System Audit of A Hospital Automation System

The audit will assess the hospital's automation system including access controls, change management, data backup, and disaster recovery. The audit team will review IT infrastructure, vulnerability management, and conduct penetration testing. Interviews will assess related processes and compliance with privacy regulations.

Uploaded by: CA Brigit Peter
Copyright © All Rights Reserved

CERTIFICATE

Project report of DISA 3.0 Course

This is to certify that we have successfully completed the DISA 3.0 course training
conducted at: 9, V.K. Menon Bhawan, Bhagwan Dass Road, Opposite Supreme Court,
New Delhi-110032 from 19-Aug-2023 to 24-Sep-2023

and we have the required attendance. We are submitting the Project titled: “System
Audit of a Hospital Automation System”.

We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for
the project. We also certify that this project report is the original work of our group
and each one of us has actively participated and contributed in preparing this
project. We have not shared the project details or taken help in preparing the project
report from anyone except members of our group.

Name                 Membership No   Signature
CA Abhishek Gupta    560692          ………..sd……………
CA Akhil Mohanan     261045          ………..sd……………
CA Mohd Nasir        530474          ………..sd……………

Place: New Delhi

Date: 10.09.2023

Table of Contents

Details of Case Study/Project (Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Report/Findings and Recommendations
12. Summary/Conclusion
Project Report
System Audit of a Hospital Automation System

A. Details of Case Study/Project (Problem)

The hospital automation system is a critical system that manages all patient data,
including medical records, personal information, and billing details. The system
includes various software applications, databases, and servers. The regulatory
requirements for the healthcare industry, such as HIPAA and HITECH, are applicable
to the hospital. The hospital has an information security policy that outlines the
guidelines for data protection, access control, and disaster recovery.

The scope of the audit includes reviewing the hospital automation system’s controls,
including access controls, change management, data backup, and disaster recovery.
The audit will also review the hospital’s information security policies and procedures
to ensure that they align with regulatory requirements.

The audit team will review the hospital’s IT infrastructure, including servers, network
devices, and security devices. The team will also assess the hospital’s vulnerability
management process and conduct a penetration testing exercise to identify any
vulnerabilities that may exist.

In addition to the technical assessment, the audit team will conduct interviews with
key personnel, including the hospital’s IT staff and management, to understand the
hospital’s processes and controls related to the automation system.

To ensure the audit’s success, the audit team will require access to the hospital
automation system and relevant documentation, such as policies, procedures, and
logs. The audit team will also require cooperation from the hospital’s IT staff and
management.

Overall, the audit of the hospital automation system is crucial to ensure that the
system is secure, reliable, and compliant with regulatory requirements. The audit
findings will provide valuable insights into the hospital’s information security posture
and help identify areas for improvement to enhance the system’s security and overall
patient care.

B. Project Report (solution)

1. Introduction

M/s Star Hospital

M/s Star Hospital, established in the year 2005, is a 500-bed multi-specialty hospital
located in the city of New Delhi. It has been a leading provider of healthcare
services in the region, and is known for its high-quality care and innovative
treatments. The hospital's motto has been “a strong focus on patient safety and
quality”, and it is accredited by the National Accreditation Board for Hospitals (NABH).

The Hospital Automation System (HAS) is an integrated suite of software and
hardware that automates the management of patient data, appointments, medical
records, laboratory reports, and billing information. The HAS is critical to the smooth
and efficient operation of the hospital, and any disruption or failure could have a
significant impact on patient safety and quality of care. The hospital's policies and
procedures are designed to ensure the safety and quality of care, and are regularly
reviewed and updated.

M/s AAN & CO.

M/s AAN & CO. is a leading provider of audit, accounting, and consulting services.
The firm has over 10 years of experience, and has a team of experienced professionals
with a deep understanding of the healthcare industry. The firm is committed to
providing high-quality services that meet the needs of its clients.

The firm's team is composed of auditors, accountants, and consultants with a variety
of skills and experience. The team leader is Mr. Amrish, a chartered accountant with
over 10 years of experience in the healthcare industry. Mr. Amrish is a Chartered
Accountant (CA), Certified Public Accountant (CPA) and Certified Information Systems
Auditor (CISA), and holds the Diploma in Information Systems Audit (DISA). Mr. Amrish
also has a strong understanding of the regulations that govern healthcare organizations,
and is committed to providing his clients with the highest quality of service.

2. Auditee Environment

Nature of Business

M/s Star Hospital is a 500-bed multi-specialty hospital that provides a wide range of
healthcare services, including inpatient and outpatient care, surgery, diagnostic
imaging, laboratory services and pharmacy.

Organization Structure

M/s Star Hospital is a well-structured organization with departments such as:

1. Administrative: This department is responsible for the overall management of
the hospital, including finance, human resources, and marketing.
2. Clinical: This department is responsible for providing patient care, including
nursing, medicine, and surgery.
3. Support: This department provides support services to the hospital, such as
housekeeping, food service, and maintenance.
4. Sales: This department focuses on the purchase, stock maintenance and sale of
specialized medicines under the brand name of the hospital.

Technology Deployed

The Hospital Information System comprises various software applications, databases,
and servers. The regulatory requirements for the healthcare industry, such as HIPAA
and HITECH, also provide guidance on the automation software that must be
maintained.

M/s Star Hospital uses a variety of technologies to support its operations including:

1. Microsoft SQL Server, a computerised patient record system (CPRS) that stores
patient information such as medical history, medications, and allergies.
(RDBMS)
2. Epic, an electronic health records (EHR) system designed to be interoperable,
meaning that records can be shared between different healthcare organizations.
(Application Software)
3. A digital imaging system that captures and stores medical images, such as X-
rays and MRIs. (Application Software)
4. Epic Lab, a laboratory information system used to manage laboratory tests and
results. (DBMS)
5. Epic MyChart, a pharmacy information system used to manage prescription
drugs and drug orders. (DBMS)
6. HALO, an artificial intelligence (AI) tool used in hospitals to improve the accuracy of
diagnoses, the efficiency of operations, and the quality of care.
7. Windows Server system software that allows staff to access information and
resources from anywhere in the hospital.

Regulatory Requirements

Star Hospital is subject to a variety of regulatory requirements, including:

1. National Accreditation Board for Hospitals & Healthcare Providers (NABH):
National Accreditation Board for Hospitals & Healthcare Providers (NABH) is a
constituent board of the Quality Council of India, set up to establish and operate an
accreditation programme for healthcare organizations. The Board is structured
to cater to the much-desired needs of consumers and to set benchmarks for the
progress of the health industry. The Board, while being supported by all
stakeholders including industry, consumers and government, has full functional
autonomy in its operation. The hospital is accredited by NABH.
2. The healthcare industry is heavily regulated, and regulatory requirements such
as the Health Insurance Portability and Accountability Act (HIPAA) and the Health
Information Technology for Economic and Clinical Health (HITECH) Act are
applicable to the hospital. Compliance with these regulations is essential to
protect patient data and maintain the confidentiality of their medical records.

Internal Policies and Procedures

Star Hospital has a number of internal policies and procedures in place to ensure the
safety and quality of care, including:

1. The hospital has implemented a comprehensive information security program to
protect patient information. The program includes security policies, procedures,
and controls to protect the confidentiality, integrity, and availability of patient
information.
2. The hospital has a privacy policy that outlines the hospital's policies for
protecting patient privacy. The policy includes provisions for how patient
information is collected, used, and disclosed.
3. The hospital has a quality assurance program that monitors the quality of care
provided by the hospital. The program includes procedures for identifying and
resolving quality issues.
4. The hospital has a risk management program that identifies and mitigates risks
to patient safety. The program includes procedures for identifying and assessing
risks, developing and implementing risk controls, and monitoring the
effectiveness of risk controls.
5. The hospital's network infrastructure is designed to ensure the availability and
reliability of the automation system. The system is hosted on a secure server
located in a dedicated server room with controlled access.
6. The hospital has a dedicated IT team responsible for maintaining and managing
the hospital automation system. The team comprises professionals with
relevant experience and certifications in IT systems management and support.
The IT team ensures the smooth operation of the system by providing regular
maintenance, updates, and support to the end-users.

In summary, the hospital has implemented a comprehensive set of policies,
procedures, and controls to protect patient information and ensure the smooth
operation of the hospital automation system. The auditor should evaluate the
effectiveness of these controls and ensure that they are in compliance with regulatory
requirements.

3. Background

1. To ensure compliance with regulations. M/s Star Hospital is subject to a variety
of regulatory requirements, such as NABH, HIPAA and HITECH. By
conducting a system audit, the hospital can ensure that it is in compliance with
these regulations and is protecting patient safety and privacy.
2. To identify and mitigate risks. A system audit can help M/s Star Hospital
identify and mitigate risks to patient safety and privacy. For example, the audit
could identify security vulnerabilities in the hospital's information systems that
could be exploited by unauthorized individuals.
3. To improve the efficiency and effectiveness of the hospital's operations. A
system audit can help M/s Star Hospital identify areas where its operations can
be improved. For example, the audit could identify ways to streamline the
hospital's processes or to reduce costs.
4. To improve the quality of care. By ensuring that its information systems are
secure and reliable, M/s Star Hospital can improve the quality of care it
provides to patients. For example, the hospital can use its information systems
to track patient care and to identify potential problems early on.
5. To gain a competitive advantage by demonstrating its commitment to patient safety
and quality.

4. Situation

Problem areas

1. Data Security - There have been a couple of security incidents at M/s Star
Hospital in recent years, including unauthorised access to patient information
and data breaches.
2. System Failure - The automated information system has failed due to
hardware or software problems in the past, which has raised concerns
about the quality of care provided by the hospital and the availability of data at
the time it is needed.
3. User Errors - The automated information system may be susceptible to user
errors, such as entering incorrect data or clicking on malicious links. The
hospital's information systems do not contain validation rules to prevent
users from inputting incorrect data.
4. Interoperability - The automated information system is not able to
communicate with other systems in the hospital. This has led to problems with
the exchange of patient information from Lab Tests to Billing, and to
manual input of data from one IS to another IS. For
5. Inaccurate Inventory Data – Due to the non-integration of receipts and issues with
the automated information system within the hospital, there have been
instances where misappropriation and stock run-outs have been reported in
the pharmacy.
6. Data Update - There have been cases where the list of approved/empaneled
vendors was not reviewed and pharmacy orders were placed with non-
empaneled vendors.
7. Redundant Inventory - Because the expiry date of pharmacy items is not captured, the
Information System is not able to provide data on redundant inventory.

Control weaknesses

1. The hospital's security policies and procedures are not up to date and are not
being implemented effectively.
2. The hospital does not have a comprehensive risk management program in
place; in particular, a Disaster Recovery Program and Business Continuity Plan are
not in place.
3. There is no formal training and learning plan for the hospital's staff on the
usage of the Information System.
4. Ineffective firewall and outdated antivirus software.
5. Outdated version of system software in use.
6. No data validation controls.
7. Non-integrated information systems, leading to manual input errors.
8. No review of vendor empanelment.
9. Lack of proper data capturing points.

These problem areas and control weaknesses have raised concerns about the safety
and quality of care at M/s Star Hospital. The system audit will be conducted to
identify and mitigate these risks and to improve the hospital's overall security and
compliance posture.

5. Terms and Scope of assignment

The terms and scope of the assignment for the system audit of Star Hospital:

Areas being reviewed:

• The security policies and procedures of the hospital.
• The risk management program of the hospital.
• The training program of staff on patient safety and privacy procedures.
• The security and reliability of the hospital's information systems.
• The integration of the hospital's information systems.

6. Logistic arrangements required

1. Hardware: The audit team will need access to the hospital's computer systems,
including the servers, workstations, and network devices. The audit team may
also need access to other hardware, such as printers and scanners.
2. System software: The audit team will need access to the hospital's operating
system, database software, and other system software.
3. Application software: The audit team will need access to the hospital's
application software, such as the computerized patient record system (CPRS)
and the digital imaging system.
4. Data: The audit team will need access to the hospital's data, such as patient
records, financial data, and operational data.
5. Documentation: The audit team will need access to the hospital's
documentation, such as policies and procedures, security logs, and incident
reports.
6. CAAT tools: The audit team may use computer-assisted audit tools (CAATs) to
help them with the audit. CAATs are software programs that can be used to
automate tasks such as data extraction, data analysis, and risk assessment.
The CAAT tool used by the audit team is Audit Command Language (ACL).

7. Methodology and Strategy adapted for execution of assignment

The audit firm will follow a structured approach for conducting the system audit of the
Hospital Automation System. The approach comprises the following steps:

1. Planning: The audit team will identify the audit objectives, scope, and
methodology. The team will review the hospital’s information security policy and
regulatory requirements to ensure compliance. The team will also schedule the
audit and coordinate with the hospital’s management.
2. Data collection: The audit team will collect data from various sources,
including the Hospital Automation System, IT infrastructure, policies and
procedures, and other relevant documentation. The team will also interview key
personnel, including the IT staff and department heads.
3. Risk assessment: The audit team will assess the risks associated with the
Hospital Automation System, including the confidentiality, integrity, and
availability of patient data. The team will also identify vulnerabilities and
threats that could impact the system’s security.
4. Testing: The audit team will perform various tests, including vulnerability
assessments, penetration testing, and application testing, to evaluate the
system’s security controls. The team will also test the system’s performance and
reliability.
5. Analysis: The audit team will analyze the data collected and test results to
identify weaknesses and deficiencies in the Hospital Automation System. The
team will also assess the system’s compliance with regulatory requirements and
industry standards.
6. Reporting: The audit team will prepare a comprehensive report that includes
the audit findings, recommendations, and action plan. The team will also
provide a rating of the system’s overall security posture and level of compliance.
7. The audit methodology followed the ISACA and IIA guidelines, which included
the following phases:
• Planning Phase: defining the scope, objectives, and audit approach.
• Fieldwork Phase: reviewing the system controls and conducting vulnerability
assessments and penetration testing.
• Reporting Phase: preparing the draft audit report, discussing the findings with
management, and issuing the final audit report.

8. Documents reviewed

1. Information security policy: This document outlines the hospital's security
policies and procedures.
2. Organization structure: This document shows the hierarchy of the hospital and
the roles and responsibilities of each department.
3. Vendor contracts or SLAs: These documents outline the terms and conditions of
the hospital's contracts with its vendors.
4. Access matrix: This document shows who has access to what data and systems.
5. Audit findings: These documents record the findings of previous audits.
6. Incident reports: These documents record security incidents that have
occurred at the hospital.
7. Change management logs: These logs record changes that have been
made to the hospital's information systems.
8. User training records: These records document the training that has been
provided to staff on security procedures.
9. Security logs: These logs record access to the hospital's information systems.

9. References

ICAI standards/guidelines:

Standards on Auditing (SAs): The ICAI's SAs provide guidance on the planning,
execution, and reporting of audits. The following SAs are specifically relevant to audits
of automation systems:

1. SA 200: Overall Objectives of the Independent Auditor and the Conduct of an
Audit in Accordance with Standards on Auditing
2. SA 210: Agreeing the Terms of Audit Engagements
3. SA 220: Quality Control for Audits of Financial Statements
4. SA 250: Consideration of Laws and Regulations in an Audit of Financial
Statements
5. SA 315: Understanding the Entity and Its Environment and Assessing the Risks
of Material Misstatement
6. SA 324: The Auditor's Consideration of Information Technology in an Audit of
Financial Statements
7. SA 330: The Auditor's Response to Assessed Risks
8. SA 402: Audit Considerations Relating to Information Security
9. SA 500: Audit Evidence
10. SA 620: Using the Work of an Auditor's Expert

Information Systems Auditing: Objectives, Techniques and Tools (DISA): The DISA
provides guidance on auditing information systems.

1. Chapter 1: Objectives and Scope of Information Systems Auditing
2. Chapter 2: Auditing Techniques and Tools
3. Chapter 3: Auditing Information Systems Controls
4. Chapter 4: Auditing Information Systems Applications

International standards/guidelines:

International Auditing and Assurance Standards Board's (IAASB) International
Standards on Assurance Engagements (ISAEs): The ISAEs provide guidance on
assurance engagements, including audits.

1. ISAE 3402, Assurance Reports on Controls at a Service Organization

International Organization for Standardization's (ISO) ISO/IEC 27001:2013
Information Security Management Systems: ISO/IEC 27001 provides guidance on
implementing an information security management system.

Best practices:

1. The SANS Institute's Top 20 Critical Security Controls provides a list of the
most important security controls for organizations to implement.

10. Deliverables

Draft IS Audit Report: The draft IS Audit Report will be a preliminary document that
summarises the findings of the audit. The draft report will be reviewed by the audit
team and the hospital before the final report is issued.

Final IS Audit Report: The final IS Audit Report will be a comprehensive document
that summarises the findings of the audit and provides recommendations for
improvement. The final report will be issued to the hospital and will be made available
to the public.

Executive Summary: The Executive Summary is a concise overview of the audit
findings and recommendations. It is typically one or two pages long and is intended for
a lay audience.

Detailed Findings: The Detailed Findings section of the report provides a detailed
description of the audit findings. This section is typically organised by topic and
includes information such as the control weakness, the impact of the weakness, and
the recommendations for improvement.

Recommendations: The Recommendations section of the report provides specific
recommendations for improving the hospital's information security. The
recommendations are typically prioritized and include a timeline for implementation.

11. Format of Report/ Findings and Recommendations

Each finding below is presented under the columns of the report format: Sr. No.,
Observation & Impact, Recommendation, and Auditee Response & Implementation Time.

1. Observation & Impact: Outdated Information System Security Policy(s). The Security
Policy needs to incorporate the updates in Information Systems and Technology, and a
strong password policy.
Recommendation: Update the information security policy in line with updated technology.
Auditee Response & Implementation Time: The Information Security Policy will be updated
by 15-Oct-2023.

2. Observation & Impact: Absence of a Disaster Recovery Program and Business Continuity
Plan for the organization to help in case of information system failure.
Recommendation: Define the Disaster Recovery Program and Business Continuity Plan.
Auditee Response & Implementation Time: The Disaster Recovery Program and Business
Continuity Plan will be defined by 31-Oct-2023.

3. Observation & Impact: Absence of an Employee Training Program, leading to staff not
being aware of Information System handling.
Recommendation: Prepare and implement a proper Employee Training Program.
Auditee Response & Implementation Time: A formal employee training program will be
implemented by 30-Sep-2023.

4. Observation & Impact: Ineffective firewall and outdated antivirus software to counter
system vulnerabilities.
Recommendation: Updated firewall software and antivirus to be installed.
Auditee Response & Implementation Time: Updated firewall software and antivirus will be
installed by 30-Sep-2023.

5. Observation & Impact: Outdated system software in use, which is not suitable in the
current environment to handle updated application software and is hampering system
performance.
Recommendation: Updated system software to be installed.
Auditee Response & Implementation Time: Updated system software will be installed after
due consideration and approvals for budget, by 31-Oct-2023.

6. Observation & Impact: Incorrect capturing of data due to improper data validation rules.
Recommendation: Data validation rules to be defined and implemented.
Auditee Response & Implementation Time: Data validation rules will be defined for each
data set and implemented by 31-Oct-2023.

7. Observation & Impact: Inadequate system integration; manual input of information from
one system to another, and data errors.
Recommendation: API integration between systems to be done.
Auditee Response & Implementation Time: Information systems required to be integrated
will be identified and integrated by 31-Dec-2023.

8. Observation & Impact: Inadequate process for vendor empanelment for procurement.
Recommendation: Review mechanism for vendor empanelment, so that procurement is only
from empaneled vendors.
Auditee Response & Implementation Time: Vendor empanelment process to be implemented
by 30-Sep-2023.

9. Observation & Impact: Redundant inventory; inadequate capturing of data such as expiry
date on medicines at the time of procurement.
Recommendation: Review and define the data fields required to be captured, so that the
relevant data is captured and data that is not required is avoided.
Auditee Response & Implementation Time: The system will be enabled to capture the expiry
date of medicines by 30-Sep-2023. Other required data fields shall be reviewed and
implemented along with the updation of the Information System.
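Findings 6, 8 and 9 above are controls an auditor can test with a CAAT over the pharmacy procurement data. The following is an added illustration, not part of the report or of ACL: it applies entry-time validation rules (finding 6), checks orders against the empaneled-vendor master (finding 8) and reviews stock for expired batches (finding 9). The record layout, vendor ids, item codes and dates are constructed sample data.

```python
"""Control checks for pharmacy procurement records (report findings 6, 8 and 9).

Added illustration, not part of the audit report. Vendor ids, item codes and
batch numbers below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed approved/empaneled vendor master (finding 8): the list the check runs against.
EMPANELED_VENDORS: Dict[str, str] = {"V001": "Vendor A (sample)", "V002": "Vendor B (sample)"}

# Audit cut-off date for the expiry review; constructed for the example.
AUDIT_DATE = date(2023, 9, 30)


@dataclass
class ProcurementRecord:
    item_code: str
    item_name: str
    batch_no: str
    vendor_id: str
    quantity: int
    receipt_date: date
    expiry_date: Optional[date]  # None models a receipt where expiry was never captured


def validate_record(rec: ProcurementRecord, empaneled: Dict[str, str]) -> List[str]:
    """Entry-time validation rules (finding 6). Returns the failed rules; empty means accepted."""
    issues: List[str] = []
    if not rec.item_code.strip() or not rec.batch_no.strip():
        issues.append("missing item code or batch number")
    if rec.quantity <= 0:
        issues.append("quantity must be positive")
    if rec.vendor_id not in empaneled:  # finding 8: order placed with a non-empaneled vendor
        issues.append(f"vendor {rec.vendor_id} is not empaneled")
    if rec.expiry_date is None:  # finding 9: expiry is a mandatory data capture point
        issues.append("expiry date not captured")
    elif rec.expiry_date <= rec.receipt_date:
        issues.append("expiry date is not after receipt date")
    return issues


def audit_records(records: List[ProcurementRecord], empaneled: Dict[str, str]) -> Dict[str, List[str]]:
    """CAAT-style exception report: batch number -> failed rules, for failing records only."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        issues = validate_record(rec, empaneled)
        if issues:
            report[rec.batch_no] = issues
    return report


def redundant_inventory(records: List[ProcurementRecord], as_of: date) -> List[ProcurementRecord]:
    """Periodic review (finding 9): batches expired as of `as_of` that still show stock on hand.

    A batch can pass entry-time validation and still become redundant later, so this
    check runs separately from validate_record.
    """
    return [r for r in records
            if r.expiry_date is not None and r.expiry_date < as_of and r.quantity > 0]


# Constructed sample data: one clean record and four that exercise the individual rules.
SAMPLE_RECORDS = [
    ProcurementRecord("MED-001", "Item A", "B100", "V001", 200, date(2023, 9, 1), date(2025, 3, 31)),
    ProcurementRecord("MED-002", "Item B", "B101", "V999", 50, date(2023, 9, 5), date(2024, 12, 31)),
    ProcurementRecord("MED-003", "Item C", "B102", "V002", 100, date(2023, 9, 10), None),
    ProcurementRecord("MED-004", "Item D", "B103", "V001", 30, date(2023, 1, 15), date(2023, 8, 31)),
    ProcurementRecord("", "Item E", "B104", "V001", -5, date(2023, 9, 20), date(2024, 1, 1)),
]

if __name__ == "__main__":
    for batch, issues in audit_records(SAMPLE_RECORDS, EMPANELED_VENDORS).items():
        print(f"{batch}: {'; '.join(issues)}")
    for rec in redundant_inventory(SAMPLE_RECORDS, AUDIT_DATE):
        print(f"{rec.batch_no}: expired {rec.expiry_date}, {rec.quantity} units on hand")
```

Batch B103 illustrates why findings 6 and 9 are separate controls: it is accepted at receipt but surfaces only in the periodic expiry review.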

12. Summary/Conclusion

In conclusion, the system audit of the Hospital Automation System implemented in
the healthcare organization has been successfully executed by our audit firm. The
audit team, consisting of professionals with relevant skill-sets and experience, followed
a rigorous methodology and strategy to assess the effectiveness and efficiency of the
system. The auditee environment and background were thoroughly reviewed, and
documents such as the hospital’s information security policy, disaster recovery plan,
change management procedures, system configuration documents, access control
matrix, and vendor contracts were analysed.

The findings of the audit reveal that the Hospital Automation System is functioning
effectively and efficiently in managing patient data, appointments, medical records,
laboratory reports, and billing information. However, there were some areas of concern
identified, such as weak access controls and inadequate disaster recovery measures.
The audit team has provided recommendations to address these issues and improve
the overall security and reliability of the system.

The audit report has been presented in a comprehensive format, detailing the findings
and recommendations. The hospital management can use this report to take corrective
actions and strengthen the Hospital Automation System’s security and reliability.
Overall, the system audit has provided valuable insights into the effectiveness and
efficiency of the system, and the audit firm has ensured the confidentiality of the
project.
