1. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 Internal Auditing Mar-2016 Internal Auditor Training 1 October 2016

2. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 2 Internal Auditing Mphasis Quality Policy Mphasis is committed to Quality as an integral part of total business strategy, with the goal of achieving market leadership and client satisfaction by continually improving our capability to identify, develop and provide services that are valued by our clients. Our primary focus is on consistency, reliability and security while providing the responsiveness and the continuous improvement necessary to support our clients’ success in their industry. Mphasis consistently delivers Applications services, Infrastructure services, and Business Process Outsourcing (BPO) services globally through a combination of technology knowhow, domain and process expertise. We are certified with ISO 9001:2008, ISO/IEC 27001:2005 (formerly known as ISO 17799), and are assessed at CMMI v 1.2 Level 5. We also provide SEI CMMI, ISO and Six Sigma related services support.

3. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 3 Internal Auditing Internal Auditing helps organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. We provide value adds by implementing best practices across Operations and other support functions like information security, compliance, HR best practices, etc. Internal Auditors' roles include monitoring, assessing, and analyzing organizational risk and controls; and reviewing and confirming information and compliance with policies, procedures, and laws. Working in partnership with management, internal auditors provide the board, the audit committee, and executive management assurance that risks are mitigated and that the organization's corporate governance is strong and effective. And, when there is room for improvement, internal auditors make recommendations for enhancing processes, policies, and procedures." Our core functions includes: Ensuring audits are planned, conducted and reported effectively. To Review of the internal control system as a service to the organisation. Conducting regular internal audits by qualifies personnel’s. To devise standard documentation for planning and reporting audits and their findings Present the finding of the assessment including any Observations, nonconformance identified along with Corrections and Corrective plans. To ensure that remedial actions are implemented promptly and accurately.

4. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 4 Internal Auditing ISO 9001 Quality Management System Audit An audit is a systematic, independent, and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. The term systematic means the company must plan and document its system for auditing. It must have management support and resources behind it. Audits must be performed in an impartial manner, which requires auditors to have freedom from bias or other influences that could affect their objectivity. Internal audits must be carried out to a documented procedure. The procedure must address the responsibilities for conducting the audits, ensuring independence, recording results, and reporting to management. Audits obtain objective evidence of conformity with requirements. The evidence must be based on fact and may be obtained through observation, measurement, test, or by other means. Evaluating the Extent to which audit criteria are fulfilled involves an assessment of both implementation and effectiveness. Is the organization practicing what it described in its documentation? Are the practices being carried out well? The presence of nonconformities in a department or process may indicate the system is ineffective for those areas

5. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 5 Internal Auditor Training ISO 9001 Audit Objectives Audit objectives are not limited to the ISO 9001 standard. Clear audit objectives help determine the scope and depth of the audit, as well as, the resources needed. Being clear on the objectives provides focus and helps the auditor from being distracted and going off on unnecessary points beyond the scope of the audit. Audit objectives include: Evaluating conformity of documentation to ISO 9001 Judging conformity of implementation to documentation Determining effectiveness in meeting requirements and objectives Meeting any contractual or regulatory requirements for auditing Providing an opportunity to improve the quality management system Permitting registration and inclusion in a list of registered companies Qualifying potential suppliers

6. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 6 Internal Auditor Training Benefits of ISO The ISO 9001 Standard is a tool that can help you better manage your organization. Like any other business tool, how much it helps will depend on how well you put it to use. This requires your organization to be clear on the benefits to be gained and how it plans to use ISO 9001 to achieve them. Can be classified as 1) External benefits 2) Internal benefits 3) Personal benefits 1) External Benefits Increased business competition and share in the market Improved customer confidence and satisfaction Improved conformity to customer and regulatory quality requirements.

7. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 7 Internal Auditor Training Benefits of ISO (Cont..) 2) Internal Benefits Improved operational efficiency and productivity Improved process consistency and stability Facilitated continual improvement Improved focus and effectiveness of training programs Improved employee motivation and participation Led to improved supplier performance Increased business profitability Increased opportunity for new business wins. Note : The extent of these benefits obviously varies from one organization to another..

8. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 8 Internal Auditor Training Benefits of ISO (Cont..) 3) Personal benefits Understand the concepts, principles, terminology and benefits of a Quality Management System based on ISO 9001:2008 Standard. Understand the requirements of the ISO 9001:2008 Standard and how to implement and audit a Quality Management System. Understand the purpose, content, and interrelationships of related standards such as ISO 9000, ISO 9001, ISO 9004, and ISO 19011. The difference and significance between legal conformity and conformity with ISO standards, when conducting audits. Learn the knowledge and skills required to manage and conduct any type of audit. The effective evaluation of product realization and supporting processes.

9. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 9 Internal Auditor Training Scope of Internal Audit The scope of the internal audit is to assess the process adherence to the Quality management system which is based on 1) The documented process criteria. 2) The requirements laid down in ISO 9001:2008 3) The requirements laid down in ISO/IEC 20000-1:2005 4) The Contractual needs. (As accepted in the MSA/SOW) 5) COPC (Customer Operations Performance Centre), etc.

10. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 10 Internal Auditor Training Stages of Internal Audit: Internal audit is planned and conducted in the following stages: Pre-audit Conducting Audit Post-audit.

11. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 11 Internal Auditor Training Stages of Internal Audit: (Cont..) Pre-audit: Is the preparatory stage where the following pre-requisites for an audit are taken cared by the auditor:- To identify the objectives of the Organization. To define internal audit Scope and objectives. To list out the Process need to be audited with the frequency To prepare an audit schedule and communicate to the Process head and other Stakeholders. Based on the audit Schedule, the auditors confirms the process about the exact date and time, the week before the audit. If there is any change in the Audit Schedule, the auditor will prepares a revised audit Schedule and communicates the same to the respective process SPOC and delivery head. Apart from these, a process under steady state should have process documentation (Level 1, Level 2 & Level 3) under QMS which is based on the MSA / SOW signed-off by both the parties. Any update in the documentation goes through a Change request process, approved by the process PDH and govern by the auditor

12. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 12 Internal Auditor Training Stages of Internal Audit: (Cont..) Conducting Audit: Based on the audit schedule and confirmation with the process, the auditor will visit the Audit SPOC designated by the PDH. The Audit SPOC will co-ordinate with the auditor at the site to provide necessary information and ensures the availability of persons who would be audited as per the agenda. A typical audit flow is listed below which could vary based on auditors approach and agenda Meeting with the PDH. The Auditor meets the PDH to introduce himself/herself and brief on the audit in terms of its Scope and exchanges updates if any. Understand their expectations and thoughts. Confirms the standard to be used as the basis of the audit. Explains the audit report and the non-compliance categorization being used. Brief about the sample size need to be covered during the process audit.

13. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 13 Internal Auditor Training Stages of Internal Audit: (Cont..) Conducting Audit (Cont..) Explains the areas of focus and with the checklist Explain the purpose of the Exit Meeting Verify the status of the Quality Management System being assessed After the brief introduction, the auditor will audit the PDH based on the checklist and move on to other staff resources as per the agenda to different levels and functionality of the process.

14. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 14 Internal Auditor Training Stages of Internal Audit: (Cont..) Post Audit: It begins with the Exit meeting with PHD to share the observations and the nonconformance. The Auditor presents the objective observations with facts and suggestions. The discussion also includes the process developmental plans and best practices, Projects and its progressions, etc. On completion of the audit, the Auditor will raise the CAR (Corrective action request) Report. The report is produced in a narrative form and includes information relating to the areas audited, the persons audited, observations and non-conformances raised. The auditor will send the CAR report along with his comments on Process health and acknowledge their help and cooperation to the relevant Manager/ PDH for distribution and action. The Auditee acknowledges the findings/ areas of improvement and Non-conformances. The Auditee also fills in the Root-cause analysis (RCA) as to why did the person or the process did not comply with the said requirement and fills in the CA/PA with the proposed closure date for the Non-Conformance. The Auditee initiates corrective action and correction taken on the NC’s and close them within the committed closure time or at their earliest feasible time. At the end of the committed timeframe, the Internal Auditor will verify the closure of the NC.

15. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 15 Internal Auditor Training Stages of Internal Audit: (Cont..) Post Audit: (Cont..) The Auditor will update the Corrective and Preventive Action Report. and these non-conformances raised will be recorded and tracked for NC closures and gap analysis. In the event of the Non-conformance not being closed within the committed timeframe, the time taken to close the NC is highlighted to the management during the MRM. Implementations of all corrective action are verified during the next internal audit. Review on trends in the No of NCs, repeating nature of certain NCs are analyzed, The trends shall be put in graphical format for each department and presented during the MRM, The performance of Departments will be analyzed from the trends. Audit team will carry out necessary changes to the audit plan based on the change in the Status of Department and also may initiate Corrective and / Preventive actions as may be finalized in the MRM.

16. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 16 Internal Auditor Training AUDITOR’S TOOL KIT Internal Audit Procedure Includes the detailed stages of the Internal Auditing procedures and stages to be followed. Internal Audit Objectives and Scope A detail guide on objectives, scope, planning, controlling, reporting and follow-up of internal audits. Internal Audit Checklist Audit checks against the process criteria and contractual needs.

17. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 THANK YOU About Mphasis Mphasis (an HP Company) enables chosen customers to meet the demands of an evolving market place. Mphasis fuels this by combining superior human capital with cutting edge solutions in hyper-specialized areas. Contact with us on www.mphasis.comwww.mphasis.com Presentation by E-mail : ITO_SDE@mphasis.comITO_SDE@mphasis.com © 2012 MphasiS The information contained herein is subjected to change without notice. Sanjay Gour Head – Audit & Compliance (ITO & BPO) Service Delivery Excellence Team

18. 1 October 2016 | Proprietary and confidential information. © Mphasis 2013 18 Revision History CR # (Optional) Document Version# Approval Date Modified By Section, Page(s) and Text Revised Approved by -1.028-Aug-2014Sanjay GaurInitial releaseAudit Head BEOPS-25581.118-Mar-2016 Sudha Jayachandran Revised to new Power point template PDI Leader