REVISION
CHAPTER 1 : CONCEPTS OF GOVERNANCE AND MANAGEMENT OF INFORMATION SYSTEMS

KEY CONCEPTS OF GOVERNANCE :
● Governance
● Enterprise Governance
● Corporate Governance

BENEFITS OF GOVERNANCE : (Afterwards Deffy and I Provided Improvised Decision)
1. Achieving enterprise objectives
2. Defining and encouraging desirable behaviour in the use of IT
3. Implementing and integrating the desired business processes
4. Providing stability
5. Improving customer, business and internal relationships
6. Enabling effective and strategically aligned decision making for the IT

GOVERNANCE DIMENSIONS
● Conformance or Corporate Governance Dimension
● Performance or Business Governance Dimension

BENEFITS OF IT GOVERNANCE
● Increased value delivered through enterprise IT
● Increased user satisfaction
● Improved agility
● Better cost performance
● Improved management
● IT becoming an enabler
● Improved transparency
● Improved compliance
● More optimal utilisation of IT resources

KEY PRACTICES TO DETERMINE STATUS OF IT GOVERNANCE
● Who makes directing, controlling and executing decisions ?
● How the decisions are made ?
● What information is required to make the decisions ?
● What decision-making mechanisms are required ?
● How exceptions are handled ?
● How the governance results are monitored and improved ?

BENEFITS OF GEIT
● It provides a consistent approach.
● IT-related decisions are made in line with the enterprise's strategies and objectives.
● IT-related processes are overseen effectively.
● Compliance with legal and regulatory requirements.
● Governance requirements for board members are met.

KEY GOVERNANCE PRACTICES OF GEIT : (Electronic Dance Music)
1. Evaluate the Governance System
2. Direct the Governance System
3. Monitor the Governance System

Information Systems Control and Audit
BEST PRACTICES OF CORPORATE GOVERNANCE : (SAIF AND FARHAN CLEARLY EXERCISE IN GYM)
1. Special monitoring
2. Appropriate information flows internally and to the public
3. Financial and managerial incentives
4. Clear assignment of responsibilities
5. Establishment of a mechanism for the interaction and co-operation among the board of directors, senior management and the auditors
6. Implementing strong internal control systems

INTERNAL CONTROLS : (MAP)
The SEC's final rules define "internal control over financial reporting" :
1. Pertain to the maintenance of records
2. Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements
3. Provide reasonable assurance regarding prevention or timely detection of unauthorised acquisition, use, or disposition of the company's assets

INTERNAL CONTROLS AS PER COSO : (ERA of Communalism was Monitored)
1. Control Environment
2. Risk Assessment
3. Control Activities
4. Information and Communication
5. Monitoring

IT STEERING COMMITTEE
The role and responsibility of the IT Steering Committee :
● To ensure that long and short-range plans of the IT department are in tune with enterprise goals and objectives
● To establish size and scope of IT
● To review and approve major IT deployment projects
● To approve and monitor key projects
● To review the status of IS plans
● To review and approve standards, policies and procedures
● To make decisions on all key aspects of IT
● To facilitate implementation of IT security
● To facilitate and resolve conflicts in deployment of IT
● To report to the Board of Directors on IT activities on a regular basis

STRATEGIC PLANNING
There are three levels of managerial activity in an enterprise :
● Strategic Planning
● Management Control
● Operational Control

IT strategy planning in an enterprise could be broadly classified into the following categories :
● Enterprise Strategic Plan
● Information Systems Strategic Plan
● Information Systems Requirements Plan
● Information Systems Applications and Facilities Plan

KEY MANAGEMENT PRACTICES FOR ALIGNING IT STRATEGY WITH ENTERPRISE STRATEGY : (U Are The Greatest Show Conductor)
1. Understand enterprise direction
2. Assess the current environment, capabilities and performance
3. Define the target IT capabilities
4. Conduct a gap analysis
5. Define the strategic plan and road map
6. Communicate the IT strategy and direction

BUSINESS VALUE FROM USE OF IT : (Electronic Dance Music)
1. Evaluate Value Optimisation
2. Direct Value Optimisation
3. Monitor Value Optimisation

SOURCES OF RISK : (Mainly HNI Causes Political and Economical Tension)
1. Management activities and controls
2. Human behaviour
3. Natural events
4. Individual activities
5. Commercial and Legal relationships
6. Political circumstances
7. Economic circumstances
8. Technology and Technical issues

RELATED TERMS
1. Asset : Asset can be defined as something of value to the organisation; e.g. information in electronic or physical form, software systems, employees.
2. Vulnerability : Vulnerability is the weakness in the system safeguards that exposes the system to threats.
3. Threat : Any entity, circumstance, or event with the potential to harm the software system or component through its unauthorised access, destruction, modification, and / or denial of service is called a threat.
4. Likelihood : Likelihood of the threat occurring is the estimation of the probability that the threat will succeed in achieving an undesirable event.
5. Attack : An attack is an attempt to gain unauthorised access to the system's services or to compromise the system's dependability.

These risks lead to a gap between the need to protect systems and the degree of protection applied. The gap is caused by:
● Widespread use of technology.

● Interconnectivity of systems.

● Elimination of distance, time and space as constraints.

● Unevenness of technological changes.

● Devolution of management and control.

● External factors such as legislative, legal and regulatory requirements or technological developments.

Countermeasure : An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a countermeasure.
Residual Risk : Any risk still remaining after the countermeasures are analysed and implemented is called residual risk.
RISK MANAGEMENT STRATEGIES : (5T)
● Tolerate/Accept the risk
● Terminate/Eliminate the risk
● Transfer/Share the risk
● Treat/Mitigate the risk
● Turn back

KEY GOVERNANCE PRACTICES OF RISK MANAGEMENT : (Electronic Dance Music)
1. Evaluate Risk Management
2. Direct Risk Management
3. Monitor Risk Management

KEY MANAGEMENT PRACTICES OF RISK MANAGEMENT : (CA and MAD about Results)
1. Collect Data
2. Analyse Risk
3. Maintain a Risk Profile
4. Articulate Risk
5. Define a Risk Management Action Portfolio
6. Respond to Risk

KEY MANAGEMENT PRACTICES OF IT COMPLIANCE : (I Owe Company an Apology)
1. Identify external compliance requirements
2. Optimise response to external requirements
3. Confirm external compliance
4. Obtain assurance of external compliance

COBIT 5 - A GEIT FRAMEWORK : NEED FOR ENTERPRISES TO USE COBIT 5
1. Increased value creation from use of IT.
2. User satisfaction with IT engagement and services.
3. Reduced IT-related risks and compliance with laws, regulations and contractual requirements.
4. The development of more business-focused IT solutions and services.
5. Increased enterprise wide involvement in IT-related activities.

CUSTOMISING COBIT AS PER NEED : (I Regularly Go and Ask For Leave)
1. Information security
2. Risk management
3. Governance and management of enterprise IT
4. Assurance activities
5. Financial processing or CSR reporting
6. Legislative and regulatory compliance

FIVE PRINCIPLES OF COBIT 5 : (Municipal Corporation of Ahmedabad Ensures Safety)
Principle 1 : Meeting Stakeholder Needs
Principle 2 : Covering the Enterprise End-to-End
Principle 3 : Applying a Single Integrated Framework
Principle 4 : Enabling a Holistic Approach
Principle 5 : Separating Governance from Management

COBIT 5 ENABLERS : (Principal Informs us about the Organisation, Processes, Culture and Services rendered to People)
1. Principles, policies and frameworks
2. Information
3. Organisational structures
4. Processes
5. Culture, ethics and behaviour
6. Services, infrastructure and applications
7. People, skills and competencies

COMPONENTS OF COBIT 5 :
1. Control Objective
2. Framework
3. Process Descriptions
4. Management Guidelines

EVALUATING IT GOVERNANCE STRUCTURE AND PRACTICES BY INTERNAL AUDITORS : (Organisational Leaders Perform to Process Risky Controls)
1. Organisational Structure
2. Leadership
3. Performance Measurement/Monitoring
4. Processes
5. Risks
6. Controls

The key management practices for assessing and evaluating the system of internal controls in an enterprise are given as follows : (Play Station Is Ensured to be Exchanged on MRP)
1. Plan assurance initiatives
2. Scope assurance initiatives
3. Identify and report control deficiencies
4. Ensure that assurance providers are independent and qualified
5. Execute assurance initiatives
6. Monitor internal controls
7. Review business process controls effectiveness
8. Perform control self-assessment

CHAPTER 2 : INFORMATION SYSTEMS CONCEPTS

CLASSIFICATION OF SYSTEM
1. Elements
● Abstract System
● Physical System
2. Interactive Behaviour
● Closed System
● Open System
● Relatively Closed System
3. Degree of Human Intervention
● Manual System
● Automated System
4. Working / Output
● Deterministic System
● Probabilistic System

CHARACTERISTICS OF INFORMATION : (CAR has MRF Tyres and Voice Recorder)
1. Completeness
2. Cost Benefit Analysis
3. Accuracy and Quality
4. Relevance and Purpose
5. Mode and Format
6. Redundancy
7. Frequency
8. Timeliness
9. Validity
10. Reliability

COMPONENTS OF INFORMATION SYSTEM
● People
● Computer System
● Data
● Network

CHARACTERISTICS OF A BUSINESS SYSTEM / COMPUTER-BASED INFORMATION SYSTEM (CBIS)
● All systems work for predetermined objectives
● No subsystem can function in isolation
● If one subsystem or component of a system fails, then in most cases the whole system does not work.
● The way a subsystem works with another subsystem is called interaction.
● The work done by an individual subsystem is integrated to achieve the central goal of the system.

MAJOR AREAS OF COMPUTER BASED APPLICATIONS
1. Finance and Accounting
2. Marketing and Sales
3. Production and Manufacturing
4. Inventory / Stores Management
5. Human Resource Management

TYPES OF INFORMATION SYSTEMS
● Operational Level IS
- Transaction Processing Systems (TPS)
● Management Level IS
- Management Information Systems (MIS)
- Decision Support Systems (DSS)
● Strategic Level IS
- Executive Information Systems (EIS)
● Knowledge Base IS
- Knowledge Management Systems (KMS)
- Office Automation Systems (OAS)

TRANSACTION PROCESSING SYSTEM (TPS)
● Capturing data to organize in files or databases
● Processing of files / databases
● Generating information
● Handling of queries from various quarters of the organization.

TPS COMPONENTS
● Inputs
● Processing
● Storage
● Outputs

FEATURES OF TPS : (LABS)
● Large volume of data
● Automation of basic operations
● Benefits are easily measurable
● Source of input for other systems

MANAGEMENT INFORMATION SYSTEM (MIS)
Characteristics of an Effective MIS : (MICS is a History)
1. Management Oriented
2. Management Directed
3. Integrated
4. Common Database
5. Computerised
6. Sub system concept
7. Heavy Planning Element

MISCONCEPTIONS ABOUT MIS
● Any computer based information system is a MIS.
● Any reporting system is MIS.
● MIS is a management technique.
● MIS is a bunch of technologies.
● It is a file structure.
● The study of MIS is about use of computers.
● More data in generated reports means more information to managers.
● Accuracy plays vital role in reporting.

PRE-REQUISITES OF AN MIS : (D - CESS)
1. Database
2. Control and Maintenance of MIS
3. Evaluation of MIS
4. System and Management Staff should be qualified
5. Support of Top Management

CONSTRAINTS IN OPERATING A MIS : (QUEST)
1. Qualified staff not available
2. Quantifying the benefits of MIS is difficult
3. Expert's turnover is high
4. Selection of Sub system of MIS
5. Standardised approach not possible
6. Staff's Cooperation not available

LIMITATIONS OF THE MANAGEMENT INFORMATION SYSTEM : (LIMITATION)
1. Less useful for unstructured data
2. Internal information is taken into consideration
3. Management keeps changing, and so do their goals
4. Inputs and processing quality determines the quality of outputs of MIS
5. Transaction processing system's limitations still exist in MIS
6. Ad-hoc reporting is not possible
7. The Attitudes and morale (non-quantitative factors) are ignored
8. Integration is lacking
9. Hoarding of information and not sharing with others exists and hence reduces the effectiveness of MIS
10. Not a substitute for effective management.
CHARACTERISTICS OF DSS
1. This supports decision making
2. It should be able to help group making decisions.
3. It should be flexible
4. DSS focuses on decision rather than data and information.
5. It should be easy to use.
6. DSS can be used for structured problems.
7. DSS should be user-friendly.
8. DSS should be extensible and evolve over time.
9. DSSs are used mainly for decision making rather than communicating decisions and training purposes.
10. The impact of DSS should be on decision where the manager's judgement is essential

COMPONENTS OF A DSS
● The User
● Databases
● A planning language
● Model Base

EXAMPLES OF DSS IN ACCOUNTING
1. Cost Accounting System
2. Capital Budgeting System
3. Budget Variance Analysis System
4. General Decision Support System

CHARACTERISTICS OF EIS
● EIS is a Computer-based-information system
● EIS enables users to extract summary data
● EIS provides rapid access to timely information
● EIS is capable of accessing both internal and external data
● EIS provides extensive online analysis tool
● EIS can easily be given a DSS support for decision making

CHARACTERISTICS OF THE TYPES OF INFORMATION USED IN EXECUTIVE DECISION-MAKING : (SUFI Level)
1. Structure is lacking
2. High degree of Uncertainty
3. Future orientation
4. Informal source
5. Low Level of detail

PRINCIPLES TO BE FOLLOWED WHILE DESIGNING AN EIS
● Easy to understand and collect.
● Based on a balanced view of the organisation’s objectives.
● Reflecting everyone’s contribution in a fair and consistent way.
● Encouraging for the management and staff to share ownership of the organisation’s objectives.
● Available to everyone in the organization.
● Evolving to meet the changing needs of the organization.

KNOWLEDGE MANAGEMENT SYSTEMS (KMS)
Types of Knowledge
● Explicit Knowledge
● Tacit Knowledge

Different office activities can be broadly grouped into the following types of operations : (Files are Created, Captured, Calculated & Recorded before Distribution)
● Filing, Search, Retrieval and Follow up
● Document Creation
● Document Capture
● Calculations
● Recording Utilization of Resources
● Receipts and Distribution

BENEFITS OF OFFICE AUTOMATION SYSTEMS
(i) Improve communication
(ii) Reduce the cycle time
(iii) Reduce the costs
(iv) Ensure accuracy

CATEGORIES OF COMPUTER BASED OFFICE AUTOMATION SYSTEMS
1. Text Processing Systems
2. Electronic Document Management Systems
3. Electronic Message Communication Systems
4. Teleconferencing and Video-conferencing Systems

BUSINESS APPLICATIONS OF EXPERT SYSTEM
1. Accounting and Finance
2. Marketing
3. Manufacturing
4. Personnel
5. General Business

BENEFITS OF EXPERT SYSTEMS
(i) Expert Systems preserve knowledge
(ii) Expert Systems put information into an active-form
(iii) Expert Systems assist novices in thinking
(iv) Expert Systems are not subject to such human failings
(v) Expert Systems can be effectively used as a strategic tool

The Properties That Potential Applications Should Possess to Qualify For Expert System Development are : (Due to Domain Structure Complexity Expertise is Available)
(i) Domain
(ii) Structure
(iii) Complexity
(iv) Expertise
(v) Availability

ENTERPRISE RESOURCE PLANNING (ERP)
A. Components of ERP/Methodology for Implementing ERP Model
● Software
● Process Flow
● Customer Mindset
● Change Management

B. Benefits of ERP
● Streamline processes into single integrated system.
● Improves workflow and efficiency.
● Reduced duplication in data entry.
● Establish uniform process for sharing information.
● Inventory - Reduced inventory cost from better planning.
● Improved customer satisfaction.
● Faster collection based on better visibility of accounts.
● Prepares consolidated picture for organisation.


CORE BANKING SYSTEM (CBS)
Elements of CBS :
(a) Opening a new account
(b) Process cash deposit and withdrawal
(c) Processing payments and cheques
(d) Making loans
(e) Calculating interest
(f) Managing CRM
(g) Establishing minimum balance criteria
(h) Maintaining records of all activities

Information systems perform following three vital roles in business firms :
1. "Support an organization's business processes and operations"
2. "Support business decision-making"
3. "Support Strategic Competitive Advantage"

To operate information systems (IS) effectively and efficiently a business manager should have following knowledge about it :
● Foundation Concepts
● Information Technologies (IT)
● Business Applications
● Development Processes
● Management Challenges

INFORMATION SYSTEM AND ITS ROLE IN MANAGEMENT
● Aids in decision-making
● Gain competitive edge
● Innovative ideas
● Knowledge
● It can be integrated to formulate a strategy of action or operation

The impact of IT on information systems for different sectors is explained below :
1. E-business
2. Financial Service Sector
3. Wholesaling and Retailing
4. Public Sectors
5. Others

CHAPTER 3 : PROTECTION OF INFORMATION ASSETS

SECURITY OBJECTIVE
● Confidentiality
● Integrity
● Availability

WHAT INFORMATION IS SENSITIVE ?
● Strategic Plans
● Business Operations
● Finances

TOOLS TO IMPLEMENT POLICY
Standards, Guidelines and Procedures

ISSUES TO ADDRESS
● A definition of information security.
● Reasons why information security is important.
● A brief explanation of the security policies, principles, standards and compliance requirements.
● Definition of all relevant information security responsibilities.
● Reference to supporting documentation.

MEMBERS OF SECURITY POLICY
● Management members
● Technical group
● Legal experts

TYPES OF INFORMATION SECURITY POLICIES AND THEIR HIERARCHY : (U And I Can Obviously Nail It)
1. User Security Policy
2. Acceptable Usage Policy
3. Information Security Policy
4. Conditions of Connection
5. Organisational Information Security Policy
6. Network and System Security Policy
7. Information Classification Policy

EFFECT OF COMPUTERS ON INTERNAL CONTROLS : (RAM’S Personal Assistant)
● Record keeping
● Access to assets and records
● Management supervision and review
● Segregation of duties
● Personnel
● Authorisation procedures

Internal Controls used within an Organisation comprise of the following five Interrelated Components : (Environment Information Requires Resources Monitoring Activities)
● Control Environment
● Information and Communication
● Risk Assessment
● Monitoring
● Control Activities

BASED ON OBJECTIVE
1. Preventive Controls
2. Detective Controls
3. Corrective Controls
4. Compensatory Controls

Another Classification of Controls is based on the Nature of such Controls with regard to the Nature of IS Resources to which they are applied :
(i) Environmental Controls
(ii) Physical Access Controls
(iii) Logical Access Controls
BASED ON AUDIT FUNCTION
(a) Managerial Control
(b) Application Control

INFORMATION CLASSIFICATION : (TCP/IP)
● Top Secret
● Highly Confidential
● Proprietary
● Internal Use only
● Public Documents

ACCESS CONTROL MECHANISMS
1. Identification
2. Authentication
3. Authorisation

LOGICAL ACCESS PATHS : (D BOOT)
1. Dial-up Ports
2. Online Terminals
3. Operator Console
4. Telecommunication Network

TECHNICAL EXPOSURES (TECHNICAL RISKS) : (Worms Destroyed D Horse by Throwing Bombs)
(a) Worms
(b) Data Diddling
(c) Rounding Down
(d) Trojan Horse
(e) Salami Techniques
(f) Bombs

ASYNCHRONOUS ATTACKS : (Pig LTD)
(a) Piggybacking
(b) Data Leakage
(c) Wire-Tapping
(d) Shut Down of the Computer/Denial of Service

COMPUTER CRIME EXPOSURES : (Free DISCS)
(a) Financial Loss
(b) Legal Repercussions
(c) Disclosure of Confidential, Sensitive or Embarrassing Information
(d) Industrial Espionage/Blackmail
(e) Sabotage
(f) Loss of Credibility/Competitive Edge
(g) Spoofing

USER CONTROLS
1. Boundary Control
2. Input Control
3. Processing Control
4. Output Control
5. Database Control
6. Communication Control

BOUNDARY CONTROL TECHNIQUES ARE
● Personal Identification Numbers (PIN)
● Passwords
● Cryptography
● Identification Cards
● Biometric Devices

INPUT CONTROLS
(a) Source Document Controls
● Use pre-numbered source document
● Use source documents in sequence
● Periodically audit source documents
(b) Data Coding Controls
● Transcription Errors
- Addition
- Truncation
- Substitution
● Transposition Errors
- Single transposition
- Multiple transposition
(c) Validation Controls
● Field interrogation
● Record interrogation
● File interrogation

FIELD INTERROGATION
● Limit Check
● Picture Check
● Valid Code Checks
● Check Digit
● Arithmetic Checks
● Cross Checks

RECORD INTERROGATION
● Reasonableness Check
● Valid Sign
● Sequence Check

FILE INTERROGATION
● Version Usage
● Internal and External Labeling
● Data File Security
● Before and after Image and Logging
● File Updating and Maintenance Authorisation
● Parity Check

PROCESSING CONTROLS
1. Processor Control
(i) Error detection and correction
(ii) Multiple execution states
(iii) Timing controls
(iv) Component replication
2. Real Memory Control
3. Virtual Memory Control
4. Data Processing Control : (REFER)
● Run-to-run totals
● Edit checks
● Field initialization
● Exception reports
● Reasonableness verification
● Existence and Recovery Control

OUTPUT CONTROLS : (Spoon and Log Require Retaining, Storing, Reporting & Printing)
● Spooling/Queuing
● Logging of output program executions
● Recovery Controls
● Retention controls
● Storage of sensitive critical forms
● Report distribution and collection controls
● Printing Controls

DATABASE CONTROLS
The update controls are :
● Sequence Check Transaction and Master Files
● Ensure All Records on Files are processed
● Process multiple transactions for a single record in the correct order
● Maintain a suspense account
The Report controls are : (Standard Print Recovery)
● Standing Data Controls
● Print Run-to-Run control Totals
● Print Suspense Account Entries
● Existence/Recovery Controls

COMMUNICATION CONTROL
(a) Physical Component Control
(b) Line Error Control
(c) Flow Control
(d) Link Control
(e) Topology Control
(f) Internet Working Control

MANAGERIAL CONTROLS
1. Top Management and Information Systems Management
2. Systems Development Management Controls
3. Programming Management Controls
4. Data Resource Management Controls
5. Quality Assurance Management Controls
6. Security Management Controls
7. Operations Management Controls
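The field interrogation checks listed above (limit, picture, valid code, check digit, arithmetic and cross checks) and the data coding errors under Input Controls that a check digit is meant to catch (addition, truncation, substitution, single and multiple transposition) can be seen working together in the routine below. This is an added example written for these notes, not code from the study material: the payroll-style record layout, the 0 to 80 hours limit, the "dddd.dd" rate picture, the department code table and the modulus-11 check digit scheme are all assumptions chosen for illustration.

```python
"""Field interrogation checks run over a constructed payroll-style record.

Added example (not from the revision notes): the record layout, the
0..80 hours limit, the 'dddd.dd' rate picture, the department code table
and the modulus-11 check digit are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# Assumed valid-code table for the department field.
VALID_DEPT_CODES = {"FIN", "MKT", "PRD", "HRM"}


def mod11_check_digit(body: str) -> str:
    """Modulus-11 check digit: weight the digits 2, 3, ... from the right,
    sum them and take the complement of the remainder. A remainder of 10
    is written as 'X', as in ISBN-10 style schemes."""
    total = sum(int(d) * w for d, w in zip(reversed(body), range(2, 2 + len(body))))
    remainder = (11 - total % 11) % 11
    return "X" if remainder == 10 else str(remainder)


def check_digit_valid(key: str) -> bool:
    """True when the last character is the correct check digit for the rest."""
    if len(key) < 2 or not key[:-1].isdigit():
        return False
    return mod11_check_digit(key[:-1]) == key[-1]


@dataclass
class PayRecord:
    emp_id: str       # 5 digits plus a modulus-11 check digit
    dept: str         # 3-letter department code
    hours: float      # hours worked in the period
    rate: str         # hourly rate exactly as keyed, e.g. "12.50"
    gross: float      # gross pay as keyed by the operator
    birth_year: int
    join_year: int


def field_interrogation(rec: PayRecord) -> list:
    """Return the names of the checks the record fails (empty = record passes)."""
    failures = []
    # Limit check: a numeric field must fall within a permitted range.
    if not 0 <= rec.hours <= 80:
        failures.append("limit:hours")
    # Picture check: the field must match the expected character pattern.
    if not re.fullmatch(r"\d{1,4}\.\d{2}", rec.rate):
        failures.append("picture:rate")
    # Valid code check: the value must exist in the reference table.
    if rec.dept not in VALID_DEPT_CODES:
        failures.append("valid_code:dept")
    # Check digit: catches mis-keyed identifiers (see coding_error_demo).
    if len(rec.emp_id) != 6 or not check_digit_valid(rec.emp_id):
        failures.append("check_digit:emp_id")
    # Arithmetic check: recompute a derived field and compare with what was keyed.
    if "picture:rate" not in failures:
        if round(rec.hours * float(rec.rate), 2) != round(rec.gross, 2):
            failures.append("arithmetic:gross")
    # Cross check: two fields of the same record must be mutually consistent.
    if rec.join_year - rec.birth_year < 16:
        failures.append("cross:join_year_vs_birth_year")
    return failures


def coding_error_demo() -> dict:
    """Constructed keying errors against the valid id '204676' (body 20467,
    check digit 6). Each value is True when the check digit detects the error."""
    keyed = {
        "addition": "2046706",               # an extra digit keyed
        "truncation": "20466",               # a digit dropped
        "substitution": "204976",            # one digit replaced by another
        "single_transposition": "240676",    # adjacent digits swapped
        "multiple_transposition": "704626",  # non-adjacent digits swapped
    }
    return {name: not check_digit_valid(value) for name, value in keyed.items()}


if __name__ == "__main__":
    clean = PayRecord("204676", "FIN", 40, "12.50", 500.00, 1980, 2005)
    faulty = PayRecord("240676", "ACC", 90, "12.5", 500.00, 1990, 2000)
    print("clean record :", field_interrogation(clean))
    print("faulty record:", field_interrogation(faulty))
    print("coding errors detected:", coding_error_demo())
```

Running the module directly prints an empty failure list for the clean record, five named failures for the faulty one (the arithmetic check is skipped once the rate fails its picture check, since the derived value cannot be trusted), and True for every constructed coding error, which is why a check digit is placed on key fields such as account or employee numbers rather than relying on the limit and picture checks alone.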
DATA INTEGRITY : (SID is on the POT)
● Source data control
● Input validation routines
● On-line Data Entry Controls
● Data Processing and Storage Controls
● Output Controls
● Data Transmission Controls

DATA INTEGRITY POLICIES
● Virus-Signature Updating
● Software Testing
● Division of Environments
● Offsite Backup Storage
● Quarter-End and Year-End Backups
● Disaster Recovery

DATA SECURITY
An IS auditor is responsible to evaluate the following when reviewing the adequacy of data security controls :
● Who is responsible for the accuracy of the data?
● Who is permitted to update data?
● Who is permitted to read and use the data?
● Who is responsible for determining who can read and update the data?
● Who controls the security of the data?
● If the IS system is outsourced, what security controls and protection mechanism does the vendor have in place to secure and protect data?
● Contractually, what penalties or remedies are in place to protect the tangible and intangible values of the information?

FINANCIAL CONTROL TECHNIQUES
● Authorization
● Budgets
● Cancellation of documents
● Documentation
● Dual control
● Input/ output verification
● Supervisory review

PERSONAL COMPUTERS CONTROLS
Related risks :
● Easy to connect and disconnect
● Pen drives can be very conveniently transported
● Does not provide inherent data safeguards
● Segregation of duty is not possible
● The staff mobility is higher
● The operating staff may not be adequately trained

CONTROL
The Security Measures that could be exercised to overcome these aforementioned risks are given as follows :
● Physically locking the system
● Proper logging of equipment shifting must be done
● Centralised purchase of hardware and software
● Standards set for developing, testing and documenting
● Uses of antimalware software
● The use of personal computers and their peripherals must be controlled.

REMOTE AND DISTRIBUTED DATA PROCESSING APPLICATIONS CAN BE CONTROLLED IN MANY WAYS
● Remote access to computer and data files through the network should be implemented.

● Having a terminal lock

● Applications that can be remotely accessed via modems and other devices should be controlled appropriately.

● Terminal and computer operations at remote locations should be monitored carefully and frequently.

● There should be proper control mechanisms over system documentation and manuals.

● Data transmission over remote locations should be controlled.

● When replicated copies of files exist at multiple locations, it must be ensured that all are identical copies containing the same information, and checks are also done to ensure that duplicate data does not exist.

LOGICAL ACCESS CONTROL ACROSS THE SYSTEM
● User access management
● User responsibilities
● Network access control
● Operating system access control
● Application and monitoring system access control
● Mobile computing

PHYSICAL ACCESS ISSUES AND EXPOSURES
The following points elucidate the results due to accidental or intentional violation of the access paths :
● Abuse of data processing resources.
● Blackmail
● Embezzlement
● Damage, vandalism or theft to equipments or documents.
● Modification of sensitive equipment and information.
● Public disclosure of sensitive information.
● Unauthenticated entry

PHYSICAL ACCESS CONTROLS
1. Locks on Doors
● Cipher locks (Combination Door Locks)
● Bolting Door Locks
● Electronic Door Locks
● Biometric Door Locks
2. Physical identification medium
● Personal Identification numbers (PIN)
● Plastic Cards
● Cryptographic Control
● Identification Badges
3. Logging on utilities
● Manual Logging
● Electronic Logging
4. Other means of controlling Physical Access
● Video Cameras
● Security Guards
● Controlled Visitor Access
● Bonded Personnel
● Dead man Doors
● Non-exposure of Sensitive Facilities
● Computer Terminal Locks
● Controlled Single Entry Point
● Alarm System
● Perimeter Fencing

CONTROLS FOR ENVIRONMENTAL EXPOSURES
● Hand-Held Fire Extinguishers
● Manual Fire Alarms
● Fire Suppression Systems
- Dry-Pipe sprinkling systems
- Water based systems
- Halon systems
● Regular Inspection by Fire Department
● Water Detectors
● Smoke Detectors
● Strategically Locating the Computer Room
● Fireproof Walls, Floors and Ceilings surrounding the Computer Room
● Electrical Surge Protectors
● Uninterruptible Power Supply (UPS) / Generator
● Power Leads from Two Substations
● Emergency Power-Off Switch
● Wiring Placed in Electrical Panels and Conduit
● Prohibitions against Eating, Drinking and Smoking within the Information Processing Facility
● Documented and Tested Emergency Evacuation Plans

CYBER FRAUDS
Two types :
● Pure Cyber Frauds
● Cyber Enabled Frauds

IMPACT OF CYBER FRAUDS ON ENTERPRISES
● Financial Loss
● Legal Repercussions
● Loss of Credibility or Competitive Edge
● Disclosure of Confidential, Sensitive or Embarrassing Information
● Sabotage

CYBER ATTACKS
The major cyber-attacks during the year 2011 are discussed as follows :
● Phishing
● Network Scanning
● Virus/Malicious Code
● Spam
● Website Compromise / Malware Propagation
● Others
- Cracking
- Eavesdropping
- E-mail Forgery
- E-mail Threats
- Scavenging

TECHNIQUES TO COMMIT CYBER FRAUDS
1. Hacking
2. Cracking
3. Data Diddling
4. Data Leakage
5. Denial of Service (DoS) Attack
6. Internet Terrorism
7. Logic Time Bombs
8. Masquerading or Impersonation
9. Password Cracking
10. Piggybacking
11. Round Down
12. Scavenging or Dumpster Diving
13. Social Engineering Techniques
14. Super Zapping
15. Trap Door
CHAPTER 4 : BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING

NEED FOR BUSINESS CONTINUITY MANAGEMENT (BCM)
Some key terms related to BCM :
1. Business Contingency
2. BCP Process
3. Business Continuity Planning (BCP)

ADVANTAGE OF BUSINESS CONTINUITY
1. is able to proactively assess the threat scenario and potential risks;
2. has planned response to disruptions which can contain the damage and minimize the impact on the enterprise; and
3. is able to demonstrate a response through a process of regular testing and trainings.

BCM POLICY
The objective of this policy is to provide a structure through which :
● Critical services and activities undertaken by the enterprise operation for the customer will be identified.
● Plans will be developed to ensure continuity of key service delivery.
● Invocation of incident management and business continuity plans can be managed.
● Incident Management Plans and Business Continuity Plans are subject to ongoing testing, revision and updation as required.
● Planning and management responsibility are assigned to a member of the relevant senior management team.

BUSINESS CONTINUITY PLANNING
Business continuity covers the following areas :
● Business resumption planning
● Disaster recovery planning
● Crisis management

PHASES OF BUSINESS CONTINUITY PLANNING : (Pakistan Vs Bangladesh Delayed Playing Their Match In India)
The eight phases are described in detail in the following :
1. Pre-Planning Activities
2. Vulnerability Assessment and General Definition of Requirements
3. Business Impact Analysis
4. Detailed Definition of Requirements
5. Plan Development
6. Testing Program
7. Maintenance Program
8. Initial Plan Testing and Plan Implementation

OBJECTIVES AND GOALS OF BUSINESS CONTINUITY PLANNING
The key objectives of the contingency plan should be to :
● Provide for the safety and well-being of people on the premises at the time of disaster.
● Continue critical business operations.
● Minimise the duration of a serious disruption.
● Minimise immediate damage and losses.
● Establish management succession and emergency powers.
● Identify critical lines of business and supporting functions.
The goals of the business continuity plan should be to :
● Identify weaknesses and implement a disaster prevention program.
● Minimise the duration of a serious disruption to business operations.
● Facilitate effective co-ordination of recovery tasks.
● Reduce the complexity of the recovery effort.
COMPONENTS OF BCM PROCESS
● BCM - Management Process
● BCM - Information Collection Process
● BCM - Strategy Process
● BCM - Development and Implementation Process
● BCM Testing and Maintenance Process
● BCM Training Process

BCM DOCUMENTATION AND RECORDS
The following documents (representative only) are classified as being part of the business continuity management system :
● The business continuity policy;
● The business continuity management system;
● The business impact analysis report;
● The risk assessment report;
● The aims and objectives of each function;
● The activities undertaken by each function;
● The business continuity strategies;
● The overall and specific incident management plans;
● The business continuity plans;
● Change control, preventative action, corrective action, document control and record control processes;
● Local Authority Risk Register;
● Exercise schedule and results;
● Incident log; and
● Training program.

BUSINESS IMPACT ANALYSIS (BIA)
For each activity supporting the delivery of key products and services within the scope of its BCM program, the enterprise should :
● assess the impacts that would occur if the activity was disrupted over a period of time;
● identify the maximum time period after the start of a disruption within which the activity needs to be resumed;
● identify critical business processes;
● assess the minimum level at which the activity needs to be performed on its resumption;
● identify the length of time within which normal levels of operation need to be resumed; and
● identify any inter-dependent activities, assets, supporting infrastructure or resources that have also to be maintained continuously or recovered over time.

BCM TESTING
In case of Development of BCP, the objectives of performing BCP tests are to ensure that :
● The recovery procedures are complete and workable.
● The competence of personnel in their performance of recovery procedures can be evaluated.
● The resources such as business processes, IS systems, personnel, facilities and data are obtainable.
● The manual recovery procedures and IT backup system/s are current and can either be operational or restored.
● The success or failure of the business continuity training program is monitored.

317
318
MAINTENANCE PROGRAM
● Determine the ownership and responsibility.
● Identify the BCP maintenance triggers to ensure that any organisational, operational, and structural changes are communicated to the personnel.
● Determine the maintenance regime to ensure the plan remains up-to-date.
● Determine the maintenance processes to update the plan.
● Implement version control procedures to ensure that the plan is maintained up-to-date.

REVIEWING BCM ARRANGEMENT
An audit or self-assessment of the enterprise's BCM program should verify that :
● All key products and services and their supporting critical activities and resources have been identified
● The enterprise's BCM policy, strategies, framework and plans accurately reflect its priorities
● The enterprise's BCM competence
● The enterprise's BCM solutions are effective
● The enterprise's BCM maintenance and exercising programs
● BCM strategies and plans incorporate improvements
● The enterprise has an ongoing program for BCM training and awareness
● BCM procedures have been effectively communicated to relevant staff
● Change control processes are in place and operate effectively
TRAINING, AWARENESS AND COMPETENCY
● Actively listens to others, their ideas, views and opinions;
● Provides support in difficult or challenging circumstances;
● Responds constructively to difficult circumstances;
● Adapts leadership style appropriately to match the circumstances;
● Promotes a positive culture of health, safety and the environment;
● Recognizes and acknowledges the contribution of colleagues;
● Encourages the taking of calculated risks;
● Encourages and actively responds to new ideas;
● Consults and involves team members to resolve problems;
● Demonstrates personal integrity; and
● Challenges established ways of doing things to identify improvement opportunities.

TYPES OF PLANS : (Boys Entered the Room)
1. Back-up Plan
2. Emergency Plan
3. Recovery Plan
4. Test Plan

SOFTWARE AND DATA BACK-UP TECHNIQUES - TYPES OF BACK-UPS : (I Managed to Draw a Flower)
1. Incremental Backup
2. Mirror back-up
3. Differential Backup
4. Full Backup

ALTERNATE PROCESSING FACILITY ARRANGEMENTS
● Cold site
● Hot site
● Warm site
● Reciprocal agreement
● Third party site


DISASTER RECOVERY PROCEDURAL PLAN
● The conditions for activating the plans
● Emergency procedures
● Fallback procedures
● Resumption procedures
● A maintenance schedule
● Awareness and education activities
● The responsibilities of individuals
● Contingency plan document distribution list.
● Detailed description of the purpose and scope of the plan.
● Contingency plan testing and recovery procedure.
● List of vendors doing business with the organisation
● Checklist for inventory
● List of phone numbers of employees
● Emergency phone list for fire, police, hardware, software, suppliers
● Medical procedure to be followed in case of injury.
● Back-up location contractual agreement
● Insurance papers and claim forms.
● Primary computer centre hardware, software, peripheral equipment
● Location of data and program files
● Alternate manual procedures to be followed such as preparation of invoices.
● Names of employees trained for emergency situation
● Details of airlines, hotels and transport arrangements.

AUDIT OF THE DISASTER RECOVERY / BUSINESS RESUMPTION PLAN
1. Determine if a disaster recovery plan exists
2. Determine if resources have been made available to maintain the disaster recovery/business resumption plan and keep it current.
3. Gain an understanding of the methodology used to develop the existing disaster recovery/business resumption plan.
4. Interview functional area managers or key employees to determine their understanding of the disaster recovery/business resumption plan.
5. Is there a designated emergency operations center where incident management teams can co-ordinate response and recovery ?
6. Does the disaster recovery/business resumption plan include the names and numbers of suppliers of essential equipment and other material ?
7. Determine if the plan includes prioritisation of critical applications and systems.
8. Determine if the plan includes time requirements for recovery/availability of each critical system.
9. Review information backup procedures in general.
10. Determine if information backup procedures are sufficient to allow for recovery of critical data.
11. Review any agreements for use of backup files.
12. Verify that the backup facilities are adequate based on projected needs.

CHAPTER 5 : ACQUISITION, DEVELOPMENT AND IMPLEMENTATION OF INFORMATION SYSTEMS
SYSTEMS DEVELOPMENT PROCESS:
Systems development refers to the process of examining a business situation with the intent of improving it through better procedures and methods.
● System Analysis
● System Design

REASONS FOR FAILURE:
● Lack of senior management support for and involvement in information systems development
● Shifting user needs
● Development of strategic systems
● New technologies
● Lack of standard project management and systems development methodologies
● Overworked or under-trained development staff
● Resistance to change
● Lack of user participation
● Inadequate testing and user training

THE CHARACTERISTICS OF SYSTEM DEVELOPMENT METHODOLOGY:
● The project is divided into a number of identifiable processes
● Deliverables must be produced
● Users, managers, and auditors are required to participate in the project to provide sign-offs.
● The system must be tested thoroughly
● A training plan is developed
● Formal program change controls are established
● A post-implementation review of all developed systems must be performed

APPROACHES TO SYSTEM DEVELOPMENT
● Waterfall: Linear framework type
● Prototyping: Iterative framework type
● Incremental: Combination of linear and iterative framework type
● Spiral: Combination of linear and iterative framework type
● Rapid Application Development (RAD): Iterative framework type
● Agile Methodologies

SYSTEM DEVELOPMENT LIFE CYCLE (SDLC):
The SDLC framework gives system designers and developers a sequence of activities to follow. It consists of a set of steps or phases in which each phase of the SDLC uses the results of the previous one.

THE PHASES INVOLVED IN THE SDLC: (I Require A Design Developer To Implement and Maintain)
● Preliminary Investigation
● Systems Requirements Analysis
● Systems Design
● Systems Acquisition & Development
● Systems Testing
● Systems Implementation
● Post Implementation Review and Maintenance
STAGE - I : PRELIMINARY INVESTIGATION - OBJECTIVES
Objective:
To determine and analyze the strategic benefits in implementing the system through evaluation and quantification of - productivity gains; future cost avoidance; cost savings, and intangible benefits like improvement in morale of employees.
Document / Deliverable:
A preliminary investigation report/feasibility study for management.

1. IDENTIFICATION OF PROBLEM
● Clarify and understand the project request
● Determine the size of the project
● Determine the technical and operational feasibility of alternative approaches
● Assess costs and benefits of alternative approaches
● Report findings to the management with recommendation outlining the acceptance or rejection of the proposal

2. IDENTIFICATION OF OBJECTIVE
After the identification of the problem, it is easy to work out the objectives of the proposed solution.

3. DELINEATION OF SCOPE
● Functionality requirements
● Data to be processed
● Control requirements
● Performance requirements
● Constraints
● Interfaces
● Reliability requirements
Methods with the help of which the scope of the project can be analyzed are as follows:
● Reviewing internal documents
● Conducting Interviews

4. FEASIBILITY STUDY: (LOBSTER Fry)
● Legal
● Operational
● Behavioural
● Schedule / Time
● Technical
● Economical
● Resources
● Financial

ESTIMATING COST & BENEFIT
COSTS:
● Development
● Operational
● Intangible
BENEFITS:
● Tangible
● Intangible
STAGE - II : SYSTEMS REQUIREMENTS ANALYSIS
FACT FINDING TECHNIQUES: (Doctor Interviews and Questions while Observation)
● Documents
● Interviews
● Questionnaires
● Observations

ANALYSIS OF PRESENT SYSTEM
● Review Historical Aspects
● Analyze Inputs
● Review Data Files Maintained
● Review Methods, Procedures & Data Communications
● Analyze Output
● Review Internal Controls
● Model the Existing Physical & Logical System
● Undertake Overall Analysis

SYSTEMS ANALYSIS OF PROPOSED SYSTEMS:
After each functional area of the present information system has been carefully analysed, the proposed system specifications must be clearly defined.

SYSTEM DEVELOPMENT TOOLS:
1. System Components & Flows
● System Flow Chart (SFC)
● Data Flow Diagram (DFD)
- Data Source & destination
- Data Flows
- Transformation Process
- Data Stores
● System Components Matrix
● CASE Tools
2. User Interface
3. Data Attributes & Relationship
4. Detailed System Process

STRUCTURED ENGLISH:
Structured English, also known as Program Design Language (PDL) or Pseudo Code, is the use of the English language with the syntax of structured programming. Thus, Structured English aims at getting the benefits of both programming logic and natural language: program logic helps to attain precision, and natural language gives the convenience of spoken languages.

FLOWCHARTS:
Flowcharting is a graphic technique that can be used by analysts to represent the inputs, outputs and processes of a business in a pictorial form. It is a common type of chart that represents an algorithm or process, showing the steps as boxes of various kinds and their order by connecting these with arrows. Flowcharts are used in analyzing, designing, documenting or managing a process or program in various fields.
TYPES OF FLOW CHARTS
● Document flowchart
● Data flowchart
● System flowchart
● Program flowchart

BENEFITS OF FLOWCHART:
● Communication
● Effective analysis
● Proper documentation
● Efficient Coding
● Proper Debugging
● Efficient Program Maintenance

LIMITATIONS OF USING FLOWCHARTS:
● Complex logic
● Alterations and Modifications
● Reproduction
● The essentials of what is done can easily be lost in the technical details of how it is done.

DECISION TREE:
A Decision Tree (or tree diagram) is a support tool that uses a tree-like graph or model of decisions and their possible consequences, including chance event outcomes, resource costs, and utility.

DECISION TABLE:
A Decision Table is a table which may accompany a flowchart, defining the possible contingencies that may be considered within the program and the appropriate course of action for each contingency. Its four parts are:
● Condition Stub - which comprehensively lists the comparisons or conditions;
● Action Stub
● Condition entries
● Action entries

DATA DICTIONARY:
It is a computer file that contains descriptive information about the data items in the files of a business information system. In other words, it is a computer file about data.
Uses:
● Aids in documentation - Programmers & analysts
● File Security
● For Accountant - Planning flow of transaction data
● For Auditors - Establish audit trail
● Aids in investigation / documenting internal control procedures

Data Dictionary Contains:
● Data item's length, type & range
● Identity of source document used to create data item
● Names of computer file storing data item
● Names of computer programs that modify data item
● Identity of individual permitted to access
● Identity of individual not permitted to access
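The four parts of a decision table map directly onto a small data structure, and once a table is in that form the analyst can check it mechanically for gaps and contradictions before it goes into a program. The code below is an added example, not from these notes; the sign-on policy it encodes (three conditions, four actions, four rules) is constructed for the illustration. The `check` method enumerates every combination of the conditions and reports any contingency that no rule covers or that two rules claim, which is the review an auditor would want evidence of for any control logic expressed this way.

```python
"""Added example (not from the revision notes): a decision table with a
condition stub, action stub, condition entries and action entries,
evaluated in code, plus the completeness check an analyst performs
before the table goes into a program.  The sign-on scenario and its
rules are constructed for the demonstration."""
from itertools import product
from typing import Dict, List, Sequence


class DecisionTable:
    def __init__(self, condition_stub: Sequence[str], action_stub: Sequence[str],
                 condition_entries: Sequence[Sequence[str]],
                 action_entries: Sequence[Sequence[bool]]) -> None:
        # Condition stub: the comparisons/conditions, one row each.
        self.condition_stub = list(condition_stub)
        # Action stub: the possible courses of action, one row each.
        self.action_stub = list(action_stub)
        # Condition entries: one column per rule; 'Y', 'N' or '-' (don't care) per condition.
        self.condition_entries = [list(col) for col in condition_entries]
        # Action entries: one column per rule; True where the rule triggers the action.
        self.action_entries = [list(col) for col in action_entries]
        for col in self.condition_entries:
            assert len(col) == len(self.condition_stub), "condition column has wrong height"
        for col in self.action_entries:
            assert len(col) == len(self.action_stub), "action column has wrong height"
        assert len(self.condition_entries) == len(self.action_entries), "rule count mismatch"

    def matching_rules(self, truth: Sequence[bool]) -> List[int]:
        """Indices of rules whose condition column agrees with the given truth values."""
        hits = []
        for r, col in enumerate(self.condition_entries):
            if all(e == "-" or (e == "Y") == t for e, t in zip(col, truth)):
                hits.append(r)
        return hits

    def decide(self, facts: Dict[str, bool]) -> List[str]:
        """Actions for one contingency; exactly one rule must apply."""
        truth = [facts[c] for c in self.condition_stub]
        rules = self.matching_rules(truth)
        if len(rules) != 1:
            raise ValueError(f"{len(rules)} rules match {facts}")
        col = self.action_entries[rules[0]]
        return [a for a, on in zip(self.action_stub, col) if on]

    def check(self) -> Dict[str, List[tuple]]:
        """Enumerate every combination of conditions: a sound table covers each
        exactly once (no gaps, no contradictory rules)."""
        uncovered, ambiguous = [], []
        for truth in product([True, False], repeat=len(self.condition_stub)):
            n = len(self.matching_rules(truth))
            if n == 0:
                uncovered.append(truth)
            elif n > 1:
                ambiguous.append(truth)
        return {"uncovered": uncovered, "ambiguous": ambiguous}


# Constructed sign-on decision table (hypothetical policy, for illustration only).
SIGN_ON = DecisionTable(
    condition_stub=["credentials valid", "account locked", "failed attempts at limit"],
    action_stub=["grant access", "deny access", "lock account", "log event"],
    condition_entries=[
        ["Y", "N", "-"],   # R1: valid credentials, account not locked
        ["-", "Y", "-"],   # R2: account locked (credentials irrelevant)
        ["N", "N", "Y"],   # R3: invalid credentials, attempt limit reached
        ["N", "N", "N"],   # R4: invalid credentials, below the limit
    ],
    action_entries=[
        [True, False, False, True],   # R1 -> grant access, log event
        [False, True, False, True],   # R2 -> deny access, log event
        [False, True, True, True],    # R3 -> deny access, lock account, log event
        [False, True, False, True],   # R4 -> deny access, log event
    ],
)

if __name__ == "__main__":
    print(SIGN_ON.check())
    print(SIGN_ON.decide({"credentials valid": False, "account locked": False,
                          "failed attempts at limit": True}))
```

Every action column here includes "log event", so whatever the outcome the sign-on attempt leaves an audit trail record; a table where some rule omitted logging would be the kind of omission `check` cannot find, because it only tests coverage, not policy.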

LAYOUT FORM AND SCREEN GENERATOR, MENU GENERATOR, REPORT GENERATOR, CODE GENERATOR
● Layout form and Screen Generator
● Menu Generator
● Report Generator
● Code Generator

SYSTEM SPECIFICATION
At the end of the analysis phase, the systems analyst prepares a document called "Systems Requirement Specifications (SRS)"; it contains:
● Introduction
● Information Description
● Functional Description
● Behavioural Description
● Validation Criteria
● Appendix
● SRS Review

ROLES INVOLVED IN SDLC
● Steering Committee
● Project Manager
● Project Leader
● Systems Analyst / Business Analyst
● Module Leader / Team Leader
● Programmer / Coder / Developer
● Database Administrator (DBA)
● Quality Assurance
● Tester
● Domain Specialist
● IS Auditor

STAGE – III: SYSTEM DESIGN
System design involves first logical design and then physical construction of a system. Design specifications instruct programmers about what the system should do. The programmers, in turn, write the programs that accept input from users, process data, produce the reports, and store data in the files.

THE DESIGN PHASE INVOLVES:
● Architectural Design
● Design of the Data / Information Flow
● Design of the Database
● Design of the User-interface
● Physical Design
● Design and acquisition of the hardware/system software platform

DESIGN OF DATABASE
● Conceptual Modeling
● Data Modeling
● Storage Structure Design
● Physical Layout Design
DESIGN OF USER-INTERFACE
Output Objectives:
● Convey info about past, current, future
● Signal important events, opportunities, warnings
● Trigger an action
● Confirmation of action
● Meets needs of organisation & users

Important factors in Input / Output design: (CM's Fraud on TV)
● Content
● Media
● Form
● Format
● Timeliness
● Volume

PHYSICAL DESIGN:
Design Principles-
● The recommended procedure is to design two or three alternatives and choose the best one on pre-specified criteria.
● The design should be based on the analysis.
● The software functions designed should be directly relevant to business activities.
● The design should follow standards laid down.
● The design should be modular.

STAGE – IV – Part 1: SYSTEM ACQUISITION
Acquisition Standards
● Ensuring security, reliability, and functionality already built into a product.
● Ensuring managers complete appropriate vendor, contract, and licensing reviews.
● Including invitations-to-tender and request-for-proposals.
● Establishing acquisition standards to ensure functional, security, and operational requirements to be accurately identified and clearly detailed in request-for-proposals.

ADVANTAGES OF APPLICATION SOFTWARE: (Royal Challengers Quit League)
● Rapid implementation
● Cost
● Quality
● Low risk

METHODS OF VALIDATING PROPOSAL
● Checklists
● Point Scoring Analysis
● Public evaluation Reports
● Benchmarking problem for vendor's proposal
● Test problems

Validation of Vendors' proposals: (Vice-Chairman Manages Company's Portfolio)
● Vendor Support
● Compatibility with Existing Systems
● Maintainability of the proposed system
● Cost benefits of the proposed system
● Performance rating of the proposed system in relation to its cost
STAGE – IV – Part 2 : DEVELOPMENT (PROGRAMMING TECHNIQUES AND LANGUAGES)
Objective:
To convert the specification into a functioning system.
Activities:
Application programs are written, tested and documented; system testing is conducted.
Document / Deliverable:
A fully functional and documented system.

Characteristics Of A Good Coded Program:
● Reliability
● Robustness
● Accuracy
● Efficiency
● Usability
● Readability

Program Debugging
Debugging refers to correcting programming language syntax and diagnostic errors so that the program compiles cleanly. It consists of:
● Inputting the source program to the compiler,
● Letting the compiler find errors in the program,
● Correcting lines of code that are erroneous, and
● Resubmitting the corrected source program as input to the compiler.

STAGE – V: SYSTEM TESTING
UNIT TESTING
Categories of tests that a programmer typically performs on a program unit: (Pooja Patel Feeds Shrey Shah)
● Performance Tests
● Parallel Tests
● Functional Tests
● Stress Tests
● Structural Tests

TYPES OF UNIT TESTING
● Static Analysis Testing:
- Desk Check
- Structured walk-through
- Code inspection
● Dynamic Analysis Testing:
- Black Box Testing
- White Box Testing
- Gray Box Testing

INTEGRATION TESTING
● Bottom-up Integration
● Top-down Integration
● Regression Testing

SYSTEM TESTING
● Recovery Testing
● Security Testing
● Stress or Volume Testing
● Performance Testing

FINAL ACCEPTANCE TESTING
● Quality Assurance Testing
● User Acceptance Testing:
- Alpha Testing
- Beta Testing
STAGE - VI : SYSTEM IMPLEMENTATION
EQUIPMENT INSTALLATION
● Site Preparation
● Installation of New Hardware/Software
● Equipment Checkout
TRAINING PERSONNEL
● System Operators Training
● Users Training

CONVERSION PROCEDURE:
Activities for successful conversion: (Fifa Played in South Africa)
● File conversion
● Procedure conversion
● System conversion
● Scheduling personnel and equipment
● Alternative plans in case of equipment failure

System Implementation Conversion Strategies:
● Direct Implementation / Abrupt change-over
● Phased implementation
● Pilot implementation
● Parallel running implementation

STAGE - VII : POST-IMPLEMENTATION REVIEW & MAINTENANCE
● Development Evaluation
● Operation Evaluation
● Information Evaluation

SYSTEM MAINTENANCE
● Scheduled maintenance
● Rescue maintenance
● Corrective maintenance
● Adaptive maintenance
● Perfective maintenance
● Preventive maintenance

OPERATION MANUALS
● A cover page, a title page and copyright page;
● A preface and information on how to navigate the user guide;
● A contents page;
● A guide on how to use at least the main functions of the system;
● A troubleshooting section;
● A FAQ (Frequently Asked Questions);
● Where to find further help, and contact details;
● A glossary and an index.

CHAPTER 6 : AUDIT OF INFORMATION SYSTEMS
NEED FOR CONTROL AND AUDIT OF INFORMATION SYSTEMS
● Organisational Costs of Data Loss
● Incorrect Decision Making
● Costs of Computer Abuse
● Value of Computer Hardware, Software and Personnel
● Maintenance of Privacy
● Controlled Evolution of Computer Use
● System Effectiveness Objectives
● System Efficiency Objectives

EFFECT OF COMPUTERS ON AUDIT
1. Changes to evidence collection / in the audit trail / audit evidence
● Data retention and storage
● Audit Evidence
● Lack of Visible output
● Lack of a Visible audit trail
● Absence of Input documents
● Legal issues
2. Changes to Evidence Evaluation / New causes and sources of error:
● System generated transactions
● Systematic Error

RESPONSIBILITY OF IS AUDITOR
● Sound knowledge of business operations
● Technical qualification and certifications
● Understanding of information Risks and Controls
● Knowledge of IT strategies, policy and procedure controls
● Knowledge of Professional Standards and Best practices
● Ability to understand technical and manual controls relating to business continuity.

FUNCTIONS OF IS AUDITOR
(i) Inadequate information security
(ii) Inefficient use of corporate resources, or poor governance
(iii) Ineffective IT strategies, policies and practices
(iv) IT-related frauds

CATEGORIES OF IS AUDITS : (MISS Telephone)
(i) Management of IT and Enterprise Architecture
(ii) Information Processing Facilities
(iii) Systems and Applications
(iv) Systems Development
(v) Telecommunications, Intranets, and Extranets

STEPS IN INFORMATION TECHNOLOGY AUDIT
(i) Scoping and pre-audit survey
(ii) Planning and preparation
(iii) Fieldwork
(iv) Analysis
(v) Reporting
(vi) Closure

AUDIT TRAILS
Objectives of Audit Trail : (DR. Audit)
1. Detecting Unauthorized Access
2. Reconstructing Events
3. Personal Accountability
PERFORMING IS AUDIT
Audit Planning
(i) Materiality and significance are concepts the auditor uses to determine the planned nature, timing, and extent of audit procedures.
(ii) Materiality and significance include both quantitative and qualitative factors

BASIC PLAN
The objective of audit planning is to optimize the use of audit resources. Important points are given as follows :
● The extent of planning will vary according to the size of the entity
● Obtaining knowledge of the business
● The auditor may wish to discuss elements of the overall audit plan and certain audit procedures with the entity's audit committee, the management and staff
● The auditor should develop and document an overall audit plan describing the expected scope and conduct of the audit.
● The audit should be guided by an overall audit plan and underlying audit program and methodology.

PRELIMINARY REVIEW
The following are some of the critical factors which should be considered by an IS auditor as part of his/her preliminary review.
(i) Knowledge of the Business
(ii) Understanding the Technology
(iii) Understanding Internal Control Systems
(iv) Legal Considerations and Audit Standards
(v) Risk Assessment and Materiality

Risks are categorised as follows :
● Inherent Risk
● Control Risk
● Detection Risk

DOCUMENTATION BY AUDITOR
As per (SA 200) "Overall Objectives of An Independent Auditor and Conduct of An Audit in Accordance With Standards of Auditing", any opinion formed by the auditor is subject to inherent limitations of an audit, which include :
● The nature of financial reporting;
● The nature of audit procedures;
● The need for the audit to be conducted within a reasonable period of time and at a reasonable cost.
● The matter of difficulty, time, or cost involved.
● Fraud, particularly fraud involving senior management or collusion.
● The existence and completeness of related party relationships and transactions.
● The occurrence of non-compliance with laws and regulations.
● Future events or conditions that may cause an entity to cease to continue as a going concern.

CONCURRENT OR CONTINUOUS AUDIT AND EMBEDDED AUDIT MODULES : (She Is Smart and Cool but Arrogant)
1. Snapshots
2. Integrated Test Facility (ITF)
3. System Control Audit Review File (SCARF)
4. Continuous and Intermittent Simulation (CIS)
5. Audit Hooks
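Two of the concurrent audit techniques listed above, Snapshots and SCARF, are both embedded audit modules: code placed inside the application that captures audit evidence as transactions are processed rather than after the fact. The toy ledger below is an added example, not from these notes; the accounts, the three reasonableness tests (high value, maker equals checker, posting outside business hours) and the transactions are constructed for the demonstration. The SCARF part writes every exception to a review file the auditor reads later; the snapshot part records the before and after images for transactions the auditor has tagged.

```python
"""Added example (not from the revision notes): a toy ledger with an embedded
audit module implementing two concurrent audit techniques.  SCARF: the module
checks each transaction as it is posted and writes exceptions to a review
file the auditor reads later.  Snapshot: transactions the auditor has tagged
are captured with their before and after images.  Accounts, thresholds and
transactions are constructed for the demonstration."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class Transaction:
    tx_id: str
    account: str
    amount: float
    entered_by: str
    approved_by: str
    posted_at: datetime
    audit_tag: bool = False   # set by the auditor to request a snapshot


@dataclass
class EmbeddedAuditModule:
    high_value_limit: float = 100_000.0
    business_hours: range = range(9, 18)           # 09:00-17:59 (constructed policy)
    scarf_file: List[dict] = field(default_factory=list)
    snapshots: List[dict] = field(default_factory=list)

    def examine(self, tx: Transaction, before: float, after: float) -> None:
        # SCARF: auditor-defined reasonableness tests embedded in the application.
        reasons = []
        if tx.amount > self.high_value_limit:
            reasons.append("high value")
        if tx.entered_by == tx.approved_by:
            reasons.append("maker equals checker")
        if tx.posted_at.hour not in self.business_hours:
            reasons.append("posted outside business hours")
        if reasons:
            self.scarf_file.append({"tx": tx.tx_id, "account": tx.account,
                                    "amount": tx.amount, "reasons": reasons})
        # Snapshot: before/after images of tagged transactions.
        if tx.audit_tag:
            self.snapshots.append({"tx": tx.tx_id, "account": tx.account,
                                   "before": before, "after": after})


class Ledger:
    """Application under audit: posts transactions and calls the module in-line."""

    def __init__(self, eam: EmbeddedAuditModule, opening: Optional[Dict[str, float]] = None):
        self.balances = dict(opening or {})
        self.eam = eam

    def post(self, tx: Transaction) -> float:
        before = self.balances.get(tx.account, 0.0)
        after = before + tx.amount
        self.balances[tx.account] = after
        self.eam.examine(tx, before, after)   # evidence captured at processing time
        return after


# Constructed transactions for the demonstration.
SAMPLE = [
    Transaction("T1", "A-100", 5_000.0, "asha", "meera", datetime(2024, 3, 1, 10, 0)),
    Transaction("T2", "A-100", 250_000.0, "asha", "meera", datetime(2024, 3, 1, 11, 0), audit_tag=True),
    Transaction("T3", "B-200", 1_200.0, "ravi", "ravi", datetime(2024, 3, 1, 14, 0)),
    Transaction("T4", "B-200", 800.0, "asha", "meera", datetime(2024, 3, 1, 23, 30)),
]


def run(transactions: List[Transaction] = SAMPLE) -> EmbeddedAuditModule:
    """Post the sample and return the module so the review file can be inspected."""
    eam = EmbeddedAuditModule()
    ledger = Ledger(eam)
    for tx in transactions:
        ledger.post(tx)
    return eam


if __name__ == "__main__":
    module = run()
    for entry in module.scarf_file:
        print("SCARF:", entry)
    for snap in module.snapshots:
        print("snapshot:", snap)
```

Because the module runs inside the posting path, the review file is only as trustworthy as the controls over the module itself: the same change-control and access restrictions the notes require for the application should cover the embedded tests and the file they write to.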

ADVANTAGES
● Timely, comprehensive and detailed auditing
● Surprise test capability
● Information to system staff on meeting of objectives
● Training for new users

DISADVANTAGES
● Auditors should be able to obtain resources
● More likely to be used if auditors are involved in the development
● Auditors need the knowledge and experience of working with computer systems
● Continuous auditing techniques are more likely to be used where the audit trail is less visible and the costs of errors and irregularities are high.

UNDERSTANDING THE LAYERS AND RELATED AUDIT ISSUES
(i) Operational Layer
(ii) Tactical Layer
(iii) Strategic Layer

ROLE OF IS AUDITOR IN PHYSICAL ACCESS CONTROLS
1. Risk assessment
2. Controls assessment
3. Planning for review of physical access controls

AUDIT TRAIL FOR APPLICATION CONTROLS
Boundary Controls
Audit trail includes
● Identity of the would-be user of the system.
● Authentication information supplied.
● Resources requested.
● Action privileges requested.
● Start and finish time.
● Number of sign-on attempts.
● Log in and log out time.
● Action privileges allowed / denied.

Input Controls
● Identity of person who was source of data.
● Identity of person who entered the data into the system.
● Time and date when data was captured.
● Physical device used to enter data into system.
● The record to be updated by the transaction.
● Standing data to be updated.
● Detail of the transaction.
● Physical or logical batch used for processing.
● Number of keying errors.
● Number of data coding errors.

Processing Controls
● To trace the processing performed on data item.
● Comprehensive log on hardware consumption - CPU usage time, storage space used and communication facilities used.
● Comprehensive log on software consumption.
● Compilers used, file management systems used and communication software used.

Output Controls
● What output was presented to users.
● Who received the output.
● When the output was received.
● What actions were taken with the output.
Data-Base Controls
● To attach unique time stamp to all transactions.
● To attach before and after images of data.
● Any modifications or corrections to audit trail transactions, accommodating the changes that occur within an application system.
● To maintain a chronology of resource consumption events that affect the data base.

Communication Controls
● Unique identifier of the source.
● Time and date at which message was received by the source.
● Time and date at which node in the network was traversed by the message.
● Message sequence number and the image of the message received at each node traversed in the network.
● Log of system restarts.
● Message transit times.
● Queue length at each node.
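The boundary-control audit trail fields above, and the three objectives of an audit trail given earlier in this chapter (detecting unauthorized access, reconstructing events, personal accountability), can be put together in a few lines of code. The following is an added example, not from these notes: the line format and the six sign-on records are constructed, and the "three failed attempts" threshold is an assumed policy. Note how the "authentication information supplied" field is recorded: as the outcome (ok/failed), never the credential itself, so the trail does not become a second copy of the secrets it is meant to protect.

```python
"""Added example (not from the revision notes): a boundary-control audit
trail with the fields listed in the notes, and the three audit-trail
objectives (detect unauthorized access, reconstruct events, personal
accountability) applied to it.  The log format and the records are
constructed for the demonstration; only the outcome of authentication is
recorded, never the secret itself."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sign-on trail: start time, then key=value fields.
SAMPLE_TRAIL = """\
2024-03-01T09:00:05 user=asha auth=ok resource=ledger priv=read attempts=1 decision=allowed finish=2024-03-01T09:20:11
2024-03-01T09:03:40 user=ravi auth=failed resource=payroll priv=write attempts=1 decision=denied finish=2024-03-01T09:03:40
2024-03-01T09:04:02 user=ravi auth=failed resource=payroll priv=write attempts=2 decision=denied finish=2024-03-01T09:04:02
2024-03-01T09:04:30 user=ravi auth=failed resource=payroll priv=write attempts=3 decision=denied finish=2024-03-01T09:04:30
2024-03-01T10:15:00 user=asha auth=ok resource=payroll priv=write attempts=1 decision=denied finish=2024-03-01T10:15:03
2024-03-01T11:00:00 user=meera auth=ok resource=payroll priv=write attempts=1 decision=allowed finish=2024-03-01T11:30:00
"""


@dataclass
class BoundaryEvent:
    user: str             # identity of the would-be user
    auth_result: str      # authentication information supplied: outcome only
    resource: str         # resource requested
    privilege: str        # action privilege requested
    attempts: int         # number of sign-on attempts so far
    decision: str         # action privilege allowed / denied
    start: datetime       # log-in time
    finish: datetime      # log-out time


def parse_trail(text: str) -> List[BoundaryEvent]:
    """Turn the constructed key=value lines into typed events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(BoundaryEvent(
            user=kv["user"], auth_result=kv["auth"], resource=kv["resource"],
            privilege=kv["priv"], attempts=int(kv["attempts"]), decision=kv["decision"],
            start=datetime.fromisoformat(start), finish=datetime.fromisoformat(kv["finish"])))
    return events


def detect_unauthorized_access(events: List[BoundaryEvent], max_attempts: int = 3) -> List[Tuple[str, str]]:
    """Objective 1: repeated sign-on failures, and authenticated users who asked
    for a privilege the boundary subsystem refused."""
    findings = []
    for e in events:
        if e.auth_result == "failed" and e.attempts >= max_attempts:
            findings.append((e.user, f"{e.attempts} failed sign-on attempts on {e.resource}"))
        elif e.auth_result == "ok" and e.decision == "denied":
            findings.append((e.user, f"authenticated but denied {e.privilege} on {e.resource}"))
    return findings


def reconstruct_events(events: List[BoundaryEvent], user: str) -> List[Tuple[datetime, str, str, str]]:
    """Objective 2: chronological record of what one user requested and got."""
    return sorted((e.start, e.resource, e.privilege, e.decision) for e in events if e.user == user)


def accountability(events: List[BoundaryEvent]) -> Dict[Tuple[str, str], Set[str]]:
    """Objective 3: for each (resource, privilege) actually exercised, who did it."""
    who: Dict[Tuple[str, str], Set[str]] = {}
    for e in events:
        if e.decision == "allowed":
            who.setdefault((e.resource, e.privilege), set()).add(e.user)
    return who


def session_minutes(events: List[BoundaryEvent], user: str) -> float:
    """Start-to-finish time of a user's allowed sessions, in minutes."""
    return sum((e.finish - e.start).total_seconds() / 60
               for e in events if e.user == user and e.decision == "allowed")


if __name__ == "__main__":
    trail = parse_trail(SAMPLE_TRAIL)
    print(detect_unauthorized_access(trail))
    print(reconstruct_events(trail, "asha"))
    print(accountability(trail))
```

On the sample, the detector reports ravi's third consecutive sign-on failure and asha's denied write to payroll; the accountability map shows that the only allowed write to payroll was meera's, which is the evidence an auditor would match against the authorised-user list.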

CHAPTER 7 : INFORMATION TECHNOLOGY REGULATORY ISSUES

REQUIREMENTS OF IRDA FOR SYSTEM CONTROLS AND AUDIT
(i) System Audit
(ii) Preliminaries
(iii) System Controls
● There should be Electronic transfer of Data without manual intervention.
● The auditor should comment on the audit trail maintained in the system for various activities.
● The auditor shall also ascertain that the system has separate logins for each user and maintains trail of every transaction with respect to login ID, date and time for each data entry, authorisation and modifications.

REQUIREMENTS OF RBI FOR SYSTEM CONTROLS AND AUDIT
(i) System Controls
● Duties of system designer should be assigned to persons operating the system and there should be separate persons dedicated to system design.
● Contingency plans in case of failure of system should be introduced and tested at periodic intervals.
● An appropriate control measure should be devised.
● Uniformity of software used by various branches / offices.
● Board of Directors and senior management are responsible for ensuring that an institution's system of internal controls operates effectively.
● Annual review of IS Audit Policy.
● Quality assurance, at least once every three years.
(ii) System Audit

REQUIREMENTS OF SEBI FOR SYSTEM CONTROLS AND AUDIT
(i) Systems Audit
(ii) Audit Report Norms
(iii) Auditor Selection Norms
(iv) System Controls :
● Further, along with the audit report, Stock Exchanges / Depositories are advised to submit a declaration from the MD / CEO certifying the security and integrity of their IT Systems.
● A proper audit trail for upload / modifications / downloads of KYC data to be maintained.
SECURITY STANDARDS
Major objectives of this policy are given as follows :
● To create a secure cyber ecosystem
● To create an assurance framework
● To strengthen the Regulatory framework
● To enhance and create National and Sectorial level 24*7 mechanisms
● To enhance the protection and resilience of Nation's critical information infrastructure by operating a 24*7 National Critical Information
● To develop suitable indigenous security technologies
● To improve visibility of the integrity of ICT products and services
● To create a workforce of 5,00,000 professionals skilled in cyber security
● To provide fiscal benefits to businesses
● To enable protection of information while in process, handling, storage and transit
● To enable effective prevention, investigation and prosecution of cybercrime;
● To create a culture of cyber security and privacy enabling responsible user behaviour and actions;
● To develop effective public private partnerships;
● To enhance global cooperation.

ISO 27001 - INFORMATION SECURITY MANAGEMENT STANDARD (ISMS)
These phases are given as follows : (I Plan to Do Check-up Actually)
● The Plan Phase
● The Do Phase
● The Check Phase
● The Act Phase

BENEFITS
● Extension of the current quality
● Opportunity to identify and manage risks
● Provides confidence and assurance
● An independent review and assurance

ITIL (IT INFRASTRUCTURE LIBRARY)
● Service Strategy
● Service Design
● Service Transition
● Service Operation
● Continual Service Improvement

HOW STANDARD WORKS
ISO 27001 requires that management -
● Systematically examine the organisation's information security risks (threats, vulnerabilities and impacts).
● Design and implement comprehensive security controls and/or other forms of risk treatment.
● Adopt a management process to ensure that information security controls continue to meet the organisation's information security needs.

Structure of ISO 27001
Clause 1 : Scope
Clause 2 : Normative references
Clause 3 : Terms and Definitions
Clause 4 : Context of organisation
Clause 5 : Leadership
Clause 6 : Planning
Clause 7 : Support
Clause 8 : Operation
Clause 9 : Performance evaluation
Clause 10 : Improvement

CHAPTER 8 : EMERGING TECHNOLOGIES
CLOUD VS GRID GOALS OF CLOUD COMPUTING : (I Saw CAR being Created CLOUD COMPUTING
COMPUTING in front of my Eyes) ARCHITECTURE
● Scalability 1. "Anywhere Access" (AA) ● Front End Architecture

● Multi-tasking 2. To scale the IT ecosystem quickly, easily and cost-effectively. ● Back End Architecture

● Storage 3. To consolidate IT infrastructure into a more integrated and ● Middleware

● Focus manageable environment.


4. To access services and data from anywhere at anytime.
5. To reduce costs related to IT energy/power consumption.
6. To create a highly efficient IT ecosystem.
7. To enable rapidly provision resources as needed.

CLOUD COMPUTING CLOUD COMPUTING MODELS 2. Platform as a Service 3. Software as a Service (SaaS)
ENVIRONMENT 1. Infrastructure as a Service (IaaS) (PaaS) Services
(a) Public Clouds Services Services ● Business Services
(b)Private Clouds ● Storage ● Programming Languages ● Social Network
(c) Hybrid Clouds ● Network ● Framework/Templets ● Document Management
(d) Community Clouds ● Compute ● Database (For Software ● Mail Services

● Load Development) Characteristics


● Balances ● Other Tools ● Web access

Characteristics Characteristics ● Scalable

● Web Access ● Web Access ● High Availability

Information Systems Control and Audit


● Scalable ● Scalable ● Centralised

● Centralised ● Offline ● One to Many

● Shared Infrastructure ● All in One ● Multidevice Support

● Metered Services (Pay per use) ● Collaborative ● API Integration

Instances Instances
● NaaS ● TaaS

● STaaS ● APIaaS

● DBaaS ● EaaS

● BaaS 4. Network as a Service (NaaS)


● DTaaS 5. Communication as a Service (CaaS)
CHARACTERISTICS OF CLOUD COMPUTING : (Multiple Services Should be Performed and Maintained by ARAV)
1. Multi-Sharing
2. Services in Pay-Per-Use Mode
3. High Scalability
4. Performance
5. Maintenance
6. High Availability and Reliability
7. Agility
8. Virtualisation

ADVANTAGES OF CLOUD COMPUTING : (Efficient Iphone Quickly Stores and Back-up's Automatically)
1. Cost Efficiency
2. Easy Access to Information
3. Quick Deployment
4. Almost Unlimited Storage
5. Backup and Recovery
6. Automatic Software Integration

CHALLENGES RELATING TO CLOUD COMPUTING : (CIA Guys Talks A Lot About Data Privacy but Manages Several Incidents Apathetically)
1. Confidentiality
2. Integrity
3. Availability
4. Governance
5. Trust
6. Audit
7. Legal Issues and Compliance
8. Application Security
9. Data Stealing
10. Privacy
11. Identity Management and Access Control
12. Software Isolation
13. Incident Response
14. Architecture

PERTINENT ISSUES : (Teach Emraan SUSHI)
1. Threshold Policy
2. Environment Friendly Cloud Computing
3. Security Issues
4. Unexpected Behaviour
5. Software Development in Cloud
6. Hidden Costs
7. Interoperability

MOBILE COMPUTING
1. Mobile Computing Benefits
● It provides the mobile workforce with remote access to work order details
● It enables mobile sales personnel to update work orders
● It facilitates access to corporate services
● It provides remote access to the corporate knowledgebase
● It enables improved management effectiveness
2. Components of Mobile Computing
● Mobile Hardware
● Mobile Software
● Mobile Communication
3. Limitations of Mobile Computing
● Security
● Power Consumption
● Health Hazards
● Insufficient Bandwidth
● Transmission Interferences
● Human Intervention with Device

4. Issues in Mobile Computing
● Security Issues
- Confidentiality
- Integrity
- Availability
- Legitimate
- Accountability
● Bandwidth
● Location Intelligence
● Power Consumption
● Revising the Technical Architecture
● Reliability, Coverage, Capacity and Cost
● Integration with Legacy Mainframe and Emerging Client/Server Applications
● Business Challenges

BENEFITS AND CHALLENGES FOR SOCIAL NETWORKS USING WEB 2.0
Benefits
1. It provides a platform
2. No new knowledge skills are required.
3. Web 2.0 techniques are very people-centric activities
4. People are coming much closer to one another
5. Using Web 2.0 also increases social collaboration to a very high degree
Number of challenges
1. Data security and privacy
2. Privacy of individual users also arises
3. A majority of the social networks are offline
4. This becomes more viable in the areas of the world that are developing

APPLICATION OF WEB 2.0
1. Social Media
2. Marketing
3. Education

APPLICATION OF WEB 3.0
1. Semantic Web
2. Web Services

BYOD
Risks can be classified into four areas as outlined below : (I Need Apple Devices)
1. Implementation Risks
2. Network Risks
3. Application Risks
4. Device Risks

ADVANTAGES/BENEFITS OF BYOD
1. Happy Employees
2. Lower IT Budgets
3. Reduced/Lower IT Support Requirement
4. Early Adoption of New Technologies
5. Increased Employee Efficiency

TYPES AND BEHAVIOUR OF SOCIAL NETWORKS
● Social Contract Networks
● Study Circles
● Social Networks for Specialist Groups
● Networks for Fine Arts
● Police and Military Networks
● Sporting Networks
● Mixed Networks
● Social Networks for the 'Inventors'
● Shopping and Utility Service Networks
● Others

SOCIAL MEDIA AND WEB 2.0
Components of Web 2.0 for Social Networks
● Communities
● Blogging
● Wikis
● Folksonomy
● File Sharing/Podcasting
● Mashups
● Ajax
● RSS - Generates Syndication

GREEN COMPUTING BEST PRACTICES
● Develop a Sustainable Green Computing Plan
● Recycle
● Make Environmentally Sound Purchase Decisions
● Reduce Paper Consumption
● Conserve Energy
