Total Number of Subscribers: 1626   

 


  Date:29th June 2010

 Compiled by: M Sathya Kumar  


Application Software Audit

Introduction :

 

Mohan had joined Target Cosmetics Ltd. as Chief Internal Auditor. Target did not have a robust internal audit function hitherto, but with the mandate of Clause 49 of the Listing Agreement, a seriousness was brought into the function with distinct responsibility and accountability. Target was a family-owned organisation that had evolved into a medium-sized organisation with a turnover of Rs.200 crores. Given the close involvement of the owner promoters in daily operations, the need for an internal audit function had never been felt earlier.

 

The organisation had a legacy system built on Clipper and FoxPro (DOS versions). The data required by the field staff, sales and inventory, was made available through a section of the company website which they could log on to and view. A need for change was not felt by the management as all their needs were being met. However, since the business was growing and the competitors were making use of IT, the CIA felt the need for improving the existing system. Mohan had a background in the FMCG sector and could see the writing on the wall: if Target did not soon start using IT and integrating it with its business processes, it would experience adverse growth rates.

 

While the management had appointed a CIA, the owners were still not clear about his contribution. When Mohan raised the issue, they said that IT was being handled well by one of the Directors and there was no need for a review. Mohan then planned that an Application Software Review would be an acceptable audit area and it would provide him with the opportunity to expand the scope of his work and would also include review of the overall IT which would enable him to comment on the same. But as a first step, he planned to focus only on the Application Software Dimension.

 

Objective :

 

Mohan established the overall audit objective as — To review the Sales Module of the software and the related accounting effects.

 

Methodology :

 

An elaborate study of the systems was carried out by conducting detailed discussions with the software developers, the IT administration, the users and the IT Head. Detailed dataflow diagrams were prepared and controls evaluated. Mohan had inducted a DISA into the team to ensure that adequate technical inputs would be available when the application software was being reviewed. Additionally, he had also referred to the IT security standards BS 7799 and COBIT. For data analysis, he used CAATs including MS Excel and IDEA.

 

Gist of observations and recommendations :

 

1. Ease of modification to Database :

 

Data in the existing dBase and FoxPro-based software can be opened with dBase or Excel and is amenable to easy modification by any person. There is a practice of forwarding master-file .dbf files to each C&F location to incorporate changes in the transactions. These files are sent by e-mail, to be copied into the specified directory. These masters could be Price Masters, Credit Limit changes or others, which are created at the HO on the basis of written and documented approvals. There is no audit trail of such changes beyond the time stamps of the files and the base .dbf at the HO IT Department (and that only for the masters); a file time stamp can be reset by anyone with write access, so it does not prove the file is the one the HO released. Data integrity can thus be compromised by a user with mala fide intentions, causing related loss to the organisation.

 

There is a need for change of platform for a business critical application and an RDBMS-based software needs to be considered.
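Until the platform change is made, the HO can at least make the e-mailed master files tamper-evident and give the copy step an audit trail. The following is an added example, not code from the article or from Target's system: the HO seals each master file with an HMAC over a manifest that carries the file hash and the written approval reference, and the C&F side verifies both before copying the file into the live directory and records every attempt. The per-depot shared key, the file name, the approval reference and the file contents are all constructed for illustration.

```python
"""HMAC-sealed distribution of master .dbf files from HO to C&F locations.

Added example (not code from the article or from Target's system). Assumes a
per-location secret key shared out of band between HO and each C&F depot,
and that each master file is shipped with a manifest carrying the approval
reference. Keys and file contents below are constructed test data.
"""
from __future__ import annotations

import hashlib
import hmac
import json

HASH = hashlib.sha256


def _manifest_bytes(fields: dict) -> bytes:
    # Canonical encoding so HO and C&F compute the MAC over identical bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal_master(key: bytes, file_name: str, data: bytes,
                approval_ref: str, approved_by: str, issued_at: str) -> dict:
    """HO side: bind the file hash to the written approval and MAC the result."""
    fields = {
        "file": file_name,
        "sha256": HASH(data).hexdigest(),
        "approval_ref": approval_ref,
        "approved_by": approved_by,
        "issued_at": issued_at,
    }
    mac = hmac.new(key, _manifest_bytes(fields), HASH).hexdigest()
    return {**fields, "mac": mac}


def verify_master(key: bytes, manifest: dict, data: bytes) -> tuple[bool, str]:
    """C&F side: check the manifest MAC first, then the file against the manifest."""
    fields = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(key, _manifest_bytes(fields), HASH).hexdigest()
    if not hmac.compare_digest(expected, str(manifest.get("mac", ""))):
        return False, "manifest MAC mismatch (tampered manifest or wrong key)"
    if HASH(data).hexdigest() != manifest.get("sha256"):
        return False, "file hash does not match sealed manifest"
    return True, "ok"


def install_master(key: bytes, manifest: dict, data: bytes,
                   live_dir: dict, audit_log: list) -> bool:
    """Copy into the live directory only after verification; log every attempt.

    live_dir stands in for the depot's software directory (a dict here so the
    example runs without touching the filesystem).
    """
    ok, reason = verify_master(key, manifest, data)
    audit_log.append({
        "file": manifest.get("file"),
        "approval_ref": manifest.get("approval_ref"),
        "sha256": HASH(data).hexdigest(),
        "result": reason,
    })
    if ok:
        live_dir[manifest["file"]] = data
    return ok


# Constructed test data: a pretend price master and a per-depot key.
DEPOT_KEY = b"constructed-shared-secret-for-depot-BLR"
PRICE_MASTER = b"CODE,RATE\nSK001,125.00\nSK002,89.50\n"


if __name__ == "__main__":
    manifest = seal_master(DEPOT_KEY, "PRICE.DBF", PRICE_MASTER,
                           "APR/2010/117", "GM-Sales", "2010-06-25T10:00:00")
    live, log = {}, []
    print(install_master(DEPOT_KEY, manifest, PRICE_MASTER, live, log))
    tampered = PRICE_MASTER.replace(b"125.00", b"115.00")
    print(install_master(DEPOT_KEY, manifest, tampered, live, log))
    for entry in log:
        print(entry)
```

The MAC is checked before the hash so that a forged manifest cannot be used to "authorise" a forged file, and the audit log records the hash of whatever was actually received, whether or not it was installed. This does not stop a depot user from editing the live .dbf afterwards, which is why the platform change remains the real fix.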

 

2. Segregation of duties :

 

Unsatisfactory segregation of duties within IT can result in data integrity problems. The roles of the System Analyst, Program Developer, Program Coder, Program Tester, Help Desk, DBA, Security Officer and Network Administrator are all performed by a small IT group. Although the IT group has pre-assigned roles, the segregation tends to be blurred, depending on work expediency.

Segregation of roles in IT is desirable, given the criticality of the applications for the business activities. The decision for staffing of the function and the role definitions need to be reviewed in the perspective of overall business need and an HR intervention for the same is desired. Inputs from internal audit may also be taken to ensure control adequacy.

 

A manpower plan may be prepared by the GM-IT for the IT function, given the long term and short-term IT strategic plans and the structure suggested accordingly. This plan and structure may be presented to the top management for their approval. Suitable action may then be planned and executed.

 

3. Access to software over Web :

 

Field sales staff access the software for information from cybercafes. The possibility of leakage of user IDs and passwords at these cybercafes is high: malicious programs loaded on the machines used by the field staff could capture the credentials and transmit them to attackers, which could even lead to industrial espionage.

 

Additional security should be introduced in the Web Tool, with access control defined at page level: each user is attached to one or more groups, and for each page the groups that may open it are defined, so that a page not assigned to any group is closed to everyone. A weekly password change could be enforced, either after a set number of logins or after a predefined period. Note that rotating a password that is typed on a compromised cybercafe machine only narrows the window of exposure; the stolen credential is still usable until the next change, so the stronger options below are the ones that actually address capture on an untrusted machine. The issue of protecting against hacking could be addressed in the following ways :

(1) Allowing access only from secured and pre-identified machines

(2) Changing the password weekly and communicating it through SMS to the registered mobile of the user

(3) Implementing one-time passwords from a token synchronised with the server (a random number generator and synchroniser)

(4) Using certificates for access, with access granted only on validation of the certificate

(5) Using a randomly selected challenge question along with the username and password, and matching the answer against predefined stored values.
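The page-level access control and the rotation rule described above, as an added example that is not part of the article or of Target's web tool. Page names, group names and user records are constructed; the seven-day age limit comes from the article's "weekly" suggestion, while the ten-login limit is an assumed policy value.

```python
"""Page-level access control with user groups, plus forced password rotation.

Added example (not the article's or the company's web tool). Page names,
group names and user records are constructed; max_logins is an assumed
policy value, not a figure from the article.
"""
from datetime import date, timedelta

# Which groups may open which page. Pages absent from this map are closed to everyone.
PAGE_GROUPS = {
    "/sales/summary": {"sales_field", "sales_mgmt"},
    "/sales/party_outstanding": {"sales_mgmt"},
    "/inventory/stock_by_depot": {"sales_field", "sales_mgmt", "depot_ops"},
    "/admin/users": {"it_admin"},
}

# Constructed user records: groups, date of last password change, logins since then.
USERS = {
    "ravi": {"groups": {"sales_field"}, "pw_changed": date(2010, 6, 1), "logins": 0},
    "meena": {"groups": {"sales_mgmt", "sales_field"}, "pw_changed": date(2010, 6, 28), "logins": 0},
    "itadmin": {"groups": {"it_admin"}, "pw_changed": date(2010, 6, 28), "logins": 0},
}


def can_access(user: str, page: str, users=USERS, page_groups=PAGE_GROUPS) -> bool:
    """Deny by default: unknown user, unmapped page, or no shared group all fail."""
    record = users.get(user)
    allowed = page_groups.get(page)
    if record is None or not allowed:
        return False
    return bool(record["groups"] & allowed)


def password_expired(record: dict, today: date,
                     max_age_days: int = 7, max_logins: int = 10) -> bool:
    """Rotation is due when either the age limit or the login-count limit is hit."""
    too_old = today - record["pw_changed"] >= timedelta(days=max_age_days)
    too_many = record["logins"] >= max_logins
    return too_old or too_many


def login(user: str, today: date, users=USERS) -> str:
    """Return 'denied', 'change_password' or 'ok'; count the login only on success."""
    record = users.get(user)
    if record is None:
        return "denied"
    if password_expired(record, today):
        return "change_password"
    record["logins"] += 1
    return "ok"


def rotate_password(user: str, today: date, users=USERS) -> None:
    """Reset both rotation counters after a successful password change."""
    users[user]["pw_changed"] = today
    users[user]["logins"] = 0


if __name__ == "__main__":
    today = date(2010, 6, 29)
    print("ravi login:", login("ravi", today))            # password is 28 days old
    rotate_password("ravi", today)
    print("ravi login:", login("ravi", today))
    print("ravi -> party outstanding:", can_access("ravi", "/sales/party_outstanding"))
    print("meena -> party outstanding:", can_access("meena", "/sales/party_outstanding"))
```

The check is intersection-based rather than "first matching group", so adding a user to a second group widens access without any per-page edits, and the default-deny branch means a newly created page is invisible until someone explicitly maps groups to it.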

4. Documentation and user manuals :

 

Missing user manuals and training manuals make it person-dependent rather than process-dependent. The organisation has a large number of C&F agents at various locations all over the country. The persons responsible for the data entry at the depots are also not very qualified and computer-literate. Members from the IT Department undertake visits to a C&F, whenever newly appointed, and impart training about the software to them. But, there is no Training Manual in place. In the absence of standard training and operating instructions, troubleshooting by IT covers the entire gamut of support from basic to advanced, thereby putting avoidable pressure on IT for basic support.

 

User manuals should be created and kept current with all changes made. Standard introductory and advanced training modules may be devised for the varying competency levels within the organisation, for efficient and effective use of the software. Frequently Asked Questions (FAQs) can be developed, based on commonly encountered problems, and posted on the Intranet for ready reference. The FAQ list should be comprehensive, simple and easy to follow. This will reduce the burden on the help-desk function.

 

5. Quality Management of Software :

 

Lack of standard testing documents that encompass the testing objective, testing method, data files used, tester, date, outcome of testing, identification of differences vis-à-vis anticipated results, rectification of differences and learnings thereof, affects the control and monitoring over this critical activity.

 

Standard process documents should be introduced for testing, exception reporting and correction. A document may be introduced specifying the objective, testing method, data files, tester, date, outcome of testing, identification of differences vis-à-vis anticipated results, rectification of differences and learnings thereof.

 

6. Help Desk and Troubleshooting :

 

Missing System to log all calls received, handled and addressed with standard notations, fields, categories of problems, categories of action taken and frequency and timing of the service, affects the monitoring, control and information feedback of support service activities.

The IT department should put in place a system to log all calls received, handled and addressed. The log can be maintained in a spreadsheet with standard notations, fields, and categories of problems, categories of action taken and frequency and timing of the service.

 

7. Specific Software Weaknesses :

 

7.1 Missing control/check in place to confirm whether the scheme rate master has been correctly uploaded into the C&F software before the date of commencement of the scheme, thereby resulting in the system accepting sales order creation for the concerned products at the regular rates as given in the Product and Price Master.

 

7.2 There is a bug in the software whereby credit notes can be over-adjusted against invoices in specific cases. Even though the amounts involved are small, this could affect the revenue of the company if not detected in time through the system of internal IT checks.

The bug in the program should be identified and corrected, and tests undertaken to confirm that over-adjustments are no longer possible.

 

7.3 The debtors ageing report in the software is showing an inaccurate picture in the specific cases identified. Debtors ageing in the software is being done on the invoice date rather than the due date.

Report parameters to be amended to reflect ageing on the basis of the invoice due date rather than the invoice document date.

 

7.4 Invoices billed but not due being shown in the Age < 30 day category. A separate field should be added to the existing report titled ‘Billed Not Due’.

 

7.5 Overdue ageing for a specific party is being shown under two ageing categories in the software, due to an error in the ageing program.

 

Necessary correction to be made in the program logic of the debtors ageing.
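Observations 7.2 to 7.5 describe the same open-items ledger from four angles, so one worked example serves all of them. The following is an added example, not the article's code or Target's software: a credit note may not exceed what is outstanding on the invoice (7.2), ageing is anchored on the due date (7.3), invoices not yet due go to a separate "Billed Not Due" column (7.4), and the bucket thresholds are exhaustive and non-overlapping so that an invoice can land in only one category (7.5). The invoices, parties, credit period and bucket widths are constructed; the `basis="invoice"` switch reproduces the reported wrong behaviour for comparison.

```python
"""Credit-note adjustment cap and debtors ageing on due date.

Added example (not the article's or Target's code) covering observations
7.2 to 7.5. Invoice data, credit terms and bucket widths are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

BUCKETS = ("Billed Not Due", "1-30", "31-60", "61-90", "Over 90")


@dataclass
class Invoice:
    number: str
    party: str
    inv_date: date
    due_date: date
    amount: float
    adjusted: float = 0.0

    @property
    def outstanding(self) -> float:
        return round(self.amount - self.adjusted, 2)


class OverAdjustment(ValueError):
    """Raised when a credit note would exceed the invoice's outstanding balance."""


def apply_credit_note(inv: Invoice, cn_amount: float) -> float:
    """Knock a credit note off an invoice; refuse anything beyond what is outstanding (7.2)."""
    if cn_amount <= 0:
        raise ValueError("credit note amount must be positive")
    if cn_amount > inv.outstanding:
        raise OverAdjustment(
            f"{inv.number}: credit note {cn_amount:.2f} exceeds outstanding {inv.outstanding:.2f}")
    inv.adjusted = round(inv.adjusted + cn_amount, 2)
    return inv.outstanding


def age_bucket(inv: Invoice, as_on: date, basis: str = "due") -> str:
    """Bucket an open invoice. basis='invoice' reproduces the wrong behaviour in 7.3/7.4."""
    anchor = inv.due_date if basis == "due" else inv.inv_date
    days = (as_on - anchor).days
    if days <= 0:            # not yet overdue (7.4)
        return BUCKETS[0]
    if days <= 30:
        return BUCKETS[1]
    if days <= 60:
        return BUCKETS[2]
    if days <= 90:
        return BUCKETS[3]
    return BUCKETS[4]        # thresholds are exhaustive and non-overlapping (7.5)


def ageing_report(invoices, as_on: date, basis: str = "due") -> dict:
    """Party-wise outstanding per bucket; fully adjusted invoices are skipped."""
    report = {}
    for inv in invoices:
        if inv.outstanding <= 0:
            continue
        row = report.setdefault(inv.party, {b: 0.0 for b in BUCKETS})
        bucket = age_bucket(inv, as_on, basis)
        row[bucket] = round(row[bucket] + inv.outstanding, 2)
    return report


def sample_ledger(credit_days: int = 30) -> list:
    """Constructed invoices; due date = invoice date + credit_days."""
    def mk(num, party, d, amt):
        return Invoice(num, party, d, d + timedelta(days=credit_days), amt)
    return [
        mk("INV/1001", "Sharma Agencies", date(2010, 3, 1), 40000.0),
        mk("INV/1002", "Sharma Agencies", date(2010, 5, 15), 25000.0),
        mk("INV/1003", "Kumar Traders", date(2010, 6, 20), 18000.0),
    ]


if __name__ == "__main__":
    ledger = sample_ledger()
    as_on = date(2010, 6, 29)
    apply_credit_note(ledger[1], 5000.0)
    try:
        apply_credit_note(ledger[1], 30000.0)
    except OverAdjustment as exc:
        print("rejected:", exc)
    print("due-date basis:    ", ageing_report(ledger, as_on))
    print("invoice-date basis:", ageing_report(ledger, as_on, basis="invoice"))
```

Run with the constructed data as on 29 June 2010, INV/1003 (invoiced 20 June, due 20 July) shows under "Billed Not Due" on the due-date basis but under "1-30" on the invoice-date basis, which is exactly the misstatement in 7.4; the same invoice can never appear in two columns because `age_bucket` returns a single value.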

 

8. Errors in upload of software entries into the ACCSYS Accounting System :

 

Transactions without reason codes (orphan transactions) were not entered by Accounts into ACCSYS for the current financial year, resulting in an over-statement of the Debtors Control A/c in ACCSYS by Rs.33.28 lacs.

 

The process of credit note, debit note preparation and approval seems to be flawed. In the interest of keeping the outstanding balance of debtors within the credit limit so as to push sales, certain category of credit notes and debit notes pertaining to Accounts are not being duly verified and approved prior to document release and processing.

 

These documents should not be passed until clear, specific and accurate reason codes are available on the document itself. Entries concerning Accounts should be forwarded to Accounts for pre-verification and remarks.

 

In the meantime, the list of open transactions sent by IT to Accounts every month should be examined, reason codes identified, and accounted for in ACCSYS giving effect to the Debtors Control Account and the correct General Ledger Account.
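The monthly examination of the open-transactions list is the kind of check a CAAT handles well. The following is an added example, not the article's code or Target's: it takes the sales-system documents and the ACCSYS Debtors Control postings as two row sets keyed by document number, separates the orphans (no reason code) from coded documents, and shows that the control-account difference is exactly explained by what was never posted. All rows are constructed, the sign convention is the usual one (invoices and debit notes raise debtors, credit notes reduce them), and the amounts bear no relation to the Rs.33.28 lacs in the article.

```python
"""Reconciliation of sales-system debtor documents against ACCSYS postings.

Added example (not the article's or Target's code). Assumes the monthly
open-transactions list from IT and the ACCSYS Debtors Control postings are
both available as rows keyed by document number; all rows below are
constructed.
"""

# Sign convention: invoices and debit notes raise debtors, credit notes reduce them.
SIGN = {"INV": +1, "DN": +1, "CN": -1}

# Constructed sales-system documents for the year (reason code '' = orphan).
SALES_DOCS = [
    {"doc": "INV/2001", "type": "INV", "party": "P1", "amount": 50000.0, "reason": "SALE"},
    {"doc": "CN/0301", "type": "CN", "party": "P1", "amount": 4000.0, "reason": "RATE_DIFF"},
    {"doc": "CN/0302", "type": "CN", "party": "P1", "amount": 2500.0, "reason": ""},
    {"doc": "DN/0120", "type": "DN", "party": "P2", "amount": 1200.0, "reason": ""},
    {"doc": "CN/0303", "type": "CN", "party": "P2", "amount": 6000.0, "reason": "DAMAGE"},
]

# Constructed ACCSYS postings: Accounts skipped the two documents with no reason code.
ACCSYS_POSTINGS = [
    {"doc": "INV/2001", "amount": 50000.0},
    {"doc": "CN/0301", "amount": -4000.0},
    {"doc": "CN/0303", "amount": -6000.0},
]


def signed(doc: dict) -> float:
    """Effect of a document on the debtors balance under the sign convention above."""
    return SIGN[doc["type"]] * doc["amount"]


def split_orphans(docs):
    """Documents without a reason code should never have been released (Observation 8)."""
    orphans = [d for d in docs if not d["reason"].strip()]
    coded = [d for d in docs if d["reason"].strip()]
    return coded, orphans


def reconcile(sales_docs, accsys_postings) -> dict:
    """Compare the sales sub-ledger with the ACCSYS control account and explain the gap."""
    posted = {p["doc"]: p["amount"] for p in accsys_postings}
    sub_ledger = round(sum(signed(d) for d in sales_docs), 2)
    control = round(sum(posted.values()), 2)
    unposted = [d for d in sales_docs if d["doc"] not in posted]
    mismatched = [d["doc"] for d in sales_docs
                  if d["doc"] in posted and round(posted[d["doc"]], 2) != round(signed(d), 2)]
    coded, orphans = split_orphans(unposted)
    gap = round(control - sub_ledger, 2)
    # If every posted document agrees, the gap must equal the negated sum of the unposted ones.
    explained = (not mismatched) and round(-sum(signed(d) for d in unposted), 2) == gap
    return {
        "sub_ledger": sub_ledger,
        "control": control,
        "control_minus_sub_ledger": gap,
        "unposted_orphans": [d["doc"] for d in orphans],
        "unposted_with_reason": [d["doc"] for d in coded],
        "amount_mismatch": mismatched,
        "explained": explained,
    }


if __name__ == "__main__":
    for key, value in reconcile(SALES_DOCS, ACCSYS_POSTINGS).items():
        print(f"{key:>26}: {value}")
```

A positive `control_minus_sub_ledger` is an over-statement of the control account, as in the observation; `unposted_with_reason` catches documents that had a reason code but still were not posted, which is a different failure from the orphan problem and deserves its own follow-up.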

 

Conclusion :

 

Mohan’s efforts were well appreciated as the report resulted in releasing a lot of synergies of the IT and the Accounts team for better activities. Further, it was a good platform for the Directors to appreciate the positive contribution that an internal auditor could make to the organisation. Along with the report, Mohan made a mention about IT Governance and the need to establish a robust IT governance system in Target. He suggested that the Internal Auditor could facilitate the entire process in collaboration with the IT personnel. The Management willingly agreed to his suggestion and the process of I.T. review was initiated. Mohan was also commended personally by the Audit Committee chairman and was asked to continue being innovative in his work execution.

 

Article by Deepak Singhal, a renowned chartered accountant in the field of internal audit

 


Rewards waiting for feedback at
E-mail : smarttrainee@gmail.com


www.primeonlinetest.com


Prime Academy - In Pursuit of excellence

 
