From: C/AU
Issue/Amendment: E3
Page: 1/36
Our Reference: C/AUC, C/AUT
1. Introduction
The main focus of the internal audits during the past years has been adherence to central directives and guidelines, as well as the efficiency of procedures within commercial and technical processes and information processing.
We identified deficiencies, some of them considerable or serious. This document gives an overview of deficiencies that were repeatedly identified, or that were evaluated as considerable or serious, during the internal audits of the past years. Among other effects, they may increase the risk of fraud or hamper the detection of fraudulent actions.
Please check whether the following or similar weak points exist in your area of responsibility and start corrective actions where needed.
If you have questions, please contact us.
2.
2.1 Accounting
2.1.1 Accounts Receivable
A dunning procedure for outstanding amounts did not exist; interest on overdue amounts was not reclaimed.
Processes to block customers or to take legal measures were not defined.
Postings were not carried out at all or not in a timely manner (e.g. the total sum of various documents entered at the end of the month).
2.1.2 Accounts Payable
Credit notes received from the supplier were not processed in a timely manner.
For the creation of vendor master data, the dual review principle was not adhered to; there was no separation of functions; a procedure did not exist; mitigating controls were not conducted.
A procedure to create and update vendor data did not exist; too many departments had authorization to create or change vendor data.
A posting system or posting books did not exist; postings were done by another RG based on monthly Excel files.
Invoice Checking
Verification of price or content was not carried out, or the verification of price and content was carried out by the same employee (no dual review principle).
Invoices for transportation were not checked according to the dual review principle (including price check); invoices were checked after journal and payment release.
The signatory list was not used for invoice checking; invoice checking was conducted without sufficient supporting documents (e.g. purchase order); invoice verification was conducted by the same employee who placed the order.
Invoices were released for payment by unauthorized employees, or a regulation for approving payment of invoices without a purchase order (PO) did not exist.
Processes to prevent double payment of invoices (e.g. entering the invoice number during posting, so that the system can detect a second posting of the same invoice) were not installed, or existing processes were not used.
Invoices with price differences were not automatically blocked in the system, or the limits for automatically blocking invoices with price differences were not set in the system.
Invoices blocked due to price differences were not released according to the dual review principle.
Bank data were not entered into the IT system based on original supplier documents.
Vendor master data for suppliers with regular payments were not created; invoices were posted to collective accounts (CpD).
Postings on CpD were not checked according to the dual review principle.
Although vendor master data was available, invoices were posted to CpD accounts.
There was no guideline regarding handling of CpD accounts.
Vendor accounts without movements were not blocked.
Signature specimens were not available for invoice verification.
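As an added illustration of the double-payment control asked for above (not part of the audit document, and not code from any Bosch system): a duplicate-invoice check over an accounts-payable posting export. The export format (document;vendor;invoice number;invoice date;amount), the field names and the sample rows are constructed assumptions. The point it demonstrates is that recording the invoice number at posting time only helps if the check normalises the number, looks for re-postings under a different number, and also flags postings that carry no invoice number at all:

```python
"""Duplicate-invoice check over an accounts-payable posting export.

Added example, not part of the audit document. The export format
(one posting per line: document;vendor;invoice number;invoice date;amount),
the field names and the sample rows are assumptions constructed for the
illustration. The invoice number is normalised before comparison because
the same invoice is often re-entered with different punctuation or case,
which defeats a naive exact-match duplicate check.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Posting:
    doc: str         # accounting document number
    vendor: str      # vendor account number
    invoice_no: str  # invoice number as entered by the clerk
    inv_date: str    # invoice date as posted (ISO format)
    amount: Decimal


# Constructed sample export. 1000004 re-posts the invoice of 1000001 with
# different punctuation; 1000005 repeats 1000002 exactly; 1000006 was
# posted without any invoice number; 1000007 carries a different number
# but the same vendor, date and amount as 1000003.
SAMPLE_EXPORT = """\
1000001;4711;INV-2023-0815;2023-08-15;1250.00
1000002;4711;INV-2023-0816;2023-08-16;300.00
1000003;4712;RE 77/23;2023-08-16;980.50
1000004;4711;inv 2023 0815;2023-08-17;1250.00
1000005;4711;INV-2023-0816;2023-09-01;300.00
1000006;4713;;2023-09-02;45.00
1000007;4712;RE 78/23;2023-08-16;980.50
"""


def normalise_invoice_no(raw: str) -> str:
    """Collapse case, whitespace and punctuation so that 'INV-2023-0815'
    and 'inv 2023 0815' compare equal."""
    return re.sub(r"[^0-9a-z]", "", raw.lower())


def parse_export(text: str) -> list:
    postings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        doc, vendor, inv, inv_date, amount = line.split(";")
        postings.append(Posting(doc, vendor, inv, inv_date, Decimal(amount)))
    return postings


def find_duplicates(postings: list) -> dict:
    """Classify postings into three findings.

    exact:   same vendor and (normalised) invoice number, i.e. the same
             invoice posted twice and therefore paid twice.
    suspect: same vendor, invoice date and amount under different invoice
             numbers; needs manual review rather than automatic blocking.
    missing: posted without an invoice number, so no duplicate check can
             cover them at all.
    """
    by_number = defaultdict(list)
    by_amount = defaultdict(list)
    missing = []
    for p in postings:
        key_no = normalise_invoice_no(p.invoice_no)
        if not key_no:
            missing.append(p.doc)
            continue
        by_number[(p.vendor, key_no)].append(p.doc)
        by_amount[(p.vendor, p.inv_date, p.amount)].append((p.doc, key_no))

    exact = {k: docs for k, docs in by_number.items() if len(docs) > 1}
    suspect = {}
    for key, entries in by_amount.items():
        numbers = {n for _, n in entries}
        if len(numbers) > 1:  # several invoice numbers, same vendor/date/amount
            suspect[key] = [d for d, _ in entries]
    return {"exact": exact, "suspect": suspect, "missing": missing}


def run_check(text: str = SAMPLE_EXPORT) -> dict:
    return find_duplicates(parse_export(text))


if __name__ == "__main__":
    result = run_check()
    for (vendor, inv), docs in sorted(result["exact"].items()):
        print(f"duplicate: vendor {vendor}, invoice {inv}: {', '.join(docs)}")
    for (vendor, day, amt), docs in sorted(result["suspect"].items()):
        print(f"review: vendor {vendor}, {day}, {amt}: {', '.join(docs)}")
    print("posted without invoice number:", ", ".join(result["missing"]) or "none")
```

The three result sets map to different actions: exact matches are blocked before payment, suspects go to invoice verification for a second look, and postings without an invoice number are returned to the clerk, because they are invisible to any automated duplicate check.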
2.1.3
2.1.4 Fixed Assets
Incorrect depreciation rates were used, or MAE were not depreciated at all.
Asset disposals were not properly approved, not posted or not properly documented.
2.1.5 Balancing
Assets and stock were not considered in the balance sheet.
2.2 Finance
2.2.1 Banks
Bank accounts were not reconciled monthly.
The number of bank connections was not restricted to a minimum.
Bank authorization was granted to two employees without power of attorney; the required approval by the responsible LD was missing.
The list of authorized signatories for banks was not updated.
Signature stamps were used; thus, signatures could be duplicated.
A separation of authorizations into A and B authorizations did not exist.
The number of authorized signatories was not kept to a minimum; bank authorizations were too extensive (e.g. raising of credits).
Bank confirmations of authorized signatories did not exist.
The communication to C/FI regarding bank connections and bank accounts was incomplete or incorrect; the approval for the opening of new bank accounts was missing.
2.2.2 Payment Transactions
Payment instructions were sent to the bank by unencrypted fax or on unprotected disk.
Inter-company settlements by netting were possible but not used.
Payment instructions were issued without appropriate documentation or controls.
Direct debit payments were conducted without the required approvals.
Reconciliation of account balances between bank accounts and general ledger accounts was not carried out or was insufficient (e.g. frequency).
Payments were carried out by check or bank draft although bank transfers were possible.
Check handling was not conducted in compliance with proper business practices (blank signatures, insufficient tracing of the check inventory, checks sent to employees without adequate controls, insecure safekeeping of the check portfolio).
2.2.3
A check of the payment file was not performed. The payment file did not contain check sums, or, where check sums were available, they were not verified process-independently (i.e. by someone other than the person who prepared the file).
The release of payments was not in line with the dual review principle, or the checks were not documented comprehensibly.
2.2.4 Petty Cash
A site specific procedure did not exist.
Cashier or substitutes were not named.
Payments were approved or paid by the recipient.
Petty cash checks were not conducted or not conducted properly.
Receipt forms did not exist or were incomplete.
The cashier had posting rights for the petty cash account in the ERP system; process-independent checks were not conducted.
The amount in the petty cash was too high or not adequately insured.
No updated signature specimen list of authorized persons was available at the cash desk.
Payments were not authorized (signature rules not adhered to).
A ledger for petty cash did not exist or was not sufficient.
Petty cash transactions were not limited to the necessary minimum (e.g. travel expense advances through petty cash although cashless handling was possible).
Cash advances for employees were not posted or not followed up.
The physical count did not match the accounting records.
Petty cash transactions were not posted in a timely manner.
Petty cash box or related keys were not stored properly.
2.3 Controlling
2.3.1 Reporting
Data for MGB reporting were not calculated correctly (e.g. personnel capacity, liquidity planning).
Depreciation was calculated incorrectly, leading to an incorrect profit and loss calculation.
2.3.2 Cost Calculation
The PHEK calculation process was not correct (e.g. standard times not revised, ratio targets not included in the PHEK).
2.3.3 Transfer Prices
Framework agreements for supply of goods or services between RG and GB did not exist.
Transfer prices were not agreed upon before delivery, or written transfer price agreements did not exist.
A site specific procedure regarding transfer pricing documentation did not exist.
2.3.4 Investment Calculations
Key figures were not tracked during the investment.
Required investment calculations were not conducted or were incorrect (e.g. overestimated cost-saving potential, not all relevant costs considered), or benefit analyses were not performed.
MAE approval documents were not available or incorrect.
3. Material Management
3.1 Purchasing
3.1.1 Purchasing Process
The purchasing function, especially price negotiation and supplier selection, was performed by the requesting departments instead of the purchasing department.
Alternative quotations were not obtained; inquiries were not documented sufficiently.
Purchasing decisions were not documented.
POs were not created in the IT system, were issued without price information, or were changed after issuance without authorization.
Purchase requests or POs were issued after the service had been rendered.
There were no requests for quotation for services in more than five years.
Make-or-buy assessments were not conducted; inquiries for standard capabilities were not conducted consistently.
Quotations were not comparable (e.g. inquiries without specifications).
Estimated prices were used improperly (e.g. for EZRS) in purchase orders.
Market inquiries were only conducted for new components. Market evaluations were not performed systematically.
Hardware and software were not purchased in adherence to CI/PUR guidelines.
For scrap and recyclable materials no inquiries were conducted; the order decision was not comprehensible.
3.1.2
3.1.3 Supplier Monitoring
Supplier monitoring was not conducted.
3.1.4
3.1.5 Others
Employees of PUR without appropriate power of attorney signed purchasing contracts.
Supplier assessments were not conducted regularly, completely or frequently enough.
Statements for purchasing cards were not authorized correctly (e.g. missing supporting documents, signature regulation not adhered to). Unauthorized purchases were made (e.g. meals, computer equipment). The purchases permitted for card holders were not defined.
3.2 Logistics
3.2.1
3.2.2 Customer Orders
A regulation for approval of free of charge deliveries did not exist.
There was only one inventory target for all EZRS, or different material groups or values (ABC) were not considered.
The key figure "Delivery Time to Customer" was insufficient; actions to improve the figure were not defined.
3.2.3 Transportation
Reasons for special deliveries were not analyzed; actions to reduce the number of special deliveries were not defined.
Costs for special deliveries were not tracked or not analyzed.
Costs for special transports were not charged to the supplier.
3.2.4 Stock Taking
Too many employees had the authorization to book inventory discrepancies.
Stock taking was not performed or not performed completely.
Local cycle counting guidelines did not exist or were not comprehensive.
Inventory discrepancies were not analyzed sufficiently.
3.2.5 Warehousing
Picking and packaging areas were not separated sufficiently.
The number of "non-moving parts" within the warehouse was too high; actions to reduce this number were not defined or not sufficient.
Access to warehouses was not secured or not regulated.
User authorizations for posting inventory movements (including scrap and inventory discrepancies) were granted too extensively or granted to externals.
Inventory management was not based on storage locations.
In our spot check, we identified (high) inventory discrepancies.
Warehousing was not adequate.
3.2.6 Scrapping
Prices for the disposal of raw material (e.g. copper) were not updated.
Approval for scrapping was missing.
The possibility of selling scrap was not examined.
The approval process for scrapping was not defined.
Reasons for scrapping were not analyzed.
Physical scrapping was not conducted in time or not at all.
Scrap material was not weighed when delivered to the service provider; thus, credit notes from the service provider cannot be verified.
4. Sales
4.1 Administration
4.1.1
4.1.2 Quotation Process
Purchase order confirmations were not submitted after receiving the award (target agreement, LOI) and purchase orders from the customer.
RB general terms and conditions were not referenced, and liability risks were not excluded.
4.1.3 Credit Notes
Credit notes were not analyzed regarding number and reason. Measures to reduce the number of credit notes were not taken.
Credit notes were issued without prior approval by authorized employees, or the dual review principle was not adhered to.
4.2
4.2.1 Credit Limits
A regular monitoring of credit limits was not performed.
Credit limits were not calculated according to central requirements (e.g. credit limits too high, not up to date).
Commercial reports on the creditworthiness of customers were not obtained.
The authorization process for credit limits was not defined.
Too many employees had authorization to unblock customer accounts with exceeded credit limits.
4.2.2 Dunning Process
Follow-up on accounts with overdue amounts was not conducted.
4.3
5.1 Administration
5.2 Payroll Processing
Employees could create personnel master data, enter salary data and generate the payment file at the same time; thus, there was no separation of functions.
Payroll processing was conducted by one employee completely in Excel; process-independent checks were not carried out. Thus, there was no separation of functions.
Employees of the HR department were able to change their own personnel data in the IT system.
Review of severance calculations was not according to the dual review principle.
HR did not perform spot checks on payroll data processed by the external service provider. A change report was not provided.
The payment file for wages and salaries could be altered before payment release (e.g. the payment file was stored on a non-secure server or disk and was not protected accordingly).
Changes in personnel master data were not documented and checked sufficiently.
The check of the payment list before payment was incomplete, or the unblocking of the payment list was not organized according to the dual review principle.
Grouping, continuing payments and salary data were entered incorrectly into the payroll system, or data could not be explained.
Housing allowances were paid exempt from tax and social security without proof.
Written contracts for expatriates did not exist. Salary amounts were not traceable.
A terminated employee still received salary payments.
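An added example, not part of the audit document or of any payroll or banking system, illustrating the payment file checks called for under 2.2.3 above (check sums verified process-independently) together with the altered-payroll-file finding in this section. The file format (beneficiary;IBAN;amount), the employee ids, the IBANs and the function names are constructed assumptions. It shows why a record count and an amount total are not enough on their own, and why the comparison must be made against a record held by the approver rather than against anything that travels with the file:

```python
"""Process-independent check of a payment file before release.

Added example, not part of the audit document. The file format (one
payment per line: beneficiary;IBAN;amount), the names and the sample rows
are assumptions constructed for the illustration. The approver records
control totals and a digest of the file at approval; the releasing
function recomputes them from the file it is about to transmit. A file
changed in between, whether on an unprotected server or by the preparer,
no longer matches.
"""
import hashlib
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    total_amount: Decimal
    digest: str  # SHA-256 of the exact bytes that were approved


def control_totals(payment_file: bytes) -> ControlTotals:
    """Compute record count, amount total and digest of a payment file.

    Count and total are the classic control totals compared against the
    approved payment list; the digest additionally catches changes that
    leave both unchanged, e.g. money moved between beneficiaries or an
    IBAN swapped for another one.
    """
    count = 0
    total = Decimal("0")
    for line in payment_file.decode("utf-8").splitlines():
        if not line.strip():
            continue
        _beneficiary, _iban, amount = line.split(";")
        count += 1
        total += Decimal(amount)
    return ControlTotals(count, total, hashlib.sha256(payment_file).hexdigest())


def verify_before_release(payment_file: bytes, approved: ControlTotals) -> list:
    """Return the discrepancies found; an empty list means the file may be released.

    `approved` must come from the approver's own record, not from the file
    or from the person who prepared it, otherwise the check is not
    process-independent.
    """
    actual = control_totals(payment_file)
    problems = []
    if actual.record_count != approved.record_count:
        problems.append(f"record count {actual.record_count} != approved {approved.record_count}")
    if actual.total_amount != approved.total_amount:
        problems.append(f"total {actual.total_amount} != approved {approved.total_amount}")
    if actual.digest != approved.digest:
        problems.append("file content differs from the approved version")
    return problems


# Constructed sample payroll file as produced by the payroll system.
# Employee ids and IBANs are invented.
APPROVED_FILE = b"""\
E1001;DE89370400440532013000;2500.00
E1002;DE02120300000000202051;3100.00
E1003;DE27100777770209299700;1980.00
"""


def demo() -> dict:
    """Run the release check against the approved file and three tampered copies."""
    approved = control_totals(APPROVED_FILE)  # recorded by the approver at approval

    # 1: one amount raised after approval (count unchanged, total and digest differ)
    raised = APPROVED_FILE.replace(b"2500.00", b"5200.00")
    # 2: total preserved, 500.00 moved from E1003 to E1002 (only the digest differs)
    moved = APPROVED_FILE.replace(b"3100.00", b"3600.00").replace(b"1980.00", b"1480.00")
    # 3: IBAN of E1003 swapped, amounts untouched (only the digest differs)
    swapped = APPROVED_FILE.replace(b"DE27100777770209299700", b"DE75512108001245126199")

    return {
        "unchanged": verify_before_release(APPROVED_FILE, approved),
        "raised": verify_before_release(raised, approved),
        "moved": verify_before_release(moved, approved),
        "swapped": verify_before_release(swapped, approved),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {'release OK' if not problems else '; '.join(problems)}")
```

The approver's record has to be stored where the preparer cannot change it (a signed release form, or a separate system the preparer has no write access to); the digest is taken over the raw bytes that will be transmitted, not over a parsed or re-exported copy, because the bank processes the bytes, not the interpretation.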
5.3 Data Protection
For the payroll system, neither an authorization concept nor a security concept existed.
All employees connected to the BCN could access the drive where personnel data were retained.
Payroll data files were stored on local hard disks; neither data encryption nor a hard disk password was in place.
Employees processing personnel-related data did not sign the required declaration of obligation.
Confidentiality agreements for externals with access to Bosch information had not been concluded.
Payroll was handled by an EDL; no contracts existed, the respective EDL employees and their authorizations were not defined, and no confidentiality agreements existed.
Payments were posted as costs to a collective vendor account stating the name of the employee to whom the amount was paid. Thus, personal data were accessible to employees outside HR.
5.4 Temporary Employment
Within the purchasing process for external service providers, the G13 Central Directive "Fremdvergabe von Arbeiten" (outsourcing of work) was not adhered to.
Contracts with service providers for temporary employees were missing or incomplete.
Some necessary documents for leased personnel were missing (e.g. individual contracts, work permits).
Briefing of leased personnel on work safety was not conducted or not documented.
Confidentiality agreements for leased employees did not exist.
5.5 Signature Regulations
Externally binding correspondence carried one signature or none. The respective approvals by LD or G did not exist. Approvals at the appropriate level were not obtained.
The signature list was not complete, not available or not updated. Specimen signatures of authorized employees were not available.
Existing signature regulations were incomplete, signature regulations did not exist, or internal signature rules were not in accordance with the respective directives (e.g. RB/GF 110).
The statement "This document is legally valid without a signature" was missing where the signature was waived.
Internal signature rules were not adhered to (e.g. unauthorized signatories, exceeded limits).
The registration in the Commercial Register was not updated.
5.6 Others
Employees exceeded the maximum working hours per day.
Personnel performance appraisals were not conducted, not conducted on a yearly basis, only conducted for managers, or not filled in or signed accordingly.
Employees were at the same time suppliers, without approval from management; in some cases, these employees were also involved in the procurement process.
6. Export Control
The ZR/ZE Central Directive of June 9, 2004, "Control of Export and Technical Assistance with Reference to Foreign Countries", was not adhered to (e.g. no respective guideline, no documentation, Ez not classified regarding mandatory approval).
7. Quality Management
7.1
7.1.1
7.1.2 Keeping Records
Traceability for performed product audits did not exist.
Work instructions were not regularly reviewed or updated.
7.1.3
7.1.4 Concessions
The form used did not comply with the CDQ; relevant data (e.g. cause, effect, risk assessment, documentation of measures) were missing.
Concessions had expired, were repeatedly prolonged, were issued multiple times, or were closed without corrective actions being taken (especially for drawing changes).
Concessions were partly incomplete or not approved properly (e.g. repeated concessions, approval not by management).
Concessions were issued after changes or special treatment had already been introduced.
Tracking of concessions and their respective action items was not performed.
7.1.5
7.1.6 Engineering Changes
Changes were made without the necessary customer approval.
7.1.7 Quality Complaints
Protective measures against possible harm to customers were not extended to all products in the supply chain (e.g. Eastern Europe).
7.2
7.2.1 Quality Assessments
7.2.2 FMEA
FMEA was performed incompletely (e.g. missing risk priority number (RPN) and measures).
FMEAs were not updated or were updated insufficiently (e.g. in case of new defects, additional components and process changes).
FMEA ratings were inconsistent (e.g. for the same failure effect).
Not all required persons were involved in FMEA conduction.
Required signatures were missing.
Measures had not been defined although the RPN was greater than the threshold.
Measures were not implemented on schedule or documentation was not updated.
Requirements for FMEA were not met.
7.2.3 8D Method
The 8D method for working on detected failures was not applied adequately (e.g. no risk analysis, incomplete failure analysis in 8D reports, 8D reports not signed).
8D reports were not concluded in a timely manner.
Corrective actions were not introduced; no preventive actions to avoid the recurrence of defects were established.
8D reports were not issued.
Customer agreement was not requested.
8D reports were not in IQIS, or there was no customer-independent RB documentation.
7.2.4 Statistics
Quality control charts were used incorrectly; control limits were missing or wrong.
Measurement values were outside control limits or tolerances and no measures were initiated.
Samples were not taken after events such as tool changes. Actions and events such as tool changes or machine breakdowns were not documented.
Capability studies were not conducted; the number of measured parts was too low.
Capability values were not sufficient.
8. Technical Functions
8.1
8.2 Maintenance
Maintenance costs were not followed up by machine.
Preventive maintenance was not conducted in a timely manner.
8.3 MAE Acceptance
For new MAE or after reconstruction or relocation, acceptances were not performed.
A procedure for safety release of MAE did not exist.
Measure processing was not executed consistently; final acceptances were not executed or not documented.
HSE was not involved in the planning and approval process for new MAE.
A regular inspection of safety related MAE was not performed.
Freely accessible electrical cabinets were either unlocked or open.
Safety acceptance has been given despite considerable safety deficiencies at MAE.
MAE safety releases were not conducted.
A plan to release existing MAE was not available.
Risk assessments were not conducted or not updated.
Acceptance check reports were not filled in completely.
MAE were not labelled with inspection tags.
8.4
For non-capable machines, the tolerances for which capability could be achieved were not calculated; analyses of the effects on the product were not conducted.
Findings from the process development of the prototype construction were not transferred sufficiently into the processes of series manufacturing.
8.5 Industrial Engineering
8.5.1 Wage System
The sum of VT and additional salary parts for payment led to a stable performance efficiency over several months.
Wide variance of performance efficiency without systematic analysis of the reasons.
Unrealistically high additional salary parts were planned and used.
Elements of bonus salaries did not correspond with the actually determined values.
Determination of bonus salaries was not correct or not reproducibly documented.
8.5.2
9.1
9.2
10. Project Management
10.1
10.2 Economic Efficiency
Assignment of project cost was incomplete or not project specific.
Project costs were not tracked adequately (e.g. no tracking of cost elements).
An approval procedure for exceeded project budget was missing.
11. Production
11.1 ESD Protection
Employees were not trained for ESD, or the annual repetition was not carried out.
Forbidden materials (e.g. plastic film, bottles) were within the ESD Protected Area (EPA).
Signposting of ESD protected areas was not sufficient; access to the ESD protected area was possible without an ESD check (e.g. employees, internal or external service providers).
ESD release or the annual check of MAE or items of minor value was not carried out or not documented.
Defined personal ESD protection (e.g. wrist straps) was not used or was used incorrectly.
Measuring devices for ESD checks were not available, were inadequate, or were not used daily with documentation.
Measurement of floor resistance was not carried out according to RB Standard N55, or the certificate was not available.
MAE were not grounded or not properly grounded (e.g. trolleys, rework benches).
An ESD coordinator was not appointed.
Visitors neither received protection nor were informed about adequate behaviour within the EPA.
Handling or storage of ESD-critical components was performed without protective measures.
Aids for material handling did not conform to RB Standard N55.
Electrostatic dissipation (resistance) was not within the required limits.
No ESD audits were conducted, or internal audits did not cover ESD-relevant items.
Information to customers regarding product-related ESD issues was not documented.
11.2 Quality Inspections
Products were approved with parameters out of specification. Scales had inappropriate precision.
Material destined for quality inspection was stored in the incoming area without being marked sufficiently.
Regular checks of inspection equipment by means of adjusting pieces before each shift were not performed.
Quality checks were not performed or only partly performed. An inspection plan did not exist.
Components which did not pass tests in production were not marked and not clearly separated.
The sample size did not consider the lot size and the long-term quality performance; all samples were taken from the same packaging unit.
Tolerances for Q audits were estimated and not released by management.
11.3
11.4 Wages
Performance efficiency was not calculated correctly.
Reasons for additional wages were not documented, or not documented reproducibly.
Differences between calculated and charged bonus salaries were not documented, or not documented reproducibly.
12.
12.1 Organization
HSE did not report directly to plant management.
An employee responsible for the preparation and practical implementation of fire safety and fire prevention, or for work safety and environmental protection, was not appointed.
12.2 Work Safety
Plant safety tours were not conducted.
Measures and corrective actions for work safety were not defined or not tracked.
Initial safety trainings were not conducted or not documented.
Electrical safety checks were not conducted or overdue.
Forklifts were not secured against unauthorized use.
Gas bottles were not protected against toppling.
Safety instructions were not available at workplaces; a workplace-related instruction was not conducted.
Access to critical areas was not limited or the limitation was not adhered to.
Maximum loading capacity of shelves was unknown or not signposted.
Electrical cabinets were unlocked, open or not accessible.
Regular inspections of fork lifts, cranes, hoisting devices or ladders were not conducted.
Pallets were kept in gangways or stored in an upright position.
First aid equipment was not available or incomplete, or the validity of its contents had expired.
One employee was working alone without a dead man's switch.
Protection equipment was not available or not in use.
12.3 MAE Releases
MAE were not released by HSE after purchase, retrofit or relocation.
Vetting of MAE was missing.
Safety inspections were not performed.
Risk analyses were not performed or were not sufficient.
HSE was not involved in the purchase and release process.
12.5 Hazardous Substances
12.5.1 Administration
The required release process for hazardous substances (e.g. avoidance examination, permission of use) was not adhered to.
Lists of hazardous material in use were incomplete or not up to date.
12.5.2 Storage
Hazardous substances were stored jointly with oxidizing materials.
HS were not protected against unauthorized access.
Hazardous substances were stored or disposed of improperly.
Hazardous substances were not labelled.
The maximum quantity kept at workstations was not defined or exceeded the defined limits.
The maximum storage time of HS had expired.
Spill containment did not exist.
Signposting did not exist.
12.5.3 Handling of Hazardous Substances
Material safety data sheets were not available or not up to date.
No systematic hazard determination was established.
Training of employees handling hazardous substances was not carried out.
Hazardous substances (e.g. highly toxic ones) were handed out without restrictions.
13. Plant Security
13.1 Plant Protection
Responsibility for plant security was not defined, no security service was installed, there was no security organization, no security concept, or no annual security report was available.
Insufficient capacity of guards, presence of guards on duty not according to specification, or plant security duties not performed full time (24 hours per day).
No or insufficient specification of services for outsourced plant security, outdated instructions, insufficient checks of contract fulfilment, or no certificates of competence for the employees.
Instructions for carrying out plant security services were not available at the operating unit or were incomplete.
Patrols were not performed at the required frequency.
Regular checks of the daily reports of security tours performed by external security service providers were not conducted.
The key box in the guard house was not secured against unauthorized access.
13.2 Access Control
Badges did not exist.
Administration of badges was insufficient (too many badges issued, access time not limited, badges not assigned to existing names, no deactivation of missing or collected badges, or no collection of temporary badges).
The system for assigning badge authorizations was not protected by a password, the password was not changed regularly, or data backups were not available.
The burglar alarm system (BAS) was defective, not activated or not connected to a monitoring station; there was no overview of active and deactivated BAS codes, no documentation of the assignment or cancellation of codes to employees, or the password was openly accessible.
13.3 Internal Security
Undetected entry by unauthorized third parties into sensitive areas such as storage or server rooms was possible during working hours.
Externals could stay on site longer than required and after working hours.
Notebooks and other mobile equipment were not protected against theft.
A site security concept did not exist.
13.4 External Security
Surveillance equipment was defective or switched off (e.g. camera, VCR), the number of monitors was not sufficient, there was no video recording, or the retention period of surveillance recordings was too short.
Fencing of the factory was not sufficient (e.g. fence too low or damaged, fence with sizable gaps, fence covered by vegetation, no protection against climbing over, or a dilapidated building as boundary).
Protection against burglary for buildings at the edge of the site was not sufficient.
Security services such as patrols, inspection of fences and doors for defects, or recording of defects were not conducted or were insufficient, or the reaction to alarms was not sufficient.
13.5 Locking System
No or insufficient key management (e.g. number of available keys, including master keys, unknown or not in accordance with the records; facility keys stored in unlocked cupboards; keys partly missing; no central locking system; system not updated; no inventory of keys).
14. Information Technology
14.1 User Authorizations
The installed user authorization concepts were insufficient (e.g. no overview of employees' authorizations).
Approval of user authorizations was given by unauthorized persons (Master of the Data not involved); assignment and changes of authorizations were not documented.
A history of users and authorizations was not available.
User authorizations were not adjusted when employees transferred to a new assignment or left the company.
Critical administrative user authorizations (CAA) were not reduced to the necessary minimum, were not approved by the SAP System Owner, or approvals had expired after their one-year validity.
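An added example, not part of the audit document and not SAP's own tooling, showing a segregation-of-duties and stale-assignment review over a role-assignment export. It covers the findings above (authorizations not adjusted on transfer or leaving, approvals past their validity) together with the missing separation of functions described under Accounts Payable (vendor master data versus invoice posting and payment release) and Payroll Processing (personnel master data, salary entry and payment file generation). The role names, the capability mapping, the conflict matrix, the export format (user;role;valid_to), the HR status list and the review date are constructed assumptions:

```python
"""Segregation-of-duties and stale-assignment review over an ERP role export.

Added example, not part of the audit document. Role names, capability
mapping, conflict matrix, export format (user;role;valid_to), HR status
list and review date are assumptions constructed for the illustration; in
an SAP landscape the equivalent inputs are the user/role assignment export
and the conflict matrix maintained by the system owner.
"""
from datetime import date

# Pairs of capabilities that one person must not hold at the same time.
CONFLICTS = {
    frozenset({"VENDOR_MASTER_MAINTAIN", "PAYMENT_RELEASE"}),
    frozenset({"VENDOR_MASTER_MAINTAIN", "INVOICE_POST"}),
    frozenset({"PERSONNEL_MASTER_MAINTAIN", "SALARY_DATA_ENTER"}),
    frozenset({"PERSONNEL_MASTER_MAINTAIN", "PAYROLL_FILE_GENERATE"}),
    frozenset({"SALARY_DATA_ENTER", "PAYROLL_FILE_GENERATE"}),
}

# Roles bundle capabilities. Checking on capabilities rather than on role
# names also catches a single role that is toxic on its own (Z_PAYROLL_ALL).
ROLE_CAPABILITIES = {
    "Z_AP_CLERK": {"INVOICE_POST"},
    "Z_AP_MASTER": {"VENDOR_MASTER_MAINTAIN"},
    "Z_TREASURY": {"PAYMENT_RELEASE"},
    "Z_HR_ADMIN": {"PERSONNEL_MASTER_MAINTAIN"},
    "Z_PAYROLL_ALL": {"SALARY_DATA_ENTER", "PAYROLL_FILE_GENERATE"},
    "Z_DISPLAY": set(),
}

# Constructed export: user;role;valid_to (ISO date, empty = unlimited).
ASSIGNMENT_EXPORT = """\
mueller;Z_AP_CLERK;
mueller;Z_AP_MASTER;
schmidt;Z_TREASURY;2023-06-30
schmidt;Z_DISPLAY;
weber;Z_HR_ADMIN;
weber;Z_PAYROLL_ALL;
fischer;Z_PAYROLL_ALL;
krause;Z_TREASURY;2024-06-30
"""

# Constructed HR status list. krause has no HR record at all (e.g. an
# external or a technical account that nobody owns).
HR_STATUS = {"mueller": "active", "schmidt": "active",
             "weber": "active", "fischer": "left"}

REVIEW_DATE = date(2024, 1, 15)  # assumed date of the review


def parse_assignments(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, role, valid_to = line.split(";")
        rows.append((user, role, date.fromisoformat(valid_to) if valid_to else None))
    return rows


def roles_by_user(rows: list) -> dict:
    out = {}
    for user, role, _ in rows:
        out.setdefault(user, set()).add(role)
    return out


def capabilities(roles: set) -> set:
    caps = set()
    for role in roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def sod_violations(rows: list) -> dict:
    """Map user -> sorted list of conflicting capability pairs the user holds."""
    out = {}
    for user, roles in roles_by_user(rows).items():
        caps = capabilities(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= caps)
        if hits:
            out[user] = hits
    return out


def stale_accounts(rows: list, hr_status: dict) -> tuple:
    """Users holding roles who have left, and users with no HR record."""
    users = roles_by_user(rows)
    left = sorted(u for u in users if hr_status.get(u) == "left")
    unknown = sorted(u for u in users if u not in hr_status)
    return left, unknown


def expired_assignments(rows: list, today: date) -> list:
    """Assignments whose approval validity has run out but that are still active."""
    return sorted((u, r) for u, r, valid_to in rows if valid_to and valid_to < today)


def run_review(export: str = ASSIGNMENT_EXPORT, hr_status: dict = HR_STATUS,
               today: date = REVIEW_DATE) -> dict:
    rows = parse_assignments(export)
    left, unknown = stale_accounts(rows, hr_status)
    return {"sod": sod_violations(rows), "left": left,
            "unknown": unknown, "expired": expired_assignments(rows, today)}


if __name__ == "__main__":
    for key, value in run_review().items():
        print(f"{key}: {value}")
```

The review is deliberately run on capabilities rather than role names: weber's conflict comes from two separate roles, while fischer's comes from a single role that should never have been built that way, and only a capability-level matrix reports both. Accounts with no HR record (krause) deserve the same attention as leavers, since nobody will trigger their removal.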
14.2 Information Security
Employees were not trained by the DSP; ISP trainings were not documented.
The IS concepts of departments were incomplete or not updated yearly.
A yearly IS self-check by the DSP was not conducted.
Measures from DSO audits or IS self-checks were not completed.
Authorizations for access to departmental and project directories, intranet pages and applications were not limited to the necessary minimum.
Security class 2 and 3 data were transmitted without encryption or stored unprotected on the network and intranet.
Screen savers were not activated or not password protected.
The assignment of protection classes for data, applications and equipment was incomplete or did not adhere to the requirements of the C/ISP standard.
The regulation for the approval of external network connections to the BCN (e.g. involvement of the ISP, G approval) was not completely adhered to.
Password settings (e.g. length, change intervals) were not in accordance with the C/ISP Standard "Password and Login Rules".
Network login IDs and passwords were not secured (e.g. taped to the computer); authorization forms for network group accounts did not exist.
The scrapping or return of IT components did not adhere to the ISP Standards.
Emergency concepts did not adhere to the C/ISP Standards.
Laptop computers remained unlocked on desks during absence or after working hours.
Declarations of obligation were not handled sufficiently (e.g. not existing, not reviewed annually, not signed or not signed in a timely manner).
Personal data storage did not adhere to C/ISP regulations.
Non-standard software, not approved by CI, was installed on shared drives.
14.3
IP rooms were signposted as "Computer" rooms. Escape routes and safety passages were not signposted.
Annual self-check audits were not conducted.
Training regarding safety measures for automatic gas-based fire extinguishing systems was not conducted.
15