Project of DISA 2.0 Course CIT of ICAI

IS Audit of ERP Software

1. Introduction
ABM Limited (ABM) is one of the leading Public Sector Undertakings, with multiple manufacturing divisions and regional offices spread all over India. ABM operates on three major business verticals for associated equipment manufacturing: Mining & Construction, Defence, and Rail & Metro. In addition to the above there are three Strategic Business Units (SBUs): the Technology Division for providing end-to-end engineering solutions, the Trading Division for dealing in non-company products and the International Business Division for export activities. ABM has eight manufacturing units spread over four locations. ABM is a recognized leader in the industry and an early adopter of technology to improve efficiency and competitiveness. In pursuit of its mission of improving competitiveness through organizational transformation and collaboration / strategic alliances / joint ventures in technology, ABM implemented ERP with effect from October 2010 across the company. As continuing evidence that Public Sector Entities are leveraging enterprise technology from the world's leading business software company, ABM has successfully implemented SAP ERP and went live in a quick time span of 12 months. In a first-of-its-kind project in the country, ABM consolidated its operations across multiple locations spread across India, with all units going live simultaneously.

Private and Confidential (for use by participants of DISA 2 Course) Page 1

1. Background
ABM Group has been using Information Technology as a key enabler for facilitating business process owners and enhancing services to its customers. The senior management of ABM has been very proactive in directing the management and deployment of Information Technology. Most of the mission-critical applications in the company have been computerized and networked. ABM selected SAP Business Suite to bring a more integrated and seamless approach to internal processes. SAP deployment in ABM posed unique challenges arising out of the need to integrate multiple units across different locations, involving extensive procedures and large volumes of data. The family of business applications provides better insight into enterprise-wide analysis based on real-time data and key performance indicators, improved quality and on-time delivery, reduction in inventory cost and enhanced customer service. This implementation has empowered ABM to seamlessly connect all its vendors, customers and partners to achieve improved business efficiency. SAP R/3 ECC 6.00 is deployed across all of ABM's financial, payroll and human capital functions. The modules implemented are PP, MM, FICO, Quality, PM and HR including Payroll. ABM has more than 500 SAP users across the company. By implementing SAP solutions ABM has achieved superior operational excellence and business agility.

2. Need for IS audit of SAP


ABM proposes to have a comprehensive audit of the Information Systems (ERP Audit) in the Company. While the Information Systems Audit to be done covers both the audit of the ERP system and a review of its implementation, the IS Audit is expected to be in compliance with the IS Auditing Standards, Guidelines and Procedures. The proposed IS Audit is further subject to the applicable Auditing Standards of ICAI. The IS Auditor is expected to have thorough knowledge of SAP ECC 6.00. The objective is to identify areas for improvement of controls by benchmarking against global best practices. Further, any specific risks identified are expected to be mitigated by implementing controls as deemed relevant, to ensure that the SAP implementation is secure and safe and to provide assurance to the senior management of ABM. Further, the IS Auditors are expected to develop an IS Audit checklist for future use.

3. Scope and terms of reference of the assignment
The primary objective of the assignment is to conduct an Information Systems Audit of the SAP implementation and develop related IS Audit checklists for future use, through external consultants, using globally recognized IS Audit standards and best practices. The IS audit of SAP would have the objective of providing comfort on the adequacy and appropriateness of controls and mitigating any operational risks, thus ensuring that the information systems implemented through SAP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking against the globally recognized best IT practices of the COBIT framework. The initial assignment could primarily focus on the identified areas of SAP implementation. The proposed scope of review and the terms of reference as laid down in the following paragraphs are given in the annexure. These terms of reference are based on the preliminary discussion the assignment team had with the ABM team and are subject to further modification as required. Broadly, the scope of review is primarily from a security/controls perspective and would involve:
A. Review of IT Resources as relevant
   a. Operating Software: Access controls
   b. Telecommunications Software: Access Controls
   c. RDBMS Database: Access Controls
   d. SAP - Major focus area: Configuration of Parameters and Access Controls
   e. Application controls at various stages such as Input, Processing, Output, Storage, Retrieval and Transmission, so as to ensure Confidentiality, Integrity and Availability of data.
B. Organization structure, policies, procedures and practices as mapped in the information systems.
C. Review of policies, procedures and practices as relevant to the areas of audit.

4. Specific areas of Audit


The IS Audit of the SAP deployment would be conducted at the IT department at the corporate office at Bangalore. The proposed phases and areas of audit are outlined below.
A. SECURITY AUDIT
OBJECTIVE: Assess vulnerabilities of the SAP implementation to attacks from within and outside and suggest appropriate counter-measures, so as to safeguard information against unauthorized use, disclosure or modification, damage or loss.
B. USER AUTHENTICATION AND AUTHORIZATION
OBJECTIVE: To review the processes relating to granting access to systems, verify the logical access controls and assess whether the specified roles and responsibilities are aligned with the business, facilitate effective direction and adequate control, so as to ensure that access to systems, data and programs is restricted to authorized users and that information is safeguarded against unauthorized use, disclosure or modification, damage or loss.
C. AUDIT TRAILS
OBJECTIVE: To assess that audit trails exist to facilitate the tracing of transaction processing and reconciliation of data, so as to ensure that adequate and appropriate audit trails/logs are developed and used within the company for effective monitoring of the mission-critical systems and processes.
D. CHANGE MANAGEMENT (PRODUCTION SYSTEM INTEGRITY)
OBJECTIVE: To assess and evaluate the management system relating to all changes requested and made to the existing production systems in respect of SAP applications, so as to minimize the likelihood of disruption, unauthorized alterations, and errors.
E. SYSTEMS MONITORING
OBJECTIVE: To evaluate data collection, analysis and reporting on resource performance, application sizing and workload demand, so as to ensure that adequate capacity is available and that the best and optimal use is made of it to meet the required performance needs of the business process owners.
F. BUSINESS PROCESS CONFIGURATION
OBJECTIVE: Assess the internal control framework in respect of the specified SAP application, review parameter settings and configuration management and suggest improvements, so as to ensure that data remains complete, accurate and valid during its input, update and storage.
The audit plan would cover the following activities:
1. Discussions with the identified personnel, as required:
   • Internal Audit, systems and implementation team
   • Business Process Owners, Users and user management
   • Review of Operating Systems (OS) documentation
   • Examination of OS access rights
   • Review of Oracle/SAP manuals
   • Examination of selected modules' access profiles
   • Observation of the users and the systems in operation
   • Review of access controls over computers as relevant
   • Review of parameter settings and configuration management process
   • Review of change management process
   • Examination of computerized processing controls incorporated within the selected modules.
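As an added example (not part of the project brief, and not ABM's or SAP's own material), the following Python script shows the kind of evidence-based check that sits behind the "Review of parameter settings" activity and the Password Policy item in the audit scope: it parses a dump of SAP login-related profile parameters and reports each value that falls outside an audit baseline, including parameters missing from the dump or holding non-numeric values. The parameter names are real SAP profile parameters (login/* and rdisp/gui_auto_logout); the "name = value" dump format, the sample values and the baseline thresholds are assumptions constructed for illustration. In a real engagement the baseline would be taken from the organisation's security policy and the vendor's security guide, and the dump from the Basis team.

```python
"""
Added example: compare SAP login-related profile parameters against an
audit baseline. Parameter names are real SAP profile parameters; the
dump format, sample values and baseline thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed sample dump (assumption): "name = value" lines such as an
# auditor might receive from the Basis team, one parameter per line.
SAMPLE_DUMP = """\
# constructed sample, not a real system
login/min_password_lng = 6
login/fails_to_user_lock = 5
login/password_expiration_time = 0
login/no_automatic_user_sapstar = 1
login/password_downwards_compatibility = 1
rdisp/gui_auto_logout = 0
"""


@dataclass(frozen=True)
class Rule:
    param: str                 # SAP profile parameter name
    expectation: str           # wording used in the finding
    ok: Callable[[int], bool]  # predicate over the numeric value


# Illustrative baseline (assumption, not from the brief): values a reviewer
# would typically expect on a production SAP application server.
BASELINE: List[Rule] = [
    Rule("login/min_password_lng", ">= 8", lambda v: v >= 8),
    Rule("login/fails_to_user_lock", "between 1 and 5", lambda v: 1 <= v <= 5),
    Rule("login/password_expiration_time", "> 0 and <= 90 days", lambda v: 0 < v <= 90),
    Rule("login/no_automatic_user_sapstar", "= 1 (SAP* not re-created automatically)", lambda v: v == 1),
    Rule("login/password_downwards_compatibility", "= 0 (no legacy password hashes)", lambda v: v == 0),
    Rule("rdisp/gui_auto_logout", "> 0 (idle GUI sessions time out)", lambda v: v > 0),
]

Finding = Tuple[str, str, str]  # (parameter, observed value, expectation)


def parse_dump(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and '#' comments are skipped."""
    params: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected 'name = value', got {raw!r}")
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def evaluate(params: Dict[str, str], baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Return one finding per baseline rule that is not satisfied.

    A parameter absent from the dump is reported too: the system would then
    run on the vendor default, which the auditor must confirm separately.
    """
    findings: List[Finding] = []
    for rule in baseline:
        raw = params.get(rule.param)
        if raw is None:
            findings.append((rule.param, "not set (vendor default applies)", rule.expectation))
            continue
        try:
            value = int(raw)
        except ValueError:
            findings.append((rule.param, f"non-numeric value {raw!r}", rule.expectation))
            continue
        if not rule.ok(value):
            findings.append((rule.param, raw, rule.expectation))
    return findings


if __name__ == "__main__":
    for param, observed, expected in evaluate(parse_dump(SAMPLE_DUMP)):
        print(f"FINDING {param}: observed {observed}; expected {expected}")
```

Running the script on the constructed dump produces four findings (minimum password length, password expiry, downwards-compatible password hashes and the GUI auto-logout), which is the working-paper evidence the checklist item "parameter settings" would attach; the same `evaluate` function can be rerun after remediation to close the findings.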

5. Expectations and deliverables from Information Systems Audit of SAP
Expectations from IS Audit
The expectations as outlined in the letter outlining the scope of the proposed Audit are given below:
• The findings of the IS Audit are expected to identify various risks and weaknesses in the controls in the ERP and its environment, and possible corrective action. It is expected that the various internal controls and procedures in force in the Company will be reviewed for incorporation in the ERP and recommendations made for strengthening the ERP controls. Also, the IS audit will identify the areas involving redundancy in internal audit checks for elimination, at the same time highlighting areas requiring risk-based internal audit checks in the ERP environment.
• It is expected that a checklist will be developed to enable the Company's Internal / Statutory / Govt. Audit to satisfy themselves of the internal controls and security incorporated into the ERP, to make the data tamper-proof and reliable. The Audit should cover the Operating System, Database Management, Server Capacity & suitability, Data Security, Disaster Recovery Plan, Access Control, Authorization Procedure & Control, Password Policy, Business Process, customization & configuration, integration with other Modules, data flow across the Modules, Audit Trail, Change Management issues etc.

6. Deliverables of project
1. Please prepare a questionnaire to understand the key objectives of the assignment, the nature of business operations, details of IT resources deployed (hardware, OS, database, application software) and details of the overall security and controls as implemented.
2. Please prepare a list of the documentation required for performing the assignment.
3. Please prepare a list of the infrastructure required and outline the strategy for execution of the assignment.
4. Please prepare a list of audit team members with the specific skill-set required for the assignment.
5. Please prepare a detailed methodology for execution of the assignment covering all phases of the audit.

7. Format of deliverables
Please use relevant standards, guidelines and best practices as relevant for the IS Audit of SAP, the specified technology deployed, the business processes of the organisation and the organisation structure. Please refer to the DISA background material and perform additional research as required. Please provide each of the above deliverables in standard format.