1. Introduction

Client Introduction

Arrange My Trip Limited (AMT) has been providing services to its customers through online booking system using Information Technology as its key enabler. The system being used is huge enough to handle many simultaneous operations like that of
1. Arranging data according to the client’s requirements related to the budget, facility demanded etc.
2. Suggesting the destinations based on real time reviews and accordingly listing the destinations in demand.
3. Suggesting the best means to travel throughout the whole destination planned.
4. Locating the prioritized hotels to stay and the nearby places to visit in relation to shopping/food/fun/leisure activities.
5. Last but not the least arranging various documentation required to visiting the finalized locations like that of visa etc.
The top management of the company had laid down the directions for the overall functioning of the whole system and deployed the information systems for managing the activities required so that the client’s search operations are optimized and handy system support along with the customer care facilities are made available to the clients.
The Information Technology processes required in implementing such practices have been custom developed by AMT Limited and are fully integrated with the backend processes involved in providing the clients the various services mentioned above. Now that the company has been dealing with large volumes of data with extensive procedures over it being applied through the information systems AMT limited proposes to have a comprehensive audit of the online booking system of the company. The objective of the IS audit is to identify potential areas for improvement of controls and the identification of all risk factors present in the system so as to mitigate them by implementing controls etc so that the whole IT environment particularly that of online booking system is secure and safe and as such to provide assurance to the senior management of AMT Limited.

The team comprising of 10 members would be deployed for the referred audit which will be led by Mr. R who has experience in the relevant field of 10 years. The project’s completion time frame will be of 25 man days.

Auditee Firm Introduction

Name of the Firm: M/s RTA & Co.
Experience in IS Audit: 10 Years
M/s RTA & Co. is a chartered accountants firm consisting of 3 full time partners who are qualified chartered accountants with specializations in Information systems audit. The firm has large experience in handling risk based internal audits, assurance functions, accounting and other taxation matters. The offices of the firm are equipped with high end software technologies which can be integrated with the client’s systems so as to perform the audits etc in a more professional manner. The team of the firm consists of 20 Articled Assistants and 5 paid staff who have hands on experience of working in customized software environments and have adequate in depth knowledge of the auditing function.

2.  AUDITEE ENVIRONMENT

The primary objective of the assignment is to conduct Information Systems Audit of Online Booking System and to develop a set of related IS Audit Checklists for future use so that it can be used by external auditors for verifying the accuracy of the whole online booking process.
The enterprise viz., AMT Limited is a multi-national company with its business revolving around procuring data about the destinations, hotels, transportation facilities and the like so as to provide the data in a meaningful way to the company’s customers so that the customers make informed decisions about where to travel, how to travel etc in a most efficient way while also availing the best facilities throughout the travel and stays at the location.
The company’s organization structure is well built with a top to down approach and robust IT systems have been deployed for the overall functioning of the whole system. The auditee environment along with the information about system software, database, regulatory requirements, internal policies and security policies in place is being outlined in the following paras:

1. The whole auditee environment consists of the custom developed application software known as Online Booking System (OBS), the hardware including the networking devices, the database wherein whole of the data including that of the internal and external users is being maintained and the system software.
2. The application software being maintained by the enterprise is OBS (Online Booking System) with an appropriate database wherein all the details related to the information about destinations, transport agencies, hotels, motels, restaurants, theme planners etc have been stored for client’s usage and retrieval and further in which all the client level details have been stored in relation to his/her name, age, identification number, wishlist, previous destinations visited history etc. The system being maintained is a real time system wherein all the details related to present status of bookings, travel, climate etc is updated on real time basis. The application system has also been connected with the payment gateway named paytime so as to complete the user payment transactions in real time and in the most secured way.
3. The database being maintained is that of RDBMS wherein whole lot of data can be searched with the help of some key elements only and no time is wasted while searching for particular destinations etc. The database is in complete control of a Data Base Administrator (DBA) who has been managing the data structures, data updation and data control tasks.
4. The company has an internal security policy outlining the roles and responsibilities of the system security, networking security and other hardware security required in the organization.
5. Windows 10 based operating systems have been installed in system software for appropriate functioning of the application software applied in the organization. The operating system provides an interface between the user and the hardware through GUI and also manages and allocates memory space for applications. The operating system is also responsible for security management of files and applications.
6. Application level gateway firewall has been installed in the networking system which is serving as proxy firewall and is operating at the application layer to filter incoming traffic between the network and the traffic source.
7. Information security policy is required by the organizations to establish a general approach to information security and to detect and forestall the compromise of information security such as misuse of data, networks, computer systems and applications. Information security policy is also required to protect the reputation of the company with respect to its ethical and legal responsibilities. This company i.e., AMT Limited as appropriate information security policy in place and this policy is addressing all data, programs, systems, facilities, other tech infrastructure, users of technology and third parties without any exception.
8. Legal regulations applicable to the organization specifically pertaining to the Information System Audit are Adherence to the Information Technology Act, 2000 amended 2008 and the e-Governance policy issued in March 2020 by the Government of Jammu & Kashmir (GoJk) provided for maintaining online record of hardware and software inventory (H&SI).
9.  

3. Background

AMT Limited proposes to have a comprehensive IS Audit of the whole IT Environment of the company. An information systems audit comprises of audit of the application system installed in the company along with the audit of system software, hardware, networking devices, system security and other interconnected mechanisms including the adherence of the regulations applicable to the organization. The proposed IS Audit is further subjected to applicable auditing standards of ICAI.
The objective of the organization’s plan to go for IS Audit is to identify the areas for improvement of controls by benchmarking against global practices and further to ensure that the risks identified are expected to be mitigated by controls designed by the organization so as to ensure that the application software installed is secure and safe. IS Auditors are also expected to provide IS Audit Checklist for future use by the company.
The Information Security Audit planned is also to be focused on data privacy that will cover technology controls that enforce confidentiality controls on ay database, file system, or application server that provides access to personally identifiable data.

4. Situation

AMT Limited has for the first time integrated all the business units located in different areas in India by adopting OBS-ERP system. With the integration of the new OBS-ERP system with their traditional OBS system there has arisen a need to effectively implement some control factors so as to mitigate the risk involved in such integration along with the risk of data loss. Some more areas of operation that need to be addressed are data storage access, migration of data, maintenance of centralized servers, AMC contracts. The company has been functioning effectively with its OBS system prior to such integration with the OBS-ERP system but there were issues related to data access and data retrieval with the branches of the company which are being resolved by implementation of OBS-ERP system.
Now that the company has integrated with the OBS-ERP system it becomes utmost necessary for the company to implement various control mechanisms for controlling the whole IT Environment of the company as the company is dealing directly with the public at large and it altogether becomes very important to maintain the confidentiality of the data of the public shared win the systems of the organization. The network technology is also required to be robust and secure enough along with the payment gateways so as to provide a user-friendly scenario to the ultimate users of the organization. The organization i.e., AMT Limited has taken all these factors into consideration while deciding upon the reasons to take up IS audit and the problems which have been identified and control weaknesses which are to be looked into have been summarized as follows:
Problematic Areas:

1. Risk of data duplication and unauthorized data retrieval.
2. Unauthorized changes to the data entered in the system regarding the information to be shared with the prospective customers.
3. Frequent failure of the system.
4. Lack of proper BCP and DRP.

Control Weaknesses giving rise to risk scenarios:

1. Inadequate control procedures are in place at present which are giving rise to various kinds of risks that the company is facing at present.
2. Inherent limitations in the customized application software developed as the software has not passed through any trial phase.
3. No proper policy in place regarding the usage of personal devices such as tablets, mobile phones etc.
4. Centralized helpdesk systems have been made available for any technical issues.
5. No proper Backup strategy is in place at present. Data redundancy checks are also not implemented.
6. BCM manual has not been framed by the management.
7.  

5. Terms and Scope of assignment

RTA & Co (Chartered Accountants Firm) have been appointed to conduct Information Systems Audit of OBS-ERP implementation and develop related Audit Checklists. The IS audit of OBS-ERP would be with the objective of providing comfort on the adequacy and appropriateness of controls and mitigate any operational risks thus ensuring that the information systems implemented through OBS-ERP provide a safe and secure computing environment. Further, specific areas of improvement would be identified by benchmarking with the globally recognized best IT practices of COBIT framework. These terms of reference are based on preliminary discussion the assignment team had with the AMT team and is subject to further modifications as required at various stages of audit.
Broadly the scope of review primarily from security/controls would involve:

1. a. To review the processes relating to granting access to systems, verify the logical access controls and assess whether the specified roles and responsibilities are aligned with the business to safeguard against unauthorized use, disclosure, modification, damage or loss at any level.
2. b. To assess that audit trails exist for ensuring effective monitoring of the mission critical systems and processes
3. c. Access vulnerabilities of the OBS-ERP implementation to attacks from within and outside and suggest appropriate counter measures to safeguard against unauthorized use, disclosure, modification, damage or loss.
4. d. To assess and evaluate management system relating to all changes requested and made to the existing systems so as to minimize the likelihood of any type of disruptions.
5. e. Assess the internal control framework in respect of specified OBS-ERP application, review of parameter settings and configuration management and suggest improvements so as to ensure that data remains complete, accurate and valid during its input, update and storage.
6. f. Assessing application controls at various stages such as Input, Processing, Output, Storage, Retrieval and transmission so as to ensure Confidentiality, Integrity and Availability of data.

Based on the understanding of the company’s need for conducting the information security audit of online booking system we propose the scope of review and the terms of reference as laid down below. The scope of review has been prepared on the basis of the discussions with the key members of the assignment team and thereafter a detailed methodology has been framed for the audit to be performed. The methodology so framed is subject to the modifications that might be required while undergoing the audit process according to the prevalent conditions. Broadly the scope of review primarily from security/controls perspective would include:

1. a. Review of information security policy, identification of risks and suitability of control practices established.
2. b. Review of application software’s working in the controlled environment and review of the safety and security aspect of the same.
3. c. Assessing the impact of the linkages with the payment gateway installed and the control mechanisms in place.
4. d. Review of IT resources as a whole.
5.  

6. Logistic arrangements required

IS Auditor requires the following tools for audit:

Hardware:

1. Window based Systems, PDA and Laptops.
2. Printers & other Printing devices.
3. Scanners.
4. Storage media.

System Software:

The auditor has to select the system software according to the IT environment in AMT Ltd and accordingly the auditor will use windows 10 as the system software for performing the audit.

Application Software:

The auditor will be using CAAT tools as CAAT are significant tools for auditors to gather evidence and it also provides a means to gain access to the systems and analyse data for a predetermined audit objective and finally supports in reporting the findings with evidence. IDEA audit software will be used by the auditor as a CAAT tool for performing audit on the company’s IT system.

Apart from this the auditor will use the application software implemented in the organization i.e., OBS-ERP for checking the calculations and data access and data retrieval methods. Test Data packets will also be logged into the system for thorough checking and Integrated Test Facility method will also be simultaneously used.

7. Methodology and Strategy adapted for execution of assignment

Understanding the OBS-ERP system of the organization is one of the main challenges faced by any auditor. It is quite important to know as to what will be the status of the system after two or three years of its implementation. As such the major areas of focus are being listed out here so as to frame the methodology accordingly and complete the audit process within time.

The objectives and scope of audit were explained to the management in the initial meetings held with them seeking their co-operation. The samples were collected using sampling techniques. Four Divisions were selected each from sixteen regions and the data was stratified in terms of the highest revenue generated with highest traffic load.
Some of the major areas of focus as mentioned above are as follows:

1. The first major area of focus should be the on the controls implemented within the organization. It’s imperative to check whether adequate controls have been implemented at all the levels of the organization including that in the whole IT environment.
2. Undertake an in-depth study and analysis of all aspects of the security and control procedures related to IT and environmental aspects. We will take steps to identify way in which the system actually operates. In doing so, the following objective would be kept in mind while setting overall goals.
3. Review the user agreement along with terms of service forms the terms and conditions for the use of services and products of AMT Ltd. And review the terms and conditions of contract between AMT Ltd and OBC – ERP system developer.
4. Verify the general controls were adequate and OBC – ERP system was operated in an adequate controlled environment and the application controls were adequate and the system was in compliance with laid down business rules and adequately secured from possibilities of frauds.
5. Verify the accounting agreements and control mechanism for monetary transactions were adequate.
6. Review all the physical access to computing equipment as well as facilities housing the IS computing equipment and supplies.
7. Review procedures used by management to ensure that individual having access to sensitive facilities and adequately restricted and possess physical access authorisation.
8. Review security policies and procedures at the enterprise level, system level and process level are aligned with business stated objectives.
9. Review of emergency procedures adopted by the organisation, whether it is clearly documented and readily accessible.
10. Review of necessary logical access controls framework in the form of logical access security policies and standards are in place and effectively communicated.
11. Evaluation of various logical security techniques and mechanisms for their effective implementation, operation and administration.
12. Determination of the level of effectiveness of logical security by determining compliance with procedure manuals, such as administrator manuals and user manuals.
13. Testing of appropriateness of OBC – ERP configuration and bypass security procedures.
14. Visual examination of presence of water and smoke detectors, examine power supply arrangements to such services, testing logs, etc. In the server room for not losing any data.
15. Examination of location of fire extinguishers, fire-fighting equipment, refilling date of fire extinguisher and ensure they are adequate and appropriate.
16. Examination of complaint logs and maintenance logs to assess if Mean Time Between Failure (MTBF) and Mean Time To Repair (MTTR) are within acceptable levels.
17.  

8. Documents reviewed

The following documents were verified/reviewed during the audit assignment:

1. Documentation of agreement between software vendor and the company.
2. Internal policies framed for implementation of the software so procured.
3. Internal policies of software management and user controls.
4. Documents related to the SOP and the technology used during the process of conversion from OBS model to OBS-ERP model.
5. Documentation related to the security control framework framed for the organization and the implementation status.
6. Training programs conducted for smooth implementation of the whole process and for continuous updation of the staff working on the systems.
7. Data collection process and the means of its storage.
8. Inspection of monitoring process and rectification process implemented.
9. AMC contracts with the vendor and the roles assigned.
10. Documentation of security Policies and Procedures and verified whether the entity has any Business Continuity Plan and Disaster Recovery Plan
11. Down time report and documentation of online bookings during down time.
12.  

9. References

The following references have been taken for the completion of the assignment:

1. Standards, Guidelines and Techniques for Information Systems Audit and Assurance as issued by DAAB and available in its website.
2. ISA Course Book 3.0 with specific focus on
   • IS Audit Phases
   • Sample Audit Techniques
   • CAAT Tools
   • Protection of Information Assets
3. Auditing Standards issued by ICAI.
4.  

10. Deliverables:

The deliverables of the audit of online booking system i.e., the assignment taken up are as follows:

1. Is there vertical traceability from vision, mission, strategic goals, strategic objectives, and actions?

2. Have metrics been established for measuring and reporting the effectiveness of all established activities and projects?

3. Has the linkage between the activities and projects, their outputs, and ultimately the outcomes and the organization’s strategic goals and strategic objectives been established and communicated internally?

4. Does it meet the requirements for reporting, whether regulatory or organizational?

5. Is there a system administrator with clearly defined roles and responsibilities?

6. Were adequate user requirements developed through meaningful Interaction?

7. Does the system Protect confidentiality and integrity of information assets (CIA) and user personal information?

8. All system resources are protected from un authorized access and use?

9. IS there any terms and conditions of agreement may be adhered to avoid any financial loss to the AMT Ltd by implementing OBC – ERP system?

10. Have workarounds or manual steps been required to meet business needs?

11. Are users trained? Do they have complete and current documentation?

12. Is there a formal change-request process, with documented, authorized policies and related control forms and approvals?

13. Is there any person responsible for formulating and implementing IT policy laying down procedures, rules and regulations?

14. Are all change requests and related activity logged for tracking purposes?

15. Does security administration to follow up on changes to permissions immediately?

16. Whether a back-out plan is developed as a normal aspect of major change?

PHYSICAL ACCESS CONTROLS
Issue : No Individual logins have been created
Cause : User accountability of actions may not be established
Exposure : The operations of OBS – ERP may be affected in case of breakdown or non- availability of relevant personnel. Also, it is exposed to IT threats like Piggybacking, Denial of service, Masquerading.
Recommendation : The users of OBS – ERP need to be given separate user ids and passwords authorised in writing by senior management. Creation of their user id and password should be documented and accepted by the user and kept by senior management in sealed cover in safe custody to be available in case of need. Password policy has to be formulated and passwords should be changed atleast once in 90 days without being reused.
Management Comment : Agree. System manager will create user ids for all authorised users.
Issue : Source code is accessed online
Cause : Unauthorised access
Exposure : Access to the source code of software under development/ maintenance/ testing etc., is done online. Online access of this makes it vulnerable to unauthorised access and eavesdropping.
Recommendation : A review of security and operations settings needs to be done and strong security policy shall be made.
Dial-back procedures shall be followed. Again to reduce the risk of unauthorised dial-in access, remote users should never store their passwords in plain text login scripts on notebooks and laptops.
Secure VPN can be created by building a secure communications link between two nodes by emulating the properties of a point-to-point private link.
Management Comment : Agree. Will be reviewed and modified as required.
Issue : Screensavers with passwords or session locks with passwords
Cause : Unauthorised access
Exposure : Open telnet sessions can be easily accessed by unauthorised user if the original user is not at his/her desk and if the screensavers are not password protected.
Recommendation : Session locks and screensavers shall be password protected. Password policy shall be maintained. Educating users is a critical component about passwords, and making them responsible for their password is one of the best controls against various threats and exposures.
Management Comment : Agree and will follow
Issue : On line Booking ID’s are missing
Cause : Access denied
Exposure : Result in Integrity and completeness of data being missed. So, maintain a storage database for storing Online Booking ID’s and Passwords.
Recommendation : Maintain a storage database for storing all the data of users and password and user id recovery procedures are implemented
Management Comment : Agree and will implemented
Cause : Unauthorised access
Exposure : For some persons discount is given for online booking in Hotels or mall’s like senior citizens, Award winners etc., If data is missing access is denied to these people and Unauthorized people may access and get concessions in booking by using missed data
Recommendation : For concessional people separate storage database is maintained for storing data.
Management Comment : Agreed and will follow.

DISASTER RECOVERY PLAN
ISSUE : Lack of Specific Disaster Recovery Plan/Procedure
CAUSE : Resumption and Recovery to normal conditions in the event of disaster is not possible as required as per policies and objectives
EXPOSURE : Loss of Business, goodwill, profit etc.,
RECOMMENDATION : Develop and Establish a specific and detailed Disaster Recovery Plan
MANAGEMENT COMMENT : Agreed to Develop and establish DRP
ISSUE : Non availability of Backup Systems for the systems supplied
CAUSE : Recovery of the Systems is not possible
EXPOSURE : Loss of data
RECOMMENDATION : Purchase Backup Systems
MANAGEMENT COMMENT : Agreed to purchase and provide Backup systems
ISSUE : No Redundancy for Telecommunication Equipment
CAUSE : Loss of communication
EXPOSURE : Non availability of telecommunication
RECOMMENDATION : Take actions to maintain Redundancy for Communication Equipment
MANAGEMENT COMMENT : Agreed to make Redundancy for Telecommunications
ISSUE : No proper Security and environmental controls for Off-site Storage media in Protected vault
CAUSE : Threat of storage media theft and unauthorised access
EXPOSURE : Unauthorised access and loss of valuable information
RECOMMENDATION : provide proper security controls for media
MANAGEMENT COMMENT : Agreed and appointed Security Guard and try to implement environment controls soon
ISSUE : No Alternative Processing capabilities
CAUSE : There will be huge business/process interruption till resumption to normal conditions from the event of disaster happen
EXPOSURE : Delay and damage to organization in the form of data loss, reputation loss etc.,
RECOMMENDATION : Arrange alternative processing capabilities
MANAGEMENT COMMENT : Agreed and try to made arrangements soon
ISSUE : No Disaster Recovery Teams at All
CAUSE : There will be a great confusion to implement DRP in the event of disaster
EXPOSURE : Implementing of DRP may not possible
RECOMMENDATION : Establish disaster recovery teams with specific responsibilities
MANAGEMENT COMMENT : Agreed and identified Teams
ISSUE : Non-Maintenance of DRP
CAUSE : DRP is not up to date and may not be useful in the event of disaster occurrence
EXPOSURE : Outdated DRP doesn’t serve the purpose
RECOMMENDATION : Establishing Procedures and policies to maintain operation and effectiveness of DRP including testing the DRP etc.,
MANAGEMENT COMMENT : Agreed to develop a customized DRP for TOLL and establish testing and requirements at regular intervals
ISSUE : Not following ABC Conventions for protection and back up of data
CAUSE : Compromise for protection and data backup may arise
EXPOSURE : Non-availability of Data
RECOMMENDATION : Recommended to follow the ABC conventions
MANAGEMENT COMMENT : Agreed and made arrangements to follow the same Conventions as per the ABC
ISSUE : Not maintaining storage of data, work product or deliverables off-site for the period mentioned in Service level agreement (SLA)
CAUSE : Required data may not be available for required purposes
EXPOSURE : Data leakage and information gap
RECOMMENDATION : Recommended to follow the SLA
MANAGEMENT COMMENT : Agreed to retain the data etc., as per SLA period

12. Summary/Conclusion:

The company should keep addressing the following risks to security in particular to ensure continuity of business systems:

1. A. Information Security-Top Level Management should consider the ease with which systems could be compromised by referring to the case studies and should ensure good security practices are implemented, up-to-date and regularly tested and enforced for key computer systems. They should also conduct ongoing reviews of user access to systems to ensure they are appropriate at all times.
2. B. Business continuity- The Company should have a business continuity plan, a disaster recovery plan and an incident response plan. These plans should be tested on a periodic basis.
3. C. Management of IT risks- The Company needs to ensure that IT risks are identified, assessed and treated within appropriate timeframes and that these practices become a core part of business activities and executive oversight.
4. D. IT operations- The Company should ensure that they have appropriate policies and procedures in place for key areas such as IT risk management, information security, business continuity and change control. IT strategic plans and objectives support the business strategies and objectives.
5. E. Change Control-Change control processes should be well developed and consistently followed for changes to computer systems. All changes should be subject to thorough planning and impact assessment to minimize the likelihood of problems. Change control documentation should be current and approved changes formally tracked
6. F. Physical security- The Company should develop and implement physical and environmental control mechanisms to prevent unauthorised access or accidental damage to computing infrastructure and systems.