Title: Review of IT Security Policies and Procedures in Audit
Zydaan Outsourcing Solutions Ltd (Zydaan) is India's fastest growing Business Process Outsourcing (BPO) specialist, catering to all corporate business needs. It provides BPO solutions in the areas of Employer Services, Accounting Services and Financial Services. It is a private limited company headquartered at Pune, with branch offices at Jaipur, Ahmedabad, Kanpur, Gurgaon and Noida in India. It has more than 500 employees and 120 clients, and its payroll services cover more than 25,000 employees. Its data centre is at Pune, with a backup server at Noida providing resiliency.
2. Auditee Environment
Zydaan Outsourcing Solutions Ltd (Zydaan, the auditee) appointed M/s XYZ Enterprises LLP (Chartered Accountants, the auditor) to conduct the review of the auditee's IT security policies and procedures. The audit firm has extensive experience in conducting IS audits. It has 5 partners (CAs), 3 system auditors (CISA) and 5 other technical staff, all with good knowledge and experience in their respective domains.
| S. No | Team Member Name | Qualification | Designation |
|---|---|---|---|
| 1 | Mr. A | FCA, CISA | Team Leader |
| 2 | Mr. B | FCA, CISA | Co-Team Leader |
| 3 | Mr. C | FCA, CISA | Co-Team Leader |
| 4 | Mr. P | ACA, DISA | Team Member |
| 5 | Mr. D | FCA, DISA | Team Member |
| 6 |  | M.Tech, PhD (IT), BE (Software) | Software Engineer and Programmer |
| 7 | Mr. R | M.Tech, BE (Software) | Software Engineer and Programmer |
| 8 | Mr. S | PhD (IT-Hardware Engineer) | Hardware Engineer |
With an inspiring record of blending multi-domain skills into its offering, the company is empowering leading Indian enterprises to better manage emerging needs. Zydaan monitors performance on the parameters of Accuracy, Timeliness, Responsiveness and Confidentiality, and the Service Level Agreements executed with its customers define these clearly. Zydaan currently provides integrated Accounting and Payroll Services over an Internet platform. A high-end platform architected on multiple Sun Solaris servers and WebLogic application servers, with multiple layers of security, has been deployed to enable its customers and their employees to access the latest pay information online.
4. Terms and Scope of assignment
The auditor has defined the scope of the assignment as follows:-
- How much security is enough?
- Independent auditor's report.
- What is the impact on compliance and security?
- Who is responsible for data security?
- Review contractual compliance between the service provider and its customer, i.e. the auditee.
- Control issues specific to the service provider.
- Country, regional and industry regulations.
Areas where the auditor's consulting services are required:-
- Create and implement a governance strategy.
- Create and implement a security strategy.
5. Logistic arrangements required
The auditor requires the following hardware, software (application and system), information and system configuration documentation.
Hardware:-
The auditor (XYZ Enterprises LLP) needs 4 laptops, 4 desktops, networking cables, data cables and power backup equipment to execute the assignment. All hardware must be configured to be compatible with the software used.
Software (Application as well as System):-
Licensed software must be installed on every desktop and laptop so that the team can work in the auditee's IT environment, with high-bandwidth Internet access.
Information:-
The information to be audited, which may be data, audio, video, electronic records, images etc.
System Configuration Documents :-
System configuration documentation from the supplier or vendor of the hardware and software, including source code where available, so that the technical environment is clearly understood.
ISO 27001 Information Security Management System:-
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process. The company (auditee) holds a certificate, issued by an accredited certification body, stating that its ISMS meets the requirements of ISO 27001. The aim is to give clients and customers confidence and assurance that it follows accepted best business practices.
Use of CAAT Tools (Computer Aided Audit Techniques):-
The use of CAATs improves the audit process and helps with data extraction and analysis. The following techniques are used:-
Generalized Audit Software:-
This tool is effective and efficient for IS audit. GAS packages such as ACL (Audit Command Language) and IDEA open production data as a read-only copy, so the auditor cannot inadvertently change it, and provide functions for data extraction, sorting, summarization, duplicate and gap detection and sampling. Independently of the tool, the organization defines the access rights of each system user; every user has different rights, such as read only, read and modify, approve etc.
Utility Software:-
These programs are used to perform common data processing functions such as sorting, creating and printing files. They generally do not contain features such as automatic record counts or control totals.
Audit Test Data:-
Test data involves the auditor running a sample set of data through the program to assess whether logic errors exist and whether the program meets the organization's objectives. It provides information about internal controls and any weaknesses in them.
6. Audit Expert System:-
In this technique the auditor performs tests of details of transactions and balances, analytical review procedures, compliance tests of IS general controls, compliance tests of IS application controls and vulnerability testing.
Audit Program or Audit Procedure:-
Below is the audit program based on the COBIT framework; for each control objective the auditor has defined the corresponding audit procedure.
| S. No | COBIT Control Objective | Audit Procedure |
|---|---|---|
| 1 | Benefit Management (Acquire, Plan and Organize) | Review the process for developing metrics for measuring benefits, e.g. guidance from domain experts and industry analysts. |
| 2 | Supplier Contract Management (Acquire and Implement) | Confirm through interviews with key staff members that policies and standards are in place for establishing contracts with suppliers, e.g. legal contracts, financial contracts, intellectual property contracts etc. |
| 3 | Supplier Performance Monitoring (Deliver, Service and Support) | Inspect supplier service reports to determine that supplier performance is in alignment with the predefined SLAs and the supplier contract. |
| 4 | Identity Management (Deliver, Service and Support) | Confirm that every user has a unique, non-shared ID and that access rights to the system are granted as per the documented business process framework. |
| 5 | Network Security (Deliver, Service and Support) | Confirm with the organization that a network security policy has been established and is maintained. Further confirm that all network components, such as routers, VPN devices and switches, are updated regularly. |
| 6 | Information Exchange (Deliver, Service and Support) | Confirm with the organization that a proper encryption policy is in place for exchanging information outside the organization. |
| 7 | Contract Compliance (Monitor and Evaluate) | Review policies and procedures to ensure that contracts with third-party service providers are checked for compliance with applicable laws, regulations and contractual commitments. |
| 8 | Data Integrity (Deliver, Service and Support) | Determine that a policy has been defined and implemented to protect sensitive information from unauthorized access, using authentication and encryption. |
7. Documents reviewed of Audit
Information security policies are the documented business and technical rules for protecting an organization from the information security risks faced by its business and technical infrastructure. These written policy documents provide a high-level description of the various controls which the organization will use to manage its information security risks. The information security policy documents are also considered to be a formal declaration of management's intent to protect its information assets from relevant risks.
In specific cases, the information security policies are supported by information security procedures that identify key activities required to implement relevant information security policies.
Acceptable Use Policy
The purpose of the Acceptable Use Policy is to ensure that all computer systems and networks owned or managed by PCC are operated in an effective, safe, ethical and lawful manner and it is the responsibility of every computer user to know these requirements and to comply with them.
Access Control Policy
The purpose of the Access Control Policy is to ensure that information systems resources and electronic information assets owned or managed by PCC are available to all authorised personnel. The Policy also deals with the prevention of unauthorised access through managed controls to create a secure computing environment.
Anti Virus Policy
This Policy is about protecting networks, systems and equipment from malicious code and malware. Laptops and mobile devices are most at risk as they may only be connected to the network periodically. The appropriate use of Anti-virus software will lessen the risk of the Council experiencing this type of security incident.
Business Continuity/DR Policy
The purpose of the IT Business Continuity/DR Policy is to ensure that PCC has the appropriate documentation and procedures in place to ensure that business will continue in the event that its computer systems and networks are affected by a security incident.
Communication and Mobile Devices Policy
The purpose of the Communication and Mobile Devices Policy is to advise acceptable use with regard to mobile devices (including mobile phones) and communication systems used for business activities. With the convergence of data, voice and video communication systems, the ability to connect remotely to internal systems and the wide range of options offered by mobile devices, it is essential that these technologies be used only by authorised persons for legitimate business activities.
Computer Systems And Equipment Use Policy
The purpose of the Computer Systems and Equipment Use Policy is to advise users of the Council’s expectations regarding the acceptable use of the technology provided to them.
Computers for Councillors Policy
The purpose of the Computers for Councillors Policy is to ensure that computers supplied for Council business are managed, maintained and operated in accordance with Council requirements.
Cyber Crime and Security Incident Policy
The purpose of the Cyber Crime and Security Incident Policy is to ensure that the correct procedures are followed should systems be affected by a security incident or other event. The impact an event will have on business continuity will depend on how well it is handled.
Email Policy
The purpose of the Email Policy is to document how electronic mail systems and services are to be used. Email has become a major communication channel and a common means of conducting day-to-day business. Compliance with this Policy is essential to ensure that important email documents become part of the corporate knowledge base and to ensure compliance with information management and legal requirements.
Encryption Policy
The purpose of the Encryption Policy is to ensure that encryption keys are securely managed throughout their life cycle, including their creation, storage, the manner in which they are used, and their destruction.
Firewall Management Policy
The purpose of the Firewall Management Policy is to ensure that the external perimeter defence for PCC is configured, managed and maintained to prevent the occurrence of a major security threat.
Hardware Management Policy
The purpose of the Hardware Management Policy is to ensure that the correct procedures are followed with regard to the purchase, deployment, maintenance and replacement of computer hardware and other devices.
Information Management Policy
The Information Management Policy sets out the guidelines for managing the data and information stored in the files and directories that comprise the electronic information repositories of PCC.
Internet Use Policy
The purpose of the Internet Use Policy is to ensure that the internet is used for business purposes and to ensure that users conduct their online activities in an appropriate, responsible and ethical manner.
Laptop And Tablet Security Policy
The purpose of this Policy is to inform those who have been allocated a laptop computer or tablet of the Council’s requirements for its use and care. Theft, loss or damage to portable computers is becoming increasingly commonplace. The costs of replacement are not just financial and include loss of data, lost productivity, increased insurance premiums and the time to configure and set up a new machine. There are also risks associated with the loss or exposure of sensitive, unique or personal information including reputation, commercial advantage and privacy and this Policy seeks to mitigate these risks.
Legal Compliance Policy
The purpose of the Legal Compliance Policy is to ensure that staff understand the implications of privacy, confidentiality, copyright, intellectual property, misrepresentation and other relevant legislation in respect to information and information systems.
Network Management Policy
The purpose of the Network Management Policy is to protect PCC’s internal computer systems and networks from abuse or exploitation and defines the parameters for managing, designing and connecting to the Council’s computer systems.
Online Services Policy
The purpose of the Online Services Policy is to provide the guidelines for configuring systems to safely enable business to be carried out over the Internet as an alternative service channel. The term "business" can apply to anything from providing information online to making payment for a service online, and refers to both providing and using online services.
Password And Authentication Policy
This Policy describes the authentication requirements for accessing internal computers and networks and includes those working in-house as well as those connecting remotely. Every person, organisation or device connecting to internal IT resources and networks must be authenticated as a valid user before gaining access to PCC’s computer systems, networks and information resources.
Personnel Management Policy
The purpose of the Personnel Management Policy is to ensure that those using and managing PCC’s computer systems and networks act in a responsible and ethical manner. It is also intended to minimise the threat of an internal security breach.
Physical Access Policy
The purpose of the Physical Access Policy is to protect PCC’s IT resources from harm, abuse or exploitation and describes the parameters for controlling the environmental conditions for critical computing devices.
Remote Access Policy
This Policy describes the security requirements for remote access connections to internal IT resources. It covers a wide variety of technologies and methods of effecting the connection.
Software Management Policy
The purpose of the Software Management Policy is to ensure that the correct processes and procedures are followed when purchasing, developing, deploying, maintaining and replacing software applications. It assists with compliance with industry standards, encourages consistency throughout PCC and ensures that software continues to meet the needs of the business.
Special Access Policy
Special Access relates to System Administrator and Domain Administrator rights. The purpose of the Special Access Policy is to ensure that only those users needing special access rights and enhanced privileges to manage the Council’s computer systems and networks are granted them with the appropriate controls.
General Payroll Controls
Consider using a selection of the following controls for nearly all payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:
- Audit. Have either internal or external auditors conduct a periodic audit of the payroll function to verify whether payroll payments are being calculated correctly, employees being paid are still working for the company, time records are being accumulated properly, and so forth.
- Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Otherwise, there is no proof that the employee wanted a change to be made. The same control applies for any pay rate changes requested by a manager.
- Change tracking log. If you are processing payroll in-house with a computerized payroll module, activate the change tracking log and make sure that access to it is only available through a password-protected interface. This log will track all changes made to the payroll system, which is very useful for tracking down erroneous or fraudulent entries.
- Error-checking reports. Some types of payroll errors can be spotted by running reports that only show items that fall outside of the normal distribution of payroll results. These may not all indicate certain errors, but the probability of underlying errors is higher for the reported items. The payroll manager or a third party not involved in payroll activities should run and review these reports.
- Expense trend lines. Look for fluctuations in payroll-related expenses in the financial statements, and then investigate the reasons for the fluctuations.
- Issue payment report to supervisors. Send a list of payments to employees to each department supervisor, with a request to review it for correct payment amounts and unfamiliar names. They may identify payments being made to employees who no longer work for the company.
- Restrict access to records. Lock up employee files and payroll records at all times when they are not in use, to prevent unauthorized access. Use password protection if these records are stored online. This precaution is not just to keep someone from accessing the records of another employee, but also to prevent unauthorized changes to records (such as a pay rate).
- Separation of duties. Have one person prepare the payroll, another authorize it, and another create payments, thereby reducing the risk of fraud unless multiple people collude in doing so. In smaller companies where there are not enough personnel for a proper separation of duties, at least insist on having someone review and authorize the payroll before payments are sent to employees.
Payroll Calculation Controls
The following list of possible controls addresses such issues as missing timesheets, incorrect time worked, and incorrect pay calculations. They are:
- Automated timekeeping systems. Depending on the circumstances, consider installing a computerized time clock. These clocks have a number of built-in controls, such as only allowing employees to clock in or out for their designated shifts, not allowing overtime without a supervisory override, and (for biometric clocks) eliminating the risk of buddy punching. Also, you should send any exception reports generated by these clocks to supervisors for review.
- Calculation verification. If you are manually calculating payroll, then have a second person verify all calculations, including hours worked, pay rates used, tax deductions, and withholdings. A second person is more likely to conduct a careful examination than the person who originated the calculations.
- Hours worked verification. Always have a supervisor approve hours worked by employees, to prevent employees from charging more time than they actually worked.
- Match payroll register to supporting documents. The payroll register shows gross wages, deductions, and net pay, and so is a good summary document from which to trace back to the supporting documents for verification purposes.
- Match timecards to employee list. There is a considerable risk that an employee will not turn in a timesheet in a timely manner, and so will not be paid. To avoid this problem, print a list of active employees at the beginning of payroll processing, and check off the names on the list when you receive their timesheets.
- Overtime worked verification. Even if you do not require supervisors to approve the hours worked by employees, at least have supervisors approve overtime hours worked. There is a pay premium associated with these hours, so the cost to the company is higher, as is the temptation for employees to claim them.
- Pay change approval. Consider requiring not just one approval signature for an employee pay change, but two signatures – one by the employee’s supervisor, and another by the next-higher level of supervisor. Doing so reduces the risk of collusion in altering pay rates.
Check Payment Controls
When you pay employees with checks, several controls are needed to mitigate the risks of fraud and various errors. Key controls are:
- Update signature authorizations. When check signers leave the company, remove them from the authorized check signer list and forward this information to the bank. Otherwise, they could still sign company checks.
- Hand checks to employees. Where possible, hand checks directly to employees. Doing so prevents a type of fraud where a payroll clerk creates a check for a ghost employee, and pockets the check. If this is too inefficient a control, consider distributing checks manually on an occasional basis.
- Lock up undistributed paychecks. If you are issuing paychecks directly to employees and someone is not present, then lock up their check in a secure location. Such a check might otherwise be stolen and cashed.
- Match addresses. If the company mails checks to its employees, match the addresses on the checks to employee addresses. If more than one check is going to the same address, it may be because a payroll clerk is routing illicit payments for fake employees to his or her address.
- Payroll checking account. You should pay employees from a separate checking account, and fund this account only in the amount of the checks paid out. Doing so prevents someone from fraudulently increasing the amount on an existing paycheck or creating an entirely new one, since the funds in the account will not be sufficient to pay for the altered check.
You may find that several controls buttress each other, so that there are overlapping effects resulting from multiple controls. In these cases, you may be able to safely eliminate a few controls, knowing that other controls will still mitigate the risk of loss.
Verify Employment Status
Review the list of paychecks issued during the audit period. Verify that each employee who received a paycheck was actively employed by the company during the time that the paycheck was issued.
Confirm Pay Rates
Check the salary or hourly rate in the payroll system for each of the employees paid during the period. Compare the rate in the payroll system to that physically paid out to the employee to ensure that gross pay calculations are accurate. If there are any questions, verify the pay rate in the payroll system against the employment contract or most current performance review on file with Human Resources.
Check the total hours worked for each employee according to the time cards or other time reporting system for that pay period. Make sure that the hours reported are equal to the hours on the paycheck. Verify that any employee who received sick or vacation pay was eligible at the time it was paid and had time available on the books.
Validate Ledger Accounts
Check the transactions posted in the payroll ledger accounts against the total payroll expenses for the period. Verify the vacation pay, personal time and other associated payroll costs against the transactions posted in each of the corresponding general ledger accounts.
Verify that all of the cancelled checks for the payroll account match the payroll checks issued by the payroll department. The payroll bank account should show only transactions confirmed by the payroll accounting reports. Make sure that none of the checks appear to be modified, and that the amounts on the cancelled checks match the amounts on the transaction reports from the payroll ledger.
As an employer, you are required to comply with wage and hour and employment tax laws that occur on a federal, state and local level. Conducting periodic audits at least once or twice per year helps you maintain compliance and strengthen your company’s financial controls. The audit enables you to verify that payroll records are correct and to spot and fix issues that could have led to an external audit. A qualified member of your staff or a third-party auditor can perform the audit.
Verify duties of all workers in the payroll department and ensure their payroll system access is restricted to the type of work they do. For example, if an employee’s job description is timekeeping and payroll record changes, she should not have the system access required to process paychecks.
Generate a payroll report that identifies active employees, and confirm that these employees actually work for the company. Run a report to identify terminated employees, and ensure that they are not getting paid. This helps you recognize ghost or phantom employees, which is a type of payroll fraud. The ghost employee may be a terminated employee who has not been taken out of the payroll system or a fictitious employee who does not work for the company.
Compare regular and overtime wages with employees’ timekeeping data, which should be approved by their respective supervisors or managers. Verify salaries, pay increases and supplemental wage payments such as commissions and bonuses.
Confirm that mandatory deductions, such as payroll taxes and, if applicable, wage garnishments, are being withheld from employees' wages. Generate a report that shows the company's employment tax liabilities, and verify that your employees' withholding and your portion of taxes are paid and reported to the appropriate government agencies.
Evaluate employee benefits, such as health insurance and retirement benefits, and balance payments made to vendors. Review fringe benefits, including expense reimbursements and vacation and leave procedures.
Reconcile amounts paid to employees via live checks and direct deposit and amounts paid to third parties with the amounts posted in your company’s financial statements. Ensure accurate coding.
Confirm that all wage and hours laws that pertain to your business are being met. This includes Fair Labor Standards Act policies for classifying and paying nonexempt and exempt employees and related state and local policies.
Assess record-keeping procedures to ensure compliance with federal and state record-keeping laws. Verify that payroll records are stored in secured areas.
Review internal payroll policies, such as confidentiality clauses and policies relating to termination, timekeeping, paycheck distribution and security breaches.
Create a written evaluation of your findings and your suggestions for improving internal controls.
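The CAAT section above describes generalized audit software reading production data read-only, and the payroll audit steps above describe the tests that software would run (ghost employees, shared pay-to addresses, paid hours versus approved hours, separation of duties between preparing and approving payroll). The following Python is an added example of those exception tests, not code from the original report or from Zydaan's systems; the extracts, field names and user names are constructed sample data and assumptions.

```python
"""Payroll exception tests in the style of generalized audit software (GAS).

Each test reads the extracts as data, never writes to them, and returns the
exceptions for the auditor to follow up. All records here are constructed
sample data and every field name is an assumption, not Zydaan's schema.
"""
from collections import defaultdict
from datetime import date

# HR master extract: employee id -> status, termination date, address on file
HR_MASTER = {
    "E001": {"status": "active", "term_date": None, "address": "12 MG Road, Pune"},
    "E002": {"status": "active", "term_date": None, "address": "7 Link Rd, Noida"},
    "E003": {"status": "terminated", "term_date": date(2023, 3, 31), "address": "4 Park St, Jaipur"},
    "E004": {"status": "active", "term_date": None, "address": "12 MG Road, Pune"},
}

# Payroll register extract for April 2023: who was paid, hours paid, pay-to address
REGISTER = [
    {"emp_id": "E001", "hours_paid": 160, "address": "12 MG Road, Pune"},
    {"emp_id": "E002", "hours_paid": 172, "address": "7 Link Rd, Noida"},
    {"emp_id": "E003", "hours_paid": 160, "address": "4 Park St, Jaipur"},  # paid after termination
    {"emp_id": "E004", "hours_paid": 160, "address": "12 MG Road, Pune"},   # shares address with E001
    {"emp_id": "E099", "hours_paid": 160, "address": "12 MG Road, Pune"},   # absent from HR master
]

# Supervisor-approved hours from the timekeeping system (no entry for E099)
TIMESHEETS = {"E001": 160, "E002": 160, "E003": 0, "E004": 160}

# Change-tracking / approval log of the payroll module: who prepared and approved each run
APPROVAL_LOG = [
    {"run": "2023-03", "step": "prepare", "user": "clerk1"},
    {"run": "2023-03", "step": "approve", "user": "manager1"},
    {"run": "2023-04", "step": "prepare", "user": "clerk1"},
    {"run": "2023-04", "step": "approve", "user": "clerk1"},   # same person prepared and approved
]


def ghost_employees(register, hr_master, period_start):
    """Payees missing from the HR master, or terminated before the pay period began."""
    ghosts = []
    for row in register:
        rec = hr_master.get(row["emp_id"])
        if rec is None:
            ghosts.append((row["emp_id"], "not in HR master"))
        elif rec["term_date"] is not None and rec["term_date"] < period_start:
            ghosts.append((row["emp_id"], "terminated " + rec["term_date"].isoformat()))
    return ghosts


def duplicate_addresses(register):
    """Pay-to addresses shared by more than one payee (possible routing of illicit payments)."""
    by_addr = defaultdict(list)
    for row in register:
        # normalise case and whitespace so trivially different spellings still match
        by_addr[" ".join(row["address"].lower().split())].append(row["emp_id"])
    return {addr: ids for addr, ids in by_addr.items() if len(ids) > 1}


def hours_mismatch(register, timesheets):
    """Paid hours that differ from supervisor-approved hours; None means no timesheet at all."""
    exceptions = []
    for row in register:
        approved = timesheets.get(row["emp_id"])
        if approved is None or approved != row["hours_paid"]:
            exceptions.append((row["emp_id"], row["hours_paid"], approved))
    return exceptions


def sod_violations(approval_log):
    """Payroll runs where the same user both prepared and approved (separation of duties breach)."""
    steps = defaultdict(dict)
    for entry in approval_log:
        steps[entry["run"]][entry["step"]] = entry["user"]
    return sorted(run for run, s in steps.items()
                  if s.get("prepare") is not None and s.get("prepare") == s.get("approve"))


def run_all(period_start=date(2023, 4, 1)):
    """Run every exception test over the constructed extracts and return the results by test name."""
    return {
        "ghost_employees": ghost_employees(REGISTER, HR_MASTER, period_start),
        "duplicate_addresses": duplicate_addresses(REGISTER),
        "hours_mismatch": hours_mismatch(REGISTER, TIMESHEETS),
        "sod_violations": sod_violations(APPROVAL_LOG),
    }


if __name__ == "__main__":
    for test, exceptions in run_all().items():
        print(f"{test}: {exceptions}")
```

Each function returns the exception list rather than printing it, so the same tests can be re-run against real extracts and the exceptions attached to the working papers; the address check normalises case and spacing because a clerk routing payments to a ghost employee will rarely type the address identically twice.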
We reviewed the following documents during execution of this assignment to identify controls and any weaknesses in them.
- Information Security Policy:- First we reviewed the company's Information Security Policy (ISP) and its contents to check whether the policy meets the objectives of the organization and its stakeholders. The Board is responsible for framing the policy.
- Organization Structure:- The auditee organization has a proper hierarchy of departments, such as finance and accounts, sales and marketing, purchase and production, payroll and inventory management, so that the organization functions properly.
- Service Level Agreement or Vendor Contract:- The auditor has read and understood all the terms and conditions of the SLA. Any term that is harmful to the company has been discussed with management in order to secure stakeholder interests.
- Access Matrix:- The auditor reviewed the access matrix, which lists each employee and the extent of their data access rights.
- Audit Findings:- The auditor's findings with respect to the Cloud Service Provider (CSP) are as follows:-
- 1 The auditor reviewed the company's firewall and anti-virus programs, which secure data against unauthorized access.
- 2 The auditor reviewed the alternate delivery site for work, to be used if the CSP fails to provide service for any reason.
- 3 The auditor reviewed the backup policy and methodology: how backups are taken and their time frame.
- 4 The auditor reviewed the Disaster Recovery Plan (DRP): how the company can continue its business functions if operations are disrupted by earthquake, tsunami, flood, fire etc.
- 5 The auditor reviewed the external and internal policies that affect the organization's business, both internally and externally.
We have taken references from the following:-
- ISA Background Material
- ISACA Audit Program and CAAT Tools
- ISO Standard 27001
The following table summarizes the review areas with the relevant findings, the auditor's suggestions and the risk rating.
| S. No | Auditor's Findings | Auditor's Recommendation / Suggestions | Risk Rating |
|---|---|---|---|
| 1 | Technology Selection:- Before moving to the cloud, the organization (auditee) did not perform a cost-benefit analysis. | NIL | Low |
| 2 | Physical Access Control:- Access to data should be allowed only to authorized persons, since the data may be sensitive to its stakeholders. | The organization should deploy biometric access devices so that an access history is retained; adopt the maker-checker rule; use the audit trail to check who accessed the data previously and what they did; and adopt a clean desk policy to secure sensitive data held in paper form. |  |
| 3 | Login Access Control:- Every user has a unique login and can access only the data for which they are permitted to transact. | This control prevents unauthorized access to data: no user can approve or authorize data beyond the rights assigned to them. E.g. login ID and password, network monitoring and access control lists. | Medium |
| 4 | Audit Trail:- The audit trail identifies who last logged in, what each user did and how long previous users spent in the system. | With this control, users are kept within the rights assigned to them, preserving data security and integrity; any attempt to work beyond those rights is traceable, so personal accountability exists. | Medium |
| 5 | Firewall:- Any data entering or leaving the organization's boundary is filtered by the firewall. The hardened system on which the firewall is installed is called a bastion host. | The firewall acts as a security barrier between the public and private networks and inspects every data packet entering the private network from the outside world, enforcing authentication and authorization rules. The organization should deploy the appropriate firewall types, namely proxy server, network (packet-filtering) level, application level and stateful inspection. | Medium |
| 6 | Data Privacy and Confidentiality:- Access to customer data is restricted to the respective organization and its authorized personnel and must not be shared with any other organization or personnel. | The organization should establish a policy that preserves data privacy with respect to other service receivers hosted by the same cloud service provider. | High |
| 7 | Service Level Agreement:- Any terms and conditions that are harmful to the auditee organization, such as blackouts or disruption of service. | The organization and the CSP should meet to resolve the conflict, and the CSP should identify the alternate sites from which service will be provided if the main site fails. | Medium |
| 8 | Natural Disaster Events:- The organization should consider natural events such as earthquake, tsunami, flood and fire. | The organization should maintain an additional BCP site with complete IT infrastructure so that normal business functions continue without disruption in the event of a natural disaster. | High |
Implication of High, Medium and Low:-
- High:- The finding exposes the organization to significant risk and requires immediate resolution.
- Medium:- The finding exposes the organization to risk that requires resolution in the near future.
- Low:- The finding does not require action from the organization.
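Findings 3 and 4 above rest on two artefacts the auditor reviewed: the access matrix (who is permitted to do what) and the audit trail (who actually did what, and who last logged in). The following Python is an added example of reconciling the two, not code from the original report or from Zydaan's application; the log line format, the object and action names, the user IDs and the matrix entries are all constructed assumptions.

```python
"""Reconcile an application audit trail against the reviewed access matrix.

Flags every logged action that the access matrix does not permit, and every
actor the matrix does not know, and reports the last login per user.
Log format and all names below are constructed assumptions, not Zydaan's.
"""
import re
from datetime import datetime

# Access matrix as reviewed by the auditor: user -> set of permitted (object, action) pairs
ACCESS_MATRIX = {
    "clerk1":   {("payroll_register", "read"), ("payroll_register", "modify"), ("timesheet", "read")},
    "manager1": {("payroll_register", "read"), ("payroll_register", "approve"), ("timesheet", "read")},
    "auditor1": {("payroll_register", "read"), ("timesheet", "read")},
}

# Constructed audit trail lines: "<ISO time> user=<id> action=<verb> object=<name>"
AUDIT_TRAIL = """\
2023-04-28T09:01:12 user=clerk1 action=login object=-
2023-04-28T09:05:40 user=clerk1 action=modify object=payroll_register
2023-04-28T09:06:03 user=clerk1 action=approve object=payroll_register
2023-04-28T10:15:00 user=manager1 action=login object=-
2023-04-28T10:17:22 user=manager1 action=approve object=payroll_register
2023-04-28T11:40:05 user=ghost9 action=read object=payroll_register
2023-04-28T11:41:30 user=auditor1 action=login object=-
2023-04-28T11:42:00 user=auditor1 action=modify object=timesheet
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) object=(?P<obj>\S+)$"
)


def parse_trail(text):
    """Parse the audit trail into event dicts; an unparseable line is an audit exception in itself."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "obj": m["obj"],
        })
    return events


def out_of_rights(events, matrix):
    """Events outside the access matrix: unknown users, or actions the user is not permitted."""
    exceptions = []
    for e in events:
        if e["action"] == "login":          # logging in is not itself a data right
            continue
        allowed = matrix.get(e["user"])
        if allowed is None:
            exceptions.append((e["user"], e["action"], e["obj"], "user not in access matrix"))
        elif (e["obj"], e["action"]) not in allowed:
            exceptions.append((e["user"], e["action"], e["obj"], "action not permitted"))
    return exceptions


def last_login(events):
    """Most recent login per user, as the audit trail finding asks (who last logged in)."""
    latest = {}
    for e in events:
        if e["action"] == "login" and (e["user"] not in latest or e["ts"] > latest[e["user"]]):
            latest[e["user"]] = e["ts"]
    return {user: ts.isoformat() for user, ts in latest.items()}


if __name__ == "__main__":
    trail = parse_trail(AUDIT_TRAIL)
    for exc in out_of_rights(trail, ACCESS_MATRIX):
        print("EXCEPTION:", exc)
    print("last login:", last_login(trail))
```

Run against the constructed trail, the reconciliation surfaces exactly the cases finding 4 is meant to catch: clerk1 approving the register they prepared (a right the matrix does not grant them), auditor1 modifying a timesheet when the matrix grants only read, and an actor (ghost9) that the access matrix does not list at all.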
11. Format of Report/Findings and Recommendations
As mentioned in Point No. 10.