ISCA Revision by AT
CHAPTER 1 : CONCEPTS OF GOVERNANCE AND MANAGEMENT OF INFORMATION SYSTEMS
KEY CONCEPTS OF GOVERNANCE :
● Governance
● Enterprise Governance
● Corporate Governance

BENEFITS OF GOVERNANCE : (Afterwards Deffy and I Provided Improvised Decision)
1. Achieving enterprise objectives
2. Defining and encouraging desirable behaviour in the use of IT
3. Implementing and integrating the desired business processes
● Improved transparency
● Improved compliance with regulatory requirements.
● Governance requirements for board members are met.
● More optimal utilisation of IT resources

GOVERNANCE DIMENSIONS
● Conformance or Corporate Governance Dimension
● Performance or Business Governance Dimension

Governance questions :
● Who is to make the decisions ?
● What decision-making mechanisms are required ?
● How are exceptions handled ?
● How are the governance results monitored and improved ?
Information Systems Control and Audit
BEST PRACTICES OF CORPORATE GOVERNANCE : (SAIF AND FARHAN CLEARLY EXERCISE IN GYM)
1. Special monitoring
2. Appropriate information flows internally and to the public
3. Financial and managerial incentives
4. Clear assignment of responsibilities
5. Establishment of a mechanism for the interaction and co-operation among the board of directors, senior management and the auditors
6. Implementing strong internal control systems

INTERNAL CONTROLS : (MAP)
The SEC's final rules define "internal control over financial reporting" as controls that :
1. Pertain to the maintenance of records
2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements
3. Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets
2. Risk Assessment
● To review and approve major IT deployment projects
● Management Control

IT strategy planning in an enterprise could be broadly classified into the following categories :
● Enterprise Strategic Plan
RELATED TERMS
1. Asset : Asset can be defined as something of value to the organisation; e.g. information in electronic or physical form, software
systems, employees.
2. Vulnerability : A vulnerability is a weakness in the system safeguards that exposes the system to threats.
3. Threat : Any entity, circumstance, or event with the potential to harm the software system or component through its unauthorised
access, destruction, modification, and / or denial of service is called a threat.
4. Likelihood : Likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving an
undesirable event.
5. Attack : An attack is an attempt to gain unauthorised access to the system's services or to compromise the system's dependability.
These risks lead to a gap between the need to protect systems and the degree of protection applied. The gap is caused by:
● Widespread use of technology.
● Interconnectivity of systems.
● External factors such as legislative, legal and regulatory requirements or technological developments.
Countermeasure : An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a countermeasure.
Residual Risk : Any risk still remaining after the countermeasures are analysed and implemented is called residual risk.
RISK MANAGEMENT STRATEGIES : (5T)
● Tolerate/Accept the risk
● Terminate/Eliminate the risk
● Transfer/Share the risk
● Treat/Mitigate the risk
● Turn back

KEY GOVERNANCE PRACTICES OF RISK MANAGEMENT : (Electronic Dance Music)
1. Evaluate Risk Management
2. Direct Risk Management
3. Monitor Risk Management

KEY MANAGEMENT PRACTICES OF RISK MANAGEMENT : (CA and MAD about Results)
1. Collect Data
2. Analyse Risk
3. Maintain a Risk Profile
4. Articulate Risk
5. Define a Risk Management Action Portfolio
6. Respond to Risk

KEY MANAGEMENT PRACTICES OF IT COMPLIANCE : (I Owe Company an Apology)
1. Identify external compliance requirements
2. Optimise response to external requirements
3. Confirm external compliance
4. Obtain assurance of external compliance
CHARACTERISTICS OF DSS :
2. It should be able to help in group decision making.
3. It should be flexible.
4. DSS focuses on decisions rather than on data and information.
5. It should be easy to use.
6. DSS can be used for structured problems.
7. DSS should be user-friendly.
8. DSS should be extensible and evolve over time.
9. DSSs are used mainly for decision making rather than for communicating decisions and for training purposes.
10. The impact of DSS should be on decisions where the manager's judgement is essential.

COMPONENTS OF DSS :
● Databases
● A planning language
● Model Base

EXAMPLES OF DSS :
1. Cost Accounting System
2. Capital Budgeting System
3. Budget Variance Analysis System
4. General Decision Support System
INFORMATION SYSTEM AND ITS ROLE IN MANAGEMENT
● Aids in decision-making
● Gain competitive edge
● Innovative ideas
● Knowledge
● It can be integrated to formulate a strategy of action or operation

The impact of IT on information systems for different sectors is explained below :
1. E-business
2. Financial Service Sector
3. Wholesaling and Retailing
4. Public Sectors
5. Others
CHAPTER 3 : PROTECTION OF INFORMATION ASSETS
SECURITY OBJECTIVE
● Confidentiality

WHAT INFORMATION IS SENSITIVE ?
● Finances

TOOLS TO IMPLEMENT POLICY

ISSUES TO ADDRESS
● A definition of information security.
● A brief explanation of the security policies, principles, standards and compliance requirements.
● Definition of all relevant information security responsibilities.
● Reference to supporting documentation.

MEMBERS OF SECURITY POLICY
● Management members
● Technical group
● Legal experts

TYPES OF INFORMATION SECURITY POLICIES AND THEIR HIERARCHY : (U And I Can Obviously Nail It)
1. User Security Policy
2. Acceptable Usage Policy
3. Information Security Policy
4. Conditions of Connection
5. Organisational Information Security Policy
6. Network and System Security Policy
7. Information Classification Policy
EFFECT OF COMPUTERS ON INTERNAL CONTROLS : (RAM’S Personal Assistant)
● Record keeping
● Access to assets and records
● Management supervision and review
● Segregation of duties
● Personnel

Internal Controls used within an Organisation comprise the following five Interrelated Components : (Environment Information Requires Monitoring Activities)
● Control Environment
● Information and Communication
● Risk Assessment
● Monitoring
● Control Activities

BASED ON OBJECTIVE
1. Preventive Controls
2. Detective Controls
3. Corrective Controls
4. Compensatory Controls

Another Classification of Controls is based on the Nature of such Controls with regard to the Nature of IS Resources to which they are applied :
(i) Environmental Controls
(ii) Physical Access Controls
(iii) Logical Access Controls
BASED ON AUDIT FUNCTION
INFORMATION CLASSIFICATION : (TCP/IP)
ACCESS CONTROL MECHANISMS
LOGICAL ACCESS PATHS : (D BOOT)
BOUNDARY CONTROL TECHNIQUES ARE

INPUT CONTROLS
(a) Source Document Controls
(b) Data Coding Controls
● Transcription Errors
(c) Validation Controls
● Field interrogation

● On-line Data Entry Controls
● Data Processing and Storage Controls
● Documentation
● Dual control
● Input/output verification
● Supervisory review
● Division of Environments
● Offsite Backup Storage
● Quarter-End and Year-End

Data integrity questions :
● Who is permitted to update data ?
● Who is permitted to read and use the data ?
● Who is responsible for determining who can read and update

Security issues with personal computers :
● Pen drives can be very conveniently transported
● Does not provide inherent data safeguards
● Segregation of duty is not possible
● The staff mobility is higher

Controls over personal computers :
● Centralised purchase of hardware and software
● Standards set for developing, testing and documenting
● Use of antimalware software
● Users of personal computers and their peripherals must be adequately trained
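The two input controls named above, data coding controls against transcription errors and validation controls by field interrogation, are easier to see in working form. The following is an added example, not part of the revision notes: it computes and verifies a modulus-11 check digit (the weight sequence 2..7 is an assumption chosen for illustration), shows that the check digit catches a single-digit substitution and an adjacent transposition, and then interrogates a constructed transaction record field by field (completeness, size, type, range and valid-code checks). The field rules and the two sample records are constructed for the example.

```python
"""Data coding and validation controls: a modulus-11 check digit for account
numbers, plus field interrogation of a transaction record.

Added example, not from the revision notes. The weight sequence, the field
rules and the sample records are assumptions made for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

WEIGHTS = (2, 3, 4, 5, 6, 7)   # applied from the rightmost digit, repeating


def mod11_check_digit(base: str) -> str:
    """Check digit for a string of decimal digits. Remainder 1 yields 'X'."""
    if not base.isdigit():
        raise ValueError("base must be decimal digits")
    total = sum(int(d) * WEIGHTS[i % len(WEIGHTS)]
                for i, d in enumerate(reversed(base)))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def verify_mod11(code: str) -> bool:
    """True if the last character is the correct check digit for the rest."""
    return (len(code) >= 2 and code[:-1].isdigit()
            and mod11_check_digit(code[:-1]) == code[-1])


def error_detection(base: str) -> Dict[str, bool]:
    """Does the check digit catch a substitution and an adjacent transposition?
    (base must start with two different digits for the transposition case)"""
    code = base + mod11_check_digit(base)
    substituted = str((int(code[0]) + 1) % 10) + code[1:]   # one digit altered
    transposed = code[1] + code[0] + code[2:]               # two digits swapped
    return {"substitution": not verify_mod11(substituted),
            "transposition": not verify_mod11(transposed)}


@dataclass(frozen=True)
class FieldRule:
    name: str
    kind: str                      # 'coded' (digits + check digit), 'alpha', 'amount'
    max_len: int
    allowed: Optional[FrozenSet[str]] = None
    lo: Optional[float] = None
    hi: Optional[float] = None


# Assumed field rules for a constructed transaction record.
RULES = [
    FieldRule("account_no", "coded", 12),
    FieldRule("txn_type", "alpha", 2, allowed=frozenset({"DR", "CR"})),
    FieldRule("amount", "amount", 12, lo=0.01, hi=1_000_000.00),
]


def interrogate(record: Dict[str, str], rules: List[FieldRule] = RULES) -> List[str]:
    """Field interrogation: return one message per failed check (empty = accept)."""
    errors: List[str] = []
    for r in rules:
        v = record.get(r.name, "")
        if v == "":
            errors.append(f"{r.name}: missing (completeness check)")
            continue
        if len(v) > r.max_len:
            errors.append(f"{r.name}: longer than {r.max_len} (size check)")
        if r.kind == "coded" and not verify_mod11(v):
            errors.append(f"{r.name}: check digit failure (transcription/transposition error)")
        elif r.kind == "alpha" and not v.isalpha():
            errors.append(f"{r.name}: non-alphabetic (type check)")
        elif r.kind == "amount":
            try:
                x = float(v)
            except ValueError:
                errors.append(f"{r.name}: not numeric (type check)")
            else:
                if (r.lo is not None and x < r.lo) or (r.hi is not None and x > r.hi):
                    errors.append(f"{r.name}: {x} outside {r.lo}..{r.hi} (range check)")
        if r.allowed is not None and v not in r.allowed:
            errors.append(f"{r.name}: {v!r} not a permitted code (valid-code check)")
    return errors


# Constructed records: GOOD is clean; BAD has the first two account digits
# transposed, an unknown transaction code and a negative amount.
GOOD = {"account_no": "456789129", "txn_type": "DR", "amount": "2500.00"}
BAD = {"account_no": "546789129", "txn_type": "DX", "amount": "-5"}

if __name__ == "__main__":
    print(mod11_check_digit("45678912"), error_detection("45678912"))
    print(interrogate(GOOD), interrogate(BAD), sep="\n")
```

The check digit is a coding control: it makes the account number self-checking, so a transposed or mistyped digit is rejected at the boundary rather than posting to the wrong account. The field checks are the validation controls; each message names the check that failed, which is what an auditor expects to find in the rejection log.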
REMOTE AND DISTRIBUTED DATA PROCESSING APPLICATIONS CAN BE CONTROLLED IN MANY WAYS
● Remote access to computer and data files through the network should be implemented.
● Applications that can be remotely accessed via modems and other devices should be controlled appropriately.
● Terminal and computer operations at remote locations should be monitored carefully and frequently.
● There should be proper control mechanisms over system documentation and manuals.
● When replicated copies of files exist at multiple locations, it must be ensured that all copies are identical and contain the same information, and checks should also be done to ensure that duplicate data does not exist.
LOGICAL ACCESS CONTROL ACROSS THE SYSTEM
● User access management
● User responsibilities
● Network access control

PHYSICAL ACCESS ISSUES AND EXPOSURES
The following points list the consequences of accidental or intentional violation of the access paths :
● Abuse of data processing resources.
● Unauthenticated entry
PHYSICAL ACCESS CONTROLS
Two types :
1. Locks on Doors
● Cipher locks (Combination Door Locks)

CONTROLS FOR ENVIRONMENTAL EXPOSURES
● Hand-Held Fire Extinguishers

CYBER FRAUDS
● Pure Cyber Frauds
● Cyber Enabled Frauds

CYBER ATTACKS
The major cyber-attacks during the year 2011 are discussed as follows :
● Phishing
3. Business Continuity Planning (BCP)

contain the damage and minimize the impact on the enterprise; and
3. is able to demonstrate a response through a process of regular testing and training.

will be identified.
● Plans will be developed to ensure continuity of key service delivery.
● Invocation of incident management and business continuity plans can be managed.
● Incident Management Plans and Business Continuity Plans are subject to ongoing testing, revision and updating as required.
● Planning and management responsibility are assigned to a member of the relevant senior management team.
● Crisis management

OBJECTIVES AND GOALS OF BUSINESS CONTINUITY PLANNING
The key objectives of the contingency plan should be to :
● Provide for the safety and well-being of people on the premises at the time of disaster.
● Continue critical business operations.
● Minimise the duration of a serious disruption.
● Minimise immediate damage and losses.
● Establish management succession and emergency powers.
● Identify critical lines of business and supporting functions.
The goals of the business continuity plan should be to :
● Identify weaknesses and implement a disaster prevention program.
● Minimise the duration of a serious disruption to business operations.
● Facilitate effective co-ordination of recovery tasks.
● Reduce the complexity of the recovery effort.

PHASES OF BUSINESS CONTINUITY PLANNING : (Pakistan Vs Bangladesh Delayed Playing Their Match In India)
The eight phases are described in detail in the following :
1. Pre-Planning Activities
2. Vulnerability Assessment and General Definition of Requirements
3. Business Impact Analysis
4. Detailed Definition of Requirements
5. Plan Development
6. Testing Program
7. Maintenance Program
8. Initial Plan Testing and Plan Implementation
COMPONENTS OF BCM PROCESS
● BCM - Management Process
● BCM - Information Collection Process
● BCM - Strategy Process
● BCM - Development and Implementation Process
● BCM - Testing and Maintenance Process
● BCM - Training Process

BCM DOCUMENTATION AND RECORDS
The following documents (representative only) are classified as being part of the business continuity management system :
● The business continuity policy;
● The business continuity management system;
● The business impact analysis report;
● The risk assessment report;
● The aims and objectives of
● Training program.

BUSINESS IMPACT ANALYSIS (BIA)
For each activity supporting the delivery of key products and services within the scope of its BCM program, the enterprise should :
● assess the impacts that would occur if the activity was disrupted over a period of time;
● identify the maximum time period after the start of a disruption within which the activity needs to be resumed;

BCM TESTING
In case of Development of BCP, the objectives of performing BCP tests are to ensure that :
● The recovery procedures are complete and workable.
● The competence of personnel in their performance of recovery procedures can be evaluated.
● The resources such as business processes, IS systems, personnel, facilities and data are obtainable.
● The manual recovery
MAINTENANCE PROGRAM
● Determine the ownership and responsibility.
● Identify the BCP maintenance triggers to ensure that any organisational, operational, and structural changes are
● Implement version control procedures to ensure that the plan is
relevant staff

REVIEWING BCM ARRANGEMENT
An audit or self-assessment of the enterprise's BCM program should verify that :
● All key products and services and their supporting critical
● The enterprise's BCM solutions are effective
● Change control processes are in place and operate effectively
TRAINING, AWARENESS AND COMPETENCY
● Actively listens to others, their ideas, views and opinions;
● Provides support in difficult or challenging circumstances;
● Responds constructively to difficult circumstances;
● Adapts leadership style appropriately to match the circumstances;
● Promotes a positive culture of health, safety and the environment;
● Recognizes and acknowledges the contribution of colleagues;

TYPES OF PLANS : (Boys Entered the Room)
1. Back-up Plan
2. Emergency Plan
3. Recovery Plan
4. Test Plan

SOFTWARE AND DATA BACK-UP TECHNIQUES - TYPES OF BACK-UPS : (I Managed to Draw a Flower)
1. Incremental Backup
2. Mirror back-up
3. Differential Backup
4. Full Backup
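The four back-up types differ in what each run copies and in how many sets a restore must read. The following is an added example, not part of the revision notes: it runs full, incremental, differential and mirror back-ups over a constructed four-day history of a small file set (file names and contents are made up for the example), reports the volume of each run, rebuilds the latest state from each strategy, and shows one caveat worth testing in a BCP test: incremental and differential sets that copy only changed files do not carry deletions unless the back-up also records them.

```python
"""Full, incremental, differential and mirror back-ups simulated over a
constructed four-day file history: what each type copies, what a restore
needs, and whether deletions are carried.

Added example, not from the revision notes; file names and contents are
constructed."""
from typing import Dict, List

# Constructed: state of the file set at the end of each day (name -> content).
DAYS: List[Dict[str, str]] = [
    {"ledger.db": "L1", "payroll.xls": "P1", "policy.pdf": "S1"},                    # day 0: baseline
    {"ledger.db": "L2", "payroll.xls": "P1", "policy.pdf": "S1"},                    # day 1: ledger edited
    {"ledger.db": "L2", "payroll.xls": "P2", "policy.pdf": "S1", "memo.txt": "M1"},  # day 2: payroll edited, memo added
    {"ledger.db": "L3", "payroll.xls": "P2", "memo.txt": "M1"},                      # day 3: ledger edited, policy deleted
]


def changed_since(current: Dict[str, str], reference: Dict[str, str]) -> Dict[str, str]:
    """New or modified files relative to a reference snapshot."""
    return {f: c for f, c in current.items() if reference.get(f) != c}


def deleted_since(current: Dict[str, str], reference: Dict[str, str]) -> List[str]:
    return sorted(f for f in reference if f not in current)


def plan_backups(days: List[Dict[str, str]]) -> dict:
    full = dict(days[0])                      # full back-up: everything, taken on day 0
    last_any = full
    sched = {"full": full, "incremental": [], "differential": [], "mirror": []}
    for state in days[1:]:
        # incremental: changes since the last back-up of any type
        sched["incremental"].append({"changed": changed_since(state, last_any),
                                     "deleted": deleted_since(state, last_any)})
        # differential: changes since the last full back-up
        sched["differential"].append({"changed": changed_since(state, full),
                                      "deleted": deleted_since(state, full)})
        # mirror: an exact copy of the current state
        sched["mirror"].append(dict(state))
        last_any = state
    return sched


def volumes(sched: dict) -> Dict[str, List[int]]:
    """Files copied per run: incremental stays small, differential grows."""
    return {"incremental": [len(s["changed"]) for s in sched["incremental"]],
            "differential": [len(s["changed"]) for s in sched["differential"]],
            "mirror": [len(m) for m in sched["mirror"]]}


def sets_needed(sched: dict, strategy: str) -> int:
    """Back-up sets a restore of the latest state must read."""
    return {"incremental": 1 + len(sched["incremental"]),   # full + every incremental
            "differential": 2,                               # full + latest differential
            "mirror": 1}[strategy]


def restore(sched: dict, strategy: str, apply_deletions: bool = False) -> Dict[str, str]:
    """Rebuild the latest state. Without apply_deletions, changed-file sets
    resurrect files that were deleted after the full back-up."""
    if strategy == "mirror":
        return dict(sched["mirror"][-1])
    state = dict(sched["full"])
    steps = sched["incremental"] if strategy == "incremental" else [sched["differential"][-1]]
    for step in steps:
        state.update(step["changed"])
        if apply_deletions:
            for f in step["deleted"]:
                state.pop(f, None)
    return state


if __name__ == "__main__":
    sched = plan_backups(DAYS)
    print(volumes(sched))
    for strategy in ("incremental", "differential", "mirror"):
        print(strategy, sets_needed(sched, strategy), restore(sched, strategy) == DAYS[-1])
```

Run it and the trade-off in the notes appears as numbers: incremental copies the least each day but needs the full set plus every incremental to restore; differential copies more each day but restores from two sets; a mirror copies everything and restores from one. The deleted-file check is the kind of discrepancy a BCP test should surface before a real restore does.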
APPROACHES TO SYSTEM DEVELOPMENT
● Waterfall : Linear framework type
● Prototyping : Iterative framework type
iterative framework type

SYSTEM DEVELOPMENT LIFE CYCLE (SDLC) : The SDLC framework provides system designers and developers with a sequence of activities to follow. It consists of a set of phases in which each phase of the SDLC uses the results of the previous one.

THE PHASES INVOLVED IN THE SDLC : (I Require A Design Developer To Implement and Maintain)
● Preliminary Investigation
● Systems Design

FEASIBILITY STUDY :
● Behavioural
● Technical
● Economical
● Resources
● Financial
● Operational

BENEFITS :
● Tangible
● Intangible
STAGE - II : REQUIREMENTS ANALYSIS
FACT FINDING TECHNIQUES : (Doctor Interviews and Questions while Observation)
● Documents
● Interviews
● Questionnaires
● Observations

SYSTEMS ANALYSIS OF PRESENT SYSTEM
● Review Historical Aspects
● Analyze Inputs
● Review Data Files Maintained
● Review Methods, Procedures & Data Communications
● Analyze Output
● Review Internal Controls
● Model the Existing Physical & Logical System
● Undertake Overall Analysis

SYSTEMS ANALYSIS OF PROPOSED SYSTEMS : After each functional area of the present information system has been carefully analysed, the proposed system specifications must be clearly defined.
DECISION TREE : A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.

DECISION TABLE : A Decision Table is a table which may accompany a flowchart, defining the possible contingencies that may be considered within the program and the appropriate course of action for each contingency. It has four parts :
● Condition Stub - which comprehensively lists the comparisons or conditions;
● Action Stub
● Condition entries
● Action entries

DATA DICTIONARY : A data dictionary contains information about the data items in the files of a business information system. In other words, it is a computer file about data.
Uses :
● Aids in documentation - To Programmers & analysts
● File Security
● For Accountant - Planning flow of transaction data
● For Auditors - Establish audit trail
● Aids in investigation / documenting internal control procedures
A data dictionary records :
● Identity of source document used to create data item
● Names of computer files storing data item
● Names of computer programs that modify data item
● Identity of individuals permitted to access
● Identity of individuals not permitted to access
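A decision table is only as good as its coverage: an auditor reading one checks that every combination of conditions is covered by some rule and that no two rules prescribe different actions for the same case. The following is an added example, not part of the revision notes: a small decision table class with the four parts named above (condition stub, action stub, condition entries, action entries), a decide function that applies it to a case, and completeness and contradiction checks over all 2^n condition combinations. The access-request table, its conditions and its actions are constructed for the example.

```python
"""Decision table with condition stub, action stub, condition entries and
action entries, plus the completeness and contradiction checks an auditor
applies to one.

Added example, not from the revision notes. The access-request table used
to exercise it is constructed for illustration."""
from itertools import product
from typing import Dict, Iterator, List, Set, Tuple

Rule = Tuple[Tuple[str, ...], Set[str]]   # (condition entries, action entries)


class DecisionTable:
    def __init__(self, conditions: List[str], actions: List[str]) -> None:
        self.conditions = list(conditions)   # condition stub
        self.actions = list(actions)         # action stub
        self.rules: List[Rule] = []          # one column of the table per rule

    def add_rule(self, entries: str, *acts: str) -> None:
        """entries: one of Y / N / - per condition, e.g. 'Y N -' ('-' = don't care)."""
        cond = tuple(entries.split())
        if len(cond) != len(self.conditions) or not set(cond) <= {"Y", "N", "-"}:
            raise ValueError(f"bad condition entries {entries!r}")
        if not set(acts) <= set(self.actions):
            raise ValueError(f"unknown action in {acts}")
        self.rules.append((cond, set(acts)))

    def _matches(self, cond: Tuple[str, ...], facts: Dict[str, bool]) -> bool:
        return all(e == "-" or (e == "Y") == facts[c]
                   for e, c in zip(cond, self.conditions))

    def decide(self, facts: Dict[str, bool]) -> Set[str]:
        """Actions for one case; refuses to guess when the table is unclear."""
        hits = [acts for cond, acts in self.rules if self._matches(cond, facts)]
        if not hits:
            raise LookupError(f"no rule covers {facts}")
        if any(h != hits[0] for h in hits):
            raise LookupError(f"contradictory rules for {facts}")
        return set(hits[0])

    def _all_cases(self) -> Iterator[Dict[str, bool]]:
        for values in product((True, False), repeat=len(self.conditions)):
            yield dict(zip(self.conditions, values))

    def gaps(self) -> List[Dict[str, bool]]:
        """Completeness check: condition combinations no rule covers."""
        return [f for f in self._all_cases()
                if not any(self._matches(c, f) for c, _ in self.rules)]

    def contradictions(self) -> List[Dict[str, bool]]:
        """Ambiguity check: cases matched by rules with different actions."""
        out = []
        for f in self._all_cases():
            hits = [a for c, a in self.rules if self._matches(c, f)]
            if len(hits) > 1 and any(h != hits[0] for h in hits):
                out.append(f)
        return out


# Constructed table: should a privileged access request be granted?
CONDITIONS = ["authenticated", "role_permits", "after_hours"]
ACTIONS = ["grant", "deny", "log", "alert"]


def access_table(complete: bool = True) -> DecisionTable:
    t = DecisionTable(CONDITIONS, ACTIONS)
    t.add_rule("Y Y N", "grant", "log")
    t.add_rule("Y Y Y", "grant", "log", "alert")   # permitted, but after hours
    t.add_rule("Y N -", "deny", "log")
    if complete:
        t.add_rule("N - -", "deny")                 # omit this and 4 cases are uncovered
    return t


if __name__ == "__main__":
    full = access_table()
    print(full.decide({"authenticated": True, "role_permits": True, "after_hours": True}))
    print("gaps in incomplete table:", access_table(complete=False).gaps())
```

The "don't care" entries keep the table short, but they are also where contradictions hide: adding a rule such as "Y - Y" that grants access would silently overlap the after-hours and role-denied columns, and the contradiction check reports exactly those two cases.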
LAYOUT FORM AND SCREEN GENERATOR, MENU GENERATOR, REPORT GENERATOR, CODE GENERATOR
● Layout form and Screen Generator
● Menu Generator
● Report Generator
● Code Generator

SYSTEM SPECIFICATION
At the end of the analysis phase, the systems analyst prepares a document called “Systems Requirement Specifications (SRS)”, which contains :
● Introduction
● Information Description
● Functional Description
● Behavioural Description
● Validation Criteria
● Appendix
● SRS Review

ROLES INVOLVED IN SDLC
● Steering Committee
● Project Manager
● Project Leader
● Systems Analyst / Business Analyst
● Module Leader / Team Leader
● Programmer / Coder / Developer
● Database Administrator (DBA)
● Quality Assurance
● Tester
● Domain Specialist
● IS Auditor
STAGE – III : SYSTEM DESIGN
System design involves first logical design and then physical construction of a system. Design specifications instruct programmers about what the system should do. The programmers, in turn, write the programs that accept input from users, process data, produce the reports, and store data in the files.

THE DESIGN PHASE INVOLVES :
● Architectural Design
● Design of the Data / Information Flow
● Design of the Database
● Design of the User-interface
● Physical Design
● Design and acquisition of the hardware / system software platform

DESIGN OF DATABASE
● Conceptual Modeling
● Data Modeling
● Storage Structure Design
● Physical Layout Design
DESIGN OF USER-INTERFACE
Output Objectives :
● Convey information about past, current and future
● Signal important events, opportunities, warnings
● Trigger an action

Important factors in Input / Output design : (CM’s Fraud on TV)
● Content
● Media
● Form
● Format

PHYSICAL DESIGN :
Design Principles -
● The recommended procedure is to design two or three alternatives and choose the best one on pre-specified criteria.
● The design should be based on the
down.
● The design should be modular.
ACQUISITION STANDARDS
● Ensuring security, reliability, and functionality already built into a product.
● Ensuring managers complete appropriate vendor, contract, and licensing reviews.
● Including invitations-to-tender and requests-for-proposals.
● Establishing acquisition standards to ensure functional, security, and operational requirements are accurately identified and clearly detailed in requests-for-proposals.

● Rapid implementation
● Cost
● Quality
● Low risk

Criteria for validating the proposal :
● Compatibility with Existing Systems
● Maintainability of the proposed system
● Cost benefits of the proposed system
● Performance rating of the proposed system in relation to its cost

METHODS OF VALIDATING PROPOSAL
● Checklists
● Point Scoring Analysis
● Public evaluation Reports
● Benchmarking problem for vendor’s proposal
● Test problems
STAGE – IV – Part 2 : DEVELOPMENT (PROGRAMMING TECHNIQUES AND LANGUAGES)
Objective : To convert the specification into a functioning system.
Activities : Application programs are written, tested and documented; system testing is conducted.
Document / Deliverable :

Characteristics Of A Good Coded Program :
● Reliability
● Robustness
● Accuracy
● Efficiency
● Usability
● Readability

Debugging
Debugging refers to correcting programming language syntax and diagnostic errors so that the program compiles cleanly. It consists of :
● Inputting the source program to the compiler,
● Letting the compiler find errors in the program,
● Correcting lines of code that are
● Incorrect Decision Making
● Costs of Computer Abuse
● Data retention and storage
● Audit Evidence
● Systematic Error
● The occurrence of non-compliance with laws and regulations.

The audit trail should record :
● Identity of the person who entered the data into the system.
● Time and date when the data was captured.
● Physical device used to enter the data into the system.
● Comprehensive log on hardware consumption
● Who received the output.
● When the output was
(iii) System Controls
● There should be electronic transfer of data without manual intervention.
● The auditor should comment on the audit trail maintained in the system for various activities.
● The auditor shall also ascertain that the system has separate logins for each user and maintains a trail of every transaction with respect to login ID, date and time for each data entry, authorisation and modification.
● There should be separate persons dedicated to system design, distinct from those operating the system.
● Contingency plans in case of failure of the system should be introduced and tested at periodic intervals.
● An appropriate control measure should be devised.
● Uniformity of software used by various branches / offices.
● Board of Directors and senior management are responsible for ensuring that an institution's system of internal controls operates effectively.
● Annual review of IS Audit Policy.
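The trail the auditor is asked to verify above (separate login per user; login ID, date and time, device, and an entry for each data entry, authorisation and modification) can be checked mechanically. The following is an added example, not part of the revision notes: an append-only transaction trail carrying those fields, a maker-checker test that flags any entry or modification not authorised afterwards by a different login, and a tamper-evidence check. The SHA-256 hash chain linking each entry to the previous one goes beyond what the notes require and is added here as the usual way to make such a trail tamper-evident; the five sample entries are constructed for the example.

```python
"""Transaction audit trail with login ID, timestamp, device and action per
entry; a maker-checker check; and a SHA-256 hash chain for tamper evidence.

Added example, not from the revision notes. The hash chain is an addition
beyond the notes' requirements; the sample entries are constructed."""
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Tuple

GENESIS = "0" * 64
ACTIONS = ("ENTRY", "MODIFY", "AUTHORISE")


@dataclass(frozen=True)
class TrailEntry:
    seq: int
    login_id: str       # one login per user, never shared
    timestamp: str      # date and time of capture, ISO 8601
    device: str         # physical terminal the data came from
    action: str         # ENTRY, MODIFY or AUTHORISE
    record_id: str      # the transaction affected
    detail: str
    prev_hash: str      # hash of the previous entry (chain link)
    entry_hash: str


def _digest(seq, login_id, timestamp, device, action, record_id, detail, prev_hash) -> str:
    payload = json.dumps([seq, login_id, timestamp, device, action, record_id, detail, prev_hash])
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[TrailEntry] = []

    def append(self, login_id, timestamp, device, action, record_id, detail) -> TrailEntry:
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        seq = len(self.entries) + 1
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        h = _digest(seq, login_id, timestamp, device, action, record_id, detail, prev)
        entry = TrailEntry(seq, login_id, timestamp, device, action, record_id, detail, prev, h)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """False if any entry was altered, removed or reordered after the fact."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            recomputed = _digest(e.seq, e.login_id, e.timestamp, e.device,
                                 e.action, e.record_id, e.detail, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or recomputed != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def unauthorised(self) -> List[Tuple[int, str]]:
        """Maker-checker: each ENTRY/MODIFY needs a later AUTHORISE on the same
        record by a different login. Returns (seq, record_id) of the failures."""
        flagged = []
        for e in self.entries:
            if e.action == "AUTHORISE":
                continue
            approved = any(a.action == "AUTHORISE" and a.record_id == e.record_id
                           and a.seq > e.seq and a.login_id != e.login_id
                           for a in self.entries)
            if not approved:
                flagged.append((e.seq, e.record_id))
        return flagged


def sample_trail() -> AuditTrail:
    """Constructed trail: one clean transaction, one self-approved, one
    unapproved modification."""
    t = AuditTrail()
    t.append("clerk01", "2024-03-04T09:15:02", "TERM-07", "ENTRY", "TXN-1001", "DR 2500.00 to 456789129")
    t.append("supv02", "2024-03-04T09:20:45", "TERM-02", "AUTHORISE", "TXN-1001", "approved")
    t.append("clerk01", "2024-03-04T10:02:10", "TERM-07", "ENTRY", "TXN-1002", "CR 800.00 to 120034567")
    t.append("clerk01", "2024-03-04T10:02:31", "TERM-07", "AUTHORISE", "TXN-1002", "approved")  # self-approval
    t.append("clerk03", "2024-03-04T16:48:09", "TERM-11", "MODIFY", "TXN-1001", "amount 2500.00 -> 250.00")
    return t


def tamper_demo() -> Tuple[bool, bool]:
    """Chain status before and after someone rewrites entry 5 in place."""
    t = sample_trail()
    before = t.verify_chain()
    t.entries[4] = replace(t.entries[4], detail="amount 2500.00 -> 2500.00")
    return before, t.verify_chain()


if __name__ == "__main__":
    t = sample_trail()
    print("chain intact:", t.verify_chain())
    print("not properly authorised:", t.unauthorised())
    print("before/after tampering:", tamper_demo())
```

The maker-checker test is what the "separate logins for each user" requirement buys: with shared logins the self-approval of TXN-1002 would be invisible. The chain check is cheap to run at each review and answers the auditor's question of whether the trail can be relied on at all.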
NATIONAL CYBER SECURITY POLICY - OBJECTIVES :
● To enhance and create National and Sectorial level 24*7
● To enhance the protection and resilience of the Nation's critical
cybercrime;
● To create a culture of cyber security and privacy enabling

PDCA CYCLE :
● The Do Phase
● The Act Phase
CLOUD COMPUTING ENVIRONMENT
(a) Public Clouds
(b) Private Clouds
(c) Hybrid Clouds
(d) Community Clouds

● Multi-tasking
2. To scale the IT ecosystem quickly, easily and cost-effectively.
● Back End Architecture

CLOUD COMPUTING MODELS
1. Infrastructure as a Service (IaaS) - Services :
● Storage
● Network
● Compute Instances
2. Platform as a Service (PaaS) - Services :
● Programming Languages
● Framework/Templates
● Database (For Software Instances)
3. Software as a Service (SaaS) - Services :
● Business Services
● Social Network
● Document Management
● Mail Services
Other service models :
● NaaS
● STaaS
● DBaaS
● TaaS
● APIaaS
● EaaS