Information Systems Control and Audit

Dinesh Madan
In today’s business environment, it is almost impossible to conduct business activities without using a computer-based information system. Accounting professionals are the primary users of computer-based information systems.
In today’s globalized business operations and complex accounting environment, the role of accounting professionals has changed from users of computer-based information systems to functional consultants who, as domain experts, design complex business processes for computer-based applications.
In addition, information system auditors ensure that an information system is free from manipulations and errors and meets the organization’s objectives for using it. Information system auditors not only assess the adequacy and effectiveness of the applied information system controls but also help with the design, implementation and operation of effective and adequate controls for information systems.
The information system controls and audit discipline is gaining more and more importance with the increasing use of complex online computing systems by organizations.
You may all be aware of the ISA course conducted by the Institute of Chartered Accountants. This course equips CAs for information systems audit in complex online information system environments such as bank and stock exchange information systems.
In addition, there are certification courses from ISACA (Information Systems Audit and Control Association) on information system risk management and audit, which also help to gain additional knowledge for the effective operation and management of information systems.
The ISCA syllabus is primarily focused on providing CA final students with expert knowledge of information system types and development steps, information security, and information system controls and audit. The syllabus covers the following key topics:
• Types of Information Systems
• Information System Development Methodology
• Information System Controls
• Information System Security
• Information System Audit
Additionally, the syllabus includes audit standards and best practices in the field of information technology:
• COBIT 5
• ISO 27001
• CMM
• ITIL V3
Providing knowledge of the IT Act and e-governance is another important aim of the ISCA syllabus.
ISCA chapter overview (the chapters are grouped under four themes: Information System, Information System Controls and Security, Information System Audit, and Information Technology (Amendment) Act 2008):
1. Information Systems Concepts
2. System Development Life Cycle Methodology
3. Control Objectives
4. Testing of General and Automated Controls
5. Risk Assessment Methodologies and Applications
6. Business Continuity and Disaster Recovery Planning
7. An Overview of Enterprise Resource Planning (ERP)
8. Information Systems Audit Standards, Guidelines and Best Practices (COBIT, ISO 27001, CMM, ITIL V3)
9. Drafting of IS Security Policy, Audit Policy, and IS Audit Reporting
10. Information Technology (Amendment) Act 2008
As the chapter name (Information Systems Concepts) indicates, this chapter explains the key concepts about:
• System
• Types of Information System
• Information Related Concepts
System; this includes:
• Definition of System
• Types of System (Open/Closed, Abstract/Probabilistic, Manual/Automated)
• General Concepts of System: System Boundary, System Environment, System
Interface, Sub-System, System Decomposition, System Simplification, System
Stress, System Decoupling
Types of Information System; this includes:
• Operational Information System (TPS, MIS and ERP)
• Management Support System (DSS, EIS and ES)
• Office Automation System (Text Processing System, Electronic Document Management
System, Electronic Messaging and Teleconferencing System)
Information Related concepts; this includes:
• Information Definition and Characteristics of Good Information
• Factors which decide the information requirements of executives
Tip: while studying this chapter, think about how information systems or computer-based systems are used at different levels of management and for different business activities and objectives.
This chapter (System Development Life Cycle Methodology) explains how a large information system is developed in big organizations such as banks. We can imagine that information system development in an organization like a bank is a big project involving a large number of activities; this chapter provides knowledge about those activities and tasks.
Primarily, this chapter covers the following three key topics to explain information system development:
• System Development Approaches
• Steps or Phases of System Developments
• Some miscellaneous concepts about system development
System Development Approaches: This topic covers six approaches for system development, which are chosen based on the type of project. For example, if a project has to be developed quickly for some urgent need, the RAD approach can be used; if a project is quite big and involves different risks, the Spiral Model can be used. The following six approaches are explained:
• Traditional Approach
• Prototype Approach
• Incremental Approach
• Spiral Model
• Agile Approach
• Rapid Application Development (RAD) Approach
Phases of System Development: This is the key topic of this chapter and provides detailed knowledge about the system development phases, also known as the System Development Life Cycle (SDLC) phases:
• Phase 1: Preliminary Investigation
• Phase 2: System Analysis
• Phase 3: System Design
• Phase 4: System Acquisition and Software Development
• Phase 5: System Testing
• Phase 6: System Implementation
• Phase 7: System Maintenance and Post Implementation Review
Miscellaneous System Development Concepts: This
includes the following:
• Reasons for System Development Failure
• System Development Tools: System Components and Flow Tools,
User Interface Tools, Data Attributes Tools, Detailed System
Process Tools
• Operational Manual
• Auditor’s Roles in SDLC
This chapter (Control Objectives) imparts knowledge on types of controls and data security techniques. We are all aware of using a login ID and password to give computer access to authorized users, and of using antivirus software for virus control. Controls help to provide an error-free, reliable, efficient and secure information system. As auditors, CAs play a very important role in auditing information system controls for effectiveness and adequacy.
Content of this chapter can primarily be divided into three categories:
• Internal Control Framework for Information System
• Type of Internal Controls for Information System
• Information System Security Concepts and Techniques
Internal Control Framework: This explains the controls and audit environment for computer-based information systems, such as why controls are needed for information systems, the effects of computers on the audit environment, the IS audit process, etc.
Type of Internal Controls: This includes details on the types of controls, such as Organization Controls, Information System Organization Controls, Financial Controls, User Controls, Application Controls, System Development Controls, Controls over System Implementation and Change, Data Integrity Controls, Access Controls (Logical Access and Physical Access Controls) and Environment Controls. This also includes the auditor’s role in auditing these controls.
Data Security Techniques: This includes security techniques like the Data Encryption Standard (DES), Asymmetric Crypto Systems, Data Encryption Techniques, Firewalls (types of firewall and configuration of firewall), Intrusion Detection Systems (IDS), Data Privacy, and details on hacking and controls for destructive programs.
This chapter (Testing of General and Automated Controls) is an extension of the Control Objectives chapter. Here, audit and testing procedures for controls are explained. In addition, concurrent audit techniques, which are used for the audit of online systems like banking systems, are explained.
The chapter content includes the following key topics:
• Testing of Controls Process: Testing of IS controls is part of the information system audit process. With the testing of controls, an auditor provides his/her opinion on the adequacy and effectiveness of the applied controls. The testing of controls can be divided into three audit phases:
    • Audit Planning
    • Testing of Controls
    • Audit Reporting
• Concurrent Audit Modules or Techniques: This includes details of the audit modules used for the audit of online information systems such as banking and railway systems. The following concurrent audit modules are covered in this topic:
    • ITF (Integrated Test Facility)
    • SCARF (System Control Audit Review File)
    • Snapshot
    • CIS (Continuous and Intermittent Simulation)
Finally, audit and review techniques for hardware, operating systems and Local Area Networks are explained.
Knowledge of the risk assessment and management framework is an important need for finance professionals in today’s complex business environment. Although this chapter (Risk Assessment Methodologies and Applications) provides the risk assessment and management framework for information systems, the framework and terminologies explained in it are equally valid for financial and market risk assessment.
This chapter provides knowledge on how an information system’s threats and risks can be analyzed and managed. It explains the key terminologies used in risk management, for example: threats, vulnerabilities, likelihood of risk, residual risk, risk identification, risk analysis techniques, risk ranking and mitigation techniques, etc.
The chapter content includes the following key topics:
Risk Assessment Methodologies and Applications
• Risk Definitions: Risk, Threat, Exposure, Vulnerability, Attack
• Threats to the Computerized Environment
• Threats due to Cyber Crime
• Risk Identification
• Risk Management
• Risk Ranking
• Risk Analysis and Evaluation Techniques
• Risk and Controls
• Risk Mitigation
• Risk Assessment
This chapter (Business Continuity and Disaster Recovery Planning) covers the various plans and protections used for business continuity, particularly in relation to the IT set-up of an organization, so as to protect the IT set-up from any disaster.
Business Continuity Planning: Planning for the continued operation of business activities or services even in the worst possible events. Here, business continuity planning relates to the IT set-up of the organization.
Disaster Recovery Planning: This relates to developing a plan to recover immediately from any disaster, such as fire, flood or attack. A disaster recovery plan focuses on restarting operations using a proper plan with a priority list, with minimum economic and reputational loss to the organization.
The following key concepts related to BCP and DRP are part of this chapter:
• Objectives of BCP and How a BCP is developed (i.e. BCP Methodology or
Phases of BCP)
• Business Impact Analysis (BIA) study, an important Phase of developing
BCP
• DRP and its key components or sub plans (Emergency Plan, Backup Plan,
Recovery Plan and Test Plan)
• Backup plan related concepts: Data and Software backup techniques,
Alternate Processing Facility Arrangement, Backup media and Backup
planning
• Types of Insurance
• DRP Testing and Testing Methodology
• Audit Tools and Techniques for DRP
• Audit of DRP/BCP
ERP is a very popular information system and is even considered a good career option for Chartered Accountants. ERP provides a very challenging and satisfying career option to CAs: it allows a CA to innovate the best processes for managing accounts and finance in an integrated manner for the entire organization, in a multi-currency, multi-facility and multi-country environment.
ERP is not only software; it provides solutions, or best practices, for managing businesses in a global or complex environment. Banks’ working is ERP based, and it helps to provide and manage banking services from anywhere. ERP is quite an extensive subject; we will study some key concepts about ERP in this chapter:
Some General Concepts about ERP
• Evolution of ERP
• Enabling Technologies for ERP
• Characteristics and Features of ERP
• Why Companies Undertake ERP?
• Benefits of ERP
BPR: Business Process Re-engineering
• Business Process Reengineering,
• Business Engineering
• Business Modeling
ERP Implementation
• Key Planning and Implementation Decisions
• ERP Implementation Methodology
• Implementation Steps of ERP Package
• Implementation Guideline
• Post Implementation Scenario
• Life after ERP Implementation
• Risk and Governance Issues in ERP
• ERP and E-commerce
• List of ERP Vendors and ERP Software Packages
Extensive use of computer-based information systems has helped to frame best practices for information system development and management, and it has also produced different sets of auditing standards and guidelines for the audit of information system controls. This chapter (Information Systems Audit Standards, Guidelines and Best Practices) provides an overview of the popular information system auditing standards, guidelines and best practices in use. These standards and guidelines help to maintain efficient and effective information systems:
Information System Audit Standards and Guidelines
• ISO 27001
• SA 315 and SA 330
• COBIT 5
• CMM
• ITIL V3 (IT Infrastructure Library)
• CoCo
• SysTrust and WebTrust
• HIPAA
• SA 402
We cannot imagine a big bank working without an online information system. If we analyze a bank’s most important resource, I think it will be the customer data or information managed by the bank’s online, distributed information system. Any bank would simply collapse if its information were not protected.
This chapter (Drafting of IS Security Policy, Audit Policy, and IS Audit Reporting) stresses that technical controls alone cannot protect information. An organization should establish a proper information security policy and audit policy to achieve its information security objectives. The chapter covers:
• What is Information Security?
• Why is Information Security Important?
• What Type of Information is Sensitive?
• Various Information Protection Methods
• What is an Information Security Policy and what issues it addresses
• Types of Information Security Policies
• Information Security Components
• Information System Audit Policy and its Purpose
• Audit Reporting



This chapter is about the Information Technology (Amendment) Act, 2008, also known as the Cyber Laws. This act was originally framed as the Information Technology Act, 2000.
The IT Act, 2000 was mainly enacted to provide legal validity to electronic transactions and to digital signatures for the authentication of electronic documents. It also served the purpose of promoting electronic working, or e-governance, in government departments, and it stated various penalties for electronic offences.
The IT Act, 2000 was amended as the IT (Amendment) Act, 2008 to include various new provisions, particularly related to electronic offences and data privacy. Additionally, it provides for the Electronic Signature for the authentication of electronic transactions and documents, instead of only the technology-based Digital Signature of the IT Act, 2000. Electronic Signature is a wider term, and it includes Digital Signature as its main component.
Electronic Signature Types, IT Act 2000: Digital Signature
Electronic Signature Types, IT (Amendment) Act 2008: Digital Signature, PIN, Password, Bio Signs
In the IT (Amendment) Act, 2008, there are 124 sections divided into 14 chapters. We need to have a basic understanding of these sections.