
Project Report

Of
DISA 2.0 Course
(Evaluation of software development)

Group No. 10
Batch No. FAR1904051

Members:-

• PAVAN VERMA, ACA
• PRADEEP GARG, ACA
• Aditya Gupta, ACA

Table of Contents

Details of Case Study/Project(Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Documents reviewed
8. Methodology and Strategy adapted for execution of assignment
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
To,
The Board of Directors
ENTERPRISES LTD
Faridabad

Sub.: Submission of report on Evaluation of software development

In terms of our engagement letter dated May 05, 2019, PPA & Co. have carried out an independent audit
of ENTERPRISES LTD with a view to reviewing the security and control of an enterprise engaged in the business
of supply & distribution of power and to formulating a policy for Security and Control of Operations of
ENTERPRISES LTD. This assignment was focused primarily on preparing a security control matrix and
drafting a policy with sample procedures for implementing the SECURITY POLICY.
The information contained herein and our report is confidential. It is intended only for the sole use and
information of the Company, and only in connection with the purpose for which assessment has been
done. It is to be noted that any reproduction, copying or otherwise quoting of this report or any part
thereof, can be done only with our prior permission in writing.
In the following report, we have summarized the audit observations together with recommendations in
order to address the control weaknesses and associated risks.

Yours faithfully,
For PPA & Co.
Chartered Accountants

CA ADITYA GUPTA
Partner
Place: Faridabad
Date: 29/05/2019
A. Project Report (Case Study)

Title: EVALUATION OF SOFTWARE DEVELOPMENT

A. Details of Case Study/Project (Problem)

In Enterprises, change in the customer support process was undertaken by using newer technology. Two
main areas of concern have been found as detailed below:

1. DATA INTEGRITY

2. IMPLEMENTATION

1. DATA INTEGRITY
A. Issue
B. Control
C. Control Risks

2. IMPLEMENTATION

A. Improper feasibility
B. Improper testing

A summary of the key findings is as follows:


Improper feasibility study:- During the audit it was observed that a proper feasibility study was not
conducted for the software to be developed, resulting in non-achievement of the planned efficiency and causing
delays. No analysis of the existing system was done, and the functional specifications required were not duly
understood; e.g. the newly developed software was not able to cater to business category consumers, who were
earlier being served by the erstwhile legacy system. Further, it was observed that the one-year
programme was planned on an ad hoc basis and no formal service level agreement was signed with the
vendor specifying the terms and conditions, including the timelines within which the project was to be delivered.

Improper functional testing:- During the audit it was noticed that no structured approach was followed
while testing the software developed. The following categories of tests on the new program were not
performed, which resulted in incomplete functionality of the delivered application and undetected errors:-
• Functional test:- to check whether the software does what it is supposed to do.
• Performance test:- to verify whether the expected performance criteria of the software have been
achieved.
• Stress test:- to determine the stability and limitations of the software.
• Structural test:- to examine the internal processing logic of the software.

Further, the test results were not documented properly, and modifications made on the basis of test
results were not properly authorized and documented.
User Acceptance Testing:- The audit observed that users were not involved throughout the different stages of the
project, e.g. planning, development, testing, training etc. The enterprise staff/users were not convinced of
the new system’s adequacy, particularly because the legacy system provided specific functionalities to the
business users that were not considered in the initial programme planning and had to be developed in
parallel. Ultimately, there were many quality issues in servicing end customers.

Unstructured approach/monitoring of project:- The audit found that an unstructured approach was
followed by the IT department entrusted with the responsibility of getting the software developed. Project
controlling techniques & tools like Programme Evaluation and Review Technique (PERT), Critical Path Method
(CPM), Gantt charts etc. were not being used. The project was completed with delays and budget overruns.
A Business Benefit Realisation process did not exist for the project.

Information security problems:- Inadequate security in application development was noticed, e.g.

a) Insecure System Configuration:- The results of the vulnerability scans also indicated that
several servers contained insecure configurations that could allow hackers or unprivileged users
to insert code that would result in privilege escalation. The escalated privileges could grant the
hackers unauthorized access to sensitive and proprietary information.

b) Password History Configuration:- The company has implemented a corporate password policy that
is applicable to all information systems on the network. However, we performed automated
configuration compliance scans that indicated that several systems did not limit the time between
password changes. This configuration would allow users to circumvent the company's password history
requirement by changing their password multiple times within a short time period and then reusing
their initial password.
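As an added illustration of finding (b), not part of the report, the following Python evaluates constructed per-system password settings the way an automated configuration compliance scan would: it reports the earliest day on which an original password could be reused and flags systems with no minimum password age, where the history requirement can be defeated by back-to-back changes. The host names and the corporate baseline values are assumptions.

```python
"""Password-history bypass check: added example, not from the report.

The report's finding is that systems enforce a password history but do
not limit the time between password changes. Without a minimum password
age a user can perform history_length + 1 changes in a row and land back
on the original password, so the history control is ineffective. This
script evaluates constructed per-system settings the way an automated
configuration compliance scan would.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PasswordPolicy:
    host: str              # constructed system name
    history_length: int    # number of previous passwords remembered
    min_age_days: int      # minimum days between user-initiated changes
    max_age_days: int      # maximum password lifetime in days


# Corporate baseline assumed for this example (the report gives no values).
BASELINE_HISTORY = 12
BASELINE_MIN_AGE_DAYS = 1

# Constructed scan results for three hypothetical systems.
SAMPLE_SCAN = [
    PasswordPolicy("billing-app-01", history_length=12, min_age_days=0, max_age_days=90),
    PasswordPolicy("billing-db-01", history_length=12, min_age_days=1, max_age_days=90),
    PasswordPolicy("crm-web-02", history_length=5, min_age_days=0, max_age_days=180),
]


def days_until_reuse(policy: PasswordPolicy) -> int:
    """Earliest day on which the original password can be set again.

    The user must change the password history_length times to push the
    original out of the remembered list, and each change is gated by the
    minimum age; with min_age_days == 0 the answer is day 0 (immediate).
    """
    return policy.history_length * policy.min_age_days


def evaluate(policy: PasswordPolicy) -> List[str]:
    """Return the findings for one system; an empty list means compliant."""
    findings = []
    if policy.history_length < BASELINE_HISTORY:
        findings.append(
            f"password history {policy.history_length} is below baseline {BASELINE_HISTORY}")
    if policy.min_age_days < BASELINE_MIN_AGE_DAYS:
        findings.append(
            "no minimum password age: history of %d can be bypassed by %d "
            "immediate changes (reuse possible on day %d)"
            % (policy.history_length, policy.history_length + 1, days_until_reuse(policy)))
    return findings


def scan(policies: List[PasswordPolicy]) -> Dict[str, List[str]]:
    """Map each non-compliant host to its findings, like a compliance report."""
    report = {}
    for policy in policies:
        findings = evaluate(policy)
        if findings:
            report[policy.host] = findings
    return report


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_SCAN).items():
        for finding in findings:
            print(f"{host}: {finding}")
```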

c) User-based roles:- The “need to know and need to do” concept was not followed, as is evident from
the fact that every user of the application has access to critical customer information. Further, no
control exists to track users' actions.

d) Formal Access Security Policy and Procedures: An ENTERPRISES security policy had been
developed in draft form at the time of the audit; however, the policy was not in the process of
being approved by management or distributed to key stakeholders. Formal ENTERPRISES
security policies and procedures will help to ensure that ENTERPRISES access is granted
consistently throughout the enterprise and that all responsibilities for granting access are clearly
defined and assigned to the appropriate individuals. Management has reported having taken
action on security policy and procedures.

In conclusion, to run a change in the customer process efficiently and effectively, a proper feasibility study
needs to be conducted specifying the requirements correctly, the different stages of the project development life
cycle need to be executed & monitored, & the necessary security needs to be implemented in order to have
uninterrupted services. A number of recommendations have been made to fix the situation in these areas.
Management has reported that corrective actions have either been taken or are under process.
B. Project Report (Solution)

1. INTRODUCTION: Enterprises Pvt Ltd. (Anonymous name)


Enterprises is a Government-owned power enterprise engaged in the business of supply & distribution of
power. Management set up their objectives (assumed) for the year 2017 as:-

• Accurate & timely billing
• Comprehensive billing basis reflecting actual consumption
• Convenient systems of payment
• Fair, equitable and cost-based tariffs across consumer categories
• Guaranteed connections within a reasonable time
• Prompt breakdown attendance
• Efficient complaint handling & effective consumer grievance redressal system
• Growth of business organically and satisfied stakeholders through diversification
• Adherence to the guidelines issued by regulators
• Sustained growth and profits

In order to achieve these objectives, the Board of Directors of the company decided to:-


a) Re-define the customer process (customer-facing connection, billing, etc.)
b) Renew the underlying information systems.

For this purpose, a one-year IT programme was planned. However, certain challenges were faced,
e.g.

a) First programme results were delivered with a two-year delay
b) Quality issues
c) Lack of interoperability with other enterprise systems (connection of new customers,
measurement of client’s energy consumption, etc.)
d) Budget overruns
e) The enterprise staff was not convinced of the new system’s adequacy, particularly because the
legacy system provided specific functionalities to the business users that were not considered in
the initial programme planning and had to be developed in parallel.

An external service provider named ENTERPRISES LTD., Chartered Accountants (Anonymous name)
was hired to support the change of customer processes and the underlying technology, which was new for
the enterprise. ENTERPRISES LTD. specializes in Information Systems
Assurance/Audit/Implementation, training and consulting, including Management consultancy services.
ENTERPRISES LTD. is led by Mr. Purushottam Das, who is a Chartered Accountant and has a diploma in
Information Systems Audit of ICAI. The firm has qualified (4) and trained IS audit personnel (11). The firm
also has on its panel Technology\Domain experts available, as required. ENTERPRISES LTD. has been
involved in providing Information Systems Assurance for both the public and private sector in India and
abroad. Their clientele includes IT Companies, Banks and public/private sector companies.
2. AUDITEE ENVIRONMENT
Enterprises is a Government-owned power enterprise engaged in the business of supply & distribution of
power to all categories of consumers, e.g. domestic, business, commercial and government, at large, and a huge
customer interface was involved.

Currently, the company was working through a legacy IT system. Most of the mission-critical applications in the
company have been computerized and networked. In order to improve further on customer services, the BOD
decided to redefine the processes, e.g. customer-facing connection, billing, etc., by deploying IT assets under a
one-year programme. Also, the existing underlying information systems were to be renewed. To
implement this, functional specifications were created along with other specifications, and in-house
arrangements were made for the work to be carried out by the company-owned IT department.

The IT department of ENTERPRISES has issued Information Systems Controls (policies, procedures,
practices and organization structure) as envisaged by the management for ensuring uniformity and
standardization in the implementation of IT solutions across the company. The internal audit team of the
company has been well trained in IT and has gained extensive experience in auditing all IT applications.
The following assumptions are taken for specific internal policies and procedures such as the information security
policy:

1. The ENTERPRISES LTD. security policy had been developed in draft form at the time of the audit; however,
the policy was not in the process of being approved by management or distributed to key
stakeholders. Management has reported having taken action on security policy and procedures.
2. There is no policy for the assignment of duties and responsibilities by senior management for information,
its processing and its use.
3. This was the first audit of SMS of this kind.
4. There are policies and procedures to ensure that information systems, programs and configuration
changes have gone through the change management process adequately. However, adherence to
these was not evidenced through the requisite documentation.
5. There is no policy for training of personnel involved in system acquisition and configuration
activities.
6. User acceptance testing was not conducted, nor were feedback sessions held in order to seek
feedback on the system changes.
7. There is no policy established by senior management providing an appropriate segregation of
incompatible functions:
    • Basis administration
    • Transport/import
    • Develop program change
    • Develop role change
    • User security administration
    • Change monitoring
    • User testing
    • Authorize change
    • Perform change

8. Backup policies have been made but they are not tested on a regular basis.
9. No password policy has been set up by the organization.
10. There is no policy or procedure for checking the router log file used to identify unauthorized
access at remote locations.
3. BACKGROUND
(Need for Evaluation of Software Development)

• The IT assets delivered by the scheduled programme need to be corrected/amended to meet the
full functionality.

• Compliance with necessary approvals/authorizations was violated. Functional specifications were
created, but developers deviated from those without appropriate approval.

• The change management process as prescribed in policies was not followed for upgradation of
software.

• User acceptance testing was neither conducted nor was feedback obtained.

• Delays in deliveries due to additional work and inefficiencies in service development.

• Exceeding costs on IT and on the provider’s services.

• Lower service quality to the customers, e.g. from incomplete information for customer service and
support staff.

• Underperformance of the project, e.g. a delay of 200% and a 100% overrun of budgets.

• The management’s concerns regarding this project & its impact on company reputation.

• Stakeholders’ interest.

All of these situations directly affect the business drivers. Business drivers can be defined as the attributes
of a business function (service delivery) that arise out of strategic objectives, to enhance the targets and goals
of the business function and thereby achieve the strategic business goals. Therefore, the situation described above gave
rise to the need for an independent evaluation of the software development process adopted by the company, in order
to identify current areas of control weakness and provide recommendations for improvement.

Understanding the need

Based on the discussion held with the IT team headed by Mr. Narender Singh at the ENTERPRISES LTD.
premises at New Delhi on 21st May 2019, the scope has been proposed and defined. This proposal
outlines the overall strategy and methodology for this assignment.
4. SITUATION
Details of the existing scenario and current situation which gave rise to the need for the assignment:

Management decided to meet its objectives through IT implementation, especially to:

1. Re-define the customer process (customer-facing connection, billing, etc.)
2. Renew the underlying information systems

However, they were facing the following challenges:-

a) First programme results were delivered with a two-year delay
b) Quality issues
c) Lack of interoperability with other enterprise systems (connection of new customers, measurement of
client’s energy consumption, etc.)
d) Budget overruns
e) The enterprise staff was not convinced of the new system’s adequacy, particularly because the legacy
system provided specific functionalities to the business users that were not considered in the initial
programme planning and had to be developed in parallel.

ENTERPRISES LTD. should have conducted/tested all the project changes in a test environment before
going live, and the necessary assurance should have been obtained externally/internally to ensure
that the system was working perfectly, that the targeted efficiencies as envisaged had been achieved, and to ensure
100% management control over the system in helping to achieve the set objectives.

Control weaknesses as observed:-

a) Poor project planning, e.g. no milestones of the project were set and the envisaged cost was not
determined correctly
b) Delays in deliveries
c) Change management process was not followed
d) User acceptance testing/feedback not conducted
e) Changes not tested before putting them in the live environment
f) No structured approach was followed by the IT department entrusted with the responsibility of
software development
g) Non-adherence to existing information security policies
h) Inadequate IS policies and procedures
i) Functional specifications were not designed fully to cater to all categories of consumers
j) Necessary authorizations and approval process were not followed at the time of planning for
required changes
5. TERMS AND SCOPE OF ASSIGNMENT
The primary objective of the assignment is to conduct an evaluation of the software development project by using
the latest and globally recognised standard, COBIT 5 best practices, as issued by the Information Systems
Audit and Control Association, USA.

The review of software development would be with the objective of providing comfort on the efficiency,
adequacy and appropriateness of the application so as to mitigate the system operational risks and ensure
that the information systems are implemented as designed, in order to provide a workable, safe and secure
computing environment.

Based on our understanding of ENTERPRISES LTD.'s needs for conducting assurance on software
development, it was decided to focus primarily on the review of the various stages of development of the application.
We propose the scope of review and the terms of reference as laid down in the following paragraphs. The
envisaged terms of reference are based on the personal discussions held by key members of the
assignment team with the IT team of ENTERPRISES LTD. and selected critical users from 21st Aug 2017 to
25th Aug 2017. The detailed scope of review and methodology followed are given in the annexure. The
methodology would be further enhanced and refined as the audit progresses, based on the specific needs of
the audit environment. Broadly, the scope of review would primarily involve:

A. Review of IT Resources as relevant

1. Feasibility study document covering requirement definitions, System analysis

2. RFP document covering system design, development and programming and testing

3. UAT, implementation, support and operations

4. Application controls at various stages such as Input, Processing, Output, Storage, Retrieval and
transmission so as to ensure Confidentiality, Integrity and Availability of data.

B. Organisation structure, policies, procedures and practices as mapped in the information
systems.

C. Review of policies, procedures and practices as relevant to areas of audit.


6. LOGISTIC ARRANGEMENTS REQUIRED
It will be necessary for Enterprises to appoint one coordinator who will be part of the discussion on the
work plan initially and continue to work with the PPA team till the assignment is complete. Enterprises will
make available the necessary software resources, user interfaces and support facilities necessary for
completing the assignment within the agreed timeframe. The conduct of the assignment should be
adequately communicated to the required personnel so as to facilitate extensive co-operation from the
respective personnel.

DOCUMENTATION REQUIRED

1. RFP (Request for proposal) document

2. Feasibility study document

3. UAT document

4. User/Training Manuals and Technical Manuals relating to System Software

5. Organisation chart outlining the organisation hierarchy and job responsibilities

6. Access to circulars\guidelines issued to employees.

7. Any other documentation as identified by us as required for the assignment.

INFRASTRUCTURE REQUIRED

1. Adequate seating and storage space for audit team

2. Facility for Wi-Fi should be available

3. Three Nodes with Read only access to software

4. Access to a laser printer for printing reports as required

5. One laptop with Windows 8/Microsoft Office 2013.

6. Facilities for discussions amongst our team and your designated staff.

TOOLS/TECHNIQUES USED:

1. CAAT

2. Prototyping model in order to assess the correct requirements of operations to cater business
needs

3. Review of coding practices to ensure that these are standardized one to mitigate risk of
compromising with quality

4. Testing data on technical vulnerabilities


7. DOCUMENTS REVIEWED
• All circulars\guidelines issued to employees.

• User manuals and documentation relating to the new software developed and implemented by
ENTERPRISES LTD.

• Audit trails

• Area to be audited and its environment

8. METHODOLOGY AND STRATEGY

Audit Approach
A. Our approach to the assignment would be as follows:

1. We propose to deploy a core team of 3 to 5 IS audit personnel for this assignment in batches of 2 to
3 as per the skill sets required, under the personal direction and liaison of the Principal, Mr. Gupta.

2. ENTERPRISES LTD. should designate a person at a senior level to coordinate with us.
ENTERPRISES LTD. should also depute one person each from the systems and audit groups to form
part of the audit team.

3. Detailed systematic audit procedures would be finalized after completing a review of the documentation
and discussion with the systems staff and the users.

In tune with the terms and scope of reference of the assignment, we will adapt the methodology from COBIT®
“Build, Acquire and Implement” (BAI processes); the Management Guidelines of the relevant IT processes shall
be selected for this assignment after obtaining an understanding of the organisation structure, Information
Technology deployment and available documented policies and procedures.

Structured Methodology
The above-mentioned objectives shall be achieved through the following structured methodology:

• Identification and documentation of Organisation Structure and Information Architecture

• Obtain an understanding of IT Resources deployment at ENTERPRISES LTD.

• Identification and documentation of existing IT policies, procedures and practices relevant to
software development and implementation

• Review of the Feasibility/RFP/UAT/User manual documents

• Identification and documentation of IT-related Circulars issued by ENTERPRISES LTD.

• Application of COBIT® for formulating IT best practices for the policies and procedures of
ENTERPRISES LTD.

• Formulation of a draft report on our findings covering our review and benchmarking.

• Presentation of the final report with an agreed action plan based on feedback of the IT management of
ENTERPRISES LTD.

ENTERPRISES LTD. shall make available all the required resources on time and provide one coordinator
for interaction and clarifications as required.

Audit plan:- The audit plan would cover the following activities:
• Discussions with the
    • Top management
    • Systems\Implementation Team
    • Users and user management
• Examination of the different cycles of software development
• Observation of the users and the systems in operation
• Observing internal weaknesses throughout the SDLC
• Recommendations with an agreed action plan to overcome the challenges
• Review of Feasibility study/RFP/UAT documents
• Review of Operating Systems (OS) documentation
• Review of application software manuals
• Post-implementation assurance of effective operations

Audit Program\procedures
Our audit team would perform the following tasks based on the audit methodologies and include the
following programs\procedures:

• Undertake an in-depth study and analysis of all aspects of the software application as implemented at
ENTERPRISES LTD. We will take steps to identify the way in which the system currently
operates. In doing so, the following objectives would be kept in mind while setting the overall
goals:
    • Accurate and complete processing of data
    • Error messages in case of incomplete/aborted processing of data
    • Optimised data handling and storage
    • Better management of information

• Review the in-built controls & weaknesses in internal control at different phases of software
development

• Review the testing phase and user acceptance testing in the testing environment

• Review the procedures established for back-up and recovery of files.

• Review controls established for the development, documentation and amendment of programs so
as to ensure that they go live as intended.

• Summarize the key findings, recommendations, agreed corrective action and assurance

• Review the legacy software in operation; understand how it was catering to the various consumer
categories & the needs for improvement.

• Review how each phase of the new application software development has been tested, including the
documentation prepared in respect of each.

• Review the methods employed for implementation of the system, including post-implementation
review procedures undertaken to ensure that the objectives set out were actually achieved.

• Understand the business processes and review how these have been mapped in the information
systems with a top-down approach.

Assignment Team

Our approach to selecting the right people for a project is to bring together the necessary skills and
experience for a particular assignment from the rich mix of skills and experience available. The
assignment would be executed under the personal supervision and leadership of Mr. Gupta. The team would be
a blend of professionals with extensive experience in management, Information Technology and Auditing.
The team includes Chartered Accountants, IT Professionals, Management Consultants and
Certified Information System Auditors.
The senior members of the team are:
1. Mr. Pavan Verma
2. Mr. Pradeep Garg
3. Mr. Aditya Gupta

The above team is headed by CA Aditya Gupta.

9. REFERENCES
a) Regulatory requirements relating to fraud as per Indian legislation:

• Clause 49 of the Listing Agreement

• CARO 2003

• Information Technology (Amendment) Act 2008

b) Other standards required for the audit:

• Standard on Auditing (SA) 505 “External Confirmations”

• Standard on Internal Audit (SIA) 11

• Standard on Auditing (SA) 580 “Written Representations”

• Standard on Internal Audit (SIA) 2

• Standards on Auditing: SA 240 & SA 315

• COBIT 5

• COSO

c) Fraud investigation tools and techniques:

• Data analysis technologies using Computer Assisted Audit Techniques (CAAT) are the most
effective tools and techniques to combat fraud.

• Some useful CAATs used for audit:

1. Stratification: To identify abnormal strata.

2. Classification: To identify abnormal patterns.

3. Summarisation: To compute control totals and identify and analyse variances.

4. Duplicate Test: To identify duplicate records.

5. Relation: To relate records from different tables.

6. Compare: To compare records and identify differences.

7. Outliers: To identify outlying transactions which are outside the normal range.

8. Benford's Law: To identify possible fraud areas.

9. Trend Analysis: To analyse trends by reviewing patterns which vary from normal.

10. Gap Test: To identify gaps in a sequence.
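As an added worked example (not from the report), three of the CAATs listed above, the Duplicate Test, the Gap Test and Benford's Law, are implemented in Python and run over a small constructed set of billing records with two planted anomalies; the invoice numbers, consumer ids and amounts are all constructed.

```python
"""Three of the CAATs listed above (Duplicate Test, Gap Test, Benford's Law)
run over constructed billing data. Added example, not from the report.

Each record is (invoice_no, consumer_id, amount). Invoice numbers should
form a gapless sequence and one consumer should not be billed the same
amount twice in a period. Benford's Law only becomes meaningful on
hundreds of records, so the small sample here only demonstrates the
mechanics of the test.
"""
import math
from collections import Counter
from typing import Dict, List, Tuple

Record = Tuple[int, str, float]

# Constructed sample with two planted anomalies.
INVOICES: List[Record] = [
    (1001, "C-17", 1250.00),
    (1002, "C-18", 184.50),
    (1003, "C-19", 3120.75),
    (1004, "C-17", 1250.00),   # same consumer and amount as 1001: possible double billing
    (1006, "C-21", 95.20),     # 1005 is missing from the sequence
    (1007, "C-22", 2700.00),
    (1008, "C-23", 410.00),
    (1009, "C-24", 1890.30),
    (1010, "C-25", 760.00),
    (1012, "C-26", 1120.00),   # 1011 is missing from the sequence
]


def duplicate_test(records: List[Record]) -> Dict[Tuple[str, float], List[Record]]:
    """Group records by (consumer, amount) and keep only groups with more than one record."""
    groups: Dict[Tuple[str, float], List[Record]] = {}
    for rec in records:
        groups.setdefault((rec[1], rec[2]), []).append(rec)
    return {key: recs for key, recs in groups.items() if len(recs) > 1}


def gap_test(records: List[Record]) -> List[int]:
    """Return invoice numbers absent between the lowest and highest number seen."""
    numbers = sorted(rec[0] for rec in records)
    present = set(numbers)
    return [n for n in range(numbers[0], numbers[-1] + 1) if n not in present]


def leading_digit(amount: float) -> int:
    """First significant digit of a non-zero amount, read off scientific notation."""
    return int(f"{abs(amount):e}"[0])


def benford_first_digit(records: List[Record]) -> Dict[int, Tuple[float, float]]:
    """Observed vs expected (Benford) share of each leading digit 1..9."""
    counts = Counter(leading_digit(rec[2]) for rec in records if rec[2] != 0)
    total = sum(counts.values())
    return {d: (counts[d] / total, math.log10(1 + 1 / d)) for d in range(1, 10)}


def benford_flags(records: List[Record], tolerance: float = 0.15) -> List[int]:
    """Digits whose observed share deviates from Benford's expectation by more than tolerance."""
    return [d for d, (obs, exp) in benford_first_digit(records).items()
            if abs(obs - exp) > tolerance]


if __name__ == "__main__":
    print("duplicates:", duplicate_test(INVOICES))
    print("gaps:", gap_test(INVOICES))
    print("benford flags:", benford_flags(INVOICES))
```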

10. DELIVERABLES
1. Draft Report including an executive summary of the results of the review, along with the
findings and recommendations, with a risk analysis of the findings.

2. Final Report incorporating management comments and an agreed priority plan of action based on
exposure analysis.

3. Soft or hard copy of the checklist used for the audit.

4. Soft or hard copy of the audit methodology and documentation.


11. FORMAT OF REPORT/FINDINGS AND RECOMMENDATIONS

AUDIT REPORT: ANNEXURE 1

12. SUMMARY/CONCLUSION
In the present era, the critical need for Information Technology (IT) can be understood from the need to
plan and develop safe, secure, and reliable system solutions using information systems which form the
backbone for developing innovative product offerings and services. Information systems also play a key
role in performing short and long term management functions and activities.

SDLC is an essential aspect of automating business processes using information technology. It has been
evolving with changing technology and global proliferation of computers. Today’s business heavily
depends on IT and any problem faced has multi-fold repercussions. Controlling SDLC process helps
organisations in mitigating risks associated with implementation and use of IT.

There is also greater need to ensure appropriate level of security when developing information systems so
as to establish appropriate privacy and protection practices and to develop acceptable implementation
strategies for these practices.

The audit confirmed that as of May, 2019 a comprehensive SDLC methodology/structured approach was
not adopted while developing application software affecting ENTERPRISES LTD. operations, security and
maintenance.

A number of recommendations have been made, establishing procedures and practices governing the
initiation, definition, design, development, deployment, operation, maintenance and enhancement of systems, to address
the existing issues, and Management has reported that corrective actions have either been taken or are
underway.

ANNEXURES:

1 AUDIT REPORT
2 CHECKLIST FOR FUTURE USE
AUDIT REPORT
(EVALUATION OF SOFTWARE DEVELOPMENT)
OF
ENTERPRISES LTD

By
PPA & Co, Chartered Accountants
PAVAN VERMA, ACA
PRADEEP GARG, ACA
ADITYA GUPTA, ACA
AUDIT OBJECTIVE AND SCOPE

OBJECTIVE
The primary objective is to provide comfort on the efficiency, adequacy and appropriateness of application so
as to mitigate the system operational risks and ensure that the information systems are implemented as
designed in order to provide a workable, safe and secure computing environment by benchmarking against
global best practices and

a) To assess and evaluate management system relating to changes requested and made to the existing
production systems in respect of new application software, so as to minimize the likelihood of
disruption, unauthorized alterations, and errors & to achieve full operational efficiency.

b) The review of software development would be with the objective of identifying the areas of control
weakness in the software development process & to recommend the best practices which could be
adopted by the enterprise in future in case of such needs.

c) To assess vulnerabilities of the Application software implementation to attacks from within and outside
and suggest appropriate counter-measures so as to safeguard information against unauthorized use,
disclosure or modification, damage or loss.

d) To assess that audit trails exist to facilitate the tracing of transaction processing and reconciliation of
data so as to ensure that adequate and appropriate audit trails/logs are developed and used within the
company for ensuring effective monitoring of the mission critical systems and processes.

e) To assess and evaluate data collection, analysis and reporting on resource performance, application
sizing and workload demand so as to ensure that adequate capacity is available and that best and
optimal use is made of it to meet required performance needs of the business process owners.

f) To assess the internal control framework in respect of specified application, review of parameter
settings and configuration management and suggest improvements so as to ensure that data remains
complete, accurate and valid during its input, update and storage.

SCOPE OF AUDIT
1. The primary objective of the assignment is to evaluate the newly developed software application and
develop related Audit checklists for future use, through external consultants by using the globally
recognized IS Audit standards and best practices.

2. Specific areas of improvement would be identified by benchmarking with the globally recognized best IT
practices of COBIT framework.

3. Broadly, the scope of review, primarily from an evaluation\controls perspective, would involve:

A) Review of IT Resources as relevant

1. Feasibility study document covering requirement definitions, System analysis
2. RFP document covering system design, development and programming and testing
3. UAT, implementation, support and operations
4. Application controls at various stages such as Input, Processing, Output, Storage, Retrieval and
transmission so as to ensure Confidentiality, Integrity and Availability of data.

B) Organisation structure, policies, procedures and practices as mapped in the information
systems.

C) Review of policies, procedures and practices as relevant to areas of audit.

BACKGROUND
ENTERPRISES Group has been using Information Technology as a key enabler for facilitating business
process owners and enhancing services to its customers. The senior management of ENTERPRISES has
been very proactive in directing the management and deployment of Information Technology. Most of the
mission-critical applications in the company have been computerized and networked. ENTERPRISES selected
a change in the customer process by adopting a new software application to bring a more integrated and seamless
approach to internal processes.

With the deployment of new software application in ENTERPRISES, management was expecting to provide
quality services to its consumers, superior operational excellence and business agility and also to achieve
defined objectives.

KEY BUSINESS/AUDIT RISKS

The key risks related to implementing a system are as follows:
• Return on investment fails to meet management’s expectations; expected benefits are not realized or not
realized in a timely manner.

• Inadequate project management procedures could lead to scope creep, a poorly designed system that does not
meet the needs of the business or end users, unclear responsibilities, lack of communication, inadequate
monitoring, and undetected deviations from project scope. All of these have a direct impact on the budgeted dollars
and timelines of the project. It also indicates a lack of management control over capitalizable projects.

• Inadequate system implementation procedures resulting from poor planning, poor or insufficient user testing,
system issues not being resolved, inadequate security measures for both network and application, lack of
communication, and inadequately designed automated controls or edit checks. This would have a direct impact on
the system’s ability to integrate within the existing infrastructure, the functionality of the system, the productivity
and buy-in of employees, data integrity, completeness and accuracy, and the system being vulnerable to a security
compromise. It also indicates a lack of management control over the project.

• Inadequate security controls result in vulnerabilities that may expose data to unauthorized access,
unauthorized disclosure or theft.

• A lack of management control over systems could lead to non-compliance with required regulations, resulting in
fines and/or penalties.
