mirror of
https://github.com/Karaka-Management/Organization-Guide.git
synced 2026-01-11 12:58:42 +00:00
update
This commit is contained in:
parent 3c130a3d09
commit fd535a1b27
@ -125,4 +125,3 @@ Additional resources can be found in:
* The respective package.json files in the repositories
* External/third party tools mentioned in the documentation
* [Approved Customer Software](../Processes/Support/Approved%20Customer%20Software.md)

@ -2,6 +2,12 @@

Provisions are recognized when the Group has a present obligation (legal or constructive) resulting from a past event and it is probable that an outflow of resources embodying economic benefits will be required to settle the obligation and a reliable estimate can be made of the amount of the obligation. The expense relating to any provision is presented in the income statement, net of any reimbursement. If the effect of the time-value of money is material, provisions are discounted. Where discounting is used, the increase in the provision due to the passage of time is recognized as a finance expense.

The basis for the provision amount if available are in the following order:

1. Invoice amount
2. Offer amount
3. Historic amount
4. Market amount if available
5. Estimation by the accountant

2022-01-01 - Version 1.0
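Review bot: the sentence "The basis for the provision amount if available are in the following order" has a number-agreement problem and an unclear "if available"; suggest "The provision amount is based on the first of the following that is available, in this order:". Item 4 then no longer needs its own "if available".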
@ -40,10 +40,6 @@ This type of backup is done incrementally, meaning only changes are stored.

Once a quarter a full data backup (clone) is created and stored on an external hard drive. The purpose of these backups are to provide long term backups which are not replaced/overwritten. Additionally, these backups provide some fall back solution for sleeper malware or malware which encrypts backup files. Only 4 quarters at a maximum are allowed to be stored on the same hard drive. The backup is stored in a separate building than the main backup or in a bank vault.

## Responsibility

The responsibility for the data backup lies with the head of IT. Other IT employees may only take over these tasks if the head of IT considers these employees sufficiently trained in this area. The responsible employees must control the data integrity of the backups once a quarter.

## Data storage

The data should be stored in such a way that only authorized personnel has access to the backup files. Authorized in this case means IT department and management. The data backups should be marked or labeled so that it is easily possible to identify the contents of the backup (i.e. Backup 2022-01.01 2:00:01).
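Review bot: the label example "Backup 2022-01.01 2:00:01" in the Data storage paragraph mixes "-" and "." as date separators and drops the leading zero of the hour; use one sortable format such as "Backup 2022-01-01 02:00:01" so labels can be compared and parsed consistently. "The purpose of these backups are" should read "is". Since the quarterly clone is the stated fallback against malware that encrypts backup files, it would help to say explicitly that the drive is disconnected between backup runs; the separate building / bank vault sentence implies it but does not state it.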
@ -52,6 +48,10 @@ The data should be stored in such a way that only authorized personnel has acces

The data reconstruction is documented in a reconstruction tutorial in the IT processes. During the reconstruction it may be necessary to put a higher priority on files and data which are more important for the ongoing organization activities (e.g. customer data, source code data).

## Responsibility

The responsibility for the data backup lies with the head of IT. Other IT employees may only take over these tasks if the head of IT considers these employees sufficiently trained in this area. The responsible employees must control the data integrity of the backups once a quarter.



2022-01-01 - Version 1.0
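Review bot: the Responsibility paragraph moved here says the responsible employees "must control the data integrity of the backups once a quarter" but not how; naming the method (a test restore of a sample of files, or a checksum comparison against the source) would make the control auditable. "Data reconstruction" in the first paragraph is better termed "data restore" or "data recovery", matching the document title "Backup & Data Recovery" used in the index table.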
@ -1,6 +1,14 @@
# Change Management

## Permissions
In an organization employees change, tasks get transfered and new challenges arise. These changes often require changes in user permissions and new software needs.

## Goal

Changes to the IT system and permissions should be performed in such a way that they ensure the stability long-term operability of the IT environment without exposing the system to large risks such as unauthorized data access and data loss. For this purpose this authorization and documentation guidline must be followed.

## Implementation

### Permissions

Permission changes are sometimes necessary if a role of an employee changes or if the employee has to take over additional tasks. Such permission requests must get approved by the respective HOD and verified by the IT department. If the change request is justified the IT department changes the permissions for the employee.

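Review bot: typos in the added text: "transfered" should be "transferred", "guidline" should be "guideline", and "ensure the stability long-term operability" is missing "and" ("the stability and long-term operability"). "new software needs" in the intro reads better as "new software requirements".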
@ -10,7 +18,7 @@ Potential documents to be changed are:

* [Permission List](../../Processes/IT/Permission%20List.md)

## Software
### Software

Software changes include software updates, new software or functional/feature changes. Change requests can be made by any employee but must get approved by the respective HOD. If the change request is justified the IT department performs the change in a testing environment where the employee or HOD can test the change.

@ -30,7 +38,9 @@ Potential documents to be changed are:
* [Approved Customer Software](../../Processes/Support/Approved%20Customer%20Software.md)
* [Key Supplier Evaluation](../../Processes/Purchase/Key%20Supplier%20Evaluation.md)

## Responsible

The responsibility for the data backup lies with the head of IT. Other IT employees may only take over these tasks if the head of IT considers these employees sufficiently trained in this area. The responsible employees must ensure the appropriatness of the changes and authorization.

2022-01-01 - Version 1.0

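Review bot: the Responsible paragraph was copied from the backup guideline: "The responsibility for the data backup lies with the head of IT" should read "for change management" in this document. Also "appropriatness" should be "appropriateness".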
@ -1,6 +1,14 @@
# Database Guidelines

## Access permissions
The databases contain critical organization, customer and supplier data. In most cases data is created, deleted and manipulated through software which provide a workflow with data validation to ensure the correctness of the change. Manual changes, damages and unprofessional interaction with a database may cause severe damage for the organization.

## Goal

Manual interaction with any database must be kept at a minimum. Strict limitations are necessary to ensure the data integrity in the database.

## Implementation

### Access permissions

Access permissions to the databases must be defined as granular as reasonably possible.

@ -9,17 +17,21 @@ Access permissions to the databases must be defined as granular as reasonably po
* Application specific user and permission settings:
* some applications need one main user with admin permissions on a specific table
* some application need multiple users where the different users have different permissions
* All other database users must only be have read-only permissions
* All other database users must have read-only permissions

## Direct data changes
### Direct data changes

No direct data changes are allowed in the databases. All changes in the database must be performed by the applications managing the database.

## Logging
In case they are absolutely necessary direct data changes must only be performed by the head of IT or by the third party software provider and supervised by the head of IT. Direct data changes must be tested and documented by the head of IT.

### Logging

Logging must be always enabled for errors and warnings. Additional logging can be enabled if deemed helpful by the Head of IT or CTO. Error or warning logs must be sent to the head of IT and CTO on a daily basis, if any occurred. The head of IT or CTO must take appropriate steps to solve the errors and warnings in a timely manner.

## Responsible

The responsibility for the database lies with the head of IT. No other employee may directly interact witht the database except for backups and restarting the database in case of failures.

2022-01-01 - Version 1.0

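Review bot: "some application need" should be "some applications need", and "witht" should be "with" in the Responsible paragraph. That paragraph says no other employee may directly interact with the database except for backups and restarts, while the Direct data changes section allows the third party software provider to perform changes under supervision of the head of IT; state the provider exception in Responsible as well so the two sections agree. The first Access permissions bullet ends with a colon, so the two "some application(s) ..." bullets should be indented as sub-items of it.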
@ -1,8 +0,0 @@
# Development and Maintenance





2022-01-01 - Version 1.0

@ -1,8 +1,65 @@
# General Employee Guideline

IT is part of our daily lives and an important tools for any organization. The proper interaction and handling of IT is crucial for protecting user, company and partner data.

## Goal

Employees should gain a good awareness about IT risks and proper use of IT in any form to protect themselves, the company and any thrid party.

## Implementation

### Authentication

Employees may receive user-ID and authentication inforamtion for hardware and software components. These information must be kept confidential and not shared with anyone, including other employees.

#### Shared accounts

Only in very few cases shared accounts exist. Credentials for such accounts can be used by multiple employees but must also be kept confidential within that group of employees. Examples for such situations are:

* Accounts for shipping software
* Accounts for some online shops
* Accounts for IT components in meeting rooms

The responsible person for shared accounts is the respective head of department.

### Hardware

Only company issued hardware must be used by employees as this hardware is tested and protected with security software such as anti-virus software, firewall software etc.

The hardware handed over to the employee belongs to the company and must be handled with care. This includes preventing damages and unauthorized access. Company hardware must not be accessible to third parties and must only be used for company tasks.

Any hardware provided by the company must be returned before leaving the company after a termination.

If additional hardware is required please make a request with the IT department.

#### USB devices

No third party USB devices (i.e. USB storage device) must be used as they can contain malware or hardware damaging components. Only company provided USB devices must be used. If a USB storage device is necessary please request one from the IT department.

If you receive a USB storage device from a thrid party please hand it over to the IT department who can inspect the data stored on the device and send you a copy.

### Software

Only company issued software must be installed on the company hardware. The software handed over to the employee belongs to the company. Company software must not be accessible to third parties and must only be used for company tasks.

Any software including license keys provided by the company must be returned before leaving the company after a termination.

If additional software is required please make a request with the IT department.

### Email

A common way to attack a company is through malicious emails. This includes phishing emails and emails containing malware.

1. Don't open any files from unknown sources
2. If you unexpectedly receive files from known sources verify before opening them with the sender that he actually sent these files

### Support & Changes

IT support can be requested through the support portal (e..g faulty hardware) and change requests (e.g. permission changes) can be requested through the change management.

## Responsible

Every employee is responsible for following this guideline.

2022-01-01 - Version 1.0

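Review bot: typos in the new text: "an important tools" should be "an important tool", "thrid" should be "third" (twice), "inforamtion" should be "information", "These information" should be "This information", "e..g" should be "e.g.". In the Email section, item 2 should say how to verify: contact the sender through a channel other than replying to the email (phone, chat, in person), because a compromised sender mailbox would confirm its own attachment. "No third party USB devices ... must be used" reads more clearly as "Third party USB devices ... must not be used".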
@ -1,8 +1,14 @@
# IT Security

## Password
## Goal

### Format
These security guidelines and policies should reduce the risk of a unauthorized data and hardware access, data and hardware manipulation, data loss and damages to hardware in order to ensure smooth IT operations.

## Implementation

### Password

#### Format

Passwords protect confidential company data, as well as customer and supplier data. The length and the combination of different character types (i.e. lower case letters, upper case letters, numerics and special characters) can have a significant impact on the strength of a password. For this reason the IT department should configure the password settings if possible in such a way that the following format must be used:

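Review bot: "a unauthorized" should be "an unauthorized" in the Goal paragraph.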
@ -12,33 +18,45 @@ Passwords protect confidential company data, as well as customer and supplier da
* At least one special character
* At least one numerical character

### Change interval
#### Change interval

Additionally, if it is possible to define a password change interval it should be set to once a year. This way passwords don't become stale and in case of a password leak get rotated out. Shorter password change intervals could lead to friction for the employees resulting in a security fatigue.

### Additional protection
#### Additional protection

For direct server access ssh keys must be used instead of passwords. In addition, these ssh keys should be password protected according to the above mentioned format specifications. If possible second factor authentication should be enabled for direct server access. This second factor authentication should be bound to the owner of the ssh key (i.e. SMS authentication, app authentication, ...)

Sometimes it becomes necessary for third party partners to access the servers (i.e. maintenance or support), in such a case second factor authentication is mandatory. The second factor authentication for third parties must be configured in such a way that only the head of IT can approve the access.

## Access Restrictions
### Access Restrictions

Every user must have their own user-ID and authentication. The user can be assigned to multiple groups. Permissions can be granted for groups and individual users.

In general only whitelist user access permissions instead of blacklisting them. In other words don't be afraid to create multiple accounts or user groups for single applications and only give them reading/writing/execution permissions to directories and files they need access to.

## Permissions
#### Physical Server access

The servers are located in a locked server room. Only the IT department has access to this room. Additionally, the server room has a camera recording the access.

### Permissions

Permissions should always be defined as low as possible and only get expanded if required. The IT department can decide to reject a permission change if they consider the request inappropriate.

The general permission structure is defined in the Permission List.

User and group permissions must be reviewed annually by the head of IT ensuring that they are appropriately defined. This process also includes the verification of inactive users or users which should no longer be active in the system (i.e. former employees).

It is strongly recommended to use the basic organization schematic and job description for every area as a basis to define user permissions. Based on the job descriptions and user tasks, groups should be generated with the appropriate permissions. The permission management through groups is preferred since it's much more verbose and shows a clear structure. While permissions on user basis are in some cases more convenient for quick permission handling they indicate that the actual job function compared to the organization layout is not coherent with the actual tasks that person is performing. Permission handling on user level is strongly advised against and re-structuring groups and creating new groups is much cleaner even if in some cases a group only has one account assigned. Permissions for accounts should also get re-evaluated on a regular basis in order to prevent non-active accounts or accounts whose job description changed to have permissions they no longer need.

## Updates
### Updates

Updates are very important not only to implement the newest features but also to close potential security vulnerabilities. This doesn't only apply for the operating system but also all the other software you may be running. Updates should be tested in a testing environment and then migrated to the live environment.

## HTTPS
### HTTPS

The server must use HTTPS for its internal and external communication.

## Security software
### Security software

Security software which must be used on the main server are:

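Review bot: in Additional protection, SMS is named first as an example second factor; it is the weakest of the options listed because it is bound to a phone number rather than to the key owner, so prefer the app-based factor or a hardware token and list SMS last or not at all. The rule "ssh keys must be used instead of passwords" only holds if the server refuses password logins; consider stating that password authentication is disabled in the sshd configuration. In the Permissions paragraph "much more verbose" presumably means "much more transparent". The heading "#### Physical Server access" now nests under "### Access Restrictions", which is sensible, but the removed "## Permissions" line shows it was previously a sibling; confirm the intended nesting. "whitelist"/"blacklisting" could be "allow-list"/"deny-listing" for clarity.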
@ -48,5 +66,9 @@ Security software which must be used on the main server are:
* Firewall (not defined)
* Intrusion detection system (not defined)

## Responsible

The responsibility for the IT security lies with the head of IT. Other IT employees may only take over these tasks if the head of IT considers these employees sufficiently trained in this area.

2022-01-01 - Version 1.0

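Review bot: "Firewall (not defined)" and "Intrusion detection system (not defined)" leave the mandatory security software unnamed in a policy stamped Version 1.0; either name the products or mark the items as open (TODO) with an owner. The new Infrastructure.md diagram in this commit already places a "Firewall & IPS/IDS" node between the router and the core routers, so this list and the diagram should reference the same components.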
37
Policies & Guidelines/IT/Infrastructure.md
Normal file
@ -0,0 +1,37 @@
# Infrastructure

```mermaid
graph TD;
ROUTER[Router]---FIREWALL[Firewall & IPS/IDS];
ROUTER---REMOTE_BACKUP_SERVER[Remote backup server];
FIREWALL---INTERNAL_ROUTER[Core routers];
INTERNAL_ROUTER---SWITCH[Organization switches];
INTERNAL_ROUTER---SWITCH_PUBLIC[Public switches];
SWITCH_PUBLIC---WEB_SERVER[Web servers];
WEB_SERVER---WEBSITE[Website];
WEB_SERVER---SHOP[Shop];
WEB_SERVER---SOFTWARE[Software];
WEB_SERVER---DEMO_SERVER1[Puplic demo server 1];
DEMO_SERVER1---DEMO_SERVER2[Puplic demo server 2];
WEB_SERVER---DEMO_SERVER3[Private demo server];
SWITCH---DEV_SERVER[Dev server];
DEV_SERVER---DEV_RESOURCES[Dev resources/assets];
DEV_SERVER---TESTING[Testing server];
DEV_SERVER---INTERNAL_DEMO_SERVER[Demo server];
SWITCH---MAIL_SERVER[Mail server];
SWITCH---FILE_SERVER[File server];
SWITCH---DB_SERVER[DB server];
DB_SERVER---MIRRORED_DB_SERVER[Mirrored DB server];
SWITCH---IP_PHONE_SERVER[IP Phone Server];
SWITCH---USER_HARDWARE[User hardware];
USER_HARDWARE---PC[PC];
USER_HARDWARE---PHONE[Phone];
USER_HARDWARE---PRINTER[Printer]
INTERNAL_ROUTER---SWITCH_PRIVATE[Private switches];
SWITCH_PRIVATE---LOCAL_BACKUP_SERVER[Local backup server];
```



2022-01-01 - Version 1.0

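Review bot: "Puplic demo server 1/2" should be "Public". The `USER_HARDWARE---PRINTER[Printer]` line is the only edge without a trailing semicolon; mermaid accepts it, but keep it consistent. The same diagram also appears in the Operations Guidelines hunk of this commit; keep it in one file and link to it from the other so the two copies cannot drift apart. On the topology itself: "Remote backup server" hangs directly off the ROUTER, outside the "Firewall & IPS/IDS" node that fronts everything else; if that placement is intended (off-site backup reached over the internet), say so and note how it is protected, since the backup guideline requires backup files to be accessible only to IT and management.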
@ -1,41 +1,54 @@
# Operations Guidelines

## Goal

The IT is an important aspect of our company and should ensure save, reliable and performant work of every companies core business. IT operations should be integrated into the daily business as seamless as possible in order to achieve the companies goals.

## Infrastructure
## Implementation

```mermaid
graph TD;
ROUTER[Router]---FIREWALL[Firewall & IPS/IDS];
ROUTER---REMOTE_BACKUP_SERVER[Remote backup server];
FIREWALL---INTERNAL_ROUTER[Core routers];
INTERNAL_ROUTER---SWITCH[Organization switches];
INTERNAL_ROUTER---SWITCH_PUBLIC[Public switches];
SWITCH_PUBLIC---WEB_SERVER[Web servers];
WEB_SERVER---WEBSITE[Website];
WEB_SERVER---SHOP[Shop];
WEB_SERVER---SOFTWARE[Software];
WEB_SERVER---DEMO_SERVER1[Puplic demo server 1];
DEMO_SERVER1---DEMO_SERVER2[Puplic demo server 2];
WEB_SERVER---DEMO_SERVER3[Private demo server];
SWITCH---DEV_SERVER[Dev server];
DEV_SERVER---DEV_RESOURCES[Dev resources/assets];
DEV_SERVER---TESTING[Testing server];
DEV_SERVER---INTERNAL_DEMO_SERVER[Demo server];
SWITCH---MAIL_SERVER[Mail server];
SWITCH---FILE_SERVER[File server];
SWITCH---DB_SERVER[DB server];
DB_SERVER---MIRRORED_DB_SERVER[Mirrored DB server];
SWITCH---IP_PHONE_SERVER[IP Phone Server];
SWITCH---USER_HARDWARE[User hardware];
USER_HARDWARE---PC[PC];
USER_HARDWARE---PHONE[Phone];
USER_HARDWARE---PRINTER[Printer]
INTERNAL_ROUTER---SWITCH_PRIVATE[Private switches];
SWITCH_PRIVATE---LOCAL_BACKUP_SERVER[Local backup server];
```
### Availability

At least one IT employee must be available during the core work hours who can solve critical IT issues.

### Maintenance, Updates, Upgrades

#### Schedule

Maintenance tasks on working components which would effect the active work of employees during the core business hours should be performed outside this timeframe, unless not possible.

Maintenance tasks on faulty or broken components should be performed as soon as possible.

Maintenance work should be performed once a week but at least one a month. This includes checking hardware components and software components. Software updates must be tested by the IT department and in some cases additionally by other departments in a testing environment before implementing them in the production system. The changes and tests must be documented in the change management system.

In general, free software updates and upgrades should be implemented in a timely manner.

If components reach EOL (end of life) the IT department (possibly together with other departments) has to coordinate a follow up solution.

### Problems, Support & Change requests

Problems and requests regarding IT components should be resolved in a timely manner. The IT department has to check the support and change management requests multiple times a day. The priorization of the tasks lies with the IT. However, the overall company operability must be kept in mind.

### Jobs

#### Schedules

Job schedules can and must only be changed by members of the IT department. Job schedule changes must be coordinated with the head of other departments if they are effected by these changes. The head of IT must be informed about all job schedule changes.

In case of schedule change requests from other departments, they must be performed by the respective HOD and checked by an employee in the IT department to ensure no conflicts arise by this non-scheduled job execution. Only then the IT department may change the schedule for a job or execute the non-scheduled job.

New jobs must be approved by the head of IT.

#### Failures

All jobs must be logged and monitored to ensure their correct operations. In case of failures during the job execution the IT department receives a automatic failure log message which must be solved. The IT department ensures that every job is completed successfully and in case of issues takes appropriate steps which include:

* re-running the job in coordination with other departments if necessary
* solving the underlying issue
* changing execution times

## Responsible

The overall responsibility for the IT operations lies with the head of IT. However, every IT employee is responsible within their area of work for upholding the IT guidelines and policies as well as a smooth operation of the IT.

2022-01-01 - Version 1.0

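Review bot: the mermaid diagram is duplicated with the new Infrastructure.md in this commit; keep one copy and link to it. Wording: "save" should be "safe", "companies core business" should be "company's core business", "would effect" should be "would affect", "at least one a month" should be "at least once a month", "priorization" should be "prioritization", "effected" should be "affected", "a automatic" should be "an automatic". In Jobs/Schedules the second paragraph says schedule change requests "must be performed by the respective HOD", which contradicts the first paragraph's "can and must only be changed by members of the IT department"; presumably "requested by the respective HOD" is meant.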
36
Policies & Guidelines/IT/Outsourcing Guidelines.md
Normal file
@ -0,0 +1,36 @@
# Outsourcing Guideline

The company should have most of the knowledge regarding the IT components in-house. However, some services must be outsourced either as redundancy, fall back solution or because the competencies are too unreasonable to acquire.

## Goal

Through outsourcing additional competencies are brought into the company. The outsourced services should be integrated into the in-house competencies as smoothly as possible with a high quality standard. In general, competencies should be kept within the company if reasonably possible.

## Implementation

Services and competencies should only be outsourced as a fall back solution or if they cannot be kept in-house with reasonable efforts. Before a service is outsourced the head of IT should evaluate the feasability of the outsourcing. This includes checking alternative solutions such as purchasing the necessary hardware, trianing existing employees or implementing alternative solutions which don't require outsourcing.

In addition to the feasability analysis by the head of IT, a supplier evaluation must be performed. The supplier evaluation for outsourcing includes:

* Are the necessary competencies available?
* Is the pricing reasonable?
* Are the necessary certificates available, if required?
* Are the terms of service / contract details reasonable?
* Does the vendor comply with GDPR and can it be integrated into the existing structure of the company?
* Is the vendor large enough to provide the services reliably?
* Are there signifcant negative reviews?

Potential documents to be used are:

* [Third Party Software Validation - New](../../Processes/IT/Third%20Party%20Software%20Validation%20-%20New.md)
* [Investment Form](../../Processes/Purchase/Investment%20Form.md)

Potential documents to be changed are:

* [Outsourced Services](../../Processes/IT/Outsourced%20Services.md)

## Responsible

The responsibility for the outsourcing lies with the head of IT.

2022-01-01 - Version 1.0
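Review bot: "feasability" should be "feasibility" (twice), "trianing" should be "training", "signifcant" should be "significant", and "too unreasonable to acquire" reads better as "unreasonable to acquire". The title "# Outsourcing Guideline" is singular while the file is "Outsourcing Guidelines.md"; pick one so the index link resolves. The supplier evaluation list covers GDPR but not where the vendor stores company data or how it notifies the company of security incidents; since the vendor holds the outsourced competency, consider adding those as checklist items.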
@ -1,8 +0,0 @@
# Software Guideline





2022-01-01 - Version 1.0

@ -6,8 +6,8 @@ The whistleblower system is a way to allow anyone to report illegal behavior or

Compliance complaints can arrive in the following three ways:

* Email: [compliance@karaka.app](compliance@karaka.app) (is automatically sent to all compliance officers)
* Letter in an enveloper addressed to: Compliance (handed over by the secretariat to any compliance officer. The secretariat sends a email to [compliance@karaka.app](compliance@karaka.app), that a compliance mail arrived and who received the letter)
* Email: [compliance@jingga.app](compliance@jingga.app) (is automatically sent to all compliance officers)
* Letter in an enveloper addressed to: Compliance (handed over by the secretariat to any compliance officer. The secretariat sends a email to [compliance@jingga.app](compliance@jingga.app), that a compliance mail arrived and who received the letter)
* Direct contact to any compliance officer mentioned in the [Organigram](../Processes/Organigram.md).

## Information
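Review bot: `[compliance@jingga.app](compliance@jingga.app)` renders as a relative link to a file named "compliance@jingga.app", not as an email link; use `mailto:compliance@jingga.app` as the link target (the karaka.app lines being replaced had the same problem). "enveloper" should be "envelope" and "a email" should be "an email".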
@ -134,6 +134,8 @@ The reporting for the organization is done once a month and shared with differen

The deadline is the 5th work day of the following month.

### Contents

### Responsibilities

The tasks and responsibilities can be found in the [Monthly Reporting Checklist](./Finance/Reporting/Monthly%20Reporting%20Checklist.md). The checklist must be signed by every responsible person after completing the defined task. (**R10**)
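Review bot: the new "### Contents" heading has no body before "### Responsibilities"; either add the list of report contents or leave the heading out until it exists.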
@ -17,12 +17,11 @@
| Policies & Guidelines | IT: [Back & Data Recovery](../Policies%20&%20Guidelines/IT/Backup%20&%20Data%20Recovery.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Change Management](../Policies%20&%20Guidelines/IT/Change%20Management.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Database Guidelines](../Policies%20&%20Guidelines/IT/Database%20Guidelines.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Development and Maintenance](../Policies%20&%20Guidelines/IT/Development%20and%20Maintenance.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [General Employee Guideline](../Policies%20&%20Guidelines/IT/General%20Employee%20Guideline.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Infrastructure](../Policies%20&%20Guidelines/IT/Infrastructure.md) | Head of IT and CTO | CTO |
| Policies & Guidelines | IT: [IT Security](../Policies%20&%20Guidelines/IT/IT%20Security.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Operations Guidelines](../Policies%20&%20Guidelines/IT/Operations%20Guideline.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Password Guideline](../Policies%20&%20Guidelines/IT/Password%20Guideline.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Software Guidelines](../Policies%20&%20Guidelines/IT/Software%20Guidelines.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Back & Data Recovery](../Policies%20&%20Guidelines/IT/Backup%20&%20Data%20Recovery.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | IT: [Outsourcing Guidelines](../Policies%20&%20Guidelines/IT/Outsourcing%20Guideliens.md) | Head of IT and CTO | DQM or CEO |
| Policies & Guidelines | Sales: [Export Control](../Policies%20&%20Guidelines/Sales/Export%20Control.md) | Export Control Officer | CEO |
| Policies & Guidelines | Sales: [Export Control](../Policies%20&%20Guidelines/Sales/Pricing%20Policy.md) | CSO | CEO |
| Policies & Guidelines | [Car Pool Policy](../Policies%20&%20Guidelines/Car%20Pool%20Policy.md) | Fleet Manager | CEO |
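Review bot: the Outsourcing row links to "Outsourcing%20Guideliens.md", but the file added in this commit is "Outsourcing Guidelines.md", so the link is broken. The rows for "Development and Maintenance" and "Software Guidelines" point at files this commit deletes (the two @ -1,8 +0,0 hunks); remove those rows as well or the links dangle. "Back & Data Recovery" should read "Backup & Data Recovery", and the Sales row whose link goes to Pricing%20Policy.md is labelled "Export Control" instead of "Pricing Policy".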
@ -62,8 +61,8 @@
| Processes | Quality Management: [Quality Management Flow Chart](./08_Quality%20Management_Flowchart.md) | DQM and CEO | CEO |
| Processes | Quality Management: [Quality Management Risk Control Matrix](./08_Quality%20Management_Risk%20Control%20Matrix.md) | DQM and CEO | CEO |
| Processes/COSO | Quality Management: [Risk Management](./Quality%20Management/COSO/Risk%20Management) | CFO and DQM | CEO |
| Processes/COSO | Quality Management: [CLC](./Quality%20Management/COSO/CLC.md) | DQM and CEO | CEO |
| Processes/COSO | Quality Management: [ITGC](./Quality%20Management/COSO/ITGC.md) | Head of IT and DQM | CEO |
| Processes/COSO | Quality Management: [CLC](./Quality%20Management/COSO/CLC.md) | DQM and CEO | CEO |
| Processes/COSO | Quality Management: [ITGC](./Quality%20Management/COSO/ITGC.md) | Head of IT and DQM | CEO |
| Processes | Development: [Tutorials](./Development/Tutorials) | HOCS and CTO | CTO |
| Processes | Finance: [Budgeting](./Finance/Budgeting) | CFO | DQM or CEO |
| Processes | Finance: [Financial Closing](./Finance/Financial%20Closing) | CFO | DQM or CEO |
@ -14,11 +14,9 @@
| Create investment report | | | |
| Create cash reporting | | | |
| Create HR reporting | | | |
| Create KPI reportings | | | |
| Create KPI reporting | | | |
| Verify reporting | | | |
| Submit reporting | | | |



2022-01-01 - Version 1.0

6
Processes/IT/Outsourced Services.md
Normal file
@ -0,0 +1,6 @@
# Outsourced Services
| Service | Description | Vendor |
| --------------- | ----------------------- | -------------------- |
| Hosting | Website hosting | ispOne business GmbH |
| Version control | Version control hosting | Microsoft |
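Review bot: the new Outsourced Services list only has Hosting and Version control, but the vendor table changed in this same commit also lists Namecheap, Inc. as the domain provider; add a `| Domain | Domain registration | Namecheap, Inc. |` row so the two documents agree. The version control vendor is given as "Microsoft" while the evidence links elsewhere in this commit point at github.com; naming the service (GitHub) avoids ambiguity. The new file also lacks the `2022-01-01 - Version 1.0` footer the other documents in this commit carry.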
@ -26,7 +26,7 @@
| tricoma AG | tricoma | 40 | ? |
| weclapp SE | weclapp | 100 | 7 |
### Branche overview
### Branch overview
| Name | Production | Retail | Wholesale | Service | Other |
| --------------------------------------- | ---------- | ------ | --------- | ------- | ----- |
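Review bot: the heading fix from "Branche overview" (German) to "Branch overview" is correct, but the tricoma AG row in the same hunk still carries `?` in its last column; either fill the value from the IHK brochure cited in this document's disclaimer or use a consistent "n/a" marker so the placeholder is not read as data.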
@ -74,106 +74,6 @@
| tricoma | x | x | x | x | x | x | x |
| weclapp | x | x | | x | x | x | x |
### Procurement functionality
| | 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------------------------------- | -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- |
| Supplier core data | | | | | | | | | | | | | | | | | | | |
| Supplier analysis and evaluation | | | | | | | | | | | | | | | | | | | |
| Inquiry handling | | | | | | | | | | | | | | | | | | | |
| Offer comparison | | | | | | | | | | | | | | | | | | | |
| Order monitoring | | | | | | | | | | | | | | | | | | | |
| Master contracts with suppliers | | | | | | | | | | | | | | | | | | | |
| Foreacsting procurement | | | | | | | | | | | | | | | | | | | |
| Estimating order quantities | | | | | | | | | | | | | | | | | | | |
| Electronic ordering | | | | | | | | | | | | | | | | | | | |
| Quotation | | | | | | | | | | | | | | | | | | | |
| Delivery schedule | | | | | | | | | | | | | | | | | | | |
| Alloy surcharge | | | | | | | | | | | | | | | | | | | |
| Provision | | | | | | | | | | | | | | | | | | | |
| Supplier integration/interface | | | | | | | | | | | | | | | | | | | |
| Supplier login | | | | | | | | | | | | | | | | | | | |
### Sales functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Production functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Quality Management functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Logistics functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Accounting functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Controlling functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### HR functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Branch specific functionality
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Technologies
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
### Other functionalities
| 4SELLERS | ams.erp | APplus | e.bootis-ERP | lexbizz | HELIUM 5 | canias4.0 | JTL-Wawi | Microsoft Dynamics 365 | myfactory | oxaion | Pickware ERP | proALPHA ERP | PSIpenta | Sage 100 | AvERP | TimeLine Enterprise | tricoma | weclapp |
| -------- | ------- | ------ | ------------ | ------- | -------- | --------- | -------- | ---------------------- | --------- | ------ | ------------ | ------------ | -------- | -------- | ----- | ------------------- | ------- | ------- | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | | | | | | |
## Disclaimer
The data are only for internal use. The completeness and correctness is not guaranteed. The main focus is on German software vendors. The source for the data can be found at https://www.wuerzburg.ihk.de/fileadmin/user_upload/PDF/Innovation_Umwelt/E-Business/ERP-Systeme_Broschure_NEU.pdf.
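Review bot: this hunk replaces 106 lines with 6, i.e. it drops every functionality skeleton table from "Procurement functionality" to "Other functionalities" and keeps only the tricoma/weclapp rows and the Disclaimer. The Procurement table's row labels ("Supplier core data" through "Supplier login") are the only evaluation criteria written down in this document, so keep that criteria list even without vendor columns, or move it to a TODO, and fix "Foreacsting procurement" while doing so. The other removed tables were empty and their header rows lacked the leading row-label column, so dropping them loses nothing. The remaining disclaimer calls the data "only for internal use" while citing a public IHK brochure as the source; say which part is internal (the assessment) so the statement is not contradicted by the citation.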
@ -23,6 +23,8 @@
| Fonticons, Inc. | Font Awesome | Icon font | 0 EUR | single purchase | very low | Alternative solutions are already implemented and ready for use. | No significant issues. | Dennis Eichhorn | 2022-01-01 |
| Roonas | Linearicons | Icon font | 0 EUR | single purchase | very low | Alternative solutions are already implemented and ready for use. | No significant issues. | Dennis Eichhorn | 2022-01-01 |
| Lineicons | Lineicons | Icon font | 0 EUR | single purchase | very low | Alternative solutions are already implemented and ready for use. | No significant issues. | Dennis Eichhorn | 2022-01-01 |
| ispOne business GmbH | Hosting | Website hosting | 49.41 EUR per year | subscription | very low | Alternative solutions exist and can be implemented within 1 day. | No significant issues. | Dennis Eichhorn | 2022-01-01 |
| Namecheap, Inc. | Domain | Domain provider | 13.24 EUR per year | subscription | medium | Alternatvie solutions exist however losing the domain name would hurt the marketing. | No significant issues. | Dennis Eichhorn | 2022-01-01 |
</gr_replreplace>
<gr_insert after="1812" cat="add_content" orig="> Single">
Review bot: "Alternatvie solutions" in the Namecheap row is a typo. The same row is rated "medium" because losing the domain would hurt marketing, yet its issues column says "No significant issues"; record the control that justifies the rating (for example auto-renewal and a registrar transfer lock on the domain, plus who holds the registrar account) so the medium rating is traceable to a mitigation rather than contradicted by the next cell. The ispOne row's "can be implemented within 1 day" is a recovery-time claim; if it is meant as an RTO, state it as such and name the alternative.
</gr_insert>
<gr_replace lines="1813-1822" cat="remove_boilerplate" orig="|">
> Single purchase can also mean one time download for software without any dependency on other services.
|
||||
|
||||
|
|
|
|||
|
|
@ -2,29 +2,29 @@
| No. | Component | Control Area | Question | Answer | Evidences |
| ---- | ----------------------------- | ------------------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | Control Environment | Management philosophy and application | Does management determine the management philosophy, operating style and code of ethics and how are they communicated to the employees? | Yes, all are described in the organization guidelines which are available to every employee. | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 2 | Control Environment | Management philosophy and application | Which procedures or processes do you have to re-mediate detected behaviors deviating from the management philosophy, operating style and code of ethics. | Employees can submit deviations to a public email and employees can openly mention such deviations. | [Code of Conduct](../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Discussions](https://github.com/orgs/Karaka-Management/discussions)<br />[Issues](https://github.com/Karaka-Management/Karaka/issues) |
| 3 | Control Environment | Management philosophy and application | In case you find deviations from the principles, how do you deal with them? | So far no such case occurred but the company deals with them according to the German law and as described in the policies. | Code of Conduct<br />Organization Guidelines<br />Conflict of Interest Policy<br />Confidentiality Policy |
| 4 | Control Environment | Director | How do you define the responsibilities of the management in regard to the financial reporting and relevant internal controls? | They are defined by the legal obligations and the processes. | Processes |
| 1 | Control Environment | Management philosophy and application | Does management determine the management philosophy, operating style and code of ethics and how are they communicated to the employees? | Yes, all are described in the organization guidelines which are available to every employee. | [Code of Conduct](../../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Organization Guidelines](../../../Policies%20%26%20Guidelines)<br />[Conflict of Interest Policy](../../../Policies%20%26%20Guidelines/Conflict%20of%20Interest%20Policy.md)<br />[Confidentiality Policy](../../../Policies%20%26%20Guidelines/Confidentiality%20Policy.md) |
| 2 | Control Environment | Management philosophy and application | Which procedures or processes do you have to re-mediate detected behaviors deviating from the management philosophy, operating style and code of ethics. | Employees can submit deviations to a public email and employees can openly mention such deviations. | [Code of Conduct](../../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Discussions](https://github.com/orgs/Karaka-Management/discussions)<br />[Issues](https://github.com/Karaka-Management/Karaka/issues) |
| 3 | Control Environment | Management philosophy and application | In case you find deviations from the principles, how do you deal with them? | So far no such case occurred but the company deals with them according to the German law and as described in the policies. | [Code of Conduct](../../../Policies%20%26%20Guidelines/Code%20of%20Conduct.md)<br />[Organization Guidelines](../../../Policies%20%26%20Guidelines)<br />[Conflict of Interest Policy](../../../Policies%20%26%20Guidelines/Conflict%20of%20Interest%20Policy.md)<br />[Confidentiality Policy](../../../Policies%20%26%20Guidelines/Confidentiality%20Policy.md) |
| 4 | Control Environment | Director | How do you define the responsibilities of the management in regard to the financial reporting and relevant internal controls? | They are defined by the legal obligations and the processes. | [Processes](../../) |
| 5 | Control Environment | Director | How does the board of directors or corporate auditors supervise the performance of management regard the financial reporting and relevant internal controls? | The financial statement and controls are audited annualy by independent auditors. | Annual year end audit |
| 6 | Control Environment | Organization | How does the management appropriately improve organizational structures or practices to resolve existing problems considering the size, content of the operations and business objectives of the company? | During the budget process and if necessary based on information provided during meetings such as the executive committee meeting. | Budget<br />Executive Committee Meeting Minutes |
| 7 | Control Environment | Organization | How does the management assign roles in regard to each function and activity unit in the company? | This is handled in the organigram. | Organigram<br />Processes<br />Checklists |
| 8 | Control Environment | Organization | How do you clarify segregation of duties and appropriately delegate authority and responsibilities to personnel in charge of each function and activity unit in the company? | This is implemented in the organigram and in the processes. | Organigram<br />Processes<br />Checklists |
| 9 | Control Environment | Organization | Does the management assign a person in charge for each role? | Yes. This can be seen in the organigram. | Organigram<br />Processes<br />Checklists |
| 10 | Control Environment | Power | How are the assignment of responsibilities and delegation of authority made clear to all employees? | This can be seen in the organigram and processes available to all employees. | Organigram<br />Processes<br />Checklists |
| 11 | Control Environment | Power | How are the delegation of responsibilities and authority to employees, etc. updated in case organizational structures or other fundamentals of the company are changed? | Updates are implemented immediately on organizational structure changes or in case of changes in employees. | Organigram<br />Processes<br />Checklists |
| 12 | Control Activities | Business procedure | Which policies and procedures or operating manuals established to ensure the performance of control activities that sufficiently mitigate and address the risks in business operations, especially in regard to the reliability of the financial reporting exist? | The company implemented the process descriptions, risk control matrices of every process, risk management, CLC and ITGC. | Process Risk Control Matrix<br />Risk Management<br />Risk Review<br />CLC<br />ITGC |
| 7 | Control Environment | Organization | How does the management assign roles in regard to each function and activity unit in the company? | This is handled in the organigram. | [Organigram](../../Organigram.md)<br />[Processes](../../)<br />Checklists |
| 8 | Control Environment | Organization | How do you clarify segregation of duties and appropriately delegate authority and responsibilities to personnel in charge of each function and activity unit in the company? | This is implemented in the organigram and in the processes. | [Organigram](../../Organigram.md)<br />[Processes](../../)<br />Checklists |
| 9 | Control Environment | Organization | Does the management assign a person in charge for each role? | Yes. This can be seen in the organigram. | [Organigram](../../Organigram.md)<br />[Processes](../../)<br />Checklists |
| 10 | Control Environment | Power | How are the assignment of responsibilities and delegation of authority made clear to all employees? | This can be seen in the organigram and processes available to all employees. | [Organigram](../../Organigram.md)<br />[Processes](../../)<br />Checklists |
| 11 | Control Environment | Power | How are the delegation of responsibilities and authority to employees, etc. updated in case organizational structures or other fundamentals of the company are changed? | Updates are implemented immediately on organizational structure changes or in case of changes in employees. | [Organigram](../../Organigram.md)<br />[Processes](../../)<br />Checklists |
| 12 | Control Activities | Business procedure | Which policies and procedures or operating manuals established to ensure the performance of control activities that sufficiently mitigate and address the risks in business operations, especially in regard to the reliability of the financial reporting exist? | The company implemented the process descriptions, risk control matrices of every process, risk management, CLC and ITGC. | Process Risk Control Matrix<br />[Risk Management](Risk%20Management/Risk%20Management.md)<br />Risk Review<br />[CLC](./CLC.md)<br />[ITGC](./ITGC.md) |
| 13 | Control Activities | Business procedure | How do you confirm if employees perform their operations in compliance with policies and procedures or operating manuals? | This is done through the implemented controls and annual risk review. | Process Risk Control Matrix<br />Risk Review |
| 14 | Control Environment | Personnel deployment and training | How does the management identify the competencies necessary for the company and procure/dispatch qualified personnel | This is done during the HR search and the employee evaluation. | Job description<br />Employee Evaluation Form |
| 15 | Control Environment | Personnel deployment and training | How are the competencies necessary reviewed regularly and maintained appropriately? | This is done during the HR search and the annual employee evaluation. | Job description<br />Employee Evaluation Form |
| 16 | Control Environment | Personnel deployment and training | Does the management provide employees, etc. with the means, training etc. necessary to fulfill their duties and support them in the improvement of their abilities and how is this implemented? | This is done during the training period and checked in the employee evaluation. If additional training or competencies are identified they are trained internally or through external seminars. | Training Form<br />Employee Evaluation Form |
| 17 | Control Environment | Personnel evaluation | What are your personnel evaluation standards? | All employee evaluations must be performed based on the standard evaluation form once a year. | Employee Evaluation Form |
| 18 | Control Environment | Personnel evaluation | How are the personnel evaluation standards regularly reviewed and updated appropriately? | During the annual quality management audit the evaluation form is reviewed. | Quality Management Audit Checklist |
| 19 | Risk Assessment and Response | Risk assessment structure | Is there an effective risk assessment system that involves appropriate levels of the management and managers? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 20 | Risk Assessment and Response | Risk assessment structure | Does the management asses the risk considering not only superficial facts but also backgrounds, incidents and other substantial elements? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 21 | Risk Assessment and Response | Risk assessment structure | Does the management appropriately assess and address fraud risks based on not only superficial facts regarding fraud, but also incentives, causes, backgrounds and other factors that may result in fraud? | Yes. | Risk Management<br />Risk Review<br />Risk Register<br />Processes<br />Process Risk Control Matrix |
| 19 | Risk Assessment and Response | Risk assessment structure | Is there an effective risk assessment system that involves appropriate levels of the management and managers? | Yes. | [Risk Management](Risk%20Management/Risk%20Management.md)<br />Risk Review<br />Risk Register<br />[Processes](../../)<br />Process Risk Control Matrix |
| 20 | Risk Assessment and Response | Risk assessment structure | Does the management asses the risk considering not only superficial facts but also backgrounds, incidents and other substantial elements? | Yes. | [Risk Management](Risk%20Management/Risk%20Management.md)<br />Risk Review<br />Risk Register<br />[Processes](../../)<br />Process Risk Control Matrix |
| 21 | Risk Assessment and Response | Risk assessment structure | Does the management appropriately assess and address fraud risks based on not only superficial facts regarding fraud, but also incentives, causes, backgrounds and other factors that may result in fraud? | Yes. | [Risk Management](Risk%20Management/Risk%20Management.md)<br />Risk Review<br />Risk Register<br />[Processes](../../)<br />Process Risk Control Matrix |
| 22 | Risk Assessment and Response | Risk assessment structure | How does the management reassess the risk and take appropriate measures whenever changes occur that may have a significant impact on the company? | This is done at least annually during the risk review. | Risk Review |
| 23 | Communication and information | Communicating information | How are the management's or supervisor's instruction communicated to all employees? | This is done by providing the processes, policies and guidelines to all employees. | Processes<br />Policies |
| 23 | Communication and information | Communicating information | How are the management's or supervisor's instruction communicated to all employees? | This is done by providing the processes, policies and guidelines to all employees. | [Processes](../../)<br />Guidelines & Policies |
| 24 | Communication and information | Internal reporting | Do you have the Whistleblower System or other internal reporting program? | Yes, there is a whistleblower system in place. | Whistleblower System |
| 25 | Communication and information | Internal reporting | Is the system or program in operation according to its original design? | Yes, according to the annual check. | Quality Management Audit Checklist |
| 26 | Communication and information | Financial information | How does the management acquire or access the accounting and financial information of the company? | Financial information are provided during the budgeting process, monthly reporting and executive committee meeting. | Budget<br />Monthly Reporting<br />Executive Committee Meeting |
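Review bot: row 2 states that deviations from the code of ethics are reported to a "public email" and links the public GitHub Discussions and Issues pages as evidence; reports of Code of Conduct violations carry personal data about the reporter and the reported person, so the evidence should point at the Whistleblower System named in row 24 (which itself has no link) rather than at public channels, and the answer should say which channel is confidential. Smaller points in the same hunk: "annualy" (row 5) and "asses" (row 20) are typos; rows 1 and 3 repeat the same four-link evidence block, which could reference a single list; "Risk Review" and "Risk Register" remain unlinked in rows 12, 13 and 19 to 22 although "Risk Management" now links a file.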
@ -4,17 +4,16 @@
| ---- | -------------------------- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------------------------ |
| 1 | General closing | Principle of financial reporting | Which basic financial reporting policies do you have? | The organization follows the German law regarding financial reporting and has various internal reporting policies and guidelines. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Accounting<br />Process: Finance |
| 2 | General closing | Understanding accounting policies | Who approves the accounting policies and how are changes implemented? | The company follows the German laws. Internal accounting policies are approved by the CFO. Changes can be implemented by any accounting employee but must be approved by the CFO. | Financial laws (i.e. HGB, AO, Ustg, ...)<br />Policies: Accounting |
| 3 | General closing | Accounting manual | Which accounting manuals and related documents exist? | Policies: Accounting<br />Process: Finance | |
| 4 | General closing | Seggregation of duties | How are the duties of posting financial data, collecting financial data and approving financial data for the reporting seggregated? | Financial data is posted by accountants, the collection of financial data is handled by controllers and the approval of the reporting data is performed by the CFO. | |
| 5 | General closing | Management of accounting system | What are the accounting systems access control mechanisms and how are they implemented? | The accounting system is username and password protected with access restrictions according to the position and function of every person. | |
| 6 | General closing | Management of accounting system | How is the financial data stored and maintained in the accounting system to prevent them from being altered unauthorized? | Accounting data are stored digitally and can only be accessed and modified based on individual user permissions. | |
| 7 | General closing | Management of accounting system | What are the accounting systems functions to prevent alterations or modifications after the settlement of the accounts? | Accounting periods can be locked preventing further alterations in the accounting system. | |
| 8 | General closing | Closing schedule | What is your closing schedule and how do you ensure the completion of the closing in time? | | |
| 3 | General closing | Accounting manual | Which accounting manuals and related documents exist? | Various accounting policies and a finance process. | Policies: Accounting<br />Process: Finance |
| 4 | General closing | Seggregation of duties | How are the duties of posting financial data, collecting financial data and approving financial data for the reporting seggregated? | Financial data is posted by accountants, the collection of financial data is handled by controllers and the approval of the reporting data is performed by the CFO. | Process: Finance |
| 5 | General closing | Management of accounting system | What are the accounting systems access control mechanisms and how are they implemented? | The accounting system is username and password protected with access restrictions according to the position and function of every person. | ITGC |
| 6 | General closing | Management of accounting system | How is the financial data stored and maintained in the accounting system to prevent them from being altered unauthorized? | Accounting data are stored digitally and can only be accessed and modified based on individual user permissions. | ITGC |
| 7 | General closing | Management of accounting system | What are the accounting systems functions to prevent alterations or modifications after the settlement of the accounts? | Accounting periods can be locked preventing further alterations in the accounting system. | Screenshot |
| 8 | General closing | Closing schedule | What is your closing schedule and how do you ensure the completion of the closing in time? | The financial closing is on the 5th business day of the following month. This is ensured through sufficient qualified personnel, reporting tools and monthly closing check lists. | Process: Finance<br />Checklists |
| 9 | None-consolidation closing | Information and evidence | Do you keep references for financial statements including evidences such as contracts and invoices of significant transactions and how do you store them? | References are stored digitally for at least 10 years according to the German law. | |
| 10 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you prepare figures of accounts, such as allowances, which need accounting estimates? | Estimates are performed based on historic experiences and risk avoidance. | |
| 11 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you ensure the completeness and correctness of the journal entries? | Completeness is ensured by comparison to historic and budget figures as well as open orders. Correctness is ensured through comparison with historic and budget figures. | |
| 12 | None-consolidation closing | Preparation and approval of non-consolidated financial information | Which financial analysis do you perform (e.g. comparison of actuals and budget/previous year, KPI analysis, ...)? | Actual vs. budget, actual vs. previous year and KPI figures are analysed. | |
| 13 | Reporting package | Preparation and approval of reporting package | How do you ensure the necessary competencies for the employees involved in the creation of the financial closing and financial reporting? | This is done during the HR search and the employee evaluation. | |
| 10 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you prepare figures of accounts, such as allowances, which need accounting estimates? | Estimates are performed based on historic experiences and risk avoidance. | Guidelines: Provisions |
| 11 | None-consolidation closing | Preparation and approval of non-consolidated financial information | How do you ensure the completeness and correctness of the journal entries? | Completeness is ensured by comparison to historic and budget figures as well as open orders. Correctness is ensured through comparison with historic and budget figures. | Process: Finance |
|
||||
| 12 | None-consolidation closing | Preparation and approval of non-consolidated financial information | Which financial analysis do you perform (e.g. comparison of actuals and budget/previous year, KPI analysis, ...)? | Actual vs. budget, actual vs. previous year and KPI figures are analyzed. | Process: Finance |
|
||||
| 13 | Reporting package | Preparation and approval of reporting package | How do you ensure the necessary competencies for the employees involved in the creation of the financial closing and financial reporting? | This is done during the HR search and the employee evaluation. | Job description<br />Employee Evaluation Form |
|
||||
| 14 | Reporting package | Preparation and approval of reporting package | Who approves the reporting package or revisions thereof? | CFO | |
|
||||
|
||||
2022-01-01 - Version 1.0
|
||||
|
|
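Review bot: rows 9 and 14 still have an empty evidence column while rows 10 to 13 now cite a guideline, process or form; row 9 states that references are retained digitally for at least 10 years under German law, so the retention rule or archive location should be named as evidence there, and row 14 (CFO approves the reporting package) should point to the approval record. Also note the spelling "None-consolidation closing" in the second column, where "Non-consolidation closing" is meant, and row 11 offers the same comparison against historic and budget figures as the answer for both completeness and correctness; it is worth stating which check actually catches a wrongly booked entry (for example the contracts and invoices referenced in row 9).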
@ -44,7 +44,7 @@
|
|||
| ------------------------------------------------------------ | ------------ | ------------------------------------------------------------ | ------------------------------- |
|
||||
| What is the number of user? | A | Large number of users in large number of user locations/departments | Organigram<br />Permission List |
|
||||
| What is the number of user? | OS, DB, N, O | Number of users and user locations/departments is limited | Organigram<br />Permission List |
|
||||
| Frequency of "direct data change"<br /><br />(*"direct data change" means to change data with the utilities such as SQL software*) | N | No direct change to data has been required since its implementation, as the system has been in stable operation | |
|
||||
| Frequency of "direct data change"<br /><br />(*"direct data change" means to change data with the utilities such as SQL software*) | DB | No direct change to data has been required since its implementation, as the system has been in stable operation | |
|
||||
|
||||
### Assessment of Design Effectiveness
|
||||
|
||||
|
|
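Review bot: the changed row replaces the application-layer (A) statement "Large number of users in large number of user locations/departments" with an OS, DB, N, O row saying the number of users is limited, so the application layer now has no user-count statement in this table at all; if that is intended, say so in the commit message, otherwise keep both rows. Moving the "direct data change" row from N to DB is consistent with the row's own definition (changes made with SQL utilities act on the database, not the network). Minor: "What is the number of user?" should read "users".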
@ -52,43 +52,43 @@
|
|||
| ---- | ------------------------------------------------------------ | --------------- | ------------------------------------------------------------ | ------------------------------------------------------------ |
|
||||
| 1 | Describe the user authentication process. | A, OS, DB, N, O | User-ID and password are assigned on an individual basis and necessary for accessing digital data. | Application login screen<br />OS login screen<br />DB login screen<br />Server login screen |
|
||||
| 2 | How are user and access rights granted to each user documented? | A | A list of users is prepared with the rights granted to each user. This list is generated from the system | Application permission List |
|
||||
| 2 | How are user and access rights granted to each user documented? | OS, DB, N, O | A list of users is prepared with the rights granted to each user | Permission List |
|
||||
| 3 | Do you have policies and procedures for user-ID administration? | A, OS, DB, N, O | Policies and procedures for user-ID administration (add, change, remove, and periodic user validation) are described in an authorized documentation. The documentation is prepared and authorized by the head of IT | |
|
||||
| 4 | How do you perform user validation? | A, OS, DB, N, O | Periodic user validation is performed, this means each user's access rights are reviewed on a periodic basis. Performed both in terms of existence of user and the detailed access rights granted to each user-ID on an annual basis by the head of IT | |
|
||||
| 5 | How are user-ID administration requests approved? | A, OS, DB, N, O | User-ID administration requests are approved by managers in user dpt. and/or IT dpt, as appropriate. Records are maintained in the change management | |
|
||||
| 6 | How do you handle access to IT functions? | A, OS, DB, N, O | Access to privileged IT functions is restricted to appropriate personnel. Logs of the use of such privileged user-IDs are reviewed annually | |
|
||||
| 7 | Describe the password/authentication complexity. | A, OS, DB, N, O | Password complexity is configured based on a minimum length of 8, at least one upper case letter, at least one lower case letter, at least one special character and at least one numeric value. Password changes must happen every 3 months | |
|
||||
| 8 | Which policies and procedures for direct change to data do you have? | DB | Only the head of IT may perform and authorize direct changes to the data | |
|
||||
| 9 | How do you handle direct data changes? | DB | Direct changes to data must be authorized by the head of IT. No direct changes to data where made | |
|
||||
| 10 | Do you test data after direct changes? | DB | Direct change to data are tested and documented. No direct changes to data where made | |
|
||||
| 11 | How do you restrict direct data changes? | DB | Only the head of IT has write/change permissions to the DB | |
|
||||
| 12 | How do you restrict access to applications and OS? | A, OS | Data and programs on a stand-alone PC are in control of the user. User permissions for applications, data on the server and OS are restricted appropriately. | |
|
||||
| 12 | How do you restrict access to server hardware and databases? | DB | Server(s) are located in a machine room with appropriate physical access control. | |
|
||||
| 2 | How are user and access rights granted to each user documented? | OS, DB, N, O | A list of users is prepared with the rights granted to each user / user group. The active permissions can be seen in the IT systems | Permission List |
|
||||
| 3 | Do you have policies and procedures for user-ID administration? | A, OS, DB, N, O | Policies and procedures for user-ID administration (add, change, remove, and periodic user validation) are described in an authorized documentation. The documentation is prepared and authorized by the head of IT | Permission Policy |
|
||||
| 4 | How do you perform user validation? | A, OS, DB, N, O | Periodic user validation is performed, this means each user's access rights are reviewed on a periodic basis. Performed both in terms of existence of user and the detailed access rights granted to each user-ID on an annual basis by the head of IT | Permission Policy |
|
||||
| 5 | How are user-ID administration requests approved? | A, OS, DB, N, O | User-ID administration requests are approved by managers in user dpt. and/or IT dpt, as appropriate. Records are maintained in the change management | Change Management |
|
||||
| 6 | How do you handle access to IT functions? | A, OS, DB, N, O | Access to privileged IT functions is restricted to appropriate personnel. Logs of the use of such privileged user-IDs are reviewed annually | Permission List<br />IT Security |
|
||||
| 7 | Describe the password/authentication complexity. | A, OS, DB, N, O | Password complexity is configured based on a minimum length of 8, at least one upper case letter, at least one lower case letter, at least one special character and at least one numeric value. Password changes must happen every 3 months | IT Security |
|
||||
| 8 | Which policies and procedures for direct change to data do you have? | DB | Only the head of IT may perform and authorize direct changes to the data | Database Guidelines |
|
||||
| 9 | How do you handle direct data changes? | DB | Direct changes to data must be authorized by the head of IT. No direct changes to data where made | Database Guidelines |
|
||||
| 10 | Do you test data after direct changes? | DB | Direct change to data are tested and documented. No direct changes to data where made | Database Guidelines |
|
||||
| 11 | How do you restrict direct data changes? | DB | Only the head of IT has write/change permissions to the DB | Permission List |
|
||||
| 12 | How do you restrict access to applications and OS? | A, OS | Data and programs on a stand-alone PC are in control of the user. User permissions for applications, data on the server and OS are restricted appropriately. | IT Security |
|
||||
| 12 | How do you restrict access to server hardware and databases? | DB | Server(s) are located in a machine room with appropriate physical access control. | IT Security |
|
||||
|
||||
## System Operation and Administration
|
||||
|
||||
### Points to consider
|
||||
|
||||
| Question | Situation | Evidences |
|
||||
| ------------------------------------- | ------------------------------------------------------------ | --------- |
|
||||
| Frequency of problems/incidents | Material failure such as miscalculation or malfunction of the system has not occurred. | |
|
||||
| Frequency of changes to job schedules | Changes to job schedules occur frequently but most of them are those in execution date | |
|
||||
| Frequency of Non/Scheduled job | Non/Scheduled job is required in some cases but its frequency is low | |
|
||||
| Question | Situation | Evidences |
|
||||
| ------------------------------------- | ------------------------------------------------------------ | ---------------------- |
|
||||
| Frequency of problems/incidents | Material failure such as miscalculation or malfunction of the system has not occurred | |
|
||||
| Frequency of changes to job schedules | Changes to job schedules occur frequently but most of them are those in execution date/time | Change Management logs |
|
||||
| Frequency of Non/Scheduled job | Non/Scheduled job is required in some cases but its frequency is low | Change Management logs |
|
||||
|
||||
### Assessment of Design Effectiveness
|
||||
|
||||
| No. | Question | Situation | Evidences |
|
||||
| ---- | ------------------------------------------------------------ | ----------------------------------------------------------- | --------- |
|
||||
| 1 | Do you have policies and procedures for backups? | Exists | |
|
||||
| 2 | How do you ensure the completion of backups? | All backup job records are reviewed by monitoring personnel | |
|
||||
| 3 | How do you test backups? | Every backup is automatically tested | |
|
||||
| 4 | Which policies and procedures for job operation do you have? | | |
|
||||
| 5 | How are job schedule changes approved? | | |
|
||||
| 6 | How do you prevent/detect unauthorized changes to job schedules? | | |
|
||||
| 7 | How is the completion of job execution ensured? | | |
|
||||
| 8 | Requests for non-scheduled job execution are authorized | | |
|
||||
| 9 | Which policies and procedures for identifying, resolving, reviewing, and analyzing IT operations problems or incidents exist? | | |
|
||||
| 10 | How are IT operations problems or incidents identified, resolved, reviewed, analyzed, and follow-ups evidenced? | | |
|
||||
| No. | Question | Situation | Evidences |
|
||||
| ---- | ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------------------------------ |
|
||||
| 1 | Do you have policies and procedures for backups? | A Backup & Data Recovery policy exists | Backup & Data Recovery |
|
||||
| 2 | How do you ensure the completion of backups? | All backup jobs are logged and failures are automatically forwarded to the IT department | Backup & Data Recovery |
|
||||
| 3 | How do you test backups? | Every backup is automatically tested | Backup & Data Recovery |
|
||||
| 4 | Which policies and procedures for job operation do you have? | Job guidelines are defined in the Operations Guidelines | Operations Guidelines |
|
||||
| 5 | How are job schedule changes approved? | Changes can only be performed by the IT department. In addition the head of IT is informed about such changes | Operations Guidelines |
|
||||
| 6 | How do you prevent/detect unauthorized changes to job schedules? | Only the IT department can change jobs | Operations Guidelines<br />Permission List |
|
||||
| 7 | How is the completion of job execution ensured? | The completion is ensured through logs and automatic failure messages to the IT department | Operations Guidelines |
|
||||
| 8 | Requests for non-scheduled job execution are authorized | Changes and non-scheduled jobs must be approved by the respective HOD and verified by the IT department | Operations Guidelines |
|
||||
| 9 | Which policies and procedures for identifying, resolving, reviewing, and analyzing IT operations problems or incidents exist? | A operations guideline exist | Operations Guidelines |
|
||||
| 10 | How are IT operations problems or incidents identified, resolved, reviewed, analyzed, and follow-ups evidenced? | | Operations Guidelines |
|
||||
|
||||
## Outsourcing Contract Management
|
||||
|
||||
|
|
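Review bot: two rows in the access-control table carry the number 12 (applications/OS, and server hardware/databases); the second should be 13 so that evidence references to row numbers stay unambiguous. In the operations table, row 10 (how problems or incidents are identified, resolved, reviewed, analyzed and followed up) now cites Operations Guidelines as evidence but still has an empty Situation cell; describe the procedure or leave the evidence cell empty until it is described. Rows 9 and 10 of the access-control table: "No direct changes to data where made" should read "were made". From a control-design standpoint, row 6 says logs of privileged user-ID use are reviewed only annually, and row 7 mandates an 8-character minimum with a forced change every 3 months; an auditor may ask why privileged-activity logs are not reviewed more often, and current guidance (NIST SP 800-63B) favors longer passwords over mandatory periodic rotation, so consider recording the rationale in the IT Security evidence.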
@ -100,10 +100,10 @@
|
|||
|
||||
### Assessment of Design Effectiveness
|
||||
|
||||
| No. | Question | Situation | Evidences |
|
||||
| ---- | ------------------------------------------------------------ | ------------------------------------------------------------ | --------- |
|
||||
| 1 | Which outsourced IT services exist and how are they documented? | Outsourced service are clearly defined and agreed with the service vendor in writing e.g. in contract and/or SLA | |
|
||||
| 2 | How do you ensure the compliance of vendors? | Service vendor's compliance to the service level is periodically reviewed | |
|
||||
| 3 | How do you ensure the quality of the service vendors? | Regular review of service vendors is conducted in terms of appropriateness of the services defined, service vendor's ability to render the required service level, etc. | |
|
||||
| No. | Question | Situation | Evidences |
|
||||
| ---- | ------------------------------------------------------------ | ------------------------------------------------------------ | --------------------- |
|
||||
| 1 | Which outsourced IT services exist and how are they documented? | Outsourced service are clearly defined and agreed with the service vendor in writing e.g. in contract and/or SLA | Outsourced Services |
|
||||
| 2 | How do you ensure the compliance of vendors? | Service vendor's compliance to the service level is periodically reviewed | Outsourcing Guideline |
|
||||
| 3 | How do you ensure the quality of the service vendors? | Regular review of service vendors is conducted in terms of appropriateness of the services defined, service vendor's ability to render the required service level, etc. | Outsourcing Guideline |
|
||||
|
||||
2022-01-01 - Version 1.0
|
||||
|
|
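Review bot: rows 2 and 3 cite "Outsourcing Guideline" while row 1 cites "Outsourced Services"; check that these match the actual document titles (the rest of the file uses the plural "Guidelines", e.g. "Operations Guidelines", "Database Guidelines") so the cross-references resolve. Wording in row 1: "Outsourced service are clearly defined" should be "services are"; row 2: "compliance to the service level" reads better as "compliance with". Row 2 also says compliance is reviewed "periodically" without a cadence, whereas the other tables state annual or quarterly intervals; naming the interval would make the control testable.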