Dinesh Madan

In today's business environment it is almost impossible to conduct business activities without a computer-based information system, and accounting professionals are among the primary users of such systems. With globalized business operations and a complex accounting environment, the role of the accounting professional has changed from user of the information system to functional consultant: a domain expert who designs complex business processes for computer-based applications. In addition, information systems auditors give assurance that the information system is free from manipulation and errors and is meeting the organization's objectives for using it. Information systems auditors not only assess the adequacy and effectiveness of the controls applied to an information system; they also help to design, implement and operate effective and adequate controls. The discipline of information systems controls and audit is gaining importance as organizations make more use of complex online computing systems.

You may already be aware of the ISA (Information Systems Audit) course conducted by the Institute of Chartered Accountants of India (ICAI). This course equips CAs to audit complex online information system environments such as the information systems of banks and stock exchanges. In addition there are certification courses from ISACA (Information Systems Audit and Control Association) on information systems risk management and audit, which also help in gaining additional knowledge of the effective operation and management of information systems.

The ISCA syllabus is primarily focused on giving CA Final students expert knowledge of the types of information systems and the steps of their development, of information security, and of information systems controls and audit.
The ISCA syllabus is primarily focused on providing knowledge of the following key topics:
• Types of Information Systems
• Information System Development Methodology
• Information System Controls
• Information System Security
• Information System Audit

Additionally, the syllabus includes audit standards and best practices in the field of information technology:
• COBIT 5
• ISO 27001
• CMM
• ITIL V3

Providing knowledge of the IT Act and e-governance is another important aim of the ISCA syllabus.

The ten chapters of ISCA fall under four areas: Information Systems; Information System Controls and Security; Information System Audit; and the Information Technology (Amendment) Act, 2008. The chapters are:
1. Information Systems Concepts
2. System Development Life Cycle Methodology
3. Control Objectives
4. Testing of General and Automated Controls
5. Risk Assessment Methodologies and Applications
6. Business Continuity and Disaster Recovery Planning
7. An Overview of Enterprise Resource Planning (ERP)
8. Information Systems Audit Standards, Guidelines and Best Practices (COBIT, ISO 27001, CMM, ITIL V3)
9. Drafting of IS Security Policy, Audit Policy, and IS Audit Reporting
10. Information Technology (Amendment) Act, 2008

Chapter 1: Information Systems Concepts

As the chapter name indicates, we are taught the key concepts about:
• System
• Types of Information System
• Information related concepts

System; this includes:
• Definition of System
• Types of System (Open/Closed, Physical/Abstract, Deterministic/Probabilistic, Manual/Automated)
• General concepts of systems: System Boundary, System Environment, System Interface, Sub-system, System Decomposition, System Simplification, System Stress, System Decoupling

Types of Information System; this includes:
• Operational Information Systems (TPS, MIS and ERP)
• Management Support Systems (DSS, EIS and ES)
• Office Automation Systems (Text Processing Systems, Electronic Document Management Systems, Electronic Messaging and Teleconferencing Systems)

Information related concepts; this includes:
• Definition of Information and Characteristics of Good Information
• Factors which decide the information requirements of executives

Tips: While studying this chapter, think about how information systems or computer-based systems are used at different levels of management and for different business activities and objectives.

Chapter 2: System Development Life Cycle Methodology

This chapter explains how a big information system is developed in large organizations such as banks. Information system development in an organization like a bank is a big project involving a large number of activities, and this chapter provides knowledge about those activities and tasks. Primarily, the chapter covers three key topics:
• System Development Approaches
• Steps or Phases of System Development
• Some miscellaneous concepts about system development

System Development Approaches: This topic covers six approaches to system development. The approach is chosen based on the type of project. For example, if a project has to be developed quickly for an urgent need, the RAD approach can be used; if the project is quite big and involves different risks, the Spiral Model can be used. The six approaches explained are:
• Traditional Approach
• Prototype Approach
• Incremental Approach
• Spiral Model
• Agile Approach
• Rapid Application Development (RAD) Approach

Phases of System Development: This is the key topic of the chapter and gives detailed knowledge of the system development phases, also known as the System Development Life Cycle (SDLC) phases:
• Phase 1: Preliminary Investigation
• Phase 2: System Analysis
• Phase 3: System Design
• Phase 4: System Acquisition and Software Development
• Phase 5: System Testing
• Phase 6: System Implementation
• Phase 7: System Maintenance and Post-Implementation Review

Miscellaneous System Development Concepts: This includes the following:
• Reasons for system development failure
• System development tools: System Components and Flow Tools, User Interface Tools, Data Attributes Tools, Detailed System Process Tools
• Operational Manual
• Auditor's roles in the SDLC

Chapter 3: Control Objectives

This chapter imparts knowledge of the types of controls and of data security techniques.
We are all aware of using a login-id and password to give computer access to authorized users, and of using antivirus software to control viruses. Controls help to provide an error-free, reliable, efficient and secure information system. As auditors, CAs play a very important role in auditing information system controls for effectiveness and adequacy. The content of this chapter can be divided into three categories:
• Internal Control Framework for Information Systems
• Types of Internal Controls for Information Systems
• Information System Security Concepts and Techniques

Internal Control Framework: This explains the controls and audit environment for a computer-based information system: why controls are needed for an information system, the effects of computers on the audit environment, the IS audit process, etc.

Types of Internal Controls: This covers the types of controls: Organization Controls, Information System Organization Controls, Financial Controls, User Controls, Application Controls, System Development Controls, Controls over System Implementation and Change, Data Integrity Controls, Access Controls (Logical Access and Physical Access Controls) and Environmental Controls. It also covers the auditor's role in auditing these controls.

Data Security Techniques: This covers security techniques such as the Data Encryption Standard (DES), asymmetric cryptosystems, data encryption techniques, firewalls (types of firewall and firewall configuration), Intrusion Detection Systems (IDS) and data privacy, with details on hacking and on controls against destructive programs.

Chapter 4: Testing of General and Automated Controls

This chapter is an extension of the Control Objectives chapter. It explains the audit and testing procedures for controls. In addition, it explains the concurrent audit techniques used for auditing online systems such as banking systems. The chapter covers the following key topics:

Testing of Controls Process: Testing of IS controls is part of the information systems audit process. Through testing of controls, the auditor forms an opinion on the adequacy and effectiveness of the controls applied. Testing of controls can be divided into three audit phases:
• Audit Planning
• Testing of Controls
• Audit Reporting

Concurrent Audit Modules or Techniques: This covers the audit modules used to audit online information systems such as banking and railway systems. These modules are embedded in the application so that audit evidence is collected while transactions are being processed, rather than only after the fact. The following concurrent audit modules are covered:
• ITF (Integrated Test Facility)
• SCARF (System Control Audit Review File)
• Snapshot
• CIS (Continuous and Intermittent Simulation)

Finally, audit and review techniques for hardware, the operating system and Local Area Networks are explained.

Chapter 5: Risk Assessment Methodologies and Applications

Knowledge of a risk assessment and management framework is an important need for finance professionals in today's complex business environment. Although this chapter provides the risk assessment and management framework for information systems, the framework and terminology explained here are equally valid for assessing financial and market risks. The chapter explains how the threats and risks to an information system can be analyzed and managed, and teaches the key terminology used in risk management, for example: threats, vulnerabilities, likelihood of a risk, residual risk, risk identification, risk analysis techniques, risk ranking and mitigation techniques. The chapter covers the following key topics:
• Risk definitions: Risk, Threat, Exposure, Vulnerability, Attack
• Threats to the computerized environment
• Threats due to cyber crime
• Risk identification
• Risk management
• Risk ranking
• Risk analysis and evaluation techniques
• Risk and controls
• Risk mitigation
• Risk assessment

Chapter 6: Business Continuity and Disaster Recovery Planning

This chapter covers the various plans and protections used for business continuity, particularly those that protect the IT set-up of an organization from a disaster.
Business Continuity Planning (BCP): Planning for the continued operation of business activities or services even in the worst possible events; here, business continuity planning is related to the IT set-up of the organization.

Disaster Recovery Planning (DRP): Developing a plan to recover immediately from any disaster, such as fire, flood or attack. A disaster recovery plan focuses on restarting operations according to a plan with a priority list, so that the organization suffers the minimum economic and reputational loss.

The following key concepts related to BCP and DRP are part of this chapter:
• Objectives of BCP and how a BCP is developed (i.e. the BCP methodology or phases of BCP)
• Business Impact Analysis (BIA) study, an important phase in developing a BCP
• DRP and its key components or sub-plans (Emergency Plan, Backup Plan, Recovery Plan and Test Plan)
• Backup plan related concepts: data and software backup techniques, alternate processing facility arrangements, backup media and backup planning
• Types of insurance
• DRP testing and testing methodology
• Audit tools and techniques for DRP
• Audit of DRP/BCP

Chapter 7: An Overview of Enterprise Resource Planning (ERP)

ERP is a very popular kind of information system and is even considered a good career option for Chartered Accountants: it offers CAs a very challenging and satisfying career. It allows a CA to design the best processes for managing accounts and finance in an integrated manner for the entire organization, in a multi-currency, multi-facility and multi-country environment. ERP is not only software; it provides solutions and best practices for managing businesses in a global or complex environment. Banks' operations are ERP based, which helps them to provide and manage banking services from anywhere. ERP is quite an extensive subject; we study some key concepts about it in this chapter:

Some General Concepts about ERP
• Evolution of ERP
• Enabling Technologies for ERP
• Characteristics and Features of ERP
• Why Companies Undertake ERP?
• Benefits of ERP

BPR: Business Process Re-engineering
• Business Process Reengineering
• Business Engineering
• Business Modeling

ERP Implementation
• Key Planning and Implementation Decisions
• ERP Implementation Methodology
• Implementation Steps of an ERP Package
• Implementation Guidelines
• Post-Implementation Scenario
• Life after ERP Implementation
• Risk and Governance Issues in ERP
• ERP and E-commerce
• List of ERP Vendors and ERP Software Packages

Chapter 8: Information Systems Audit Standards, Guidelines and Best Practices

The extensive use of computer-based information systems has led to best practices for information system development and management, and in turn to sets of auditing standards and guidelines for auditing information system controls. This chapter gives an overview of the popular information systems auditing standards, guidelines and best practices in use, which help to maintain an efficient and effective information system:
• ISO 27001
• SA 315 and SA 330
• COBIT 5
• CMM
• ITIL V3 (IT Infrastructure Library)
• CoCo
• SysTrust and WebTrust
• HIPAA
• SA 402

Chapter 9: Drafting of IS Security Policy, Audit Policy, and IS Audit Reporting

We cannot imagine a big bank working without an online information system. If we analyze a bank's most important resource, I think it will be the customer data or information managed by the bank's online, distributed information system; any bank would simply collapse if that information were not protected. The thrust of this chapter is that technical controls alone cannot protect information: the organization should establish a proper information security policy and audit policy to achieve its information security objectives. The chapter covers:
• What is Information Security?
• Why is Information Security Important?
• What Type of Information is Sensitive?
• Various Information Protection Methods
• What is an Information Security Policy and what issues it addresses
• Types of Information Security Policies
• Information Security Components
• Information System Audit Policy and its Purpose
• Audit Reporting

Chapter 10: Information Technology (Amendment) Act, 2008

This chapter is about the Information Technology (Amendment) Act, 2008, also known as the cyber law. The act was originally framed as the Information Technology Act, 2000. The IT Act, 2000 was mainly enacted to give legal validity to electronic transactions and to digital signatures for authenticating electronic documents; it also served to promote electronic working, or e-governance, in government departments, and it stated various penalties for electronic offences. The IT Act, 2000 was amended by the IT (Amendment) Act, 2008 to include various new provisions, particularly relating to electronic offences and data privacy. Additionally, the amended act recognizes the electronic signature for authenticating electronic transactions and documents, instead of only the technology-specific digital signature of the IT Act, 2000. Electronic signature is the wider term, and the digital signature is its main component.

[Figure: Electronic signature types. IT Act, 2000: Digital Signature only. IT (Amendment) Act, 2008: Electronic Signature, comprising Digital Signature, PIN, Password and Bio-signs.]

In the IT (Amendment) Act, 2008 there are 124 sections divided into 14 chapters, and we need a basic understanding of these sections.
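Returning to the concurrent audit modules listed under Chapter 4 (ITF, SCARF and Snapshot), the following worked example is added at the end of these notes; it is not part of Dinesh Madan's notes or of any ICAI material. It is a toy online transaction processor in Python with the three modules embedded in its processing path, which is what makes them concurrent: the exception records and state snapshots are written while the live transactions are processed, not reconstructed afterwards. Every account number, balance, threshold, business-hours window and transaction in it is constructed for the example, and the exception criteria are assumptions standing in for whatever the auditor would actually specify.

```python
"""Added example, not part of the original notes: a toy online transaction
processor with three concurrent audit modules embedded in its processing path,
in the sense the Chapter 4 summary uses the terms.

  ITF      - a dummy (test) account is processed alongside live transactions,
             so auditor test data exercises the real code path, but the dummy
             account is excluded from the live ledger totals.
  SCARF    - an embedded module writes every transaction that meets the
             auditor's exception criteria to a separate review file.
  Snapshot - for transactions the auditor has tagged, the module records the
             account state before and after processing.

All accounts, balances, thresholds, business hours and transactions below are
constructed for this example (assumptions, not data from any real system).
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Txn:
    txn_id: str
    account: str
    amount: int            # debit amount in rupees (constructed values)
    at: datetime           # time the transaction was submitted
    tagged: bool = False   # auditor's snapshot tag


@dataclass
class Ledger:
    balances: dict
    itf_accounts: set                                   # dummy accounts for ITF
    scarf_file: list = field(default_factory=list)      # SCARF review file
    snapshot_file: list = field(default_factory=list)   # Snapshot records


# Auditor-defined exception criteria (assumed values for the example).
SCARF_AMOUNT_THRESHOLD = 200_000
BUSINESS_HOURS = range(9, 18)   # 09:00 to 17:59


def scarf_exceptions(txn: Txn, ledger: Ledger) -> list:
    """SCARF module: return the reasons a transaction must be written to the
    review file (an empty list means no exception)."""
    reasons = []
    if txn.amount > SCARF_AMOUNT_THRESHOLD:
        reasons.append("amount_over_threshold")
    if txn.at.hour not in BUSINESS_HOURS:
        reasons.append("outside_business_hours")
    if txn.amount > ledger.balances.get(txn.account, 0):
        reasons.append("exceeds_balance")
    return reasons


def process(txn: Txn, ledger: Ledger) -> bool:
    """Apply one debit to the ledger with the audit modules in the path.
    Returns True if the debit was approved."""
    before = ledger.balances.get(txn.account, 0)

    # SCARF: collect exceptions concurrently with processing, never block it;
    # the auditor reviews the file later.
    reasons = scarf_exceptions(txn, ledger)
    if reasons:
        ledger.scarf_file.append({"txn_id": txn.txn_id, "account": txn.account,
                                  "amount": txn.amount, "at": txn.at.isoformat(),
                                  "reasons": reasons})

    # The application's own business rule: no overdraft.
    approved = txn.amount <= before
    after = before - txn.amount if approved else before
    ledger.balances[txn.account] = after

    # Snapshot: for tagged transactions record the state before and after.
    if txn.tagged:
        ledger.snapshot_file.append({"txn_id": txn.txn_id, "account": txn.account,
                                     "before": before, "after": after,
                                     "approved": approved})
    return approved


def live_total(ledger: Ledger) -> int:
    """ITF: live reporting must exclude the dummy accounts."""
    return sum(bal for acct, bal in ledger.balances.items()
               if acct not in ledger.itf_accounts)


def run_sample():
    """Run constructed sample transactions; returns (ledger, approvals)."""
    ledger = Ledger(balances={"ACC-1001": 500_000, "ACC-1002": 50_000,
                              "ITF-TEST-01": 100_000},
                    itf_accounts={"ITF-TEST-01"})
    txns = [
        Txn("T1", "ACC-1001", 30_000, datetime(2024, 3, 4, 10, 15)),
        Txn("T2", "ACC-1001", 250_000, datetime(2024, 3, 4, 23, 40), tagged=True),
        Txn("T3", "ACC-1002", 80_000, datetime(2024, 3, 5, 11, 0)),
        Txn("T4", "ITF-TEST-01", 40_000, datetime(2024, 3, 5, 12, 0), tagged=True),
    ]
    approvals = [process(t, ledger) for t in txns]
    return ledger, approvals


if __name__ == "__main__":
    ledger, approvals = run_sample()
    print("approved:", approvals)
    print("SCARF review file:", ledger.scarf_file)
    print("snapshot file:", ledger.snapshot_file)
    print("live total (ITF excluded):", live_total(ledger))
```

Two points an auditor would check in a real module of this kind are visible here. First, SCARF only records; it never blocks the transaction, so the application's own controls (the no-overdraft rule) are what get tested, and T3 appears in the review file precisely because it was rejected. Second, the Snapshot and SCARF writes sit inside the same processing path as the balance update, so a transaction cannot reach the ledger without passing through the modules; the dummy ITF account takes that same path and is only removed from live totals at reporting time.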