REFERENCER
Revision
Final Course Paper-6:
Information Systems Control
and Audit
A compendium of subject-wise capsules published in the
monthly journal “The Chartered Accountant Student”
Board of Studies
(Academic)
ICAI
INDEX

Topics | Page No. | Edition of Students' Journal
Concepts of Governance and Management of Information Systems | 1-4 | May 2017
Information Systems Concepts | 4-6 | May 2017
Protection of Information Systems | 7-8 | May 2017
Business Continuity Planning and Disaster Recovery Planning | 9-10 | May 2017
Acquisition, Development and Implementation of Information Systems | 11-16 | May 2017
Auditing of Information Systems | 17-19 | May 2017
Information Technology Regulatory Issues | 19-20 | May 2017
Emerging Technologies | 21-22 | May 2017
INFORMATION SYSTEMS CONTROL AND AUDIT
ISCA: A Capsule for Quick Revision
It has always been the endeavour of the Board of Studies to provide quality academic inputs to the students of the Chartered Accountancy Course. Keeping in mind this objective, BoS has decided to come out with a crisp and concise capsule of each subject to facilitate students in quick revision before examination. The second in such series of capsules is on Paper 6: Information Systems Control and Audit of Final Course.
Students may note that this capsule is a tool for quick revision of some significant aspects of ISCA and thus, should not be taken
as a substitute for the detailed study of the subject. Students are advised to refer to the relevant Study Material, Practice Manual
and Revision Test Paper for May, 2017 examination for comprehensive study and revision.
Risk
Risk is where threat and vulnerability overlap. That is, we get a risk when our systems have a vulnerability that a given threat can attack.

Counter Measure
An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a Counter Measure.

Attack
An attack is an attempt to gain unauthorized access to the system's services or to compromise the system's dependability.

Exploit
An exploit is the way or tool by which an attacker uses a vulnerability to cause damage to the target system.

Exposure
An exposure is the extent of loss the enterprise has to face when a risk materializes.

Likelihood of the Threat
It is the estimation of the probability that the threat will succeed in achieving an undesirable event.

Risk Management Strategies
When risks are identified and analyzed, risk management strategies are used.
• Tolerate/Accept the risk: One of the primary functions of management is managing risk. Some risks may be considered minor because their impact and probability of occurrence is low.
• Terminate/Eliminate the risk: It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Transfer/Share the risk: Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management.
• Treat/Mitigate the risk: Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
• Turn back: Where the probability or impact of the risk is very low, then management may decide to ignore the risk.
Key Governance Practices of Risk Management
■ Evaluate Risk Management: Continually examine and make judgment on the effect of risk on the current and future use of IT in the enterprise.
■ Direct Risk Management: Direct the establishment of risk management practices to provide reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite.
■ Monitor Risk Management: Monitor the key goals and metrics of the risk management processes and establish how deviations or problems will be identified, tracked and reported on for remediation.

Key Management Practices of Risk Management
■ Collect Data: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
■ Analyze Risk: Develop useful information to support risk decisions that take into account the business relevance of risk factors.
■ Maintain a Risk Profile: Maintain an inventory of known risks and risk attributes, including expected frequency, potential impact, and responses, and of related resources, capabilities, and current control activities.
■ Articulate Risk: Provide information on the current state of IT-related exposures and opportunities in a timely manner to all required stakeholders for appropriate response.
■ Define a Risk Management Action Portfolio: Manage opportunities and reduce risk to an acceptable level as a portfolio.
■ Respond to Risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

Key Metrics
■ Percentage of critical business processes, IT services and IT-enabled business programs covered by risk assessment;
■ Number of significant IT related incidents that were not identified in risk assessment;
■ Percentage of enterprise risk assessments including IT related risks; and
■ Frequency of updating the risk profile based on status of assessment of risks.
COBIT 5
(CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY)
COBIT is a set of best practices for Information Technology management developed by Information Systems Audit & Control Association (ISACA) and IT Governance Institute in 1996.
COBIT 5 is the only business framework for the governance and management of enterprise Information Technology.
This evolutionary version COBIT 5 incorporates the latest thinking in enterprise governance and management techniques, and provides globally accepted principles, practices, analytical tools and models to help increase the trust in, and value from, information systems.

Components in COBIT
Framework
• Organizes IT governance objectives and good practices by IT domains and processes, and links them to business requirements.
Process Descriptions
• Process Reference Model and common language for everyone in an organization. The processes map to responsibility areas of plan, build, run and monitor.
Control Objectives
• Provide a complete set of high-level requirements to be considered by management for effective control of each IT process.

COBIT 5 Principles
Principle 1: Meeting Stakeholder Needs: The COBIT 5 goals cascade is the mechanism to translate stakeholder needs into specific, actionable and customized enterprise goals, IT related goals and enabler goals.
Principle 2: Covering the Enterprise End-to-End: COBIT 5 integrates governance of enterprise IT into enterprise governance. It covers all functions and processes within the enterprise; COBIT 5 does not focus only on the 'IT function', but treats information and related technologies as assets that need to be dealt with just like any other asset by everyone in the enterprise.
Principle 3: Applying a Single Integrated Framework: COBIT 5 is a single and integrated framework as it aligns with other latest relevant standards and frameworks, and thus allows the enterprise to use COBIT 5 as the overarching governance and management framework integrator.
Principle 4: Enabling a Holistic Approach: COBIT 5 defines a set of enablers to support implementation of a comprehensive governance and management system for enterprise IT.
Components of Information Systems (figure): Software (system software / application software), Hardware (physical components of the computers), Data (raw facts) and Users.
Functions of Information Systems (figure): Control (decision makers, auto control) and Feedback.
Operational Level Systems: Systems that support operational managers in tracking elementary activities. This ensures that business procedures are followed.
Knowledge Level Systems: Systems that support the business to integrate new knowledge into the business and control the flow of paperwork and enable group working.
Management Level Systems: Systems that support the middle managers in monitoring, decision-making and administrative activities. This is helpful in answering questions like "are things working well and in order?"
Strategic-level Systems (SLS): These are for strategic managers to track and deal with strategic issues, assisting long-range planning. They support the senior level management to tackle and address strategic issues and long term trends, both inside the organization and in the outside world.
(Figure) Specialized systems include: Marketing, Customer Relationship Management, Supply Chain Management, Knowledge Management, Retailing and Decision Making.
SPECIALIZED SYSTEMS
These are the systems that provide comprehensive end-to-end IT solutions and services (including systems integration, implementation,
engineering services, software application customization and maintenance) to various corporations globally.
1. Expert Systems: Expert Systems are highly developed DSS that utilize knowledge generally possessed by an expert to solve a problem. These are software systems that imitate the reasoning processes of human experts and provide decision makers with the type of advice they would normally receive from such experts. Some of the business application areas of Expert Systems are Accounting and Finance, Marketing, Manufacturing, Personnel and General business etc.
Benefits
♦ Preserve knowledge that might be lost through retirement, resignation or death of an acknowledged company expert;
♦ Put information into an active form so it can be summoned almost as a real-life expert might be summoned;
♦ Assist novices in thinking the way experienced professionals do;
♦ Are not subjected to such human failings as fatigue, being too busy, or being emotional;
♦ Can be effectively used as a strategic tool in the areas of marketing products, cutting costs and improving products.
2. Enterprise Resource Planning (ERP): Enterprise Resource Planning (ERP) is process management software that allows an organization to use a system of integrated applications to manage the business and automate many back-office functions related to technology, services and human resources. ERP software integrates all facets of an operation, including product planning, development, manufacturing, sales and marketing.
Components
Software Component: The software component is the most visible part and consists of several modules such as Finance, Human Resource, Supply Chain Management, Supplier Relationship Management, Customer Relationship, and Business Intelligence.
Process Flow: It is the model that illustrates the way information flows among the different modules within an ERP system.
Customer mindset: For an ERP implementation to succeed, the company needs to eliminate negative value or belief that users may carry toward utilizing the new system.
Change Management: In ERP implementation, change needs to be managed at several levels - User attitude; resistance to change; and Business process changes.
Benefits
♦ Streamlining processes and workflows with a single integrated system.
♦ Reduce redundant data entry and processes and, on the other hand, share information across the departments.
♦ Establish uniform processes that are based on recognized best business practices.
♦ Improved workflow and efficiency.
♦ Improved customer satisfaction based on improved on-time delivery, increased quality, shortened delivery times.
♦ Reduced inventory costs resulting from better planning, tracking and forecasting of requirements.
♦ Turn collections faster based on better visibility into accounts and fewer billing and/or delivery errors.
♦ Decrease in vendor pricing by taking better advantage of quantity breaks and tracking vendor performance.
♦ Track actual costs of activities and perform activity based costing.
♦ Provide a consolidated picture of sales, inventory and receivables.
3. Core Banking Systems: Core Banking Systems (CBS) may be defined as back-end systems that process daily banking transactions, and post updates to accounts and other financial records. These systems typically include deposit, loan and credit-processing capabilities, with interfaces to general ledger systems and reporting tools. Core banking functions differ depending on the specific type of bank. Examples of core banking products include Infosys' Finacle, Nucleus FinnOne and Oracle's Flexcube application (from their acquisition of Indian IT vendor i-flex).
Elements of Core Banking
♦ Making and servicing loans.
♦ Opening new accounts.
♦ Processing cash deposits and withdrawals.
♦ Processing payments and cheques.
♦ Calculating interest.
♦ Customer Relationship Management (CRM) activities.
♦ Managing customer accounts.
♦ Establishing criteria for minimum balances, interest rates, number of withdrawals allowed and so on.
♦ Establishing interest rates.
♦ Maintaining records for all the bank's transactions.
CHAPTER 3 PROTECTION OF INFORMATION SYSTEMS
This chapter provides the understanding on the Information Security Policies and various types of Information Systems Controls.
User Security Policies – These include User Security Policy and Acceptable Usage Policy.
User Security Policy – This policy sets out the responsibilities and requirements for all IT system users. It provides security terms of
reference for Users, Line Managers and System Owners.
Acceptable Usage Policy – This sets out the policy for acceptable use of email, Internet services and other IT resources.
Organization Security Policies – These include Organizational Information Security Policy, Network & System Security Policy and Information
Classification Policy.
Organizational Information Security Policy – This policy sets out the Group policy for the security of its information assets and the
Information Technology (IT) systems processing this information. Though it is positioned at the bottom of the hierarchy, it is the main IT
security policy document.
Network & System Security Policy – This policy sets out detailed policy for system and network security and applies to IT department users.
Information Classification Policy – This policy sets out the policy for the classification of information.
Condition of Connection – This policy sets out the Group policy for connecting to the network. It applies to all organizations connecting
to the Group, and relates to the conditions that apply to different suppliers’ systems.
CLASSIFICATION OF INFORMATION SYSTEMS' CONTROLS
Objectives of Controls (based on the time they act)
Preventive Controls: Preventive Controls are those inputs, which are designed to prevent an error, omission or malicious act occurring. Use of passwords to gain access to a financial system is a preventive control.
Detective Controls: These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence. An example of a Detective Control would be the use of automatic expenditure profiling where management gets regular reports of spend to date against profiled spend.
Corrective Controls: Corrective controls are designed to reduce the impact or correct an error once it has been detected. A Business Continuity Plan (BCP) is a corrective control.

Nature of IS Resource (based on the resource on which they are implemented)
Environmental Controls: These are the controls relating to the IT environment such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke detection, fire-extinguishers, dehumidifiers etc.
Physical Access Controls: These are the controls relating to physical security of the tangible IS resources and intangible resources stored on tangible media etc. Such controls include access control doors, security guards, door alarms, restricted entry to secure areas, visitor logged access, CCTV monitoring etc.
Logical Access Controls: These are the controls relating to logical access to information resources such as operating systems controls, application software boundary controls, networking controls, access to database objects, encryption controls etc. These controls are implemented to ensure that access to systems, data and programs is restricted to authorized users to safeguard information against unauthorized use, disclosure or modification, damage or loss.

Audit Functions (from the auditor's perspective)
Managerial Controls: These are the controls that must be performed to ensure development, implementation, operation & maintenance of IS in a planned and controlled manner in an organization. The controls at this level provide a stable infrastructure in which information systems can be built, operated, and maintained on a day-to-day basis.
Application Controls: Application controls are undertaken to accomplish reliable information processing cycles that perform the processes across the enterprise. Applications represent the interface between the user and the business functions.
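The expenditure-profiling report named above as a Detective Control, worked through as an added example (not from the capsule): it compares spend to date against a straight-line profile for each cost centre and reports variances beyond a tolerance, together with postings to cost centres that have no profile at all. The cost centres, amounts, report date and the 10% tolerance are constructed assumptions.

```python
from datetime import date
from decimal import Decimal

# Constructed sample data (assumptions for this example, not figures from the capsule).
# Profiled (budgeted) annual spend per cost centre, spread straight-line over 12 months.
PROFILE = {
    "IT-OPS": Decimal("120000"),
    "IT-SEC": Decimal("60000"),
    "FIN": Decimal("48000"),
}

# Constructed ledger postings: (posting date, cost centre, amount).
LEDGER = [
    (date(2017, 1, 15), "IT-OPS", Decimal("9500")),
    (date(2017, 2, 10), "IT-OPS", Decimal("11200")),
    (date(2017, 3, 5), "IT-OPS", Decimal("14300")),
    (date(2017, 1, 20), "IT-SEC", Decimal("4000")),
    (date(2017, 3, 28), "IT-SEC", Decimal("4500")),
    (date(2017, 2, 2), "FIN", Decimal("4000")),
    (date(2017, 3, 12), "FIN", Decimal("3800")),
    (date(2017, 3, 30), "FIN", Decimal("4100")),
    (date(2017, 4, 3), "FIN", Decimal("9000")),   # posted after the report date: excluded
    (date(2017, 2, 14), "MKT", Decimal("2500")),  # no profile exists: reported separately
]

TOLERANCE_PCT = Decimal("10")  # variance beyond +/-10% is reported to management


def profiled_to_date(annual: Decimal, as_of: date) -> Decimal:
    """Straight-line profile: one twelfth of the annual figure per month, including the report month."""
    return annual / 12 * as_of.month


def expenditure_profile_report(profile, ledger, as_of, tolerance_pct=TOLERANCE_PCT):
    """Detective control: compare spend to date against profiled spend and flag exceptions.

    Returns per-cost-centre rows plus the postings that hit cost centres with no
    profile (a possible coding error or omission that the profile alone would hide).
    """
    spend = {cc: Decimal("0") for cc in profile}
    unprofiled = []
    for posted, cc, amount in ledger:
        if posted > as_of:
            continue  # not yet in the reporting period
        if cc not in spend:
            unprofiled.append({"date": posted, "cost_centre": cc, "amount": amount})
            continue
        spend[cc] += amount

    rows = []
    for cc, annual in profile.items():
        expected = profiled_to_date(annual, as_of)
        variance_pct = ((spend[cc] - expected) / expected * 100).quantize(Decimal("0.1"))
        if variance_pct > tolerance_pct:
            status = "OVER"
        elif variance_pct < -tolerance_pct:
            status = "UNDER"
        else:
            status = "OK"
        rows.append({
            "cost_centre": cc,
            "spend_to_date": spend[cc],
            "profiled_to_date": expected,
            "variance_pct": variance_pct,
            "status": status,
        })
    return {"as_of": as_of, "rows": rows, "unprofiled": unprofiled}


def run_report(as_of: date = date(2017, 3, 31)):
    """Produce the quarter-end report over the constructed sample data."""
    return expenditure_profile_report(PROFILE, LEDGER, as_of)


if __name__ == "__main__":
    report = run_report()
    print(f"Expenditure profile report as of {report['as_of']}")
    for r in report["rows"]:
        print(f"{r['cost_centre']:<8} spend {r['spend_to_date']:>9} "
              f"profiled {r['profiled_to_date']:>9} variance {r['variance_pct']:>6}% {r['status']}")
    for u in report["unprofiled"]:
        print(f"unprofiled posting: {u['date']} {u['cost_centre']} {u['amount']}")
```

The control only reports; acting on an OVER or UNDER line (or on the unprofiled posting) is the corrective step that follows.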
MANAGERIAL CONTROLS – SCOPE
Top Management and Information Systems Management Controls: Discusses the top management's role in planning, organizing, leading and controlling the information systems function. Also, provides advice to top management in relation to long-run policy.
System Development Management Controls: Provides a contingency perspective on models of the information systems development process that auditors can use as a basis for evidence collection and evaluation.
Programming Management Controls: Discusses the major phases in the program life cycle and the important controls that should be exercised in each phase.
Data Resource Management Controls: Discusses the role of the database administrator and the controls that should be exercised in each phase.
Quality Assurance Management Controls: Discusses the major functions that quality assurance management should perform to ensure that the development, implementation, operation, and maintenance of information systems conform to quality standards.
Security Management Controls: Discusses the major functions performed by security administrators to identify major threats to the IS functions and to design, implement, operate, and maintain controls that reduce expected losses from these threats to an acceptable level.
Operations Management Controls: Discusses the major functions performed by operations management to ensure the day-to-day operations of the IS function are well controlled.
Information Technology General Controls (ITGC)
ITGC are the basic policies and procedures that ensure that an organization's information systems are properly safeguarded, that application programs and data are secure, and that computerized operations can be recovered in case of unexpected interruptions. The objectives of general controls are to ensure the proper development and implementation of applications, the integrity of program and data files and of computer operations. Like application controls, general controls may be either manual or programmed. Examples of general controls include the development and implementation of an IS strategy and an IS security policy, the organization of IS staff to separate conflicting duties and planning for disaster prevention and recovery.

Financial Controls
These controls are generally defined as the procedures exercised by the system user personnel over source, or transactions origination, documents before system input. These areas exercise control over transactions processing using reports generated by the computer applications to reflect un-posted items, non-monetary changes, item counts and amounts of transactions for settlement of transactions processed and reconciliation of applications to general ledger.

Personal Computer Controls
Most common PC Controls: Physically locking the system; Proper logging of equipment shifting must be done; Centralized purchase of hardware/software; Standards set for developing, testing and documenting; Use of antimalware software; Use of PCs and their peripherals must have controls; and Use of disc locks that prevent unauthorized access to the floppy disk or pen drive of a computer.
CHAPTER 4 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
This Chapter introduces the concepts of Business Continuity Management, Business Continuity Planning, Back-ups and Disaster
Recovery Planning (DRP).
This chapter conceptualizes a systematic approach to Systems Development Life Cycle (SDLC) and reviews its phase activities,
methods, tools and controls etc. and provides an analytical understanding of different SDLC models.
Characteristics of SDLC and their description:
Process: Project divided into a number of identifiable processes, with each process having a starting point and an ending point; comprises several activities; one or more deliverables, and several management control points.
Deliverables: The specific reports and other documentation must be produced periodically during system development.
Sign-offs: Generally provided by users, managers, and auditors that signify approval of the development process and the system being developed.
Testing: Project divided into a number of identifiable processes, with each process having a starting point and an ending point; comprises several activities; one or more deliverables, and several management control points.
Controls: Formal program change controls established to prevent unauthorized changes to computer programs.
Post-implementation Review: A post-implementation review of all developed systems must be performed to assess the effectiveness and efficiency of the new system and of the development process.
Systems Development Life Cycle (SDLC) consists of a generic sequence of steps or phases in which each phase of the SDLC uses the results of
the previous one and provides system designers and developers to follow a sequence of activities. The following phases are involved in the cycle:
Phase I: Preliminary Investigation: A preliminary investigation is normally initiated by some sort of system request. The deliverable of the
preliminary investigation includes a report including feasibility study observations.
Phase II: System Requirement Analysis: This phase includes a thorough and detailed understanding of the current system, identifies the areas
that need modification to solve the problem, the determination of user/managerial requirements and to have fair idea about various systems
development tools.
Phase III: Systems Design: The objective is to design an Information System that best satisfies the users/managerial requirements. It
describes the parts of the system and their interaction; sets out how the system shall be implemented using the chosen hardware, software
and network facilities; specifies the program and the database specifications and the security plans and further specifies the change control
mechanism to prevent uncontrolled entry of new requirements.
Architectural Design: This deals with the organization of applications in terms of hierarchy of modules and sub-modules wherein major modules; functions and scope of each module; interface features of each module; modules that each module can call directly or indirectly; and data received from / sent to / modified in other modules are identified.
Design of data flow and user interface for proposed system: This includes designing the data / information flow for the proposed system; the inputs that are required are existing data / information flows, problems with the present system, and the objective of the new system.
Design of Database: This involves determining its scope ranging from local to global structure and includes Conceptual Modeling, Data Modeling, Storage Structure Design and Physical Layout Design.
User Interface design: It involves determining the ways in which users will interact with a system like - source documents to capture raw data, hard-copy output reports, screen layouts for dedicated source-document input, inquiry screens for database interrogation, graphic and color displays, and requirements for special input/output devices.
Physical Design: Concentrates on issues like the type of hardware for client and server application, operating systems to be used, type of networking, periodical batch processing, online or real-time processing; frequency of I/O etc.
System's Operating Platform: The new hardware/system software platform required to support the application system will then have to be designed for requisite provisions.
Internal Design Controls: The key control aspects at this stage include - Whether management reports were referred to by the System Designer? Whether all control aspects have been properly covered? etc.
Phase IV: Systems Acquisition: After a system is designed either partially or fully, the next phase of the systems development starts, which
relates to the acquisition of operating infrastructure including hardware, software and services. Such acquisitions are highly technical and
cannot be taken easily and for granted. Thereby, technical specifications, standards etc. come to rescue.
Acquisition Standards: This focuses on ensuring security, reliability, and functionality already built into a product.
Acquiring System Components from vendors: The organization gets a reasonable idea of the types of hardware, software and services it needs for the system being developed. A Request For Proposal (RFP) from vendors is called.
Other Acquisition aspects and practices: Includes several other acquisition aspects and practices also like – H/w Acquisition; S/w Acquisition; Contracts, S/w Licenses and Copyright Violations; Validation of Vendors' proposals and methods of validating them.
Phase V: Systems Development: This phase is supposed to convert the design specifications into a functional system under the planned
operating system environments. Application programs are written, tested and documented, conduct system testing that results into a fully
functional and documented system.
Program Coding Standards: Coding Standards provide simplicity, interoperability, compatibility, efficient utilization of resources and least processing time.
Programming Language: High level programming languages such as COBOL, C, C++, Java etc.; scripting languages such as JavaScript, VBScript; and Decision Support or Logic Programming languages such as LISP, PROLOG are used.
Program Debugging: Debugging is the most primitive form of testing activity, which refers to correcting programming language syntax and diagnostic errors so that the program compiles cleanly.
Program Testing: The programmer should plan the testing to be performed, including testing of all the possible exceptions.
Program Documentation: The requirements of business data processing applications are subject to periodic change that calls for modification of various programs.
Program Maintenance: The requirements of business data processing applications are subject to periodic change. This calls for modification of various programs.
Phase VI: Systems Testing: Testing is a process used to identify the correctness, completeness and quality of developed computer
software. Different levels of Testing are as follows:
Unit Testing: A unit is the smallest testable part of an application, which may be an individual program, function, procedure, etc. or may belong to a base/super class, abstract class or derived/child class. The categories of tests that a programmer typically performs on a program unit are as follows:
• Functional Tests: Functional Tests check 'whether programs do, what they are supposed to do or not'.
• Performance Tests: Performance Tests should be designed to verify the response time, the execution time, the throughput, primary and secondary memory utilization and the traffic rates on data channels and communication links.
• Stress Tests: Stress testing is a form of testing that involves testing beyond normal operational capacity, often to a breaking point, to observe the results.
• Structural Tests: Structural Tests are concerned with examining the internal processing logic of a software system.
• Parallel Tests: In Parallel Tests, the same test data is used in the new and old system and the output results are then compared.

Integration Testing: Integration testing is an activity of software testing in which individual software modules are combined and tested as a group. This is carried out in the following two manners:
• Bottom-up Integration: It is the traditional strategy used to integrate the components of a software system into a functioning whole. It consists of unit testing, followed by sub-system testing, and then testing of the entire system.
• Top-down Integration: It starts with the main routine, and stubs are substituted for the modules directly subordinate to the main module. Once the main module testing is complete, stubs are substituted with real modules one by one, and these modules are tested with stubs. This process continues till the atomic modules are reached.

Regression Testing: Each time a new module is added or any modification is made in the software, it changes. New data flow paths are established, new I/O may occur and new control logic is invoked. These changes may cause problems with functions that previously worked flawlessly. In the context of integration testing, the regression tests ensure that changes or corrections have not introduced new faults. The data used for the regression tests should be the same as the data used in the original test.

System Testing: It is a process in which software and other system elements are tested as a complete system. The purpose of system testing is to ensure that the new or modified system functions properly. These test procedures are often performed in a non-production test environment. The types of testing that might be carried out are as follows:
• Recovery Testing: This is the activity of testing 'how well the application is able to recover from crashes, hardware failures and other similar problems'.
• Security Testing: The six basic security concepts that need to be covered by security testing are – confidentiality, integrity, availability, authentication, authorization, and non-repudiation.
• Stress or Volume Testing: It involves testing beyond normal operational capacity, often to a breaking point, to observe the results.
• Performance Testing: This testing technique compares the new system's performance with that of similar systems using well defined benchmarks.

Final Acceptance Testing: During this testing, it is ensured that the new system satisfies the quality standards adopted by the business and the system satisfies the users. It is classified as under:
• Quality Assurance Testing: It ensures that the new system satisfies the prescribed quality standards and the development process is as per the organization's quality assurance policy, methodology and prescriptions.
• User Acceptance Testing: It ensures that the functional aspects expected by the users have been well addressed in the new system.
Phase VII: Systems Implementation: Generic key activities involved in System Implementation include Conversion of data to the new system files; Training of end users; Completion of user documentation; System changeover; and Evaluation of the system at regular intervals. Some of the generic activities that are performed are as follows:
Equipment Installation: An installation checklist should be developed now with operating advice from the vendor and system development team.
Training Personnel: A system can succeed or fail depending on the way it is operated and used. Therefore, the quality of training received by the personnel involved with the system in various capacities helps or hinders the successful implementation of the information system.
System Change-Over Strategies: Conversion/changeover is the process of changing over or shifting over from the old system (may be the manual system) to the new system. It requires careful planning to establish the basic approach to be used in the actual changeover, as it may put many resources/assets/operations at risk. The four types of popular implementation strategies are as follows:
• Direct Implementation / Abrupt Change-Over: With this strategy, the changeover is done in one operation, completely replacing the old system in one go.
• Phased Changeover: With this strategy, implementation can be staged with conversion to the new system taking place gradually.
• Pilot Changeover: With this strategy, the new system replaces the old one in one operation but only on a small scale.
• Parallel Changeover: This is considered the most secure method with both systems running in parallel over an introductory period.
Conversion Activities: Conversion includes all those activities, which must be completed to successfully convert from the previous system to the new information system.
• Procedure Conversion: Before any parallel or conversion activities can start, operating procedures must be clearly spelled out for personnel in the functional areas undergoing changes.
• File Conversion: Because large files of information must be converted from one medium to another, this phase should be started long before programming and testing are completed.
• System Conversion: After on-line and off-line files have been converted and the reliability of the new system has been confirmed for a functional area, daily processing can be shifted from the existing information system to the new one.
• Scheduling Personnel and Equipment: Schedules should be set up by the system manager in conjunction with departmental managers of operational units serviced by the equipment.
1. Waterfall Model
(Figure: phases in sequence, with feedback to earlier phases: Preliminary Investigation, Requirements Analysis, System Design, System Development, System Testing, System Implementation, Feedback and Maintenance.)
2. Prototyping Model
(Figure: Initial Requirements, Design, Prototyping, Customer Evaluation, Review & Updation, repeated until the Customer is Satisfied.)
3. Incremental Model
(Figure: functionality delivered against time. Increment 1, Increment 2, … Increment n are built one after another, each passing through A: Analysis Phase, D: Design Phase, I: Implementation Phase and T: Testing Phase.)
Concept: The Incremental model is a method of software development where the model is designed, implemented and tested incrementally (a little more is added each time) until the product is finished. The product is defined as finished when it satisfies all its requirements. This model combines the elements of the waterfall model with the iterative philosophy of prototyping. The product is decomposed into several components, each of which is designed and built separately (termed as builds).

Advantages: After each iteration, regression testing is conducted in which faulty elements of the software are quickly identified, because few changes are made within any single iteration. It is generally easier to test and debug than other methods of software development because relatively smaller changes are made during each iteration; this allows for more targeted and rigorous testing of each element within the overall product. The customer can respond to features and review the product for any needful changes.

Weaknesses: The resulting cost may exceed the cost estimated by the organization. As additional functionality is added to the product, problems may arise related to system architecture which were not evident in earlier prototypes.
The Chartered Accountant Student May 2017 21
4. Spiral Model
5. Rapid Application Development (RAD) Model: The RAD (Rapid Application Development) model is based on prototyping
and iterative development with no specific planning involved. The process of writing the software itself involves the planning required for
developing the product. RAD focuses on gathering customer requirements through workshops or focus groups, early testing of the prototypes
by the customer using iterative concept, reuse of the existing prototypes (components), continuous integration and rapid delivery.
Concept: RAD approaches to software development put less emphasis on planning tasks and more emphasis on development. In contrast to the waterfall model, which emphasizes rigorous specification and planning, RAD approaches emphasize the necessity of adjusting requirements in reaction to knowledge gained as the project progresses. Features of the model are: Rapid Application Development; Emphasizes a short development cycle; A "high speed" adaptation of the waterfall model; Uses a component-based construction approach; May deliver software within a very short time (e.g. 60 to 90 days) if requirements are well understood and project scope is constrained.

Advantages: Reduced development time. Increases reusability of components. Quick initial reviews occur. Encourages customer feedback. Integration from the very beginning solves a lot of integration issues.

Weaknesses: Depends on strong team and individual performances for identifying business requirements. Only systems that can be modularized can be built using RAD. Requires highly skilled developers/designers. High dependency on modeling skills. Inapplicable to cheaper projects, as the cost of modeling and automated code generation is very high.
6. Agile Model: Agile modelling is a methodology for modelling and documenting software systems based on best practices. It is an organized set of software development methodologies based on iterative and incremental development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development and delivery and a time-boxed iterative approach, and encourages rapid and flexible response to change.
Concept: The Agile Manifesto is based on the following 12 features: Customer satisfaction by rapid delivery of useful software; Welcome changing requirements, even late in development; Working software is delivered frequently (weeks rather than months); Working software is the principal measure of progress; Sustainable development, able to maintain a constant pace; Close, daily co-operation between business people and developers; Face-to-face conversation is the best form of communication (co-location); Projects are built around motivated individuals, who should be trusted; Continuous attention to technical excellence and good design; Simplicity; Self-organizing teams; and Regular adaptation to changing circumstances.

Advantages: Customer satisfaction by rapid, continuous delivery of useful software. People and interactions are emphasized rather than process and tools; customers, developers and testers constantly interact with each other. Working software is delivered frequently (weeks rather than months). Face-to-face conversation is the best form of communication.

Weaknesses: In the case of some software deliverables, especially the large ones, it is difficult to assess the effort required at the beginning of the software development life cycle. There is a lack of emphasis on necessary design and documentation. The project can easily get taken off track if the customer representative is not clear about what outcome they want. Only senior programmers can take the kind of decisions required during the development process; hence it has no place for newbie programmers, unless combined with experienced resources.
CHAPTER – 6 AUDITING OF INFORMATION SYSTEMS
This chapter covers the Information Systems Audit, its need, methodology and related standards. The chapter also provides an insight into various types of controls, their related concepts and their audit.
NEED FOR CONTROL AND AUDIT OF INFORMATION SYSTEMS
Factors driving the need for IS audit: Value of hardware, software and personnel; Cost of computer abuse; Controlled evolution of computer use.
Risks that an IS audit addresses: Inadequate information security controls; Inefficient use of resources, or poor governance; Ineffective IT strategies, policies and practices; and IT-related frauds (including phishing, hacking etc.).
Skill set of an IS auditor: Sound knowledge of business operations, practices and compliance requirements; Should possess the requisite professional technical qualification and certifications; Good understanding of information Risks & Controls; Knowledge of IT strategies, policy & procedural controls; Ability to understand technical and manual controls relating to business continuity; and Good knowledge of Professional Standards and Best Practices of IT controls & security.
Categories of IS Audit
Systems and Application: To verify that systems & applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.
Information Processing Facilities: To verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.
Systems Development: To ensure that the systems are developed in accordance with generally accepted standards for systems development.
Management of IT and Enterprise Architecture: To verify that Information Technology management has developed an organizational structure & procedures to ensure a controlled & efficient environment for information processing.
Telecommunications, Intranets, and Extranets: To verify that controls are in place on the client (end-point device), the server, and the network connecting the clients and servers.

Steps in IS Audit (Scoping, Planning, Fieldwork, Analysis, Reporting, Close)
Scoping and pre-audit survey: Auditors determine the main area/s of focus based on scope definitions agreed with management.
Planning and preparation: The scope is broken down into greater levels of detail, usually involving the generation of an audit work plan or risk-control matrix.
Fieldwork: This step involves gathering of evidence by interviewing staff and managers, reviewing documents, and observing processes etc.
Analysis: SWOT (Strengths, Weaknesses, Opportunities, Threats) or PEST (Political, Economic, Social, Technological) techniques can be used for analysis.
Reporting: Reporting to the management is done after the gathered evidence has been analysed.
Closure: Closure involves preparing notes for future audits and following up with management to complete the actions they promised after previous audits.

Concurrent (Continuous) Audit Techniques
Snapshots: The snapshot software is built into the system at those points where material processing occurs; it takes images of the flow of any transaction as it moves through the application.
Integrated Test Facility (ITF): The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against that entity as a means of verifying processing authenticity, accuracy, and completeness.
System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system's transactions.
Continuous and Intermittent Simulation (CIS): This technique can be used to trap exceptions whenever the application system uses a DBMS.
Audit Hooks: These are audit routines that flag suspicious transactions.
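The concurrent techniques above are easier to see in code. The following is an added example, not code from the ICAI capsule: a toy ledger-posting routine with an embedded audit module that takes Snapshots before and after each posting, runs Audit Hooks whose findings are written to a SCARF exception file, and keeps an ITF dummy entity out of production reporting. The account names, threshold, hook rules and sample transactions are all constructed for illustration.

```python
"""Embedded audit module (SCARF, Snapshots, Audit Hooks, ITF) for a toy ledger.
Added illustration; names, thresholds and transactions are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

ITF_ENTITY = "ITF-AUDIT-9999"  # assumed dummy account used only for audit test data
SCARF_THRESHOLD = 10_000       # assumed hook rule: postings of this size or more are logged


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str
    amount: int      # positive = credit, negative = debit (assumption)
    user: str
    approver: str = ""


@dataclass
class AuditModule:
    """Audit software embedded in the host application (SCARF).

    The application can only append to these records; it gets no API to
    read or rewrite them.
    """
    hooks: List[Tuple[str, Callable[[Txn], bool]]] = field(default_factory=list)
    scarf: List[Tuple[str, str]] = field(default_factory=list)           # (hook name, txn id)
    snapshots: List[Tuple[str, str, int]] = field(default_factory=list)  # (point, txn id, balance)

    def snapshot(self, point: str, txn: Txn, balance: int) -> None:
        """Snapshot: image of the transaction at a material processing point."""
        self.snapshots.append((point, txn.txn_id, balance))

    def run_hooks(self, txn: Txn) -> None:
        """Audit Hooks: each rule that fires writes an exception to the SCARF file."""
        for name, rule in self.hooks:
            if rule(txn):
                self.scarf.append((name, txn.txn_id))


# Hook rules (constructed examples of what an auditor might embed)
def hook_large_amount(txn: Txn) -> bool:
    return abs(txn.amount) >= SCARF_THRESHOLD


def hook_self_approved(txn: Txn) -> bool:
    return txn.approver != "" and txn.approver == txn.user


def hook_unapproved_debit(txn: Txn) -> bool:
    return txn.amount < 0 and txn.approver == ""


class Ledger:
    """Host application: posts transactions and calls the audit module in-line."""

    def __init__(self, audit: AuditModule) -> None:
        self.balances: Dict[str, int] = {}
        self.audit = audit

    def post(self, txn: Txn) -> int:
        before = self.balances.get(txn.account, 0)
        self.audit.snapshot("before", txn, before)
        self.audit.run_hooks(txn)
        after = before + txn.amount
        self.balances[txn.account] = after
        self.audit.snapshot("after", txn, after)
        return after

    def production_balances(self) -> Dict[str, int]:
        """ITF: the dummy entity is processed like any other account but is
        filtered out of live reporting so test data never reaches users."""
        return {acct: bal for acct, bal in self.balances.items() if acct != ITF_ENTITY}


def run_demo() -> Tuple[Ledger, AuditModule]:
    audit = AuditModule(hooks=[
        ("large_amount", hook_large_amount),
        ("self_approved", hook_self_approved),
        ("unapproved_debit", hook_unapproved_debit),
    ])
    ledger = Ledger(audit)
    # Constructed transactions: T4 is ITF test data designed to trip two hooks,
    # which verifies that the embedded monitoring actually fires.
    for txn in [
        Txn("T1", "A-100", 5_000, user="alice", approver="bob"),
        Txn("T2", "A-100", -12_000, user="bob", approver="bob"),
        Txn("T3", "A-200", -300, user="carol"),
        Txn("T4", ITF_ENTITY, -15_000, user="auditor"),
    ]:
        ledger.post(txn)
    return ledger, audit


if __name__ == "__main__":
    ledger, audit = run_demo()
    print("SCARF exceptions:", audit.scarf)
    print("Production balances:", ledger.production_balances())
```

Two practitioner caveats follow from the design. The SCARF file and snapshots must live where the application owners cannot alter them (here the application is given only an append path), otherwise the "continuous monitoring" can be edited by the people it monitors. And ITF test data must be kept out of live reports and balances, which is why production_balances() filters the dummy entity rather than relying on someone to reverse the postings afterwards.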
AUDIT TRAIL
Audit Trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit
trails provide an important detective control to help accomplish security policy objectives.
Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained.
The Accounting audit trail shows the source and nature of data and processes that update the database.
The Operations audit trail maintains record of attempted or actual resource consumption within a system.
Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:
Detecting unauthorized access to the system: The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. Depending upon how much activity is being logged and reviewed, real-time detection can impose a significant overhead on the operating system, which can degrade operational performance.
Facilitating the reconstruction of events: Audit analysis can be used to reconstruct steps that led to events such as system failures,
security violations by individuals, or application processing errors.
Promoting personal accountability: Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a
preventive control that can be used to influence behavior.
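As an added example, not the capsule's own, the following Python reads a few constructed audit-trail lines and applies the three objectives above: it detects unauthorized access (repeated login failures within a short window, and denied access to a resource), reconstructs the history of one record, and summarises activity per user for accountability. The log format, field names, failure threshold and time window are assumptions made for the example.

```python
"""Audit-trail analysis for the three objectives: detection, reconstruction,
accountability. Added illustration; the log format, fields, threshold and
window are assumptions and the log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed audit trail: one event per line, ISO timestamp then key=value pairs.
LOG_LINES = """\
2017-05-02T09:00:01 user=alice event=LOGIN outcome=OK src=10.0.0.5
2017-05-02T09:00:12 user=mallory event=LOGIN outcome=FAIL src=203.0.113.9
2017-05-02T09:00:14 user=mallory event=LOGIN outcome=FAIL src=203.0.113.9
2017-05-02T09:00:15 user=mallory event=LOGIN outcome=FAIL src=203.0.113.9
2017-05-02T09:00:17 user=mallory event=LOGIN outcome=FAIL src=203.0.113.9
2017-05-02T09:05:30 user=alice event=UPDATE resource=payroll/rate record=EMP-0042 outcome=OK
2017-05-02T09:06:02 user=bob event=LOGIN outcome=OK src=10.0.0.7
2017-05-02T09:06:40 user=bob event=READ resource=payroll/rate record=EMP-0042 outcome=DENIED
2017-05-02T09:07:10 user=alice event=UPDATE resource=payroll/rate record=EMP-0042 outcome=OK
2017-05-02T09:30:00 user=alice event=LOGOUT outcome=OK
""".splitlines()

FAIL_THRESHOLD = 3                   # assumed: 3 failed logins ...
FAIL_WINDOW = timedelta(seconds=60)  # ... within 60 seconds raises one alert

_KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> dict:
    """Split an audit-trail line into a dict; 'ts' becomes a datetime."""
    ts, _, rest = line.partition(" ")
    rec = dict(_KV.findall(rest))
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_unauthorized(records) -> List[Tuple[str, str, str]]:
    """Objective 1: repeated login failures in a sliding window, and denied access."""
    alerts = []
    recent: Dict[str, deque] = defaultdict(deque)
    for r in records:
        if r["event"] == "LOGIN" and r["outcome"] == "FAIL":
            q = recent[r["user"]]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:   # fire once, when the threshold is first reached
                alerts.append(("repeated_login_failure", r["user"], r.get("src", "")))
        elif r["outcome"] == "DENIED":
            alerts.append(("access_denied", r["user"], r.get("resource", "")))
    return alerts


def reconstruct(records, record_id: str) -> List[Tuple[str, str, str, str]]:
    """Objective 2: chronological history of one record (when, who, what, outcome)."""
    return [(r["ts"].isoformat(), r["user"], r["event"], r["outcome"])
            for r in records if r.get("record") == record_id]


def accountability(records) -> Dict[str, Dict[str, int]]:
    """Objective 3: per-user count of each event type."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in records:
        counts[r["user"]][r["event"]] += 1
    return {user: dict(c) for user, c in counts.items()}


if __name__ == "__main__":
    recs = [parse(line) for line in LOG_LINES]
    for alert in detect_unauthorized(recs):
        print("ALERT", alert)
    for step in reconstruct(recs, "EMP-0042"):
        print("HISTORY", step)
    print("ACCOUNTABILITY", accountability(recs))
```

The overhead point made above shows up in the code: the failure-window check runs per event as the trail is produced, which is what real-time detection costs the system, while reconstruction and the accountability summary can run later over an archived copy. All three objectives depend on the trail being complete and tamper-evident, so in practice the lines are shipped to a log store that the audited users cannot write to.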
Testing: The auditor's primary concern is to see that unit testing, integration testing and system testing have been undertaken appropriately.
Operation and Maintenance: Auditors need to ensure that effective and timely reporting of maintenance needs occurs and that maintenance is carried out in a well-controlled manner.
Data Resource Management Controls: Auditors should determine what controls are exercised to maintain data integrity. They might employ test data to evaluate whether access controls and update controls are working.
Quality Assurance Management Controls: Auditors might use interviews, observations and reviews of documentation to evaluate how well Quality Assurance (QA) personnel perform their monitoring and reporting function.
Security Management Controls: Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not, and check whether the organisation has opted for appropriate Disaster Recovery and Insurance plans or not.
Operations Management Controls: Auditors should check whether the documentation is maintained securely and that it is issued only to authorized personnel.
APPLICATION CONTROLS - AUDIT TRAILS
Boundary: This maintains the chronology of events that occur when a user attempts to gain access to and employ system resources.
Input: This maintains the chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems within the application system.
Communication: This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Processing: The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.
Database: The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.
Output: The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output because it no longer should be retained.
CHAPTER – 8 EMERGING TECHNOLOGIES
This chapter introduces the Emerging Technologies like Cloud Computing, Mobile Computing, Green Computing etc. and their perspectives.
I. Grid Computing: Grid computing is a network of computing or processor machines managed with a kind of software such as middleware,
to access and use the resources remotely. Grid Services provide access control, security, access to data including digital libraries and databases,
and access to large-scale interactive and long-term storage facilities.
Grid Computing is more popular due to the following reasons:
It can make use of unused computing power, and thus, it is a cost-effective solution (reducing investments, only recurring costs).
Enables heterogeneous resources of computers to work cooperatively and collaboratively to solve a scientific problem.
II. Cloud Computing: Cloud Computing is a combination of software- and hardware-based computing resources delivered as a networked service. This model of IT-enabled services enables anytime access to a shared pool of applications and resources. These applications and resources can be accessed using a simple front-end interface such as a Web browser, thus enabling users to access the resources from any client device, including notebooks, desktops and mobile devices.
Architecture:
Front End Architecture: The front end of the cloud computing system comprises the client's devices (or computer network) and some applications needed for accessing the cloud computing system.
Back End Architecture: Back end refers to some service facilitating peripherals. In cloud computing, the back end is the cloud itself, which may encompass various computer machines, data storage systems and servers. Groups of these clouds make up a whole cloud computing system.
Characteristics: High Scalability; Agility & Multi-sharing; High Availability and Reliability; Services in Pay-Per-Use Mode; Virtualization; Performance & Maintenance.
Advantages: Cost Efficiency; Almost Unlimited Storage; Backup & Recovery; Automatic Software Integration; Easy Access to Information; Quick Deployment.
Cloud Deployment Models
Private Cloud: This cloud computing environment resides within the boundaries of an organization and is used exclusively for the organization's benefit. Private Clouds can either be private to the organization and managed by the single organization (On-Premise Private Cloud) or be managed by a third party (Outsourced Private Cloud).
Public Cloud: The public cloud is the cloud infrastructure that is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. Typically, public clouds are administered by third parties or vendors over the Internet, and the services are offered on a pay-per-use basis.
Community Cloud: The community cloud is the cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises.
Hybrid Cloud: This is a combination of at least one private (internal) and at least one public (external) cloud computing environment, usually consisting of infrastructure, platforms and applications. The usual method of using the hybrid cloud is to have a private cloud initially, and then to use the public cloud for additional resources.

Cloud Service Models
Infrastructure as a Service (IaaS): IaaS, a hardware-level service, provides computing resources such as processing power, memory, storage, and networks for cloud users to run their applications on demand. This allows users to maximize the utilization of computing capacity without having to own and manage their own resources. Different instances are NaaS, STaaS, DBaaS, BaaS, and DTaaS.
Platform as a Service (PaaS): PaaS provides users the ability to develop and deploy an application on the development platform provided by the service provider. PaaS moves application development from the local machine to online. PaaS providers may provide programming languages, application frameworks, databases, and testing tools, and in some cases build tools, deployment tools and software load balancers as a service.
Software as a Service (SaaS): SaaS provides end users the ability to access, over the Internet, an application that is hosted and managed by the service provider. SaaS is delivered as an on-demand service over the Internet; there is no need to install the software on the end user's devices.
Cloud Computing Security Issues
Confidentiality: Prevention of the unauthorized disclosure of data is referred to as Confidentiality.
Integrity: Integrity refers to the prevention of unauthorized modification of data, and it ensures that data is of high quality, correct, consistent and accessible.
Availability: Availability refers to the prevention of unauthorized withholding of data, and it ensures data backup through Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).
Governance: The lack of control over employees and services creates problems relating to design, implementation, testing and deployment. So there is a need for a governance model which controls the standards, procedures and policies of the organization.
Trust: Under a cloud deployment model, the organization relinquishes direct control over many aspects of security and, in doing so, places a high level of trust in the cloud provider; the organization (as federal agencies are) nonetheless remains responsible for protecting its information system from risk.
Compliance and Legal Issues: There are various requirements relating to legal, privacy and data security laws that need to be studied in a Cloud system. One of the major troubles with laws is that they vary from place to place, and users have no assurance of where the data is located physically.
Privacy: Privacy is also considered one of the important issues in the Cloud. Privacy issues are embedded in each phase of the Cloud design, and should cover both legal compliance and trust maturity.
Audit: Auditing is a type of checking of 'what is happening in the Cloud environment'. It is an additional layer placed before the virtualized application environment hosted on the virtual machine, to watch 'what is happening in the system'.
Data Stealing: In a Cloud, data is held on shared infrastructure and reached over public networks, in both public and private forms, so anyone who gains access at any time can take it. The resulting issue is data stealing.
Architecture: In the architecture of Cloud computing models, there should be control over the security and privacy of the system. The architecture of the Cloud is based on a specific service model.
Identity Management and Access Control: The key critical success factor for Cloud providers is to have a robust federated identity management architecture and strategy internal to the organization.
Incident Response: The organization's requirements during an incident must be met. It should be ensured that the Cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident.
Software Isolation: Software isolation means understanding the virtualization and other logical isolation techniques that the Cloud provider employs in its multi-tenant software architecture, and evaluating the risks involved for the organization.
Application Security: Security issues relating to application security still apply when applications move to a cloud platform. The service provider should have complete access to the server, with all rights, for monitoring and maintenance of the server.
IV. Green Computing: Green Computing or Green IT refers to the study and practice of environmentally sustainable computing or IT. In
other words, it is the study and practice of establishing / using computers and IT resources in a more efficient and environmentally friendly
and responsible way.
Best Practices: Develop a sustainable Green Computing plan; Recycle; Make environmentally sound purchase decisions; Reduce paper consumption; Conserve energy.
V. BYOD (Bring Your Own Device): This refers to business policy that allows employees to use their preferred computing devices, like
smart phones and laptops for business purposes. It means employees are welcome to use personal devices (laptops, smart phones, tablets
etc.) to connect to the corporate network to access information and application.
Advantages: Happy employees; Lower IT budgets; Reduced IT support requirement; Early adoption of new technologies; Increased employee efficiency.

Emerging Threats:
Network Risks: Normally exemplified and hidden in 'Lack of Device Visibility'. As BYOD permits employees to carry their own devices (smart phones, laptops) for business use, the IT team is unaware of the number of devices being connected to the network. As network visibility is of high importance, this lack of visibility can be hazardous.
Device Risks: Normally exemplified and hidden in 'Loss of Devices'. A lost or stolen device can result in enormous financial and reputational embarrassment to an organization, as the device may hold sensitive corporate information.
Application Risks: Normally exemplified and hidden in 'Application Viruses and Malware'. Organizations are not clear in deciding 'who is responsible for device security - the organization or the user'.
Implementation Risks: Normally exemplified and hidden in 'Weak BYOD Policy'. The effective implementation of the BYOD program should not only cover the technical issues mentioned above but also mandate the development of a robust implementation policy.
WEB 2.0 AND WEB 3.0 TECHNOLOGIES
Web 2.0 Technology: Web 2.0 is the term given to describe a second generation of the World Wide Web that is focused on the ability for people to collaborate and share information online. The two major contributors to Web 2.0 are the technological advances enabled by Ajax (Asynchronous JavaScript and XML) and other applications such as RSS (Really Simple Syndication) and Eclipse that support user interaction and empower users in dealing with the web. The main agenda of Web 2.0 is to connect people in numerous new ways and utilize their collective strengths in a collaborative manner.

Web 3.0 Technology: Known as the Semantic Web, this describes sites wherein computers generate raw data on their own without direct user interaction. The Web 3.0 standard uses semantic web technology, drag-and-drop mash-ups, widgets, user behavior, user engagement, and consolidation of dynamic web content depending on the interests of individual users. Web 3.0 technology uses "Data Web" technology, which features data records that are publishable and reusable on the web through query-able formats. The Web 3.0 standard also incorporates the latest research in the field of artificial intelligence.
The two major components of Web 3.0 are as follows:
• Semantic Web: This provides the web user a common framework that can be used to share and reuse data across various applications, enterprises, and community boundaries.
• Web Services: A software system that supports computer-to-computer interaction over the Internet.
An example of a typical Web 3.0 application is one that uses content management systems along with artificial intelligence. Web 3.0 helps to achieve more connected, open and intelligent web applications using the concepts of natural language processing, machine learning, machine reasoning and autonomous agents.