| Sr. No. | Process | Attribute | Activity Description | Reference |
|---|---|---|---|---|
| 1 | ITGC | Control Environment | Access Rights | |
| 2 | ITGC | Control Environment | Closing of Accounting period/year in the Accounting Software | |
| 3 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 4 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 5 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 6 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 7 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 8 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 9 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | |
| 10 | ITGC | Information & Communication | Selects and develops general controls over technology | |
| 11 | ITGC | Information & Communication | Selects and develops control activities to mitigate risks | |
| 12 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 13 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 14 | ITGC | Control Environment | Identifies risks to the achievement of objectives and analyses risks to manage them | |
| 15 | ITGC | Control Environment | Assesses fraud risk to the achievement of objectives | |
| 16 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | |
| 17 | ITGC | Control Environment | Selects and develops control activities to mitigate risks | |
| 18 | ITGC | Control Environment | Identifies and analyses significant changes that could impact internal controls | |
| 19 | ITGC | Control Environment | Selects and develops general controls over technology | |
| 21 | ITGC | Control Environment | Selects and develops general controls over technology | |
| Sr. No. | Identification of Risk of Material Misstatement ("What Could Go Wrong"): Risk Description | Control Ref Number |
|---|---|---|
| 1 | Editable access of eCIB application provided to persons other than SBP's employees (Internal and Statutory Auditors, Consultants, etc.) | ITGC 02 |
| 2 | Erroneous/intentional posting of Accounting entry in the earlier closed period/year | ITGC 02 |
| 3 | Unauthorized access to eCIB application and database results in errors in CIB reporting | ITGC 03 |
| 4 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 02 |
| 5 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 6 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 7 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 8 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 9 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 10 |
| 10 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 11 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 03 |
| 12 | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 |
| 13 | Absence of regular back-up which may lead to loss of crucial data | ITGC 04 |
| 14 | Servers and end users PCs are infected with virus | ITGC 05 |
| 15 | Unauthorized access to the IT systems, applications and data by external parties | ITGC 05 |
| 16 | Unauthorized access to IT systems, applications and data results in errors in financial reporting | ITGC 06 |
| 17 | Significant developments and changes to information systems relevant to financial reporting are made, resulting in errors in financial reporting. | ITGC 06 |
| 18 | Errors in changes made to key applications relevant to financial reporting. | ITGC 06 |
| 19 | Problems and incidents are not effectively managed. | ITGC 09 |
| 21 | Intentional sharing of crucial and confidential data of the SBP's by staff to outsiders (e.g. competitors) | ITGC 07 |
| Sr. No. | Control That Addresses Risk of Material Misstatement: Control Name | Classification of Inherent Risk (Normal, Significant) | Risk Associated with the Control (Not Higher, Higher) | Operating Frequency (Annually, Quarterly, As Needed) |
|---|---|---|---|---|
| 1 | View-only access of eCIB application provided to persons other than SBP's employees (Internal and Statutory Auditors, Consultants, etc.) who are not required to modify the financial transactions | Significant | Higher | As Needed |
| 2 | Closing of previous period/year to restrict back-dating of transactions | Significant | Higher | As Needed |
| 3 | 1. For CMS System - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login; 2. For Tally - all new users are given a pre-expired password and the system prompts the user to set a new password at the time of first login | Significant | Higher | As Needed |
| 4 | 1. For CMS - users' access rights are granted by IT only upon specific approval by the concerned functional head; 2. For Tally - users' access rights are granted by IT only upon specific approval by the concerned functional head | Significant | Higher | As Needed |
| 5 | System prompts the user to change the password after the expiration of 30 days. | Normal | Not Higher | As Needed |
| 6 | Password must contain at least 7 characters, alphanumeric (alphabets, numbers and special characters). | Normal | Not Higher | As Needed |
| 7 | If the password is wrongly entered continuously 5 times within 30 minutes, the respective login id gets locked. | Normal | Not Higher | As Needed |
| 8 | If a user is not accessing the system for more than a specified time, the system gets automatically locked. | Normal | Not Higher | As Needed |
| 9 | There exists a periodic review of the user profiles for systems access, to confirm appropriateness. | Normal | Not Higher | As Needed |
| 10 | Requests for creation of new user ids are received by the IT Executive on a standardized form, duly signed by the respective HOD. | Significant | Higher | As Needed |
| 11 | 1. User termination or resignation is communicated to the IT Executive through email by HR; 2. The user account is disabled immediately after receiving the email request. Before processing this request, IT archives the mailbox of the user; 3. The Full & Final Settlement Form is signed by the IT Executive only when the necessary access rights have been disabled in the system. | Normal | Not Higher | As Needed |
| 12 | 1. Regular back-up strategy defined for the server and auto-back-up is taken at a defined frequency; 2. Retrieval is tested at a reasonable frequency | Significant | Not Higher | As Needed |
| 13 | Off-site storage of back-up to tackle any unforeseen event at the office premises. | Significant | Not Higher | As Needed |
| 14 | 1. Desktops: all user desktops are installed with an anti-virus scanner, which scans new files on an ongoing basis; 2. Servers: all servers are installed with an anti-virus scanner; 3. Gateway: the mail server is managed and all emails are scanned by a threat management gateway; 4. The anti-virus gets automatically updated with the latest version through the auto-update process | Significant | Not Higher | As Needed |
| 15 | 1. Firewalls have been installed; 2. The logs are regularly reviewed by the IT Executive | Significant | Not Higher | As Needed |
| 16 | Changes in programs can be made only with prior approval of the Board of Directors or the HOD concerned, with the simultaneous involvement and approval of the IT personnel. | Significant | Not Higher | As Needed |
| 17 | Decisions around significant developments and changes to information systems relevant to financial reporting are made in conjunction with the Finance Manager and after approval of the BOD | Significant | Not Higher | As Needed |
| 18 | Specific changes are made to key applications relevant to financial reporting only after sign-off from the relevant stakeholders | Significant | Not Higher | As Needed |
| 19 | In-house IT personnel resolve issues faced by users as required | Normal | Not Higher | As Needed |
| 21 | 1. Deactivation of external storage devices on SBP's PCs; 2. Restricting access to all public sites and domains | Significant | Higher | As Needed |
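Controls 5 to 8 above are stated as parameters (30-day expiry, 7-character alphanumeric-plus-special passwords, lockout after 5 wrong entries within 30 minutes, auto-lock on inactivity) but the deficiency column records that the applications do not actually enforce them. The following is an added reference implementation of those four checks, written for this page and not taken from the audited entity's systems (Tally, CMS or Sensys TDS); the idle threshold of 15 minutes and the sample timestamps are assumptions, since the matrix only says "specified time".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

PASSWORD_MIN_LEN = 7                    # control 6
PASSWORD_MAX_AGE = timedelta(days=30)   # control 5
LOCKOUT_FAILURES = 5                    # control 7
LOCKOUT_WINDOW = timedelta(minutes=30)  # control 7: failures are counted in a sliding window
IDLE_TIMEOUT = timedelta(minutes=15)    # control 8: assumed value, the matrix says "specified time"
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|~`'\"")
EPOCH = datetime(2024, 1, 1, 9, 0)      # constructed reference time for the sample run


def at(minutes: float) -> datetime:     # constructed timestamp helper: EPOCH plus N minutes
    return EPOCH + timedelta(minutes=minutes)


def password_meets_policy(pw: str) -> bool:
    """Control 6: at least 7 characters, mixing letters, digits and special characters."""
    has = lambda f: any(f(c) for c in pw)
    return len(pw) >= PASSWORD_MIN_LEN and has(str.isalpha) and has(str.isdigit) and has(SPECIALS.__contains__)


@dataclass
class Account:
    login_id: str
    password: str
    password_set_at: datetime
    failures: List[datetime] = field(default_factory=list)  # timestamps of wrong passwords
    locked: bool = False
    last_activity: Optional[datetime] = None

    def login(self, attempt: str, now: datetime) -> str:
        """One login attempt; returns 'locked', 'wrong', 'expired' or 'ok'."""
        if self.locked:
            return "locked"
        if attempt != self.password:
            # Control 7: keep only failures inside the 30-minute window, then count this one.
            self.failures = [t for t in self.failures if now - t < LOCKOUT_WINDOW]
            self.failures.append(now)
            if len(self.failures) >= LOCKOUT_FAILURES:
                self.locked = True
                return "locked"
            return "wrong"
        self.failures.clear()
        self.last_activity = now
        # Control 5: a correct password older than 30 days must be changed before use.
        return "expired" if now - self.password_set_at > PASSWORD_MAX_AGE else "ok"

    def session_locked(self, now: datetime) -> bool:
        """Control 8: the session is locked once idle for longer than IDLE_TIMEOUT."""
        return self.last_activity is None or now - self.last_activity > IDLE_TIMEOUT
```

A live-check of the kind planned in the substantive procedures (five wrong passwords in quick succession, then a correct one) should return "locked" from the fifth attempt onward; an application that returns "wrong" and then "ok" has the deficiency recorded against control 7.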
| Sr. No. | Nature of Control | Control: Automated or Manual | Deficiencies | Control Exist (Yes/No) |
|---|---|---|---|---|
| 1 | Preventive | Automated | Editable access of eCIB application provided to persons other than SBP's employees (Internal and Statutory Auditors, Consultants, etc.) | No |
| 2 | Preventive | Automated | Previous closed month/year is not blocked for editing transactions | No |
| 3 | Preventive | Automated | For Tally - all three users are given the same password, which is not required to be changed either after first login or subsequently | 1. Yes; 2. No |
| 4 | Preventive | Automated | For Tally - all the users in the accounts dept. are sharing a common user-id and password and have the same access rights | 1. Yes; 2. No |
| 5 | Preventive | Automated | System does not give any alerts or notifications to force-change the password after expiration of 30 days | No |
| 6 | Preventive | Automated | Password logic is not defined | No |
| 7 | Preventive | Automated | No locking of login id upon incorrect entries of password. | No |
| 8 | Preventive | Automated | - | Yes |
| 9 | Both Preventive & Detective | Automated | No periodic review of user profiles for system access. | No |
| 10 | Preventive | Manual | No procedure of sending a standard form duly signed by the respective HOD for new user-id creation. | No |
| 11 | Preventive | Manual | 1. No procedure of sending an email request for disabling the access rights from the system; 2. IT Executive does not sign the Full & Final Settlement form regarding disabling access rights from the system | No |
| 12 | Preventive | Automated | - | Yes |
| 13 | Preventive | Automated | There is no off-site storage of the back-up server | No |
| 14 | Preventive | Automated | - | Yes |
| 15 | Preventive | Automated | The logs are not reviewed by the IT Executive | 1. Yes; 2. No |
| 16 | Preventive | Automated | - | Yes |
| 17 | Preventive | Automated | - | Yes |
| 18 | Preventive | Automated | - | Yes |
| 19 | Preventive | Automated | - | Yes |
| 21 | Preventive | Automated | Access to public sites and domains has not been restricted | 1. Yes; 2. No |
| Sr. No. | Remedial methods | Control Design Conclusion (Effective, Ineffective) | Control Operational Effectiveness Conclusion |
|---|---|---|---|
| 1 | Eligible persons other than designated employees to be provided view-only access of eCIB application | Ineffective | |
| 2 | Block previous closed month/year for editing transactions | Ineffective | |
| 3 | For Tally - give all the users individual pre-expired passwords, which the users need to change at the time of first log-in | 1. Effective; 2. Ineffective | |
| 4 | For Tally - give all the users separate user-id password and access rights. | 1. Effective; 2. Ineffective | |
| 5 | Introduce a password change policy whereby the system gives a pop-up to force-change the password after expiration of 30 days | Ineffective | |
| 6 | Define a Password policy | Ineffective | |
| 7 | Define a Password policy | Ineffective | |
| 8 | - | Effective | |
| 9 | Introduce a process of periodic review of user profiles for system access. | Ineffective | |
| 10 | Require request for new user-id creation to be sent to the IT Executive through a duly signed standard form | Ineffective | |
| 11 | 1. Introduce a procedure of sending email request for disabling the access rights from the system; 2. Require signature by IT Executive on the Full & Final Settlement form confirming disabled access rights from the system | Ineffective | |
| 12 | - | Effective | |
| 13 | Ensure off-site storage of back-up for ensuring safety of back-up | Ineffective | |
| 14 | - | Effective | |
| 15 | Require regular review of logs by IT Executive | 1. Effective; 2. Ineffective | |
| 16 | - | Effective | |
| 17 | - | Effective | |
| 18 | - | Effective | |
| 19 | - | Effective | |
| 21 | Restrict access to public sites and domain | 1. Effective; 2. Ineffective | |
| Sr. No. | Substantive Procedures Planned | Evidence of Control | Control Owner | Process Owner |
|---|---|---|---|---|
| 1 | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 2 | Access right restriction | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 3 | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive |
| 4 | Process of granting access rights | As per discussion with IT Executive | Finance Manager | IT Executive |
| 5 | Conduct live-check for password change | As per discussion with IT Executive | Finance Manager | IT Executive |
| 6 | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 7 | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 8 | Conduct live-check for auto-locking of system | As per discussion with IT Executive | Finance Manager | IT Executive |
| 9 | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 10 | Standard forms duly signed by respective HOD to be checked | As per discussion with IT Executive | Finance Manager | IT Executive |
| 11 | Review the procedure of disabling access rights from the system | As per discussion with IT Executive and Finance Manager | Finance Manager | IT Executive |
| 12 | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive |
| 13 | Review back-up policy | As per discussion with IT Executive | Finance Manager | IT Executive |
| 14 | Check for working of anti-virus software on selected PCs | As per discussion with IT Executive | Finance Manager | IT Executive |
| 15 | - | As per discussion with IT Executive | Finance Manager | IT Executive |
| 16 | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 17 | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 18 | Review the significant changes made during the year | As per discussion with IT Executive | Finance Manager | IT Executive |
| 19 | Review the mechanism of solving the problems and incidents faced by the users | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| 21 | Ensure whether external storage devices are deactivated and access to public sites has been restricted | As per discussion with IT Executive and various users | Finance Manager | IT Executive |
| Sr. No. | Application System | Is IPE used in performing relevant Control? | If yes, List of IPE | Reference of Testing Work paper for conclusion on Control Design, Implementation |
|---|---|---|---|---|
| 1 | Tally | No | - | - |
| 2 | Tally | No | - | - |
| 3 | 1. CMS; 2. Tally | No | - | - |
| 4 | 1. CMS; 2. Tally | No | - | - |
| 5 | Tally, CMS, Sensys TDS | No | - | - |
| 6 | Tally, CMS, Sensys TDS | No | - | - |
| 7 | Tally, CMS, Sensys TDS | No | - | - |
| 8 | Tally, CMS, Sensys TDS | No | - | - |
| 9 | CMS | No | - | - |
| 10 | - | No | - | - |
| 11 | - | No | - | - |
| 12 | CMS, Sensys TDS | No | - | - |
| 13 | CMS, Sensys TDS | No | - | - |
| 14 | - | No | - | - |
| 15 | - | No | - | - |
| 16 | Tally, CMS | No | - | - |
| 17 | Tally, CMS | No | - | - |
| 18 | Tally, CMS | No | - | - |
| 19 | CMS, Sensys TDS & Matrix Cosec | No | - | - |
| 21 | - | No | - | - |