This report was prepared for the IS (Information System) Audit and Management course at the Institute of Business Management, which teaches us how to audit a company.
Roche pharma IS Audit and Management
Roche Pharmaceutical IS Audit Report
2015
SUBMITTED TO: SIR MUHAMMAD ASGHAR KHAN
ROCHE PHARMACEUTICAL
By: Arsalan Humayun
Mir Hussain
Mukash Kumar
Aliza Aqeel
Table of Contents
PROJECT PLAN:
o COMPANY INTRODUCTION
o WORK BREAKDOWN STRUCTURE
o CRITICAL AREA
o NETWORK DIAGRAM
o RESOURCE ALLOCATION
o RESPONSIBILITY MATRIX
o BUDGETING
IS AUDIT PLAN:
o RISK ASSESSMENT
   IT AUDITING RANKING TABLE
   AUDIT PLANNING TABLE
   IDENTIFY INHERENT, CONTROL AND DETECTION RISK
   AUDIT ENGAGEMENT RISK ANALYSIS
o PREPARE AUDIT ENGAGEMENT PLAN
   OBJECTIVE
   SCOPE
   CONSTRAINTS
   COMPLIANCE AND CRITERIA
   APPROACH
   CHECKLIST
COMPANY INTRODUCTION
Roche Pharmaceutical is one of the largest and oldest pharmaceutical companies in the world. It was founded by F. Hoffmann-La Roche on October 1, 1896 in Switzerland. Today, Roche creates innovative medicines and diagnostic tests that help millions of patients globally. Roche Pharmaceutical currently stands at 26th in the Pakistani market according to IMS. Roche has a market share of 1.08% and growth of -13.2%.
Targeted treatments were first introduced by Roche Pharmaceutical. With the combined strength of pharmaceuticals and diagnostics, Roche Pharmaceutical is better equipped than any other company in the healthcare business. Two-thirds of our research and development projects are being developed with companion diagnostics.
Roche came to Pakistan in the year 1984. Ahmed Faraz was the managing director till 2015. The Roche plant was set up in the Korangi Industrial Area on the outskirts of Karachi. In recent years, as Roche Pakistan's strategic focus moved towards its biotechnology medicines meant for the treatment of cancer, hepatitis and chronic anemia, most of the traditional pharmaceutical business, along with the factory, was divested in 2010.
Critical Path & Network Diagram
The critical path determines the tasks which have minimum time for their completion. In MS Project the critical path is shown in red, either in the Gantt view or in the network diagram. A task is on the critical path when its total slack is zero. All the zero-slack tasks are then combined, which is known as the critical path, and when it is drawn as a diagram it becomes the network diagram. In my project the critical path is:
9-15-16-17-18-19-20-21.
The network diagram is as follows:
Resource Allocation
Resource allocation first helps you to allocate your available resources to a task. It then helps you to define which resource is needed, which resource is to be used to accomplish which task, and how much effort is needed to complete a task. The resource allocation is as follows:
It shows the available resources, the effort required to do a certain job and the rates per effort.
The resources are assigned to the tasks as follows:
The above shows the tasks to which we assigned the resources needed.
Responsibility Matrix
A responsibility matrix shows the number of tasks and tells you which task will be completed by whom, who will supervise the work and who will provide support for the completion of the task. The responsibility matrix for the group assignment is as follows:
This shows who will do the tasks and who is there for support.
Budgeting
Budgeting decides what the cost of completing the task will be. The budget for the completion of the task given to us is $21,196, and the total number of days in which the task will be completed is 16 days.
Risk Assessment
Risk assessment is a process of evaluating the risk which may be involved in a projected activity or undertaking, i.e. it is to check what risks are involved in the process which we are doing and how we can deal with them.

IT Audit ranking table
The IT audit ranking table is a table which tells, according to the points, which area is more important to be audited and what the audit ranking of each area is.
The following is the ranking table, which tells which areas will be audited first, or you can say which area has more importance so that it should be audited first, in which departments they are significant, how many issues are known and how many inherent risks are known.

Potential Audit   Audit Ranking   Total points   Known Issues   Inherent risk   Benefits   Mgmt. input
---------------   -------------   ------------   ------------   -------------   --------   -----------
Entity Control    1               30             8              6               8          8
Database          2               27             7              6               8          6
Data center       3               19             3              5               8          3

Audit planning table
The audit planning table is a table which shows which area is audited first, how long it will take to get audited and who is responsible for performing the auditing activity. This table is significant for auditing as it tells who is responsible for auditing which area.
The following is the planning table, which shows the time frame: at what time each area will be audited, whether the area was audited last time, if yes then when, and who is responsible for auditing that area.

Audit Area       Time frame   Date of last test   Responsibility
--------------   ----------   -----------------   -----------------------------------
Database         Day 1        2013                Arsalan, Mir Hussain and Aliza
Entity control   Day 2        2014                Arsalan, Mukash and Mir Hussain
Data center      -----        Never               No one as it is not present
Audit engagement Risk analysis
Audit engagement risk analysis tells what the three types of risk included in auditing are. The three types of risk are as follows:
INHERENT RISK: Inherent risk is a risk an organization is predisposed to. For example: Hacking: A university is an open system, with no limitations on installed software and BYOD devices. Student homework must be protected.
CONTROL RISK: Control risk is a risk that a control has a vulnerability. For example: Insufficient Firewall/IPS Restrictions: While much of the university network is open, critical databases must be in a secure zone with a high level of restrictive access.
DETECTION RISK: Detection risk is the risk of an auditor not detecting a problem. For example: Hacker within Confidential Zone: This audit may not detect an infiltrated Confidential Zone or critical vulnerability.
The three risks above (inherent, control and detection risk) as they apply to Roche Pharmaceutical are as follows:
INHERENT RISK:
The inherent risk involved in Roche Pharmaceutical is:
In the pharmaceutical industry all the companies make the same medicine using the same formula and the same standards. So any company which jumps into this industry will face the risk of being knocked down, as all the products are the same.
CONTROL RISK:
The control risk involved in Roche Pharmaceutical is:
The R&D department fails to develop an innovative treatment to get a competitive advantage over the competitors.
Formula leakage is also a risk, as the R&D of a new formula can be leaked out to the competitors.
DETECTION RISK:
The detection risk involved in Roche Pharmaceutical is:
Change of formula within the confidential zone: if a production manager or anyone who is authorized to go into the confidential zone changes a formula, then it cannot be detected by an auditor.
Audit engagement Plan
When an auditor has to audit a firm, he gives a plan which he calls an engagement plan. In this he gives the details of his objective, scope, constraints, compliance & criteria, approach and checklist. This helps the auditor tell the company what he will audit and how he will audit it. It also tells when the audit will take place, what the approach will be, and what he has done.
The audit engagement plan for Roche Pharmaceutical is as follows:
Objective: Determine safety of confidential zone entry.
Scope: Penetration test on confidential zone formula room.
Constraints: Must be performed before factory closing.
Compliance & Criteria: Employee entry policy, EFPIA, FDA, MHRA, GMP, GCP
Approach: 1. Tester has valid credentials ('employees' entry record).
2. Tester uses manual and automated entry testing tools.
Checklist: The following database: CZ_Enty_Emp.
The following security attacks: force entry and fake illusion entry.