29012sm Finalnew Isca Cp-Ipages
PAPER : 6
Information Systems
Control and Audit
Volume I
BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
This study material has been prepared by the faculty of the Board of Studies. The objective of
the study material is to provide teaching material to the students to enable them to obtain
knowledge and skills in the subject. Students should also supplement their study by reference
to the recommended text books. In case students need any clarifications or have any
suggestions to make for further improvement of the material contained herein, they may write
to the Director of Studies.
All care has been taken to provide interpretations and discussions in a manner useful for the
students. However, the study material has not been specifically discussed by the Council of
the Institute or any of its Committees and the views expressed herein may not be taken to
necessarily represent the views of the Council or any of its Committees.
Permission of the Institute is essential for reproduction of any portion of this material.
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or
transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or
otherwise, without prior permission in writing from the publisher.
Revised Edition
January, 2013
Website: www.icai.org
Department/Committee: Board of Studies
E-mail: bosnoida@icai.org
ISBN No.:
Price:
Published by:
Printed by:
Chapter 6 outlines business continuity planning and disaster recovery planning, which an
organization relies on when such a situation arises.
Chapter 7 deals extensively with ERP systems.
Chapter 8 outlines the framework for Information Systems auditing standards, guidelines and
best practices such as ISO 27001, COBIT and HIPAA. The current version of COBIT has been
added in this revised edition.
Chapter 9 discusses various aspects of information system security policy, audit policy and
audit reporting from a practical perspective.
Chapter 10 is devoted to the discussion of the Information Technology (Amendment) Act, 2008.
The significant additions in the revised edition are highlighted in bold and italics in the study
material and have also been consolidated in the form of a table entitled "Significant Changes
in the Revised Edition" on the following page.
In case you need any further clarification or guidance, please send your queries through the
e-Sahaayataa portal on the ICAI website (www.icai.org) or to bosnoida@icai.org /
santosh.pandey@icai.org.
Happy Reading and Best Wishes!
Name of the Chapter: Risk Assessment Methodologies and Applications
Page Numbers: 5.1, 5.2, 5.5, 5.6, 5.7, 5.9, 5.22, 5.26, 5.26
Name of the Chapter:
Page Numbers: 8.2, 8.3, 8.5, 8.5, 8.11, 8.12, 8.13, 8.16, 8.17, 8.17, 8.17, 8.18, 8.18, 8.21, 8.22, 8.22, 8.23, 8.24, 8.29
SYLLABUS
PAPER 6 : INFORMATION SYSTEMS CONTROL AND AUDIT
(One Paper - Three hours - 100 marks)
Level of Knowledge: Advanced knowledge
Objective:
To gain the ability to apply the necessary controls, laws and standards in a computerized
information system.
Contents:
1.
2.
3. Control objectives
(a) Information Systems Controls
    Need for control
    Effect of computers on internal audit
    Responsibility for control: management, IT, personnel, auditors
    Cost effectiveness of control procedures
    Control Objectives for Information and related Technology (COBIT)
(b) Information Systems Control Techniques
    Control design: preventive and detective controls, computer-dependent controls,
    audit trails, user controls (control balancing, manual follow-up)
    Non-computer-dependent (user) controls: error identification controls, error
    investigation controls, error correction controls, processing recovery controls
(c) Controls over system selection, acquisition/development
    Standards and controls applicable to IS development projects
    Developed / acquired systems
    Vendor evaluation
    Structured analysis and design
    Role of the IS Auditor in system acquisition/selection
(d) Controls over system implementation
    Acceptance testing methodologies
    System conversion methodologies
    Post-implementation review
    Monitoring, use and measurement
(e) Controls over system and program changes
    Change management controls
    Authorization controls
    Documentation controls
    Testing and quality controls
    Custody, copyright and warranties
    Role of the IS Auditor in change management
(f)
4.
5.
6.
7.
8.
9.
CONTENTS
CHAPTER 1 INFORMATION SYSTEMS CONCEPTS
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
3.2
3.3
3.4
3.5
3.6
3.7
3.8
3.9
3.10
3.11
3.12
3.13
3.14
3.15
3.16
3.17
3.18
3.19
3.20
3.21
3.22
3.23
3.24
4.2
4.3
4.4
4.5
4.6
Test of general controls at the entitywide and system level ................................... 4.10
4.7
4.8
Tests of business process application controls and user controls .......................... 4.11
4.9
4.10
4.11
4.12
4.13
4.14
4.15
4.16
4.17
5.2
5.3
5.4
5.5
5.6
5.7
5.8
5.9
5.10
6.1
6.2
6.3
6.4
6.5
6.6
6.7
6.8
6.9
6.10
6.11
6.12
6.13
7.1
7.2
7.3
7.4
7.5
7.6
7.7
7.8
7.9
7.10
8.1
8.2
8.3
8.4
8.5
8.6
8.7
8.8
8.9
8.10
9.1
9.2
9.3
9.4
9.5
9.6
9.7
9.8
10.1
10.2
10.3
10.4
10.5
10.6
10.7
10.8
10.9
10.10
10.11
The Cyber Appellate Tribunal (Amended Vide ITAA-2008) [Chapter X] ............... 10.31
10.12
10.13
10.14