODUCTION
With a vision to fulfil the expectations of the Government, the Dakshina Vidyuth
Distribution Company Limited (a subsidiary of the Govt. of Karnataka) came into
being on 2nd June 2005, with the objective of distributing electricity to the people
at an affordable price. It was initially established to cater to the needs of consumers
in Dharwad district, but has slowly expanded its reach to nearby districts. It has
helped the people of north Karnataka to have good and continuous power supply
with minimum interruption.
Presently, its headquarters is situated at Hubli, a major industrial town of
Karnataka. The DVDCL is built on a huge area of 15 acres on the outskirts of the city
and its operations encompass 5 districts of Northern Karnataka: Belagavi,
Gadag, Haveri, Koppal and Bagalkot. As of today, DVDCL caters to the power
requirements of 1.5 crore consumers. It has a vast infrastructure in its
operating area, with 1,504 Nos. of 33/11 KV substations, 2,942 Nos. of power
transformers, 1,102 Nos. of 33 KV feeders, 6,609 Nos. of 11 KV feeders and around
3,84,477 Nos. of distribution transformers of various capacities.
Having electrified 6,489 villages, 5,600 general hamlets, 2,059 tribal hamlets, 12,105
Dalit wadas and 5,806 weaker-section colonies, DVDCL looks forward to
meeting many challenges with the promise of delivering quality customer services through
innovative programmes.
Vision
1. Customer Satisfaction through service excellence.
2. To become one of the most efficient power Generation companies Globally
3. To build, operate and maintain an efficient power transmission system.
Mission
1. To drive for efficiency and reliability in our operations by providing
excellent service driven by innovation, excellence and knowledge.
2. To use best Technology in communication and best practices in Power
Sector
3. To provide reliable and quality power at competitive cost.
4. To reach global standard in reducing distribution losses.
The growing customer needs and, more importantly, the emergence of new players in
the power sector have driven the DVDCL to aim at providing a superior experience and
value to its customers. The Company intends to smoothen the process of
registration of new applicants and improve the system of billing, accepting payments
and resolving customer grievances.
DVDCL intends to achieve the above-stated objectives by renewing the existing
software. However, due to quality and interoperability issues and failure to adhere
to the functional specifications, the task of developing and implementing the new
software has suffered a persisting delay.
To overcome the difficulties in the current software development process, the DVDCL
has appointed M/s ARS & Co., a firm of Chartered Accountants, to identify areas of
control weakness and provide suitable recommendations for improvements and best
practices that can be adopted in the software development model.
THE AUDIT ENGAGEMENT TEAM
Our approach to selecting the right people for a project is to bring together the
necessary skills and experience for a particular assignment from the rich mix of skills
and experience available. The assignment will be executed by M/s ARS & Co under
the personal supervision and lead of Ms. X.
M/s ARS & Co is one of the leading practitioners in the area of IS audit, comprising
the following main team members:
She has worked on 30+ SAP engagements across different industries like
FMCG, Telecom, Heavy Engineering, Automotive, Media, Chemicals, Oil &
Gas, Professional Services, Insurance etc., performing key leadership roles in
Program/Project Management.
The said team has handled various other projects concerning IS audits and has been
into consultation on the Software Development Life Cycle, Migration Audits, Business
Continuity Management etc.
2. AUDITEE ENVIRONMENT
The DVDCL is a public sector entity which is owned by the Government of Karnataka
with its headquarters in Hubli. It was incorporated in the year 2005 considering the
surge in demand of power as a result of growth in economy. It is poised for a multi-
fold growth in the generations to come. The Company currently is catering to the
power needs of 5 districts of Northern Karnataka and is planning to venture into
power supply in the other districts in the forthcoming years.
Nature of Business:
The DVDCL is into the business of supply of power and caters to the needs of both
business organisations as well as retail customers.
E. Preparing and carrying out schemes for distribution and generally for
promoting the use of electricity within the State.
Technology Infrastructure
Hardware used:
The DVDCL is currently using desktops as well as laptops, which are sourced
from a vendor called M/s CompNext Solutions Private Limited. An annual maintenance
contract (AMC) has been entered into with the said vendor and accordingly the
servicing, repairs and replacements are done by them as per the terms of the AMC.
System Software:
Currently, DVDCL uses Windows 7 as the Operating System across its entire area of
operations.
Application Software:
Until recently, DVDCL had been using a general-purpose software called ‘Electronic
Billing Software’ (EBS) which was developed and provided by M/s NextGen Software.
However, as the said software lacks a lot of features and is unable to handle the
growing business needs, DVDCL has decided to scrap the same and adopt new
software designed by Bharath Software Services Private Limited.
Network:
DVDCL offices are connected through a remote connection accessible via validation
checks. Employees are provided with a 6-digit security code (which changes every 60
seconds) and can connect to the network remotely via such dynamic codes.
Users:
DVDCL has a workforce of 1,257 people, out of which 430 people are engaged in back-end
operations and the rest are on-field employees. The employees engaged in the
main operations of the systems are trained on the basic use of computers and system
software only at the time of initial recruitment.
A number of new IT initiatives for improving the quality of power supply were
introduced by DVDCL:
5. EBS, MATS, CAT
3. BACKGROUND & SITUATION (Project Case Study)
The DVDCL felt a need to revamp its existing customer processes (such as the Billing Process
and customer-facing connections) in order to improve Efficiency and Effectiveness
and to develop an automated process for its business functions. It approached Bharath
Software Services Pvt Ltd to develop a Programme to renew its Information
Systems. However, the IT solution delivered by the programme (Bharath Bill Pay)
did not completely meet the requirements specified by the management of the
DVDCL, and therefore the entire process of Meter Reading, Billing, Customer
Relationship and various other technological interventions could not be redesigned
in an effective and efficient manner.
Functional specifications were created, but the developers, Bharath Software Services
Pvt Ltd, deviated from those without appropriate approval or feedback. This resulted
in improper and incorrect decision making that had a huge impact on consumer service
and Governance. The additional work and inefficiencies in service development also
caused delays in the deliveries, cost overruns on IT and on the provider’s services, and
lower service quality to the customers, e.g., from incomplete information for customer
service and support staff. The delay of 2 years and the excess of 100 % of the project
costs also show the lack of performance and efficiency in the programme.
As a result, the management of the DVDCL were concerned about the delay caused by the
new software team and the impact it had on the entire business process, and thus approached
our firm M/s ARS & Co to conduct an independent Information Systems Audit of
the Software Development process, to identify current areas of control weakness and
provide recommendations for improvement.
The audit team conducted a detailed study of the existing system followed by the
DVDCL and arrived at the following conclusion.
a) The IT Department charged with the responsibility of IT projects did not have a
structured approach; most of the processes were not documented and
were ad hoc in nature.
Therefore, after an extensive review of the software development process
documentation and interaction with key members of the IT department, Ms X, the
engagement leader, and her team identified some of the key issues in project
implementation.
1. Planned improvement in efficiency was not achieved and was delayed: The specific
requirements provided by the management of the DVDCL were interpreted wrongly
by Bharath Software Services Limited, leading to deviation in most of the required
areas. As all the decisions were taken by the chairman, there was a lot of delay in the
approval of any proposal. This eventually led to the development of an inefficient
software loaded with many quality issues in various domains of the DVDCL, which
included customer billing information, connection details of new customers and
measurement of clients’ energy consumption, to name a few.
2. Other initiatives had to be postponed due to the delay and the corresponding
information systems could not be planned accordingly: Since the software
implementation was delayed by a 2-year period, many other planned initiatives like
process re-engineering, Metering and Billing, enabling online payment of bills and
monitoring customer care units had to be postponed, as an effective Information System
could not be established, which affected the work environment.
not updated with the appropriate source data. Few key issues like meter reading
details, Billing, new connection requests were not designed precisely which also
lacked technological interventions and therefore delayed the delivery of required
results.
errors in the areas of Databases, meter reading details, Billing, new connection
requests
c. There was delay in the verification process for issuing new
connections, and there was a lack of authorization controls to
identify the correct user.
8. Information Security Problems: One of the major issues was that the DVDCL failed
to align IT security with that of the business. The reason for this was that they
were not able to develop new security systems and procedures that were
responsive to improving technology, nor to recognise threats and
attacks, and the IT products were not configured correctly.
Major weaknesses were identified in these areas:
a. Security technologies, networking devices and configuration options
were not upgraded.
b. Absence of firewalls, Intrusion Detection Systems and Virtual Private
Networks that could protect the system from malicious
attacks.
c. No Information Security professionals were hired to ensure that the
evolving network architectures do not compromise information
security capabilities.
d. There was no proper system to monitor the database on a real-time basis
to identify any unauthorized or suspicious activity that compromised
the privacy and integrity of trusted information in the data centre.
4. Terms and Scope of Engagement
Scope of Audit
The audit conducted shall primarily cover our review of Implementation and Post
implementation effectiveness of Software implemented by DVDCL (“the Company”).
This shall contain the following Scope:
1. Understanding the Current business position, the processes involved and the
software to implement the same
2. Understanding the issues faced by the Company in the current scenario
3. Understanding the requirement of the Company towards re-defining the
customer process and to renew the underlying information system
4. Develop framework and communication structure of Information Technology
implementation
5. Analysis of existing vendor contracts and its implementation
6. Identify changes required in the existing IT resources for smooth functioning
of business
7. Review of the contracts entered into with the new vendor for providing IT resources
8. Identifying the Cost Benefit analysis for choosing the vendor and implementer
regarding the underlying software provided
9. Testing of the software to be implemented to analyse the desired outcome of
that case
10. Providing draft report on the key issues identifying areas of control weakness
in the software development process with recommendations for improvement.
11. Providing final recommendations after discussion with the IT department with
confirmation of findings and agreed plan of action.
12. Providing specific recommendations on software development model and best
practices which can be adapted by the enterprise.
13. Post implementation report regarding effectiveness of the software
implemented
Terms of engagement:
For the effective conduct of the audit, the following terms have been agreed upon
by the management:
a. The management shall make available all the information and policy documents to
the auditors as and when they are required to be examined.
b. It shall provide the audit team with unrestricted access to the systems and data
storage, and to take any information from, or deploy a test package into,
the system.
c. The audit team may also contact the present vendors of the system and software to
gain any additional information about the present structure.
d. The audit team may question or interview users of the system at any level, on prior
intimation, to gain feedback and expectations.
e. The assignment is conducted only to make recommendations to the Management with regard
to the software development model and best practices which can be adapted by the
enterprise.
5. Logistic Arrangements Required
Infrastructure required:
It will be necessary for DVDCL to appoint one co-ordinator who will be part of the
initial discussion on the work plan and will continue to work with the team till the
assignment is complete. The appointment of such a co-ordinator will help in quick
execution of the assignment and will eliminate the possibility of delay in access to
certain information/requirements.
DVDCL will make available the necessary computer time, software resources and
support facilities necessary for the timely completion of the assignment. It is requested
that DVDCL communicates to the respective IT personnel/developers about the
conduct of the assignment so as to facilitate full-fledged co-operation from the
respective personnel. We will require the following infrastructure for executing the
assignment:
Four Nodes with Read only access to the software under development
2 laptops with Windows 7/Microsoft Office 2013
Access to printers for printing reports as required
Adequate seating and storage space for the audit team
Facilities for discussion amongst our team and your designated co-ordinator
Documentation required:
Contracts/Service level agreements with M/s Bharath Software Services Pvt Ltd
Organisation structure which outlines the hierarchy and job responsibilities
IS Security policy of DVDCL
User manuals/technical manuals as prepared by M/s Bharath Software Services Pvt Ltd
Any circular/guidelines issued to employees on the usage of software
Documents relating to software implementation by M/s Bharath Software Services Pvt Ltd
Any other document as identified by us as required for the assignment
6. Methodology and Strategies Adopted:
Based on our study of present conditions and requirements of various users, for
further improvement of the Company to achieve its organisational goals, we the
auditors have considered the adoption of the following methodologies:
1. Creation of Strategic team in the management: A strategic team should be
created comprising the key governance personnel of business and
information systems. This team shall steer all the decisions to achieve the
needs and future of the Organisation. It shall have the following duties:
a. Decide whether proposed IT solution will deliver business value to
the organisation through the IT enabled investments.
b. Decide the exact time line within which all the necessary software
development to be completed and executed
c. Decide the security requirements of the software when implemented
d. Cost benefit analysis of the implementation
e. Compatibility of the software for the future initiatives like metering
and billing, online payment, etc
f. Identification of risk and the tolerance limit of the same
d. Designing a framework for better understanding by users
e. The expectations of the stakeholders from the Company
These requirements should be gathered from the end users, who are the
employees and, in some cases, the customers. From employees they can be
collected through questionnaires or interviews. From customers they can be
collected through surveys. These requirements shall be analysed from the
technology perspective and necessarily documented.
4. Service Level Agreements with the vendors: The company has to enter into
a contract with the vendor. It shall contain all the necessary terms
depending upon the requirements. Some of the terms can be:
a. Specific description of services, deliverables and their costs
b. Commitments for data migration
c. Arrangement for a software escrow agreement or deliverables of
source code and system documentation
d. Description of the support to be provided during
installation/customisation
e. Criteria for user acceptance
f. Reasonable Acceptance test before purchase
g. Confidentiality clauses
h. Data protection clauses
i. Terms of software maintenance
[Figure: types of testing: Stress or Volume Testing, Stress Test, Performance Testing, Structural Test and Parallel Test]
A unit test shall determine the working of a single program. A unit is the smallest
functional part of an application, often called a module. It can be done by static
testing or dynamic testing. Under this the following tests shall be performed:
Functional Test: To check whether programs perform their required tasks
Performance Test: To check the expected performance from the program
Stress Test: To test the stability of the program
Structural Test: To check the internal process logic of the software
Parallel Test: To verify the results from the existing software against the new one
System testing is the process in which the software and other system elements are
tested as a whole. System testing begins either when the software as a whole is
operational or when well-defined subsets of the software's functionality
have been implemented. This shall contain:
Recovery Testing: To check the recovery of the software after crashes
Security Testing: To check the protection of the data while maintaining functionality
Volume Testing: To check the stability when there is data growth
Performance Testing: To check the internal hardware usage
Final Testing is conducted when all the other tests provide satisfactory results
and the software is ready for implementation. Here the whole system is tested
and compared with the requirement analysis.
DVDCL has to perform any or all of the above testing processes so that there shall
be smooth functioning of IT resources to achieve business objectives.
c. Pilot Changeover: With this strategy, the new system replaces the old
one in one operational area or on a smaller scale. Any errors can be
rectified and the new system stabilized in the pilot area; this stabilized
system is then replicated in operational areas throughout the whole
system.
d. Parallel Changeover: The new system is implemented; however, the
old system also continues to be operational. The output of the new
system is regularly compared with the old system. If the results match
over a period of time and the issues observed with the new system are taken
care of, the old system is discontinued.
6. Compliance with Internal control for Users of the software: The Company
has to prepare a document which shall create awareness and specify the
roles and responsibilities of the Users for better implementation of the
software.
For the methodology of implementing the software, we have considered the best
practices prescribed in COBIT, which are specified as under:
Application control objectives: COBIT provides best practices for application
controls which can be used as a benchmark for implementing or evaluating
application controls. The COBIT 4.1 control objectives and control practices provide
the best collection of controls which are generic and can be customised and used as a
benchmark for implementation or as assessment criteria for any application
audit. COBIT defines six control objectives for application controls:
1. Source Data Preparation and Authorisation: Ensure that source documents are
prepared by authorised and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the
origination and approval of these documents. Errors and omissions can be
minimised through good input form design. Detect errors and irregularities so
they can be reported and corrected.
2. Source Data Collection and Entry: Ensure that data input is performed in a
timely manner by authorised and qualified staff. Correction and resubmission
of data that were erroneously input should be performed without
compromising original transaction authorisation levels. Where appropriate for
reconstruction, retain original source documents for the appropriate amount of
time.
a. Accuracy, Completeness and Authenticity Checks: Ensure that transactions
are accurate, complete and valid. Validate data that were input, and edit or
send back for correction as close to the point of origination as possible.
b. Processing Integrity and Validity: Maintain the integrity and validity of
data throughout the processing cycle. Detection of erroneous transactions
does not disrupt the processing of valid transactions.
c. Output Review, Reconciliation and Error Handling: Establish procedures
4. Ensure that all source documents include standard components, contain proper
documentation and are authorised by management
5. Automatically assign a unique and sequential identifier to every transaction
6. Return documents that are not properly authorised or are incomplete to the
submitting originators for correction, and log the fact that they have been
returned. Review logs periodically to verify that corrected documents are
returned to originators in a timely fashion, and to enable pattern analysis and
root cause review.
Source Data collection and entry
1. Define and communicate criteria for timeliness, completeness and accuracy of
source documents. Establish mechanisms to ensure that data input is
performed in accordance with the timeliness, accuracy and completeness
criteria.
2. Use only pre-numbered source documents for critical transactions.
3. Define and communicate who can input, edit, authorize, accept and reject
transactions, and override errors. Implement access controls and record
supporting evidence to establish accountability in line with the role and
responsibility definitions.
4. Define procedures to correct errors, override errors and handle out-of-balance
conditions, as well as to follow up, correct, approve and resubmit source
documents and transactions in a timely manner.
5. Generate error messages in a timely manner, as close to the point of origin as
possible. Transactions should not be processed unless errors are corrected
or appropriately overridden or bypassed. Error logs should be reviewed and
acted upon within a specified and reasonable period of time.
6. Ensure that error and out-of-balance reports are reviewed by appropriate
personnel, followed up and corrected within a reasonable period of time and,
where necessary, incidents are raised for more senior-level attention.
Automated monitoring tools should be used to identify, monitor and manage
errors.
7. Ensure that source documents are safely stored for a sufficient period of time in
line with legal, regulatory or business requirements.
Accuracy, completeness and authenticity checks
1. Ensure that transaction data are verified as close to the data entry point as
possible and interactively during online sessions. Wherever possible, do not
stop transaction validation after the first error is found. Provide
understandable error messages immediately to enable efficient remediation.
2. Implement controls to ensure accuracy, completeness, validity and
compliance with regulatory requirements of data input. Controls may include
sequence, limit, range, validity, reasonableness, table look-ups, key
verification, duplicate and logical relationship checks and time edits.
Validation criteria and parameters should be subject to periodic review
and confirmation.
3. Establish access controls and role and responsibility mechanisms so that
only authorised persons input, modify and authorise data.
4. Define requirements for segregation of duties for entry, modification and
authorization of transaction data as well as for validation rules. Implement
automated controls and role and responsibility requirements.
5. Report transactions failing validation and post them to a suspense file.
Report all errors in a timely fashion and do not delay processing of valid
transactions.
6. Ensure that transactions failing edit and validation routines are subject to
appropriate follow-up until errors are remediated. Ensure that information
on processing failures is maintained to allow for root cause analysis and
help adjust procedures and automated controls.
Processing integrity and validity
1. Establish and implement mechanisms to authorise initiation of transaction
processing and to enforce that only appropriate and authorised applications
and tools are used.
2. Routinely verify that processing is completely and accurately performed,
with automated controls where appropriate. Controls may include checking
for sequence and duplication errors, transaction/record counts, referential
integrity checks, control and hash totals, range checks and buffer overflows.
3. Ensure that transactions failing validation routines are reported and posted
to a suspense file. Where a file contains valid and invalid transactions,
ensure that the processing of valid transactions is not delayed and all errors
are reported in a timely fashion. Ensure that information on processing
failures is kept to allow for root cause analysis and help adjust procedures
and automated controls, to ensure early detection or prevention of errors.
4. Ensure that transactions failing validation routines are subject to
appropriate follow-up until errors are remediated or the transaction is
cancelled.
5. Ensure that the correct sequence of jobs has been documented and
communicated to IT operations. Job output should include sufficient
information regarding subsequent jobs to ensure that data are not
inappropriately added, changed or lost during processing.
6. Verify the unique and sequential identifier assigned to every transaction.
7. Maintain the audit trail of transactions processed. Include date and time of
input and user identification for each online or batch transaction. For
sensitive data, the listing should contain before and after images and should
be checked by the business owner for accuracy and authorization of changes
made.
8. Maintain the integrity of data during unexpected interruptions in data
processing with system and database utilities. Ensure that controls are in
place to confirm data integrity after processing failures or after use of
system or database utilities to resolve operational problems. Any changes
made should be reported and approved by the business owner before they
are processed.
9. Ensure that adjustments, overrides and high-value transactions are
reviewed promptly and in detail for appropriateness by a supervisor who does
not perform data entry.
10. Reconcile file totals. Identify, report and act upon out-of-balance conditions.
Output review, reconciliation and error handling
1. When handling and retaining output from IT applications, follow defined
procedures and consider privacy and security requirements. Define, communicate
and follow procedures for the distribution of output
2. At appropriate intervals, take a physical inventory of all sensitive output, such as
negotiable instruments, and compare it with inventory records. Create procedures
with audit trails to account for all exceptions and rejections of sensitive output
documents
3. Match control totals in the header and/or trailer records of the output to balance
with the control totals produced by the system at data entry to ensure
completeness and accuracy of processing. If out of balance control totals exist,
report them to the appropriate level of management.
4. Validate completeness and accuracy of processing before other operations are
performed. If electronic output is reused, ensure that validation has occurred prior
to subsequent uses.
5. Define and implement procedures to ensure that the business owners review the
final output for reasonableness, accuracy and completeness, and that output is handled
in line with the applicable confidentiality classification. Report potential errors, log
them in an automated, centralised logging facility, and address errors in a timely
manner.
6. If the application produces sensitive output, define who can receive it, label the
output so it is recognizable by people and machines, and implement distribution
accordingly. Where necessary, send it to special access-controlled output devices.
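The edit checks, suspense-file handling, audit trail and control-total reconciliation described in the three lists above, carried through on a batch of meter-reading transactions. This is an added example written for this report and is not code from DVDCL, Bharath Software Services or COBIT; the transaction fields, consumer-id format, 5-digit meter register and 3x reasonableness threshold are assumptions.

```python
"""Batch validation of meter-reading transactions modelled on the COBIT practices above.
Added example; all data, field names and thresholds are constructed assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import re

CONSUMER_ID_RE = re.compile(r"^[A-Z]{2}\d{6}$")  # assumed id format, e.g. HB000123
METER_MAX = 99999          # assumed 5-digit meter register; it rolls over past this
REASONABLE_FACTOR = 3      # consumption above 3x the historical average is flagged


@dataclass
class Txn:
    txn_id: int
    consumer_id: str
    prev_reading: int
    curr_reading: int
    avg_units: int           # historical monthly average, used for reasonableness
    entered_by: str
    authorised_by: str


@dataclass
class BatchResult:
    processed: list = field(default_factory=list)
    suspense: list = field(default_factory=list)     # (txn, [failed checks])
    audit_trail: list = field(default_factory=list)  # (timestamp, user, id, action, detail)
    out_of_balance: list = field(default_factory=list)
    posted_units: int = 0                            # control total of posted transactions


def units_consumed(t: Txn) -> int:
    """Logical-relationship rule: current >= previous unless the register rolled over."""
    if t.curr_reading >= t.prev_reading:
        return t.curr_reading - t.prev_reading
    return METER_MAX + 1 - t.prev_reading + t.curr_reading


def validate(t: Txn, expected_id: int, seen_consumers: set) -> list:
    """Run every check and return all failures; do not stop at the first error."""
    errors = []
    if t.txn_id != expected_id:                                   # sequence check
        errors.append(f"sequence: expected {expected_id}, got {t.txn_id}")
    if not CONSUMER_ID_RE.match(t.consumer_id):                   # validity check
        errors.append("validity: malformed consumer id")
    if t.consumer_id in seen_consumers:                           # duplicate check
        errors.append("duplicate: consumer already read in this batch")
    for name, val in (("prev_reading", t.prev_reading), ("curr_reading", t.curr_reading)):
        if not 0 <= val <= METER_MAX:                             # range check
            errors.append(f"range: {name} outside 0..{METER_MAX}")
    if t.entered_by == t.authorised_by:                           # segregation of duties
        errors.append("segregation: entered and authorised by the same user")
    if not errors:                                                # reasonableness check
        used = units_consumed(t)
        if t.avg_units and used > REASONABLE_FACTOR * t.avg_units:
            errors.append(f"reasonableness: {used} units exceeds {REASONABLE_FACTOR}x average")
    return errors


def process_batch(header: dict, txns: list) -> BatchResult:
    """Post valid transactions, divert the rest to suspense, then reconcile totals."""
    res = BatchResult()
    seen = set()
    expected = header["first_txn_id"]
    for t in txns:
        errs = validate(t, expected, seen)
        expected += 1
        seen.add(t.consumer_id)
        stamp = datetime.now(timezone.utc).isoformat()
        if errs:
            res.suspense.append((t, errs))
            res.audit_trail.append((stamp, t.entered_by, t.txn_id, "SUSPENSE", errs))
            continue
        res.processed.append(t)
        # before/after image of the sensitive field, for the business owner's review
        res.audit_trail.append((stamp, t.entered_by, t.txn_id, "POSTED",
                                {"before": t.prev_reading, "after": t.curr_reading}))
    # Reconcile what was received against the control totals in the batch header.
    if len(txns) != header["record_count"]:
        res.out_of_balance.append(f"record count {len(txns)} != header {header['record_count']}")
    hash_total = sum(t.curr_reading for t in txns)  # meaningless sum used only as a check value
    if hash_total != header["hash_total"]:
        res.out_of_balance.append(f"hash total {hash_total} != header {header['hash_total']}")
    res.posted_units = sum(units_consumed(t) for t in res.processed)
    return res


# Constructed sample batch: two clean readings, one duplicate entered and
# authorised by the same clerk, one out-of-sequence record with a malformed id.
SAMPLE_HEADER = {"first_txn_id": 1001, "record_count": 4, "hash_total": 63365}
SAMPLE_TXNS = [
    Txn(1001, "HB000123", 4200, 4350, 120, "clerk_a", "super_b"),
    Txn(1002, "HB000124", 99990, 15, 30, "clerk_a", "super_b"),   # register rollover
    Txn(1003, "HB000123", 4350, 9000, 120, "clerk_c", "clerk_c"),
    Txn(1005, "hb0125", 100, 50000, 100, "clerk_a", "super_b"),
]


def run_sample() -> BatchResult:
    """Run the constructed batch: posts 1001 and 1002, suspends 1003 and 1005, balances."""
    return process_batch(SAMPLE_HEADER, SAMPLE_TXNS)
```

Tampering with the header totals (or dropping a record) makes `out_of_balance` non-empty, which is the out-of-balance condition the reconciliation step is meant to surface.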
repudiation and allow for content integrity verification upon receipt by the
downstream application.
3. Analyse input received from other transaction processing applications to
determine authenticity of origin and the maintenance of the integrity of content
during transmission
In order to ensure that our review of the SDLC was complete and to formalise our
roles and practices, a master checklist was prepared by our team. The remarks column
in the checklist has been filled in by our team members based on their understanding
of the SDLC process in your Company and was further confirmed by the co-ordinator
appointed by you. The said checklist helped our team in getting a basic
understanding of the software development process carried out by the vendor and
served as a supplement in providing our recommendations.
We have reproduced the same below, for your quick reference:
Sl No. / Checkpoints / Remarks
1. Whether the information system software development policy and procedure are documented?
Remark: On the basis of the review of the software development policy documentation, it has been observed that the documentation is not updated on a regular basis.
2. Whether the software development policy and procedure were approved by the Management before kickstarting the project?
Remark: It is observed that the Management approval has not been taken for the policy and procedure.
3. Whether the policy and procedure cover the following:
Issue: Problems in the existing software and the need for replacement. Remark: Yes, but a lot of weightage must be given to the areas not covered in the initial software.
Issue: Functionality of new software. Remark: Yes.
Issue: Security needs. Remark: Proper policies and procedures must be framed.
Issue: Proposed roles & responsibilities. Remark: It is covered; however, it must be clearly defined.
Issue: Migration to new IS. Remark: Yes.
Issue: Post Implementation Review. Remark: Yes.
Issue: Maintenance arrangements. Remark: Need to be ensured.
Confirms compatibility with IT infrastructures. Remark: Yes.
Identifies bugs and errors and addresses them by analysing root causes.
8. Whether there is adequate documentation for:
Preserving test results for future reference. Remark: Yes.
Preparation of manuals like system manual, installation manual and user manual.
Obtaining user sign-off/acceptance.
9. Whether the implementation covers the following?
User training.
Acceptance training. Remark: Yes.
7. Documents reviewed
5. Support Documentation
This documentation includes training materials specific to the support staff; all user documentation, to be used as reference when handling problems; a troubleshooting guide; an escalation procedure for handling difficult problems; and a list of contact points within the maintenance team.
6. Security Rules/Regulations
Security policy statement, so as to give a fair view of the various rules, policies and procedures regarding the security measures taken by the company to safeguard its information assets.
8. References
b. COBIT 5
c. CAAT Tools as described in the institute material for the Information System Audit 2.0 Course
f. www.google.com
g. icisa.cag.gov.in
9. Deliverables
Summary of Testing
OFFICIAL SUMMARY: The DVDCL had implemented the Bharath Bill Pay software after a delay of 2 years from the pre-decided date, in order to ease the generation of bills and meter reading details and to give a better client interface to their current and prospective customers. Due to a lack of communication and misinterpretation of the requirements specified by the management, the software was not designed as per the needs of the company. There were continuous issues, as both software systems had to be run in parallel. This led to loss of time, additional manpower and costs. All such issues added up over a period of time and needed immediate attention. Therefore the company decided to get the software application audited and appointed our firm M/s ARS & Co to conduct a detailed review and testing of the software. At the request of the management to conduct the audit of their Software Application, our engagement team has successfully completed the audit procedures and we are submitting detailed findings of the same.
Findings
leave or on professional industrial visits, the approvals would remain pending, which also meant a lot of time being wasted.
of people in the organization, the data and information could have been
more secure.
g. Data backup plans were not appropriate: Even though policies were framed for periodically checking the backups of the data, the backup tests were not tried even occasionally, nor were any logs kept in support of such test checks. This was an extreme level of risk, since there was every chance of the data being lost had one of the storage servers been damaged.
h. Lack of disaster management policies: The chairman and the company management had not considered having a proper disaster management policy in case of any data theft or any data loss due to natural calamities. This could have led to an abrupt loss of business.
i. Software was not properly tested: Since the software was delivered after a delay of 2 years, the company implemented it directly without doing a thorough check. This led to a lot of errors generated by the software, which the company could not rectify.
10. Report to the Management
To,
The Chairperson,
DVDCL,
Hubli.
The primary objective of this Information Systems Audit assignment was to audit the software development process, to identify current areas of control weakness in the program ‘Bharath Bill Pay’ provided by Bharath Software Services Pvt. Ltd., and to provide recommendations to improve the customer process followed by DVDCL, which involves customer-facing connection, billing etc.
The audit conducted primarily covered our review of the Implementation and Post-implementation effectiveness of the Software implemented by DVDCL (“the Company”). This audit specifically included the testing of Bharath Bill Pay (Software) with regard to customer interface, customer billing and other customer related activities, and provides recommendations for improving the existing system or for implementing a new system if necessary. Our testing also covered finding out the reasons for the problems existing in the system and finding a possible solution to rectify them. However, our testing and audit did not cover hardware and other related components of the information system.
4. Project Overview and Source Code Listing
5. Support Documentation
6. Security Rules and Regulations
Approach/Methodology Followed:
The audit was carried out as per the pre-planned Audit Plan and programme, which was discussed with the senior management of DVDCL. We have used the internationally accepted standard for IS Audit, COBIT (Control Objectives for Information and Related Technology, issued by the Information Systems Audit and Control Association, USA), for this review. The key tasks of our audit plan are highlighted below:
Discussions with the IT Department and user management
Review of the circulars issued by DVDCL regarding the IT Related activities
Examination of processing controls
Review of Information Security Policies
Review of ‘Bharath Bill Pay’ and user manuals
Observation of users and the system in operation
Review of reports and audit logs in system software and the ‘Bharath Bill Pay’ Package
Audit Environment:
We conducted the IS Audit at the IT department of DVDCL in a simulated environment, using Windows 7 as the operating system on workstations connected to the servers. Our team, as discussed earlier, comprised Chartered Accountants having experience in the field of IS Audit.
Audit Reports:
We issued a draft report outlining our issues and recommendations and obtained
feedback from the IT Department. Further, a meeting was held with IT department
represented by Mr. AA, AGM (IT) and Mr. AB, AGM (Finance and Accounts) where
the issues and recommendations were discussed in detail. The IT Department has
been very proactive in incorporating our suggestions. The report incorporates all the
issues, which have been agreed and confirmed.
Overall Conclusions:
Based on our review, our overall recommendations on specific areas are:
a. Proper Decision making policy:
In DVDCL, since every major requirement approval or change approval is decided by the chairman, this leads to big delays as well as lower work output. There is no delegation or segregation of duties to the lower level managers/engineers to take any decision. Decisions take a very lengthy period, which has to be rectified by assigning some responsibilities and by giving authority to manager level personnel to take decisions. This will help in controlling the unnecessary delay of any event, which is the biggest problem at present. Only important policy level decisions must be taken by the top level management.
b. Training to Employees:
New software implies a new change in the company, and it has to be ensured that the software knowledge reaches all the required staff. All the employees who are required to work on the system must be properly and adequately trained, so that the employees will have knowledge about the modules available to them to work with and to facilitate correct usage of the system.
c. Password Policy:
The organization has to define a password policy for the employees, and it should be properly monitored. The employees must be made aware of the necessity of following it and of the importance of the password policy. The policy must be reviewed regularly and updated accordingly. This will help in fixing responsibility, and the employees can also be given access to only that data or information which they are required to know.
d. Proper BCP and DRP:
The DVDCL has to define a proper Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP), so that in case of any disaster the system will not be interrupted and smooth running will be carried on. The BCP and DRP should be reviewed at regular intervals and updated accordingly.
f. Proper Reporting:
The system must have a reporting mechanism for complaints raised by customers, and there should be a follow-up procedure for resolving them. A policy like 4+2 days should be implemented, and unresolved grievances must be recorded with the reason for not resolving them within the prescribed time, so that they can be verified by top level management.
(Sd/-)
CA. X
Partner, MRN: -----
11. Summary and Conclusion
The DVDCL had appointed our firm to conduct a detailed audit of their application software, since there were a lot of issues with the existing Bharath Bill Pay Software which in turn affected the customer relationship as well as the growth prospects of the company. There were many risks and control weaknesses in the process which could not be avoided with the existing software.
Though risks are a part of the growth process of any entity, it is always wise to keep them in check. The company must have the right policy, procedures and organization structure in place. Redundancy must be avoided as far as possible. Backup plans and risk mitigation strategies should be well documented, and all involved must be educated and trained in this process.
Based on the findings and observations arrived at through our audit procedure, recommendations have been provided to the DVDCL by our team to overcome the loopholes and discrepancies in the software, in order to improve their efficiency and effectiveness in their business process and meet their quality assurance standards.