DR, IT Security Policies Not In Place In PSUs: CAG Report

The Comptroller and Auditor General of India’s (C&AG) Audit Report No CA 23 of 2009-0 – Information Technology Applications in Public Sector Undertakings (Compliance Audit) was tabled in the Parliament yesterday i.e., July 9, 2009.

This report contains results of the Information Technology Audit of different IT applications used in various areas of activity in nine Public Sector undertakings (PSUs) under five Ministries.

Some common deficiencies noted in audit were incorrect mapping of business rules; the business continuity plans, disaster recovery plans and IT security policies were either not in place and where formulated were deficient; and weaknesses in input controls and validation checks did not ensure completeness, reliability and integrity of data.

The Information Technology Audit of various software programmes revealed the following weaknesses/ deficiencies:

- The Frequent Flyer Programme of National Aviation Company of India is a customer loyalty reward programme. The IT audit revealed deficient input controls resulting in issuance of award tickets even when adequate mileage points were not available at the credit of members. The system had deficient information security controls due to which confidentiality, integrity and availability of information could be compromised.

More from Biztech

Future Group - Reliance Retail Deal approved by CCI RBI ban on cryptocurrencies takes effect; prohibition could force investors to tap the black market

- Coal India Limited (CIL) decided to implement a computer network project ‘CoalNet’ for data sharing between the Ministry of Coal, CIL and its subsidiaries. The CoalNet project was not implemented completely in any of the subsidiary companies even after seven years due to non-standardisation of the business process. Absence of standard back-up procedure made the data unsafe against disasters. Lack of adequate training on CoalNet and non-availability of user manuals also indicated the absence of a business continuity plan. The implementation of CoalNet remained unsatisfactory despite an investment of Rs 39.58 crore.

- Bharat Electronics introduced SAP in October 2006 in Bangalore Complex and subsequently in other units. Acquisition and implementation of SAP, utilisation of Production Planning and Material Management modules of SAP at Bangalore Complex were reviewed. The savings projected by implementation of SAP towards inventory carrying cost, cost of goods sold and reduction in sundry debtors by the company did not materialise. Failure to design the required controls in the system, inappropriate customisation etc during data migration resulted in non-utilisation of the SAP system to its full potential and as a result the integrity and accuracy of the data could not be ensured. Consequently, the company still depended on the legacy system and resorted to manual interventions.

- Biecco Lawrie undertook computerisation without formulating an IT policy and developed several modules. The deficiencies in system design like non-integration of different modules with finance modules and non-enforcement of data integrity resulted in manual intervention at each stage, which rendered the system vulnerable to the risk of incorrect generation of data. In view of such deficiencies, the company could not achieve the complete benefits of computerisation.

- A review of RAMCO e-Application system in Chennai Petroleum Corporation revealed control weaknesses such as users’ IDs were not linked with employee ID and employee-wise entry details (IN entries) did not match with exit details (OUT entries), which defeated the primary objective of access control. Non-integration of the RAMCO e-Application system among various units resulted in manual intervention and led to risk of data entry errors. Non-provision of maintaining history of changes in the system resulted in lack of audit trails.

- GAIL (India) switched over to SAP ERP system in August 2005. Review of the Financial Accounting module and e-Security issues for the period August 2005 to September 2008 revealed lacking input controls, validation checks and supervisory controls leading to an unreliable database. Inadequate customisation of the system led to incomplete or incorrect data. Non-rationalised user roles and authorisations to critical combinations and sensitive transactions posed the risk of mis-use and manipulation.

- Audit reviewed the implementation and customisation of Material Management module of Indian Oil Corporation. The review revealed deficiencies in the input controls and validation checks, which ran the risk of unreliable data entering into the system. Some features of the system were not adequately customised.

- Human Resource module of the SAP system of Oil and Natural Gas Corporation (ONGC) was not customised for manpower planning activities, determination of staffing needs, selection of personnel for various postings based on pre-defined criteria etc. Lack of input controls in the system also resulted in feeding of erroneous and incomplete data affecting integrity of data maintained.

- Bokaro Steel Plant (BSP) of Steel Authority of India Limited (SAIL) computerised the Invoicing System, which comprised a ‘File Server System’ using Oracle9i developed in house. It was seen that there were multiple data entries of the same source data, which delayed the preparation of invoices. There were inadequate physical access controls as well as environment controls, which rendered the system and data unsafe against unauthorised access, as well as fire hazards.