Information Systems Control and Audit

FINAL COURSE STUDY MATERIAL
PAPER 6: Information Systems Control and Audit
Volume – I
BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
© The Institute of Chartered Accountants of India
This study material has been prepared by the faculty of the Board of Studies. The objective of
the study material is to provide teaching material to the students to enable them to obtain
knowledge and skills in the subject. Students should also supplement their study by reference
to the recommended text books. In case students need any clarifications or have any
suggestions to make for further improvement of the material contained herein, they may write
to the Director of Studies.
All care has been taken to provide interpretations and discussions in a manner useful for the
students. However, the study material has not been specifically discussed by the Council of
the Institute or any of its Committees and the views expressed herein may not be taken to
necessarily represent the views of the Council or any of its Committees.
Permission of the Institute is essential for reproduction of any portion of this material.
© THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
All rights reserved. No part of this book may be reproduced, stored in retrieval system, or
transmitted, in any form, or by any means, Electronic, Mechanical, photocopying, recording, or
otherwise, without prior permission in writing from the publisher.
Revised Edition : January, 2013
Website : www.icai.org
Department/Committee : Board of Studies
E-mail : bosnoida@icai.org
ISBN No. :
Price :
Published by : The Publication Department on behalf of The Institute of Chartered Accountants of India, ICAI Bhawan, Post Box No. 7100, Indraprastha Marg, New Delhi-110 002, India.
Typeset and designed at Board of Studies.
Printed by : Sahitya Bhawan Publications, Hospital Road, Agra- 282 003
A WORD ABOUT STUDY MATERIAL
In today’s business world, accounting professionals have to interact with computer-based information systems on a regular basis. As primary users of information systems in organizations, accountants must participate in their design and understand their operation. Accounting managers must measure and evaluate the performance of information systems. Internal and external auditors must assess the quality of information systems and evaluate the accuracy of information input and output. The major share of the work of accounting consultants is in the design, implementation, evaluation and control of information systems.
The new system of the Chartered Accountancy course, recognizing the importance of Information Technology, has included it as part of the course curriculum at both the IPCC and Final levels. A paper on Information Systems Control and Audit, forming a part of the final syllabus, helps students understand how to evaluate controls and standards for information systems in an organizational environment. The basic knowledge of Information Technology gained at the IPCC level is built upon further through this paper.
The course Study Material covers the theoretical framework in detail. In addition, students can also refer to the recommended reading books available on this paper. Students are also advised to keep themselves updated with the latest changes in the IT sector. For this, they may refer to the academic updates in the monthly journal ‘The Chartered Accountant’ and the ‘Students’ Journal’ published by the Institute, and also to other IT journals/magazines of repute, e.g. ISACA’s Journal. Chapter-wise coverage of this Study Material is as follows:
Chapter 1 of the study material is devoted to the discussion of basic concepts of systems and the various types of information systems.
Chapter 2 deals with the systems development process for an information system. The various stages of the systems development life cycle are also discussed. In this chapter, students will also get an idea of how computerized business applications are conceived and designed. Various tools and techniques of systems analysis, design and programming are also briefly covered in this chapter.
Chapter 3 discusses the objectives and functions of various controls for information systems. Understanding these controls is essential to the Chartered Accountant’s ability to audit ‘through’ the company’s information systems.
Chapter 4 discusses various levels of testing for automated controls. This chapter has been revised from an audit perspective.
Chapter 5 is devoted to risk assessment methodologies and their application in information systems.
Chapter 6 outlines business continuity planning and disaster recovery planning, for the case where such a situation arises in an organization.
Chapter 7 deals extensively with ERP systems.
Chapter 8 outlines the framework of Information Systems auditing standards, guidelines and best practices such as ISO 27001, COBIT and HIPAA. The current version of COBIT has been added in this revised edition.
Chapter 9 discusses various aspects related to information system security policy, audit policy and audit reporting from a practical perspective.
Chapter 10 is devoted to the discussion of the Information Technology (Amendment) Act, 2008.
The significant additions in the revised edition are highlighted in bold and italics in the study material and have also been consolidated in the form of a table entitled “Significant Changes in the Revised Edition” on a subsequent page.
In case you need any further clarification/guidance, please send your queries through the e-Sahaayataa portal on the ICAI website (www.icai.org) or to bosnoida@icai.org / santosh.pandey@icai.org.
Happy Reading and Best Wishes!
Significant Changes in the Revised Edition
(Chapter No. and Name of the Chapter, followed by the Section/Sub-Sections wherein major additions/deletions have been done, with Page Numbers)

Chapter 5: Risk Assessment Methodologies and Applications
5.1 Introduction ............................................................................. 5.1
5.2 Related Terms ........................................................................... 5.2
5.3 Threats to the Computerized Environment ..................................... 5.5
5.4 Threats due to Cyber Crimes ........................................................ 5.6
5.5 Risk Assessment ........................................................................ 5.7
5.6 Risk Management ....................................................................... 5.9
5.7.1 Techniques for Risk Evaluation ................................................. 5.22
5.9 Risk Mitigation ......................................................................... 5.26
5.9.1 Common Risk Mitigation Techniques ........................................... 5.26

Chapter 8: Information Systems Auditing Standards, Guidelines, Best Practices
8.3 ISO 27001 – Information Security Management Standard .................... 8.2
8.3.1 Four Phases of ISMS ................................................................ 8.3
8.3.2 Other Standards related to Information Security ........................... 8.5
8.3.3 Areas of focus of ISMS ............................................................ 8.5
8.4 Capability Maturity Model (CMM) .................................................. 8.11
8.4.2 Five Levels of Software Process Maturity .................................... 8.12
8.4.3 Behavioral Characterization of the Maturity Levels ....................... 8.13
8.5 COBIT – IT Governance Model ....................................................... 8.16
8.5.1 Need for Enterprises to use COBIT 5 .......................................... 8.17
8.5.2 Benefits ............................................................................. 8.17
8.5.3 Integrating COBIT 5 with other frameworks ................................... 8.17
8.5.4 Customizing COBIT 5 as per need ............................................... 8.18
8.5.5 Five Principles of COBIT 5 ....................................................... 8.18
8.5.6 COBIT 5 Enablers ................................................................... 8.21
8.5.7 COBIT 5 Process Reference Model ............................................... 8.22
8.6 CoCo ..................................................................................... 8.22
8.7 ITIL ..................................................................................... 8.23
8.7.1 Details of the ITIL Framework .................................................. 8.24
8.10 SA 402 (Revised) ..................................................................... 8.29
SYLLABUS
PAPER 6 : INFORMATION SYSTEMS CONTROL AND AUDIT
(One Paper- Three hours - 100 marks)
Level of Knowledge: Advanced knowledge
Objective:
To gain the ability to apply the necessary controls, laws and standards in a computerized information system.
Contents:
1. Information Systems Concepts
General Systems Concepts – Nature and types of systems, nature and types of information, attributes of information.
Management Information System – Role of information within business
Business information systems – various types of information systems – TPS, MIS, DSS, EIS, ES
2. Systems Development Life Cycle Methodology
Introduction to SDLC/Basics of SDLC
Requirements analysis and systems design techniques
Strategic considerations: Acquisition decisions and approaches
Software evaluation and selection/development
Alternate development methodologies – RAD, Prototype, etc.
Hardware evaluation and selection
Systems operations and organization of systems resources
Systems documentation and operation manuals
User procedures, training and end user computing
System testing, assessment, conversion and start-up
Hardware contracts and software licenses
System implementation
Post-implementation review
System maintenance
System safeguards
Brief note on IS Organisation Structure
3. Control objectives
(a) Information Systems Controls
Need for control
Effect of computers on Internal Audit
Responsibility for control – Management, IT, personnel, auditors
Cost effectiveness of control procedure
Control Objectives for Information and related Technology (COBIT)
(b) Information Systems Control Techniques
Control Design: Preventive and detective controls, Computer-dependent control, Audit trails, User Controls (Control balancing, Manual follow up)
Non-computer-dependent (user) controls: Error identification controls, Error investigation controls, Error correction controls, Processing recovery controls
(c) Controls over system selection, acquisition/development
Standards and controls applicable to IS development projects
Developed / acquired systems
Vendor evaluation
Structured analysis and design
Role of IS Auditor in System acquisition/selection
(d) Controls over system implementation
Acceptance testing methodologies
System conversion methodologies
Post-implementation review
Monitoring, use and measurement
(e) Control over System and program changes
Change management controls
Authorization controls
Documentation controls
Testing and quality controls
Custody, copyright and warranties
Role of IS Auditor in Change Management
(f) Control over Data integrity, privacy and security
Classification of information
Logical access controls
Physical access controls
Environmental controls
Security concepts and techniques – Cryptosystems, Data Encryption Standard (DES), Public Key Cryptography & Firewalls
Data security and public networks
Monitoring and surveillance techniques
Data Privacy
Unauthorised intrusion, hacking, virus control
Role of IS Auditor in Access Control
4. Audit Tests of General and Automated Controls
(a) Introduction to basics of testing (reasons for testing);
(b) Various levels/types of testing such as: (i) Performance testing, (ii) Parallel testing, (iii) Concurrent Audit modules/Embedded audit modules, etc.
5. Risk assessment methodologies and applications: (a) Meaning of Vulnerabilities, Threats, Risks, Controls, (b) Fraud, error, vandalism, excessive costs, competitive disadvantage, business interruption, social costs, statutory sanctions, etc. (c) Risk Assessment and Risk Management, (d) Preventive/detective/corrective strategies
6. Business Continuity Planning and Disaster recovery planning: (a) Fundamentals of BCP/DRP, (b) Threat and risk management, (c) Software and data backup techniques, (d) Alternative processing facility arrangements, (e) Disaster recovery procedural plan, (f) Integration with departmental plans, testing and documentation, (g) Insurance
7. An overview of Enterprise Resource Planning (ERP)
8. Information Systems Auditing Standards, guidelines, best practices (ISO 27001, HIPAA, CMM etc.)
9. Drafting of IS Security Policy, Audit Policy, IS Audit Reporting - a practical perspective
10. Information Technology (Amendment) Act, 2008
CONTENTS
CHAPTER 1 – INFORMATION SYSTEMS CONCEPTS
1.1 Introduction ............................................................................................................ 1.1
1.2 Definition of a system .............................................................................................. 1.1
1.3 Types of System ..................................................................................................... 1.1
1.4 General Model of a System ..................................................................................... 1.6
1.5 System Environment ............................................................................................... 1.6
1.6 Information ............................................................................................................ 1.11
1.7 Information System and its role in Management .................................................... 1.13
1.8 Types of Information Systems at different levels ................................................... 1.18
1.9 Operations Support Systems (OSS) ...................................................................... 1.19
1.10 Management Support Systems (MSS)................................................................... 1.33
1.11 Office Automation Systems (OAS) ........................................................................ 1.45
CHAPTER 2 – SYSTEM DEVELOPMENT LIFE CYCLE METHODOLOGY
2.1 Introduction ............................................................................................................ 2.1
2.2 Systems Development Process ............................................................................... 2.1
2.3 Systems Development Methodology ....................................................................... 2.4
2.4 System Development Life Cycle (SDLC) ............................................................... 2.15
2.5 The Preliminary Investigation ................................................................................ 2.17
2.6 System Requirement Analysis ............................................................................... 2.23
2.7 Systems Design .................................................................................................... 2.33
2.8 System Acquisition ................................................................................................ 2.39
2.9 Development: Programming Techniques and Languages ..................................... 2.42
2.10 System Testing ..................................................................................................... 2.43
2.11 Systems Implementation ....................................................................................... 2.47
2.12 Post Implementation Review and System Maintenance ......................................... 2.50
2.13 Operation Manuals ................................................................................................ 2.52
2.14 Auditors' Role in SDLC ......................................................................................... 2.53
CHAPTER 3 – CONTROL OBJECTIVES
3.1 Information Systems Controls ................................................................................. 3.1
3.2 Need for Control and Audit of Information Systems ................................................. 3.1
3.3 Effect of Computers on Internal Controls ................................................................. 3.3
3.4 Effect of Computers on Audit .................................................................................. 3.5
3.5 Responsibility for Controls ...................................................................................... 3.7
3.6 The IS Audit Process .............................................................................................. 3.9
3.7 Information Systems Control Techniques .............................................................. 3.17
3.8 User Controls ........................................................................................................ 3.29
3.9 System Development and Acquisition Controls ..................................................... 3.36
3.10 Control Over System and Program Changes ......................................................... 3.42
3.11 Quality Control ...................................................................................................... 3.49
3.12 Controls Over System Implementation .................................................................. 3.54
3.13 System Maintenance ............................................................................................. 3.58
3.14 Post Implementation Review ................................................................................. 3.60
3.15 Control Over Data Integrity, Privacy and Security.................................................. 3.63
3.16 Security Concepts and Techniques ....................................................................... 3.68
3.17 Data Security and Public Networks ...................................................................... 3.71
3.18 Unauthorized Intrusion .......................................................................................... 3.75
3.19 Hacking ................................................................................................................. 3.76
3.20 Data Privacy ......................................................................................................... 3.79
3.21 Controlling Against Viruses and Other Destructive Programs ............................... 3.81
3.22 Logical Access Controls ...................................................................................... 3.83
3.23 Physical Access Controls ...................................................................................... 3.98
3.24 Environmental Controls ....................................................................................... 3.108
CHAPTER 4 : TESTING – GENERAL AND AUTOMATED CONTROLS
4.1 Introduction to basics of testing (Reasons for testing) ............................................. 4.1
4.2 Audit Planning ......................................................................................................... 4.2
4.3 Audit Testing ........................................................................................................... 4.2
4.4 Testing critical control point .................................................................................... 4.9
4.5 Test effectiveness of Information System Control .................................................. 4.10
4.6 Test of general controls at the entitywide and system level ................................... 4.10
4.7 Tests of general controls at the business process-application level ....................... 4.11
4.8 Tests of business process application controls and user controls .......................... 4.11
4.9 Appropriateness of control tests ............................................................................ 4.12
4.10 Multiyear testing plans .......................................................................................... 4.13
4.11 Documentation of control testing phase ................................................................ 4.14
4.12 Audit reporting ...................................................................................................... 4.14
4.13 Concurrent or continuous audit and embedded audit modules .............................. 4.20
4.14 Hardware testing ................................................................................................... 4.24
4.15 Review of hardware .............................................................................................. 4.25
4.16 Operating system review ....................................................................................... 4.27
4.17 Reviewing the network .......................................................................................... 4.29
CHAPTER 5 – RISK ASSESSMENT METHODOLOGIES AND APPLICATIONS
5.1 Introduction ............................................................................................................. 5.1
5.2 Related Terms ........................................................................................................ 5.2
5.3 Threats to the computerized environment ............................................................... 5.5
5.4 Threats due to cyber crimes .................................................................................... 5.6
5.5 Risk Assessment .................................................................................................... 5.7
5.6 Risk Management ................................................................................................... 5.9
5.7 Risk Identification .................................................................................................. 5.21
5.8 Risk Ranking ......................................................................................................... 5.24
5.9 Risk Mitigation ...................................................................................................... 5.26
5.10 Risk and Controls.................................................................................................. 5.28
CHAPTER 6 – BUSINESS CONTINUITY PLANNING AND DISASTER RECOVERY PLANNING
6.0 Introduction ............................................................................................................ 6.1
6.1 Business Continuity Planning .................................................................................. 6.1
6.2 Developing a Business Continuity Plan ................................................................... 6.3
6.3 Types of Plans ........................................................................................................ 6.7
6.4 Test Plan ................................................................................................................ 6.8
6.5 Threats and Risk Management ............................................................................... 6.9
6.6 Software and Data Back-up Techniques ............................................................... 6.12
6.7 Alternate Processing Facility Arrangements .......................................................... 6.12
6.8 Back-Up Redundancy ........................................................................................... 6.13
6.9 Disaster Recovery Procedural Plan ....................................................................... 6.16
6.10 Insurance .............................................................................................................. 6.17
6.11 Testing Methodology and Checklist ....................................................................... 6.19
6.12 Audit Tools and Techniques .................................................................................. 6.23
6.13 Audit of the Disaster Recovery/Business Resumption Plan ................................... 6.23
CHAPTER 7 – AN OVERVIEW OF ENTERPRISE RESOURCE PLANNING (ERP)
7.0 Introduction ............................................................................................................ 7.1
7.1 ERP-Definition ....................................................................................................... 7.2
7.2 Business Process Reengineering (BPR) ................................................................. 7.7
7.3 ERP Implementation ............................................................................................. 7.11
7.4 Post Implementation ............................................................................................. 7.17
7.5 Risk and Governance Issues in an ERP ................................................................ 7.17
7.6 How does ERP fit with E-Commerce ..................................................................... 7.19
7.7 Life after Implementation....................................................................................... 7.20
7.8 Sample List of ERP Vendors ................................................................................. 7.21
7.9 ERP Software Package (SAP)............................................................................... 7.22
7.10 Case Study ........................................................................................................... 7.39
CHAPTER 8 – INFORMATION SYSTEMS AUDITING STANDARDS, GUIDELINES, BEST PRACTICES
8.0 Introduction ............................................................................................................. 8.1
8.1 IS Audit Standards .................................................................................................. 8.2
8.2 SA 315 and SA 330................................................................................................. 8.2
8.3 ISO 27001 – Information Security Management Standard ....................................... 8.2
8.4 Capability Maturity Model (CMM) .......................................................................... 8.11
8.5 COBIT – IT Governance Model ............................................................................. 8.16
8.6 CoCo .................................................................................................................... 8.22
8.7 ITIL (IT Infrastructure Library) ............................................................................... 8.23
8.8 Systrust and Webtrust ........................................................................................... 8.25
8.9 HIPAA ................................................................................................................... 8.26
8.10 SA 402 (Revised)................................................................................................... 8.29
CHAPTER 9: DRAFTING OF IS SECURITY POLICY, AUDIT POLICY, IS AUDIT REPORTING – A PRACTICAL PERSPECTIVE
9.0 Introduction ............................................................................................................ 9.1
9.1 Importance of Information System Security ............................................................. 9.1
9.2 Information System Security ................................................................................... 9.2
9.3 Protecting Computer-held Information Systems ...................................................... 9.5
9.4 Information Security Policy ...................................................................................... 9.6
9.5 Types of Information Security Policies and their Hierarchy ...................................... 9.7
9.6 Audit Policy ........................................................................................................... 9.14
9.7 Audit Working Papers and Documentation ............................................................ 9.17
9.8 IS Audit Reports .................................................................................................... 9.20
Annexure – I : Sample IS Security Policy .............................................................. 9.21
CHAPTER 10 – INFORMATION TECHNOLOGY (AMENDMENT) ACT, 2008
10.0 Brief History .......................................................................................................... 10.1
10.1 The IT Act 2000 and its Objectives ........................................................................ 10.3
10.2 Preliminary [Chapter I] .......................................................................................... 10.3
10.3 Digital Signature And Electronic Signature (Amended Vide ITAA 2008) [Chapter II] ............ 10.7
10.4 Electronic Governance [Chapter III] ...................................................................... 10.9
10.5 Attribution, Acknowledgment And Dispatch Of Electronic Records [Chapter IV] ........... 10.13
10.6 Secure Electronic Records And Secure Electronic Signatures [Chapter V] ................ 10.15
10.7 Regulation Of Certifying Authorities [Chapter VI] ................................................ 10.16
10.8 Electronic Signature Certificates [Chapter VII] .................................................... 10.22
10.9 Duties Of Subscribers [Chapter VIII] ................................................................... 10.25
10.10 Penalties And Adjudication [Chapter IX] .............................................................. 10.27
10.11 The Cyber Appellate Tribunal (Amended Vide ITAA-2008) [Chapter X] ............... 10.31
10.12 Offences [Chapter XI].......................................................................................... 10.37
10.13 Intermediaries Not To Be Liable In Certain Cases (Substituted Vide ITAA-2008) [Chapter XII] ......... 10.49
10.14 Miscellaneous [Chapter XIII] ............................................................................... 10.50