A ChartBook on

INFORMATION
SYSTEM AUDIT
for ISA 3.0 (New Course)

FCA RAJAT AGRAWAL

For Better understanding refer this
ChartBook along with our video lectures
& quiz available in www.prokhata.com

3 rd
Edition
MODULE1 : INFORMATION SYSTEMS
AUDIT PROCESS MODULE  6 EMERGING
1 Concepts of IS Audit 1
TECHNOLOGIES
2 IS Audit in Phases 3 1 Arti cial Intelligence 86
3 IS Audit Tools & Techniques 9 INFORMATION 2 Blockchain 89
3 Cloud Computing 91
4
Application Controls Review of
11 SYSTEM AUDIT 3.0 4 Data Analytics 94
Business Applications
Application Controls Review of 5 Internet of ings 98
5 13
Specialised Systems 6 Robotic Process Automation 101
6 IT Enabled Assurance Services 14

MODULE  2 : GOVERNANCE AND MODULE  5 PROTECTION OF

MANAGEMENT OF ENTERPRISE INFORMATION ASSETS
Concepts of Governance and MODULE  3 SYSTEM DEVELOPMENT, MODULE  4 INFORMATION SYSTEMS Introduction to Protection of
1 17 1 67
Management of Information Systems Information Assets
ACQUISITION, IMPLEMENTATION OPERATIONS AND MANAGEMENT
GRC Frameworks and Risk Administrative Controls of
2 19 1 Project Management for SDLC 34 1 Information Systems Management 54 2 69
Management Practices Information Assets
3 Key Components of A Governance 24 2 SDLC – Need, Bene ts and Phases 39 2 Information Systems Operations 56 3 IS Audit Tools & Techniques 72
4 Performance Management Systems 27 3 Soware Testing and Implementation 45 3 Soware Operations & Management 59 4 Logical Access Controls 76
5 Business Continuity Management 29 4 Application Controls 51 4 Incident Response and Management 64 5 Network Security Controls 80

HOW TO PRACTICE QUESTIONS

IN PROKHATA
FEATURES
MODULE WISE QUIZ
MODULE TOPIC VIDEO • Detailed explanation with my comments
BASIC ADVANCE
WEIGHTAGE WISE QUIZ LECTURE • Aer submitting the quiz - Sort all wrong answers
LEVEL LEVEL
• Increase your analytical skill.
0 - (0%) 0 Topics 0 Ques. 0 Ques. 09:01 Hr
• You can retake quizzes multiple times.
1 - (18%) 150 Topics 140 Ques. 164 Ques. 04:25 Hr
• Practice Topic-wise quiz aer every Chapter lecture.
2 - (16%) 152 Topics 172 Ques. 94 Ques. 06:44 Hr
• Each Module-wise quiz is divided into 2 sections
3 - (18%) 120 Topics 129 Ques. 129 Ques. 05:07 Hr
• basic & advance quiz (MTP)
4 - (18%) 48 Topics 60 Ques. 172 Ques. 03:14 Hr
• Save the quiz in between & continue solving anytime.
5 - (22%) 187 Topics 268 Ques. 114 Ques. 05:03 Hr
• Full mock tests in last week in exam conditions.
6 - (8%) 43 Topics 118 Ques. 43 Ques. 05:04 Hr
• Track your progress with instant evaluation.
700 TOPICS
TOTAL 887 QUES. 716 QUES. 39:00 HR • Get a Brief Overview of each topic in colourful charts.
2900 QUES.
VISIT PROKHATA.COM > DASHBOARD > COURSES > ENROLLED COURSES > START COURSE > START COURSE
 Chapter 1 Concepts of IS Audit Module - 1 Information Systems Audit Process
CHAPTER 1:
CONCEPTS OF IS AUDIT
DEFINITION
Audit Computer System: Risk:
Audit is an inspection of an organization’s accounts, typically by It is a Complete and Functional Computer includes Hardware & Soware. Potential that a given threat will exploit the vulnerabilities of an asset
an Independent Body. Information: to cause loss. Risk is the product of Probability and Impact
Impact. Another
It means Data Processed in a Meaningful Context and has value to user. way of de ning risk would be reat exploiting Vulnerabilities.
Information Systems (IS): Internal Control:
Financial Audit IS Audit
It means Systems designed to Collect, Processs, Store and Distribute Information. Organisational structures designed to provide reasonable assurance
Four Components of IS : Task, People, Structure and Technology. that enterprise objectives will be achieved and undesired events will be
Ind ep endent Independent Review
Secure system: prevented, detected and corrected.
E xamination
A u t o m a t e d Manual Computer hardware, soware & procedures secure from unauthorized access, correct Business Process:
of Financial Interface
Information Systems Systems information processing, perform intended functions, generally accepted security procedures. It is a Collection of tasks that produce a speci c service
Information
CONCEPTS OF AUDIT CONCEPTS OF IT RISK
IS Audit : IT risk is a component of the overall risk universe of the enterprise. In many enterprises, IT-related
(General Standards of auditing are applicable to IS Audit.) risk is considered to be a component of operational risk
As Internal Audit As External Audit As Specialized Audit Enterprise Risk
Penetration Testing
Provide Assurance Part of Statutory Audit
Audit of Data Centre, STRATEGIC ENVIRONMENT MARKET CREDIT COMPLIANCE
Provide Report on ImplementedControl
Scope : Bound By Applicable Audit of Business Continuity Plan RISK RISK RISK RISK RISK
Provide Appropriate Recommendations
Regulatory Requiement Rreview of IT Strategy IT-Risk
for Mitigating Control Weaknesses
Standard on Auditing (SA 200)- Basic principles of audit IT Risk in the Risk Hierarchy
Describes risk in the overall environment and provides a structure for managing IT risk. e Risk Universe :
1. Integrity, Objectivity and Independence 4. Work performed by others • Considers the overall business objectives
e auditor should maintain Impartial Attitude. Should obtain Reasonable Assurance for work Performed by others. • Considers the full value chain of the enterprise
2. Knowledge, Skill and Competence 5. Documentation • Considers a full life-cycle
Auditor should have Adequate Knowledge, Training, Manatin documentary evidence in accordance with IS Auditing • Includes a logical and workable segmentation of the overall risk environment.
Experience and Competence. standards, guidelines and procedures. • Needs to be reviewed and updated on a regular basis
3. Con dentiality 6. Information systems and internal control Risk Management
Not Disclose any such Information to a ird Party Evaluate internal controls to determine the nature, timing and Process of identifying vulnerabilities & threats. Deciding what countermeasures to take to reduce
unless there is any legal or professional duty to disclose. extent of other audit procedures. risk to an acceptable level based on the value of the information assets to the organization. e primary
7. Audit Conclusions and reporting responibility of risk management lies with management. e Risk can be avoided, reduced, transferred,
Reveiw and assess the conclusions drawn from the audit evidence. accepted, rejected/ignored.
Residual Risk - Risk Appetite
AUDITING IN A COMPUTERIZED ENVIRONMENT In case the residual risks aer applying the controls exceed the risk appetite and have not been approved by
Audit in a Computerized Environment the management, these should be reported along with appropriate remedial measures.
Overall scope & Objectives of audit do not change in a computerised environment. Use of computers changes methodology of RISK BASED AUDITING
processing and storage of information. Audit approach and Audit evidence have moved from physical to digital. is approach is used to assess risk & to assist an IS Auditor to focus on high risk areas and in making the
Audit of Computerised Environment decision with regards to the sample size to perform either compliance testing and/or substantive testing. It
e objective of the IS audit is to Evaluate the adequacy of internal controls with regard to speci c computer program and data also help to relate the cost-bene t analysis of the controls to the known risks.
processing environment as a whole.
IS Audit is not only audit of automated information processing systems only but also include audit of non-automated processes
and their interfaces to the automated processes.
It can be performed by Audit and Control professionals who have expertise in understanding of business processes and internal
controls and knowledge of information systems’ risks and associated controls.

www.prokhata.com 1
CA Rajat Agrawal
Module - 1 Information Systems Audit Process Chapter 1 Concepts of IS Audit
AUDIT UNIVERSE CONCEPTS OF INTERNAL CONTROLS
Audit universe consists of all risk areas that could be subject to audit, resulting in a list of possible audit Policies, procedures, practices and organizational Internal Controls IS Controls
engagement that could be performed. It may be organised by: structures which are implemented to reduce risks
in the organisation to an acceptable level. Application IT general
Business Units Product or service lines Processes Programs Systems or controls General Controls Controls Controls
Internal controls are developed to provide reasonable
Bene ts of having an Audit Universe assurance to management that the organization’s business objectives will be achieved and risk will be managed.
It enables the audit activity to be clear about the extent of coverage of key risks and other risk areas each year. Type of IS Controls
Revenue Audit Risk Based Internal High Risk
Tier 1 Low or Full Coverage Preventive Controls: Detective Controls: Corrective Controls:
Stock & Recivable IS Audit Medium Risk
Controls that prevents problems Controls that detect and report the Controls that minimize the impact of
Tier 2 Medium Coverage before they arise. monitor both occurrence a threat. help in Identi cation of the
Credit Forensic Audit operations and inputs. cause of the problem.
Low Risk
Tier 3 Low or No Coverage
ORGANIZATION OF IS AUDIT FUNCTION
e role of the IS Audit function is de ned by the audit charter which de nes the authority, scope and responsibility. Based
AUDIT RISK AND MATERIALITY on the overall guidelines de ned in the audit charter, the audit function is created with speci c roles and responsibilities.
Audit Risk Audit Charter Audit Committee
Risk of Issuing unquali ed report due to the auditor's failure to detect material misstatement. Audit risk is Authority Scope Composition
composed of inherent risk (IR), control risk (CR) and detection risk (DR). Audit risk can be high, moderate or Department
& Responsibility & Constitution
low depending on the sample size selected by the Auditor. (IS Audit Function)
Inherent Risk
Suspectibility of Information resource to material the, destruction or any kind of impairment, assuming that Organization Infrastructure
there are no related internal controls. Inherent risk for audit assignment can be project related, revenues related, Skills and competent human resources CAATs.
resource related. Inherent risk to business can be dependent on nature of business. Aer the implementation of Infrastructure and Orgnization
controls, it is known as residual risk/net risk. • IS audit function should be equipped with sufficient resources to discharge its duties efficiently and effectively.
Control Risk Assurance function perspective: 1002 Organisational Independence
Risk that an error will not be prevented or detected and corrected on a timely basis by the internal control Which organizational structures are required to provide assurance ? e IS audit shall be independent of the area
system. Which information items are required to provide assurance (audit or activity being reviewed to permit objective
Detection Risk universe, audit plan, audit reports, etc.) ? completion of the audit and assurance engagement.
Risk that the IS Auditor’s substantive procedures will not detect an error which could be material. It is the risk
that is in uenced by the actions of an auditor. Internal and External Audit Control Quality Assessment and Peer Reviews
Materiality in case of: Framework • Best auditing practices following the professional standards and
• Ensures the minimum quality of audits. pronouncements,
Finacial Audit Regulatory Audit IS Audit • Policies and procedures for risk • IS Audit function is subject to both internal and external quality
assessment, planning, implementation assessments, peer reviews, certi cation and accreditation.
Value & Volume of Impact of Non- Effect or consequence of and reporting are to be established. • In case of external audit, the audit engagement letter de nes the scope and
Transaction Compliance the risk in terms of potential loss objectives of individual audit assignment.
• Materiality is an important aspect of the professional judgment of the IS Auditor Standards on Audit Performance
• Higher the level of materiality, lower is the risk that an IS auditor is, usually, willing to take. 1004 Reasonable Expectations 1007 Assertions
Measures to assess materiality: • Engagement can be completed in accordance with the IS audit • Assertions against which the subject matter will be
• Criticality of the business processes • Nature, timing and extent of reports and assurance standards. assessed assertions are sufficient, valid and relevant.
• Cost of the system or operation • Nature and quantities of materials handled • Scope of the engagement enables conclusion on the subject
• Potential cost of errors • Service level agreement (SLA) matter and addresses any restrictions. 1006 Pro ciency
• Number of accesses/transactions/inquiries • Penalties for failure to comply • Management understands its obligations and responsibilities • Possess adequate skills and pro ciency in
SA 320 - Audit Materiality is applied when conducting an IS Audit Engagement. with respect to the provision. conducting IS audit
Standards on Materiality as per ITAF (3rd Edition) • Possess adequate knowledge of the subject matter.
1008 Criteria • Maintain professional competence through
1204.3 Select criteria, against which the subject matter will be assessed, appropriate continuing professional education and
1204.1 1204.2 1204.4
Auditor shall consider that are objective, complete, relevant, measurable, understandable, training.
Auditor shall consider Auditor shall consider Auditor shall disclose-
Cumulative effect widely recognised, authoritative and understood by, or available to,
potential weaknesses or audit materiality and its Absence of controls,
of minor control all readers and users of the report. 1005 Due Professional Care
absences of controls which relationship to audit risk control de ciency,
de ciencies or 2 Source of the criteria-relevant authoritative bodies before • Observance of applicable professional audit
could result in a signi cant nature, timing and extent signi cant de ciency or
weaknesses. accepting lesser-known criteria. standards.
de ciency or a material of audit procedures. material weakness.
weakness.

2 www.prokhata.com
CA Rajat Agrawal
 Chapter 2: IS Audit Phases Module : 1 - Information System Audit Process
CHAPTER 2:
IS AUDIT IN PHASES
INTRODUCTION AUDIT CHARTER AND TERMS OF ENGAGEMENT
Integral Part of Business Controls IS Audit charter Quality Assurance Process
Information •e scope, authority, and responsibilities of the audit function should be the content of an audit charter. •is process is established to understand
Most Critical Asset
Systems IS Auditor •Senior management should approve the audit charter of an organization. Auditee’s needs and expectations.
More vulnerable to the •Prime reason for review of an organization chart is to get an understanding the authority and responsibility •
e IS Audit standards require IS Auditor
of individuals. to deploy and monitor completion of the
IS Audit Phase •e actions of an IS auditor are primarily in uenced by Audit Charter. assurance assignments with the staff.
Plan Execute Report •Audit charter provides the overall authority for an auditor to perform an audit. •IS
IS auditor should develop standard
•
e audit function should directly report to the audit committee because it should be independent of the approach, documentation and
Understanding the Analytics procedures, Audit report and business function and should have direct access to the audit committee of the board. methodology with appropriate templates
environment and Compliance and recommendations •e audit charter should clearly address the four aspects of purpose, responsibility, authority and for various types of assignments.
setting of objectives Substantive Testing Presentation to accountability.
Risk Assessment & Sampling management Communication with Auditee Audit Engagement Letter
Control Identi cation Using CAATs and Effective communication with Auditee involves: (SA) 210 Agreeing the terms of Audit Engagements requires auditor client
Follow up review
Audit Program and evaluating Audit • Describing the service, its scope and timeliness of delivery to agree on the terms of engagement and document them in the audit
Procedures Evidence • Providing cost estimates engagement letter. IS Audit is performed internally as per audit charter. may
• Describing problems and possible resolutions be outsourced to an external IS Auditor.
CONDUCTING AN IS AUDIT • Providing accessible facilities for effective communication, External Auditor
Internal Auditor
IS Audit is necessary in today’s business environment as business processes • Determining relationship between services offered & needs of the Auditee. Audit Engagement Letter
have been integrated into system and lot of decision is being taken through Audit charter forms a sound basis for communication with Auditee &
+ Purpose = Audit Charter
these integrated system. Conducting IS Audit provides reasonable assurance include references to service level agreements such as: Responsibility Accountability
about coverage of material items. Availability for unplanned work, Delivery of reports, Costs, Response to
Setting up of audit objectives Auditee complaints etc. Authority
• Audit objectives refer to the speci c goals that must be met by the audit. audit AUDIT SCOPE
One of the basic purposes of any IS audit is to identify control objectives and Scope and objectives are determined through discussion with the auditee management and a speci c risk assessment. scope of audit determined by the
the related controls that address these objectives. management in case of internal audit and is set by statute if it is as per regulatory requirement.
• In absence of established audit objectives, auditor will not be able to determine
key business risks. AUDIT PLANNING Before Audit Document
• Control objective refers to how an internal control should function. • Audit Planning ensures that the audit is performed in an effective way and completed in a timely manner. RFP
• ey oen focus on substantiating the existence of internal controls & the • Planning also assists in proper assignment of work to assistants and in coordination of work done by other Response to RFP
appropriateness of functioning. Auditors and experts.
• ey are invariably set down at the beginning of the audit process. When Audit begins (Communication
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes,
• A major purpose of Information Systems audit is whether the internal control between auditor & orgnisation
business applications, and relevant controls.
system design is robust and is operated effectively. • IS audit and assurance professionals shall identify and assess risk relevant to the area under review, when Audit Charter
Request for proposal (RFP) planning individual engagements and consider subject matter risk, audit risk and related exposure to the Audit Engagement Letter
An RFP is Standard solicitation document to acquire services. A successful enterprise. en 2 new document/process develop
RFP supports principles of fair, open, and transparent procurement. e best • e rst step in risk-based auditing is to identify areas of high risk.
proposal is awarded the contract though it may, or may not, quote the lowest Audit Scope
• Utilization of resources for high-risk areas is the major bene t of risk based audit planning.
price. IS Auditor can play an important role in preparation and evaluation of • Identifying threats and vulnerabilities is the most important step in a risk assessment. Audit Planning
responses to RFP. • e evaluation of vulnerabilities and threats to the data should be the rst step to conduct a data center
RFP is most oen used to acquire services
services, although it may be used in some review.
circumstances to acquire goods. • Once threats and vulnerabilities are identi ed identifying and evaluating existing controls should be the next
step.
Note:-
Points to Remember :

www.prokhata.com 3
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 2: IS Audit Phases
OBJECTIVES OF IS CONTROLS
Ensure risk management processes implemented as per the risk management strategy involves risk avoidance, elimination transfer acceptance.
Objectives of IS Controls

Principles of Fiduciary Principles of Quality Principles of Security

Reliability Compliance Efficiency Effectiveness Con dentiality Integrity Availability

Information Complying with Right amount of resources Objectives of a process, Ability to control or Means it is accurate and reliable Available when it is needed. preventing service disruptions
processes should be laws, regulations to deliver a Process, service or activity have restrict access principles of not been changed or tampered. due to power outages, hardware failures, and system
reliable and accessible and contractual needed to determine value been achieved. needed to con dentiality is "need-to- Authenticity, Non-repudiation upgrades. Ensuring availability also involves preventing
as and when needed. regulations. for money. determine value for money. know" or "least privilege". & Accountability. denial-of-service attacks.

UNDERSTANDING THE IT ENVIRONMENT OF AUDITEE

Business of the Entity Regulations, Standards, Policy, Procedures, Guidelines & Practices LODR – Listing Obligations & Disclosure Requirements of SEBI on
IS Auditor should obtain a e IS auditor should ensure that speci c regulatory requirements as applicable for the assignment are included as Corporate Governance
preliminary knowledge of one of the primary criteria for evaluation. Identify regulations applicable to the organisation, Identify compliance Audit Committee:
the entity and of the nature requirements. e role of audit committee has sharpened with speci c responsibilities including
of ownership, management, SA 250 “Considerations of laws and regulations in conducting an Audit”: recommending appointment of Auditors and monitoring their independence and
regulatory environment and Auditor has to obtain just a general understanding of the laws and regulations and he should alert the management performance, approval of related party transactions, scrutiny of intercorporate
operations of the entity. of the material non compliances applicable penalties. loans and investments, valuation of undertaking/assets etc.
Organization Structure Information Technology Act 2000 (Amended in 2008): ISO/IEC 27001:
Organizational structure Section 7A:: Audit of Documents etc. maintained in Electronic Form. ISO/IEC 27001:2013 formally speci es an Information Security Management
activities are task allocation, Section 43A: It provides that a body corporate possessing, sensitive personal data and is negligent resulting in System (ISMS), a suite of activities concerning the management of information
coordination and wrongful loss or wrongful gain may be held liable to pay damages no upper limit for the compensation. security risks.
supervision. Organizational Section 66 to 66F and 67: Sending offensive messages using electronic medium IT for unacceptable purposes, ISO/IEC 27001 is basically an Information security management system
structure allows the Dishonestly stolen computer resources, Unauthorized Access to computer resources, Identity the/Cheating established by the International Standards Organization in association with the
allocation of responsibilities by impersonating using computer, Violation of privacy, Cyber terrorism/Offences using computer, Publishing International Electro technical Commission.
for different functions and or transmitting obscene material. e ISMS ensure that the security arrangements are ne-tuned to keep pace with
processes. Section 72A: Disclosure of information, without the consent of the person concerned and in breach of changes to the security threats, vulnerabilities and business impacts.
IT Infrastructure lawful contract has been also made punishable with imprisonment for a term extending to three years or ne ISO/IEC 27001:2013 is a formalized speci cation with two distinct purposes:
IS Auditor has to keep extending to INR 5,00,000 or with both. • It lays out, what an organization can do to implement ISMS.
in mind the present IT Section 404 of Sarbanes Oxley Act, 2002 (SOX) • Can be used as basis for formal compliance assessment.
infrastructure capacities, e independent Auditor is required to opine on the effectiveness of internal controls over nancial reporting ISO/IEC 27002:
the age of hardware in addition on the fair presentation of organization's nancial statements. ISO/IEC 27002: 2013 is a code of practice - a generic, advisory document, not
and soware, licensing Public Company Accounting Oversight Board (PCAOB) a formal speci cation It recommends information security controls addressing
agreements, third party Standard 5 of the PCAOB establishes requirements and provides direction that applies when an Auditor is information security control objectives arising from risks to the con dentiality,
vendor agreements. engaged to perform an audit of management's assessment of the effectiveness of internal control over nancial integrity and availability of information.
reporting.
FRAMEWORK AND BEST PRACTICES OF IS AUDIT
ITAF (3rd edition)
Information Technology Assurance Framework (ITAF) is a comprehensive good-practice-setting reference model that: Establishes standards, De nes terms and concepts, Provides guidance and tools for audit and assurance.
ITAF audit and assurance standards are divided into three categories:

General standards (1000 series) Performance standards (1200 series) Reporting standards (1400 series)
Are the guiding principles under which the IS assurance profession operates. deal with the Deal with the conduct of the assignment assignment management, audit and Address the types of reports, means of communication and the
IS audit and assurance professional’s ethics, independence, objectivity and due care as well assurance evidence, and the exercising of professional judgment and due care. information communicated.
as knowledge, competency and skill.
Note:-

4 www.prokhata.com
CA Rajat Agrawal
 Chapter 2: IS Audit Phases Module : 1 - Information System Audit Process
Cobit 2019 Framework Principles, Components and Core Models
COBIT 2019 is a globally accepted framework and caters for the governance and management of enterprise information and technology. It helps ensure effective enterprise governance and management of Information and Technology

Governance System Principles of COBIT 2019

1: Provide Stakeholder Value: 2: End to End Governance 3: Tailored to Enterprise Needs: 4: Holistic Approach: 5: Governance distinct from 6: Dynamic Governance System:
By maintaining a balance between the realization System: Governance system should be Efficient and effective Management: Each time one or more of the design
of bene ts and the optimization of risk and use of Governance system should customized to the enterprise governance and management of Different types of factors changes impact of these
resources. COBIT 2019 provides all of the required focussing on not only the IT needs, using a set of design factors enterprise I&T require a holistic activities require different changes on the Enterprise Governance
processes and other enablers to support business function but on all technology customise and prioritise the approach, taking into account organizational structures and of Information and Technology
value creation. and information processing. Governance system components. several integrating components. serve different purposes. (EGIT) system must be considered.
Components/Enablers of Governance system are: Using COBIT 2019 for IS Assurance Evaluating the System of Internal Controls Core Governance and Management Objectives
• Processes It is written in a non-technical language and usable “MEA 02 Managed System of Internal Control”, which provides in COBIT 2019
• Organizational structures not only by IT professionals and consultants but guidance on evaluating and assessing internal controls e key
1. Align, Plan and Organise (APO)
• Information ows and items also by senior management. Globally from the GRC management practices evaluating the system of internal controls are:
• People, skills and competence perspective, COBIT has been widely used with COSO by • Monitor internal controls, 2. Build, Acquire and Implement (BAI)
• Policies and procedures management, IT professionals, regulators and Auditors • Review business process controls effectiveness,
3. Deliver, Service and Support (DSS)
• Culture, ethics and behaviour (internal/external) for evaluating governance and • Perform control self-assessment,
• Services, infrastructure and applications management practices from an end to end perspective. • Identify and report control de ciencies. 4. Monitor, Evaluate and Assess (MEA)
RISK ASSESSMENT
IS Auditor should identify all the risks present in the IT Environment. Based on this the required audit strategies, materiality levels and resource requirements can then be developed. IS Auditor can focus on the high-risk areas and decide the
sampling

Guidance on Risk Assessment by ISACA Risk Assessment Use of Risk Assessment in Audit Planning
• Conduct and document, at least annually Procedures and ere are many risk assessment methodologies, computerized and non-
• Quantify and justify the amount of IS audit resources needed related Activities computerized from which the IS Auditor may choose. ese range from
• Seek approval of the risk assessment from the audit stakeholders, Risk assessment simple classi cations of high, medium and low, based on the IS Auditor’s
• Prioritise and schedule IS audit and assurance work based on assessments of risk. procedures shall judgment, to complex scienti c calculations that provide a numeric risk
• Develop a plan that: acts as a framework, considers non-IS audit and, addresses responsibilities set by the audit charter. include: Inquiries of rating. Scoring system is useful in prioritizing audits based on an evaluation
• When planning an individual engagement, professionals should: assess risks & conduct a preliminary assessment of the risks management, Analytical of risk factors. Combination of techniques may be used as well. IS Auditor
relevant to the area, procedures, Observation should consider the level of complexity and detail appropriate for the
• Objectives for each speci c engagement should re ect the results of the preliminary risk assessment., & Inspection. organization.
• Consider prior audits, reviews and ndings, including any remedial activities., Steps of Risk Assessment
• Attempt to reduce audit risk to an acceptable level, and meet the audit objectives, • Identify Relevent Assets or Critical Assets. • Risk Prioritization
• Recognise that the lower the materiality threshold, the more precise the audit expectations and the greater the audit risk., • Identify Vulnerabilities & reats. (Relevant Risks) • Risk Treatment.
• To reduce risk for higher materiality, compensate by either extending the test of controls or substantive testing procedures. • Analyze identi ed relevant risks.

Note:-

Points to Remember :

www.prokhata.com 5
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 2: IS Audit Phases
GOVERNANCE AND MANAGEMENT CONTROLS
IT General Controls areas
A general controls’ review attempts to gain an overall impression of the controls that are present in the environment surrounding the information systems. IT General controls are controls that are not speci c to any application, but exist in
an IT environment. A general controls’ review would also include the infrastructure and environmental controls such as review of the data centre or information processing facility should cover the adequacy of air conditioning, power supply
and smoke detectors/ re suppression systems, etc. Some of IT General Controls are discussed below:
1.Operating System Controls: 2. Organisational Controls:
It performs the main tasks of ese controls are concerned with the decision-making processes that lead to management and authorization of transactions.
scheduling jobs, managing
hardware and soware resources, (i) Responsibilities and objectives: (ii) Policies, standards, procedures and practices: iii) Job Descriptions: (iv) Segregation of Duties:
maintaining system security, IS functions must be clearly de ned and documented, including systems Policies establish the rules or boundaries of authority ese communicate It refers to concept of distribution of work
enabling multiuser resource soware, application programming and systems development, database delegated to individuals Procedures establish the m a n a g e m e n t ’ s responsibilities. e main purpose is to
sharing, handling interrupts and administration, and operations. e senior manager are responsible for instructions that must be followed for completing the speci c expectations prevent or detect errors or irregularities
maintaining usage records. the effective and efficient utilization of IS resources. assigned tasks. for job performance. by applying suitable controls.
3. Management Controls 4. Financial Controls
Segregation of Duties
Controls adapted to ensure that the information systems function correctly and they meet the strategic business Control over transactions processing using reports
It is concept of distribution of work responsibilities. e
objectives and needs. e controls ow from the top of an organization to down; the responsibility still lies with generated by the computer applications. ere are numerous
main purpose is to prevent or detect errors or irregularities
the senior management. e control consideration includes : nancial control techniques. A few examples are :
by applying suitable controls.
• Authorisation which entails obtaining the authority to
Responsibility : An IT Organization Structure : An IT Steering Committee : Separate who can
perform some act typically accessing assets.
Senior management personnel ere should be a prescribed IT ese communicate • Budgets are estimates of the amount of time or money
responsible for the IS within the organizational structure with management’s speci c expected to be spentduring a particular period, Run live programs Change Programmes
overall organizational structure. documented roles and responsibilities expectations for job performance. project, or event. Access Data Run Programs
Input Data Approve/Reconcile Data
5. Data Management Controls 6. Data Processing Controls Test Programmers Develop Programmes
Access controls are designed to prevent unauthorized individuals from viewing, retrieving, Controls are related to hardware and soware controls are applicable to Enter error in a log Correct the error
computing or destroying data. Back up controls are designed to ensure the availability of data in the on-line transaction processing systems,database administration, media Enter Data Access the database
event of its loss. library, etc.
Following controls are discussed in 11. System Development 12. Computer Centre Security Controls Personal Computers Controls Internet and Intranet Controls
further chapters in detail Controls Physical security attempts to restrict breach of access. Soware and Safeguard mechanisms for personal ese controls includes building component level
7. Physical Access Controls Ensure that proper documentation data security ensures that there is use of passwords, authorizations, computers, pen drives and external redundancy, avoiding single point of failures,
8. Logical Access Controls and authorizations are available screening and logs of all activity of the entity. Data communication drives etc. against the risk of the using tested and robust systems, hardening of
9. Business Continuity Planning for each phase of the system security is implemented by terminal locks, encryption of data, of hardware, data/information. systems, patch management, use of updated anti
Controls development process. network administration, sign on user identi ers etc. -virus solutions, rewalls, IDS, encryption etc.
10. System Maintenance Controls
IT Application Controls
Soware could be a payroll system, a retail banking system, an inventory system, and a billing system or, possibly, an integrated ERP. First question to ask application soware review is, "What does the application soware do; what business
function or activities does it perform?" the IS auditor's knowledge of the intricacies of the business is as important. Once this is done, identify the potential risks associated with the business activity/function and to see how these risks are
handled by the soware. IT application controls are, indeed, controls which are in-built in the soware application itself.
Objectives of application controls: 1. Boundary Controls: 2. Input Controls: 3. Processing Controls:
•Input
Input data is accurate, complete, authorized, Controls to ensure that application is restricted only to authorized users. Controls to ensure Controls to ensure that only authorized processing
•Data
Data is processed acceptable time period, Data may be in any stage - in input, processing, transit or output or at that only complete, and integrity of processes and data is ensured.
•Data
Data stored is accurate and complete, rest. accurate and valid Performs validation checks to identify errors during
•Output
Output is accurate and compete. Access controls may be implemented by using any of the logical security data and instructions processing of data. ey are required to ensure both
A record is maintained to track the data from input to storage and to the eventual techniques embedded in the application soware. Separate access control form an input to the the completeness and accuracy of the data being
output categories of application control are. mechanism is required for controlling access to application. application. processed.
4. Data File Controls: 5. Output Controls: 6. Existence Controls: Scope and steps of IS Audit of Application soware
Controls to ensure that data resident Controls to ensure that output is Ensure the continued availability. Existence controls should •Mainly cover: Adherence to business rules,
in the les are maintained consistently delivered to the users in a consistent include backup and recovery procedures of data & also controls •Validations of various data inputs,
with the assurance of integrity & and timely manner in the format that recover the process from a failure. Existence controls should •Logical access control and authorization,
con dentiality of stored data. prescribed/required by the user. also be exercised over output to prevent loss of output in any form. •Exception handling and logging.

6 www.prokhata.com
CA Rajat Agrawal
 Chapter 2: IS Audit Phases Module : 1 - Information System Audit Process
CREATION OF RISK CONTROL MATRIX RCM AUDIT SAMPLING, DATA ANALYSIS AND BUSINESS INTELLIGENCE
RCM details the risks that have been identi ed in the Risk Assessment phase. A Audit Sampling
typical RCM would consist of the following: Application of audit procedures to less than 100 percent of the population. IS auditor should consider selection techniques that result in a statistically based
• Series of spreadsheets marking a single process, application (Custom Business representative sample for performing compliance or substantive testing. Statistical sampling should be used when the probability of error is objectively
Application), area (Information security, Logical Security, Physical security). quanti ed. It also helps in mitigating sampling risk. When testing for compliance , attribute sampling is most useful. Discovery sampling is a method
• Each Spread sheet would contain: Risk No, Risk in depth control(s) that is which would best assist auditors when there is concerns of fraud
ideal to counter identi ed risk, control number, control that is implemented
Methods for Sampling SA 530 – Audit Sampling:
by the enterprise to counter the risk
Applies when the auditor has decided to use audit sampling
RCM may be used as Audit Notebook containing details of control owner, process Statistical Non Statistical in performing audit procedures. It deals with the auditor’s use
owner, testing plans and results, evidences, risk ranking, recommendations etc.
of statistical and non-statistical sampling when designing and
SUBSTANTIVE TESTING Random Systematic Haphazard Judgmental selecting the audit sample, performing tests of controls and tests of
Evidence is gathered to evaluate the integrity of individual transactions, data or Sampling Sampling Sampling Sampling details, and evaluating the results from the sample.
other information. Substantive Procedures are tests designed to obtain evidence
to ensure the completeness, accuracy and validity of the data. Substansive tests While designing the sample consider the objectives of the test and attributes. Based on the initial assessment, the sample size can be increased or decreased
can be reduced if internal controls are strong Ex: examining the trial balance. to achieve the objective of assessing the tests of existence and adequacy of control for the IT environment.
cash veri cation, balance con rmation etc. Data Analytics Business Intelligence
COMPLIANCE TESTING e use of Data analytics tools and techniques helps the IS auditor to improve audit approaches. e IS auditor BI can handle enormous amount of
Compliance testing is the process of evidence gathering for the purpose of testing can use data analytics by which insights are extracted from nancial, operational and other forms of electronic structured as well unstructured data to
an organization’s compliance with control procedures. Compliance review data, internal or external to the organization. Determining the objective and scope of analytics will be the rst help identify, develop and otherwise
determines if controls are being applied in accordance with organizational step of conducting data analytics. create new opportunities.
policies. Compliance Procedures help obtain reasonable assurance that those Analytical Review Procedures: CAAT Tools
internal controls on which audit reliance is to be placed are operating effectively. Analytical review procedures may be de ned as substantive tests for a study of comparisons and relationship among data. Underlying attributes of computer
By performing Compliance tests, the IS Auditors can ascertain the existence, based transactional systems make the task of auditing more complex, auditors may be required to rely upon use of CAAT tools.
effectiveness and continuity of the internal control system. Ex: Review of system
access rights, review of rewall settings etc. • Absence of input documents: Data may be entered directly into the computer system without supporting documents.
Difference between Compliance and Substansive testing • Lack of visible transaction trail: e transaction trail may be partly in machine-readable form, or it may exist only for a limited period of time.
Objective of substantive testing is to test individual transactions whereas • High volume of transactions being processed
objective of compliance testing is to test the presence of controls. • Different sources of input and distributed processing.
DESIGN AND OPERATIONAL EFFECTIVENESS
Design Effectiveness Operational Effectiveness System controls:
A walkthrough of a business Testing of Operating Effectiveness refers to actual performance of the Control e evidence of the control will be obtained through obtaining appropriate reports and screen shots.
process and the risks and controls in the IT Environment. Manual controls:
within it can help evaluate its design Sample based self-testing: is Involves the selection of samples, Documented Are subject to human error, auditor should test the quality of the control to gain assurance. Manual controls the
effectiveness for compliance. evidence must be obtained to ascertain that the control has been performed. evidence that the control has been performed should be available through physical records created.

AUDIT DOCUMENTATION Standards on Evidence

Standards By ICAI: (SA) 230, “Audit documentation” deals with the
Auditor’s responsibility to prepare audit documentation for nancial
Audit documentation generally includes: Test working papers: Documentation Controls: statements. (SA) 500, “Audit Evidence” deals with the Auditor’s
Basic documents relating to control Testing work papers are obtained as a result of the compliance Each working paper (or work responsibility to design and perform audit procedures to obtain sufficient
environment, Documents relating to laws, and substantive testing procedures performed by the IS Auditor. paper) should be: Dated and appropriate audit evidence to be able to draw reasonable conclusions
regulations, Preliminary review, Risk analysis, Each working paper should follow a naming convention and manually or digitally signed by on which to base the Auditor’s conclusions. (SA) 580 “Written
Audit plan, Audit ndings, observations, numbering convention. Referenced with a unique number. Representations” deals with the Auditor’s responsibility to obtain written
inspection reports, Interpretation of audit Substantive test les require the same elements as compliance
representations from the management and, where appropriate, those
evidence, Audit Report issued. test les except for the review of existing internal controls. Organization of audit working charged with governance.
papers: Standards by ISACA, 1205 Evidence: 1205.1 professionals shall obtain
Points to Remember : Audit working papers: Each document must describe sufficient and appropriate evidence to draw reasonable conclusions on
Aid in the planning and performance of the audit, Aid in the supervision and review, Provide evidence of the audit work. Objective, Work done, Finding, which to base the engagement results. 1205.2 professionals shall evaluate
IS Auditor’s work must be documented and organized in a standardized fashion for easy reference in future audits. Risk, Recommended action, Action. the sufficiency of evidence.

www.prokhata.com 7
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 2: IS Audit Phases
AUDIT EVIDENCE: METHODS Using Work of Another Auditor and Expert
Evidence is any information used by the IS Auditor to determine whether As per area of specialization such as banking, securities trading, insurance, legal experts etc. Based on the nature of assignment, special consideration, Access to
the entity follows the established criteria or objectives, and supports audit systems, Con dentiality restrictions, Use of CAATs, Non-disclosure agreements. Responsibility of the IS Auditor to: Clearly communicate the audit objectives,
conclusions. It is a requirement that the IS Auditor’s conclusions be based scope and methodology , place a monitoring process, Assess appropriateness of reports. ISACA standard 1206: Using the work of other experts.
on sufficient, relevant, competent and appropriate audit evidence. Audit Even though a part of or whole of the audit work may be delegated to the related professional liability is not necessarily delegated. Responsibility of the IS
ndings should be supported by sufficient and appropriate audit audience. Auditor is to Clearly communicate the audit objectives, scope and methodology, place a monitoring process, Assess appropriateness of report.
1. Evaluating Audit Evidance Evaluation of Strengths and Weaknesses: Judging by Materiality
A control matrix is oen utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top
axis and known controls to detect or correct errors are placed on the side axis. e IS Auditor should be aware of compensating controls in areas where controls
Independence of the Quali cations of the Objectivity have been identi ed as weak. Where a compensating control situation occurs when one stronger control supports a weaker one, overlapping controls may exit.
provider of the audit individual providing the of evidence Where two strong cntrols exist.
evidence information/evidence Judging the Materiality of Findings: e IS Auditor must use judgment when deciding which ndings to present to various levels of management. Key to
Timing
of the determining the materiality of audit ndings is the assessment of what would be signi cant to different levels of management.
outside sources is more Objective evidence is more
evidence
reliable than from reliable than evidence that
within the organization requires considerable judgment
*Inventory
2. Types *Cash
of Physical *Securities Risk Ranking
Evidence examination *Tangible FA Risks are typically measured in terms of impact and likelihood of occurrence. Risk rating scales may be de ned in quantitative and/or qualitative terms.
*Notes receivable Quantitative rating scales bring a greater degree of precision and measurability to the risk assessment process.
Con rmation Qualitative terms need to be used when risks do not lend themselves to quanti cation, when credible data is not available, or when obtaining and analysing
3rd party verifying the accuracy
data is not cost-effective.
INTERNAL Substantiate
Documentation Information
Ordinal scales de ne a rank order of importance (e.g., low, medium, or high), interval scales have numerically equal distance(e.g., 1 equals lowest and 3 equals
EXTERNAL included FS highest, but the highest is not 3 times greater than the lowest), and ratio scales have a “true zero” allowing for greater measurability (e.g., a ranking of
10 is 5 times greater than a ranking of 2).
Analytical Comparisons
An example of a Risk Rating Model is : Green Areas identi ed as being low risk, Orange Areas identi ed as medium risk & Red Areas considered to be
procedures Relationships inherently high risk.
Inquiries of Written
Audit Report Structure and Contents
the Client Oral ISACA standards require IS audit professionals shall provide a report to communicate the results including: Identi cation of the enterprise, e scope, nature,
Recalculation timing and extent of the work performed, ndings and recommendations, quali cations or limitations. Exit interview, conducted at the end of the audit
Independent tests
Procedures provides IS Auditor chance to discuss ndings and recommendations with management.
Performance Controls
Observation Presentation techniques could include:
Executive summary an easy to read concise report that presents ndings to management in an understandable manner & Visual presentation: may include
Evidence Preservation slides or computer graphics .
It is also important to preserve the chain of custody. Chain of custody is IS Auditors should be aware that ultimately, they are responsible to senior management and the audit committee of the board of directors. Before communicating
a term that refers to documenting, in detail, how evidence is handled and the results of an audit to senior management, the IS Auditor should discuss the ndings with the management staff of the audited entity. A summary of audit
maintained, including its ownership, transfer and modi cation. is is activities will be presented periodically to the Audit Committee.
necessary to satisfy legal requirements that mandate a high level of con dence Audit Deliverables & Communicating Audit Results
regarding the integrity of evidence. ere is no speci c format for IS audit report. Audit reports will usually have the following structure and content:
Sufficiency and Competency of Audit Evidence 1. Introduction to the report, including audit objectives, limitations audit and scope, the period of audit coverage.
e quality and quantity of evidence must be assessed by the IS Auditor. 2. A good practice is to include audit ndings in separate sections.
ese two characteristics are referred to be competent and sufficient. 3. e IS Auditor’s overall conclusion and opinion on the adequacy of controls
Evidence is competent when it is both valid and relevant. Audit judgment is 4. IS Auditor’s reservations or quali cations.
used to determine when sufficiency is achieved 5. Detailed audit ndings and recommendations.
Management Implementation of Recommendations 6. IS Auditor may choose to present minor ndings to management in an alternative format such as by memorandum.
Auditing is an ongoing process. IS Auditors should have a follow IS Auditor should be concerned with providing a balanced report,describing not only negative issues ndings but positive constructive comments. IS Auditor
up program to determine if agreed on corrective actions have been should exercise independence in the reporting process.
implemented. Although IS Auditors who work for external audit rms may
not necessarily follow this process.

8 www.prokhata.com
CA Rajat Agrawal
 Chapter 3 IS Audit Tools & Techniques Module : 1 - Information System Audit Process
CHAPTER 3:
COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES
Computer Assisted Audit Techniques
CAAT is a signi cant tool for auditors to gather evidences independently. It provides means to gain access and to analyse data for predetermined audit objectives, and report the audit ndings with evidences. CAAT is the most effective tool
for obtaining audit evidence through digital data. It also provide assurance about data reliability.
Needs for CAAT Types of CAATs
In computerised environments evidence exists on magnetic media and it may not be possible to analyze While selecting the CAAT, IS Auditor is faced with certain critical decisions be required to make, while balancing on the quality and
data without the help of some soware tool(s). ICAI Guidance note on CAAT CAATs may be used in cost of audit:
performing various auditing procedures including:
A. Audit soware developed by the B. Develop his /her own audit C. Use a standard off the shelf
(a) Tests of details of transactions and balances, (d) Sampling programs client. soware. Generalised Audit Soware
(b) Analytical procedures, (e) Tests of application controls,
(c) Tests of general controls, (f) Re-performing calculations First two options requires auditors to be technically competent in programming. Computer audit soware also known as Generalised
Audit Programs (GAS) is readily available with speci c features useful for data interrogation and analysis. Auditors do not require
Purpose of CAATs much expertise and knowledge to be able to use these for auditing purpose. Different types of CAAT are:
It gives auditors ability to maximize their efficiency and effectiveness during audit. IS auditors can use
CAATs to perform tests that would normally be impossible or time consuming to perform manually.
Functional Capabilities of CAATs Generalised Audit Soware (GAS) Specialised Audit Soware (SAS) Utility Soware
•File access : Enables the reading of different record formats and le structures. “e processing of a client’s live les by the Written for special audit purposes Utilities usually come as part of
•File reorganization : Enables the indexing, sorting, merging and linking with another le. auditor’s computer programs”. Computer audit or targeting specialized IT office automation soware, operating
•Data selection: Enables global ltration conditions and selection criteria. soware may be used either in compliance or environments. Speci c to the systems, and database management
•Statistical functions: Enables sampling, strati cation and frequency analysis. substantive tests. Perform functions such as type of business, transaction or IT systems useful in performing
•Arithmetical functions: Enables arithmetic operators and functions. reading data, selecting and analyzing information, environment. Such soware may common data analysis functions such
performing calculations, creating data les and be either developed by the auditee as searching, sorting, appending,
How to use CAATs reporting in a format speci ed by the auditor. or embedded as part of the client’s joining, analysis etc. Utilities
Approach for using CAATs is given below: GAS has standard packages for auditing data. mission critical application soware. are extensively used in design,
1. Set the objective of the CAAT application Typical operations using GAS include: Such soware may also be developed development, testing and auditing
2. Determine the content and accessibility of the entity's les Sampling Items, Extraction Items, Totalling the by the auditor independently. Auditor of application soware, operating
3. De ne the transaction types to be tested total value, Ageing Data, Calculation Input data should take care to get an assurance systems parameters, security
4. De ne the procedures to be performed on the data is manipulated prior to applying selection criteria. on the integrity and security of the soware parameters, security testing,
5. De ne the output requirements soware developed by the client. debugging etc.
6. Identify audit and IT personnel to be involved in design and use of tests for CAATs.
Typical Steps in using GAS
General Uses and Applications of CAATs
i. De ne the audit objectives. vi. Obtain copies of application les be tested.
1. Exception identi cation: Identifying exceptional transactions
ii. Identify the tests vii. Execution of the package
2. Control analysis: Identify whether controls as set have been working as prescribed.
iii. Package input forms viii. Maintain security of output
3. Error identi cation: Identify data which is inconsistent or erroneous.
iv. Compile the package ix. Check test results draw audit conclusions.
4. Statistical sampling: Perform various types of statistical analysis.
v. Programmer’s work must be tested. x. Interface test results with subsequent manual audit work to be done.
5. Fraud detection: Identify potential areas of fraud
6. Veri cation of calculations: Perform various computations to con rm the data stored. Selecting, implementing and using CAATs
7. Existence of records: Identify elds, which have null values. CAATs provide a means to gain access and analyse data for a predetermined audit objective and to report audit ndings with evidence.
8. Completeness of data: Identify whether all elds have valid data. ey help the auditor to obtain evidence directly on the quality of the records produced and maintained in the system.
9. Consistency of data: Identify data, which are inconsistent Some examples of CAATs, which can be used to collect evidence:
10. Duplicate payments: Establish relationship between two or more tables as required and • ACL, IDEA, Knime etc.
identify duplicate transactions. • Utility Soware such as Find, Search, Flowcharting utilities
• Spreadsheets such as Excel
Strategies for using CAATs
• SQL Commands, OS commands
•Identify the goals and objectives of the investigation/audit
• ird party access control soware
•Identify what information will be required
•Determine what the sources of the information
•Identify who is responsible for the information What: When: Where: Why: How:
•Review documentation Objectives Period Sources Reason Types of analysis
•Understand the system generating the data
•Develop a plan for analyzing the data (What, When, Where, Why, and How)

www.prokhata.com 9
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 3 IS Audit Tools & Techniques
Continuous Auditing Approach
Continuous auditing is a process through which an auditor evaluates the particular system(s) and thereby generates audit reports on real time basis.
Techniques for Continuous Auditing
Snapshot Integrated Test Facility (ITF) Systems Control Audit Review File
• e snapshot technique uses a series of sequential data captures referred to as snapshots. Integrated Test Facility (ITF) is a system in which a test pack is pushed through (SCARF)
• Digital pictures of procedures are saved and stored in the memory the production system affecting “dummy” entities. is technique involves embedding
• It is useful when an audit trail is required. Advantages of ITF specially written audit soware in the
Employed for: • Useful in identifying errors and problems that occur in the live environment and organisation’s host application systems
• Analysing and tracking down the ow of data that cannot be traced in the test environment so that the application systems are
• Documenting the logic, input/output controls of the application program sequence of processing. • Validate the accuracy of the system processing. monitored on a continuous basis.
Continuous and Intermittent Simulation Audit Audit Hook System Activity File Interrogation Embedded Audit Facilities
• In this technique, a simulator identi es transactions • Embedding audit modules in application system Producing a log of every event occurring in the system, Consist of program audit procedures inserted into the client’s
as per the prede ned criteria. to capture exceptions or suspicious transaction. both user and computer initiated. Report exceptional application programs and executed simultaneously. is technique
• It is most useful when transaction are to be • Helpful to auditor in identifying irregularities, items of possible audit interest such as unauthorised helps review transactions as they are processed and select items
identi ed as per pre-de ned criteria in a complex such as fraud or error before they gets out of access attempts, unsuccessful login attempts, changes according to audit criteria automatically write details of these items
environment. hand. to master records and the like. to an output le for subsequent audit examination.

Note:-

10 www.prokhata.com
CA Rajat Agrawal
 Chapter 4 Application Controls Review of Business Applications Module : 1 - Information System Audit Process
CHAPTER 4:
APPLICATION CONTROLS REVIEW OF BUSINESS APPLICATIONS
Application Control Safeguard assets Application Controls
ese applications are the Help To Maintain data integrity “Application controls" are a subset of internal controls that relate to an application system the information managed by that application. Timeliness,
interface between the user Achieve organisational goals accuracy & reliability of information dependent on application systems used to generate, process, store and report the information. Information conforms
and business functions. Effectively Efficiently to certain criteria what COBIT refers to as business requirements for information.
Internal Controls
Business Application Soware: Selection Parameters A process, affected by an organisation’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the
Key parameters of selection of business application soware achievement of objectives in the following categories:
Business Goal Effectiveness efficiency of operations, Reliability of nancial reporting & Compliance with laws regulations.
E.g. Customer driven, social causes, capitalist mind-set COSO de nes control activities as the policies and procedures that help ensure management directives are carried out.
Nature of Business Objectives of Application Controls
E.g. Generate daily cash Application controls are intended to provide reasonable assurance that management’s objectives relative to a given application will be achieved.
Geographical spread Examples include:
More spread more robust soware required (i) Completeness: Processes all transactions and the resulting information is complete.
Robust means capability to work 24/7 (ii) Accuracy: Processing is accurate & resulting information is accurate.
Volume of transactions (iii) Validity: Only valid transactions are processed.
As the transaction volumes increase organisation business application (iv) Authorisation: Only appropriately authorised transactions are processed.
sowares that can support business for the next few years. (v) Segregation of duties: Application provides for appropriate segregation of duties and responsibilities.
Regulatory structure
Soware which is capable to cater to the compliance requirements. Information Criteria
Key business requirements for information also called as information criteria need to be present in information generated. ese are:
Types of Business Application
Classi cation of Business Application 1. Effectiveness:: Information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and
usable manner.
Processing Type Source Function 2. Efficiency: Provision of information through the optimal (most productive and economical) use of resources.
• Batch • Online • Real Time • In house • Brought-in Covered 3. Con dentiality: Protection of sensitive information from unauthorised disclosure.
Type of Business Application on basis of function 4. Integrity: Relates to the accuracy and completeness of information & its validity in accordance with business values and expectations.
5. Availability
Availability: Availability of information as and when required & also with the safeguarding of necessary resources.
6. Compliance
Compliance: Complying with the laws, regulations and contractual arrangements to which the process is subject.
Accounting Banking Application ERP Application Payroll 7. Reliability: Provision of appropriate information for management to operate the organisation and exercise its duciary and governance
Application Banking system has Manage resources Application responsibilities.
• Used for accounting of shied to core banking optimally maximize Software
day to day transactions business applications Economy, Efficiency & that process
• Generate Financial (referred to as CBS) E.g. Effectiveness payrolls for
Information FINACLE, FLEXCUBE, employees
• (E.g. Tally, Tally EX, TCS BaNCS
UDYOG)

Other Business Applications:

i. Office Management Soware v. Logistics Management Soware
ii. Compliance Applications vi. Legal matter management
iii. Customer Relationship vii. Industry Speci c Applications
Management Soware
iv. Management Support Soware

Note:-

www.prokhata.com 11
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 4 Application Controls Review of Business Applications
Application Control Objectives and Control Practices

Source Data Source Data Collection Accuracy, Processing Integrity and Validity Output Review, Reconciliation and Transaction
Preparation and and Entry Completeness and Error Handling Authentication and
Authorisation Authenticity Checks Integrity
Prepared by authorised and Correction and resubmission Validate data that were input, Detection of erroneous transactions not dis- Output is handled in an authorised manner, de- Before passing transaction
quali ed personnel taking in of data that were erroneous- or send back for correction as rupt the processing of valid transactions. livered to the appropriate recipient and protected check the data for proper ad-
a/c segregation of duties re- ly input should be performed close to the point of origina- during transmission; dressing, authenticity of or-
garding the origination & ap- without compromising original tion as possible. Veri cation, detection and correction of the accura- igin and integrity of content.
proval of documents. transaction authorisation levels. cy of output occur.
•Design source documents to •Communicate criteria for •Transaction data are veri ed •Authorise
Authorise the initiation of transaction pro- •Follow de ned procedures and consider privacy •Establish an agreed-upon
increase accuracy with which timeliness, completeness ac- as close to the data entry cessing. Only appropriate and authorised and security requirements. standard of communication
data can be recorded, control curacy of source documents. point as possible. applications and tools are used. •Take
Take a physical inventory of all sensitive output. and mechanisms necessary
the work ow and facilitate •Use only pre-numbered source •Controls may include se- •Processing
Processing is completely and accurately •Match
Match control totals in the header and/or trailer for mutual authentication,
subsequent reference check- documents. quence, limit, range, valid- performed with automated controls. records of the output to balance with the control •Tag output from transaction
ing. •Communicate who can input, ity, reasonableness, table •Transactions
Transactions failing validation routines totals produced by the system to ensure complete- processing applications to
•Document procedures for edit, authorise, accept and re- look-ups, existence, key ver- are reported and posted to a suspense le. ness. facilitate counterparty au-
preparing source data entry, ject transactions. Implement i cation, check digit, com- Valid transactions is not delayed. Process- •Validate completeness and accuracy of processing thentication, and allow for
ensure proper communication access controls and establish pleteness duplicate and logi- ing failures is kept to allow for root cause before operations performed. content integrity veri ca-
to appropriate and quali ed accountability. cal relationship checks, time analysis. •Business owners review the nal output for reason- tion.
personnel. •Procedures to correct errors, edits. Validation criteria and •Transactions
Transactions failing validation routines are ableness, accuracy and completeness. •Determine authenticity of
•Maintain list of authorised per- override errors and handle parameters should be sub- follow-up until transaction is cancelled. •Application produces sensitive output, de ne who origin. Maintenance of the
sonnel, including signatures. out-of-balance conditions. ject to periodic reviews and •Correct
Correct sequence of jobs has been docu- can receive it, label the output Where necessary, integrity during transmis-
•Source documents include •Generate
Generate error messages as con rmation. mented and communicated to IT opera- send it to special access-controlled output devices. sion.
standard components, contain close to the point of origin as •Establish access control.
control tions.
proper documentation & au- possible. Transactions not be •Segregation
Segregation of duties for •Unique
Unique and sequential identi er every Information Criteria
thorised by management. processed unless errors are entry, modi cation and au- transaction.
•Assigns a unique and sequen- corrected. thorisation of transaction •Maintain the audit trail of transactions pro-
tial identi er every transac- •Errors
Errors and out-of-balance re- data. cessed. For sensitive data listing should- Application and Control Objectives and
tion. ports reviewed by appropriate •Report
Report transactions failing contain before and aer images. Information Criteria
•Return
Return documents that are not personnel. Automated moni- validation and post them to •Maintain the integrity of data during un-
properly authorised /incom- toring tools should be used to a suspense le. expected interruptions in data processing
plete to the submitting orig- identify, monitor and manage •Transactions failing edit and with system and database utilities. Any 1 Source Data Preparation and S P S P S
inators for corrections & log errors. validation routines subject changes approved by the business owner. Authorisation
the fact that they have been •Source
Source documents are safe- to appropriate follow-up un- •Adjustments, overrides and high-value 2 Source Data Collection and S S S P S
returned. stored. til errors are remediated. Al- transactions are reviewed by a supervisor. Entry
low for root cause analysis. •Reconcile le totals. 3 Accuracy, Completeness and S P S P S P P
Authenticity Checks
4 Processing Integrity and P P P P P
Validity
5 Output Review, Reconciliation P S P P P P P
and Error Handling
6 Transaction Authentication S P P P
and Integrity
P= S = Secondary
Primary

12 www.prokhata.com
CA Rajat Agrawal
 Chapter 5 Application Controls Review of Specialised Systems Module : 1 - Information System Audit Process
CHAPTER 5:
APPLICATION CONTROLS REVIEW SPECIALISED SYSTEMS
As per SA200 ,Compliance procedures are tests designed to obtain reasonable assurance that those internal controls on which audit reliance is to be placed are in effect. As per ISACA ITAF 1007 “Assertions”, IS Audit and assurance professional
shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.
Review of Application Controls Review of Business Application Controls through use of Audit Procedures
Implemented for a speci c business purpose. Assess whether the business objectives from implementing will be achieved. SA 500 "Audit Evidences"- Auditor while designing tests of controls shall see whether controls so put in place
Need for Application Controls Procedures used to obtain evidance include: are effective.
To draw conclusion on : 1. Inquiry and con rmation 5. Analytical Procedures
• How much reliance to put on entities’ 2. Re-performance 6. Inspection Inquiry and con rmation: Re-performance:
business application system 3. Recalculation 7. Observation Checklist enquire and con rm whether controls are in place. Process test data to see how itresponds.
• Planning IS audit procedures. 4. Computation 8. Other Generally Accepted Methods Evaluate existence of controls.

Application Controls Review for Specialised Systems

1. Arti cial Intelligence (AI) 4. Electronic Funds Transfer (EFT)
AI is the theory and development of computer systems so as to be able to perform tasks normally (RBI) has issued detailed guidelines for banks to follow for EFT transactions. RBI has speci ed Banks need to create procedural guidelines,
requiring humanintelligence, such as visual perception, speech recognition, decision-making, for the purpose of:
and translation between languages. Knowledge base is the most important component of the 1.Verifying that a payment instruction, NEFT Data File is authorised 2. Detecting errors in the transmission.
arti cial intelligence. IS Auditor’s role:
AI can be classi ed into three major categories: e major concern shall be: (i) Authorisation of payments, (ii) Validation of receivers’ details (iii) Verifying the payments made. (iv) Getting
Cognitive Science: Robotics: Natural Languages: acknowledgement (v) Obligation against which the payment was made has been ful lled
It focuses on how human brain A p p l i c a t i o n s 'Converse' with computers in 5. E-Commerce
works and how humans think that give robots human languages. Interactive E Commerce involves information sharing, payment, ful lment of contractual obligations of the parties & service and support.
and learn.Ex: Expert Systems, visual perception, voice response and natural Risks of E-commerce
Learning Systems, Neural capabilities to feel programming languages, closer to (i) Identity & nature of Relationships, (ii) Integrity of Transactions (iii) Electronic Processing of Transactions, (iv) Systems' Reliability, (v)
Networks, Intelligent Agents and by touch, dexterity human conversation are some of Privacy Issues, (vi)Return of Goods, (vii) Taxation & Regulatory Issues.
Fuzzy Logic. and locomotion. the applications. IS Auditor’s role:
IS Auditor’s responsibility shall be to assess whether the transactions have:-
IS Auditor's Role: 1. Authorisation, 2. Authentication, 3. Con rmation, 4. Whether the payment gateway is secured or not.
IS auditor has to be conversant with the controls relevant to these systems when used as the 6. Point of Sales System (PoS):
integral part of the organizations business processes. Capture data at the time and place of transaction. oen attached to scanners to read bar codes and magnetic cards for credit card payment
2. Data Warehouse and electronic sales. ey provide signi cant cost and time saving as compared to the manual methods.
It is a Central Repository of clean, consistent, integrated & summarized information, extracted IS Auditor's Role:
from multiple operational systems, for on-line query processing.” Generally, data is processed (i) Evaluate the batch controls implemented by the organization. (ii) Check if they are in operation (iii) Review exceptional transaction logs.
by TPS (Transaction Processing Systems), also known as operational systems. Customers (iv)Check whether internal control system is effective to ensure the accuracy and completeness of the transactions.
depositing and withdrawing money, applying for loans, opening accounts in a bank are examples 7. Automatic Teller Machines (ATM)
of Transactions Processing Systems.
IS Auditor's Role: A Specialized form of POS terminal Function
IS Auditor should consider the following while auditing data warehouse:
1. Credibility 4. Accuracy of extraction and transformation T Designed for unattended use by custormer Cash Other operations like
accepting request for
2. Accuracy 5. Access control rules M System provide high level of logical & physical security Deposits Withdrawals
3. Complexity 6. Network capacity for speedy access
3. Decision Support System (DDS) Guidelines for Internal Controls of ATM System which the Auditor shall Evaluate and Report
DSS are information systems that provide interactive information support to middle management
through analytical models. Ad hoc systems for speci c decisions by individual-managers. ese Authorized Exception ATM • Card PIN
systems answer queries that are not answered by the transactions processing systems. individuals reports liability • Issue against valid • Controls on unused PINs
Examples: Comparative sales gures, Revenue and Cost projections, Evaluation of different Access coverage application • Control over activation of PINs
Points to Remember : (attempts
alternatives. exceed limits) • Custody of unissued cards • Procedure for issue of PINs
IS Auditor's Role: Onsite Offsite • Return of old/ unclaimed • Ensure PINs not appear in printed
1. Credibility, 2. Accuracy source data, 3.Accuracy extraction and transformation process, 4. Machine Machine cards • Control over retrieval of PINs
Accuracy correctness, 5. Access control rules.

www.prokhata.com 13
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 6 IT Enabled Assurance Services
CHAPTER 6:
IT ENABLED SERVICES
Classi cation of Audits IT Enabled Servises
Systems and Applications: Inadequate IT management Practices:
Secure input, processing, and output, Solution Opportunity for an IS Auditor
Information Processing Facilities:
Ensure timely, accurate, and efficient processing. Policies should be draed Create appropriate policies
Systems Development: Procedures arise from the policies Assist in development of the procedures
Developed in accordance with generally accepted
standards. Appropriate application soware selected Assist in implementation. Participate in Project Management. Assist as scope Manager in the SDLC process
Management of IT and Enterprise Architecture: Business work ows enforced in the applications Design, develop necessary work ows. Perform a BPR
Ensure a controlled and efficient environment.
Compliance Audits: Perform risk assessment and rank the risks Identify those areas of high risk that need a higher attention.
Conducted to evaluate whether speci c regulatory or Ensure appropriate segregation of duties by ensuring right access is given to Designing roles responsibilities. Review existing roles responsibilities. Identify con icts
industry standards are complied with. the right employees
Examples- Training to be provided Regarding new work ows, procedures
Payment card industry Data security standard audits,
Health insurance portability and accountability act Fraud
audit (HIPAA) etc. Establishment of a strong internal control environment is necessary to deter against fraud perpetration. For internal controls to be effective, they must be constantly evaluated
Operational Audit: for effectiveness and changed as business processes change.
Evaluates the accuracy of internal controls of Fraud Detection
application in operation or logical security systems. Management is primarily responsible for design of IT controls. A well-designed internal control system provides a good deterrence against frauds opportunity for their timely
Financial Audit: detection. Internal controls may fail where these are circumvented by exploiting vulnerabilities or through management facilitated weaknesses in controls or collusions. Legislations
Assess the accuracy of nancial reporting. It oen cast signi cant responsibilities on management, IS Auditors and the audit committee regarding detection and disclosure of any fraud. IS Auditors should observe and exercise due
involves detailed, substantive testing. professional care. IS Auditors should be aware of the possibility and means of perpetrating fraud, IS Auditor may communicate the need for a detailed investigation
Integrated Audits:
Combines nancial ,operational and other types of 1.Information Technology (Amendment) Act 2008: 2. LODR of SEBI: 3. CARO 2003:
audit to assess the overall objectives to safeguard an Casts responsibility on body corporates to protect sensitive Makes the top management accountable Requires verifying the adequacy of internal control procedures and
asset's efficiency and compliance. It can be performed personal information by implementing reasonable security for weaknesses in the internal control determining whether there were any continuing failures to correct
by internal as well as external auditors. practices and procedures. It also recognises and punishes systems. It requires CEOs and CFOs major weaknesses in internal controls. It also requires to report
Administrative Audits: offences committed by companies and individuals through to certify on the effectiveness of the whether any frauds on or by the company had been noticed or reported
Efficiency of operational productivity. the misuse of IT. Internal Controls. during the year.
IS Audits:
National Cyber Security Policy. aims at protecting information and information infrastructure in cyberspace and building capabilities to prevent and respond to cyber threats.
Forensic Audit:
Discovering, disclosing and following up on frauds Standard on Internal Audit (SIA) 11 (SA) 505 “External Con rmations” (SA) 580 “Written SIA 2 SA 240
and crimes. de nes Fraud as: Deals with the Auditors’ use of external Representations” Requires internal auditors Requires an auditor to
Specialized Audit: “An intentional act involving the use con rmation procedures to obtain Deals with the Auditor’s to use their knowledge evaluate whether the
Examine areas such as services performed by third of deception to obtain unjust or illegal audit evidence in accordance with responsibility to obtain and skills to reasonably information obtained
parties. advantage”. A fraud that involves use of the requirements of SA 330 and SA written representations enable them to identify from risk assessment
Control Self-Assessment: Computers and Computer Networks is 500. e reliability of audit evidence from the management and, fraud indicators. procedures and related
Conducted by the business process owners but called a Cyber fraud. ey need to have is in uenced by its source and is where appropriate, those SIA 11 activities indicate
facilitated by the auditors. setting the evaluation appropriate knowledge of relevant standards dependent on the circumstances in charged with governance.
SIA 11 de nes fraud and presence of fraud risk
criteria and executing the evaluation are carried out by and regulations as well as the various data which it was obtained. Audit evidence Written representations do
lays the responsibility factors.
the business owners themselves. analysis tools and techniques available. is more reliable when it is obtained not absolve the IS Auditor
for prevention and SA 315 requires an
Internal Audit/Compliance Reviews: Strengthening the system of internal controls from independent sources outside of from performing his duties
detection of frauds on the auditor to identify risks
Performed by a third party who is not involved in the is the best deterrence to frauds the entity being audited. while conducting the audit.
management and those of material misstatement
functioning of the enabler. More independent than a charged with governance. arising due to fraud.
self-assessment because the auditor is not involved in
SA 315 – Standard on Risk Assessment procedures issued by ICAI is also applicable for risk
the functioning of the enabler.
Functional Audit: assessment pertaining to IS Audit assignment. is requires that the IS Auditor perform Risk
Conducted to evaluate and determine the accuracy of Assessment Activities.
soware functionality.

14 www.prokhata.com
CA Rajat Agrawal
 Chapter 6 IT Enabled Assurance Services Module : 1 - Information System Audit Process
Cyber Fraud Investigation
Cyber fraud investigation procedures are:
1. Collecting and analysing documentation. 2. Conducting interviews. 3. Data mining & digital forensics.
Assessment essentially involves: 1. Identifying signi cant risk 2. Assessing their likelihood impact 3.Determining where, how & by whom they may be committed 4. Assessing existing controls would prevent their occurrences.
Cyber Fraud Likelihood Impact Internal Controls
e - Unauthorised access to computer Hardware. (e .g. Data centers, server rooms, network 1. Key Cards, 2. Security Guards, 3. Visitor Logs, 4. Circuit Cameras, 5. Back up & Recovery Plans ,
Low High
devices, etc.) 6. Physical access controls through biometrics,etc.
Identity the - Unauthorised access to personal information of Customers and Employees. 1. Unique user IDs, 2. Strict password policy, 3. IDS & Firewalls, 4. Incident response policy,
Medium High
{e.g. Credit card information of customers, Login IDs & Passwords of employees, etc.) 5. Delete ex-employee access
Information the - Unauthorised access to con dential information of Company. (e.g. 1. Segregation of Duties, 2. Access Logs, 3. Transact ion Logs, 4. Security violation logs, 5.
Medium High
Strategic Plans, Unpublished nancial reports, etc.) Encryption
Copyright Infringement - Unauthorised access to Soware and Databases. {e.g. Soware 1. Block peer-to-peer sharing, 2. Internet Surveillance, 3. Soware Licensing, 4. Information
Medium High
piracy, Peer-to-peer le sharing, etc.) Sharing Policy, 5. Protection of Soware code
Questions for assessments and reviews for each of seven components adapted from COBIT 2019 are given below:

1. Policies and Procedures: 2. Processes: 3. Organisation 4. Culture, Ethics and 5. Information Flows and 6. Services, 7. People, Skills and Competencies:
Documented and approved Approved security policy that senior management Structures: Behaviour: Items: Infrastructure and Expert teams to conduct periodic fraud
Cyber Fraud Governance and conduct cyber fraud risk assessment regularly Clearly de ned roles Employee awareness Proper reporting mechanism Applications: investigations.
Management Program. remedial measures are implemented. andresponsibilities. programs and training. for notifying fraud concerns. Use of technology.
Cyber Forensics: Digital Forensics
Cyber fraud investigation procedures are:
For evidence to be admissible in a court of law, the chain of custody needs to be maintained professionally:
Computer Forensics is a process of
Any electronic document can be used as digital evidence, provided contents of digital evidence are in their original state and have not been tampered with or
Identifying Preserving Analysing modi ed during the process of evidence collection and analysis. e chain of evidence essentially contains information regarding:
• Who had access to the evidence (chronological manner)?
Digital Evidence
• e procedures followed in working with the evidence (such as disk duplication, virtual memory dump etc.)
• Providing assurance that the analysis is based on copies that are identical to the original evidence.
Presenting in a Manner
Fraud investigation Tools and Techniques
Legally acceptable in legal proceedings (CAAT) are the mosteffective tools and techniques to detect fraud. Useful functions available in CAAT are:
1. Strati cation: identify abnormal strata, 6. Trend Analysis,
Integrity and Reliability of evidence can be maintained through: 2. Classi cation: identify abnormal patterns, 7. Gap Test,
•Identi
Identi cation of information that is available and might form the evidence. 3. Summarisation: compute totals, 8. Duplicate Test,
•Retrieving
Retrieving identi ed information and preserving it. Requires being able to 4.Outliers: outside normal range, 9. Relation,
document chain of custody. 5. Benford Law: identify possible fraud areas, 10. Compare.
•Involves
Involves extracting, processing and interpreting the evidence. Control Self Assessment
•Presantation
Presantation to relevant parties for acceptance of evidence. •Allows teams and its managers to directly assess the risk management & control processes .
•Major bene ts of CSA are Early detection of risks, more effective and improved Internal Controls.
•IS Auditor's in CSA is of facilitator.

Note:-

Points to Remember :

www.prokhata.com 15
CA Rajat Agrawal
Module : 1 - Information System Audit Process Chapter 6 IT Enabled Assurance Services
1. THE $ 54 MILLION FRAUD 2. COSMOS BANK FRAUD
What happened? Malware
She opened a secret account in the name of city in which she was only signatory, created false state invoices , wrote checks in name Sent to
of "Treasurer" from city funds, and transfered the amount the the secret account.
ATMs of Cosmos Bank (Intended Target)
How it happened?
• Malware created a proxy server which helped cloned Debit cards to surpass CBS.
Treasurer of a town, Rita Crundwell, embezzle nearly $54 million over two decades & remained undetected in annual audits by
• Fraudsters approved 14800 transactions to withdraw Rs. 80.5 cr (2.5 cr in India).
two independent accounting rms and in annual audit reviews by state regulators.
• Another amt of 13.5 cr transfered to Hongkong based entity through SWIFT.
Why it happened?
Due to lack of segregation of duties. In absence of a city manager, Crundwell had a wide rein over city's nances and set the stage Points to be noted:
for her massive fraud. • is happened because ATMs were running on Microso Xp or other unsupported sowares.
Lesson and tips: • RBI instructed banks to upgrade their soware by June 2019
Roles and responsibilities must be clearly de ned and proper segregation of duties must be done to ensure that no single person 4. WORLDCOM FRAUD
can be maker as well as the checker of a particular transaction ow. Auditors must ensure the existence of internal controls with Assessee recorded expenses as investment and made bogus revenue entries to hide the falling
systems designed to prevent or deter these types of frauds. pro t.
3. e Satyam Fraud
AUDITORS OF WORLDCOM
A case of manipulation of the books of account by in ating revenues through fake invoices.
• Applied data mining techniques to search data using small scrips and ms access.
e Company’s standard billing systems were subverted to generate false invoices to show in ated sales. 7,561 invoices worth Rs.51
• ey searched entire population and found $500 million of debit in ppe account for which
billion (US$1.01 billion) were found hidden in the invoice management system using a Super User ID.
invoices couldn't be found.
e charge framed against the Auditors was that they did not bring the internal control de ciencies to the notice of audit committee.
• Lesson: sampling is not recommended in fraud detection rather analysis of entire population
Lesson to Auditor: is required.
Auditors must remember that anything can be faked in this modern technology driven world and that they need to continuously update
their skills and knowledge in order to keep up with the new challenges.
5. Bangladesh Central Bank Fraud
What Happened
• An Malware attack was waged against Bangladesh Bank, the nation's central bank.
• 35 fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US $1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank.
• e perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers.
• ey used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account of Bangladesh Bank.

• e key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems.
• e Governor of Bangladesh Bank stated that he had foreseen cyber security vulnerabilities one year ago and had hired an American cyber security rm to bolster the rewall, network and overall cyber security of the bank. However,
the bureaucratic hurdles prevented the security rm from starting its operations
Note:-

16 www.prokhata.com
CA Rajat Agrawal
 Module : 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM Section
CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
CHAPTER 1:
CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
KEY CONCEPTS OF GOVERNANCE
Process + Structures Enterprise Governance Conformance or Corporate Governance Dimension Enterprise Governance Framework
Governance ISO/IEC 38500 : “e system by which • e conformance dimension of governance covers corporate governance issues such Corporate governance Performance
Implemeted by Board
TO organisations are directed and controlled.” ‘e as: roles of the chairman and CEO, role and composition of the board of directors, management Internal Controls Enterprise Risk
Inform Direct Manage Monitor set of responsibilities and practices exercised by Board committees, Controls assurance and Risk management for compliance. Management.
the board and executive management with the • Established oversight mechanisms for the board to ensure that good corporate Risk management strategy has to be adapted,
Activities of Orgnisation
goal of providing strategic direction, ensuring that governance processes are effective. which should be designed and promoted
objectives are achieved, ascertaining that risks are • Include committees composed of independent non-executive directors, particularly by the top management.Objectives of
Achivement of objectives
managed appropriately and verifying that the the audit committee or its equivalent in countries where the two-tier board system Enterprise Governance Bene t realisation Risk
organization’s resources are used responsibly.’ is the norm. Optimisation Resourse Utilisation
Performance or Business Governance Dimension Corporate Governance and Regulatory Requirements Need for Corporate Goveranace
• e performance dimension of governance is pro-active • Companies Act, 2013 - Mandatory Internal Audit and reporting on Internal Financial Controls [sections 138]. Corporate Governance is de ned as the system by company
in its approach. Act requires auditor report to include “whether the company has adequate internal nancial controls system in or enterprise is directed and controlled to achieve the
• Focuses on strategy and value creation with the objective place and the operating effectiveness of such controls objective of increasing shareholder value by enhancing
of helping the board to make strategic decisions, • e Information Technology Act - Provisions relating to maintaining privacy of information and imposed economic performance.
understand its risk appetite and key performance drivers. compliance requirements on management with penalties for non-compliance. Some key concepts of corporate governance are:
• is dimension does not lend itself easily to a regime of • e Sarbanes Oxley Act (SOX) - Implementation and review of internal controls as relating to nancial audit • It provides strategic direction.
standards and assurance as this is speci c to enterprise • SEBI introduced a mandatory audit to ensure that this is maintained as per its norms by all listed companies • Clear assignment of responsibilities incorporating a
goals and varies based on the mechanism to achieve them. as part of corporate governance.. hierarchy of required approvals.
Corporate Governance • Mechanism for the interaction among the board of
De ned as the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder value by enhancing economic performance. directors, senior management and the auditors;
It concerns relationships among the management, Board of Directors, the controlling shareholders and other stakeholders. • Implementing strong internal control systems, including
Good corporate governance requires sound internal control practices such as segregation of incompatible functions, elimination of con ict of interest, establishment of audit internal and external audit functions, risk management
committee, risk management and compliance with the relevant laws and standards including corporate disclosure requirements. Directors of a company are accountable to the functions
shareholders • Monitoring of risk exposures
Corporate Governance Participants • Financial and managerial incentives to act in an
• Board of Directors & Committees appropriate manner.
• Risk & Performance Management • Monitoring
• Business Practices & Ethics • Appropriate information ows internally and to the public.
• Communication • Legal & Regulatory
• Disclosure & Transparency
Enterprise Governance of Information and Technology (EGIT) Implementing EGIT
Sub-set of corporate governance and facilitates implementation of a framework of IS controls within an enterprise as relevant and encompassing all key areas. e key bene ts EGIT in organizations requires understanding concepts
of using EGIT is that it provides a consistent approach integrated and aligned with the enterprise governance approach. of Governance, IT deployment and how IT can be used
IT also acts as a strategic partner which helps enterprises in achieving both competitive and strategic advantage. to implement Governance. EGIT is a blend of these
Reserve Bank of India issues guidelines covering various aspects of secure technology deployment. Guidelines are prepared based on various global best practices such as concepts. Implementing EGIT requires establishing the
COBIT 2019 and ISO 27001. Information technology Rules, 2011 outlines the need for maintaining secrecy of personal and sensitive information and identi es ISO 27001 as right structures with de ned roles and responsibilities,
“Reasonable Security Practices and Procedures” for implementing best practices. implementing relevant processes using best practices.
Implementing EGIT from conformance (corporate)
Conformance Structures Processes perspective would require viewing the enterprise at macro
Area Perfomance (Business) Roles and responsibilities. IT Strategic Information Systems Planning,
(Corporate) level and consider not only the business but also the external
orgnisation structure. CIO on Board. (IT) BSC, Information Economics, linkages. In case of performance (business) the enterprise
Scope Boarc Structure, Roles Strategic decision making and IT strategy sommittee. IT steeriing SLA, COBIT and ITIL, IT Alignment/
and Remuneration value creation has to be viewed at internal level and the focus on the
committee(s) governance maturity models processes and activities within the enterprise.
Addressed via Standards and Codes Best practices, tools and
techniques IT Governance Framework Guidelines for Implementing EGIT
COBIT 2019 implementation guide provides a systematic
Auditability Can be audited for Not easily auditable Relational mechnisms approach with de nes phases and speci c roles and
compiances Active participation and collaboration between principle stakeholders, Partnership responsibilities for implementing EGIT. is approach can
Ovesinght Audit Committee Balnce score cards rewards and incentives, Business/IT co-location, Cross-functional business/IT traning be customized and used by any organization.
Mechanism and rotation.

CA Rajat Agrawal www.prokhata.com 17

Module : 2 - Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM Section
CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
Systemic Approach to Implementing EGIT
Focus should be rst on implementing the systems and processes rst and then automating rather than expecting that automation will implement systems and processes as required. Frameworks such as COBIT 2019 also provide a systematic
approach for implementing the relevant frameworks. General guidelines on implementing EGIT
1. Aligning IT Goals with Business Goals 2.Formalise and Implement Right IT Governance 3. Establish Required IT 4. Involve Board of 5. Govern and Manage Roles and Responsibilities
IT goals set out in the IT strategy plan should clearly Processes Organisation and Decision Directors/Executive Board should ensure that governance and
support the achievement of one or more business Aer aligning, implementation of required set of efficient Structure Management in IT Related management structures are established involving
goals. Achieved through: and effective IT governance and management processes. Effective Governance of enterprise Matters the organisation, the location of the IT function, the
• Clear goals, communicated to entire organisation. It is important to select the most critical process based IT is determined by the way the IT Executive management has existence of clearly de ned roles and responsibilities
• Involvement of IT in business strategy process on business priorities, assign process owners, develop department is organised and where to be aware and actively and a diversity of IT/business committees. e
• Align IT goals to business goals metrics and monitor the achievement of process as per the IT decision-making authority participating in the existing ultimate responsibility for IT governance lies with
• Derive IT strategy from business strategy set objectives. is located within the organisation. governance activities. management.
Establish IT Strategy and IT Steering Plan, Align and Manage IT Enabled Investment as a Implement Performance Measurement System Establish Sustainability rough Support, Monitoring and
Committee Portfolio Integrated with Regular Process Regular Communication
IT strategy committee has to operate at the board Clear responsibility has to be allocated between IT Performance management system could be integrated Aligning business goals with IT goals requires ongoing and
level and the IT steering committee has to operate who would be responsible for execution of IT enabled using the balanced scorecard technique with the complete constant interaction between IT and business function. is
at executive level with each committee having projects, but business has to be responsible for analysing set of metrics which is consolidated for different levels requires a constant communication channel and mechanism to
speci c responsibility, authority and membership. the anticipated bene ts and making decisions. and areas as required. encourage the relationship between business and IT.

Enterprise Risk Management

Management to ensure that the enterprise risk management strategy considers information and its associated risks while formulating IT security and controls as relevant. IT security and controls are a subset of the overall enterprise
risk management strategy and encompass all aspects of activities and operations of the enterprise.
Governance Objectives Internal Controls
Speci ed in COBIT 2019 are these governance objectives “An effective internal control system is an essential part of the efficient management of
Bene t Realisation Risk Optimisation a company” established through the governance system.
Value that I&T delivers should be Value delivery focuses on the creation of It is an Element of the management system rather than an aspect of the governance
aligned directly with the values value, risk management focuses on the system.
on which the business is focussed preservation of value. Auditor provide appropriate recommendations for mitigating control weaknesses. e Process of
and measured in a way that
Resource Optimisation
IS Auditors may be required to review and evaluate the system of governance, risk
management and controls
INTERNAL CONTROL
transparently shows the impacts
e main objective of IT governance is
and contribution of the I&T-
optimal use of technology resources.
enabled investments
Right capabilities are in place to execute the
strategic plan and sufficient, appropriate and
effective resources are provided.

Governance, Risk and Compliance is a regulatory requirement, and this can be effectively implemented using well established frameworks. ere is need to adapt a macro level and architecture perspective for securing information and
information systems. senior management have to be involved in providing direction on how governance, risk and control are implemented using a holistic approach encompassing all levels from strategy to execution. e Board of directors
have to evaluate, direct and monitor effective use of I&T to achieve enterprise objectives. Best practices framework can be customized to meet stakeholder requirements. IS Auditors can assist management in implementing these frameworks
management have to certify whether Risk management and internal controls have been implemented as per organisation needs and auditors have to certify whether this implementation is appropriate and adequate.
Note:-

18 www.prokhata.com CA Rajat Agrawal