
Navratnas and IT: Not a very good report card

CIOL Bureau



NEW DELHI: A recent Information Technology Audit of various software programmes has revealed weaknesses and deficiencies at PSUs such as National Aviation Company, Coal India Ltd, Bharat Electronics, GAIL, IOC and ONGC. The Comptroller and Auditor General of India’s (C&AG) Audit Report No. CA 23 of 2009-10 – Information Technology Applications in Public Sector Undertakings (Compliance Audit) was tabled in Parliament yesterday. The report points out inadequacies in public sector companies’ experiences with IT.


Report No. CA 23 of 2009-10 contains the results of an Information Technology Audit of different IT applications used in various areas of activity in nine Public Sector Undertakings (PSUs) under five Ministries. This was shared in a press release by the Press Information Bureau under the Ministry of Finance.

Some common deficiencies noted in the audit were: incorrect mapping of business rules; business continuity plans, disaster recovery plans and IT security policies that were either not in place or, where formulated, deficient; and weaknesses in input controls and validation checks, which did not ensure completeness, reliability and integrity of data.

To start with, the Frequent Flyer Programme of National Aviation Company of India Limited, a customer loyalty reward programme, was found to have deficient input controls, resulting in the issuance of award tickets even when adequate mileage points were not available to the credit of members. The system also had deficient information security controls, due to which the confidentiality, integrity and availability of information could be compromised.


In another instance, Coal India Limited (CIL) decided to implement a computer network project, ‘CoalNet’, for data sharing between the Ministry of Coal, CIL and its subsidiaries. The CoalNet project was not implemented completely in any of the subsidiary companies even after seven years, due to non-standardization of the business process. The absence of a standard backup procedure made the data unsafe against disasters. Lack of adequate training on CoalNet and non-availability of user manuals also indicated the absence of a business continuity plan. The implementation of CoalNet remained unsatisfactory despite an investment of Rs.39.58 crore.

At Bharat Electronics Limited, which introduced SAP in October 2006 in the Bangalore Complex, the audit showed that the savings projected by the Company from the implementation of SAP, in inventory carrying cost, cost of goods sold and reduction in sundry debtors, did not materialize. Failure to design the required controls in the system, inappropriate customization etc. during data migration resulted in non-utilization of the SAP system to its full potential, and as a result the integrity and accuracy of the data could not be ensured. Consequently, the Company still depended on the legacy system and resorted to manual interventions.

Biecco Lawrie Limited undertook computerization without formulating an IT policy and developed several modules. Deficiencies in system design, such as non-integration of different modules with finance modules and non-enforcement of data integrity, resulted in manual intervention at each stage, which rendered the system vulnerable to the risk of incorrect generation of data. In view of such deficiencies, the Company could not achieve the complete benefits of computerization.


A review of the RAMCO e-Application system in Chennai Petroleum Corporation Limited revealed control weaknesses: user IDs were not linked with employee IDs, and employee-wise entry details (IN entries) did not match exit details (OUT entries), which defeated the primary objective of access control. Non-integration of the RAMCO e-Applications system among various units resulted in manual intervention and led to a risk of data entry errors. The absence of a provision for maintaining a history of changes in the system resulted in a lack of audit trails.

GAIL (India) Ltd. switched over to the SAP ERP system in August 2005. A review of the Financial Accounting module and e-Security issues for the period August 2005 to September 2008 revealed a lack of input controls, validation checks and supervisory controls, leading to an unreliable database. Inadequate customization of the system led to incomplete or incorrect data. Non-rationalized user roles and authorizations to critical combinations and sensitive transactions posed the risk of misuse and manipulation.

The Audit also reviewed the implementation and customization of the Material Management module of Indian Oil Corporation Limited. The review revealed deficiencies in the input controls and validation checks, which ran the risk of unreliable data entering the system. Some features of the system were not adequately customized.

The Human Resource module of the SAP system of Oil and Natural Gas Corporation Limited was not customized for manpower planning activities, determination of staffing needs, or selection of personnel for various postings based on pre-defined criteria. Lack of input controls in the system also resulted in the feeding of erroneous and incomplete data, affecting the integrity of the data maintained.

Bokaro Steel Plant (BSP) of Steel Authority of India Limited computerized the Invoicing System, which comprised a ‘File Server System’ using Oracle9i developed in-house. It was seen that there were multiple data entries of the same source data, which delayed the preparation of invoices. There were inadequate physical access controls as well as environmental controls, which rendered the System and data unsafe against unauthorized access as well as fire hazards.