E-Ticketing AUDIT PROGRAMME


Auditor Responsible Audit Reviewed by Audit Month/Year Estimated Man Days

OBJECTIVE

The E-ticketing work program is developed in order to assess controls in the e-ticketing process, aiming at:
- Completeness, accuracy and timeliness of revenues related to e-ticketing;
- Reliability and availability of IT systems involved in e-ticketing.

Introduction

This E-Ticketing work program is the outcome of an IAAIA workshop dedicated to e-ticketing, which was conducted on March 17 and March 18 in Schiphol, Netherlands. The work program is a so-called integrated work program, with elements from financial, operational and IT auditing.

As the manners in which airlines execute processes differ from airline to airline, the applicability of this work program for a specific audit must be carefully assessed. Some risks may not be applicable and other risks may not have been listed. Likewise, controls mentioned may not be applicable and other controls may be in place. Implementing all controls mentioned in this work program will not always be necessary and may even lead to an over-complete control environment. Several ways can be followed to implement controlled processes and deliberately no selection of controls has been made in this program. Consequently, tailoring the work program will be necessary to match the audit procedures with the specific situation within your company.

This work program is focused specifically on E-Ticketing and is not suitable for audits on paper ticket processes.
Participants of the IAAIA E-Ticketing workshop:
- Iyimola Akinbola - Virgin Nigeria Airways
- Bashar Al Qudah - Royal Jordanian Airlines
- Bodosahondra Andriamialison - Air Madagascar
- Genevieve Braganza - Jet Airways
- Michelle Au-Chan - WestJet
- John Dunker - Surinam Airways
- Roshni Jagannathan - Emirates
- Kishore Kanojia - Emirates
- Mohamed Khalaf Hasan - Gulf Air
- Suvi Kruse - Finnair
- Pauline Liew - Royal Brunei Airlines
- Syed Abdul Qader Mohd Ansari - Malaysia Airlines
- Kim Nehls - Scandinavian Airlines System
- Bartosz Ryters - LOT Polish Airlines
- Gudny Sigurdardottir - Fjarvakur
- Geoffrey Smith - Air Canada
- Stefan Stapfer - Swiss International Air Lines
- Sharon Ti Lien Heng - Malaysia Airlines
- Angelique Cue-Tinsay - Philippine Airlines
- Anna Gudrun Tomasdottir - Icelandair
- Vivek Tuli - Qatar Airways
- Antony Wamatu - Kenya Airways
- Margaret Zimunhu - British Airways

Facilitators:
- Robert Engelbarts - KLM Royal Dutch Airlines
- Jacqueline Holla - KLM Royal Dutch Airlines
- Sjoerd Jansen - KLM Royal Dutch Airlines

S.No  Area of Audit
A     Reservation, booking and airport handling
B     Revenue Recognition
C     Revenue controls and monitoring (e.g. flown not sold, sold not flown)
D     Manual interventions and critical transactions
E     Electronic miscellaneous documents (EMDs)
F     Interline / Non interline
G     Management information

A. Reservation, booking and airport handling

Potential Risks:
- Not all E-Tickets are paid for
- Issuance without payment
- Duplicating paid E-Tickets (2 usable tickets, 1 payment)
- Ticketing systems and reservation systems not fully integrated
- E-Ticketing is not applied on all routes
- Ticketing systems and DCSs not fully integrated
- Mismatch between booking data and ticketing data

Expected Controls:
- IT control preventing issuance of E-Tickets without payment record
- IT control preventing issuance of earlier issued E-Ticket
- Report that matches E-tickets with payments
- Detailed analysis of compatibility of systems performed before linking systems
- Execution of tests before implementing a link between systems
- IT control preventing the issuance of E-Ticketing on not E-Enabled routes
- See above
- See above
- Application, database and interface design preventing such occurrences

Audit Testing / Questions:
- Assess and test design and actual functionality of application
- Assess whether a control that matches issued tickets with payments is available and used
- Assess whether analysis of compatibility has been (adequately) performed
- Assess whether tests before implementation have been (adequately) performed (e.g. the user organisation was involved in developing test scenarios and signing off on test results)
- Perform sample testing on accuracy of key functionalities (e.g. change in booking leads to change in ticket, payment makes ticket available for use etc.)
- Assess maintenance of list of non E-Enabled routes
- Test of one by trying to book an E-Ticket for a non E-Enabled route
- Assess application, database and interface design (e.g. what is regarded as primary source of data and what is done to prevent mutation of data in other sources?)

Potential Risks:
- Incomplete and/or incorrect data entry
- Lack of audit trail (e.g. log files)
- Malperformance of third parties (e.g. GDSs): data integrity, contingency
- Boarding passes are issued without a ticket (e.g. by airline check-in staff, IT staff) and used

Expected Controls:
- Interface controls
- Restricted access to database and logging of database administrators' activity
- Input validations
- Logging and audit requirements established by management (preferably in design phase of systems)
- Agreed IT controls ensuring data integrity and contingency
- Right to audit or SAS 70 / ISAE 3402
- Queries on boarding passes without valid reference to ticket

Audit Testing / Questions:
- Assess whether data transfers are automatically checked for completeness, accuracy and timeliness and whether follow-up of exceptions occurs
- Assess whether database administrator access is limited (need to have)
- Assess whether critical changes to database records are logged and reviewed
- Assess whether required fields cannot be left empty
- Assess whether input is subject to automated validity checks (e.g. date formatting check, inability to make a booking for a flight in the past, etc.)
- Assess whether logging and audit trails were addressed in the design phase of systems and agreed upon by those that need them (revenue assurance, anti-fraud department, etc.)
- Assess whether logging and audit trails were implemented as designed, saved to a secure location and used
- Assess whether a control framework ensuring data integrity and contingency has been agreed upon with the GDS and has been formalised in the contract
- Assess whether a right to audit the GDS on (amongst others) data integrity and contingency is present in the contract, or
- Assess whether a SAS 70 Type II / ISAE 3402 statement with a relevant scope is periodically provided
- In case of a right to audit, perform an audit focusing on data integrity and contingency at the GDS
- Assess whether reports of boarding passes without a valid reference to a ticket are available and used

Potential Risks:
- Multiple boarding passes for same stretch refer to a single e-ticket
- Status change from Flown to Open and subsequently reused or refunded
- Tickets voided after flown (Expected Controls: see above; Audit Testing / Questions: see above)
- Passengers are incorrectly identified
- Disclosure of booking code name combination

Expected Controls:
- Queries on repeated use of e-tickets on same stretch
- Restricted access to status change function at application level
- Restricted access to database and logging of database administrators' activity
- Lists of suspicious status changes
- Instruction of staff in contact with passengers
- Redundancy (identification both at check-in and at boarding)
- Restricted access to PNR
- Non-disclosure agreement (internally and with other parties handling PNRs)
- Procedures regarding distribution of booking codes
- Secure exchange of data between systems

Audit Testing / Questions:
- Assess whether reports of repeated use of e-tickets on the same stretch are available and used
- Assess whether access is restricted to those that need to perform related tasks in order to do their jobs
- Assess whether database administrator access is limited (need to have)
- Assess whether critical changes to database records are logged and reviewed
- Assess whether suspicious status changes are listed and follow-up takes place
- Assess whether staff is trained and periodically reminded on the importance of proper identification of passengers
- Assess whether procedures (and IT in case of check-in kiosk) support redundant identification
- Assess whether working practice is according to procedure
- Assess whether access is restricted to those that need to view PNRs in order to do their jobs
- Assess whether non-disclosure agreements are signed by all parties working with PNRs
- Assess whether a procedure is in place and followed to properly identify the passenger before communicating the booking code
- Assess whether exchanged data is adequately encrypted or adequate secure channels (VPN) are used
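The exception reports named above (boarding passes without a valid reference to a ticket, repeated use of an e-ticket on the same stretch, suspicious status changes) can be prototyped as queries. The following is an added example, not part of the work program; the table layout, the status names and all sample rows are constructed assumptions.

```python
import sqlite3

# Hypothetical, simplified schema; real reservation and DCS databases differ.
SCHEMA = """
CREATE TABLE coupon (
    ticket_no TEXT, coupon_no INTEGER, stretch TEXT, status TEXT,
    PRIMARY KEY (ticket_no, coupon_no));
CREATE TABLE boarding_pass (
    bp_id INTEGER PRIMARY KEY, ticket_no TEXT, coupon_no INTEGER,
    flight TEXT, issued_by TEXT);
CREATE TABLE status_log (
    log_id INTEGER PRIMARY KEY, ticket_no TEXT, coupon_no INTEGER,
    old_status TEXT, new_status TEXT, changed_by TEXT, changed_at TEXT);
"""

# Constructed sample data (not real ticket numbers, flights or users).
COUPONS = [
    ("T0001", 1, "AMS-LHR", "FLOWN"),
    ("T0002", 1, "AMS-LHR", "FLOWN"),
    ("T0003", 1, "AMS-CDG", "OPEN"),   # flown, then set back to open
    ("T0004", 1, "AMS-CDG", "VOID"),   # voided after flown
]
BOARDING_PASSES = [
    (1, "T0001", 1, "XX100", "agent01"),
    (2, "T0002", 1, "XX100", "agent01"),
    (3, "T0002", 1, "XX100", "agent02"),  # second pass for the same coupon
    (4, None, None, "XX100", "agent03"),  # no ticket reference at all
    (5, "T9999", 1, "XX200", "agent03"),  # reference to a ticket that does not exist
    (6, "T0003", 1, "XX300", "agent01"),
    (7, "T0004", 1, "XX300", "agent01"),
]
STATUS_LOG = [
    (1, "T0001", 1, "OPEN", "FLOWN", "dcs", "2024-01-10T08:00"),
    (2, "T0002", 1, "OPEN", "FLOWN", "dcs", "2024-01-10T08:05"),
    (3, "T0003", 1, "OPEN", "FLOWN", "dcs", "2024-01-11T09:00"),
    (4, "T0003", 1, "FLOWN", "OPEN", "dba07", "2024-01-12T23:10"),
    (5, "T0004", 1, "OPEN", "FLOWN", "dcs", "2024-01-11T09:02"),
    (6, "T0004", 1, "FLOWN", "VOID", "agent02", "2024-01-13T07:45"),
]

# Statuses treated as final in this example (an assumption).
FINAL_STATUSES = ("FLOWN", "EXCHANGED", "REFUNDED")


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO coupon VALUES (?,?,?,?)", COUPONS)
    conn.executemany("INSERT INTO boarding_pass VALUES (?,?,?,?,?)", BOARDING_PASSES)
    conn.executemany("INSERT INTO status_log VALUES (?,?,?,?,?,?,?)", STATUS_LOG)
    return conn


def boarding_passes_without_ticket(conn):
    """Boarding passes whose ticket/coupon reference is missing or unknown."""
    rows = conn.execute("""
        SELECT b.bp_id
        FROM boarding_pass b
        LEFT JOIN coupon c
               ON c.ticket_no = b.ticket_no AND c.coupon_no = b.coupon_no
        WHERE c.ticket_no IS NULL
        ORDER BY b.bp_id""").fetchall()
    return [r[0] for r in rows]


def repeated_use_of_coupon(conn):
    """Coupons that more than one boarding pass refers to."""
    return conn.execute("""
        SELECT ticket_no, coupon_no, COUNT(*) AS passes
        FROM boarding_pass
        WHERE ticket_no IS NOT NULL
        GROUP BY ticket_no, coupon_no
        HAVING COUNT(*) > 1
        ORDER BY ticket_no, coupon_no""").fetchall()


def suspicious_status_changes(conn):
    """Logged changes that move a coupon away from a final status."""
    marks = ",".join("?" * len(FINAL_STATUSES))
    return conn.execute(f"""
        SELECT ticket_no, coupon_no, old_status, new_status, changed_by
        FROM status_log
        WHERE old_status IN ({marks}) AND new_status <> old_status
        ORDER BY log_id""", FINAL_STATUSES).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("Boarding passes without ticket:", boarding_passes_without_ticket(db))
    print("Repeated use of a coupon:", repeated_use_of_coupon(db))
    print("Suspicious status changes:", suspicious_status_changes(db))
```

The third query only works if status changes made at database level are logged as well, which is what the database administrator logging control is meant to ensure.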

Potential Risks:
- Abuse of credit card data
- Discounted fare control in fully automated process (seamen, missionary, senior, staff, etc.)
- Passenger shows up for cancelled / rescheduled flights
- Incorrect claim on inventory (e.g. duplicate booking)
- Lack of e-ticket interline agreements and as a consequence settlement issues

Expected Controls:
- Restricted access
- Verification of legitimacy of use of discounted fares (issuer's agent code, passport, seaman's passport, personnel ID, etc.)
- SMS service
- Cancellations of unpaid bookings within x hours
- System does not allow E-Ticketing for stretches flown by airlines that do not have an interline agreement

Audit Testing / Questions:
- Assess whether credit card details cannot be made visible (on screen, in print, through exports, etc.) with standard transactions
- Assess whether each retrieval of credit card data (also at database level) is logged and whether this logging is reviewed
- Assess whether credit card details are stored in an encrypted manner
- Assess whether database administrator access is restricted
- Assess the progress and outstanding issues of the PCI-DSS compliancy project
- Assess the presence of automated controls for verifying the legitimacy of discounted fares (e.g. by checks with reference data)
- Assess whether ground handling staff is instructed to verify the legitimacy of discounted fares
- Assess whether ground handling staff verifies the legitimacy of use of discounted fares and takes appropriate action in case of (probable) misuse
- Assess whether passengers are recommended to leave their contact details at the time of booking
- Assess whether a procedure regarding passengers showing up for rescheduled / cancelled flights is in place and is followed up
- Assess whether unpaid reservations are automatically cancelled after a certain amount of time
- Verify that ticketing application does not allow the issuing of e-tickets for stretches flown by airlines that do not have an E-Ticket interline agreement

Potential Risks:
- No collection of service fees from agents (service fees received from agents not included in fare amount (in some cases manually registered under remarks))
- Incomplete revenue accounting
- Abuse of IT systems, leading to unauthorised transactions that involve revenue leakage (e.g. changes to bookings, generation of boarding passes without ticket reference)

Expected Controls:
- System control: no check-in for non-interlined passenger allowed (or other interline restrictions)
- Consistent coding of service fees in one of the ticket fields
- Matching of received service fees with tickets and reporting unmatched tickets
- Interface controls
- Check on presence of pax boarding status data for each executed flight
- Check on completeness of accounting for each individual flight leg
- Role based access, Segregation of Duties
- Access control lists

Audit Testing / Questions:
- Verify that passengers with electronic ticket of airline with no E-Ticket interline agreement cannot check-in with E-Ticket
- Assess whether instructions were provided to agents regarding how to report collected service fees on tickets
- Assess whether matching takes place and reports of unmatched tickets are followed up
- Assess whether controls on the interface between the e-ticketing environment (e.g. sequence checks) and the revenue accounting environment are in place and exception reporting is followed up
- Assess whether a match between flight schedule execution and boarding reports is made and mismatches are reported and followed up
- Assess the existence and use of control query that checks whether for each flown leg on non-free tickets a revenue > 0 has been calculated
- Assess whether the available user profiles are free of conflicting tasks / contain safeguards against unauthorised bookings (e.g. segregation between creation and approval of exceptional bookings)
- Assess whether conflicting profiles are not granted to a single person
- Assess whether access is restricted to those that need to perform related tasks in order to do their jobs

Potential Risks:
- Unavailability of reservation and booking systems

Expected Controls:
- Authentication of users of IT systems
- Maintenance of access rights to IT systems
- Logging of critical activities
- Restricted access to database and logging of database administrators' activity
- Redundancy of IT servers, storage, power and network elements
- Continuity plans to minimise adverse effects of outages
- Testing of changes to IT

Audit Testing / Questions:
- Assess whether systems are protected with authentication mechanisms of sufficient strength (complex and personal passwords that frequently change, personal swipe cards, etc.)
- Assess whether accounts are locked after repeated failed login attempts
- Assess whether granting of access rights is only executed after approval of designated authorising managers
- Assess whether leaves and staff transfers lead to revocation of access rights
- Assess whether outstanding access rights are periodically reviewed by management
- Assess whether critical activities are logged, log files are archived and reviewed, and access to log files is restricted
- Assess whether database administrator access is limited (need to have)
- Assess whether critical changes to database records are logged and reviewed
- Assess hardware, networking and power supply for absence of single points of failure. In case single points of failure exist, verify whether the related risk is consciously accepted by management
- Obtain comfort from external providers regarding their redundancy
- Assess whether continuity plans are present, up-to-date and tested
- Assess whether changes to IT are subject to testing and sign-off for proper performance before the production environment is changed

Potential Risks:
- Loss of application and data

Expected Controls:
- Back-up and recovery

Audit Testing / Questions:
- Assess whether frequent back-ups are made and stored at a distant and safe location
- Assess whether back-ups are scheduled and execution is monitored
- Assess whether recovery tests are performed

Process Notes & Test Results

B. Revenue Recognition

Potential Risks:
- Incorrect revenue accounting (e.g. cut-off)
- Unrecognized/overrecognized revenue
- Presentation of revenues (pax versus ancillary)

Expected Controls:
- Follow the accounting rules of the company set in the financial policy
- Rule in the system: correct classification of earned and unearned revenue; correct cut off rules in the system
- Restricted access to application parameters
- Management reporting is provided for review
- Proration rate/agreement according to IATA and SPA
- Reconciliation of unbalanced coupon batches
- Management reporting is provided for review
- System mapping based on accounting policy of the company

Audit Testing / Questions:
- Assess testing of application before it was implemented
- Compare system rules to what has been set in the accounting policy
- Assess reports of tests executed prior to implementation
- Perform sample testing of correct cut of flight(s)
- Assess whether access to application parameters that influence the accounting method is restricted (need to have)
- Test to determine whether management reviewed management reporting
- Test whether systems provide adequate management reports
- Check the correctness/completeness of the proration parameters (comparison with agreement)
- Perform sample testing of correct proration calculation
- Review reporting provided by the system identifying unbalanced coupon batches (exception reporting). Ensure that appropriate actions are taken by management.
- Test to determine whether management reviewed management reporting
- Test whether systems provide adequate management reports
- Assess testing of application before it was implemented
- Compare system rules to what has been set in the accounting policy

Potential Risks:
- Pricing inaccuracies: tickets are priced higher or lower than your published fares
- Incomplete revenue accounting
- Loss of application and data
- Unavailability of revenue accounting system

Expected Controls:
- Fare audits
- Exception report
- System controls
- Pricing policy
- Interface controls
- Restricted access to database
- Check on presence of pax boarding status data for each executed flight
- Check on completeness of accounting for each individual flight leg
- Back-up and recovery
- Continuity plans to minimise adverse effects of outages

Audit Testing / Questions:
- Assess scope (sufficient coverage of sales), quality of execution and follow-up on fare audits
- Review exception report for fare discrepancies and justification
- Ensure ADMs were issued and collected on a timely basis
- Assess whether a system control is implemented which ensures compliance with the pricing policy
- Assess whether automated pricing and ticket module for reissue and revalidation is in place (if possible)
- Assess whether a policy regarding pricing and manual tariffication exists and is implemented
- Assess whether controls on the interface between the e-ticketing environment (e.g. sequence checks) and the revenue accounting environment are in place and exception reporting is followed up
- Assess whether access to the database of the revenue accounting system is limited (need to have)
- Assess whether a match between flight schedule execution and boarding reports is made and mismatches are reported and followed up
- Assess the existence and use of control query that checks whether for each flown leg on non-free tickets a revenue > 0 has been calculated
- Assess whether frequent back-ups are made and stored at a distant and safe location
- Assess whether back-ups are scheduled and execution is monitored
- Assess whether recovery tests are performed
- Assess whether continuity plans are present, up-to-date and tested

Potential Risks:
- Untrained use or abuse of IT systems, leading to transactions that involve revenue leakage (e.g. with regard to interline settlement)

Expected Controls:
- Testing of changes to IT
- Access control lists
- Authentication of users of IT systems
- Maintenance of access rights to IT systems
- Logging of critical activities
- Restricted access to database and logging of database administrators' activity

Audit Testing / Questions:
- Assess whether changes to IT are subject to testing and sign-off for proper performance before the production environment is changed
- Assess whether access is restricted to those that need to perform related tasks in order to do their jobs (e.g. changing pro-rate settings)
- Assess whether systems are protected with authentication mechanisms of sufficient strength (complex and personal passwords that frequently change, personal swipe cards, etc.)
- Assess whether accounts are locked after repeated failed login attempts
- Assess whether granting of access rights is only executed after approval of designated authorising managers
- Assess whether leaves and staff transfers lead to revocation of access rights
- Assess whether outstanding access rights are periodically reviewed by management
- Assess whether critical activities are logged, log files are archived and reviewed, and access to log files is restricted
- Assess whether database administrator access is limited (need to have)
- Assess whether critical changes to database records are logged and reviewed

C. Revenue controls and monitoring (e.g. flown not sold, sold not flown)

We ran out of time during the workshop to touch this topic. Please feel free to come up with potential risks and related controls and audit tests / questions.

Potential Risks:
- Flights are made with unsold tickets
- No insight in aging of obligation towards customers
- Incomplete measurement of revenue
- Coupon status of flying passenger not changed
- Expired tickets are not closed

Expected Controls:
- Reporting and follow-up on flown not sold tickets
- Aging analysis of that have been sold but not yet used
- Sequence check on issued e-tickets
- Reconciliation of sum of e-ticket list and gathered coupons with passenger name list
- Check periodically for expired tickets in operational database and take corrective action in line with general terms and conditions (ticket data must remain available for refunds)

Audit Testing / Questions:
- Assess whether the ticket numbers of flown coupons are matched with the related booking and payment, and coupons that cannot be matched are investigated
- Assess whether a sold not flown aging analysis exists and is reviewed by management
- Assess whether a sequence check on issued e-tickets is performed and that any gaps are investigated
- Assess whether the sum of the e-ticket list and the paper tickets for a flight is reconciled with the number of passengers on the passenger name list and whether discrepancies are investigated
- Assess whether periodical check and corrective action takes place
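The sequence check on issued e-tickets, the matching of flown coupons with payments (flown not sold) and the sold not flown aging analysis listed above, sketched as an added example that is not part of the work program. The record layout, the aging buckets (30 / 90 / 365 days) and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Coupon:
    ticket_serial: int   # numeric serial of the e-ticket (constructed values)
    coupon_no: int
    status: str          # "OPEN" or "FLOWN" in this example
    issued: date


# Constructed sample data: serials 1004 and 1005 were never issued,
# ticket 1003 was flown but has no payment record.
COUPONS = [
    Coupon(1001, 1, "FLOWN", date(2024, 1, 5)),
    Coupon(1002, 1, "OPEN", date(2024, 5, 20)),
    Coupon(1003, 1, "FLOWN", date(2024, 2, 1)),
    Coupon(1006, 1, "OPEN", date(2024, 3, 1)),
    Coupon(1006, 2, "OPEN", date(2024, 3, 1)),
    Coupon(1007, 1, "OPEN", date(2022, 11, 15)),
]
PAID = {1001, 1002, 1006, 1007}   # ticket serials with a matching payment
AS_OF = date(2024, 6, 1)          # reporting date of the analysis


def sequence_gaps(serials):
    """Return (first_missing, last_missing) ranges inside the issued sequence."""
    ordered = sorted(set(serials))
    return [(a + 1, b - 1) for a, b in zip(ordered, ordered[1:]) if b - a > 1]


def flown_not_sold(coupons, paid_serials):
    """Ticket serials with a flown coupon but no matching payment."""
    return sorted({c.ticket_serial for c in coupons
                   if c.status == "FLOWN" and c.ticket_serial not in paid_serials})


def sold_not_flown_aging(coupons, paid_serials, as_of, limits=(30, 90, 365)):
    """Count paid, still open coupons per age bucket (days since issue)."""
    labels, low = [], 0
    for lim in limits:
        labels.append(f"{low}-{lim}")
        low = lim + 1
    labels.append(f">{limits[-1]}")
    counts = dict.fromkeys(labels, 0)
    for c in coupons:
        if c.status != "OPEN" or c.ticket_serial not in paid_serials:
            continue
        age = (as_of - c.issued).days
        # First bucket whose upper limit covers the age, else the overflow bucket.
        idx = next((i for i, lim in enumerate(limits) if age <= lim), len(limits))
        counts[labels[idx]] += 1
    return counts


if __name__ == "__main__":
    print("Gaps in ticket sequence:", sequence_gaps(c.ticket_serial for c in COUPONS))
    print("Flown not sold:", flown_not_sold(COUPONS, PAID))
    print("Sold not flown aging:", sold_not_flown_aging(COUPONS, PAID, AS_OF))
```

A gap in the sequence is only an indicator: voided or never-used stock has to be excluded before the remaining gaps are investigated.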

D. Manual interventions and critical transactions (refunds, flight disruption, charge backs, flight interruption manifest (FIMs), etc.)

Manual interventions and refunds appeared to be key risks related to E-Ticketing. A good practice (best practice?) appears to be:
1. Try to reduce the need for manual interventions as much as possible by creating (critical) application transactions for actions that are frequently performed;
2. Keep the group that performs manual interventions as small as possible;
3. Keep the group that performs critical transactions as small as possible;
4. Control these small groups well.

Potential Risks (high level):
- Unauthorised manual (database) changes, e.g. changes from final status (flown / exchanged / refunded) to open
- Coupons remaining in database with intermediate status
- Unauthorised critical transactions

Expected Controls:
- Periodical review of database authorisations
- Logging of manual changes
- Periodical review of executed changes
- Query of coupons that have intermediate status for more than x hours / days
- Follow-up on query
- Periodical review of transaction authorisations
- Logging of critical transactions
- Periodical review of executed transactions

Audit Testing / Questions:
- Assess whether authorisations for manual changes at database level are periodically reviewed
- Assess whether manual changes are logged and logs cannot be manipulated
- Assess whether these logs are periodically reviewed / analysed
- Assess whether coupons with an intermediate status for a long time that are in the database are queried and corrective action is taken
- Assess whether authorisations for critical transactions are periodically reviewed
- Assess whether critical transactions are logged and logs cannot be manipulated
- Assess whether these logs are periodically reviewed / analysed

Potential Risks (high level) / Expected Controls / Audit Testing / Questions / WP Ref. / Process Notes & Test Results

Manual interventions (not exhaustive):
- Changing bookings
- Manual pricing
- Special offers/discounts
- Promotional tickets
- Coupon status changes
- Re-issues
- Exchanges
- Refunds
- Waiving of fees
- Flight Interruption
- Upgrades/downgrades
- SSRs
- Booking class changes and restrictions
- Out of sequence coupons
- Revalidation of e-tickets
- Frequent flyer manipulation
- PNR Changes
- Extension of ticket validity/fare validity
- Ancillary fee manipulation
- Checking in e-ticket passengers as paper tickets
- Exchanging e- to p-tickets
- Baggage allowance limits (printed on ticket)
- Re-routing

Potential Risk (more detailed):
- Identical manual interventions are very frequently executed
- No revenue due to issuance of a ticket without a booking (Is this possible? Booking open segments is possible)
- Incorrect issuance of open segment ticket

Expected Controls:
- Report and root cause analysis of most frequently executed interventions
- Research into possibility of reducing the number of manual interventions
- Each ticket has a PNR
- Applicable fare for open tickets permits electronic issuance with open segment, consequently reducing the need for manual fare adjustments for open tickets

Audit Testing / Questions:
- Assess whether the most frequent interventions by type are reported and known to management
- Assess whether the root cause for these interventions is analysed
- Assess whether management researched the possibility of reducing the number of manual interventions (e.g. by tightening procedures, storing more fares or automating the intervention)
- Query the ticket database for issued tickets without PNR
- Assess ticketing business rules and fare filing relative to total of fares offered (the more fares filed, the less need for manual fare adjustments)

Potential Risk (more detailed):
- Loss of revenue due to unauthorized booking class changes and removal of fare restrictions

Expected Controls:
- System reports to identify magnitude of lost revenue and frequency of such transactions on an agent/base basis
- Access controls and audit trails
- Preventive controls in system for changes and collection
- Policies and procedures with respect to booking classes and changes to fare restrictions
- Automated re-issuance of tickets with new booking class
- Fare controls
- Sample testing of fares
- System automatically compares PNR booking class against the e-ticket and identifies exceptions for management review

Audit Testing / Questions:
- Compare class data according to DCS with class data according to ticket. Additional information required regarding frequent flyers (frequent flyer database) and involuntary upgrades (e.g. due to a/c change or cancellation)
- Trend analyses and comparisons between stations
- Check who is authorised to grant upgrades and check whether he/she is fed back on excessive amount of upgrades
- Review reports for evidence of management review
- Review access controls for reasonability against policies
- Review for evidence of monitoring of audit trails
- Tests of one for application controls (preventive controls over changes and collection, automated re-issuance of tickets with new booking class, system auto compares PNR booking class against the e-ticket)
- Review fare audit results (ensure audit coverage is appropriate) and perform sample testing

Potential Risk (more detailed):
- Circumstances of downgrades not documented, leading to incorrect or double complaint handling
- Unauthorised application of special fares
- Unauthorised application of tour codes (auto quoted)

Expected Controls:
- Entering remarks to support claim handling and compensation
- Central complaint registry and agreements regarding complaint handling for flights by other airlines
- Authorisation code reconciliation
- Authorising party for special fares needs to pay / is charged the discount amount
- Interface between revenue accounting system and fare filing database (enabling automated fare audit, e.g. by SIRAX)
- Authorisation code (tour code) reconciliation

Audit Testing / Questions:
- Check for duplicate claims (station plus headquarters or even other airlines)
- Spot checks on claims
- Assess whether policy and process manual are in place and followed
- Check for recurrence of same credit card number, bank account number, booker's IP address, etc.
- Fare audit procedure
- Check on recurring use of authorisation code
- Obtain list of special fares, including group fares, with details (period, station, etc.)
- Group fares by group
- Audit the charge account setup (are correct accounts / cost centres charged?)
- Reviewing follow-up on unauthorised application of discounts
- Assess interface controls
- Assess follow-up on exceptions
- Compare list of authorisation codes floating in the market with authorisation codes on ticket

Potential Risk (more detailed):
- Out of sequence coupons
- Misalignment of information where there is a separate reservation and e-ticketing database system
- Frequent flyer program manipulation (fraud risk e.g. agents inputting their own account number for bookings)

Expected Controls:
- System controls to automatically suspend the ticket based on chronological error
- System voids out of sequence coupons
- Access controls limit ability to perform this function (Help Desk users only, for example)
- Reporting out of system to identify out of sequence transactions for management review
- System prompts
- System reports on discrepancies between the reservation and e-ticketing databases
- System has a name check function to ensure that name on program account matches that on the e-ticket
- If system does not have name check functionality, review report detailing account usage/points acquired over a period of time

Audit Testing / Questions:
- Test of one over application controls (auto suspension of out of sequence coupons, system voids out of sequence coupons)
- Review access controls
- Review management review of out of sequence transactions
- Test of one over application controls (system prompts)
- Review management's review of reports regarding discrepancies
- Test of one over application controls (system check on names)
- Review management's review of account usage/points (high frequency and/or high points accumulation as compared to average) acquired reporting

Potential Risk (more detailed):
- Extension of ticket validity/fare validity
- Checking in e-ticket passengers as paper tickets (coupon status remains as not flown)
- Incorrect change of coupon status
- Incorrect reissues
- Incorrect exchanges of tickets

Expected Controls:
- System prevents ability to extend ticket/fare validity (including differences in validity based on fare class)
- System produces report of exceptions for management review
- Post-flight procedures will show how many passengers are paper vs. e-ticket. These numbers are reconciled against the system.
- System generates report to facilitate reconciliation of passengers manifested against ETL/paper coupons collected and management reviews this report
- Segregation of Duties
- Audit trail
- Exception reporting
- Review and feedback
- Fare audits
- Automated controls (in transaction)
- Four eyes (check by second person)
- See Expected Controls for reissued tickets

Audit Testing / Questions:
- Test of one (prevent ability to extend ticket/fare validity, prevent creation of booking where fare class/date of travel does not match with e-ticket validity)
- Evidence of management review
- *** Is a re-issue the same as an exchange? Need to confirm vs. IATA standard ***
- Review reconciliation performed post-departure with respect to paper vs. e-ticket passengers and manifest
- Check for conflicting authorisations with one user
- Check presence, retrievability and usability of logs
- Follow-up on exception reporting
- Assess existence and use of reports regarding coupon status changes
- Assess scope, quality of execution and follow-up on fare audits
- Assess whether automated controls that minimise the risk of incorrect reissues are implemented
- Check whether the retained copy of a reissued ticket is accompanied by 2 names and signatures
- See Audit Testing / Questions for reissued tickets

Potential Risk (more detailed):
- Exchanging e- to paper tickets without a status change made to the e-ticket
- Baggage allowance limits (printed on ticket)
- Unnecessary waiving of change / cancellation fees
- Collecting (or deducting from refund) the wrong change / cancellation fee
- Mix-up of fees, taxes and fare in refund
- Incorrect refunding
- Ancillary fee manipulation
- Re-routing

Expected Controls:
- System report that shows paper tickets with exchange value equalling to an e-ticket number. Report is reviewed and transactions validated.
- System report identifies where baggage allowance on the ticket database does not match with prescribed limit. This report is reviewed.
- Audit trail in application
- Authority list showing who is authorised to waive fees
- Investigating legitimacy of reason for waiving fee
- Preventive IT controls (feasible due to dependency from GDSs?)
- Fare audit (detective control)
- Calculating fare per segment
- System controls
- Refunding only after showing ID (refund to same person)
- Refunding on same form of payment (same credit card, same bank account, etc.)
- Obtaining authorisation from and calculation of amount from issuing office
- System reports identifying where fields have been changed. Reports are reviewed.
- System automatically generates fees, as required. Fee overrides are monitored and reviewed.
- Access controls restrict which users are able to execute re-routing transactions.
- System reports when rerouting has occurred. These reports are reviewed.

Audit Testing / Questions:
- Review report for evidence of management review
- Review report for evidence of management review
- Assess the adequacy of the scope of the audit trail in the application (are all waivers logged in sufficient detail for further analysis?)
- Obtain access control list and verify that rights to waive are only assigned to those that must be able to waive in order to perform their duties
- Obtain evidence for waiving fee (based on principle that not documenting reason is a control exception)
- Assess whether prescribed fees per type of change can be overruled and if yes, by whom.
- For those who can change prescribed fees, assess a sample of tickets changed / cancelled by the persons that can overrule the prescribed fees
- Assess whether rights to overrule are limited to those that need to be able to overrule and that an audit trail is in place and usable
- Take a sample of changed / cancelled tickets and compare actual collection / deduction with prescribed fees for the change / cancellation performed
- Recalculate historic refunds
- Check that calculation of refund is based on fares and taxes per segment
- Check that pricing elements (fees, taxes, fare) are classified correctly
- Check existence of procedure
- Assess presence of copies of IDs in refund administration
- Check existence of procedure and supporting IT controls (application does not allow refund to different account / credit card)
- Test application controls or take a sample of refunds to check for refund on same form of payment
- Check enforcement of authorisation from issuing office by procedure or workflow in application
- Take a sample of refunds to check for presence of authorisation or test automated workflow
- Review report for evidence of management review
- Test of one (System automatically generate fees, as required)
- Review access controls against prescribed policies
- Review report for evidence of management review

Potential Risk: Tickets are unvoided
- Expected Control: Application design / IT control that prevents unvoiding
  Audit Testing / Questions: Test of one to ensure that system control works as intended

Potential Risk: Voiding tickets with used segments
- Expected Control: Application design / IT control that prevents voiding of tickets with used segments
  Audit Testing / Questions: Test of one to ensure system control works as intended

Potential Risk: Incorrect processing of flight interruptions
- Expected Control: FIM is auto-generated with e-tickets
  Audit Testing / Questions: Remark: Involuntary reissuing of tickets also applied instead of FIMs

Potential Risk: Excessive SSRs that cannot be accommodated for flight safety reasons
- Expected Control: Counters on excessive requests
  Audit Testing / Questions: Review SSR types on each flight (sample basis) for reasonability

Potential Risk: Unintended use of SSRs (e.g. wheelchair in order to use the fast lane)
- Expected Control: Require official documentation to request SSR
  Audit Testing / Questions: Select a sample of tickets with SSRs and obtain supporting documentation

Potential Risk: Requesting a Special Service which was not requested (and paid if applicable)
- Expected Control: Putting proof of request on ticket (as a surcharge / tax code)
  Audit Testing / Questions: Review system workflows to determine whether proof of request is printed on ticket
- Expected Control: Showing MCO at check-in
  Audit Testing / Questions: Observe procedures at check-in to determine whether agents request to see MCOs
- Expected Control: Marry MCO to ticket in DCS (check-in agent sees what service is requested)
  Audit Testing / Questions: Test system configuration
- Expected Control: Ticket and MCO are linked
  Audit Testing / Questions: Test system configuration
- Expected Control: Fill in MCO details in endorsement field of e-ticket (system requires this)
  Audit Testing / Questions: Test of one

Potential Risk: Unauthorised interventions, leading to revenue leakage
- Expected Control: Minimal or no interventions by customer-facing employees (front office) if feasible
  Audit Testing / Questions: Assess whether the possibility to execute manual interventions is restricted to supervisors or is taken away from all customer facing staff (back office only)

- Expected Control: Role based access, Segregation of Duties
  Audit Testing / Questions:
  - Assess whether the available user profiles are free of conflicting tasks / contain safeguards against unauthorised bookings
  - Assess whether conflicting profiles are not granted to a single person
- Expected Control: Access control lists
  Audit Testing / Questions:
  - Assess whether access is restricted to those that need to perform related tasks in order to do their jobs
- Expected Control: Authentication of users of IT systems
  Audit Testing / Questions:
  - Assess whether systems are protected with authentication mechanisms of sufficient strength (complex and personal passwords that frequently change, personal swipe cards, etc.)
  - Assess whether accounts are locked after repeated failed login attempts
- Expected Control: Maintenance of access rights to IT systems
  Audit Testing / Questions:
  - Assess whether granting of access rights is only executed after approval of designated authorising managers
  - Assess whether leaves and staff transfers lead to revocation of access rights
  - Assess whether outstanding access rights are periodically reviewed by management
- Expected Control: Logging of critical activities
  Audit Testing / Questions:
  - Assess whether critical interventions are logged, log files are archived and reviewed, and access to log files is restricted
- Expected Control: Legitimacy checks
  Audit Testing / Questions:
  - Assess whether checks regarding the legitimacy of interventions are executed
- Expected Control: Restricted access to database and logging of database administrators' activity
  Audit Testing / Questions:
  - Assess whether database administrator access is limited (need to have)
  - Assess whether critical changes to database records are logged and reviewed

Potential Risk: Unavailability of systems
- Expected Control: Redundancy of IT servers, storage, power and network elements
  Audit Testing / Questions:
  - Assess hardware, networking and power supply for absence of single points of failure. In case single points of failure exist, verify whether the related risk is consciously accepted by management
  - Obtain comfort from external providers regarding their redundancy
- Expected Control: Continuity plans to minimise adverse effects of outages
  Audit Testing / Questions:
  - Assess whether continuity plans are present, up-to-date and tested
- Expected Control: Testing of changes to IT
  Audit Testing / Questions:
  - Assess whether changes to IT are subject to testing and sign-off for proper performance before the production environment is changed

Potential Risk: Loss of application and data
- Expected Control: Back-up and recovery
  Audit Testing / Questions:
  - Assess whether frequent back-ups are made and stored at a distant and safe location
  - Assess whether back-ups are scheduled and execution is monitored
  - Assess whether recovery tests are performed

Potential Risk: No downstream updates of intervened records (bookings, coupons etc.)
- Expected Control: Flagging and interfacing of changed records
  Audit Testing / Questions:
  - Assess whether changed intervened records are flagged and downstream systems (e.g. departure control, revenue accounting) are informed about the intervention whenever necessary

Process Notes & Test Results

E. EMDs

- Not available on a widespread basis yet: MCOs
- Link EMDs to ticket numbers to facilitate proper revenue recognition
- There are some services for which the MCO is not initially linked to the ticket number; need a trigger for this link to occur
- MCO purpose will define revenue recognition
- Value is linked so that when utilized is properly recognized
- Need to reconcile to form of payment and ensure that payment is collected
- Change of coupon status (if MCO is not marked as used can be available for refunds)
- Objective: to ensure completeness and accuracy of revenue associated with EMD, ensure there are adequate controls over the accuracy of MCOs (in particular, fraud risk), ensure collection for fees over MCOs, accountability over MCOs and proper authorization, revenue leakage

Potential Risk: EMD utilization status is not reflective of the e-ticket status
- Expected Control: System automatically associates EMD(s) with an e-ticket. Status of EMD is then reflective of e-ticket status.
  Audit Testing / Questions: Perform a test of one to check whether EMD(s) is automatically associated with an e-ticket
- Expected Control: System report identifies EMDs that have a status that is not the same as the associated e-ticket. Report is reviewed.
  Audit Testing / Questions: Review management's review of system report

Potential Risk: Fraudulent use of EMDs
- Expected Control: Sequence controls in the system for EMDs issued.
  Audit Testing / Questions: Assess whether a sequence control in the system for EMDs is present
- Expected Control: System report to identify EMDs unused for extended period of time. Report is reviewed.
  Audit Testing / Questions:
  - Assess whether a report that lists unused EMDs is in place
  - Review management's review of system report

Potential Risk: EMD is not linked to an e-ticket
- Expected Control: System report identifies EMDs that do not have an associated e-ticket. Report is reviewed.
  Audit Testing / Questions:
  - Assess whether a report that lists all EMDs without associated tickets is in place
  - Review management's review of system report

Potential Risk: Improper revenue recognition for amounts associated with EMDs
- Expected Control: EMDs are coded to identify purpose.
  Audit Testing / Questions: Assess whether EMDs are coded in such a manner that the purpose can be easily / automatically identified
- Expected Control: Accounting research is performed to identify proper revenue recognition method for each EMD type.
  Audit Testing / Questions: Review accounting research memo
- Expected Control: System maps appropriate revenue recognition for each EMD type according to accounting policy.
  Audit Testing / Questions: Verify whether accounting department was involved in design of system and signed off on acceptance testing

Potential Risk: Coupon status change makes EMD available for use more than once
- Expected Control: System controls that prevent duplicate utilization.
  Audit Testing / Questions: Assess whether system blocks used EMDs for further use
- Expected Control: Access controls limit the number of users that can make coupon status changes.
  Audit Testing / Questions: Review access levels and compare against policy and procedures. Ensure that an appropriate authority approved the access levels.
- Expected Control: System generates an exception list that identifies coupons that have changed statuses. List is reviewed for reasonability and follow-up occurs.
  Audit Testing / Questions: Review management's review of system report

Potential Risk: Unauthorized issuance of EMDs
- Expected Control: Stock control, including counts and reconciliation. Executed by Station Manager.
  Audit Testing / Questions: Review stock control and reconciliation working papers prepared by the Station Manager(s).
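The EMD exception reports named above (status not the same as the associated e-ticket, EMDs without an associated ticket, sequence control, EMDs unused for an extended period, duplicate utilization) can be prototyped over an extract of EMD and ticket records. This is an added example, not part of the work program; the record layout, status labels, 365-day threshold and all sample data are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: simplified status labels for this example, not an industry code list.
OPEN, USED, REFUNDED = "OPEN", "USED", "REFUNDED"


@dataclass(frozen=True)
class Emd:
    number: int             # constructed serial standing in for the EMD document number
    status: str
    issued: date
    ticket: Optional[str]   # associated e-ticket number, None when never linked


def unlinked(emds, tickets):
    """EMDs with no associated e-ticket, or linked to a ticket missing from the ticket data."""
    return sorted({e.number for e in emds if e.ticket is None or e.ticket not in tickets})


def status_mismatches(emds, tickets):
    """Linked EMDs whose status is not the same as that of the associated e-ticket."""
    return sorted((e.number, e.status, tickets[e.ticket])
                  for e in emds
                  if e.ticket in tickets and e.status != tickets[e.ticket])


def sequence_exceptions(emds):
    """Sequence control: numbers missing from the issued range, and numbers issued twice."""
    counts = Counter(e.number for e in emds)
    if not counts:
        return [], []
    missing = [n for n in range(min(counts), max(counts) + 1) if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return missing, duplicates


def stale_unused(emds, as_of, max_age_days=365):
    """EMDs still open after max_age_days (the 'extended period' is an assumed threshold)."""
    return sorted(e.number for e in emds
                  if e.status == OPEN and (as_of - e.issued).days > max_age_days)


def reused(usage_log):
    """EMD numbers utilised more than once, e.g. after a coupon status was reset to open."""
    counts = Counter(number for number, _used_on in usage_log)
    return sorted(n for n, c in counts.items() if c > 1)


def exception_report(emds, tickets, usage_log, as_of):
    """Collect every exception list in one structure for management review."""
    missing, duplicates = sequence_exceptions(emds)
    return {
        "unlinked": unlinked(emds, tickets),
        "status_mismatch": status_mismatches(emds, tickets),
        "sequence_missing": missing,
        "sequence_duplicate": duplicates,
        "stale_unused": stale_unused(emds, as_of),
        "reused": reused(usage_log),
    }


# Constructed sample data: ticket number -> e-ticket status.
SAMPLE_TICKETS = {"T-001": USED, "T-002": OPEN, "T-003": REFUNDED}
SAMPLE_EMDS = [
    Emd(1001, USED, date(2024, 1, 10), "T-001"),
    Emd(1002, OPEN, date(2024, 1, 11), "T-001"),   # ticket used, EMD still open
    Emd(1003, OPEN, date(2023, 1, 5), "T-002"),    # open for well over a year
    Emd(1005, OPEN, date(2024, 5, 1), None),       # never linked; 1004 is missing
    Emd(1006, USED, date(2024, 2, 1), "T-999"),    # linked ticket does not exist
    Emd(1006, USED, date(2024, 2, 2), "T-003"),    # number issued twice; ticket refunded
]
# Constructed usage events: (EMD number, date of utilisation).
SAMPLE_USAGE = [(1001, date(2024, 1, 20)), (1006, date(2024, 2, 3)), (1001, date(2024, 3, 2))]

if __name__ == "__main__":
    report = exception_report(SAMPLE_EMDS, SAMPLE_TICKETS, SAMPLE_USAGE, date(2024, 6, 30))
    for name, rows in report.items():
        print(f"{name}: {rows}")
```

A missing sequence number is a review item rather than proof of misuse; the auditor's test is whether someone followed up on each entry.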

Potential Risk: Over-utilization of EMDs
- Expected Control: Values of EMDs are automatically loaded in the system and usage amounts are automated/linked to e-ticket usage
  Audit Testing / Questions: Assess whether EMDs are automatically valued

Potential Risk: Improper refunding of EMDs
- Expected Control: Reconciliation between form of payment and form of refund
  Audit Testing / Questions: Assess whether form of payment and form of refund are reconciled and reviewed by management
- Expected Control: Policies and procedures are in place that govern the appropriate refunding of EMDs
  Audit Testing / Questions: Review policies and procedures for reasonability and approval.
- Expected Control: Policy defines that refund location must be the same location as sale of the EMD (where currency restrictions exist)
  Audit Testing / Questions: Review policies and procedures for reasonability and approval.
- Expected Control: System generates exception reporting that shows transactions where original form of payment is not where the refund is processed. This report is monitored and reviewed by management
  Audit Testing / Questions: Assess whether location of payment and refund are reconciled and reviewed by management

Potential Risk: Revenue from EMDs are not complete or do not exist
- Expected Control: Reconciliation of EMD amounts per the system to form of payment
  Audit Testing / Questions: Review reconciliation of system amount with form of payment and ensure that reconciling items are appropriately dealt with and/or accounted for.

Potential Risk: Abuse of IT systems, leading to unauthorised EMD transactions that involve revenue leakage
- Expected Control: Role based access, Segregation of Duties
  Audit Testing / Questions:
  - Assess whether the available user profiles are free of conflicting tasks / contain safeguards against unauthorised EMDs (e.g. segregation between creation and approval of exceptional EMDs)
  - Assess whether conflicting profiles are not granted to a single person

- Expected Control: Access control lists
  Audit Testing / Questions:
  - Assess whether access is restricted to those that need to perform related tasks in order to do their jobs
- Expected Control: Authentication of users of IT systems
  Audit Testing / Questions:
  - Assess whether systems are protected with authentication mechanisms of sufficient strength (complex and personal passwords that frequently change, personal swipe cards, etc.)
  - Assess whether accounts are locked after repeated failed login attempts
- Expected Control: Maintenance of access rights to IT systems
  Audit Testing / Questions:
  - Assess whether granting of access rights is only executed after approval of designated authorising managers
  - Assess whether leaves and staff transfers lead to revocation of access rights
  - Assess whether outstanding access rights are periodically reviewed by management
- Expected Control: Logging of critical activities
  Audit Testing / Questions:
  - Assess whether critical activities are logged, log files are archived and reviewed, and access to log files is restricted
- Expected Control: Restricted access to database and logging of database administrators' activity
  Audit Testing / Questions:
  - Assess whether database administrator access is limited (need to have)
  - Assess whether critical changes to database records are logged and reviewed

Potential Risk: Unavailability of systems
- Expected Control: Redundancy of IT servers, storage, power and network elements
  Audit Testing / Questions:
  - Assess hardware, networking and power supply for absence of single points of failure. In case single points of failure exist, verify whether the related risk is consciously accepted by management
  - Obtain comfort from external providers regarding their redundancy
- Expected Control: Continuity plans to minimise adverse effects of outages
  Audit Testing / Questions:
  - Assess whether continuity plans are present, up-to-date and tested
- Expected Control: Testing of changes to IT
  Audit Testing / Questions:
  - Assess whether changes to IT are subject to testing and sign-off for proper performance before the production environment is changed
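One way to run the access-rights tests that recur in the work program (conflicting profiles granted to a single person, grants without approval by a designated authorising manager, rights not revoked after leaves and staff transfers) over an extract of access grants and HR records. This is an added example, not part of the work program; the function names, users, HR fields and all data are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumption: hypothetical function names; a real review uses the system's own profile catalogue.
CONFLICTS = [
    ("emd_exception_create", "emd_exception_approve"),
    ("fee_waiver", "refund_approve"),
    ("coupon_status_change", "revenue_reconciliation"),
]


@dataclass(frozen=True)
class Grant:
    user: str
    function: str
    approved_by: Optional[str]   # None when no approval was recorded
    granted: date


@dataclass(frozen=True)
class HrRecord:
    employed: bool
    transferred: Optional[date] = None   # date of the most recent staff transfer


def sod_conflicts(grants, conflicts=CONFLICTS):
    """Users who hold both halves of a conflicting pair of functions."""
    held = {}
    for g in grants:
        held.setdefault(g.user, set()).add(g.function)
    return sorted((user, a, b)
                  for user, functions in held.items()
                  for a, b in conflicts
                  if a in functions and b in functions)


def unapproved(grants, authorisers):
    """Grants with no approver, an approver who is not designated, or self-approval."""
    return sorted((g.user, g.function) for g in grants
                  if g.approved_by not in authorisers or g.approved_by == g.user)


def not_revoked(grants, hr):
    """Grants held by leavers, by accounts without an HR record, or predating a transfer."""
    findings = []
    for g in grants:
        record = hr.get(g.user)
        if record is None:
            findings.append((g.user, g.function, "no HR record"))
        elif not record.employed:
            findings.append((g.user, g.function, "left the company"))
        elif record.transferred and g.granted < record.transferred:
            findings.append((g.user, g.function, "granted before transfer"))
    return sorted(findings)


def access_review(grants, hr, authorisers):
    """All three exception lists, ready for follow-up with the system owner."""
    return {
        "sod_conflicts": sod_conflicts(grants),
        "unapproved": unapproved(grants, authorisers),
        "not_revoked": not_revoked(grants, hr),
    }


# Constructed sample data.
SAMPLE_AUTHORISERS = {"mgr_lee", "dara"}
SAMPLE_HR = {
    "amira": HrRecord(True),
    "bjorn": HrRecord(True),
    "chen": HrRecord(False),
    "dara": HrRecord(True),
    "elif": HrRecord(True, transferred=date(2023, 6, 1)),
}
SAMPLE_GRANTS = [
    Grant("amira", "emd_exception_create", "mgr_lee", date(2023, 3, 1)),
    Grant("amira", "emd_exception_approve", "mgr_lee", date(2023, 9, 1)),
    Grant("bjorn", "fee_waiver", None, date(2022, 5, 1)),
    Grant("chen", "coupon_status_change", "mgr_lee", date(2021, 1, 15)),
    Grant("dara", "refund_approve", "dara", date(2024, 2, 1)),
    Grant("elif", "revenue_reconciliation", "mgr_lee", date(2022, 1, 1)),
    Grant("svc_import", "coupon_status_change", "mgr_lee", date(2020, 7, 1)),
]

if __name__ == "__main__":
    for name, rows in access_review(SAMPLE_GRANTS, SAMPLE_HR, SAMPLE_AUTHORISERS).items():
        print(f"{name}: {rows}")
```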

Potential Risk: Loss of application and data
- Expected Control: Back-up and recovery
  Audit Testing / Questions:
  - Assess whether frequent back-ups are made and stored at a distant and safe location
  - Assess whether back-ups are scheduled and execution is monitored
  - Assess whether recovery tests are performed

Potential Risk: EMDs are not updated when related tickets are changed
- Expected Control: Flagging and interfacing of changed tickets
  Audit Testing / Questions:
  - Assess whether changed tickets are flagged and EMD system is informed about the change whenever necessary

Process Notes & Test Results

F. Interline / Non interline

Potential Risk: Bookings made for OAL stretches for which endorsement is not allowed
- Expected Control: System does not accept bookings on stretches for which endorsement is not allowed
  Audit Testing / Questions:
  - Assess whether the system rejects bookings on stretches when endorsement (for e-tickets) is not allowed / arranged
  - Assess whether the list of non-endorsable stretches in the system is kept up-to-date

Potential Risk: Passenger shows up with valid OAL reference but ticket cannot be found in DCS (interline tickets not existing)
- Expected Control: Known procedure regarding verifying validity of OAL tickets not in DCS
  Audit Testing / Questions:
  - Assess whether a procedure is in place for verifying the validity of OAL reference (e.g. through e-ticketing backoffice with access to GDSs and OAL backoffices)

Potential Risk: Contract incorrectly implemented in system
- Expected Control: Verification of with contract during acceptance testing
  Audit Testing / Questions:
  - Assess whether acceptance testing did include verification with the contract

Potential Risk: Available data insufficient to live up to data exchange agreed in contract
- Expected Control: Persons in charge of concluding contracts verify with information managers what information can be exchanged
  Audit Testing / Questions:
  - Assess whether information managers reviewed contract proposals for possibility to implement proposed data exchange

Potential Risk: Outdated or lack of interline agreement governing relationship for e-ticketing purposes
Expected Controls:
- Contract management system/database that alerts stakeholders as to when contract term end is near (define period)
- Review significant interline agreements on a regular basis to determine whether renegotiation is required
Audit Testing / Questions:
- Check for availability of contract register
- Review alignment of booking classes with other airlines and compare to what has been entered in to your prorate engine
- Review agreements on a sample basis

Potential Risk: Lack of integrity of data
- Expected Control: Proration method needs to be registered
  Audit Testing / Questions:
  - Assess whether proration methods are contractually agreed upon
  - Review alignment of booking classes with other airlines and compare to what has been entered in to your prorate engine
  - Sample testing to confirm whether proration is appropriately calculated (to be performed in cooperation with Revenue Accounting department)

Potential Risks:
- Non-acceptance of tickets
- Inability of system to take control of coupons
Expected Controls and Audit Testing / Questions:
- Expected Control: Availability of reports on number of rejected tickets on both a coupon and total value basis. Reports are reviewed.
  Audit Testing / Questions: Assess whether reports regarding rejected tickets are in place and reviewed by management
- Expected Control: Compare boarded pax figures versus boarded e-tickets to identify discrepancies
  Audit Testing / Questions: Assess whether failures to change coupon status for boarded passengers are identified, reported and solved
- Expected Control: Policy and procedures exist to dictate required actions when there is inability to take control of coupons
  Audit Testing / Questions: Assess whether procedures regarding solving coupon control issues are in place and followed

Potential Risk: Billing is not timely and/or complete
- Expected Control: System parameters have been set to identify required billing and complete billing
  Audit Testing / Questions:
  - Verify that system parameters that identify required billing are in place
  - Verify that aging reports regarding unbilled coupons are in place and reviewed

Potential Risk: Billing delays
- Expected Control: Monitoring and prompt followup on rejected invoices
  Audit Testing / Questions:
  - Assess whether rejected invoices are timely identified and prompt follow-up takes place

Potential Risk: Overbilling by partners
- Expected Control: Tickets require SAC code or they are withheld for payment until further investigation ensues
  Audit Testing / Questions:
  - Assess whether the system refuses payment for tickets without SAC code
  - Review investigation procedures

- Expected Control: Revenue accounting system identifies inaccurate billing by identifying unreported sales (including auto-rejection)
  Audit Testing / Questions:
  - Assess whether revenue accounting system rejects tickets of which no sale is reported

Potential Risks:
- Interline FIMs
- FIMs are issued but status of e-ticket has not been changed
Expected Controls and Audit Testing / Questions:
- Expected Control: Reporting of FIMs issued by airport staff in order to map against billings from other airlines. FIM is mapped to an e-ticket
  Audit Testing / Questions:
  - Review reporting and mapping performed by management.
  - Assess whether automatic mapping of FIMs to e-tickets is in place
- Expected Control: Sequential control over the issuance of FIMs
  Audit Testing / Questions:
  - Assess whether a sequence control in the system for FIMs is present
- Expected Control: System control that automatically updates coupon status when FIMs are issued
  Audit Testing / Questions:
  - Assess whether coupon status is automatically updated at issuance of FIMs
  - Where system controls are unavailable, perform sample testing of transactions
- Expected Control: Use Ticket Exchanger (include in service provider agreements)
  Audit Testing / Questions:
  - Review service provider agreements

Potential Risk: Abuse of IT systems, leading to unauthorised transactions that involve revenue leakage
- Expected Control: Role based access, Segregation of Duties
  Audit Testing / Questions:
  - Assess whether the available user profiles are free of conflicting tasks / contain safeguards against unauthorised transactions
  - Assess whether conflicting profiles are not granted to a single person
- Expected Control: Access control lists
  Audit Testing / Questions:
  - Assess whether access is restricted to those that need to perform related tasks in order to do their jobs


More information

What is next for Interline?

What is next for Interline? Improvement Opportunities in Interline Billing and Settlement RAWG What is next for Interline? Daily settlement? Not for a while we want the SIS process to stabilize first However we have to remember that

More information

LADYSMITH/EMNAMBITHI MUNICIPALITY Management Policy EMNAMBITHI/LADYSMITH MUNICIPALITY INVENTORY MANAGEMENT POLICY. Page 1 of 11

LADYSMITH/EMNAMBITHI MUNICIPALITY Management Policy EMNAMBITHI/LADYSMITH MUNICIPALITY INVENTORY MANAGEMENT POLICY. Page 1 of 11 Management Policy Inventory EMNAMBITHI/LADYSMITH MUNICIPALITY Page 1 of 11 Contents Page No. 1. Definitions 3 2. Objective 5 3. Scope 5 4. Legal Framework 5 5. Inventory Procedure 7 Inventory Record 11

More information

Technical Standards for Information Security Measures for the Central Government Computer Systems

Technical Standards for Information Security Measures for the Central Government Computer Systems Technical Standards for Information Security Measures for the Central Government Computer Systems April 21, 2011 Established by the Information Security Policy Council Table of Contents Chapter 2.1 General...

More information

Electronic business conditions of use

Electronic business conditions of use Electronic business conditions of use This document provides Water Corporation s Electronic Business Conditions of Use. These are to be applied to all applications, which are developed for external users

More information

Saudi Arabian Airlines GDS/CRS Booking and Ticketing Policy

Saudi Arabian Airlines GDS/CRS Booking and Ticketing Policy Saudi Arabian Airlines GDS/CRS Booking and Ticketing Policy Contents DEFINITIONS... 3 EFFECTIVE DATE... 6 A. INTRODUCTION... 6 B. BOOKING PRACTICES GUIDELINES... 7 1) Eliminate inventory wastage practice...7

More information

Cash, Petty Cash, Change Funds, and Credit Cards

Cash, Petty Cash, Change Funds, and Credit Cards CASH As public servants, it is our responsibility to safeguard taxpayer s dollars while adhering to laws and regulations governing processes over cash handling. Internal controls over cash are necessary

More information

MyGate Response Codes. Version 2.1

MyGate Response Codes. Version 2.1 MyGate Codes Version 2.1 Overview In every message request type sent to the Transaction Pipeline a response message type will be generated by MyGate. A response message will identify the success or failure

More information

ADS Rezervation System NEW FEATURES

ADS Rezervation System NEW FEATURES ADS Rezervation System NEW FEATURES As AtlasGlobal Airlines, we have changed our reservation system to new reservation system ADS at March 205. We developed this system from user s feedbacks for more efficent

More information

Customer Credit and Accounts Receivable

Customer Credit and Accounts Receivable Customer Credit and Accounts Receivable Gap Analysis: POS identifies the following Best Practices as efficient and effective control processes for the above risk. Listed for comparison are the controls

More information

ISO 27001 COMPLIANCE WITH OBSERVEIT

ISO 27001 COMPLIANCE WITH OBSERVEIT ISO 27001 COMPLIANCE WITH OBSERVEIT OVERVIEW ISO/IEC 27001 is a framework of policies and procedures that include all legal, physical and technical controls involved in an organization s information risk

More information

Pitt County Schools Individual School Accounting. Internal Controls and Responsibilities Fiscal Year 2009-10

Pitt County Schools Individual School Accounting. Internal Controls and Responsibilities Fiscal Year 2009-10 Individual School Accounting Internal Controls and Responsibilities Fiscal Year 2009-10 Individual School Accounting Internal Controls and Responsibilities Fiscal Year 2009-10 Contents Page Principal Statement

More information

SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit)

SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit) Unit: Subject: Sarbanes-Oxley Act Review - Inventory Management Title: Risk & Control Identification Year end: MILL RAW MATERIALS Receiving of Raw Materials Raw materials are received and accepted only

More information

ASSOCIATED STUDENTS, INCORPORATED CALIFORNIA STATE UNIVERSITY, LONG BEACH DATE REVISED: 04/10/2013

ASSOCIATED STUDENTS, INCORPORATED CALIFORNIA STATE UNIVERSITY, LONG BEACH DATE REVISED: 04/10/2013 Cash Handling BACKGROUND AND PURPOSE...1 POLICY STATEMENT...2 WHO SHOULD KNOW THIS POLICY...2 DEFINITIONS...2 STANDARDS AND PROCEDURES...3 1.0 CONDITIONS FOR EMPLOYMENT IN CASH HANDLING ENVIRONMENT...3

More information

The Wells Fargo Payment Gateway Business Center. User Guide

The Wells Fargo Payment Gateway Business Center. User Guide The Wells Fargo Payment Gateway Business Center User Guide Contents 1 Introduction 1 About the Wells Fargo Payment Gateway service Business Center 1 About this guide 2 Access the Business Center 2 Log

More information

Standard Procedures and Controls for the Title Industry. Prepared by the ALTA Internal Auditing Committee ALTA

Standard Procedures and Controls for the Title Industry. Prepared by the ALTA Internal Auditing Committee ALTA Standard Procedures and Controls for the Title Industry Prepared by the ALTA Internal Auditing Committee ALTA The American Land Title Association, founded in 1907, is the national trade association and

More information

Electronic Ticketing

Electronic Ticketing Electronic Ticketing Briefing Module Table of contents GENERAL CONDITIONS FOR E-TICKETING 3 AIRLINE-SPECIFIC CONDITIONS 3 ISSUING E-TICKETS..4 DISPLAYING E-TICKET RECORDS 6 E-TICKET HISTORY..10 REVALIDATING

More information

The Complete. Handbook. For Choosing the Right Subscription Billing Service ACTIVATIONS BILLING SIGNUPS. Automate USAGE NOTIFICATIONS PROVISIONING

The Complete. Handbook. For Choosing the Right Subscription Billing Service ACTIVATIONS BILLING SIGNUPS. Automate USAGE NOTIFICATIONS PROVISIONING The Complete Handbook For Choosing the Right Subscription Billing Service ACTIVATIONS SIGNUPS Automate BILLING NOTIFICATIONS USAGE PROVISIONING Customers exploring recurring billing solutions should look

More information

Master Document Audit Program

Master Document Audit Program Activity Code 11510 B-1 Planning Considerations Information Technology General System Controls Audit Specific Independence Determination Members of the audit team and internal specialists consulting on

More information

RL Solutions Hosting Service Level Agreement

RL Solutions Hosting Service Level Agreement RL Solutions Hosting Service Level Agreement April 2012 Table of Contents I. Context and Scope... 1 II. Defined Terms... 1 III. RL Solutions Responsibilities... 2 IV. Client Responsibilities... 4 V. The

More information

Chapter 7 Trustee. Internal Control Questionnaire

Chapter 7 Trustee. Internal Control Questionnaire Chapter 7 Trustee Instructions for the trustee: The purpose of the (ICQ) is to provide the United States Trustee with an understanding of the internal controls and financial record keeping and reporting

More information

www.scta.gov.sa Z Company 4770033

www.scta.gov.sa Z Company 4770033 www.scta.gov.sa Z Company 4770033 Galileo Training Services Galileo E-ticket & Automated Refunds Support Guide Document Name Page: 1 Disclaimer This guide should be used for guidance purposes only and

More information

Impact of Control Self Assessment On Station Audit Scope and Work Programme

Impact of Control Self Assessment On Station Audit Scope and Work Programme Impact of Control Self Assessment On Station Audit Scope and Work Programme Emmanuel Rominiyi IAAIA Station Audit Work Programme Workshop Singapore, 18 August 2011 Contents Scope of Station Audit Programme

More information

Information Technology General Controls Review (ITGC) Audit Program Prepared by:

Information Technology General Controls Review (ITGC) Audit Program Prepared by: Information Technology General Controls Review (ITGC) Audit Program Date Prepared: 2012 Internal Audit Work Plan Objective: IT General Controls (ITGC) address the overall operation and activities of the

More information

New Skies Customer-Centric Reservation and Distribution System

New Skies Customer-Centric Reservation and Distribution System RESERVATIONS AND DISTRIBUTION SERVICES ANCILLARY REVENUE SERVICES REVENUE AND DECISION SUPPORT SERVICES New Skies Ready to lead the airline industry of tomorrow? It s been called a New World Order for

More information

Audit of NSERC Award Management Information System

Audit of NSERC Award Management Information System Internal Audit Audit Report Audit of NSERC Award Management Information System TABLE OF CONTENTS 1. EXECUTIVE SUMMARY... 2 2. INTRODUCTION... 3 3. AUDIT FINDINGS- BUSINESS PROCESS CONTROLS... 5 4. AUDIT

More information

www.scta.gov.sa Z Company 4770033

www.scta.gov.sa Z Company 4770033 www.scta.gov.sa Z Company 4770033 Galileo Training Services Galileo Electronic Ticketing Guide Document Name Page: 1 Disclaimer This guide should be used for guidance purposes only and should not be relied

More information

Airline Rules for Domestic Non-Refundable Tickets Revised 4/27/09 CL (removed baggage rules)

Airline Rules for Domestic Non-Refundable Tickets Revised 4/27/09 CL (removed baggage rules) Airline Rules for Domestic Non-Refundable Tickets Revised 4/27/09 CL (removed baggage rules) Rules are subject to change at any time without prior airline notification. Use this as a guide only It is always

More information

Contents. Travel. Inspired by Travelport. Page 02. Is a Credit Card Verification Value (CVV)/CID number mandatory? What currency codes are supported?

Contents. Travel. Inspired by Travelport. Page 02. Is a Credit Card Verification Value (CVV)/CID number mandatory? What currency codes are supported? FREQUENTLY ASKED QUESTIONS Travelport Ancillary Services Delta Air Lines Economy Comfort TM seat selection via Travelport Options Integrator TM Travel. Inspired by Travelport. Delta Air Lines Economy Comfort

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit)

SUGGESTED CONTROLS TO MITIGATE THE POTENTIAL RISK (Internal Audit) Unit: Subject: Sarbanes-Oxley Act Review - Fixed Assets Cycle Title: Risk and Control Identification Year end: Acquisition of Fixed Assets Recorded fixed asset acquisitions represent fixed assets acquired

More information

This SAS Plan is adopted for all scheduled flights operated by SAS to and from the US.

This SAS Plan is adopted for all scheduled flights operated by SAS to and from the US. SAS Customer Service Plan - 02-02 2012 Scandinavian Airlines System (SAS) s Customer Service Plan describes SAS s customer service commitments consistent with US Department of Transportation regulations.

More information

WEBSITE AND ONLINE PURCHASE TERMS AND CONDITIONS ( WOPTC )

WEBSITE AND ONLINE PURCHASE TERMS AND CONDITIONS ( WOPTC ) WEBSITE AND ONLINE PURCHASE TERMS AND CONDITIONS ( WOPTC ) 1. Thank you ( passenger or you or your ) for visiting Shaheenair.com which includes all services, facilities and information available or accessible

More information

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

Information Security Policy September 2009 Newman University IT Services. Information Security Policy Contents 1. Statement 1.1 Introduction 1.2 Objectives 1.3 Scope and Policy Structure 1.4 Risk Assessment and Management 1.5 Responsibilities for Information Security 2. Compliance 3. HR Security 3.1 Terms

More information

FREQUENTLY ASKED QUESTIONS esupersaver Scheme

FREQUENTLY ASKED QUESTIONS esupersaver Scheme FREQUENTLY ASKED QUESTIONS esupersaver Scheme ABOUT SCHEME Q. What is esupersaver Scheme? A. esupersaver Scheme is a promotional scheme ( Four ecoupons) available up to 31 st March 2016. Valid for single

More information

Getting Started Using CC Merchant for Trams Back Office

Getting Started Using CC Merchant for Trams Back Office Getting Started Using CC Merchant for Trams Back Office System Requirements Trams Back Office - Version 3.01 or higher Microsoft Internet Explorer 6.0 or higher Internet Connection The CC Merchant feature

More information

Here you will find the answers to the most frequently asked questions about Lufthansa Group agent.com. Firstly, please select a subject area:

Here you will find the answers to the most frequently asked questions about Lufthansa Group agent.com. Firstly, please select a subject area: Here you will find the answers to the most frequently asked questions about Lufthansa Group agent.com. Firstly, please select a subject area: The purpose of Lufthansa Group agent.com... 3 Why is Lufthansa

More information

SRILANKAN AIRLINES FARE CLASS RESTRUCTURING - 1 st SEPTEMBER 2013. For the information & guidance of Travel Agents

SRILANKAN AIRLINES FARE CLASS RESTRUCTURING - 1 st SEPTEMBER 2013. For the information & guidance of Travel Agents SRILANKAN AIRLINES FARE CLASS RESTRUCTURING - 1 st SEPTEMBER For the information & guidance of Travel Agents FAQ-FREQUENTLY ASKED QUESTION A. GENERAL INFORMATION 1. What is FCR? FCR is an abbreviation

More information

CITY UNIVERSITY OF HONG KONG Change Management Standard

CITY UNIVERSITY OF HONG KONG Change Management Standard CITY UNIVERSITY OF HONG KONG (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information Officer in September 2015) PUBLIC Date of Issue:

More information

E-ticketing Startup. Consulting. An inexpensive way to meet the 2007 e-ticketing deadline

E-ticketing Startup. Consulting. An inexpensive way to meet the 2007 e-ticketing deadline E-ticketing Startup Consulting An inexpensive way to meet the 2007 e-ticketing deadline A proposal for airlines who have not implemented any e-ticketing solution yet Why is e-ticketing e important for

More information

Merchant Integration Guide

Merchant Integration Guide Merchant Integration Guide Card Not Present Transactions January 2012 Authorize.Net Developer Support http://developer.authorize.net Authorize.Net LLC 082007 Ver.2.0 Authorize.Net LLC ( Authorize.Net )

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Full Compliance Contents

Full Compliance Contents Full Compliance for and EU Annex 11 With the regulation support of Contents 1. Introduction 2 2. The regulations 2 3. FDA 3 Subpart B Electronic records 3 Subpart C Electronic Signatures 9 4. EU GMP Annex

More information

The Requirements Compliance Matrix columns are defined as follows:

The Requirements Compliance Matrix columns are defined as follows: 1 DETAILED REQUIREMENTS AND REQUIREMENTS COMPLIANCE The following s Compliance Matrices present the detailed requirements for the P&I System. Completion of all matrices is required; proposals submitted

More information