FINAL COURSE STUDY MATERIAL
PAPER 6: Information Systems Control and Audit
Volume I
BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
© The Institute of Chartered Accountants of India

This study material has been prepared by the faculty of the Board of Studies. The objective of the study material is to provide teaching material to the students to enable them to obtain knowledge and skills in the subject. Students should also supplement their study by reference to the recommended text books. In case students need any clarifications or have any suggestions to make for further improvement of the material contained herein, they may write to the Director of Studies.

All care has been taken to provide interpretations and discussions in a manner useful for the students. However, the study material has not been specifically discussed by the Council of the Institute or any of its Committees, and the views expressed herein may not be taken to necessarily represent the views of the Council or any of its Committees.

Permission of the Institute is essential for reproduction of any portion of this material.

© THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior permission in writing from the publisher.

Revised Edition: January, 2013
Website: www.icai.org
Department/Committee: Board of Studies
E-mail: bosnoida@icai.org
ISBN No.:
Price:
Published by: The Publication Department on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi-110 002, India.
Typeset and designed at Board of Studies.
Printed by: Sahitya Bhawan Publications, Hospital Road, Agra-282 003

A WORD ABOUT STUDY MATERIAL

In today's business world, accounting professionals have to interact with computer-based information systems on a regular basis. As primary users of information systems in organizations, accountants must participate in their design and understand their operation. Accounting managers must measure and evaluate the performance of information systems. Internal and external auditors must assess the quality of information systems and evaluate the accuracy of information input and output. The major share of the work of accounting consultants is in the design, implementation, evaluation and control of information systems.

The new system of the Chartered Accountancy course, recognizing the importance of Information Technology, has included it as part of the course curriculum at both the IPCC and Final levels. A paper on Information Systems Control and Audit, forming a part of the Final syllabus, helps the students to understand how to evaluate controls and standards for information systems in an organizational environment. The basic knowledge about Information Technology gained at the IPCC level is sought to be built up further through this paper.

The course Study Material covers the theoretical framework in detail. In addition to this, students can also refer to the recommended reading books available on this paper. Students are also advised to update themselves with the latest changes in the IT sector. For this, they may refer to the academic updates in the monthly journal 'The Chartered Accountant' and the 'Students' Journal' published by the Institute, and also to other IT journals/magazines of repute, e.g. ISACA's Journal.

Chapter-wise coverage of this Study Material is as follows:

Chapter 1 of the study material is devoted to the discussion of basic concepts of systems and various types of information systems.

Chapter 2 deals with the systems development process for an information system. The various stages of the systems development life cycle are also discussed. In this chapter, students will also get an idea of how computerized business applications are conceived and designed. Various tools and techniques of systems analysis, design and programming are also briefly covered in this chapter.

Chapter 3 discusses the objectives and functions of various controls for information systems. Understanding of these controls is essential to the Chartered Accountant's ability to audit 'through' the company's information systems.

Chapter 4 discusses various levels of testing for automated controls. This chapter has been revised from an audit perspective.

Chapter 5 is devoted to the topic of risk assessment methodologies and their application in information systems.

Chapter 6 outlines business continuity planning and disaster recovery planning, in case such a situation arises in any organization.

Chapter 7 extensively deals with ERP systems.

Chapter 8 outlines the framework for Information Systems auditing standards, guidelines and best practices such as ISO 27001, COBIT and HIPAA. The current version of COBIT is added in this revised edition.

Chapter 9 discusses various aspects related to information system security policy, audit policy and audit reporting from a practical perspective.

Chapter 10 is devoted to the discussion of the Information Technology (Amendment) Act, 2008.

The significant additions in the revised edition are highlighted in bold and italics in the study material and have also been consolidated in the form of a table entitled "Significant Changes in the Revised Edition" on a subsequent page.

In case you need any further clarification/guidance, please send your queries through the e-Sahaayataa portal on the ICAI website (www.icai.org) or to bosnoida@icai.org / santosh.pandey@icai.org.

Happy Reading and Best Wishes!
Significant Changes in the Revised Edition

Chapter 5 - Risk Assessment Methodologies and Applications
Sections/sub-sections wherein major additions/deletions have been done, with page numbers:
5.1 Introduction ..... 5.1
5.2 Related Terms ..... 5.2
5.3 Threats to the Computerized Environment ..... 5.5
5.4 Threats due to Cyber Crimes ..... 5.6
5.5 Risk Assessment ..... 5.7
5.6 Risk Management ..... 5.9
5.7.1 Techniques for Risk Evaluation ..... 5.22
5.9 Risk Mitigation ..... 5.26
5.9.1 Common Risk Mitigation Techniques ..... 5.26

Chapter 8 - Information Systems Auditing Standards, Guidelines, Best Practices
Sections/sub-sections wherein major additions/deletions have been done, with page numbers:
8.3 ISO 27001 - Information Security Management Standard ..... 8.2
8.3.1 Four Phases of ISMS ..... 8.3
8.3.2 Other Standards related to Information Security ..... 8.5
8.3.3 Areas of focus of ISMS ..... 8.5
8.4 Capability Maturity Model - CMM ..... 8.11
8.4.2 Five Levels of Software Process Maturity ..... 8.12
8.4.3 Behavioral Characterization of the Maturity Levels ..... 8.13
8.5 COBIT - IT Governance Model ..... 8.16
8.5.1 Need for Enterprises to use COBIT 5 ..... 8.17
8.5.2 Benefits ..... 8.17
8.5.3 Integrating COBIT 5 with other frameworks ..... 8.17
8.5.4 Customizing COBIT 5 as per need ..... 8.18
8.5.5 Five Principles of COBIT 5 ..... 8.18
8.5.6 COBIT 5 Enablers ..... 8.21
8.5.7 COBIT 5 Process Reference Model ..... 8.22
8.6 CoCo ..... 8.22
8.7 ITIL ..... 8.23
8.7.1 Details of the ITIL Framework ..... 8.24
8.10 SA 402 (Revised) ..... 8.29

SYLLABUS
PAPER 6: INFORMATION SYSTEMS CONTROL AND AUDIT
(One Paper - Three hours - 100 marks)

Level of Knowledge: Advanced knowledge

Objective: To gain application ability of necessary controls, laws and standards in computerized information systems.

Contents:

1. Information Systems Concepts
General Systems Concepts - Nature and types of systems, nature and types of information, attributes of information.
Management Information System - Role of information within business.
Business information systems - various types of information systems - TPC, MIS, DSS, EIS, ES.

2. Systems Development Life Cycle Methodology
Introduction to SDLC/Basics of SDLC
Requirements analysis and systems design techniques
Strategic considerations: Acquisition decisions and approaches
Software evaluation and selection/development
Alternate development methodologies - RAD, Prototype etc.
Hardware evaluation and selection
Systems operations and organization of systems resources
Systems documentation and operation manuals
User procedures, training and end user computing
System testing, assessment, conversion and start-up
Hardware contracts and software licenses
System implementation
Post-implementation review
System maintenance
System safeguards
Brief note on IS Organisation Structure

3. Control Objectives
(a) Information Systems Controls
Need for control
Effect of computers on Internal Audit
Responsibility for control - Management, IT, personnel, auditors
Cost effectiveness of control procedure
Control Objectives for Information and related Technology (COBIT)
(b) Information Systems Control Techniques
Control Design: Preventive and detective controls, Computer-dependent control, Audit trails, User Controls (Control balancing, Manual follow up)
Non-computer-dependent (user) controls: Error identification controls, Error investigation controls, Error correction controls, Processing recovery controls
(c) Controls over system selection, acquisition/development
Standards and controls applicable to IS development projects
Developed / acquired systems
Vendor evaluation
Structured analysis and design
Role of IS Auditor in System acquisition/selection
(d) Controls over system implementation
Acceptance testing methodologies
System conversion methodologies
Post implementation review
Monitoring, use and measurement
(e) Control over System and program changes
Change management controls
Authorization controls
Documentation controls
Testing and quality controls
Custody, copyright and warranties
Role of IS Auditor in Change Management
(f) Control over Data integrity, privacy and security
Classification of information
Logical access controls
Physical access controls
Environmental controls
Security concepts and techniques - Cryptosystems, Data Encryption Standard (DES), Public Key Cryptography & Firewalls
Data security and public networks
Monitoring and surveillance techniques
Data Privacy
Unauthorised intrusion, hacking, virus control
Role of IS Auditor in Access Control

4. Audit Tests of General and Automated Controls
(a) Introduction to basics of testing (reasons for testing);
(b) Various levels/types of testing such as: (i) Performance testing, (ii) Parallel testing, (iii) Concurrent Audit modules/Embedded audit modules, etc.

5. Risk assessment methodologies and applications:
(a) Meaning of Vulnerabilities, Threats, Risks, Controls,
(b) Fraud, error, vandalism, excessive costs, competitive disadvantage, business interruption, social costs, statutory sanctions, etc.
(c) Risk Assessment and Risk Management,
(d) Preventive/detective/corrective strategies

6. Business Continuity Planning and Disaster Recovery Planning:
(a) Fundamentals of BCP/DRP, (b) Threat and risk management, (c) Software and data backup techniques, (d) Alternative processing facility arrangements, (e) Disaster recovery procedural plan, (f) Integration with departmental plans, testing and documentation, (g) Insurance

7. An overview of Enterprise Resource Planning (ERP)

8. Information Systems Auditing Standards, guidelines, best practices (ISO 27001, HIPAA, CMM etc.)

9. Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - a practical perspective

10. Information Technology (Amendment) Act, 2008

CONTENTS

CHAPTER 1 - INFORMATION SYSTEMS CONCEPTS
1.1 Introduction ..... 1.1
1.2 Definition of a System ..... 1.1
1.3 Types of System ..... 1.1
1.4 General Model of a System ..... 1.6
1.5 System Environment ..... 1.6
1.6 Information ..... 1.11
1.7 Information System and its Role in Management ..... 1.13
1.8 Types of Information Systems at Different Levels ..... 1.18
1.9 Operations Support Systems (OSS) ..... 1.19
1.10 Management Support Systems (MSS) ..... 1.33
1.11 Office Automation Systems (OAS) ..... 1.45

CHAPTER 2 - SYSTEM DEVELOPMENT LIFE CYCLE METHODOLOGY
2.1 Introduction ..... 2.1
2.2 Systems Development Process ..... 2.1
2.3 Systems Development Methodology ..... 2.4
2.4 System Development Life Cycle (SDLC) ..... 2.15
2.5 The Preliminary Investigation ..... 2.17
2.6 System Requirement Analysis ..... 2.23
2.7 Systems Design ..... 2.33
2.8 System Acquisition ..... 2.39
2.9 Development: Programming Techniques and Languages ..... 2.42
2.10 System Testing ..... 2.43
2.11 Systems Implementation ..... 2.47
2.12 Post Implementation Review and System Maintenance ..... 2.50
2.13 Operation Manuals ..... 2.52
2.14 Auditors' Role in SDLC ..... 2.53

CHAPTER 3 - CONTROL OBJECTIVES
3.1 Information Systems Controls ..... 3.1
3.2 Need for Control and Audit of Information Systems ..... 3.1
3.3 Effect of Computers on Internal Controls ..... 3.3
3.4 Effect of Computers on Audit ..... 3.5
3.5 Responsibility for Controls ..... 3.7
3.6 The IS Audit Process ..... 3.9
3.7 Information Systems Control Techniques ..... 3.17
3.8 User Controls ..... 3.29
3.9 System Development and Acquisition Controls ..... 3.36
3.10 Control Over System and Program Changes ..... 3.42
3.11 Quality Control ..... 3.49
3.12 Controls Over System Implementation ..... 3.54
3.13 System Maintenance ..... 3.58
3.14 Post Implementation Review ..... 3.60
3.15 Control Over Data Integrity, Privacy and Security ..... 3.63
3.16 Security Concepts and Techniques ..... 3.68
3.17 Data Security and Public Networks ..... 3.71
3.18 Unauthorized Intrusion ..... 3.75
3.19 Hacking ..... 3.76
3.20 Data Privacy ..... 3.79
3.21 Controlling Against Viruses and Other Destructive Programs ..... 3.81
3.22 Logical Access Controls ..... 3.83
3.23 Physical Access Controls ..... 3.98
3.24 Environmental Controls ..... 3.108

CHAPTER 4 - TESTING: GENERAL AND AUTOMATED CONTROLS
4.1 Introduction to Basics of Testing (Reasons for Testing) ..... 4.1
4.2 Audit Planning ..... 4.2
4.3 Audit Testing ..... 4.2
4.4 Testing Critical Control Points ..... 4.9
4.5 Test Effectiveness of Information System Controls ..... 4.10
4.6 Tests of General Controls at the Entity-wide and System Level ..... 4.10
4.7 Tests of General Controls at the Business Process-Application Level ..... 4.11
4.8 Tests of Business Process Application Controls and User Controls ..... 4.11
4.9 Appropriateness of Control Tests ..... 4.12
4.10 Multiyear Testing Plans ..... 4.13
4.11 Documentation of Control Testing Phase ..... 4.14
4.12 Audit Reporting ..... 4.14
4.13 Concurrent or Continuous Audit and Embedded Audit Modules ..... 4.20
4.14 Hardware Testing ..... 4.24
4.15 Review of Hardware ..... 4.25
4.16 Operating System Review ..... 4.27
4.17 Reviewing the Network ..... 4.29

CHAPTER 5 - RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS
5.1 Introduction ..... 5.1
5.2 Related Terms ..... 5.2
5.3 Threats to the Computerized Environment ..... 5.5
5.4 Threats due to Cyber Crimes ..... 5.6
5.5 Risk Assessment ..... 5.7
5.6 Risk Management ..... 5.9
5.7 Risk Identification ..... 5.21
5.8 Risk Ranking ..... 5.24
5.9 Risk Mitigation ..... 5.26
5.10 Risk and Controls ..... 5.28

CHAPTER 6 - BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
6.0 Introduction ..... 6.1
6.1 Business Continuity Planning ..... 6.1
6.2 Developing a Business Continuity Plan ..... 6.3
6.3 Types of Plans ..... 6.7
6.4 Test Plan ..... 6.8
6.5 Threats and Risk Management ..... 6.9
6.6 Software and Data Back-up Techniques ..... 6.12
6.7 Alternate Processing Facility Arrangements ..... 6.12
6.8 Back-up Redundancy ..... 6.13
6.9 Disaster Recovery Procedural Plan ..... 6.16
6.10 Insurance ..... 6.17
6.11 Testing Methodology and Checklist ..... 6.19
6.12 Audit Tools and Techniques ..... 6.23
6.13 Audit of the Disaster Recovery/Business Resumption Plan ..... 6.23

CHAPTER 7 - AN OVERVIEW OF ENTERPRISE RESOURCE PLANNING (ERP)
7.0 Introduction ..... 7.1
7.1 ERP - Definition ..... 7.2
7.2 Business Process Reengineering (BPR) ..... 7.7
7.3 ERP Implementation ..... 7.11
7.4 Post Implementation ..... 7.17
7.5 Risk and Governance Issues in an ERP ..... 7.17
7.6 How does ERP fit with E-Commerce ..... 7.19
7.7 Life after Implementation ..... 7.20
7.8 Sample List of ERP Vendors ..... 7.21
7.9 ERP Software Package (SAP) ..... 7.22
7.10 Case Study ..... 7.39

CHAPTER 8 - INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES
8.0 Introduction ..... 8.1
8.1 IS Audit Standards ..... 8.2
8.2 SA 315 and SA 330 ..... 8.2
8.3 ISO 27001 - Information Security Management Standard ..... 8.2
8.4 Capability Maturity Model (CMM) ..... 8.11
8.5 COBIT - IT Governance Model ..... 8.16
8.6 CoCo ..... 8.22
8.7 ITIL (IT Infrastructure Library) ..... 8.23
8.8 SysTrust and WebTrust ..... 8.25
8.9 HIPAA ..... 8.26
8.10 SA 402 (Revised) ..... 8.29

CHAPTER 9 - DRAFTING OF IS SECURITY POLICY, AUDIT POLICY, IS AUDIT REPORTING: A PRACTICAL PERSPECTIVE
9.0 Introduction ..... 9.1
9.1 Importance of Information System Security ..... 9.1
9.2 Information System Security ..... 9.2
9.3 Protecting Computer-held Information Systems ..... 9.5
9.4 Information Security Policy ..... 9.6
9.5 Types of Information Security Policies and their Hierarchy ..... 9.7
9.6 Audit Policy ..... 9.14
9.7 Audit Working Papers and Documentation ..... 9.17
9.8 IS Audit Reports ..... 9.20
Annexure I: Sample IS Security Policy ..... 9.21

CHAPTER 10 - INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
10.0 Brief History ..... 10.1
10.1 The IT Act 2000 and its Objectives ..... 10.3
10.2 Preliminary [Chapter I] ..... 10.3
10.3 Digital Signature and Electronic Signature (Amended vide ITAA 2008) [Chapter II] ..... 10.7
10.4 Electronic Governance [Chapter III] ..... 10.9
10.5 Attribution, Acknowledgment and Dispatch of Electronic Records [Chapter IV] ..... 10.13
10.6 Secure Electronic Records and Secure Electronic Signatures [Chapter V] ..... 10.15
10.7 Regulation of Certifying Authorities [Chapter VI] ..... 10.16
10.8 Electronic Signature Certificates [Chapter VII] ..... 10.22
10.9 Duties of Subscribers [Chapter VIII] ..... 10.25
10.10 Penalties and Adjudication [Chapter IX] ..... 10.27
10.11 The Cyber Appellate Tribunal (Amended vide ITAA 2008) [Chapter X] ..... 10.31
10.12 Offences [Chapter XI] ..... 10.37
10.13 Intermediaries Not to be Liable in Certain Cases (Substituted vide ITAA 2008) [Chapter XII] ..... 10.49
10.14 Miscellaneous [Chapter XIII] ..... 10.50