a) Internal Audit

With the pace of change globally, the advent of newer technologies across business domains, increased compliance requirements and the varied cultures in which it operates, a company is exposed to more risk than it used to be.

The role of internal audit is to provide independent assurance that an organization’s risk management, governance and internal control processes are operating effectively. It is thus a professional service offered to add value and improve an organization’s operations. Internal auditors deal with issues that are fundamentally important to the survival and prosperity of any organization. Unlike external auditors, they look beyond financial risks and statements to consider wider issues such as the organization’s reputation, growth, its impact on the environment and the way it treats its employees. Internal audit can help an organization accomplish its strategic objectives by bringing a systematic, disciplined approach to evaluating and improving the effectiveness of risk management, control, and governance processes.

The pace at which things are changing has a significant impact on the internal audit function. Internal Audit has to help the organization address the risks it faces, anticipate risks and mitigate them.

Internal Audit has been mandated in the Companies Act 2013 for companies beyond threshold limits. As a result, it is imperative for these companies to lay down a structured internal audit approach and execute it. However, the need for internal audit should be seen as a partnership for improvement. Internal Audit function should be drivers or catalysts for

How can Ankekshan help?


a. Co-Sourcing
  • No internal audit department is able to have all the technical and expert resources it requires on hand at all times. Therefore, attempting to have full-time staff available to meet every internal audit need may not be a practical approach.
  • Whether you need to address a shortage of traditional internal audit staff or require specialized internal audit professionals, we deliver.
  • We deploy multidisciplinary teams of professionals experienced in financial and operational internal auditing, IT, fraud analytics and risk assessment to augment and enhance an organization’s existing internal audit capabilities.
  • We conduct offline testing of SOX controls as a part of offshore activity.
b. Full Outsourcing
  • As internal audit needs are unique, we provide a high level of service and expertise under a continuous full-service outsourcing arrangement.
  • This plan assists the client with managing process and technology risks and efficiently integrating technology with critical business processes. These services can help management better understand and monitor the performance of core operations and support functions, as well as ensure the proper level of control.

Post Implementation Review

ERP implementation revolves around meeting the go-live date. More often than not, controls are diluted to some extent to achieve business continuity through the new ERP. A post implementation review ensures that General computer controls and specific module-level application controls are strengthened, and that management gets positive assurance on the success of the ERP implementation and the adequacy of the control environment.

Ankekshan has expertise in SAP and Oracle ERPs. We also offer support for custom-developed ERPs for the manufacturing and service sectors, including banking.

Objectives achieved from Post Implementation Controls Review
  • Assurance on automated controls and SAP configuration as per Management’s intent
  • Enhanced control environment by remediating gaps observed in weak automated controls and configurations
  • Enhanced security by remediating gaps observed in Basis audit
  • SAP improvement through identification of best practices, optimization of SAP functionalities and optimization of user licenses
  • Process standardization by identifying gaps between documented controls/configuration and actual implementation, the Change Management Process, and User Management, in particular Segregation of Duty conflicts

The typical scope of any post implementation review covers the following:

I. SCOPE FOR IT GENERAL CONTROLS AUDIT
  • Review of User Management, Change Management and Back up Procedures
  • Review of Physical Security of Data Centre
  • Review of SAP Database and Application security by conducting ‘Basis’ audit
  • Determining SOD conflicts using automated tools
  • Suggesting best practices in User Management
II. SCOPE FOR REVIEW OF AUTOMATED CONTROLS
  • Testing of Automated Controls in SAP
  • Review of configurations and Parameters
  • Review of As-Is/To-Be documents
  • Identify areas where automated controls / Workflows can be enabled
  • Suggest best practices

Computer Generated Report Testing


Need for report testing

The audit team relies on a good number of reports generated from the ERP system during the conduct of an audit in an automated environment. In order to rely on computer generated information, it is necessary to understand, evaluate and validate the reports for their integrity from a completeness and accuracy perspective.

Reports


Reports generated from ERP systems can be categorized into the following four types from a testing perspective.

  • Transaction Report: display of available data in a meaningful format
  • Calculated Report: uses available data and performs mathematical or statistical functions
  • On the fly Report: report based on certain parameters, which can be dynamic

Ankekshan uses the following validations for testing reports

The following are a few ways by which the integrity of reports can be validated:

  • Sample based testing
  • Re-performance
  • Report Code Review

Data Migration Audit


Data is the essence of any ERP. The volume and sensitivity of the data involved require management to take utmost care in planning and migrating data from legacy systems to the ERP. Accuracy and completeness of master data and transaction data ensure a smooth transition and uninterrupted business.

We at Ankekshan provide the following services:

  • Sequence followed for data upload.
  • Data validation/ integrity/ inter relation checks on the legacy data.
  • Review results of the pilot migration process documents.
  • Review of management-identified gaps and inconsistencies and their resolution
  • Review of test documents used by management to ensure completeness and accuracy of the data proposed to be migrated

Information Security Framework


Unsecured information or data in any organization is the highest business risk. With cloud databases and cloud computing gaining a stronger foothold, organizations should be more vigilant.

An information security management system (ISMS) is a set of policies and procedures for systematically managing an organization's sensitive data. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach.

Ankekshan supports clients in preparing and implementing information security policies based on business requirements. An ISMS typically addresses employee behavior and processes as well as data and technology. It can be targeted towards a particular type of data, such as customer data, or it can be implemented in a comprehensive way that becomes part of the company's culture.

ISO 27001 Readiness


ISO 27001:2013 is an ISO standard for information security. Implementing this standard and obtaining certification under it will increase the confidence of customers. Ankekshan supports readiness and facilitation for ISO 27001 certification. The steps in implementation of ISO 27001 are:

  • Development of Governance framework to implement defined policies and procedures
  • Development of Security Objectives of organization
  • Development of Statement of applicability
  • Development of a Risk assessment methodology and documentation of the risk assessment accordingly
  • Conducting Security Awareness training for staff
  • Generation and maintenance of records by the Organization according to the standard's requirements
  • Internal audits to be conducted on a regular basis to check the adequacy of compliance
  • Corrective actions and preventive actions need to be implemented and
  • Application for final certification

SSAE 16 Readiness


Statement on Standards for Attestation Engagements 16 (“SSAE 16”):

SSAE 16 is a standard for reporting on Controls at the Service Organization. There are 3 types of SSAE 16 reports:

| Type | What it reports on | Users |
|------|--------------------|-------|
| SOC 1 | Internal Controls processes which affect the financials of the User organization | User organization’s Statutory Auditors and CFO |
| SOC 2 | Security, Availability, Processing Integrity, Confidentiality, and Privacy | User Organization, regulators and others (restrictive use). Report is shared under NDA |
| SOC 3 | Security, Availability, Processing Integrity, Confidentiality, and Privacy | Publicly available to anyone |

Further, each type is divided into Type 1 and Type 2. In Type 1, the auditor reports whether controls are designed to meet the Control Objectives as of a specified date, and in Type 2, the auditor reports on the design as well as the operating effectiveness of the controls.

Ankekshan supports clients in building capabilities for any of the above certifications.