
Assurance (Audits)

Internal Audit is the process of assessing and evaluating the adequacy of the security and privacy controls for internal systems, customer deliveries, and TechM-managed platforms and services. This process helps in closing or minimizing the privacy and cyber security risks associated with TechM or customer delivery while providing IT/BPO services to Tech Mahindra or its customers.

The audit covers all delivery accounts, internal functions, applicable internal projects, platforms and suppliers. Delivery accounts may have access to Tech Mahindra assets or environments, work in customer environments, or outsource work to supplier environments. The audit process identifies, assesses, recommends remediation for, and monitors security or privacy compliance risks (inadequate or missing controls) in customer engagements.

This unit will provide us with an unbiased report on how successful ISG is in ensuring compliance across the organization, and on the level of adherence within the various functions.

  • To be independent and therefore have auditors which work exclusively on audit.
  • To enlist auditors with a sound domain understanding of emerging risks such as cloud security and data privacy.
  • To rely on the technical team for technical assistance and audit support.
  • To be able to enlist external audit help from other units (internal to ISG and ESRM/ QWay / Delivery) as needed.
  • Auditors will not be dedicated to SBU projects/accounts; a rotation policy will have to be followed.
  • Auditors will travel from a regional base location to smaller locations as per the audit schedule.

Audit Process

The ISG Assurance audit process strategy is based on external and internal business risks and client contractual requirements.

The audit covers the functions, accounts and projects within Tech Mahindra under organizational units such as Delivery, Support, Competencies and Sales.

Accounts/projects are audited based on their category (A/B/C), criticality and spread at a location. Location Security Managers schedule the audits as per the frequency defined in the strategy section. Directions from IDU/IBU/account management are also considered while planning the audit.


1. Plan Audit
  • Annual audit planner is prepared.
  • Every month, the planned audit account details are communicated to the IBU head and relevant stakeholders.
  • Any change in the plan is communicated to the stakeholders accordingly.
2. Schedule Audit meet
  • The auditor selects the applicable accounts for the respective month and schedules them in PRISM.
  • An auto-generated audit schedule mail is sent to the auditee.
3. Conduct Audit
  • The auditor will use a defined audit process methodology, tools (QSPACE) and templates for conducting the audit and reporting its findings.
  • The audit team will use account and project assessment workbooks for audits, including the MSA checklist.
  • Auditor and auditee will meet for the audit discussion. The auditee shares the evidence requested by the auditor.
4. Report Submission
  • The auditor will discuss the findings and recommendations with the auditee and obtain concurrence.
  • The final report is prepared and submitted in the system by the auditor. The auditee will be able to view the final report in Audit PRISM.
  • Audit scorecards are available in the BI tool for stakeholders to check the overall compliance status.


1. Action plan submission
  • The auditee must update the action plan in PRISM for the auditor's review.
  • The auditor will either accept or reject the plan. If the submitted plan is rejected, the auditee must update the action plan again after discussion with the auditor.
2. Resolution comments
  • The auditee must update the resolution comments and evidence in PRISM for the auditor's review.
  • The auditor will either accept or reject the resolution. If the submitted resolution is rejected, the auditee must update it again after discussion with the auditor.
3. Closure of NC
  • The auditor will update the closure comments and close the NC in the system.

Audit FAQs

You may drop a mail to ISG Assurance Leads: ISGAssuranceLeads@TechMahindra.com

You may refer to Internal Security and Business Continuity Audit Procedure ISG-PR009.

This document provides clear information about the various categories of accounts, the frequency of audits, the domains covered, and all other details about the Internal Audit.

PMs can refer to the Procedure for Information Security in Projects (ISG-PR014). This document lists the documents that need to be maintained for audit purposes.

Yes. Simultaneous audits might be scheduled and conducted. These will include physical security of the ODC and compliance with other location-specific requirements.

All accounts are segregated into categories A, B, C and Z depending on their head count/project count.

  • If an account falls under Category A, the audit is conducted once every quarter.
  • If an account falls under Category B, the audit is conducted twice a year (once every six months).
  • If an account falls under Category C or Z, the audit is conducted once a year.

Category Definition

Account Category   Description
A                  Either FTE count > 200 or project count >= 30
B                  Either FTE count between 25 and 200 or project count > 5
C                  Either FTE count < 25 or project count <= 5
Z                  FTE count <= 2

The internal security audits covering the standards and management systems are reported in nine specific areas:

  • Client contractual compliances
  • Customer IP protection
  • Data privacy checks
  • Technical vulnerability
  • IT network security
  • HR security
  • Physical security
  • Business Continuity Management
  • Security awareness

You need to contact your (Cluster) ISG Compliance Manager.

If your project handles PI/SPI data, you need to complete the mandatory Privacy Impact Assessment. For further details, refer to the Data Privacy page on this site. Alternatively, you may contact the ISG Data Protection team (ISGDataProtection@TechMahindra.com).

In this situation, the system check audit, mandatory exam completion and the BCP drills scheduled for the location will be in scope. You may contact your auditor for further details when you receive the audit schedule auto-mailer.

The scope will be limited to reviewing compliance documents, logical access verification, SPHR and BCP drills.

  • TechM internal policies
  • Client contractual policies (as per MSA and SOWs)
  • Compliance documents
  • SPHR
  • BCP drills
  • Mandatory exam completion status
  • System checks
  • All PIDs operating from the auditable location will be considered for audit.

  • Antivirus updates on the system.
  • Windows version updates on the system.
  • Drive encryption status on laptops.
  • Information security policies.
  • Internet and admin access.

Yes. The documents have to be shared or showcased during the audit. Hence it is recommended to keep all the relevant documents in properly organized folders for reference.

In this scenario the audit scope will be minimal; basic compliance checks such as awareness, logical access revocation and customer asset return will be validated.

The table below gives an overview of the various function audits and the frequency of the audits.

You may refer to Internal Security and Business Continuity Audit Procedure ISG-PR009 for further details.

Frequency of Internal Security ISMS & BCMS Audits by function / account / project:

1. CS, TIM-Ops, RMG-BV, HR-Ops, CS-BSG, TIM-BSG, HR-BSG
   Frequency: Quarterly, or four times each FY (financial year); each location will be covered once annually.
   Remarks: Each location, or centrally as applicable.
   Audit checklist: Function Specific Audit Checklist

2. CIO, TLS, Finance, HR Comp & Ben, HR Corp., RMG, Legal, HR-PMS, Infra, Qway, Tech Procurement, Training-BSG, Qway-BSG
   Frequency: Half yearly, or twice each FY; each function will be covered once annually.
   Remarks: Centrally, or at locations as applicable.
   Audit checklist: Function Specific Audit Checklist

3. Domain specific audits (Firewall, Network, WTG, Unix, Storage, Voice, GSOC, etc.)
   Frequency: Half yearly, or twice each FY; each domain will be covered once annually.
   Remarks: Centrally, by the ISG Technical Function.
   Audit checklist: Domain Specific Audit Checklist

4. Third Party Supplier audits
   Frequency: Annually.
   Remarks: This is covered as a part of the Delivery Project Audits.
   Audit checklist: Specific Audit Checklist #

5. Delivery Projects / Account Level Audits (category definitions are decided by the Information Security Group)
   Frequency: Audit frequency for accounts: Category A, four times a year; Category B, twice a year; Category C and Z accounts, once a year. *
   Remarks: Check the table below for the project criticality definition used for selection of projects and audit methodology.
   Audit checklist: Delivery Project Audit Checklist ISG-CL 021

6. Customer Specific Audits
   Frequency: Customer-specified frequency.
   Remarks: Special case. The audit report is submitted directly to the customer by ISG or third-party auditors.
   Audit checklist: Customer Specific Checklist

7. All cloud environments, private and public (Megham, AWS, Azure, GCP etc.), across all functions and projects
   Frequency: Annual audit for all cloud-based projects in production, including platforms.
   Remarks: Non-production environments will not be part of the audit unless there is an exception, a critical requirement, or mandated security and regulatory compliance requirements.
   Audit checklist: Cloud Audit Checklist derived from ISO 27017/18 and CSA; Platform Security Audit Checklist

Yes. The rating is calculated from the NCs and displayed on the report.

Account Audit Report at a Location              Audit Report Rating
No NC                                           Very Good
Up to 1 Minor NC                                Good
2 to 3 Minor NCs                                Satisfactory
1 or more Major NCs, or 4 or more Minor NCs     Unsatisfactory


Escalation of open NCs is done through the auto-mailer facility in QSPACE.

1. After 7 days from audit report submission for an open NC
   To: Auditee / NC Resolver
   CC: Primary Auditor, Secondary Auditor, Reporting Manager
   Subject: AUDIT : Audit Report for Pending for your actions

2. After 14 days from audit report submission for an open NC
   To: Auditee / NC Resolver
   CC: Primary Auditor, Secondary Auditor, Reporting Manager, Group Head

3. After 21 days from audit report submission for an open NC
   To: Auditee / NC Resolver
   CC: Primary Auditor, Secondary Auditor, Reporting Manager, Group Head, IBU Head

4. After 30 days from audit report submission for an open NC
   To: IBG Head
   CC: Auditee, Reporting Manager, Group Head, IBU Head, Primary Auditor, Secondary Auditor
   Subject: AUDIT : Open NCs > 30 days

5. Every week thereafter
   To: IBG Head
   CC: Auditee, SPM, Group Head, IBU Head, Primary Auditor, Secondary Auditor
   Subject: AUDIT : Open NCs > …. days

Refer: Internal Security and Business Continuity Audit Procedure ISG-PR009.

No. There is no exclusion of projects from the internal audit; all accounts must undergo the audit. However, staff augmentation accounts and accounts with a low FTE count will be covered with minimal scope.

All projects are also monitored on a regular basis through the SPHR system for the status of their basic mandatory compliance documentation.

You may drop a mail to ISG Assurance Leads; we facilitate account-specific external audits such as PCI DSS, ISO 27001, data privacy audits, SOC 1 Type 2 audits and many more.

Contact DL: ISGAssuranceLeads@TechMahindra.com

For any queries related to audits, please write to the ISG Assurance team.

Audit Check List for Delivery and Functions

Support Function Process Documents

Audit Process and Training Links to DEXT

Audit Procedure
LP01143 - Internal Auditor (ISBC)
SS0656 - Internal Security Auditors Training