I E&u RC RCM Itgc

Download as xlsx, pdf, or txt
Download as xlsx, pdf, or txt
Download as xlsx, pdf, or txt
You are on page 1/ 36

ITGC Risk Control Matrix (RCM)

Columns of the matrix: Sr. No; Process; Sub-process; Risk Description; Control Reference; Control Objective; Control Description; Anti-Fraud (Yes/No); Operational/Financial; Test Type (Inquiry/Inspection/Observation/Re-performance); Period; Key/Non-Key; Control Frequency; Performer; Preventive/Detective; Automated/Manual; Test of Design Conclusion; Issue; Recommendation Summary.

Test period for all 34 controls: 01/04/2016 - 31/12/2016.

1. ITGC / IT Policies (Control Reference: IT-1)
Risk Description: If the IT security policies/procedures do not exist, or are not defined and documented by management, then it may result in inconsistency in the implementation of the policies/procedures, which may cause confidentiality, integrity and availability issues as well as legal, regulatory and compliance issues.
Control Objective: IT Security Policy & Procedures are defined and formally documented, reviewed periodically and communicated to all related parties.
Control Description: Company A should have developed information security policies/procedures to cover the following areas:
- Business information and data classification
- Information security incident management and problem management
- Acceptable use policy
- Third party management
- Network management and monitoring
- User Access Management
- Password Settings and Management
- Vulnerability and Patch Management
- System acquisition, development and maintenance policy
- Laptop encryption Policy
- Capacity management policy
- Antivirus and malware protection
- Physical and environmental security
- Change and release Management Process
These should be reviewed periodically and communicated to related parties.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Annual | Performer: Head IT | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

2. ITGC / IT Policies (Control Reference: IT-2)
Risk Description: If the employees are not aware of the security policy/procedures of the organization, then they may not follow them, resulting in an inconsistent process.
Control Objective: IT Security Policy & Procedures are stored in a common accessible location with easy access for employees.
Control Description: All information security policies/procedures should be easily accessible to employees for ready reference, for example:
- Password policy
- Malware protection policy
- Acceptable usage policy
- Email policy
- Internet policy
- Data classification policy
- Information security incident management policy
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Non-Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

3. ITGC / IT Security training (Control Reference: IT-3)
Risk Description: If the new/existing employees are not aware of the security policy/procedures of the organization, then it may impact the confidentiality, integrity and security of the organisation and its assets.
Control Objective: All employees and third party staff should be provided with adequate training on the information security aspects of the organization, including ethical conduct, system security practices, confidentiality standards and integrity standards.
Control Description: New employees and third party staff should be provided training on the information security aspects and IT policies/procedures of the organization during induction. Employees and third party staff are required to sign off and confirm that they have read and understood the policies and procedures. The IT policies and procedures are communicated to all employees at the time of joining. Refresher trainings are provided in case of any changes in the policies or procedures. Annual trainings should be provided to existing employees and third party staff.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: HR Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

4. ITGC / Third Party Management (Control Reference: IT-4)
Risk Description: If the service level management framework does not exist, then it may result in non-measurement of performance and in financial and business loss.
Control Objective: Service Level Management framework exists and is complied with.
Control Description: A formal Statement of Work (SOW) is included in the contract as a supporting document for service contracts, to define the work scope, schedule and service deliverables. The SOW is approved by management as part of the service contract, and SLAs are measured for compliance.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Monthly | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Fail | Issue: The SLAs are not monitored for ensuring compliance.
Recommendation Summary: There should be regular performance monitoring for ensuring compliance with SLAs.

5. ITGC / SOD Conflicts (Control Reference: IT-5)
Risk Description: If procedures do not exist for identifying, preventing and monitoring potential SoD conflicts, then it may result in poor internal controls, accounting fraud and misappropriation of company assets.
Control Objective: Segregation of Duties (SoD) matrix is defined, documented and approved by business management. Periodic review is performed using information extracted from systems.
Control Description: A Business and IT function SoD Conflict Matrix is defined, developed and mapped to applications to identify potential fraud conflicts in financial reporting. The SoD matrix is approved by business management and reviewed at least once a year.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Annual | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

6. ITGC / Change Management (Control Reference: IT-6)
Risk Description: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
Control Objective: Controls are in place to ensure that Change & Release Management Policy/procedures are in place, approved, reviewed on an annual basis and communicated to all relevant parties.
Control Description: The Change & Release management process is defined, documented and approved by management. Review is performed on an annual basis and the policy/procedure is communicated to all relevant parties.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Annual | Performer: IT Head | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

7. ITGC / Change Management (Control Reference: IT-7)
Risk Description: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
Control Objective: Controls are in place to ensure that all changes follow a documented Change & Release management process.
Control Description: All changes follow the Change & Release management process, relevant approvals are taken and all details are adequately documented.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Annual | Performer: Stakeholders / CEO / IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

8. ITGC / Change Management (Control Reference: IT-8)
Risk Description: Untested changes are made directly to the production environment.
Control Objective: Controls are in place to ensure that a physically separate testing and/or development environment is in place and all changes are tested in an environment that is physically separate from the production environment.
Control Description: Separate environments are established for development, testing and production activities. These environments operate on physically separated servers. For all changes, testing and UAT are performed in a separate development and quality assurance environment before migration to the production environment.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Non-Key | Control Frequency: Annual | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

9. ITGC / Change Management (Control Reference: IT-9)
Risk Description: Unauthorized changes are made in the production environment that do not follow the Change & Release management process.
Control Objective: Controls are in place to ensure that adequate segregation of duties is implemented in the Change & Release management process.
Control Description: For all changes, the change requestor and the change approver cannot be the same person.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

10. ITGC / Change Management (Control Reference: IT-10)
Risk Description: Unauthorized or untested changes are migrated to the production environment.
Control Objective: Controls are in place to ensure that developers do not have access to production data and systems.
Control Description: Developers do not have access to the production environment and are restricted from migrating program code to the production environment.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

11. ITGC / Patch Management (Control Reference: IT-11)
Risk Description: Unauthorized patches, or patches having adverse effects on systems/business processes, are installed.
Control Objective: Controls are in place to ensure that system software updates are evaluated and tested prior to implementation in the production environment.
Control Description: All OS patches should be evaluated and tested in a test or development environment prior to installation in production, to determine the system impact and result of new patches or software updates. Downtime should be requested from the application team prior to installation of patches in the production environment. Application and DB patch management should follow the normal Change Management Process.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Non-Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

12. ITGC / Information Security Incident Management (Control Reference: IT-12)
Risk Description: If incident/problem management procedures do not exist, then incidents/problems may not be resolved in a timely manner and information security weaknesses might go unnoticed.
Control Objective: Controls are in place to ensure that all production problems are recorded and tracked until their final resolution.
Control Description: An Incident and Problem management policy/procedure is in place. All incidents/problems are recorded in the Helpdesk tool and documented with information such as root cause analysis, actions taken, final solution, responsible staff, management review and impact to the Company's business. Incidents/problems are categorized depending on criticality or impact as defined in the Incident and Problem management policy/procedure. Escalation procedures are defined.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Monthly | Performer: IT Function | Preventive/Detective: Detective
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

13. ITGC / Job & Batch Scheduling (Control Reference: IT-13)
Risk Description: Application systems are not processed effectively. Backups may be wrong.
Control Objective: Controls are in place to ensure that an effective scheduling method is in place to support batch and online processes.
Control Description: The schedule runs once a week to fetch data from meters into the MDAS server on the Secure revenue management suite (web based app); daily data backup schedules.
Anti-Fraud: Yes | Operational/Financial: Financial
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Continuous | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

14. ITGC / Malware Protection (Control Reference: IT-14)
Risk Description: Systems are prone to compromise and hack attacks in the absence of an effective antivirus solution.
Control Objective: Controls are in place to ensure that all systems are secured by antivirus and are up to date with the latest virus definitions and updates.
Control Description: All systems are installed with the Symantec Endpoint antivirus solution and are updated with the latest virus definitions and updates.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Non-Key | Control Frequency: Continuous | Performer: IT Function | Preventive/Detective: Detective
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

15. ITGC / Backup & recovery (Control Reference: IT-15)
Risk Description: Backup copies of critical data are not available when required.
Control Objective: Controls are in place to ensure that backups are performed regularly and data recovery is tested and certified on a regular basis.
Control Description: Full backups on a daily and weekly basis for user data and MDAS are kept in the data center room. Applications like HRMS, SAP and Email (Gmail) are completely outsourced to third party vendors and hosted in the cloud / vendor's data center. Company A depends on the third party vendors for BCP/DR for those applications.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Daily | Performer: IT Function | Preventive/Detective: Corrective
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: There should be periodic restoration testing.

16. ITGC / Physical and Environment Security (Control Reference: IT-16)
Risk Description: Unauthorized changes are made in the production environment that do not follow the Physical Access & Environmental Controls process.
Control Objective: Controls are in place to ensure that Physical Access & Environmental Controls Policy/procedures are in place, approved, reviewed on an annual basis and communicated to all relevant parties.
Control Description: The Physical Access & Environmental Controls process is defined, documented and approved by management. Review is performed on an annual basis and the policy/procedure is communicated to all relevant parties.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection/Observation | Key/Non-Key: Key | Control Frequency: Annual | Performer: IT Head | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

17. ITGC / Physical and Environment Security (Control Reference: IT-17)
Risk Description: Unauthorized personnel gain access to information processing facilities.
Control Objective: Controls are in place to ensure that physical access to critical rooms is monitored on a continuous basis.
Control Description: All authorized employees entering the critical rooms are required to enter through a controlled entry point monitored by security guards and CCTV surveillance. Others (vendors and unauthorized employees) are required to be escorted by an authorized person, and temporary access is granted after management approval.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection/Observation | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Team / Facility management team | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

18. ITGC / Physical and Environment Security (Control Reference: IT-18)
Risk Description: Unauthorized personnel gain access to information processing facilities.
Control Objective: Controls are in place to ensure that all information processing servers and systems are locked in a secure rack or cabinet and only authorized personnel have access to the keys.
Control Description: All servers and systems should be securely locked in cabinets or racks, and only authorized personnel are allowed to open and access the systems. Prior approvals are taken from management for opening and accessing the systems.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection/Observation | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

19. ITGC / Physical and Environment Security (Control Reference: IT-19)
Risk Description: Critical information processing systems are not adequately protected from damage.
Control Objective: Controls are in place to ensure that critical rooms are equipped with adequate environmental controls and uninterrupted power supply.
Control Description: Data center equipment is kept cool in a well air-conditioned room with a stable temperature. Servers and other hardware are protected from power surges, and mechanisms are in place to mitigate and prevent electrical loss or temperature variances. Systems are protected from fire damage by a fire suppression system that may include (but not be limited to) sprinklers, Halon gas suppression units or fire extinguishers. Servers and other hardware are protected from water damage through the use of tarps, protected overhangs or other physical barriers preventing water from coming into contact with the servers and other hardware.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection/Observation | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Team / Facility management team | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

20. ITGC / Physical and Environment Security (Control Reference: IT-20)
Risk Description: Critical information processing systems are not adequately protected from damage.
Control Objective: Controls are in place to ensure that critical rooms having environmental control equipment are covered under an annual maintenance contract (AMC) and serviced regularly.
Control Description: Environmental control equipment like UPS, fire control/suppression systems, AC, etc., is monitored and checked regularly, and maintenance activities and testing are carried out on a quarterly basis.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection/Observation | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

21. ITGC / Access Management (Control Reference: IT-21)
Risk Description: If unique IDs are not maintained, it would lead to difficulty in fixing responsibilities.
Control Objective: Controls are in place to ensure that all application and system resource users are uniquely identified.
Control Description: The naming convention (firstname.lastname@companya.com) is applied wherever possible for system user ID creation, to assure that the ID is uniquely identified.
Anti-Fraud: No | Operational/Financial: Financial
Test Type: Inspection | Key/Non-Key: Non-Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

22. ITGC / Access Management (Control Reference: IT-22)
Risk Description: Controls are in place to ensure application and system resource users are appropriately authorized.
Control Objective: Controls are in place to ensure that application and system resource users are appropriately authorized.
Control Description: The logical access rights are reviewed, defined and authorized by the division controller (i.e. the data owner).
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function / Service Provider | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

23. ITGC / Access Management (Control Reference: IT-23)
Risk Description: Standard policies and procedures do not exist or are not followed to ensure that authorized access is granted to user accounts.
Control Objective: Controls are in place to ensure that creation of new user accounts follows a formalized procedure.
Control Description: On joining of a new user, HR sends a request to the IT team for creating the user account and allocating the system. If further application rights are required for the job, then the respective head sends the approval for providing the access.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function / HR Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

24. ITGC / Access Management (Control Reference: IT-24)
Risk Description: Standard policies and procedures do not exist or are not followed to ensure that user accounts of resigned/terminated employees are revoked immediately.
Control Objective: Controls are in place to ensure that removal of existing user accounts follows a formalized procedure.
Control Description: On exit, HR sends an email to the IT team for disabling/removing the access for the user. Based on the mail, the IT team disables/deletes the user access.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function / HR Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

25. ITGC / Access Management (Control Reference: IT-25)
Risk Description: A weak password management system might lead to chances of intrusion by outsiders.
Control Objective: Controls are in place to ensure that access authentication mechanisms (e.g. passwords) are effective.
Control Description: The access authentication mechanism is through Active Directory; all password rules are enforced through the domain, and applications should have access authentication as per the password policy.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

26. ITGC / Access Management (Control Reference: IT-26)
Risk Description: Lack of segregation of duties over requesting and granting access to the systems and data.
Control Objective: Controls are in place to ensure that only authorized personnel are able to create and modify system user accounts.
Control Description: Only authorized users can create and modify user accounts. All relevant approvals as mentioned in the User Account Management Procedure are taken prior to creation/modification of user accounts.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: We observed the population and noted that there is no privileged user created during the testing period. Hence, design effectiveness can't be tested. | Issue: (blank in source)
Recommendation Summary: (blank in source)

27. ITGC / Disaster Recovery / Business Continuity plan (Control Reference: IT-27)
Risk Description: Disaster Recovery Plan, Policies and Procedures do not exist, leading to disruption of the activities of the company (loss of data etc.).
Control Objective: Disaster recovery plan and business continuity plans are in place.
Control Description: The DR and BCP policies and procedures should be in place to help recover from disaster.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Non-Key | Control Frequency: Annual | Performer: IT Function / Maintenance Function / Administration function | Preventive/Detective: Corrective
Automated/Manual: Manual | Test of Design Conclusion: Fail | Issue: Company A currently has no Business Continuity Planning (BCP) / Disaster Recovery (DR) in place.
Recommendation Summary: To have a BCP/DR plan.

28. ITGC / Vendor access to network (Control Reference: IT-28)
Risk Description:
- Endangers network vulnerability and data security
- Window for potential fraud and malpractices
Control Objective: Vendor access to the company's network for diagnostic and/or maintenance activities is properly restricted.
Control Description: Company A has outsourced its IT functions to Xenolith, IBM & Cronos to assist in the day to day IT functions (IT Infrastructure & SAP). The access of these service providers should be limited through Non-disclosure Agreements (NDAs) and confidentiality agreements.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Non-Key | Control Frequency: Annual | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

29. ITGC / Procurement of IT assets (Control Reference: IT-29)
Risk Description:
- Uncontrolled purchases leading to unwarranted expenditure
- Unauthorized purchase of IT assets opening potential fraud and malpractice avenues
Control Objective: All purchases of IT assets are made centrally and with adequate approval.
Control Description: A note sheet is prepared seeking approvals for any IT asset purchase. Thereafter, the Purchase Requisition (PR) for all IT assets is created by the IT function and approved by the Head IT. Any new laptop/desktop purchased is issued to the user only after it has been appropriately configured by IT.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

30. ITGC / New Programs or Services (Control Reference: IT-30)
Risk Description:
- Unauthorized implementation of new programs
- Unwarranted outflow of funds
Control Objective: New programs or services are approved prior to implementation.
Control Description: For installation/implementation of any new program, a relevant business case is prepared after detailed debates and discussions with each stakeholder involved, and documented through a Change Request Form (CRF). Once the stakeholders approve the business case, a work-based requisition (WBR) is created for the project. The WBR is approved by the CEO.
Anti-Fraud: No | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Manual | Test of Design Conclusion: Cannot test the design effectiveness, since there is no population during FY 16-17. | Issue: NA
Recommendation Summary: NA

31. ITGC / Hardware Monitoring (Control Reference: IT-31)
Risk Description:
- Loss/damage/theft of hardware components
- Unwarranted outflow of funds
Control Objective: The company's policies and procedures provide for hardware monitoring.
Control Description: The IT function maintains the IT Asset Inventory in an Excel workbook. Physical verification of all hardware is performed by IBM. Wall-to-wall reconciliation of IT assets is performed quarterly for all locations. The verification report is compiled in an Excel spreadsheet and shared with the IT Head.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Quarterly | Performer: IT Function | Preventive/Detective: Detective
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

32. ITGC / Web filtering (Control Reference: IT-32)
Risk Description:
- Free access to websites containing malicious viruses
- Endangers network vulnerability and data security
- Window for potential fraud and malpractices
Control Objective: The company utilizes web filtering to prevent employees from visiting dangerous websites.
Control Description: The company is using Cyberoam firewall traffic monitoring, restricting access to potentially dangerous websites which may expose the organisation's network to threats.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Continuous | Performer: IT Function | Preventive/Detective: Preventive
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

33. ITGC / Vulnerability Assessments (Control Reference: IT-33)
Risk Description:
- Existence of unidentified vulnerabilities in the system
- Network exposure to malicious programs
Control Objective: The company obtains periodic network vulnerability assessments.
Control Description: The company should have a periodic vulnerability assessment to help identify vulnerabilities in a timely manner.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Yearly | Performer: IT Function | Preventive/Detective: Detective
Automated/Manual: Automated | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA

34. ITGC / Independent IT Audit (Control Reference: IT-34)
Risk Description:
- Risks in the IT framework and infrastructure remaining undetected
- Management not updated on IT issues in a timely manner
- Stakeholder dissatisfaction
Control Objective: Independent reviews of IT related areas are performed regularly.
Control Description: There should be a periodic independent review of IT related areas to highlight deviations in a timely manner and help in process improvement.
Anti-Fraud: Yes | Operational/Financial: Operational
Test Type: Inquiry/Inspection | Key/Non-Key: Key | Control Frequency: Ad-hoc | Performer: Statutory & Internal Auditors | Preventive/Detective: Detective
Automated/Manual: Manual | Test of Design Conclusion: Pass | Issue: NA
Recommendation Summary: NA