REFERENCER

Download as pdf or txt
Download as pdf or txt
You are on page 1of 24

Referencer for Quick

Revision
Final Course Paper-6:
Information Systems Control
and Audit
A compendium of subject-wise capsules published in the
monthly journal “The Chartered Accountant Student”

Board of Studies
(Academic)
ICAI
INDEX
Page Edition of Students’
Topics
No. Journal
Concepts of Governance and Management of
1-4 May 2017
Information Systems
4-6 May 2017 Information Systems Concepts
7-8 May 2017 Protection of Information Systems
May 2017 Business Continuity Planning and Disaster
9-10
Recovery Planning
May 2017 Acquisition, Development and Implementation of
11-16
Information Systems
17-19 May 2017 Auditing of Information Systems
19-20 May 2017 Information Technology Regulatory Issues
21-22 May 2017 Emerging Technologies
INFORMATION SYSTEMS CONTROL AND AUDIT
ISCA: A Capsule for Quick Revision
It has always been the endeavour of Board of Studies to provide quality academic inputs to the students of Chartered Accountancy
Course. Keeping in mind this objective, BoS has decided to come out with a crisp and concise capsule of each subject to facilitate
students in quick revision before examination. The second in such series of capsule in on Paper 6: Information Systems Control
and Audit of Final Course.
Students may note that this capsule is a tool for quick revision of some significant aspects of ISCA and thus, should not be taken
as a substitute for the detailed study of the subject. Students are advised to refer to the relevant Study Material, Practice Manual
and Revision Test Paper for May, 2017 examination for comprehensive study and revision.

CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF INFORMATION SYSTEMS


This chapter facilitates the basic understanding of how to distinguish among key aspects of Enterprise Governance, Corporate Governance,
IT Governance, to examine the role of IT in formulating IT strategy, aligning IT as per business strategy and identify key processes and
practices required for ensuring value creation from IT; to review IS Risk management strategy based on different types of risks and their
impact; and how to use best practices frameworks such as COBIT and GEIT to meet enterprises need.
KEY CONCEPTS OF GOVERNANCE
Enterprise Governance is defined as the set of responsibilities and practices exercised by the Board and executive management of an enterprise.
The goal is to provide strategic direction to ensure that objectives are achieved, ascertaining that risks are managed appropriately and verifying
that the enterprise’s resources are used responsibly.
Corporate Governance is the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder
value by enhancing economic performance.
Business Governance/ Performance Governance gives an emphasis on business process performance using the analysis, monitoring, reporting
and optimization of business processes and business activities, and including process simulation and optimization of desired business outcomes by
using real-time, historical and estimated data values.
IT Governance is described as a framework for the organizational structures and associated processes and standards to ensure that IT supports the
achievement of strategic objectives of the company. 

Enterprise Governance Attributes of Good Governance

Corporate Governance Business Governance


Effective and Efficient
Accountability & Value Creation &
Assurance Resource Utilization
Accountable Equitable and
Inclusive
Chairman/CEO Strategic Planning & Alignment
Non-Executive Directors Strategic Decision Making Consensus
Strategic Risk Mgt. Participatory Oriented
Audit Committee
COBIT Scorecards GOOD
Remuneration Committee
Risk Management Strategic Enterprise Systems GOVERNANCE
Continuous Improvement Rule of Law Responsiveness
Internal Audit
Transparency
IT Governance
Risk Mitigation Value Creation
Security Policy Review and Control Performance

GOVERNANCE OF ENTERPRISE IT (GEIT)


Governance of Enterprise IT (GEIT) IT Strategy Planning
(Sub-set of Corporate Governance and facilitates implementation of a framework (Provides direction to deployment of Information System)
of IS controls within an enterprise as relevant and encompassing all key areas)

Key Governance Process Objectives Classification


Objectives Benefits Practices

• To analyze and • To provide a consistent approach • Evaluate the • Dynamic in • To provide a • E n t e r p r i s e


articulate the integrated and aligned with the Governance nature. holistic view of Strategic Plan;
requirements for enterprise governance approach. System • To ensure that the current IT • Information
the governance of • To ensure that IT-related a process is environment, Systems
enterprise IT; and decisions are made in line with • Direct the in place to • the future Strategic Plan;
• To put in place and the enterprise’s strategies and Governance modify and direction, and • Information
maintain effective System accommodate • the initiatives Systems
enabling structures, objectives. Requirements
• To ensure that IT-related changes to required to
principles, processes • Monitor the migrate to the Plan;
and practices, processes are overseen e n t e r p r i s e ’s
Governance long range plan desired future • Information
with clarity of effectively and transparently. environment. Systems
responsibilities and • To confirm compliance with legal System and change in Applications
authority to achieve and regulatory requirements. IT conditions. and Facilities
the enterprise’s • To ensure that the governance Plan.
mission, goals and requirements for board
objectives. members are met.
The Chartered Accountant Student May 2017 07
1
INFORMATION SYSTEMS CONTROL AND AUDIT
Enterprise Strategic Plan Provides the overall charter under which all units in the enterprise, including the information systems
function must operate.
Information Systems To focus on striking an optimum balance of IT opportunities and IT business requirements as well as
Strategic Plan ensuring its further accomplishment.
Information Systems The Information System Requirements Plan defines information system architecture for the information
Requirements Plan systems department. The architecture specifies the major organization functions needed to support
planning, control and operations activities and the date classes associated with each function.
Information Systems This plan includes specific application systems to be developed and an associated time schedule; Hardware
Applications and Facilities and Software acquisition/development schedule, Facilities required, and Organization changes required.
Plan

COMMITTEE OF SPONSORING ORGANIZATION (COSO) value


Internal Control – Integrated Framework Owners
Control Categorizing the criticality and materiality of wish to minimize
Environment each business process and its owner. to reduce
Risk Assessment An assessment of risks associated with each impose Counter Measures
business process.
Control To manage, mitigate and reduce the risks that may be that may
Activities associated with business process. reduced by possess
may be aware of
Information & Associated with control activities are Risk
Communication information and communication systems. Vulnerabilities
leading to
Monitoring With modifications made as warranted by
changing conditions. that exploit to
Threats Agents
that increase
RISK AND RELATED TERMS give rise to Threats
Assets
Asset
 Asset can be defined as something of value to the organization; wish to abuse and/or damage
e.g., information in electronic or physical form, software
systems, employees.

Vulnerability Threat Vulnerability Risk


 Vulnerability is the weakness in the system safeguards that exposes
the system to threats. Anti-Virus not updated Loss of Reputation
Loss of Data
Threat Virus Attack Tools not adequate
(Threat) Rework
 A threat is an action, event or condition where there is a
compromise in the system, its quality and ability to inflict harm to People Awareness Stress on People
the organization.

Risk
 Risk is where threat and vulnerability overlap. That is, we get a Risk Management Strategies
risk when our systems have a vulnerability that a given threat can When risks are identified and analyzed, risk management strategies are used.
attack.
• Tolerate/Accept the risk: One of the primary
Counter Measure functions of management is managing risk. Some
risks may be considered minor because their impact
 An action, device, procedure, technique or other measure that and probability of occurrence is low.
reduces the vulnerability of a component or system is referred as
Counter Measure. • Terminate/Eliminate the risk: It is possible for a risk
to be associated with the use of a particular technology,
Attack supplier, or vendor. The risk can be eliminated by
replacing the technology with more robust products and
 An attack is an attempt to gain unauthorized access to the system’s by seeking more capable suppliers and vendors.
services or to compromise the system’s dependability.
• Transfer/Share the risk: Risk mitigation
Exploit approaches can be shared with trading partners
and suppliers. A good example is outsourcing
 An exploit is the way or tool by which an attacker uses a infrastructure management.
vulnerability to cause damage to the target system.
• Treat/Mitigate the risk: Where other options
Exposure have been eliminated, suitable controls must be
devised and implemented to prevent the risk from
 An exposure is the extent of loss the enterprise has to face when a manifesting itself or to minimize its effects.
risk materializes.

Likelihood of the Threat • Turn back: Where the probability or impact of the
 It is the estimation of the probability that threat will succeed in
risk is very low, then management may decide to
achieving an undesirable event. ignore the risk.

08 May 2017 The Chartered Accountant Student

2
INFORMATION SYSTEMS CONTROL AND AUDIT
■ Evaluate Risk Management: Continually examine and make judgment on the effect of risk on the current and future use of IT
Key in the enterprise.
Governance ■ Direct Risk Management: Direct the establishment of risk management practices to provide reasonable assurance that IT risk
Practices management practices are appropriate to ensure that the actual IT risk does not exceed the board’s risk appetite.
of Risk ■ Monitor Risk Management: Monitor the key goals and metrics of the risk management processes and establish how deviations
Management or problems will be identified, tracked and reported on for remediation.

■ Collect Data: Identify and collect relevant data to enable effective IT-related risk identification, analysis and reporting.
■ Analyze Risk: Develop useful information to support risk decisions that take into account the business relevance of risk factors.
Key ■ Maintain a Risk Profile: Maintain an inventory of known risks and risk attributes, including expected frequency, potential
Management impact, and responses, and of related resources, capabilities, and current control activities.
Practices ■ Articulate Risk: Provide information on the current state of IT-related exposures and opportunities in a timely manner to all
of Risk required stakeholders for appropriate response.
Management ■ Define a Risk Management Action Portfolio: Manage opportunities and reduce risk to an acceptable level as a portfolio.
■ Respond to Risk: Respond in a timely manner with effective measures to limit the magnitude of loss from IT-related events.

■ Percentage of critical business processes, IT services and IT-enabled business programs covered by risk assessment;
■ Number of significant IT related incidents that were not identified in risk Assessment;
Key Metrics ■ Percentage of enterprise risk assessments including IT related risks; and
■ Frequency of updating the risk profile based on status of assessment of risks.

COBIT 5
(CONTROL OBJECTIVES FOR INFORMATION AND RELATED TECHNOLOGY) Principle 1: Meeting Stakeholder Needs: The COBIT 5 goals
COBIT is a set of best practices for Information Technology cascade is the mechanism to translate stakeholder needs into
management developed by Information Systems Audit & Control specific, actionable and customized enterprise goals, IT related
Association (ISACA) and IT Governance Institute in 1996. goals and enabler goals.
COBIT 5 is the only business framework for the governance and
management of enterprise Information Technology.
This evolutionary version COBIT 5 incorporates the latest Principle 2: Covering the Enterprise End-to-End: COBIT 5
thinking in enterprise governance and management techniques, integrates governance of enterprise IT into enterprise governance.
and provides globally accepted principles, practices, analytical It covers all functions and processes within the enterprise; COBIT 5
tools and models to help increase the trust in, and value from,
information systems. does not focus only on the ‘IT function’, but treats information and
related technologies as assets that need to be dealt with just like any
Components in COBIT other asset by everyone in the enterprise.

Framework 
• Organize IT governance objectives and good practices Principle 3: Applying a Single Integrated Framework: COBIT 5
by IT domains and processes, and links them to business is a single and integrated framework as it aligns with other latest
requirements.
relevant standards and frameworks, thus allows the enterprise
Process Descriptions  to use COBIT 5 as the overarching governance and management
• Process Reference Model and common language for framework integrator.
everyone in an organization. The processes map to
responsibility areas of plan, build, run and monitor.
Principle 4: Enabling a Holistic Approach: COBIT 5 defines a
Control Objectives 
• Provide a complete set of high-level requirements to set of enablers to support implementation of a comprehensive
be considered by management for effective control of governance and management system for enterprise IT.
each IT process. 

Management Guidelines Principle 5: Separating Governance from Management: The


• Help assign responsibility, agree on objectives, COBIT 5 framework makes a clear distinction between governance
measure performance, and illustrate interrelationship
with other processes.  and management. These two disciplines encompass different types of
activities, require different organizational structures and serve different
Maturity Models purposes.
• Assess maturity and capability per process and helps to
address gaps.
COBIT 5 Seven Enablers
Enabling a Holistic Approach
COBIT 5 Principles
2. Processes 3. Organizational 4. Culture, Ethics
1. Meeting Structures and Behaviour
stakeholder Needs

1. Principles, Policies and


5. Separating 2. Covering the Frameworks
Governance From COBIT- 5 Enterprise
Management End-to-End
Principles
5. Information 6. Services, Infrastructure 7. People, Skills
and Applications and Competencies
4. Enabling 3. Applying a Single
a Holistic Approach Integrated Framework RESOURCES

The Chartered Accountant Student May 2017 09


3
INFORMATION SYSTEMS CONTROL AND AUDIT
1. Principles, Policies and Vehicles to translate the desired behaviour into practical guidance for day-to-day management.
Frameworks
2. Processes Describe an organised set of practices and activities to achieve certain objectives and produce a set of
outputs in support of achieving overall IT-related goals.
3. Organisational Structures Are the key decision-making entities in an organisation.
4. Culture, Ethics and behaviour Of individuals and of the organisation; very often underestimated as a success factor in governance
and management activities.
5. Information Is pervasive throughout any organisation, i.e., deals with all information produced and used by the
enterprise for keeping the organisation running and well governed.
6. Services, Infrastructure and Include the infrastructure, technology and applications that provide the enterprise with information
applications technology processing and services.
7. People, skills and competencies Are linked to people and are required for successful completion of all activities and for making correct
decisions and taking corrective actions.

CHAPTER – 2 INFORMATION SYSTEMS CONCEPTS


This chapter explains the basic concepts of Information Systems, their types and their applications in businesses and organizations. The
chapter also comprehends the knowledge about different types of systems e.g. open, closed, probabilistic, deterministic, manual, physical
etc. and to differentiate between data and information.

● Information means Processed Data SYSTEM


Defined as a group of interconnected components working towards
Attributes of Information the accomplishment of a common goal by accepting inputs and
producing outputs in an ordered transformation process.
● Availability
■ Information is useless if it is not available at the time of need. Elements Interactive Behaviour
● Purpose/Objective
■ The basic objective of information is to inform, evaluate, Open
Abstract Physical
persuade, and organize. This indeed helps in decision making, Closed
generating new concepts and ideas, identify and solve problems,
planning, and controlling which are needed to direct human
activity in business enterprises. Degree of Human Intervention Working/Output
● Mode and format
■ The mode may be in the form of voice, text and combination of Manual Deterministic
these two. Format should be designed in such a way that it assists in
decision making, solving problems, initiating planning, controlling
and searching. Automated Probabilistic

● Current/Updated Systems Classification


■ Information should be refreshed from time to time as it
usually rots with time and usage. ■ Abstract System - Also known as Conceptual
System or Model that can be defined as an
● Rate
orderly arrangement of interdependent ideas or
■ Useful information is the one which is transmitted at a rate which Element Based constructs.
matches with the rate at which the recipient wants to receive. Systems ■ Physical System is a set of tangible elements,
● Frequency which operated together to accomplish an
■ The frequency with which information is transmitted or received objective e.g. Computer system.
affects its value.
■ An Open System interacts with other systems in its
● Completeness and Adequacy Interactive environment. For example; Information Systems.
■ The information provided should be complete and adequate in itself Behaviour ■ Closed System does not interact with the
because only complete information can be used in policy making. Based Systems environment and does not change with the
changes in environment.
● Reliability
■ In a Manual System, the activities like data
■ It is a measure of failure or success of using information for
decision-making. Degree collection, maintenance and final reporting are
of human done by human.
● Validity ■ In an Automated System, the activities like data
Intervention
■ It measures how close the information is to purpose for which it based collection, maintenance and final reporting are
asserts to serve. carried out by computer system or say machine
● Quality itself.
■ It means the correctness of information. ■ A Deterministic System operates in a predictable
● Transparency
manner. For example - software that performs on a
■ It is essential in decision and policy making. set of instructions is a deterministic system.
Working/
■ A Probabilistic System is defined in terms of
● Value of Information
Output Based
probable behaviour. For example - inventory
■ Defined as value of information when given a set of possible system is a probabilistic system where the average
decisions, a decision-maker may select one on basis of the demand, average time for replenishment, etc. may
information at hand. be defined.

10 May 2017 The Chartered Accountant Student

4
INFORMATION SYSTEMS CONTROL AND AUDIT
Components of Information Systems Functions of Information Systems

Human Resources INPUT PROCESSING OUTPUT


IT Professionals, (Business problems (Software, (Solution to
systems Computer Telecommunications in the form of Programs, people, problems in the form
administrators, System data, information, equipments, of reports, graphics,
Communication media instructions, storage)
programmers and calculations, voices)
end users opportunities

USER
Software Hardware Data CONTROL
System software/ Physical components Raw fact (Decision Makers,
Application Software of the computers Auto Control) FEEDBACK

TYPES OF INFORMATION SYSTEMS

Operational Level Knowledge Level Management Level Systems Strategic-level Systems (SLS) are
Systems that support Systems that support support the middle managers in for strategic managers to track and
operational managers the business to integrate monitoring, decision-making deal with strategic issues, assisting
in tracking elementary new knowledge into the and administrative activities. long-range planning. Support
activities. This is helpful in answering
business and control the the senior level management to
flow of paperwork and questions like are things tackle and address strategic issues
enable group working. working well and in order? and long term trends, both inside
This ensures that business organization and outside world.
procedures are followed.

Transaction Processing Office Automation Management Information Executive Information


System (TPS) is a lowest level Systems (OAS) System (MIS) Systems (EIS)
of operational level system that refer to the integration Features – sometimes referred to
manipulates data from business of office functions as an Executive Support
transactions to generate various usually related to Management Oriented;
System (ESS) serves the
information products for external managing information. Management Directed;
strategic level i.e. top
use. TPS ensures that business Sub-System Concept;
Basic activities level managers of the
procedures are followed. Heavy Planning
include – organization.
Element; Common
Examples are sales order entry, Data Flows; Common
hotel reservations, payroll, Document Capture;
Document Creation; Database; Integrated and
employee record keeping, and Computerized.
shipping. Receipts and
Distribution; Decision Support
Components – Input, Processing, System (DSS) is a
Storage, Output. Filling, Search, type of computerized
Features – Large volume of data, Retrieval and Follow up information system that
automation of basic operations, Calculations; and supports business and
measurable benefits, source of Recording Utilization of organizational decision –
input for other systems. Resources. making activities.

TYPES OF SYSTEMS GROUPS SERVED


Executive Support Systems STRATEGIC LEVEL SYSTEMS Senior Managers
(ESS) 5 year Operating Plan, 5 - year Budget Forecasting, 5 - Year Sales Trend
Forecasting, Profit Planning, Manpower Planning
Management Information MANAGEMENT LEVEL SYSTEMS Middle Managers
Systems (MIS) Sales Management Inventory Control, Annual Budgeting, Capital Investment
Analysis Relocation Analysis
Decision Support Systems
Sales Regional Analysis Production Scheduling Cost Analysis Pricing/
(DSS)
Profitability Analysis Contract Cost Analysis
Knowledge Management KNOWLEDGE LEVEL SYSTEMS Knowledge and
Systems(KMS) Engineering Workstations, Graphics Workstation, Managerial Workstations, Data Workers
Office Automation Systems Word Processing, Document Imaging, Electronic Calendars
(OAS)
OPERATIONAL LEVEL SYSTEMS
Machine Control, Securities, Trading Payroll, Compensation Order tracking
Operational
Transaction Processing Plant Scheduling, A/c Payable Training & Development, Order Processing,
Managers
Systems (TPS) Material Movement, Control Cash Mgt., A/c Receivable, Employee Record
Keeping
Sales & Manufacturing Finance Accounting Human Resources Marketing
The Chartered Accountant Student May 2017 11
5
INFORMATION SYSTEMS CONTROL AND AUDIT
IT in Business World

Marketing Customer
Relationship Supply Chain Knowledge Retailing Decision
Management Management Management Making

SPECIALIZED SYSTEMS

These are the systems that provide comprehensive end-to-end IT solutions and services (including systems integration, implementation,
engineering services, software application customization and maintenance) to various corporations globally.

1. Expert Systems: Expert Systems are highly developed DSS that utilizes knowledge generally possessed by an expert to share a problem.
These are software systems that imitate the reasoning processes of human experts and provide decision makers with the type of advice they
would normally receive from such expert systems. Some of the business application areas of Expert system are Accounting and Finance,
Marketing, Manufacturing, Personnel and General business etc.
Benefits ♦ Preserve knowledge that might be lost through retirement, resignation or death of an acknowledged company
expert;
♦ Put information into an active-form so it can be summoned almost as a real-life expert might be summoned;
♦ Assist novices in thinking the way experienced professional do;
♦ Are not subjected to such human fallings as fatigue, being too busy, or being emotional.
♦ Can be effectively used as a strategic tool in the areas of marketing products, cutting costs and improving
products.

2. Enterprise Resource Planning (ERP): Enterprise Resource Planning (ERP) is process management software that allows an organization
to use a system of integrated applications to manage the business and automate many back-office functions related to technology, services
and human resources. ERP software integrates all facets of an operation, including product planning, development, manufacturing, sales
and marketing.
Components  Software Component: The software component is the component that is most visible part and consists of several
modules such as Finance, Human Resource, Supply Chain Management, Supplier Relationship Management,
Customer Relationship, and Business Intelligent.
 Process Flow: It is the model that illustrates the way how information flows among the different modules within
an ERP system.
 Customer mindset: To lead ERP implementation to succeed, the company needs to eliminate negative value or
belief that users may carry toward utilizing new system.
 Change Management: In ERP implementation, change needs to be managed at several levels - User attitude;
resistance to change; and Business process changes.
♦ Streamlining processes and workflows with a single integrated system.
♦ Reduce redundant data entry and processes and in other hand it shares information across the department.
♦ Establish uniform processes that are based on recognized best business practices.
♦ Improved workflow and efficiency.
♦ Improved customer satisfaction based on improved on-time delivery, increased quality, shortened delivery times.
Benefits
♦ Reduced inventory costs resulting from better planning, tracking and forecasting of requirements.
♦ Turn collections faster based on better visibility into accounts and fewer billing and/or delivery errors.
♦ Decrease in vendor pricing by taking better advantage of quantity breaks and tracking vendor performance.
♦ Track actual costs of activities and perform activity based costing.
♦ Provide a consolidated picture of sales, inventory and receivables.

3. Core Banking Systems: Core Banking Systems (CBS) may be defined as back-end systems that process daily banking transactions, and
post updates to accounts and other financial records. These systems typically include deposit, loan and credit-processing capabilities, with
interfaces to general ledger systems and reporting tools. Core banking functions differ depending on the specific type of bank. Examples
of core banking products include Infosys’ Finacle, Nucleus FinnOne and Oracle’s Flexcube application (from their acquisition of Indian IT
vendor i-flex).
Elements of Core ♦ Making and servicing loans.
Banking ♦ Opening new accounts.
♦ Processing cash deposits and withdrawals.
♦ Processing payments and cheques.
♦ Calculating interest.
♦ Customer Relationship Management (CRM) activities.
♦ Managing customer accounts.
♦ Establishing criteria for minimum balances, interest rates, number of withdrawals allowed and so on.
♦ Establishing interest rates.
♦ Maintaining records for all the bank’s transactions.

12 May 2017 The Chartered Accountant Student

6
INFORMATION SYSTEMS CONTROL AND AUDIT
CHAPTER 3 PROTECTION OF INFORMATION SYSTEMS
This chapter provides the understanding on the Information Security Policies and various types of Information Systems Controls.

INFORMATION SECURITY POLICY AND ITS HIERARCHY


Information Security Policy: This policy provides a definition of Information Security, its overall objective and the importance that applies
to all users. Various types of Information Security Policies are as follows:
Information Security Policy

User Security Policies Organization Security Policies Condition of Connection

User Security Policy Organizational Information Security Policy

Acceptable Usage Policy Network & System Security Policy

Infomation Classification Policy

 User Security Policies – These include User Security Policy and Acceptable Usage Policy.
 User Security Policy – This policy sets out the responsibilities and requirements for all IT system users. It provides security terms of
reference for Users, Line Managers and System Owners.
 Acceptable Usage Policy – This sets out the policy for acceptable use of email, Internet services and other IT resources.

 Organization Security Policies – These include Organizational Information Security Policy, Network & System Security Policy and Information
Classification Policy.
 Organizational Information Security Policy – This policy sets out the Group policy for the security of its information assets and the
Information Technology (IT) systems processing this information. Though it is positioned at the bottom of the hierarchy, it is the main IT
security policy document.
 Network & System Security Policy – This policy sets out detailed policy for system and network security and applies to IT department users.
 Information Classification Policy – This policy sets out the policy for the classification of information.
 Condition of Connection – This policy sets out the Group policy for connecting to the network. It applies to all organizations connecting
to the Group, and relates to the conditions that apply to different suppliers’ systems.
CLASSIFICATION OF INFORMATION SYSTEMS' CONTROLS
Objectives of Controls Nature of IS Resource Audit Functions
(Based on the time they act) (Based on Resource its implemented) (On Auditor’s perspective)
Preventive Controls: Preventive Environmental Controls: These are the controls relating Managerial Controls: These
Controls are those inputs, which are to IT environment such as power, air-conditioning, Un- are the controls that must be
designed to prevent an error, omission interrupted Power Supply (UPS), smoke detection, fire- performed to ensure development,
or malicious act occurring. Use of extinguishers, dehumidifiers etc. implementation, operation &
passwords to gain access to a financial Physical Access Controls: These are the controls relating maintenance of IS in a planned
system is a preventive control. to physical security of the tangible IS resources and and controlled manner in an
Detective Controls: These controls are intangible resources stored on tangible media etc. Such organization. The controls at this
designed to detect errors, omissions controls include Access control doors, Security guards, level provide a stable infrastructure
or malicious acts that occur and door alarms, restricted entry to secure areas, visitor logged in which information systems can
report the occurrence. An example of access, CCTV monitoring etc. be built, operated, and maintained
a Detective Control would be a use of Logical Access Controls: These are the controls relating on a day-to-day basis.
automatic expenditure profiling where to logical access to information resources such as operating Application Controls: Application
management gets regular reports of systems controls, application software boundary controls, system controls are undertaken to
spend to date against profiled spend. networking controls, access to database objects, encryption accomplish reliable information
Corrective Controls: Corrective controls etc. These controls are implemented to ensure processing cycles that perform the
controls are designed to reduce the that access to systems, data and programs is restricted processes across the enterprise.
impact or correct an error once it has to authorized users to safeguard information against Applications represent the
been detected. A Business Continuity unauthorized use, disclosure or modification, damage or interface between the user and the
Plan (BCP) is a corrective control. loss. business functions.
MANAGERIAL CONTROLS – SCOPE
Managerial Controls Scope
Top Management and Information Discusses the top management’s role in planning, organizing, leading and controlling the information
Systems Management Controls systems function. Also, provides advice to top management in relation to long-run policy.
System Development Management Provides a contingency perspective on models of the information systems development process that
Controls auditors can use as a basis for evidence collection and evaluation.
Programming Management Discusses the major phases in the program life cycle and the important controls that should be
Controls exercised in each phase.
Data Resource Management Controls
Discusses the role of database administrator and the controls that should be exercises in each phase.
Quality Assurance Management Discusses the major functions that quality assurance management should perform to ensure that
Controls the development, implementation, operation, and maintenance of information systems conform to
quality standards.
Security Management Controls Discusses the major functions performed by operations by security administrators to identify major
threats to the IS functions and to design, implement, operate, and maintain controls that reduce
expected losses from these threats to an acceptable level.
Operations Management Controls Discusses the major functions performed by operations management to ensure the day-to-day
operations of the IS function are well controlled.

The Chartered Accountant Student May 2017 13


7
INFORMATION SYSTEMS CONTROL AND AUDIT
APPLICATION CONTROLS - SCOPE
Application Controls Scope
Boundary Establishes interface between the user of the system and the system itself. The system must ensure that it has an
authentic user.
Input Input Controls are validation and error detection of data input into system and are responsible for bringing both
data and instructions in to information system.
Communication Responsible for controls over physical components, communication line errors, flows, links, topological controls,
channel access controls, controls over subversive attacks, internetworking controls, communication architecture
controls etc.
Processing Responsible for computing, sorting, classifying and summarizing data.
Output To provide functions that determine the data content available to users, data format, timeliness of data and how
data is prepared and routed to users.
Database Responsible to provide functions to define, create, modify, delete and read data in an information system.

Information Technology General Controls (ITGC) Financial Controls Personal Computer Controls
ITGC are the basic policies and procedures that ensure These controls are generally defined Most common PC Controls:
that an organization’s information systems are properly as the procedures exercised by the  Physically locking the system;
safeguarded, that application programs and data are secure, system user personnel over source, or  Proper logging of equipment
and that computerized operations can be recovered in case transactions origination, documents shifting must be done;
of unexpected interruptions. before system input. These areas  Centralized purchase of
The objectives of general controls are to ensure the exercise control over transactions hardware/ software;
proper development and implementation of applications, processing using reports generated  Standards set for developing,
the integrity of program and data files and of computer by the computer applications to testing and documenting;
operations. Like application controls, general controls may reflect un-posted items, non-  Uses of antimalware software;
be either manual or programmed. Examples of general monetary changes, item counts  Use of PC and their peripheral
controls include the development and implementation of an and amounts of transactions for must have controls; and
IS strategy and an IS security policy, the organization of IS settlement of transactions processed  Use of disc locks that prevent
staff to separate conflicting duties and planning for disaster and reconciliation of applications to unauthorized access to the floppy
prevention and recovery. general ledger. disk or pen drive of a computer.

MAJOR CYBER ATTACKS SOME TECHNIQUES TO COMMIT


 Phishing: It is the act of attempting to acquire information such as usernames, passwords,
CYBER FRAUDS
and credit card details by masquerading as a trustworthy entity in an electronic
communication. Communications purporting to be from popular social web sites, auction Hacking: It refers to unauthorized
sites, online payment processors or IT administrators are commonly used to lure the access and use of computer systems,
unsuspecting public. usually by means of personal computer
and a telecommunication network.
 Network Scanning: It is a process to identify active hosts of a system, for purpose of Normally, hackers do not intend to
getting information about IP addresses etc. cause any damage.
 Virus/Malicious Code: As per Section 43 of the Information Technology Act, 2000,
"Computer Virus" means any computer instruction, information, data or program that Cracking: Crackers are hackers with
destroys, damages, degrades or adversely affects the performance of a computer resource malicious intentions, which means, un-
or attaches itself to another computer resource and operates when a program, data or authorized entry.
instruction is executed or some other event takes place in that computer resource.
 Spam: E-mailing the same message to everyone on one or more Usenet News Group or
Data Diddling: Changing data before,
LISTSERV lists is termed as Spam. during, or after it is entered into the
 Website Compromise/Malware Propagation: It includes website defacements and hosting system in order to delete, alter, or add
malware on websites in an unauthorized manner. key system data is referred as data
 Others: These are given as follows: diddling.
 Cracking: Crackers are hackers with malicious intentions.
 Eavesdropping: It refers to the listening of the private voice or data transmissions, Denial of Service (DoS) Attack: It
often using a wiretap. refers to an action or series of actions
 E-mail Forgery: Sending e-mail messages that look as if someone else sent it is that prevents access to a software
termed as E-mail forgery. system by its intended/authorized
 E-mail Threats: Sending a threatening message to try and get recipient to do users; causes the delay of its time-
something that would make it possible to defraud him is termed as E-mail threats. critical operations; or prevents any part
 Scavenging: This is gaining access to confidential information by searching of the system from functioning.
corporate records.
IMPACT OF CYBER FRAUDS Internet Terrorism: It refers to the
using Internet to disrupt electronic
 Financial Loss: Cyber frauds lead to actual cash loss to target company/organization. commerce and to destroy company and
For example, wrongfully withdrawal of money from bank accounts. individual communications.
 Legal Repercussions: Entities hit by cyber frauds are caught in legal liabilities to
their customers. Section 43A of the Information Technology Act, 2000, fixes liability
for companies/organizations having secured data of customers. These entities need to Logic Time Bombs: These are the
ensure that such data is well protected. In case a fraudster breaks into such database, it program that lies idle until some
adds to the liability of entities. specified circumstances or a particular
 Loss of credibility or Competitive Edge: News that an organizations database has been time triggers it. Once triggered,
hit by fraudsters, leads to loss of competitive advantage. This also leads to lose credibility. the bomb sabotages the system by
There have been instances where share prices of such companies went down, as the news destroying programs, data or both.
of such attach percolated to the market.
 Disclosure of Confidential, Sensitive or Embarrassing Information: Cyber-attack Masquerading or Impersonation:
may expose critical information in public domain. For example, the instances of In this case, perpetrator gains access
individuals leaking information about governments secret programs. to the system by pretending to be an
 Sabotage: The above situation may lead to misuse of such information by enemy country. authorized user.

14 May 2017 The Chartered Accountant Student

8
INFORMATION SYSTEMS CONTROL AND AUDIT
CHAPTER 4 BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
This Chapter introduces the concepts of Business Continuity Management, Business Continuity Planning, Back-ups and Disaster
Recovery Planning (DRP).

BUSINESS CONTINUITY PLANNING (BCP)


It is creation and validation of a logistical plan for how an enterprise will recover & restore partially or completely interrupted critical functions
within a predetermined time after a disaster or extended disruption.

OBJECTIVES & GOALS DEVELOPMENT

OBJECTIVES Each of these phases are described below:


 Provide the safety and well-being of people on the Phase 1 – Pre-Planning Activities (Project Initiation): This Phase is used to obtain an
premises at the time of disaster; understanding of the existing and projected computing environment of the organization.
 Continue critical business operations; Phase 2 – Vulnerability Assessment and General Definition of Requirements: This
 Minimize the duration of a serious disruption phase addresses measures to reduce probability of occurrence of disaster.
to operations and resources (both information
Phase 3 – Business Impact Assessment (BIA): A Business Impact Assessment (BIA) of
processing and other resources);
all business units that are part of the business environment enables the project team to
 Minimize immediate damage and losses;
identify critical systems, processes and functions; assess economic impact of incidents/
 Establish management succession and emergency
disasters; & assess “pain threshold”.
powers;
 Facilitate effective co-ordination of recovery tasks; Phase 4 – Detailed Definition of Requirements: During this phase, a profile of recovery
 Reduce the complexity of the recovery effort; and requirements is developed. This profile is to be used as a basis for analyzing alternative
 Identify critical lines of business and supporting recovery strategies. Another key deliverable of this phase is the definition of the plan
functions. scope, objectives and assumptions.
Phase 5 – Plan Development: During this phase, recovery plans components are defined
GOALS and plans are documented.
 Identify weaknesses and implement a disaster Phase 6 – Testing/Exercising Program: Testing/ exercising goals are established and
prevention program; alternative testing strategies are evaluated.
 minimize the duration of a serious disruption to
Phase 7 – Maintenance Program: It is critical that existing change management
business operations;
processes are revised to take recovery plan maintenance into account.
 facilitate effective co-ordination of recovery tasks;
and Phase 8 – Initial Plan Testing and Implementation: Once plans are developed, initial
 reduce the complexity of the recovery effort. tests of the plans are conducted and any necessary modifications to the plans are made
based on an analysis of test results.

BUSINESS CONTINUITY MANAGEMENT


(A) Business Continuity Management (BCM) is a very effective management process to help enterprises to manage the disruption of all kinds,
providing countermeasures to safeguard from the incident of disruption of all kinds.
(B) Advantages of BCM are that- The enterprise:
 can proactively assess the threat scenario and potential risks;
 has planned response to disruptions which can contain the damage and minimize the impact on the enterprise; and
 can demonstrate a response through a process of regular testing and trainings.
(C) B
 CM Policy is a high-level document, which shall be the guide to make a systematic approach for disaster recovery, to bring about
awareness among the persons in scope about the business continuity aspects and its importance and to test and review the BCP for the
enterprise in scope.
(D) BCM Process: A BCM process should be in place to address the policy and objectives as defined in the Business Continuity Policy by
providing organization structure with responsibilities and authority, implementation and maintenance of BCM.
 BCM – Process: The management process enables the business continuity, capacity and capability to be established and maintained.
The capacity and capability are established in accordance to the requirements of the enterprise. The sub-processes are Organization
Structure; Implementing Business Continuity and Documentation and Records.
 BCM – Information Collection Process: The activities of assessment process do the prioritization of an enterprise’s products and
services and the urgency of the activities that are required to deliver them. This sets the requirements that will determine the selection of
appropriate BCM strategies in the next process. This process involves Business Impact Analysis and Risk Assessment.
 BCM – Strategy Process: This requires an appropriate response to be selected at an acceptable level and during and after a disruption
within an acceptable timeframe for each product or service, so that the enterprise continues to provide those products and services. This
involves range of strategies - Organization BCM Strategy; Process Level BCM Strategy and Resource Recovery BCM Strategy.
 BCM – Development and Implementation Process: This involves the Development of a management framework and a structure of
Incident Management, Business Continuity and Business Recovery and Restoration Plans.
 BCM – Testing and Maintenance Process: BCM testing, maintenance and audit testify the enterprise BCM to prove the extent to
which its strategies and plans are complete, current and accurate; BCM audit and Review arrangements to identify opportunities for
improvement.
 BCM – Training Process: Extensive trainings in BCM framework, incident management, business continuity, business recovery and
restoration plans enable it to become part of the enterprise’s core values and provide confidence in all stakeholders in the ability of the
enterprise to cope with minimum disruptions and loss of service. Accessing needs, designing and delivery trainings and measuring results
are the activities under this process.

The Chartered Accountant Student May 2017 15


9
TYPES OF PLANS

INFORMATION SYSTEMS CONTROL AND AUDIT


TYPES OF PLANS
Emergency Plan Back-Up Plan Recovery Plan Test Plan
 The Emergency Plan specifies the actions to 
The Backup Plan specifies  Recovery Plan sets out 
The purpose of
be undertaken immediately when a disaster the type of backup to be kept, procedures to restore the Test Plan is to
occurs. frequency with which backup full information system identify deficiencies
 Management must identify those situations that is to be undertaken, procedures capabilities. in the emergency,
require the plan to be invoked e.g., major fire, for making backup, location of  Recovery plan should backup, or recovery
major structural damage, and terrorist attack. backup resources, site where these identify a recovery plans or in the
 When the situations that evoke the plan have resources can be assembled and committee that will be preparedness of an
been identified, four aspects of the emergency operations restarted, personnel responsible for working organization and its
plan must be articulated. First, the plan must who are responsible for gathering out the specifics of personnel for facing
show ‘who is to be notified immediately when backup resources and restarting the recovery to be a disaster.
the disaster occurs - management, police, fire operations, priorities to be assigned undertaken. 
It must enable a
department, medicos, and so on’. Second, the to recovering the various systems,  The plan should specify range of disasters
plan must show actions to be undertaken, and a time frame for recovery of the responsibilities of the to be simulated
such as shutdown of equipment, removal of each system. committee and provide and specify the
files, and termination of power. Third, any  The backup plan needs continuous guidelines on priorities criteria by which the
evacuation procedures required must be updating as changes occur. to be followed. The plan emergency, backup,
specified. Fourth, return procedures (e.g.,  lists of hardware and software must might also indicate which and recovery plans
conditions that must be met before the site is be updated to reflect acquisitions applications are to be can be deemed
considered safe) must be designated. and disposals. recovered first. satisfactory.
TYPES OF BACK - UPS
Type Definition Advantages Disadvantages Example
Full A complete  Restores are fast and easy  Backups can take very long as each file Suppose a full backup job or task is to be done
Backup backup of to manage as the entire is backed up again every time the full every night from Monday to Friday. The first
everything list of files and folders are backup is run. backup on Monday will contain the entire list of
you want to in one backup set.  Consumes the most storage space files and folders in the backup job. On Tuesday,
backup.  Easy to maintain and compared to incremental and the backup will include copying all the files
restore different versions. differential backups. The exact same and folders again, no matter the files have got
files are stored repeatedly resulting in changed or not. The cycle continues this way.
inefficient use of storage.

Type Definition Advantages Disadvantages Example


Differential The backup  Much faster backups then  Backups are slower than incremental Suppose a differential backup job or task
Backup software looks full backups. backups. is to be done every night from Monday
at which files  More efficient use of  Not as efficient use of storage space as to Friday. On Monday, the first backup
have changed storage space then full compared to incremental backups. All will be a full back up since no prior
since you backups since only files files added or edited after the initial full backups have been taken. On Tuesday, the
last did a full changed since the last full backup will be duplicated again with differential backup will only backup the
backup. Then backup will be copied on each subsequent differential backup. files that have changed since Monday and
creates copies each differential backup  Restores are slower than with full any new files added to the backup folders.
of all the run. backups. On Wednesday, the files changed and files
files that are  Faster restores than  Restores are a little more complicated added since Monday’s full backup will be
different from incremental backups. than full backups but simpler than copied again. While Wednesday’s backup
the ones in the incremental backups. Only the full does not include the files from the first full
full backup. backup set and the last differential backup, it still contains the files backed up
backup are needed to perform a restore. on Tuesday.

Type Definition Advantages Disadvantages Example


Incremental The backup  Much faster backups.  Restores are slower than with Suppose an Incremental backup job or task is
Backup software creates  Efficient use of storage a full back-up and differential to be done every night from Monday to Friday.
copies of all the space as files is not backups. This first backup on Monday will be a full back up
files, or parts of files duplicated. Much less  Restores are a little more since no backups have been taken prior to this.
that have changed storage space used complicated. All backup However, on Tuesday, the incremental backup
since previous compared to running sets (first full backup and all will only backup the files that have changed
backups of any type full backups and even incremental backups) are since Monday and the backup on Wednesday
(full, differential or differential backups. needed to perform a restore. will include only the changes and new files since
incremental). Tuesday’s backup. The cycle continues this way.
Type Definition Advantages Disadvantages Example
Mirror Mirror backups are  The backup  There is a chance that Many online backup services offer a mirror backup with a 30 day
Backup a mirror of the source being is clean and files in the source delete. This means that when you delete a file on your source,
backed up. With mirror does not deleted accidentally, that file is kept on the storage server for at least 30 days before it
backups, when a file in the contain old by sabotage or is eventually deleted. This helps strike a balance offering a level
source is deleted, that file and obsolete through a virus may of safety while not allowing the backups to keep growing since
is eventually also deleted in files. also be deleted from online storage can be relatively expensive. Many backup software
the mirror backup. the backup mirror. utilities do provide support for mirror backups.
DISASTER RECOVERY PLANNING
Disaster Recovery Planning (DRP) is the factor that makes the critical difference between the organizations that can successfully manage crises with
minimal cost and effort and maximum speed, and those that are left picking up the pieces for untold lengths of time and at whatever cost providers
decide to charge; organizations forced to make decision out of desperation. The primary goal of any disaster recovery plan is to help the organization
maintain its business continuity, minimize damage, and prevent loss.
DRP will specify how the recovery of a function will be performed. Within a DR plan, there will be individual component system recovery plans
that would specify steps to recover. The big difference between BCP and DR plan is that a DRP will specify how the recovery of a function will be
performed. Within a DR plan, there will be individual component system recovery plans that would specify steps to recover.

16 May 2017 The Chartered Accountant Student

10
INFORMATION SYSTEMS CONTROL AND AUDIT

CHAPTER 5 ACQUISITION, DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SYSTEMS

This chapter conceptualizes a systematic approach to Systems Development Life Cycle (SDLC) and reviews its phase activities,
methods, tools and controls etc. and provides an analytical understanding of different SDLC models.

SYSTEMS DEVELOPMENT METHODOLOGY

• A formalized, standardized, well-organized and documented set of activities.


• Refers to the process of examining a business situation with the intent of improving it through better procedures and methods.
• A framework to structure, plan and control the process of developing.
• Example - Waterfall Model, Prototyping Model, Incremental Model, Spiral Model, RAD Model and Agile Model.

Characteristics Description

Process Project divided into number of identifiable processes, with each process having a starting point and an ending
point; comprises several activities; one or more deliverables, and several management control points.

Deliverables The specific reports and other documentation must be produced periodically during system development.

Sign-offs Generally provided by users, managers, and auditors that signify approval of the development process and the
system being developed.

Testing Project divided into number of identifiable processes, with each process having a starting point and an ending
point; comprises several activities; one or more deliverables, and several management control points.

Training A training plan for its future users.

Controls Formal program change controls established to prevent unauthorized changes to computer programs.

Post-implementation Review A post-implementation review of all developed systems must be performed to assess the effectiveness and
efficiency of the new system and of the development process.

SYSTEMS DEVELOPMENT LIFE CYCLE (SDLC)

Systems Development Life Cycle (SDLC) consists of a generic sequence of steps or phases in which each phase of the SDLC uses the results of
the previous one and provides system designers and developers to follow a sequence of activities. The following phases are involved in the cycle:

Phase I: Preliminary Investigation: A preliminary investigation is normally initiated by some sort of system request. The deliverable of the
preliminary investigation includes a report including feasibility study observations.

1. Identification of Problem 4. Feasibility Study 5. Reporting Results to


Define the problem clearly and The likelihood that the proposed system will be useful for the Management
precisely. organization is determined on following factors: Provides one or more solution
2. Identification of Objectives  Technical Feasibility: It answers whether implementation of alternatives and estimates
the project is viable using current technology. the cost and benefits of each
Work out and precisely specify alternative and reports these
the objectives of the proposed  Financial Feasibility: This checks for whether the proposed results to the management.
solution. solution may be costly for the user organization.
6. Internal Control Aspects
3. Delineation of Scope  Economic Feasibility: This includes an evaluation of
incremental cost and benefit expected if the proposed system Management implements
Defines its typical boundaries proper internal audit team
that clearly and comprehensibly is implemented.
to ensure proper business
states the extent and defines  Schedule or Time Feasibility: – This marks an estimation of objectives.
‘What will be addressed by the time it will take a new system to become operational.
solution and what will not be'.  Resources Feasibility: Implementing sophisticated software
solutions becomes difficult at specific locations because of
the reluctance of skilled personnel to move to such locations.
 Operational Feasibility: This is concerned with finding view
of workers, employees, customers and suppliers about the
use of new system.
 Behavioural Feasibility: This refers to the systems, which
is to be designed to process data and produce the desired
outputs.

Phase II: System Requirement Analysis: This phase includes a thorough and detailed understanding of the current system, identifies the areas
that need modification to solve the problem, the determination of user/managerial requirements and to have fair idea about various systems
development tools.

The Chartered Accountant Student May 2017 17


11
INFORMATION SYSTEMS CONTROL AND AUDIT
1. Fact 2. Analysis of the 3. System Analysis 4. System 5. System 6. Roles involved 7. Internal
Finding Present Systems of Proposed Systems Development Tools Specification in SDLC Controls
Every system This step involves After thorough These are used The systems analyst A variety of tasks This includes
is built to meet survey of existing analysis, the to conceptualize, prepares a document during the SDLC whether
some set of methods, proposed system clarify, document called Systems are performed by present system
needs. To procedures, data specifications' and communicate Requirement Steering Committee analysis has
assess these flow, outputs, files, outputs are clearly the activities Specifications / Project Manager/ been properly
needs - input and internal determined; that and resources (SRS). SRS contain Project Leader / done; whether
Documents, controls should be results in inferring involved in the Introduction, System Analyst appropriate
Questionnaires, intensive to fully what inputs, organization and Information / Team Leader / domain expert
Interviews, understand the database, methods, its IS . Example – Description, Functional Developers/ Testers was engaged;
Observation present system and procedures and data Structured English, Description, / Auditors etc. whether all user
are some fact- its related problems. communications Flowcharts, Data Behavioural based on requisite requirements of
finding tools. must be employed. Flow Diagrams, Description, Validation expertise as well as proposed system
Decision Tree, etc. Criteria, Appendices skills set. have been
and SRS Review. considered; etc.

Phase I: Preliminary Investigation

Phase VIII: Post Implementation Phase II: Systems Requirement Analysis


Review and Maintenance

Phase VII: Systems Implementation Phase III: Systems Design

Phase VI: Systems Testing Phase IV: Systems Acquisition

Phase V: Systems Development

Phase III: Systems Design: The objective is to design an Information System that best satisfies the users/managerial requirements. It
describes the parts of the system and their interaction; sets out how the system shall be implemented using the chosen hardware, software
and network facilities; specifies the program and the database specifications and the security plans and further specifies the change control
mechanism to prevent uncontrolled entry of new requirements.
Architectural Design This deals with the organization of applications in terms of hierarchy of modules and sub-modules wherein
major modules; functions and scope of each module; interface features of each module; modules that each
module can call directly or indirectly and Data received from / sent to / modified in other modules are
identified.
Design of data flow This includes designing the data / information flow for the proposed system, the inputs that are required are
and user interface for existing data / information flows, problems with the present system, and objective of the new system.
proposed system
Design of Database This involves determining its scope ranging from local to global structure and include Conceptual Modeling,
Data Modeling, Storage Structure Design and Physical Layout Design.
User Interface design It involves determining the ways in which users will interact with a system like - source documents to capture
raw data, hard-copy output reports, screen layouts for dedicated source-document input, inquiry screens for
database interrogation, graphic and color displays, and requirements for special input/output device.
Physical Design Concentrates on the issues like the type of hardware for client and server application, Operating systems to
be used, type of networking, periodical batch processing, online or real-time processing; frequency of I/O
etc.
System’s Operating The new hardware/system software platform required to support the application system will then have to be
Platform designed for requisite provisions.
Internal Design Controls The key control aspects at this stage include - Whether management reports were referred by System
Designer? Whether all control aspects have been properly covered?, etc.

Phase IV: Systems Acquisition: After a system is designed either partially or fully, the next phase of the systems development starts, which
relates to the acquisition of operating infrastructure including hardware, software and services. Such acquisitions are highly technical and
cannot be taken easily and for granted. Thereby, technical specifications, standards etc. come to rescue.
Acquisition Standards Acquiring System Components from vendors Other Acquisition aspects and practices
This focuses on ensuring The organization gets a reasonable idea of the Includes several other acquisition aspects and practices also like
security, reliability, and types of hardware, software and services, it needs – H/w Acquisition; S/w Acquisition; Contracts, S/w Licenses
functionality already built into for the system being developed. Request For and Copyright Violations, Validation of Vendors’ proposals and
a product. Proposal (RFP) from vendors called. methods of validating them.

18 May 2017 The Chartered Accountant Student

12
INFORMATION SYSTEMS CONTROL AND AUDIT
Phase V: Systems Development: This phase is supposed to convert the design specifications into a functional system under the planned
operating system environments. Application programs are written, tested and documented, conduct system testing that results into a fully
functional and documented system.
Program Coding Programming Language Program Debugging Program Testing Program Program
Standards Documentation Maintenance
Coding Standards High level P/L such as Debugging is the most Programmer should The requirements The requirements
provide simplicity, COBOL, C, C++, Java etc.. primitive form of testing plan the testing to be of business of business
interop erability, Scripting language such as activity, which refers to performed, including data processing data processing
c o mp at i b i l i t y, JavaScript, VBScript, and correcting programming testing of all the applications are applications are
efficient utilization Decision Support or Logic language syntax and possible exceptions. subject to periodic subject to periodic
of resources and Programming languages diagnostic errors so that change that calls change. This calls
least processing such as LISP, PROLOG are the program compiles for modification of for modification of
time. used. cleanly. various programs. various programs.

Phase VI: Systems Testing: Testing is a process used to identify the correctness, completeness and quality of developed computer
software. Different levels of Testing are as follows:
Unit Testing Integration Testing Regression Testing System Testing Final Acceptance
A unit is the smallest testable part of anIntegration testing is an Each time a It is a process in which software and Testing
application, which may be an individual activity of software testing new module is other system elements are tested as During this testing,
program, function, procedure, etc. in which individual software added or any a complete system. The purpose of it is ensured that the
or may belong to a base/super class, modules are combined and modification made system testing is to ensure that the new system satisfies
abstract class or derived/child class. tested as a group. This is in the software, new or modified system functions the quality standards
The categories of tests that a carried out in the following it changes. New properly. These test procedures are adopted by the business
programmer typically performs on a two manners: data flow paths are often performed in a non-production and the system satisfies
program unit are as follows: Bottom-up Integration: estab-lished, new test environment. The types of testing the users. It is classified
I/O may occur and that might be carried out are as as under:
Functional Tests: Functional Tests It is the traditional strategy new control logic follows:
check ‘whether programs do, what they used to integrate the Quality Assurance
components of a software is invoked. These Recovery Testing: This is the activity Testing: It ensures that
are supposed to do or not’. changes may
system into a functioning of testing ‘how well the application is the new system satisfies
Performance Tests: Performance whole. It consists of unit cause problems able to recover from crashes, hardware the prescribed quality
Tests should be designed to verify the testing, followed by sub- with functions failures and other similar problems’. standards and the
response time, the execution time, the system testing, and then that previously development process is
throughput, primary and secondary testing of the entire system. worked flawlessly. Security Testing: The six basic
security concepts that need to be as per the organization’s
memory utilization and the traffic rates In the context of quality assurance
on data channels and communication Top-down Integration: It the integration covered by security testing are –
policy, methodology
links. starts with the main rou-tine, testing, the confidentiality, integrity, availability
and stubs are substituted, authentication, authorization, and and prescriptions.
Stress Tests: Stress testing is a form for the modules directly regression tests
ensure that non-repudiation. User Acceptance
of testing that involves testing beyond subordinate to the main
normal operational capacity, often to a module. Once the main changes or Stress or Volume Testing: It involves Testing: It ensures
breaking point, to observe the results. corrections have testing beyond normal operational that the functional
module testing is complete, not introduced capacity, often to a breaking point, to aspects expected by the
Structural Tests: Structural Tests are stubs are substituted with new faults. The observe the results. users have been well
concerned with examining the internal real modules one by one, data used for the addressed in the new
processing logic of a software system. and these modules are Performance Testing: This testing system.
regression tests technique compares the new
Parallel Tests: In Parallel Tests, the tested with stubs. This should be the same system's performance with that of
same test data is used in the new and old process continues till the as the data used in similar systems using well defined
system and the output results are then atomic modules are reached. the original test. benchmarks.
compared.

Phase VII: Systems Implementation: Generic key activities involved in System Implementation include Conversion of data to the new system files; Training of
end users; Completion of user documentation; System changeover; and Evaluation of the system a regular interval. Some of generic activities that are performed
are as follows:
Equipment Training System Change-Over Strategies Conversion Activities
Installation Personnel Conversion/changeover is the process of changing Conversion includes all those activities, which must be
An installation A system can over or shifting over from the old system (may be the completed to successfully convert from the previous system to
checklist succeed or fail manual system) to the new system. It requires careful the new information system.
should be depending on planning to establish the basic approach to be used in  Procedure Conversion: Before any parallel or conversion
developed the way it is the actual changeover, as it may put many resources/ activities can start, operating procedures must be clearly
now with operated and assets/operations at risk. The four types of popular spelled out for personnel in the functional areas undergoing
operating used. Therefore, implementation strategies are as follows: changes.
advice from the quality  Direct Implementation / Abrupt Change-Over:
the vendor of training  File Conversion: Because large files of information must
With this strategy, the changeover is done in one be converted from one medium to another, this phase
and system received by operation, completely replacing the old system in one
development the personnel should be started long before programming and testing
go. are completed.
team. involved with
the system  Phased Changeover: With this strategy,  System Conversion: After on-line and off-line files have
in various implementation can be staged with conversion to been converted and the reliability of the new system has
capacities helps the new system taking place gradually. been confirmed for a functional area, daily processing
or hinders  Pilot Changeover: With this strategy, the new can be shifted from the existing information system to the
the successful system replaces the old one in one operation but new one.
implementation only on a small scale.  Scheduling Personnel and Equipment: Schedules should
of information  Parallel Changeover: This is considered the most be set up by the system manager in conjunction with
system. secure method with both systems running in departmental managers of operational units serviced by
parallel over an introductory period. the equipment.

The Chartered Accountant Student May 2017 19


13
INFORMATION SYSTEMS CONTROL AND AUDIT
Phase VIII: Post Implementation Review and Systems Maintenance: A well-formalized review must be undertaken including some of the systems
maintenance activities, such as adding new data elements, modifying reports, adding new reports; and changing calculations.
Post Implementation Review: System Maintenance: As key personnel change positions in the organization, new changes will be
A Post Implementation Review implemented, which will require system updates at regular intervals. It can be categorized in the following
answers the question “Did we ways:
achieve what we set out to do in  Scheduled Maintenance: Scheduled maintenance is anticipated and can be planned for operational
business terms?” continuity and avoidance of anticipated risks.
 Development Evaluation: It  Rescue Maintenance: Rescue maintenance refers to previously undetected malfunctions that were not
requires schedules and budgets anticipated but require immediate troubleshooting solution.
to be established in advance and
that record of actual performance  Corrective Maintenance: Corrective maintenance deals with fixing bugs in the code or defects found
and cost be maintained. during the executions.
 Operational Evaluation: It tries  Adaptive Maintenance: Adaptive maintenance consists of adapting software to changes in the
to answer the questions related to environment, such as the hardware or the operating system.
functional aspects of the system.  Perfective Maintenance: Perfective maintenance mainly deals with accommodating to the new or
 Information Evaluation: An changed user requirements and concerns functional enhancements to the system and activities to increase
information system should the system’s performance or to enhance its user interface.
also be evaluated in terms  Preventive Maintenance: Preventive maintenance concerns with the activities aimed at increasing the
of information it provides or system’s maintainability, such as updating documentation, adding comments, and improving the modular
generates. structure of the system.

POPULAR SDLC MODELS

1. Waterfall Model
Preliminary Investigation

Requirements Analysis

System Design

System Development

System Testing

System
Implementation
Feedback and Maintenance

Concept Advantages Weaknesses


Project is divided into sequential phases, with some overlap and splash  A waterfall model is easy to follow  Inflexible- rigid
back/feedback acceptable between phases (in modified versions of and can be implemented for any size in requirement
Waterfall Model). project. gathering and not
 Preliminary investigation – Looking at the drawbacks in the existing  A waterfall model helps find problems open for change in
system, establishing the need of propose system and applying cost earlier on which can cost a business less requirement;
benefit criteria in the proposed application. than if it was found later.  Slow- as each
 Requirement Analysis – Determining user information  Requirements will be set and these phase is linear;
requirements – what they want from the new system. would not be changed.  Costly and
 Systems Design – Designing the user interface, files to be used, and  Documentation is produced at every cumbersome.
information processing functions to be performed by system. stage of a waterfall model, thus allowing  If requirements
 System Development – Designing, coding, compiling, testing, and people/new team to understand what change, the
documenting programs and system procedures and forms for the has been done and what is to be done. Waterfall model
users of system.  Progress of system development is may not work.
 System Testing – Final testing of the system and formal approval measurable.
and acceptance by management and users.  The orderly sequence ensures reliability,
 System Implementation and Maintenance – Ongoing running of quality, adequacy and maintainability
the system and subsequent modification considering problems of developed software.
detected.

20 May 2017 The Chartered Accountant Student

14
INFORMATION SYSTEMS CONTROL AND AUDIT
2. Prototyping Model
Proto Typing

Initial
Design Customer Customer
Requirements
Evaluation Satified

Review &
Updation

Maintain Test Development

Concept Advantages Weaknesses


Prototyping is the process of quickly putting  Users are actively involved in the  Each iteration builds on the previous iteration
together a working model (a prototype) to test development. and further refines the solution. This makes
various aspects of a design, illustrate ideas or  Users can try the system and provide it difficult to reject the initial solution as
features and gather early user feedback. A small constructive feedback during inappropriate and start over.
or pilot version called a ‘Prototype’ is developed development.  Formal end-of-phase reviews do not occur. Thus,
that is built quickly and at a lesser cost. When  Quicker user feedback is available its is very difficult to contain the scope of the
a prototype is developed that satisfies all user leading to better solutions prototype.
requirements, either it is refined and turned  An operational prototype can be  System documentation is often absent or
into the final system or it is scrapped. If it is produced in weeks. incomplete, since the primary focus is on
scrapped, the knowledge gained from building  Users become more positive about development of the prototype.
the prototype is used to develop the real system. implementing the system as they see a  System backup and recovery, performance, and
The basic idea here is that instead of freezing solution emerging that will meet their security issues can be overlooked.
the requirements before a design or coding needs.  Leads to implementing and then repairing way
can proceed, a throwaway prototype is built to  Prototyping enables early detection of of building systems.
understand the requirements. This prototype errors.  Practically, this methodology may increase the
is developed based on the currently known  Since in this methodology a working complexity of the system as scope of the system
requirements. By using this prototype, the client model of the system is provided, the may expand beyond original plans.
can get an “actual feel” of the system, since the users get a better understanding of  Incomplete application may cause application
interactions with prototype can enable the client the system being developed. not to be used as the full system was designed.
to better understand the requirements of the  Missing functionality can be  Incomplete or inadequate problem analysis.
desired system. identified easily.

3. Incremental Model
Functionality
A : Analysis Phase
D : Design Phase
I : Implementation Phase Increment n
T : Testing Phase
A
Increment 2 D
I
A
T
Increment 1 D
I
A
D T
I
T
Time
Concept Advantages Weaknesses
The Incremental model is a method of software development  After each iteration, regression testing is  Resulting cost may
where the model is designed, implemented and tested conducted in which faulty elements of the software exceed the cost of the
incrementally (a little more is added each time) until the are quickly identified because few changes are organization.
product is finished. The product is defined as finished when made within any single iteration.  As additional
it satisfies all its requirements. This model combines the  Generally easier to test and debug than other functionality is added
elements of the waterfall model with the iterative philosophy methods of software development because relatively to the product,
of prototyping. smaller changes are made during each iteration. This problems may arise
The Incremental model is a method of software development allows for more targeted and rigorous testing of each related to system
where the model is designed, implemented and tested element within the overall product. architecture which
incrementally (a little more is added each time) until the  Customer can respond to features and review the were not evident in
product is finished. The product is decomposed into several product for any needful changes. earlier prototypes.
components, each of which are designed and built separately
(termed as builds).
The Chartered Accountant Student May 2017 21
15
INFORMATION SYSTEMS CONTROL AND AUDIT
4. Spiral Model

Concept Advantages Weaknesses


Spiral model is a combination of sequential and prototype  High amount of risk analysis hence,  Can be a costly model to use.
model. There are specific activities which are done in one avoidance of risk is enhanced.  Risk analysis requires highly
iteration (spiral) where the output is a small prototype of  Good for large and mission-critical projects. specific expertise.
the large software. The same activities are then repeated  Strong approval and documentation control.  Project’s success is highly
for all the spirals till the entire software is built. The spiral  Additional Functionality can be added later. dependent on the risk analysis
model is intended for large, expensive and complicated  Software is produced early in the software phase.
projects. Game development is a main area where the spiral life cycle.  Does not work well for smaller
model is used and needed, that is because of the size and the projects.
constantly shifting goals of those large projects.

5. Rapid Application Development (RAD) Model: The RAD (Rapid Application Development) model is based on prototyping
and iterative development with no specific planning involved. The process of writing the software itself involves the planning required for
developing the product. RAD focuses on gathering customer requirements through workshops or focus groups, early testing of the prototypes
by the customer using iterative concept, reuse of the existing prototypes (components), continuous integration and rapid delivery.
Concept Advantages Weaknesses
RAD approaches to software development but less emphasis on planning  Reduced development  Depends on strong team and individual
tasks and more emphasis on development. In contrast to the waterfall time. performances for identifying business
model, which emphasizes rigorous specification and planning, RAD  Increases reusability of requirements.
approaches emphasize the necessity of adjusting requirements in reaction components.  Only system that can be modularized
to knowledge gained as the project progresses. Features of model are: can be built using RAD.
 Rapid Application Development.  Quick initial reviews occur.  Requires highly skilled developers/
 Emphasizes on a short development cycle.  Encourages customer designers.
 A “high speed” adaptation of the waterfall model. feedback.  High dependency on modeling skills.
 Uses a component-based construction approach.  Integration from very  Inapplicable to cheaper projects as
 May deliver software within a very short time (e.g. 60 to 90 days) if beginning solves a lot of cost of modeling and automated code
requirements are well understood and project scope is constrained. integration issues. generation is very high.

6. Agile Model: Agile modelling is a methodology for modelling and documenting software systems based on best practices. It is
an organized set of s/w development methodologies based on iterative and incremental development. This is an organized set of software
development methodologies based on the iterative and incremental development, where requirements and solutions evolve through
collaboration between self-organizing, cross-functional teams. It promotes adaptive planning, evolutionary development and delivery; time
boxed iterative approach and encourages rapid and flexible response to change.
Concept Advantages Weaknesses
Agile Manifesto is based on following 12 features:  Customer satisfaction by  In case of some software deliverables,
rapid, continuous delivery of especially the large ones, it is difficult to
 Customer satisfaction by rapid delivery of useful software; useful software. assess the effort required at the beginning
 Welcome changing requirements, even late in development;  People and interactions are of the software development life cycle.
 Working software is delivered frequently (weeks rather than months); emphasized rather than  There is lack of emphasis on necessary
 Working software is the principal measure of progress; process and tools. Customers, designing and documentation.
 Sustainable development, able to maintain a constant pace; developers and testers  The project can easily get taken off track
 Close, daily co-operation between business people and developers; constantly interact with each if the customer representative is not
 Face-to-face conversation is the best form of communication (co- other.
 Working software is delivered clear of what outcome that they want.
location);
frequently (weeks rather than  Only senior programmers can take the
 Projects are built around motivated individuals, who should be trusted;
months). kind of decisions required during the
 Continuous attention to technical excellence and good design;
 Face-to-face conversation development process. Hence it has no
 Simplicity;
is the best form of place for newbie programmers, unless
 Self-organizing teams; and
communication. combined with experienced resources.
 Regular adaptation to changing circumstances.

ROLE OF AUDITOR IN SDLC


To ensure ‘what project control To provide a list of the standard controls, over such operational
standards are to be complied with'. concerns as response time, CPU usage, and random access space
availability as assessment criteria.
Attend project and steering committee
meetings and examine project control To determining the extent to which
documentation and conducting interviews. Role of Auditor in SDLC compliance is being achieved.

Post-implementation, to determine if expected


Post-implementation, to review which of the benefits of new system are realized and whether
SDLC phases have not met desired objectives and users are satisfied with new system.
whether any corrective actions were taken.

22 May 2017 The Chartered Accountant Student

16
INFORMATION SYSTEMS CONTROL AND AUDIT
CHAPTER – 6 AUDITING OF INFORMATION SYSTEMS
This chapter comprehends the knowledge about the Information Systems Audit, its need, methodology and related standards. The
chapter also provides an in-sight to various types of controls, their related concepts and their audit.
NEED AND CONTROL OF INFORMATION SYSTEMS’ AUDIT

Value of hardware, software personnel Cost of computer abuse Controlled evolution of computer use

Costs of incorrect decision making High costs of computer error


Organization
Organizational costs of data loss Maintenance of privacy
Control and Audit of Computer-based Information Systems
Information Systems Auditing
Improved Safeguarding of assets
Organization Improved System Efficiency
Improved data Integrity
Improved System effectiveness

NEED AND CONTROL OF INFORMATION SYSTEMS’ AUDIT


Organisational Costs of Data Data is a critical resource of an organisation for its present and future process and its ability to adapt and
Loss survive in a changing environment.
Cost of Incorrect Decision Management and operational controls taken by managers involve detection, investigations and correction of
Making the processes.
Value of Computer Hardware, These are critical resources of an organisation, which has a credible impact on its infrastructure and business
Software and Personnel competitiveness.
Costs of Computer Abuse Unauthorised access to computer systems, malwares, unauthorised physical access to computer facilities and
unauthorised copies of sensitive data can lead to destruction of assets.
Controlled evolution of Use of Technology and reliability of complex computer systems cannot be guaranteed and the consequences
computer Use of using unreliable systems can be destructive.
High Costs of Computer Error In a computerised enterprise environment where many critical business processes are performed, a data
error during entry or process would cause great damage.
Maintenance of Privacy Data collected in a business process contains private information about an individual that needs to be maintained.
INFORMATION SYSTEMS’ AUDIT OBJECTIVES
Asset Safeguarding Objectives The information system assets (hardware, software, data information etc.) must be protected by a system of
internal controls from unauthorised access.
Data Integrity Objectives Data integrity important from the business perspective of the decision maker, competition and the market
environment.
System Effectiveness Objectives Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet
business and user requirements.
System Efficiency Objectives To optimize the use of various information system resources along with the impact on its computing environment.

EFFECT OF COMPUTERS ON AUDIT


To examine Effect of Computers on IS Audit
(The auditor should be competent to independent evaluation as to whether the business process activities are recorded and reported
as per established standards or criteria.)

Changes to Evidence Collection Changes to Evidence Evaluation


Data retention and Storage System generated transactions
Absence of input documents
Non-availability of Audit trail
Audit evidence Automated transaction processing
Lack of availability of printed
Legal Issues output Systemic Error

INFORMATION SYSTEMS’ AUDITOR

SKILL SET FUNCTIONS (To Assess)

 Sound knowledge of business operations, practices and compliance requirements;  Inadequate information security controls;
 Should possess the requisite professional technical qualification and certifications;
 Good understanding of information Risks & Controls;  Inefficient use of resources, or poor governance;
 Knowledge of IT strategies, policy & procedural controls;  Ineffective IT strategies, policies and practices; and
 Ability to understand technical and manual controls relating to business continuity; and  IT-related frauds (including phishing, hacking etc.)
 Good knowledge of Professional Standards and Best Practices of IT controls & security.

The Chartered Accountant Student May 2017 23


17
INFORMATION SYSTEMS CONTROL AND AUDIT
INFORMATION SYSTEMS’ AUDIT
The Information Systems (IS) Audit process is to evaluate the adequacy of internal controls about both specific computer program and the data
processing environment. The IS Audit of an IS environment may include one or both:
• Assessment of internal controls within the IS environment to assure validity, reliability, and security of information and information systems.
• Assessment of the efficiency and effectiveness of the IS environment.
INFORMATION SYSTEMS’ AUDIT

CATEGORIES STEPS TOOLS

Systems and Application: To verify that Scoping Snapshots: The snapshot software
systems & applications are appropriate, is built into system at those points
Planning
are efficient, and are adequately controlled where material processing occurs
to ensure valid, reliable, timely, and secure Fieldwork
which takes images of flow of any
input, processing, and output at all levels of Analysis
transaction as it moves through
a system's activity. Reporting application.
Information Processing Facilities: Close
Integrated Test Facility (ITF): The
To verify that the processing facility is ITF technique involves the creation
Scoping and pre-audit survey: Auditors
controlled to ensure timely, accurate, of a dummy entity in the application
determine main area/s of focus based on scope-
and efficient processing of applications system files and the processing of audit
definitions agreed with management.
under normal and potentially disruptive test data against the entity as a means
conditions. Planning and preparation: The scope is broken
down into greater levels of detail, usually involving of verifying processing authenticity,
Systems Development: To ensure that the accuracy, and completeness.
generation of audit work plan or risk-control-
systems are developed in accordance with System Control Audit Review File
matrix.
generally accepted standards for systems (SCARF): The SCARF technique
development. Fieldwork: This step involves gathering of evidence
by interviewing staff and managers, reviewing involves embedding audit software
Management of IT and Enterprise modules within a host application
documents, and observing processes etc.
Architecture: To verify that Information system to provide continuous
Technology management has developed an Analysis: SWOT (Strengths, Weaknesses,
monitoring of the system’s
organizational structure & procedures to Opportunities, Threats) or PEST (Political,
transactions.
ensure a controlled & efficient environment Economic, Social, Technological) techniques can
be used for analysis. Continuous and Intermittent
for information processing. Simulation (CIS): This technique can
Telecommunications, Intranets, and Reporting: Reporting to the management is done
be used to trap exceptions whenever
Extranets: To verify that controls are in after analysis of evidence is gathered and analysed.
the application system uses a DBMS.
place on the client (end-point device), Closure: Closure involves preparing notes for future
Audit Hooks: These are audit routines
server, and on the network connecting the audits and follow up with management to complete
that flag suspicious transactions.
clients and servers. actions they promised after previous audits.

AUDIT TRAIL
Audit Trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit
trails provide an important detective control to help accomplish security policy objectives.
Audit trail controls attempt to ensure that a chronological record of all events that have occurred in a system is maintained.
 The Accounting audit trail shows the source and nature of data and processes that update the database.
 The Operations audit trail maintains record of attempted or actual resource consumption within a system.

Audit Trail Objectives: Audit trails can be used to support security objectives in three ways:
 Detecting unauthorized access to the system: The primary objective of real-time detection is to protect the system from outsiders
who are attempting to breach system controls. Depending upon how much activity is being logged and reviewed; real-time detection can
impose a significant overhead on the operating system, which can degrade operational performance.
 Facilitating the reconstruction of events: Audit analysis can be used to reconstruct steps that led to events such as system failures,
security violations by individuals, or application processing errors.
 Promoting personal accountability: Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a
preventive control that can be used to influence behavior.

MANAGERIAL CONTROLS - AUDIT TRAILS


Managerial Controls Audit Trails
Top Management and  Planning: Auditors need to evaluate whether top management has formulated a high-quality IS’s plan that is
Information Systems appropriate to the needs of an organization or not.
Management Controls  Organizing: Auditors should be concerned about how well top management acquires and manages staff resources.
 Leading: Auditors examine variables that often indicate when motivation problems exist or suggest poor leadership.
 Controlling: Auditors must evaluate whether top management’s choice to the means of control over the users of IS
services is likely to be effective or not.
System Development  Concurrent Audit: Auditors assist the team in improving the quality of systems development for the specific
Management Controls system they are building and implementing.
 Post -implementation Audit: Auditors seek to help an organization learn from its experiences in the development
of a specific application system.
 General Audit: Auditors seek to determine whether they can reduce extent of substantive testing needed to form an
audit opinion about management’s assertions relating to financial statements for systems effectiveness & efficiency.
Programming  Planning: Auditors must evaluate how well the planning work is being undertaken.
Management Controls  Control: Auditors must evaluate whether the nature of and extent of control activities undertaken are appropriate
for different types of s/w that are developed or acquired.
 Design: Auditors should find out whether programmers use some type of systematic approach to design.
 Coding: Auditors should seek evidence to check whether programmers employ automated facilities to assist them
with their coding work.

24 May 2017 The Chartered Accountant Student

18
INFORMATION SYSTEMS CONTROL AND AUDIT
 Testing: Auditor’s primary concern is to see that unit testing; integration testing of the system testing has been
undertaken appropriately.
 Operation and Maintenance: Auditors need to ensure effectively & timely reporting of maintenance needs occurs
& maintenance is carried out in a well-controlled manner.
Data Resource Auditors should determine what controls are exercised to maintain data integrity. They might employ test data to
Management Controls evaluate whether access controls and update controls are working.
Quality Assurance Auditors might use interviews, observations and reviews of documentation to evaluate how well Quality Assurance
Management Controls (QA) personnel perform their monitoring and reporting function.
Security Management Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or
Controls not; and check whether organisations have opted appropriate Disaster Recovery and Insurance plan or not.
Operations Auditors should pay concern to see whether the documentation is maintained securely and that it is issued only to
Management Controls authorized personnel.
APPLICATION CONTROLS - AUDIT TRAILS
Application Controls Audit Trails
Boundary This maintains the chronology of events that occur when a user attempts to gain access to and employ systems resources.
Input This maintains the chronology of events from the time data and instructions are captured and entered an application system
until the time they are deemed valid and passed onto other subsystems within the application system.
Communication This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Processing The audit trail maintains the chronology of events from the time data is received from the input or communication
subsystem to the time data is dispatched to the database, communication, or output subsystems.
Output The audit trail maintains the chronology of events that occur either to the database definition or the database itself.
Database The audit trail maintains the chronology of events that occur from the time the content of the output is determined until
time users complete their disposal of output because it no longer should be retained.

CHAPTER – 7 INFORMATION TECHNOLOGY REGULATORY ISSUES


This chapter provides the knowledge about various sections of IT Act and its rules as relevant for assurance and assessing the impact of non-
compliance. Furthermore, it also provides the knowledge about various regulatory bodies such as RBI, SEBI and IRDA.

INFORMATION TECHNOLOGY ACT


The Information Technology Act was enacted on 17th May 2000, primarily to provide legal recognition for electronic transactions and facilitate
e-commerce. The IT Act was amended by passing of the Information Technology (Amendment) Act 2008 (Effective from October 27, 2009).
[Chapter II] Digital Signature and Electronic Signature [Chapter XI] Offences
This chapter of IT Act gives legal recognition to electronic records and Apart from giving recognition to electronic contracts, the IT Act
digital signatures. It contains only Section 3. The section provides the identifies certain acts as “Computer Crimes” and provides penalties for
conditions subject to which an electronic record may be authenticated these offences. The Act lists common crimes that can be perpetuated in
by means of affixing digital signature. the electronic society and specifies penalty. The Computer crimes that
[Section 3] Authentication of Electronic Records are recognized by the Act could affect hackers; Digital Contract parties;
[Section 3A] Electronic Signature The Digital IC users; Netizen; Web Site owners/Content creators;
Software professionals; Auditors and Certifying authorities web hosting
[Chapter III] Electronic Governance firms. Chapter XI deals with offences under the IT Act.
This chapter specifies the procedures to be followed for sending and
receiving of electronic records and the time and the place of the dispatch [Section 65] Tampering with Computer Source Documents
and receipt. This chapter contains sections 4 to 10. [Section 66] Computer Related Offences
[Section 4] Legal Recognition of Electronic Records [Section 66A] Punishment for sending offensive messages through
[Section 5] Legal recognition of Electronic Signatures communication service, etc.
[Section 6] Use of Electronic Records and Electronic Signatures in [Section 66B] Punishment for dishonestly receiving stolen computer
Government and its agencies resource or communication device
[Section 6A] Delivery of services by Service Provider [Section 66C] Punishment for identity theft
[Section 7] Retention of Electronic Records [Section 66D] Punishment for cheating by personation by using
[Section 7A] Audit of Documents, etc. maintained in Electronic form computer resource
[Section 8] Publication of rules, regulation, etc., in Electronic Gazette [Section 66E] Punishment for violation of privacy
[Section 9] Sections 6, 7 and 8 not to confer right to insist document [Section 66F] Punishment for cyber terrorism
should be accepted in electronic form [Section 67] Punishment for publishing or transmitting obscene
[Section 10] Power to make rules by Central Government in respect of material in electronic form
Electronic Signature [Section 67A] Punishment for publishing or transmitting of material
[Section 10A] Validity of contracts formed through electronic means containing sexually explicit act, etc. in electronic form
[Chapter V] Secure Electronic Records and Secure Electronic Signatures [Section 67B] Punishment for publishing or transmitting of material
Chapter V sets out the conditions that would apply to qualify electronic depicting children in sexually explicit act, etc. in
records and digital signatures as being secure. It contains sections 14 to 16. electronic form
[Section 14] Secure Electronic Record [Section 67C] Preservation and Retention of information by
[Section 15] Secure Electronic Signature intermediaries
[Section 16] Security Procedures and Practices [Section 68] Power of the Controller to give directions
[Chapter IX] Penalties, Compensation and Adjudication [Section 69] Powers to issue directions for interception or monitoring
This chapter contains sections 43 to 47, out of which sections 43 to 45 deal or decryption of any information through any computer
with different nature of penalties. It provides for awarding compensation resource
or damages for certain types of computer frauds. It also provides for the [Section 69A] Power to issue directions for blocking for public access of
appointment of Adjudication Officer for holding an inquiry in relation to any information through any computer resource
certain computer crimes and for awarding compensation. [Section 69B] Power to authorize to monitor and collect traffic data or
[Section 43] Penalty and Compensation for damage to computer, information through any computer resource for Cyber Security
computer system, etc. [Section 70] Protected system
[Section 43A] Compensation for failure to protect data [Section 70A] National nodal agency
[Section 44] Penalty for failure to furnish information return, etc. [Section 70B] Indian Computer Emergency Response Team to serve as
[Section 45] Residuary Penalty national agency for incident response

The Chartered Accountant Student May 2017 25


19
INFORMATION SYSTEMS CONTROL AND AUDIT
[Section 71] Penalty for misrepresentation [Chapter XIIA] Examiner of Electronic Evidence
[Section 72] Penalty for breach of confidentiality and privacy [Section 79A] Central Government to notify Examiner of Electronic
[Section 72A] Punishment for Disclosure of information in breach of Evidence
lawful contract [Chapter XIII] Miscellaneous
[Section 73] Penalty for publishing Electronic Signature Certificate [Section 80] Power of police officer and other officers to enter, search, etc.
false in certain particulars
[Section 74] Publication for fraudulent purpose [Section 81] Act to have Overriding effect
[Section 75] Act to apply for offences or contraventions committed [Section 81A] Application of the Act to electronic cheque and truncated
outside India cheque
[Section 76] Confiscation [Section 84B] Punishment for abetment of offence
[Chapter XII] Intermediaries not to be liable in Certain Cases
This chapter contains Section 79 that provides details of the exemption [Section 84C] Punishment for attempt to commit offences
from liability of intermediary in certain cases. [Section 85] Offences by Companies
[Section 79] Exemption from liability of intermediary in certain cases

VARIOUS AUTHORITIES FOR SYSTEMS CONTROL AND AUDIT


1. IRDA for Systems Control and Audit (IRDA): The Insurance Regulatory and Development Authority of India (IRDA) is the apex body
overseeing the insurance business in India. It protects the interests of the policyholders, regulates, promotes and ensures orderly growth of the
insurance in India. Information System Audit aims at providing assurance in respect of Confidentiality, Availability and Integrity for Information
systems. It also looks at their efficiency, effectiveness and responsiveness. It focuses on compliance with laws and regulations.
2. RBI for System Control and Audit: The Reserve Bank of India (RBI) is India's central banking institution, which formulates the monetary
policy about the Indian rupee. The Reserve Bank of India (RBI) has been at the forefront of recognizing and promoting IS Audit internally
and across all the stakeholders including financial institutions. RBI provides guidelines on key areas of IT implementation by using global best
practices. They have constituted various expert committees who review existing and future technology and related risks and provide guidelines,
which are issued by all stakeholders. Primarily, RBI suggests that senior management and regulators need an assurance on the effectiveness of
internal controls implemented and expect the IS Audit to provide an independent and objective view of the extent to which the IT related risks
are managed.
3. SEBI for Systems Control and Audit: The Securities and Exchange Board of India (SEBI) is the regulator for the securities market in
India. SEBI has to be responsive to the needs of three groups, which constitute the market - The issuers of securities; The investors, and the
market intermediaries. Mandatory audits of systems and processes bring transparency in the complex workings of SEBI, prove integrity of the
transactions and build confidence among the stakeholders.
SECURITY STANDARDS
1. ISO 27001 - This standard is the foundation of Information Security Management. ISO/IEC 27001 (International Organization for
Standardization (ISO) and the International Electro-Technical Commission (IEC)) defines how to organize information security in any
kind of organization, profit or non-profit, private or state-owned, small or large. It is a standard written by the world’s best experts in the field
of information security and aims to provide a methodology for the implementation of information security in an organization. It also enables an
organization to get certified, which means that an independent certification body has confirmed that information security has been implemented
in the best possible way in organization.
2. STANDARD ON AUDITING (SA) 402 - (SA) 402 is a revised version of the erstwhile Auditing and Assurance Standard (AAS) 24; "Audit
Considerations Relating to Entities Using Service Organizations" issued by the ICAI in 2002. The revised Standard deals with the user auditor's
responsibility to obtain sufficient appropriate audit evidence when a user entity uses the services of one or more service organizations. SA
402 also deals with the aspects like obtaining an understanding of the services provided by a service organization, including internal control,
responding to the assessed risks of material misstatement, Type 1 and Type 2 reports, fraud, non-compliance with laws and regulations and
uncorrected misstatements in relation to activities at the service organization and reporting by the user auditor.
3. INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL) - The ITIL is a set of practices for IT Service Management (ITSM)
that focuses on aligning IT services with the needs of business. In its current form (ITILv3), it is published in series of five core publications, each
of which covers an ITSM lifecycle stage. ITIL has rapidly been adopted across the world as the standard for best practice in the provision of IT
services. ITIL assists in establishing a business management approach and discipline to IT Service Management.
INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY (ITIL)

SERVICE STRATEGY SERVICE DESIGN SERVICE TRANSITION SERVICE OPERATION


• Provides guidance • Provides good-practice • Elates to delivery of services • Provides best practice for
on clarification and guidance on design of IT required by a business into achieving the delivery of
prioritization of service- services, processes, and live/operational use, and often agreed levels of services
provider investments in other aspects of service encompasses the "project" side both to end-users and the
services. management effort; of IT rather than BAU; customers;
• Includes functions in • Includes functions in Service • Includes functions in Service • Includes functions in
IT Service Generation, Catalogue; Service Level Transition Planning & Support; Functions Incident Mgt.;
Service Portfolio Mgt.; Mgt.; Availability; Capacity; Change Mgt.; Service Asset & Request Fulfillment; Access
Financial Mgt.; Demand IT Service Continuity Mgt.; Configuration Mgt.; Release Mgt.; Event Mgt. and
Mgt. and Business Information Security Mgt. & Deployment Mgt.; Service Problem Mgt.
Relationship Mgt. and Supplier Mgt. Validation and Testing; Change
Evaluation; and Knowledge Mgt.

Continual Service Improvement


(Aims to align and realign IT services to changing business needs by identifying/
implementing improvements to IT services that support business processes).

26 May 2017 The Chartered Accountant Student

20
INFORMATION SYSTEMS CONTROL AND AUDIT
CHAPTER – 8 EMERGING TECHNOLOGIES
This chapter introduces the Emerging Technologies like Cloud Computing, Mobile Computing, Green Computing etc. and their perspectives.

I. Grid Computing: Grid computing is a network of computing or processor machines managed with a kind of software such as middleware,
to access and use the resources remotely. Grid Services provide access control, security, access to data including digital libraries and databases,
and access to large-scale interactive and long-term storage facilities.
Grid Computing is more popular due to the following reasons:
 It can make use of unused computing power, and thus, it is a cost-effective solution (reducing investments, only recurring costs).
 Enables heterogeneous resources of computers to work cooperatively and collaboratively to solve a scientific problem.
II. Cloud Computing: Cloud Computing is both, a combination of software and hardware based computing resources delivered as a
networked service. This model of IT enabled services enables anytime access to a shared pool of applications and resources. These applications
and resources can be accessed using a simple front-end interface such as a Web browser, and thus enabling users to access the resources from
any client device including notebooks, desktops and mobile devices.
Architecture Characteristics Advantages
 Front End Architecture: The front end of the cloud computing  High Scalability  Cost Efficiency
system comprises of the client’s devices (or computer network) and  Agility & Multi-sharing  Almost Unlimited Storage
some applications needed for accessing the cloud computing system.  High Availability and Reliability  Backup & Recovery
 Back End Architecture: Back end refers to some service facilitating  Services in Pay-Per-Use Mode  Automatic Software Integration
peripherals. In cloud computing, the back end is cloud itself, which may  Virtualization  Easy Access to Information
encompass various computer machines, data storage systems and servers.  Performance & Maintenance  Quick Deployment
Groups of these clouds make up a whole cloud computing system.
Types of Cloud Service Models
Private Cloud Public Cloud Community Cloud Hybrid Cloud Infrastructure as a Platform as a Service Software as a
This cloud The public cloud The community This is a Service (IaaS) (PaaS) Service (SaaS)
c o m p u t i n g is the cloud cloud is the cloud combination of
environment infrastructure that infrastructure that both at least one IaaS, a hardware- PaaS provides the SaaS provides
resides within the is provisioned for is provisioned for private (internal) level service, users the ability to ability to the
boundaries of an open use by the exclusive use by a and at least one provides computing develop and deploy end users
organization and is general public. It specific community public (external) resources such as an application on the to access an
used exclusively for may be owned, of consumers from cloud computing processing power, development platform application over
the organization’s managed, and organizations that environments memory, storage, provided by the the Internet that
benefits. operated by a have shared concerns - usually, and networks for service provider. PaaS is hosted and
business, academic, (eg. mission security consisting of cloud users to run changes the application managed by the
or government requirements, policy, inf ra str uc ture, their application on- development from service provider.
organizations, or and compliance platforms and demand. local machine to online.
some combination considerations). applications.
of them. This allows users PaaS providers may SaaS is
Private Clouds can Typically, public It may be owned, The usual to maximize the provide programming delivered as
either be private to clouds are managed, and method of using utilization of languages, application an on-demand
the organization a d m i n i s t r a t e d operated by one the hybrid cloud computing capacities f r a m e w o r k s , service over
and managed by third parties or more of the is to have a without having to databases, and testing the Internet,
by the single or vendors over organizations in private cloud own and manage tools apart from there is no
organization (On- the Internet, and the community, initially, and then their own resources. some build tools, need to install
Premise Private the services are a third party or for additional Different instances deployment tools the software to
Cloud) or can be offered on pay- some combination resources, the are - NaaS, STaaS, and software load the end-user’s
managed by third per-use basis of them, and it public cloud is DBaaS, BaaS, and balancers as a service devices.
party (Outsourced may exist on or off used. DTaaS. in some cases.
Private Cloud) premises.
Cloud Computing Security Issues
 Confidentiality: Prevention of the unauthorized disclosure of the data is referred as Confidentiality.
 Integrity: Integrity refers to the prevention of unauthorized modification of data and it ensures that data is of high quality, correct, consistent and accessible
 Availability: Availability refers to the prevention of unauthorized withholding of data and it ensures the data backup through Business Planning
Continuity Planning (BCP) and Disaster Recovery Planning (DRP).
 Governance: Due to the lack of control over employees and services, it creates problems relating to design, implementation, testing & deployment.
So, there’s a need of governance model, which controls standards, procedures & policies of organization.
 Trust: Deployment model provided a trust to the Cloud environment. An organization has direct control over security aspects as well as the federal
agencies even have responsibility to protect the information system from the risk.
 Compliance and Legal Issues: There are various requirements relating to legal, privacy and data security laws that need to be studied in Cloud system.
One of the major troubles with laws is that they vary from place to place, and users have no assurance of where the data is located physically.
 Privacy: Privacy is also considered as one of the important issues in Cloud. The privacy issues are embedded in each phase of the Cloud design. It
should include both the legal compliance and trusting maturity.
 Audit: Auditing is type of checking that ‘what is happening in the Cloud environment’. It is an additional layer before virtualized application
environment, which is being hosted on virtual machine to watch ‘what is happening in system’.
 Data Stealing: In a Cloud, data stored anywhere is accessible in public form and private form by anyone at any time. In such cases, an issue arises
as data stealing.
 Architecture: In the architecture of Cloud computing models, there should be a control over the security and privacy of the system. The architecture
of the Cloud is based on a specific service model.
 Identity Management and Access control: The key critical success factor for Cloud providers is to have a robust federated identity management
architecture and strategy internal in the organization.
 Incident Response: It ensures to meet the requirements of the organization during an incident. It ensures that Cloud provider has transparent
response process in place & sufficient mechanisms to share information during & after an incident.
 Software Isolation: Software isolation is to understand virtualization and other logical isolation techniques that Cloud provider employs in its
multi-tenant software architecture, and evaluate the risks required for the organization.
 Application Security: Security issues relating to application security still apply when applications move to a cloud platform. Service provider
should have complete access to server with all rights for monitoring/maintenance of server.

The Chartered Accountant Student May 2017 27


21
INFORMATION SYSTEMS CONTROL AND AUDIT
Cloud Computing Implementation/Adaptation Issues
 Threshold Policy: To test if the program works, develops, or improves and implements; a threshold policy is of immense importance in a pilot
study before moving the program to the production environment. This involves the checking how the policy enables to detect sudden increases in
the demand and results in the creation of additional instances to fill in the demand.
 Interoperability: If a company outsources or creates applications with one cloud computing vendor, the company may find it difficult to change to
another computing vendor that has proprietary Application Programming Interfaces (APIs) and different formats for importing and exporting data.
This creates problems of achieving interoperability of applications between two cloud computing vendors.
 Hidden Costs: Like any such services in prevailing business systems, cloud computing service providers do not reveal ‘what hidden costs are’.
 Unexpected Behaviour: It’s important to test application in cloud with a pilot study to check for unexpected behaviour.
 Software Development in Cloud: To develop software using high-end databases, the most likely choice is to use cloud server pools at the internal
data corporate centre and extend resources temporarily for testing purposes. This allows project managers to control costs, manage security and
allocate resources to clouds for a project.
 Environment Friendly Cloud Computing: One incentive for cloud computing is that it may be more environment friendly. First, reducing the number
of hardware components needed to run applications on the company's internal data centre and replacing them with cloud computing systems reduces
energy for running and cooling hardware.
III. Mobile Computing: Mobile Computing refers to the technology that allows transmission of data via a computer without having to be
connected to a fixed physical link.
Components Limitations Advantages
 Mobile Communication: Refers to infrastructure put in  Insufficient Bandwidth  Security Issues like Confidentiality; Integrity;
place to ensure that seamless and reliable communication  Security Standards Availability; Legitimate Accountability and Bandwidth;
goes on.  Power consumption  Location Intelligence;
 Mobile Hardware: This includes mobile devices/device  Transmission  Power Consumption;
components that range from Portable laptops, Smart interferences  Revising technical architecture;
Phones, Tablet PCs, and Personal Digital Assistants (PDA).  Potential health hazards  Reliability, coverage, capacity, and cost;
 Mobile Software: It is the actual programme that runs on  Human interface with  Integration with legacy mainframe and emerging
the mobile hardware and deals with the characteristics and device client/server applications;
requirements of mobile applications.  End-to-end design and performance; and
 Business challenges

IV. Green Computing: Green Computing or Green IT refers to the study and practice of environmentally sustainable computing or IT. In
other words, it is the study and practice of establishing / using computers and IT resources in a more efficient and environmentally friendly
and responsible way.
Best Practices  Develop a sustainable Green Computing plan
 Recycle
 Make environmentally sound purchase decisions
 Reduce Paper Consumption
 Conserve Energy

V. BYOD (Bring Your Own Device): This refers to business policy that allows employees to use their preferred computing devices, like
smart phones and laptops for business purposes. It means employees are welcome to use personal devices (laptops, smart phones, tablets
etc.) to connect to the corporate network to access information and application.
Advantages Emerging Threats
 Happy Employees  Network Risks: It is normally exemplified and hidden in ‘Lack of Device Visibility’. As BYOD permits employees to carry
 Lower IT budgets their own devices (smart phones, laptops for business use), the IT practice team is unaware about the number of devices
 IT reduces support being connected to the network. As network visibility is of high importance, this lack of visibility can be hazardous.
requirement  Device Risks: It is normally exemplified and hidden in ‘Loss of Devices’. A lost or stolen device can result in an enormous
 Early adoption of financial and reputational embarrassment to an organization as the device may hold sensitive corporate information.
new Technologies  Application Risks: It is normally exemplified and hidden in ‘Application Viruses and Malware’. Organizations are not clear
 Increased employee in deciding that ‘who is responsible for device security – the organization or the user’.
efficiency  Implementation Risks: It is normally exemplified and hidden in ‘Weak BYOD Policy’. The effective implementation of the
BYOD program should not only cover the technical issues mentioned above but also mandate the development of a robust
implementation policy.
WEB 2.0 AND WEB 3.0 TECHNOLOGIES
Web 2.0 Technology Web 3.0 Technology
 Web 2.0 is the term given to describe a  Known as the Semantic Web, this describes sites wherein the computers will be generated raw
second generation of the World Wide data on their own without direct user interaction.
Web that is focused on the ability  Web 3.0 standard uses semantic web technology, drag and drop mash-ups, widgets, user behavior,
for people to collaborate and share user engagement, and consolidation of dynamic web contents depending on the interest of the
information online. individual users.
 The two major contributors of Web 2.0  Web 3.0 Technology uses the “Data Web” Technology, which features the data records that are
are the technological advances enabled publishable and reusable on the web through query-able formats. The Web 3.0 standard also
by Ajax (Asynchronous JavaScript and incorporates the latest researches in the field of artificial intelligence.
XML) and other applications and other  The two major components of Web 3.0 are as follows:
applications such as RSS (Really Simple • Semantic Web: This provides the web user a common framework that could be used to share
Syndication) and Eclipse that support the and reuse the data across various applications, enterprises, and community boundaries
user interaction and their empowerment • Web Services: It is a software system that supports computer - to - computer interaction over
in dealing with the web. the Internet.
 The main agenda of Web 2.0 is to  An example of typical Web 3.0 application is the one that uses content management systems
connect people in numerous new ways along with artificial intelligence.
and utilize their collective strengths, in a  Web 3.0 helps to achieve a more connected open and intelligent web applications using the
collaborative manner. concepts of natural language processing machine learning, machine reasoning and autonomous
agents.

28 May 2017 The Chartered Accountant Student

22

You might also like