
Information Technology Audit of Statutory Corporation

The audit of the Maharashtra State Road Transport Corporation's e-ticketing system found several issues: 1) The system was deficient in design and lacked proper input controls and validation checks, resulting in incomplete and unreliable data capture regarding concessions and beneficiary details. 2) Due to non-capture of key operational data like bus details, routes, and pass holder information, the system could not be used for effective management information, data integration, or data mining as intended. 3) Inadequate accounting and controls over monetary transactions led to authorized booking agents retaining excess amounts beyond permissible limits.

Uploaded by

Dhruv Tibrewal

Chapter III

Information Technology Audit of Statutory Corporation

Computerisation of e-ticketing system in Maharashtra State Road Transport Corporation

Highlights

Maharashtra State Road Transport Corporation (Corporation)
incorporated in July 1961 under Section 3 of the State Road Transport
Corporations Act, 1950, is mandated to provide an efficient, adequate,
economical and properly coordinated road transport system within the
State of Maharashtra. The Information Technology (IT) Audit of
Computerisation of e-ticketing system revealed the following:
(Paragraphs 3.1)

There was deficient systems design resulting in non-capturing of data for
grant of concessions. The deficient input control and validation checks
resulted in low assurance regarding completeness and reliability of data
as observed from the tables containing details of freedom fighters, Arjuna
awardees etc.
(Paragraphs 3.9.1, 3.9.2, 3.10.4 and 3.10.5)

The system could not be used for an effective Management Information
System, data integration and data mining as envisaged in the scope of the
contract due to non-capturing of details of buses available with depots,
manual pass collection data, digitised routes and bus stops, digitisation of
data of pass holders etc.
(Paragraphs 3.8.8 and 3.11)

Inadequate accounting arrangements and control mechanism for
monetary transactions resulted in retention of amount by Authorised
Booking Agents in excess of permissible limits.
(Paragraphs 3.8.7)

Introduction

3.1 Maharashtra State Road Transport Corporation (Corporation),
incorporated in July 1961 under Section 3 of the State Road Transport
Corporations Act, 1950, is mandated to provide an efficient, adequate,
economical and properly coordinated road transport system within the State of
Maharashtra.

The Corporation had six Regional Offices (ROs), 30 Divisional Offices (DOs)
and 250 Depots in the State as on 31 March 2014. The Information
Technology (IT) needs of the Corporation are overseen by the Electronic Data
Processing (EDP) Centre at Head Office (HO), Mumbai. EDP is headed by a
Deputy General Manager who is assisted by Senior Programmers, Junior
Programmers and Data Processing Officers.

IT ticketing system

3.2 In order to facilitate online/web-based reservation system and to adopt
software technology in its day to day operations, the Corporation invited
(June 2008) Request for Proposal (RFP) from interested parties for the project
of providing, computerising, implementing and maintaining - i) Electronic
Ticket Issuing Machine (ETIM) and ii) Online Reservation System (ORS)
with web facility on Build, Operate and Transfer (BOT) basis.

The Corporation awarded (December 2008) the project to Trimax IT
Infrastructure and Services Limited, Mumbai (Trimax) on BOT basis for six
years from the date of award. The scope of the project included provisioning
of required hardware and software for:
• ETIM machines across 247 depots together with required supporting staff
during the first year of operation to enable its staff members to familiarise
with the system;
• computerised ORS with web facility at its 327[36] locations and its authorised
booking agents along with facilities to the traveling public such as payment
gateway and bus trip information;
• adequately secured Local/Wide Area Network connectivity for ETIM and
ORS with an assurance on high uptime;
• Data Centre and Disaster Recovery Centre to ensure business continuity;
and
• Necessary training to all levels of Corporation’s officials.

Further, Trimax was to provide services in data digitisation, data migration
and data mining for advanced business intelligence applications related
information system and bus trip management. Besides, Trimax was to provide
10 lakh ‘yearly re-chargeable’ smart cards at the start of the project with an
addition of 10 per cent new cards every year and a minimum guaranteed
quantity of 5 lakh ‘One time/use and throw’ smart cards every year.

The project was to be implemented in two phases viz., the pilot phase in ten
depot locations was to be completed by 18 June 2009 and rollout phase with
commercial deployment in all other locations to be completed till 8 April 2010
in three rollouts. The agreement with Trimax was executed on 22 July 2010.

As per terms of agreement, Trimax was to be paid at a unit rate of ₹ 0.21 per
ticket issued through ETIM and ORS, on which passengers actually traveled
and also on the cancelled tickets if booked through ORS, subject to an annual
minimum of 75 crore tickets. On expiry of contractual period, all the assets
including Hardware and System Software (excluding proprietary software)
were to be transferred to the Corporation at no extra cost with a guarantee for
functioning of equipment for a further period of two years. The platform
adopted by the Corporation was custom developed using open source
technology Linux-Apache-MySQL and PHP (LAMP).

[36] Includes 247 depots and 80 bus stations

The Management had not, however, framed any IT policy laying down
procedures, rules and regulations till date (December 2014) to oversee and
monitor its IT environment.

Audit objectives

3.3 The audit objectives were to ascertain whether:
• The requirements of users and other stake holders were assessed and
adequately addressed;
• The contract terms were duly adhered to and payments to the contractor
were made as per the terms of Contract;
• The general controls were adequate and system was operating in an
adequately controlled environment;
• The application controls were adequate and the system was in compliance
with laid down business rules and adequately secured from possibilities of
fraud; and
• The accounting arrangements and control mechanism for monetary
transactions were adequate.

Audit criteria

3.4 In pursuing audit objectives, audit adopted the following criteria:
• State Road Transport Corporations Act and Rules made thereunder;
• e-Governance Policy of the Government of Maharashtra (GoM);
• Terms and conditions of contract with Trimax; and
• Policy decisions, business rules etc. related to ticketing and other operating
parameters.

Scope of Audit

3.5 The scope of IT Audit included scrutiny of contract with Trimax,
evaluation of ETIM and ORS with specific reference to the security and
control measures; evaluation of operating parameters of routes and crew with
specific reference to the revenue earnings. The scope also included evaluation
of performance of authorised booking agents and payment gateway agencies
with specific reference to timely collection of revenues earned through ORS.
The period covered by Audit was from the date of implementation of the
e-ticketing system (May 2009) up to October 2014.

Audit methodology and sample selection

3.6 The objectives and scope of audit were explained to the Management
in the Entry Conference held on 18 September 2014 seeking their co-operation
in understanding the table structures and content of the soft data furnished.
For its inferences, audit relied on the detailed analysis of data pertaining to
146 locations of 12[37] DOs being the sample selected out of 320 locations from
30 DOs where ETIM and ORS were implemented (February 2014). The data
analysis was carried out through IDEA software package.

The sample selection was made by utilising Sampling Techniques. Two
Divisions each from the six[38] Regions were selected by stratifying the data in
terms of highest traffic revenue generated and highest quantum of online
reservation done in the Region.

The audit findings were discussed in an Exit Conference held on
24 December 2014 which was attended by Vice Chairman and Managing
Director of the Corporation. The views expressed by the Corporation in the
meeting/replies (December 2014) have been considered while finalising the IT
Audit Report.

Audit findings

The audit findings are discussed in the following paragraphs broadly classified
into two major headings viz., ‘Contract Management’ and ‘IT Ticketing
Database Management’.

Contract Management

3.7 In the implementation of the ETIM and ORS projects, Trimax had not
adhered to certain terms and conditions of Work Order and Master Service
Agreement (MSA) inclusive of Service Level Agreement (SLA) as discussed
below:

Advertising rights foregone


3.7.1 As per terms of MSA, Trimax was to supply ticket rolls free of cost
and the Corporation reserved its right of advertisements on the backside of the
ticket rolls to supplement its revenue. Trimax had also offered (August 2011)
₹ 0.01 per ticket for the advertisement rights but the offer was not considered
(November 2011) on the ground that it would be dealt separately. However, no
such efforts were made till date (December 2014). Considering total 417.15
crore tickets actually issued between September 2011 and October 2014, the
potential revenue thus foregone by the Corporation worked out to ₹ 4.17 crore.

The Management accepted (December 2014) the views of audit and agreed to
finalise the issue at the earliest.

[37] Aurangabad, Beed, Bhandara, Buldhana, Dhule, Kolhapur, Mumbai, Nagpur, Nasik, Pune,
Ratnagiri, and Yavatmal
[38] Amravati, Aurangabad, Mumbai, Nagpur, Nasik and Pune

Non recovery of infrastructure cost

3.7.2 As per terms of MSA and Clause 9.28.1 of RFP, Trimax was to be
provided sufficient space at each depot/bus stand by the Corporation for
preparing infrastructure work as per their needs. Trimax was to make
provision for furniture, electrical fixtures and civil work including cooling
systems for entire project. It was noticed that the Corporation provided the
infrastructure to Trimax at EDP centre and depot/bus stand. The infrastructure
provided includes furniture, electrical fixtures and civil work including
cooling systems at a cost of ₹ 2.45 crore, which was not recovered from them
till date (December 2014).

The Management stated (December 2014) that amount of ₹ 2.45 crore was
withheld from Trimax and the decision would be taken for its adjustment after
due diligence.

Violation of e-Governance policy

3.7.3 The e-Governance policy issued (September 2011) by the GoM
provided for maintaining online record of Hardware & Software Inventory
(H&SI). However, neither an online H&SI nor a physical H&SI was maintained
by the Corporation, thereby violating the directions given in the e-Governance
policy of the GoM.

The e-Governance policy also provided for constitution of a Departmental
Project Implementation Committee (PIC) for overseeing departmental
e-Governance projects with representatives from the Planning, Finance,
Industries and IT department, apart from members from the parent department.
Further, Schedule IV-Governance Schedule of the MSA directed the
appointment of Project Manager and a Core Team, which was not adhered to
by the Corporation till date (December 2014).

The Management stated (December 2014) that due care would be taken to
follow the norms of e-Governance policy issued by the GoM.

IT ticketing database management

3.8.1 The IT ticketing system in the Corporation comprises mainly two
databases i.e., ETIM with 296 tables including Radio Frequency Identification
Device (RFID) tables and ORS with 781 tables. In the absence of a data
dictionary for understanding the tables with reference to their objective,
design, contents, relation to other tables, embedded controls etc., audit relied
on the information furnished by the Corporation.

System design

3.8.2 The Corporation has also been operating its buses outside the State
under Reciprocal Transport Agreements[39] executed with the respective State
Road Transport Corporations (SRTCs) to cater to the needs of passengers.
Keeping in view its network, the Corporation has created master tables viz.,
State, Region, District, Division and Depot with required fields. Even though
the Corporation had executed inter-state agreements with eight[40] neighbouring
SRTCs, data fields for only five states were created in the table containing
ticket details in ORS database.

In the master table “District”, names of the States with codes meant for
Districts have been incorporated. Similarly, in the table “Depot”, details of
253 depots[41] as against its existing 250 depots were captured. So long as the
correct data was not captured in the correct table and correct field, the risk
of error generation remained, as did the prospect that migration to a new
system in future would incur additional cost.

The Management, while accepting (December 2014) audit contention, agreed
to review and address the issues adequately in the new contract being
finalised.

3.8.3 On scrutiny of the tables, it was observed that almost one-third of the
tables under the ETIM database and more than half of the tables under ORS
database were blank and devoid of data. It was also noticed that fields to
capture Divisionname, Divisioncode, Deponame and Depocode though
created were blank and devoid of data in most of the Master tables. The
purpose of their creation was, thus, not achieved.

The Management stated (December 2014) that in ETIM database only
required tables were synchronised from the central database and therefore there
may be a few tables in the depot ETIM database which do not have any records.
It was further stated that data fields such as division name, division code, depot
name, depot code etc. were added keeping in mind the future requirement and
currently these fields were not in use. Therefore presently these tables/fields
remained blank.

The reply was not correct as all mandatory fields were overridden and kept
blank. In the event of migration or upgradation or centralisation at a future
date, the database cannot be integrated without remedial measures at
additional cost.

3.8.4 The table created and designed to capture waybill details and lock the
date of waybill was found to be blank, and the locking date of the waybill was
being captured as a Character data field instead of a date field in a separate
table recording waybill time details. Thus, the data captured in the waybill during
the operation of bus schedules was susceptible to the risk of modification.

The Management stated (December 2014) that the process of waybill issuance
and allocation functionality was designed in such a way that ETIM can be
operated only within the schedule operation hours or within the pre-defined
locking date and there was no possibility of modification as apprehended by
audit.

The contention of the Management was not acceptable as, in the absence of
relevant data being captured in the table, the occurrence of such incidents
could not be ruled out.

[39] In the absence of any agreement between RTCs of two States for interstate operations, the
respective State Governments execute such agreements and impose the terms and conditions
on such RTCs. Revenue sharing is the major element addressed in such agreements
[40] Andhra Pradesh, Goa, Gujarat, Karnataka, Madhya Pradesh, Rajasthan, Chhattisgarh and
Dadra and Nagar Haveli
[41] Payment Gateway, Sambhaji Nagar Rank and Borivali Nancy Colony, though not depots, are
included as Depots

3.8.5 As per the policy of GoM, the Corporation has been allowing
concession in fares, with or without a limiting factor[42], to different categories
of passengers like physically handicapped, senior citizens, press reporters,
various sport and other awardees, MP/MLAs etc. The amount of concession so
allowed was periodically claimed from the State Government. In the ORS
database there was provision to capture data on documentary proof of the
passengers eligible for concession. In case of ETIM database at least one field
to capture the identity proof should have been incorporated in the TICKET
table.

The Management stated (December 2014) that capturing proof of record at the
time of ticket issuance may lead to the delay, thereby leaving scope for
de-boarding the passenger without tickets. It was also stated that the
Corporation had not evolved database of relevant ID proof for verification at
the time of issue of tickets.

The reply was not convincing as there should have been separate field for
indicating type of proof used for concessional tickets.

3.8.6 To facilitate mobile based advance booking, a table was created in ORS
database to capture personal details of passengers availing the facility for the
first time. Audit observed that out of 247 distinct users captured in the table
during audit period on the basis of their email IDs, the mobile or landline
contact numbers in respect of 204 users were not captured as the relevant field
was not defined as mandatory.

Similarly in the transaction table under ORS, the passenger name field
designed to capture the name of passengers booking in advance was blank in
54,65,107 out of 2,69,50,237 records of tickets booked through Authorised
Booking Agents (ABA).

The Management accepted (December 2014) the audit views and agreed to
take due care in this regard.

3.8.7 In the ORS database, advance bookings are allowed through
three sources viz., window booking, ABA and web-booking. While in window
booking the amount collected through sale of tickets is remitted and
accounted for on the same day, in the other two types of bookings the sale
value is received by the Corporation after the lapse of the period involved in the
process of remittance by the agents/payment gateway banks. Hence, it was
imperative that a set of transaction tables be designed within the ORS database
to depict details of the total value of tickets sold but remittances yet to be
received from those two sources so as to monitor and reconcile the actual
receipt of ticket values with ticket sales preferably before the commencement
of journey. We, however, observed that the ORS database was not designed to
capture the details of cash receipt transactions. In one instance, ABA at Parel
Depot exploited the deficient system and retained an amount of ₹ 58 lakh, out
of which ₹ 38.94 lakh was pending for recovery (December 2014) subject to
settlement of litigation raised by him.

[42] Limiting factors are put on the number of times a concession holder can travel and/or the
total kilometres of travel permitted and/or on the total amount of concession allowed

The Management while accepting the observation stated (December 2014) that
they were in the process of implementing pre-paid payment system i.e. online
wallet for booking agent by using payment gateway and this functionality
would be enabled soon.
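The transaction tables that paragraph 3.8.7 says were missing can be sketched as a small ledger that tracks sales against remittances per agent and refuses a booking once the outstanding amount would exceed the agent's credit limit, or when no limit was ever captured (the gap paragraph 3.10.9 reports in the limit column). This is an added example, not code from the report or from the Corporation's system; table names, column names and all amounts are assumptions and constructed data, with SQLite standing in for the MySQL database.

```python
import sqlite3


def build_db():
    """Hypothetical ledger tables for Authorised Booking Agents (ABA)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE agent_master (
            agent_code   TEXT PRIMARY KEY,
            credit_limit INTEGER            -- rupees; NULL = never captured
        );
        CREATE TABLE aba_sale (
            ticket_id  INTEGER PRIMARY KEY,
            agent_code TEXT NOT NULL REFERENCES agent_master(agent_code),
            fare       INTEGER NOT NULL CHECK (fare > 0)
        );
        CREATE TABLE aba_remittance (
            remit_id   INTEGER PRIMARY KEY,
            agent_code TEXT NOT NULL REFERENCES agent_master(agent_code),
            amount     INTEGER NOT NULL CHECK (amount > 0)
        );
    """)
    # Constructed sample data, not figures from the audit.
    conn.executemany("INSERT INTO agent_master VALUES (?, ?)",
                     [("A001", 50000), ("A002", 10000), ("A003", None)])
    conn.executemany("INSERT INTO aba_sale (agent_code, fare) VALUES (?, ?)",
                     [("A001", 30000), ("A001", 15000),
                      ("A002", 40000), ("A003", 8000)])
    conn.executemany(
        "INSERT INTO aba_remittance (agent_code, amount) VALUES (?, ?)",
        [("A001", 20000), ("A002", 5000)])
    return conn


def outstanding(conn):
    """Per agent: value sold, value remitted, amount still held, and status."""
    rows = conn.execute("""
        SELECT a.agent_code, a.credit_limit,
               COALESCE((SELECT SUM(fare) FROM aba_sale s
                          WHERE s.agent_code = a.agent_code), 0),
               COALESCE((SELECT SUM(amount) FROM aba_remittance r
                          WHERE r.agent_code = a.agent_code), 0)
          FROM agent_master a ORDER BY a.agent_code""").fetchall()
    report = {}
    for code, limit, sold, remitted in rows:
        due = sold - remitted
        if limit is None:
            status = "LIMIT NOT SET"
        elif due > limit:
            status = "OVER LIMIT"
        else:
            status = "OK"
        report[code] = {"sold": sold, "remitted": remitted,
                        "outstanding": due, "limit": limit, "status": status}
    return report


def record_sale(conn, agent_code, fare):
    """Book a ticket only if the agent stays within a captured credit limit."""
    position = outstanding(conn).get(agent_code)
    if position is None or position["limit"] is None:
        return False          # unknown agent, or limit never captured
    if position["outstanding"] + fare > position["limit"]:
        return False          # would hold more than the permitted amount
    with conn:
        conn.execute("INSERT INTO aba_sale (agent_code, fare) VALUES (?, ?)",
                     (agent_code, fare))
    return True


if __name__ == "__main__":
    for code, pos in outstanding(build_db()).items():
        print(code, pos)
```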

3.8.8 As per terms of MSA, Trimax should integrate both ETIM and ORS
databases within 17 weeks i.e., up to 16 April 2009 from the date of issue of
work order. By virtue of data integration, the Corporation could have reaped
the benefits of standardisation and the Conductors operating ETIM would
have got the system data on the seats booked through advance reservation for
their scheduled trips as against the procedure adopted of relying on manual
intervention by way of printed copy of details of ORS booked tickets
(WBR-Window Booking Returns). It showed that the desired data integration
was not achieved.

The Management stated (December 2014) that System Integration of ETIM
with ORS and payment gateway was done. WBR printing facility has been
provided in ORS system for checking the details about advance reserved seats
and it is up to the user to take printouts or to check the details on ETIM.

However, Audit observed that no deliverables were presented by Trimax to
notify the occurrence of system integration as contended. Further, the User
Manuals stipulated taking a print of WBR, and the option to check ORS details
in ETIM was not given.

3.8.9 Audit observed that the sale of passes and the revenue earned
therefrom, either manually or through smart cards, were not being captured in the
database by designing relevant tables to enable the Corporation to estimate the
future cash flow as also to ensure the validity of passes at the time of travel
through the system without human intervention.

The Management stated (December 2014) that the revenue through sale of
passes through EPIM was by using smart card and could be seen on the
common revenue portal of the Corporation and revenue from sale of passes
manually was accounted as per prescribed procedure. The smart cards issued
to passengers were checked by using ETIM machine whereas Manual passes
issued to passengers were physically checked by conductor on board.

The fact remained that any IT system should be ideally designed to avoid
human intervention and the Corporation may design master table to capture
the passes issued manually to passengers.

Mapping of business rules

3.9.1 Scrutiny of the table capturing ticket details in ORS database revealed
that 27,405 concession tickets under the "Freedom Fighter (FF) Quota" were
issued by ABA during audit period without capturing identity proof and
concession proof.

The Management stated (December 2014) that in the absence of specific
criterion for age validation, the seats were reserved against FF quota and the
conductor checks the identity proof of FF.

The reply was not convincing as the system shows that benefit was also given
to FF below 18 years in 146 cases which was not possible and should not have
been granted.

3.9.2 Recognition of outstanding achievement in National sports, specific
awards like Arjuna, Dronacharya etc., is given by the Ministry of Youth
Affairs and Sports, Government of India (GoI) from time to time. As per GoM
order dated 27 February 1998, such specific awardees were allowed to travel
by public road transport along with one escort free of cost and the fare would
be reimbursed by the GoM on the basis of claims from the transport operators.
Scrutiny of the table capturing ticket details under ORS database revealed that
155 tickets were issued to 75 Arjuna Awardees during audit period, of which
none of the names of awardees captured in the system tallied with the names
appearing on the website of the GoI. Unlike the FFs, such awardees were
limited in numbers and it would be possible to create their master data for
verification without manual intervention before granting the concession
whereby threat of fraud could have been minimised.

The Management accepted (December 2014) the contention of audit and
agreed to collect relevant data from the concerned sport authorities.
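The business rules that paragraphs 3.9.1 and 3.9.2 found unmapped can be expressed as one input control that is applied before a concession ticket is saved and re-run over tickets already issued. The following is an added example, not code from the report or from the Corporation's system; the table and column names, the quota codes and the minimum age of 18 (the report says only that a Freedom Fighter below 18 "was not possible") are assumptions, SQLite stands in for the MySQL database, and every row is constructed.

```python
import sqlite3

# Assumed rule values, see the lead-in above.
MIN_FF_AGE = 18
PROOF_REQUIRED = {"FF", "ARJUNA"}


def build_db():
    """In-memory stand-in for the ORS ticket table and an awardee master."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE awardee_master (name TEXT PRIMARY KEY, award TEXT NOT NULL);
        CREATE TABLE ors_ticket (
            ticket_id        INTEGER PRIMARY KEY,
            quota            TEXT NOT NULL,
            passenger_name   TEXT,
            passenger_age    INTEGER,
            id_proof         TEXT,
            concession_proof TEXT
        );
    """)
    conn.executemany("INSERT INTO awardee_master VALUES (?, ?)",
                     [("CONSTRUCTED AWARDEE ONE", "ARJUNA")])
    # Constructed sample rows, not data from the audited system.
    conn.executemany(
        "INSERT INTO ors_ticket VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "FF", "Passenger A", 82, "ID-001", "FF-CERT-001"),
            (2, "FF", "Passenger B", 12, "ID-002", "FF-CERT-002"),
            (3, "FF", "Passenger C", 79, None, ""),
            (4, "ARJUNA", "constructed awardee one", 40, "ID-004", "AW-004"),
            (5, "ARJUNA", "Passenger E", 35, "ID-005", "AW-005"),
            (6, "GENERAL", "Passenger F", 30, None, None),
        ])
    return conn


def is_blank(value):
    """NULL, empty and whitespace-only values all count as 'not captured'."""
    return value is None or not str(value).strip()


def check_ticket(conn, quota, name, age, id_proof, concession_proof):
    """Input control: return the reasons a concession booking must be refused."""
    reasons = []
    if quota in PROOF_REQUIRED:
        if is_blank(id_proof):
            reasons.append("identity proof missing")
        if is_blank(concession_proof):
            reasons.append("concession proof missing")
    if quota == "FF" and (age is None or age < MIN_FF_AGE):
        reasons.append("age below minimum for FF quota")
    if quota == "ARJUNA":
        # Verify against master data instead of trusting the typed name.
        row = conn.execute(
            "SELECT 1 FROM awardee_master WHERE award = 'ARJUNA' "
            "AND upper(trim(name)) = upper(trim(?))", (name or "",)).fetchone()
        if row is None:
            reasons.append("name not in awardee master")
    return reasons


def audit_existing(conn):
    """Re-run the same rules over issued tickets; maps ticket_id to reasons."""
    findings = {}
    rows = conn.execute(
        "SELECT ticket_id, quota, passenger_name, passenger_age, id_proof, "
        "concession_proof FROM ors_ticket ORDER BY ticket_id").fetchall()
    for ticket_id, *fields in rows:
        reasons = check_ticket(conn, *fields)
        if reasons:
            findings[ticket_id] = reasons
    return findings


if __name__ == "__main__":
    for ticket_id, reasons in audit_existing(build_db()).items():
        print(ticket_id, "; ".join(reasons))
```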

Application controls

3.10.1 Application controls are those checks and balances that are
incorporated in the developed application for maintaining data integrity. These
include input control, processing control and output control. Lack of any of
these controls would impact the integrity and reliability of the database. Some
of such lapses of control indicators observed during audit analysis are
discussed in the succeeding Paragraphs:

3.10.2 Scrutiny of the table Conductor Master revealed that 14[43] out of 146
locations test checked showed duplicate records for 22 conductors due to
failure of constraint (Not_Null) defined for the data fields.

Similarly in ETIM database, a few tables containing fields though defined
with Not_Null constraints were blank or devoid of data.

[43] Depots at Gangapur, Paithan, Soygaon, Mumbai Central, Nasik 2, Satana, Sinnar, Baramati,
Bhor, Chinchwad, Indapur, Narayangaon, Shirur and Shivajinagar

The Management stated (December 2014) that despite ‘Not_Null’ constraint,
if blank is forcefully inserted, there is a possibility of fields being devoid of
data and that care would be taken in future system implementation.
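The gap described in paragraph 3.10.2 can be reproduced with a table whose only input control is NOT NULL: that constraint rejects NULL but accepts an empty or whitespace-only string, and it does nothing about duplicate rows. The following is an added example, not the ETIM schema; the table and column names are assumptions, the rows are constructed, and SQLite stands in for the MySQL database, with the hardened variant adding a key and CHECK constraints as one possible correction.

```python
import sqlite3

# Weak variant: NOT NULL is the only control, as in the finding.
WEAK_DDL = """
CREATE TABLE conductor_master (
    badge_no   TEXT NOT NULL,
    name       TEXT NOT NULL,
    depot_code TEXT NOT NULL
)"""

# Hardened variant (an assumption of this example, not the report's design):
# a primary key stops duplicates, CHECK stops blank strings.
HARDENED_DDL = """
CREATE TABLE conductor_master (
    badge_no   TEXT NOT NULL PRIMARY KEY CHECK (trim(badge_no) <> ''),
    name       TEXT NOT NULL CHECK (trim(name) <> ''),
    depot_code TEXT NOT NULL CHECK (trim(depot_code) <> '')
)"""

# Constructed rows: valid, exact duplicate, blank strings, true NULL.
SAMPLE_ROWS = [
    ("C1001", "Conductor One", "D01"),
    ("C1001", "Conductor One", "D01"),
    ("C1002", "", "   "),
    ("C1003", None, "D02"),
]


def load(ddl, rows=SAMPLE_ROWS):
    """Create the table from ddl and try each row; report what got through."""
    conn = sqlite3.connect(":memory:")
    conn.execute(ddl)
    accepted, rejected = [], []
    for row in rows:
        try:
            with conn:  # commit on success, roll back on constraint failure
                conn.execute(
                    "INSERT INTO conductor_master VALUES (?, ?, ?)", row)
            accepted.append(row)
        except sqlite3.IntegrityError as exc:
            rejected.append((row, str(exc)))
    return conn, accepted, rejected


def data_quality(conn):
    """Detection queries an auditor can run against an existing table."""
    duplicates = conn.execute("""
        SELECT COUNT(*) FROM (SELECT badge_no FROM conductor_master
                               GROUP BY badge_no HAVING COUNT(*) > 1)
    """).fetchone()[0]
    blanks = conn.execute("""
        SELECT COUNT(*) FROM conductor_master
         WHERE trim(name) = '' OR trim(depot_code) = ''
    """).fetchone()[0]
    return {"duplicate_badges": duplicates, "blank_rows": blanks}


if __name__ == "__main__":
    for label, ddl in (("weak", WEAK_DDL), ("hardened", HARDENED_DDL)):
        conn, accepted, rejected = load(ddl)
        print(label, len(accepted), "accepted,", len(rejected), "rejected,",
              data_quality(conn))
```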

3.10.3 As per terms of MSA, Trimax was to update the system considering
changes in the situation. Accordingly Trimax updated the ETIM system from
time to time. However, Audit observed that 9,761 out of 12,072 ETIMs in
operation were still functioning in Mofussil areas with the older version.

The Management stated (December 2014) that efforts were being made to
monitor usage of updated version of ETIM.

3.10.4 Test check of columns containing ticket identification of the table
ticket at all locations revealed 1,58,80,897 missing TICKET_IDs. Missing
TICKET_ID raises doubt on the integrity and completeness of the data.

The Management stated (December 2014) that the said gaps in the ticket ID
may exist due to standard rollback feature at Relational Data Base
Management System (RDBMS) level operated to maintain the accuracy and
integrity of transaction data.

The reply was not correct as the rollback operation in an IT system was
intended to rectify a failed transaction and restore the database to a previous
state even after erroneous operations were performed.

3.10.5 In all 118.96 crore ETIM concession tickets were generated in
aggregate up to 31 March 2014 as detailed below:

| Sl. No. | CN_ID | Particulars of concession facility | 2009-10 | 2010-11 | 2011-12 | 2012-13 | 2013-14 | Total tickets |
|---|---|---|---|---|---|---|---|---|
| 1 | 0 | Null | 1,829 | 28 | 25,98,17,330 | 27,62,93,018 | 3 | 53,61,12,208 |
| 2 | 11 | Senior Citizen | 94,43,423 | 16,07,35,384 | 4,43,57,248 | 4,45,20,226 | 27,15,14,561 | 53,05,70,842 |
| 3 | 19 | Handicapped/Mentally Retarded Person | 12,33,202 | 2,32,60,516 | 59,54,661 | 66,04,372 | 3,90,53,086 | 7,61,05,837 |
| 4 | 2 | Annual Concession Card | 4,58,580 | 83,36,578 | 21,65,350 | 31,45,474 | 1,99,78,049 | 3,40,84,031 |
| 5 | 9 | Blind | 1,70,023 | 19,52,506 | 5,20,037 | 6,49,600 | 37,75,917 | 70,68,083 |
| 6 | 45 | Handicapped/Mentally Retarded Person C | 15,378 | 6,52,698 | 1,43,765 | 2,02,337 | 11,89,254 | 22,03,432 |
| 7 | 20 | Handicapped/Mentally Retarded Escort | 13,414 | 4,03,844 | 1,19,334 | 1,20,940 | 7,23,339 | 13,80,871 |
| 8 | * | 100 per cent Concession* | 1,827 | 21,783 | 11,306 | 10,032 | 71,338 | 1,16,286 |
| 9 | ** | Partial Concession** | 36,611 | 7,08,177 | 1,40,442 | 1,24,431 | 9,35,804 | 19,45,465 |
| 10 | *** | No Concession*** | 54 | 469 | 32 | 54 | 8,423 | 9,032 |
| Total | | | 1,13,74,341 | 19,60,71,983 | 31,32,29,505 | 33,16,70,484 | 33,72,49,774 | 1,18,95,96,087 |

* Includes Freedom Fighters, Arjuna Awardees, etc.
** Includes T.B. Patients, Cancer Patients, Blind, Handicapped persons, etc.
*** Includes Staff on Duty, Employee Free Pass, etc.

It was further observed that 53.61 crore tickets were categorised as concession
tickets without capturing the type of concession availed by the passengers.
These concession details were the foundation on the basis of which
reimbursements were claimed by the Corporation from GoM.

In the absence of reliable and correct data for concessions to passengers, the
reliability and correctness of the claims raised by the Corporation on the GoM
for reimbursement of differential fare could not be vouched for. On verification
of data related to the claims made during 2013-14 against the concession of
senior citizens pertaining to selected 12 Divisions, Audit observed that in
11 Divisions (except Buldhana), the Corporation claimed reimbursement of
₹ 180.55 crore based on manual data as against the fare amount of
₹ 166.37 crore collected from senior citizens as per data generated by the
system. This needs reconciliation between system data and manual data.

The Management stated (December 2014) that proof of concession was not
captured in the ETIM and it was physically verified by conductor before issue
of ticket. It was further stated that concession wise ticket codes were captured
at depot level server and was not pulled centrally till December 2011 and that
for preferring the claims, monthly reports were being obtained from the depots
and manually consolidated at central level.

The fact remained that the Corporation had not made use of system generated
reports and data was also not reconciled.

3.10.6 The table for capturing waybill trip details was designed to generate
analytical report on trip-wise revenue earned for decision making process.

• Scrutiny revealed that in 21,235 records, ticket income of ₹ 4.44 lakh was
reported to have been generated against route number “0”, which was not
available in the master table containing routes.

• In Akola Depot in 9,661 records, cumulative revenue income of
₹ 1,00,03,845 was reported against analogous Trip number “00000000”.

• It is pertinent to note that in Akola Depot in the case of conductor badge no
43,365 against waybill number 3,994 duty was assigned on
15 January 2011 for the trips assigned for two days on 15 and
16 January 2011 and the Trip numbers assigned were also not in sequential
order i.e., Trip number 0S254131 and 0S254137 to 0S254138 were
assigned for 15 January 2011 whereas Trip numbers 0S254132 to
0S254136 were assigned for 16 January 2011, which indicates manual
intervention.

The Management stated (December 2014) that this was related to Depot Crew
operation and there were various routes, bus services created in the reservation
system, which were later on synchronised with depot ETIM application.
Further in regard to the case of "0" route number, it was stated that route data
string may not be loaded properly and in respect of Trip number “00000”, it
was stated that these trips referred to extra trip.

The reply was not acceptable as the fact remained that in an IT system human
intervention should be minimal.
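The three anomalies in paragraph 3.10.6 (income booked to a route absent from the route master, income booked to an all-zero trip number, and trip numbers that run against the duty dates) each map to a query over the waybill trip table. The following is an added example, not code from the report or the Corporation's system; table and column names, route codes and income figures are assumptions and constructed data, only the trip numbers and dates of waybill 3994 mirror the Akola case quoted above, and SQLite stands in for the MySQL database.

```python
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE route_master (route_no TEXT PRIMARY KEY);
        CREATE TABLE waybill_trip (
            waybill_no    INTEGER NOT NULL,
            trip_no       TEXT NOT NULL,
            route_no      TEXT NOT NULL,
            duty_date     TEXT NOT NULL,      -- ISO yyyy-mm-dd
            ticket_income INTEGER NOT NULL    -- rupees
        );
    """)
    conn.executemany("INSERT INTO route_master VALUES (?)",
                     [("R101",), ("R102",)])
    day15, day16 = "2011-01-15", "2011-01-16"
    # Waybill 3994 follows the trip/date pattern described in the report.
    rows = [(3994, "0S254131", "R101", day15, 1200)]
    rows += [(3994, f"0S25413{n}", "R101", day16, 900) for n in range(2, 7)]
    rows += [(3994, f"0S25413{n}", "R101", day15, 1100) for n in (7, 8)]
    rows += [                                 # constructed rows
        (4000, "00000000", "R102", day15, 500),
        (4001, "0S300001", "0", day15, 150),
        (4001, "0S300002", "0", day15, 50),
    ]
    conn.executemany("INSERT INTO waybill_trip VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def orphan_routes(conn):
    """Income booked to route numbers that do not exist in the master."""
    return conn.execute("""
        SELECT w.route_no, COUNT(*), SUM(w.ticket_income)
          FROM waybill_trip w
          LEFT JOIN route_master r ON r.route_no = w.route_no
         WHERE r.route_no IS NULL
         GROUP BY w.route_no ORDER BY w.route_no""").fetchall()


def placeholder_trips(conn):
    """Trips whose number consists only of zeros."""
    return conn.execute("""
        SELECT waybill_no, trip_no, ticket_income FROM waybill_trip
         WHERE trim(trip_no, '0') = '' ORDER BY waybill_no""").fetchall()


def out_of_sequence(conn):
    """Within a waybill, a higher trip number must not carry an earlier date."""
    rows = conn.execute("""
        SELECT waybill_no, trip_no, duty_date FROM waybill_trip
         WHERE trim(trip_no, '0') <> ''
         ORDER BY waybill_no, trip_no""").fetchall()
    flagged, prev = [], None
    for waybill, trip, day in rows:
        if prev and prev[0] == waybill and day < prev[2]:
            flagged.append((waybill, trip, day, prev[2]))
        prev = (waybill, trip, day)
    return flagged


def constraints_reject_bad_rows():
    """Preventive form: a foreign key and a CHECK refuse both bad inputs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        PRAGMA foreign_keys = ON;
        CREATE TABLE route_master (route_no TEXT PRIMARY KEY);
        CREATE TABLE waybill_trip (
            trip_no  TEXT NOT NULL CHECK (trim(trip_no, '0') <> ''),
            route_no TEXT NOT NULL REFERENCES route_master(route_no));
        INSERT INTO route_master VALUES ('R101');
    """)
    rejected = 0
    for row in [("0S1", "0"), ("00000000", "R101"), ("0S2", "R101")]:
        try:
            conn.execute("INSERT INTO waybill_trip VALUES (?, ?)", row)
        except sqlite3.IntegrityError:
            rejected += 1
    return rejected


if __name__ == "__main__":
    db = build_db()
    print(orphan_routes(db), placeholder_trips(db), out_of_sequence(db))
```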

3.10.7 Gaps of 134 crew ID numbers in the table recording crew duty in 41
locations were observed, which raises doubt on the completeness, integrity and
reliability of data.

The Management stated (December 2014) that crew id may have gaps due to
standard usage of roll back feature at RDBMS level to maintain the accuracy
and integrity of transaction data.

The reply was not correct as the rollback operation in an IT system was
intended to rectify a failed transaction and restore the database to a previous
state even after erroneous operations were performed.

3.10.8 An audit trail in a system is essential to verify the veracity of the
output with reference to keyed input, to ensure that its process control is
proper and that security of the database is maintained. In the ORS database,
a table for this purpose, though created, was being maintained only from
12 March 2014.

The Management stated (December 2014) that Audit trail data for all the
functionalities are captured and available with it. The reply was not
convincing as verification of database revealed that the audit trail was
available only for 15 tables as against 781 tables in ORS database.

3.10.9 Besides its own staff for window booking, ABAs were allowed to book
advance tickets for the prospective passengers by collecting fare from them.
As per contractual terms, credit limit approval[44] was specified and the money
so collected was to be deposited in the designated bank account within specific
period. To enable them to perform their contractual obligations, limited access
to the ORS database was allowed and for capturing the details of agents,
irrespective of whether own employees or private booking agents, master table
for booking agents was maintained in ORS database. Scrutiny of the same
revealed the following deficiencies:

• In none of the ABAs, the data on money value limit specified in the
contractual terms was captured in the limit column contained in the master
table and hence the method of monitoring money value limit was not
known;

• In 12 cases, even though agent codes were allocated, the addresses of
ABAs were not captured in the relevant columns lacking input controls;

• In another 109 cases though Agent codes were available, details of Booking
Centre (BC) Code and BC Names were not captured to limit their access
over database;

• In the case of its own employees as Booking Agents, 119 cases where same
Agent code with access to more than one BCs falling in various locations
were detected;

• In other 29 cases, different BC Codes were created for the same Agent at
the same location thereby facilitating the ABAs to avail more credit limits.

[44] Aggregate limit of value of tickets beyond which Corporation’s money could
not be retained by ABAs

The Management (December 2014) accepted the observations and stated that
they were in the process of implementing pre-paid payment system i.e. online
wallet for booking agent by using payment gateway and this functionality will
be enabled soon.

3.10.10 On an analysis of table recording receipts generated, Audit observed
that in 12 locations[45], 76,471 duplicate receipt numbers were generated. This
demonstrates the lack of process control in ensuring issue of unique receipt for
every collection transaction recorded in the table.

The Management stated (December 2014) that the process of generation of
Conductors Waybill Abstract (CWA) unique number is that, if no ticket block
has been sold from the tray then same CWA number will be continued. In case
if any sale from the tray, then new CWA number will be generated. By using
this process log of each duty ticket sale will be maintained. Cash collection is
recorded against each waybill number. Thus, there was no duplication or
inconsistency in generation of duplicate CWA numbers.

The reply of the Management did not address the issue of non-generation of
unique receipt number for each transaction distinctly but addressed the CWA
which was not the point of issue.
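The three data-integrity tests behind paragraphs 3.10.6, 3.10.7 and 3.10.10 (transactions against a route missing from the master table, gaps in a crew ID sequence, and repeated receipt numbers) can be expressed as queries. The following is an added example, not part of the audit report or of the ETIM/ORS system; the table names, column names and sample rows are constructed, and receipt numbers are assumed to be unique per depot.

```python
import sqlite3

# Constructed sample data. Table and column names are hypothetical,
# not the actual ETIM/ORS schema.
SCHEMA = """
CREATE TABLE routes (route_no TEXT PRIMARY KEY);
CREATE TABLE waybill_trips (id INTEGER PRIMARY KEY, route_no TEXT,
                            trip_no TEXT, income REAL);
CREATE TABLE crew_duty (crew_id INTEGER PRIMARY KEY, depot TEXT);
CREATE TABLE receipts (id INTEGER PRIMARY KEY, depot TEXT,
                       receipt_no TEXT, amount REAL);
INSERT INTO routes VALUES ('101'), ('102');
INSERT INTO waybill_trips (route_no, trip_no, income) VALUES
  ('101', '0S000001', 850.0), ('0', '00000000', 120.0), ('0', '00000000', 90.0);
INSERT INTO crew_duty VALUES (1,'A'), (2,'A'), (5,'A'), (6,'A'), (9,'A');
INSERT INTO receipts (depot, receipt_no, amount) VALUES
  ('A','R001',500.0), ('A','R001',300.0), ('A','R002',200.0), ('B','R001',100.0);
"""

def load():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con

def orphan_routes(con):
    """Trip records whose route number is absent from the route master:
    (route_no, record count, total income)."""
    return con.execute("""
        SELECT t.route_no, COUNT(*), SUM(t.income)
        FROM waybill_trips t LEFT JOIN routes r ON r.route_no = t.route_no
        WHERE r.route_no IS NULL
        GROUP BY t.route_no ORDER BY t.route_no""").fetchall()

def crew_id_gaps(con):
    """Missing crew IDs as (first_missing, last_missing) ranges."""
    return con.execute("""
        SELECT a.crew_id + 1, MIN(b.crew_id) - 1
        FROM crew_duty a JOIN crew_duty b ON b.crew_id > a.crew_id
        GROUP BY a.crew_id
        HAVING MIN(b.crew_id) - a.crew_id > 1
        ORDER BY a.crew_id""").fetchall()

def duplicate_receipts(con):
    """Receipt numbers issued more than once within the same depot."""
    return con.execute("""
        SELECT depot, receipt_no, COUNT(*) FROM receipts
        GROUP BY depot, receipt_no HAVING COUNT(*) > 1
        ORDER BY depot, receipt_no""").fetchall()

if __name__ == "__main__":
    con = load()
    print(orphan_routes(con), crew_id_gaps(con), duplicate_receipts(con))
```

Each query returns an exception list that can be reconciled against source documents; an empty result is the expected state when master-data and uniqueness controls are enforced at input.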

3.10.11 The Government of Maharashtra decided (February 2009) to extend
concessional ticket facility to Handicapped Exemplary Worker Awardee
(HEWA) along with escort. However, this concession was not codified and
included in the "Concessions" Master table and the same was being computed
manually by the Corporation.

The Management accepted (December 2014) the observation and assured that
care would be taken in future system implementation.

Management information system

3.11 Master Service Agreement envisaged the implementation of an
effective Management Information System (MIS) for Data Analysis, Data
Mining of various bus operations, revenue collected, passenger load, operating
profitability (ABC trips Analysis) etc. Audit, however, observed that ETIM
and ORS database did not contain tables to depict the details of buses
available with depots, manual pass collection data, digitised routes and bus
stops, digitisation of data of pass holders, ABA cash collection and remittance
data, data pertaining to all passengers eligible to different types of concessions
etc., as reported in different parts of the report.

[45] Depots at Kurla, Mumbai Central, Panvel, Parel, Kolhapur, Sambhajinagar,
Baramati, Chinchwad, Narayangaon, Shivajinagar, Swargate and Talegaon.

The Management stated (December 2014) that in all around 200 MIS reports
are being generated from the system and made use of at depot level in its day
to day traffic operation, which facilitated to have overall control on traffic
operation, mechanical operation, KPTL, CPKM, EPKM, etc. During the exit
conference, Management also agreed for improvement in analysis of data for
suitable decision making.

Deficient services to passengers

3.12 To make the e-ticketing more successful and increase the efficiency
and profitability of operations, a table was created in ETIM and ORS database
to define all the routes and all service stops on the routes. In respect of
Aurangabad-1 depot, Audit observed that out of 6,470 routes captured in the
aforesaid table, service stops were defined only for 837 routes, leaving 5,633
routes without defined service stops.

The Management stated (December 2014) that 'v_routes' is prepared for only
Routes information present in routes table and 'v_all_service_stops' has only
those route stops on which the bus service is defined for the own depot only.

The fact remained that as long as all the service stops of all routes were not
defined and captured in the relevant tables, the services of Trimax were
deficient and the Corporation could not derive expected benefits of e-ticketing
by allowing prospective passengers to avail advance tickets as per their
requirement.

System performance audit

3.13 Clause 1.24 of MSA, stipulated that the operator should allow the
Corporation to access the network monitoring system located centrally or
locally for the purpose of verifying performance by way of quarterly audit that
would verify all service levels during the contractual period through the
necessary software/tools provided by the operator. It further stipulated that the
Corporation may, at its discretion, appoint a third party for carrying out
Performance Audit and the third party so appointed would be responsible for
verification, validation of all invoices under the terms and conditions of the
agreement and would recommend on the eligible payment within two days.

It was observed that Corporation did not carry out such audits during the
initial five years of the contract. Since the cost of such audits and inspections
was to be borne by the operator, the lapse of the Corporation in not carrying
out the audit had resulted in an extension of undue benefit to Trimax.

The Management, while explaining the constraints faced in carrying out the
system performance audit as envisaged in the contract, stated
(December 2014) that the Corporation had retained ₹ 3.50 crore from the
payment of Trimax for this lapse.

Disaster recovery and management

3.14 Adequate Disaster Recovery (DR) infrastructure has to be maintained
for ensuring recovery and business continuity in case of any disastrous
scenario. It was observed that even though DR centre at Pune was established,
mock drills were not carried out periodically to ensure sound health of
equipment and cables deployed for the purpose as a preventive measure.

The Management has agreed (December 2014) to take due care in future to
conduct mock drills periodically.

Business continuity plan

3.15 As per contractual terms and conditions Trimax was to cover all the
aspects of providing, computerising, implementing and maintaining ETIM and
ORS with web facility for six years ending 11 December 2014. It also
included providing training (including hand holding training) to the
Corporation’s employees/officials, transferring ownership of all the assets
including Hardware and System Software (excluding proprietary software) to
the Corporation free of cost. The contract envisaged that Trimax was to
submit an exit management plan in writing within 90 days from the effective
date of agreement. There was delay in handing over the exit plan which was
handed over only in October 2014 instead of within 90 days from the date of
agreement (22 July 2010).

The Management stated (December 2014) that Trimax has already complied
with submission of Exit Management plan, submission of source code,
imparting hand holding training to Corporation officials and data dictionary as
per contractual terms. However, after due "MAKE and BUY" Analysis
discussion, it was examined on whether Corporation can take over the ETIM
and ORS project and operate on its own. Non-availability of adequate and
suitable technical manpower, technical support (for operations and
maintenance) financial implication (for manpower, hardware, software, etc.)
and the constraints on recruitment, etc. were the reasons for not taking the
complete operations independently. In the meantime, Corporation has
initiated the process for selection of a new system integrator for up-gradation
of ETIM & ORS project. The new system integrator shall require a lead time
of approximately nine months for the development and deployment of the
new/upgraded ETIM & ORS system. Moreover, in order to have a complete
hand holding without any disruption in the operations of ticketing system
between the existing and the new system integrator there will be a requirement
of additional lead time. Hence, considering the overall impact on the business
it has been concluded by the Corporation for extending the existing contract
with Trimax for one year.

The fact remained that the aim of business continuity plan was to carry on the
business independently without any hindrance after completion of validity of
contract period. Under the circumstances, the Corporation, for its business
continuity, has no alternative but to rely on the support of either Trimax or
third parties in so far as its e-ticketing and on-line reservations are concerned.
It is pertinent to note that pending initiation/finalisation of tendering process
for next term, the Corporation initiated extension of existing contract with
Trimax for one year which indicated the fact of its incapability to continue the
business of e-ticketing and on-line reservations independently.


Miscellaneous issues

3.16.1 The transaction table 'ticket' contains departure date and time of the
bus. Audit however, observed that record entries in these columns appeared as
0/0/0000 and 00:00:00 respectively. So long as the conductors are not
instructed to punch the date and time of the actual departure of the bus through
ETIM by making it mandatory, the objective of designing the system for
improving the operations was defeated.

3.16.2 As per terms of contract ETIM was to be kept ready 40 minutes before
the scheduled departure time (30 minutes before the sign on time and Sign on
to be done before 10 minutes of the departure of the buses). The penalty of
₹ 1,50,000 per depot/per month was recoverable if the average delay was
between 0 and 10 minutes before schedule sign on time. Scrutiny of
conductors’ availability table revealed monthly average delay between 21 and
39 minutes in Asti Depot (District: Beed) during July 2011 to March 2012.
The penalty recoverable as per contract worked out to ₹ 13.50 lakh. However,
the same was not recovered from Trimax till date (December 2014).

The Management stated (December 2014) that all SLA parameters were
considered as per SLA business rules. SLA formulas were used as per the
business rule document and penalty was applicable after applying the SLA
business rules.

The reply was not acceptable as the SLA software developed and deployed
was kept by Trimax outside the database.

3.16.3 As per terms of contract, the application development should be made
free from any vulnerability and provide a ‘bug’ free environment for the entire
solution during the contractual period. The ‘Correctness of the delivery’
requirement clause of the SLA also stipulated that the software component
should be bug/defect free after the completion of the User Acceptance Testing
(UAT) and that the service provider would be liable to pay a penalty of
₹ 5,000 per bug/error/defect reported after UAT. The UAT of the ORS and
the ETIM was conducted on 29 December 2009 and 16 January 2010
respectively.

Scrutiny of data revealed reporting of 59,794 errors (ORS 197 and ETIM
59,597) logged after the UAT and up to 9 May 2014.

The Management replied (December 2014) that these tables were created to
handle exceptional conditions to maintain transactional data integrity so that
later on, these logs can be further examined for application performance
tuning & enhancement in the system and these findings would not hamper the
operations or business.

The reply was not correct as verified from the SLA which, in its correctness of
delivery definition, inter alia, stipulated that “Correctness would mean that
submission of all software components/ source code etc after the completion
of the UAT (or the 1 UAT), should be defect/bug free”.


3.17 Conclusion and Recommendations

The Corporation had not framed any IT policy laying down procedures, rules
and regulations to oversee and monitor its IT environment.

The Corporation may formulate IT policy laying down procedures, rules and
regulations.

The deficient input control and validation checks resulted in low assurance
regarding completeness and reliability of data as observed from the tables
containing details of freedom fighters, Arjuna awardees etc. There was
deficient systems design resulting in non-capturing of data for grant of
concessions.

The Corporation may ensure sufficient input controls and validation checks
to have assurance of completeness and reliability of data.

The system could not be used for an effective MIS, data mining and data
integration as envisaged in the scope of the contract due to non-capturing of
details of buses available with depots, manual pass collection data, digitised
routes and bus stops, digitisation of data of pass holders.

The Corporation may evolve a system to make use of the data captured in
the e-ticketing database as a business intelligence tool for improving the
business operations.

The Corporation provided the infrastructure to Trimax at EDP centre and
depot/bus stand without recovery of charges and also did not conduct the
System performance audit as provided in the agreement with Trimax.

The terms and conditions of agreement may be adhered to avoid any
financial loss to the Corporation.

Audit findings were reported (December 2014) to GoM; the reply was awaited
(December 2014).
