Disa Book

ISA Background Material
ISA
INFORMATION SYSTEMS AUDIT 3.0 COURSE

(Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 1
Information Systems Audit Process
Module - 1
Digital Accounting and Assurance Board
The Institute of Chartered Accountants of India August | 2020 | P2724 (Revised)
ICAI Bhawan,Hostel Block, 7th Floor
A-29, Sector-62 Digital Accounting and Assurance Board
Noida - 201309, India The Institute of Chartered Accountants of India
Tel (Direct): +91 120 3045992/961
Web: www.icai.org (Set up by an Act of Parliament)
New Delhi
Background Material
on
Information Systems Audit 3.0 Course
Module-1:
Information Systems Audit Process

The Institute of Chartered Accountants of India
(Set up by an Act of Parliament)
New Delhi
© The Institute of Chartered Accountants of India
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic mechanical, photocopying, recording, or
otherwise, without prior permission, in writing, from the publisher.
DISCLAIMER
The views expressed in this material are those of author(s). The Institute of Chartered Accountants
of India (ICAI) may not necessarily subscribe to the views expressed by the author(s).
The information in this material has been contributed by various authors based on their expertise
and research. While every effort have been made to keep the information cited in this material error
free, the Institute or its officers do not take the responsibility for any typographical or clerical error
which may have crept in while compiling the information provided in this material. There are no
warranties/claims for ready use of this material as this material is for educational purpose. The
information provided in this material are subject to changes in technology, business and regulatory
environment. Hence, members are advised to apply this using professional judgement. Please visit
34& portal for the latest updates. All copyrights are acknowledged. Use of specific
hardware/software in the material is not an endorsement by ICAI.
Revised Edition : August, 2020
Committee/Department : Digital Accounting and Assurance Board
Email : gdaab@icai.in
Website : www.icai.org/ https://pqc.icai.org
Price : ` 750/- (For Complete Set)
ISBN : 978-81-8441-995-5
Published by : The Publication Directorate on behalf of

ICAI Bhawan, Post Box No. 7100,
Indraprastha Marg, New Delhi - 110002
Printed by : Sahitya Bhawan Publications,

Hospital Road, Agra – 282 003
August | 2020 | P2724 (Revised)
Foreword
The digital revolution is transforming the traditional ways of doing business, necessitating
realignment of profession to leverage the multipliers of digital technology - enhanced efficiency,
scale and speed, effectiveness, agility and giving access to newer markets. In view of the rapid
technological changes, it is imperative for Information System Auditors to adapt, be innovative
in aiding organizations to improve its control environment and strengthen governance of IT risks.
Adoption of emerging technologies will help them to assimilate vast amount of data and provide
value added analysis in the form of data analysis and business intelligence. Chartered
Accountants possess unique blend of systems and process understanding and expertise in
controls and governance, thereby best suited to be the perfect Information Systems Auditor.
The Institute of Chartered Accountants of India (ICAI), through its Digital Accounting and
Assurance Board (DAAB), is continuously monitoring technological developments and taking
initiatives to disseminate updated knowledge amongst our members and other stakeholders. In
this direction, it is heartening to note that the DAAB is bringing out next version of “Educational
Material” for Post Qualification Course on Information Systems Audit. This updated and revised
Material combines technology, information assurance and information management expertise
that enable Chartered Accountants to be an advisor and handling assurance assignments.
In this updated course curriculum various aspects of emerging technologies like, Blockchain,
Robotics Process Automation, etc., have also been introduced to keep members fully abreast.
With focus on increased practical aspects, case studies and lab manuals at appropriate places
this material is a great learning guide for members aspiring to be Information Systems Auditor.
I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman and other
members of the Digital Accounting and Assurance Board for generation next material in digital
era by taking up this timely initiative.
I am confident that our members would take benefit of these updated modules of post
qualification course on Information Systems Audit, so as to render their professional
responsibility as Information System Auditor more efficiently and highest standards to achieve
global recognition.
CA. Atul Kumar Gupta

President, ICAI
Place: New Delhi
Date: April 12, 2020
iv
Preface
Evolution of digital economy and ever-changing dynamic ecosystem presents significant
challenges, including new competition, new business and service delivery models,
unprecedented transparency, privacy concerns and cyber threats. With a goal to keep members
abreast of impact of emerging technologies, Digital Accounting and Assurance Board has come
out with the updated Post Qualification Course on Information Systems Audit Modules to equip
members with specialised body of knowledge and skill sets so that they become Information
Systems Auditors (ISAs) who are technologically adept and are able to utilize and leverage
technology to provide reasonable assurance that an organization safeguards it data processing
assets, maintains data integrity and achieves system effectiveness and efficiency. This updated
syllabus facilitates high level understanding about the role and competence of an IS Auditor to
analyse, review, evaluate and provide recommendations on identified control weaknesses in
diverse areas of information systems deployment.
Revised Modules of Post Qualification Course on Information Systems Audit has specific
objective, i.e., “To provide relevant practical knowledge and develop skills for planning and
performing various types of assurance or consulting assignments in the areas of Governance,
Risk management, Security, Controls and Compliance of Information Systems.” The core of
DISA 3.0 lies in inculcating competence to add to service delivery of the members. The updated
course would help the members to apply appropriate strategy, approach, methodology and
techniques for auditing information system and perform IS Assurance and consulting
assignments by using relevant best practices, IS Audit standards, frameworks, guidelines and
procedures.
The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies
and lab manuals, project work in addition to class room lectures. This updated background
material also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO CAAT
software, useful checklists and sample audit reports. New Module on “Emerging Technology
and Audit” has been added which covers Information System Assurance and Data Analytics,
Assurance in Block chain Ecosystem, and Embracing Robotic Process Automation in Assurance
Services. In addition to this Artificial Intelligence and Internet of Things (IoT) has also been
inducted in the new modules.
We would like to take this opportunity to place on record our deep appreciation for the efforts
put in by Convener, Dr. Onkar Nath as well as authors and reviewers of the various modules,
viz., CA Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, CA
Pranay Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh Maheshwari, CA
Narasimhan Elangovan and CA Atul Kumar Gupta. It would be also appropriate to express our
thanks to all the ISA faculties for giving their inputs/ suggestions for the implementation of DISA
3.0.
We would like to express gratitude to CA. Atul Kumar Gupta, President, ICAI, and CA. Nihar
Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to
the initiatives of the Board. We would also like to place on record our gratitude for all the Board
members, co-opted members and special invitees for providing their valuable guidance and
support in this initiative of the Board. We also wish to express my sincere appreciation for CA.
Amit Gupta, Secretary, DAAB, Ms. Nishi Saraf, Section Officer for their untiring efforts in
finalization of the updated Modules.
We are sure that these updated Modules on Post Qualification Course on Information Systems
Audit would be of immense help to the members and enable them to enhance service delivery
not only in compliance, consulting and assurance of IT services, but also provide new
professional avenues in the areas of IT Governance, Cyber Security, Information System
Control and assurance services.
CA. Manu Agrawal CA. Dayaniwas Sharma

Chairman Vice-Chairman
Digital Accounting and Assurance Board Digital Accounting and Assurance Board
vi
Contents
Chapter 1: Concepts of IS Audit 1–22
1.1 Learning Objectives 1
1.2 Introduction 1
1.3 Definitions 2
1.4 Concepts of IS Audit 3
1.5 Concepts of IS Audit and Auditing in a computerised environment 4
1.5.1 Audit in a computerised environment 4
1.5.2 IS Audit and Audit of computerised environment 5
1.6 Concept of IT Risk 6
1.6.1 IT Risk in the risk hierarchy 6
1.6.2 Risk Management 7
1.7 Risk based auditing 7
1.8 Audit Universe 8
1.8.1 Benefits of having an Audit universe 8
1.9 Audit Risk and materiality 10
1.9.1 Audit Risk 10
1.9.2 Materiality 11
1.10 Concepts of Internal Controls 13
1.10.1 Types of internal controls 13
1.10.2 Types of IS Controls 14
1.11 Organisation of IS Audit Function 14
1.11.1 Infrastructure and organisation 15
1.11.2 Internal and external audit control framework 15
1.11.3 Quality assessment and peer review 16
1.11.4 Standards on audit performance 16
1.12 Summary 17
1.13 Case studies 17
1.14 Questions 19
1.15 Answers and explanation 21
Chapter 2: IS Audit in phases 23–91

2.1 Learning objectives 23
2.2 Introduction 23
2.3 Conducting an IS Audit 24
2.3.1 Setting up of Audit objectives 24
2.3.2 Request for proposal and submitting response 24
2.4 Audit charter and terms of Engagement 25
2.4.1 IS Audit Charter 25
2.4.2 Audit Engagement letter 27
2.4.3 Communication with Auditee 28
2.4.4 Quality assurance process 28
2.5 Audit scope 29
2.6 Audit planning 30
2.6.1 Risk assessment in planning 31
2.7 Objectives of IS Controls 32
2.7.1 Principles of Fiduciary 33
2.7.2 Principles of quality 33
2.7.3 Principles of security (CIA) 34
2.8 Understanding the auditee environment 35
2.8.1 Business of the entity 35
2.8.2 Organisation structure 36
2.8.3 IT Infrastructure 36
2.8.4 Regulations, standards, policy, procedures, guidelines & statements 36
2.9 Framework and best practices of IS Audit 39
2.9.1 ITAF – 3rd edition 39
viii
2.9.2 COBIT 2019 Framework: principles, components and core models 40
2.10 Risk Assessment 44
2.10.1 Guidance on Risk assessment by ISACA 45
2.10.2 Risk Management steps 46
2.10.3 Risk assessment procedures and related activities 48
2.10.4 Use of Risk assessment in audit planning 48
2.11 Governance and Management controls 49
2.11.1 IT General Controls 49
2.11.2 IT Application controls 57
2.11.3 Scope and steps of IS Audit of application software 60
2.12 Creation of Risk control Matrix 62
2.13 Audit sampling, Data Analysis and business intelligence 63
2.13.1 Audit sampling 63
2.13.2 Data Analysis 64
2.13.3 Business Intelligence 65
2.13.4 Analytical review procedures 66
2.14 Compliance Testing 66
2.15 Substantive Testing 67
2.16 Design and operational effectiveness 67
2.16.1 Design effectiveness 67
2.16.2 Operational effectiveness 68
2.17 Audit Evidence: Methods 69
2.17.1 Evaluating audit evidence 69
2.17.2 Types of evidence 70
2.17.3 Evidence preservation 71
2.17.4 Standards on evidence 71
2.18 Audit Documentation 74
2.18.1 Test working papers 75
ix
2.18.2 Organisation of audit working papers 75
2.18.3 Documentation controls 76
2.19 Using work of another auditor and expert 77
2.20 Evaluation of strength and weaknesses: judging by materiality 79
2.21 Risk ranking 80
2.22 Audit report structure and content 81
2.23 Management implementation of recommendation 84
2.24 Follow up review 84
2.25 Summary 85
2.26 Case studies 86
2.27 Questions 88
2.28 Answers with explanation 90
Chapter 3: Computer Assisted Audit Tools and Techniques 92–104

3.2 CAAT 92
3.2.1 Need for CAAT 92
3.2.2 Types of CAAT 95
3.2.3 Typical steps in using CAATs 97
3.2.4 Selecting, implementing and using CAATs 97
3.3 Continuous auditing approach 98
3.3.1 Techniques for continuous auditing 98
3.4 Summary 100
3.5 Questions 100
Chapter 4: Application Controls Review 105–118

4.2 Introduction 105
x
4.3 Business application software – parameters for selection 105
4.4 Types of business application 106
4.5 Key features and controls of business application 107
4.6 Application controls 107
4.6.1 Internal controls 107
4.7 Objectives of application controls 108
4.7.1 Objectives 108
4.7.2 Information criteria 108
4.7.3 Application controls objectives 109
4.7.4 Control practices 110
4.8 Summary 115
4.9 Questions 115
Chapter 5: Application controls review- Specialised systems 119–129

5.2 Review of application controls for various business applications 119
5.2.1 Need for application control review 119
5.2.2 How to perform application review 119
5.3 Review of business application controls 120
5.4 Application control review for specialised system 120
5.4.1 Artificial intelligence (AI) 120
5.4.2 Data Warehouse 121
5.4.3 Decision support system 122
5.4.4 Electronic fund transfer 122
5.4.5 E-commerce 123
5.4.6 Point of sale system (POS) 124
5.4.7 Automated Teller Machines (ATM) 124
5.5 Summary 125
xi
5.6 Questions 125
Chapter 6: IT Enabled services 130–147

6.3 Classification of audits 130
6.4 IT enabled services 133
6.5 Frauds 134
6.5.1 Fraud detection 134
6.5.2 Cyber fraud investigation 136
6.5.3 Cyber Forensics: Digital forensics 138
6.5.4 Fraud investigation tools and techniques 139
6.6 Case studies of frauds and lessons 140
6.7 Overview of lessons learned 143
6.7 Summary 143
6.8 Questions 143
6.9 Answers with explanations 145
6.10 References 146
Appendix 1: RFP from Bank for IS Audit of application software 148

Appendix 2: Response to RFP for logical access controls review of SAP 150
Appendix 3: Sample IS Audit Findings 157
Appendix 4: CAAT Report using SQL 159
Appendix 5: Sample IS Audit Report 161
Appendix 6: Questionnaire for providing assurance services 165
Appendix 7: Specimen Report Format 167
xii
Chapter 1
Concepts of IS Audit
1.1 Learning Objectives
The objective of this chapter is to provide sufficient knowledge about the fundamental concepts
of information systems audit. This chapter provides insight into all the key concepts relating to
IS audit such as IS Audit methodology, enterprise risk management, risk-based auditing,
materiality, internal controls and the roles and responsibilities of the IS audit function. A good
understanding of these concepts will enable auditors to plan, perform and provide report on IS
Assurance and consulting assignments. The concepts covered are the building blocks for
execution and reporting of IS audit.
1.2 Introduction
In the present age of globalization, Information Systems have become the backbone for any
organization whether the field of its operations is manufacturing, education, trading, technology
or entertainment, etc. Nowadays, the success of any organization thrives on information that is
generated within the information systems. IT is used by enterprises for providing greater
satisfaction to customers, to access wider range of information, to handle business changes as
real time events, and create more efficiency within the enterprise. Further, with the development
of automated information systems there has been a simultaneous increase in the threats to the
security of information systems which has led to financial losses to the enterprise and most
importantly loss of critical information. Hence, in the current competitive world, the enterprises
strive not only to attain more efficiency and effectiveness of business through implementation
of information systems but also secure the information which has become the most valuable
asset to the enterprise.
As an IS auditor, the scope of work can vary from assisting the enterprise in selection and
implementation of information systems to providing assurance services. The engagements can
go beyond just implementing some basic IT level security. It is important for organisations to
take a holistic approach and implement security from a governance perspective with
involvement of board in directing and monitoring the use of IT for achieving business objectives.
Regulatory requirements also demand involvement of senior management in effective decision
making in all key aspects of IT security. Senior management look for assurance from IS Auditors
on the availability, adequacy and appropriateness of IT controls as implemented and also seek
advice on best deployment of IT for achieving business objectives. Hence, the role of IS auditor
has expanded to review not only whether IT is deployed in a safe and secure environment but
also to provide advisory services on optimum use of technology to enable organizations to
survive and thrive in the competitive environment while complying with regulatory requirements.
Background Material on Information Systems Audit 3.0 Course (Module 1)
1.3 Definitions
Audit: In simple terms, audit is an inspection of an organization’s accounts, typically by an
independent body. In case of financial audit, audit is an independent examination of financial
information of any entity, whether profit oriented or not, and irrespective of its size or legal form
with a view to expressing an opinion thereon. In case of IS Audit, the audit encompasses
independent review and evaluation of automated information systems, related manual systems
and the interfaces between them.
Computer System: A computer is an electronic device that processes data by following a set
of instructions. It has the ability to receive input, process data, and with the processed data,
create information for storage and/or output. A computer system is a complete and functional
computer that includes required hardware and software.
Information: As per IT Act 2000, information includes data, messages, images, sound, voice,
codes, computer programs, software and databases or microfilm or computer-generated micro
fiche. In general, data processed in a meaningful context is information. Information has value
to user. Information is data that is (1) accurate and timely, (2) specific and organized for a
purpose, (3) presented within a context that gives it meaning and relevance, and (4) can lead
to an increase in understanding and decrease in uncertainty.
Information Systems (IS): Information systems are formal, sociotechnical, organizational
systems designed to collect, process, store, and distribute information. In a sociotechnical
perspective, information systems are composed by four components: task, people, structure,
and technology. In general, Information Systems refer to hardware and software, that people
and organizations use to collect, filter and process, create, and distribute data. Specifically in
the context of IT, Information systems support data-intensive applications and include the
design and implementation of languages, data models, process models, algorithms, networks
etc.
Secure system: It means computer hardware, software and procedures that are reasonably:
(a) Secure from unauthorized access and misuse;
(b) Provide assurance for correct information processing;
(c) Suited to perform intended functions; and
(d) Adhere to generally accepted security procedures.
Risk: It is the potential of uncertain event resulting in losing something of value, weighed against
the potential to gain something of value. In IT parlance, it can be an uncertain event or
something going wrong, which affects enterprise from achieving its objectives. Risk is the
potential that a given threat will exploit the vulnerabilities of an asset or a group of assets to
cause loss or damage to the assets.
Internal Control: It is a process implemented in an organization to help in achieving specific
2
goals. Internal controls include the policies, standards, practices & procedures, and
organisational structures designed to provide reasonable assurance that enterprise objectives
will be achieved and undesired events will be prevented, detected and corrected.
Business Process: A business process is a collection of related, structured activities
or tasks that produce a specific service or product (serve a particular goal) for a particular
customer or customers. It often can be visualized with a flowchart as a sequence of activities,
decision points or with a Process Matrix showing interrelated activities based on data flow in the
process.
1.4 Concepts of Audit

The general standards of auditing are applicable to IS Audit also as IS Audit is a type of internal
audit or a requirement of the statutory audit. As per the general guidelines on Internal Auditing
issued by ICAI, Auditing is defined as a systematic and independent examination of data,
statements, records, operations and performances of an enterprise for a stated purpose. In an
auditing situation, the IS Auditor perceives and recognizes the propositions before him for
examination, collects evidence, evaluates the same and on this basis formulates judgment
which is communicated through the report.
Internal auditing is defined as an independent, objective assurance and consulting activity
designed to add value and improve an organization's operations. It helps an organization
accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control, and governance processes.
Standard on Auditing (SA 200) describes the basic principles of audit and these principles
are applicable for IS Audit also and have to be complied with. IS Audit is primarily an internal
audit conducted for providing assurance after evaluation of risks and provides report on the
implemented controls. Based on such evaluation, the IS Auditor would provide appropriate
recommendations for mitigating control weaknesses in IT related areas. IS Audit can be carried
out by external auditors as part of statutory audit to review internal controls in automated
information systems. However, the scope would be bound by the objectives of the
applicable regulatory requirements. IS Audit could also be carried out as a part of internal
audit or as a specialized audit of IT environment such as penetration testing, audit of data
centre, audit of Business Continuity Plan or review of IT strategy etc.
Integrity, Objectivity and Independence: IS Auditors should be straight forward, honest and
sincere in their approach to the professional work. The auditor must be fair and must not allow
prejudice or bias to override objectivity. The auditor should maintain an impartial attitude and
appear to be free from any interest which might be regarded as being incompatible with integrity
and objectivity.
Knowledge, Skill and Competence: The IS audit should be performed and the report prepared
with due professional care by persons who have adequate knowledge, training, experience and
3
competence. This can be acquired through a combination of general education, technical

knowledge obtained through study and formal courses concluded by a qualifying examination
recognized for this purpose and practical experience under proper supervision.
Confidentiality: The IS Auditor should respect the confidentiality of information acquired during
the course of work and should not disclose any such information to a third party without specific
authority or unless there is any legal or professional duty to disclose.
Work performed by others: When the IS Auditor delegates work to assistants or uses work
performed by other IS Auditors or experts, he continues to be responsible for forming and
expressing his opinion on auditee environment as per the scope and objectives of audit.
However, at the same time IS Auditors are entitled to rely on the work performed by others
provided latter have adequate skills and exercise due care and the former are not aware of any
reasons to believe that they should not have relied upon the work of the latter. The IS Auditors
should carefully direct, supervise and review work delegated to assistants. They should obtain
reasonable assurance that work performed by other IS Auditors or experts are adequate and in
accordance with set audit objectives.
Documentation: The IS Auditor should maintain documentary evidence that the audit was
carried out in accordance with IS Auditing standards, guidelines and procedures and is adhering
to the regulatory requirements.
Information systems and internal control: The IS Auditor should gain an understanding of
the information systems and related internal controls. They should study and evaluate the
operation of those internal controls upon which they wish to rely to determine the nature, timing
and extent of other audit procedures.
Audit conclusions and reporting: The IS Auditor should review and assess the conclusions
drawn from the audit evidence obtained and from their knowledge of business of the entity as
the basis for the expression of their opinion.
1.5 Concept of IS Audit and Auditing in a Computerized

Environment
1.5.1 Audit in a Computerized Environment
Historically, all kinds of accounting and data processing jobs were conducted manually which
involved preparation of physical records and the auditor had no choice but to conduct audit
manually. With the increased use of internet, data analytics and e-commerce technologies,
enterprises are relying more and more on computer systems for much of accounting and all
other critical business processes leading to most of the auditee information being available in
electronic format rather than manual format.
However, the overall scope and objectives of audit do not change in a computerised
environment. The use of computers changes the methodology of processing and storage of
4
information that may affect the organization and the procedures employed by it to implement
adequate and appropriate internal controls. Accordingly, the procedures followed by the auditors
in their review and evaluation of the information systems, related internal controls, nature, timing
and extent of audit procedures are directly impacted by the computerised information systems
environment. Hence, the audit approach and the audit evidence have moved from physical to
digital and it may become necessary for auditors to use computers to audit this digital
information.
1.5.2 IS Audit and Audit of Computerised Environment

The IS Audit of an Information Systems Environment may include one or both of the following:
 Assessment of internal controls within the IS environment to ascertain the degree of
confidentiality, integrity and availability of information and information systems.
 Assessment of the efficiency and effectiveness of the IS environment to evaluate whether
it achieves the organization’s goals and objectives
The objective of IS audit process is to evaluate the adequacy of internal controls with regard to
both specific computer program and the data processing environment as a whole. ISACA
defines IS Audit as: “any audit that encompasses wholly or partly, review and evaluation of
automated information processing systems, related non-automated processes and the
interfaces between them”. Although IS Audit is often misunderstood as a mere technical audit
and a domain of IT professionals, it is clear that IS Audit involves evaluating the adequacy and
efficiency of internal controls in business processes that are either partly or fully computerized.
Hence, Audit and Control professionals who have expertise in understanding of business
processes and internal controls and knowledge of information systems’ risks and associated
controls are considered the most appropriate professionals to conduct most of the information
systems audits.
An IS Audit cannot be viewed from a narrow perspective of audit of automated information
processing systems only but would include audit of non-automated processes and their
interfaces to the automated processes. Therefore, depending on the audit environment,
objectives and scope, the audit could involve audit of entire business processes - partially or
fully automated, or audit of specified applications, technology and related controls. IS Audit
being a focused audit about auditing an information systems area whereas Audit in a
Computerized Environment is a regular audit engagement performed in process area that uses
computers.
5
1.6 Concept of IT Risk

There are numerous changes in IT and its operating environment that emphasizes the need to
better manage IT related risks. This has increased the level of dependency of organizations on
electronic information which are processed by IT systems. These IT systems are now essential
to support critical business processes. Risk is an event which has a potential to impact
organization’s goals and strategy implementation in a negative manner. Another way of defining
risk would be Threat exploiting Vulnerabilities.
IT risk has significant impact on the overall business risk as failure of IT could impact the
business. IT risk is a component of the overall risk universe of the enterprise, as shown in the
figure given below. Other risks that an enterprise faces include strategic risk, environmental
risk, market risk, credit risk, operational risk and compliance risk. In many enterprises, IT-related
risk is considered to be a component of operational risk, e.g., in the financial industry in the
Basel II framework. However, even strategic risk can have an IT component to it, especially
where IT is the key enabler of new business initiatives. The same applies for credit risk, where
poor controls on IT and IT security can lead to lower credit ratings of organizations. For this
reason, it is better not to depict IT risk with a hierarchic dependency on one of the other risk
categories.
IT–Risk
1.6.1 IT Risk in the Risk Hierarchy
Managing the IT risk of the enterprise starts with defining the risk universe; a risk universe
describes risk in the overall environment and provides a structure for managing IT risk. The Risk
universe:
 considers the overall business objectives, business processes and their dependencies
throughout the enterprise. It describes which IT applications and infrastructure support
the business objectives through the provision of IT services. It is worth highlighting that
IT risk needs to be seen from an end-to-end business activity perspective, crossing IT
function silos (IT operations, project management, application development, disaster
recovery, security, etc.).
 considers the full value chain of the enterprise. This can include not only the enterprise
and its subsidiaries/business units, but also clients, suppliers and service providers.
6
 considers a full life-cycle of IT related business activities, including transformation

programs, investments, projects and operations.
 includes a logical and workable segmentation of the overall risk environment. This sounds
relatively easy but often it is not – the hierarchical organizational of the enterprise
business, business processes and supporting IT infrastructure and services often are not
aligned, and it is highly probable that different views along different dimensions exist for
the overall environment. It is up to the enterprise to determine which view will be the most
meaningful to support the business objectives of the enterprise while considering the
potential overlaps and omissions.
 needs to be reviewed and updated on a regular basis due to the constantly changing
internal and external requirements.
1.6.2 Risk Management

Risk management is the process of identifying vulnerabilities and threats to the information
assets used by an organization in achieving business objectives and deciding what
countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of
the information assets to the organization. Risk can be avoided, reduced (mitigated), transferred
or accepted. An organization can also choose to reject risk by ignoring it, which can be
dangerous and should be considered a red flag by the IS Auditor. The counter-measures for
mitigating risks are also called controls and these need to be implemented as appropriate. In
reviewing an IS environment, the primary focus of the IS Auditor would be to review the risk
assessment done by the organisation, assess whether these risks have been mitigated by
implementing appropriate controls and the residual risk is knowingly accepted and is within the
risk appetite. In case the residual risks after applying the controls exceed the risk appetite and
have not been approved by the management, these should be reported along with appropriate
remedial measures.
Here onwards, the word Risk should be interpreted as IT Risk and Audit would be referred to as
IS Audit.
1.7 Risk Based Auditing

A risk-based audit approach is usually adapted to develop and improve the audit process on a
continuous basis so that the focus is on high risk areas and maximum value addition is derived
from audit resources deployed. This approach is used to assess risks and to assist an IS Auditor
to focus on high risk areas and in making the decision with regards to the sample size to perform
either compliance testing and/or substantive testing. It is important to note that the risk-based
audit approach efficiently assists the IS Auditor in focusing on the risk areas which are most
critical and also in determining the nature and extent of testing.
Within this concept, inherent risk, control risk or detection risk are of major concern for the IS
Auditor. In a risk-based audit approach, IS Auditors are not just relying on risk; they also are
7
relying on internal and operational controls as well as knowledge of the business of the
company. This type of risk assessment decision can help relate the cost-benefit analysis of the
controls to the known risks, allowing practical choices.
Business risks include concerns about the probable effects of an uncertain event in achieving
established business objectives. The nature of these risks maybe financial, regulatory or
operational, and may also include risks derived from specific technology deployment. For
example, an airline company is subject to extensive safety regulations and economic changes,
both of which impact the continuing operations of the company. In this context, the availability
of IT services and their reliability are critical.
By understanding the nature of business, IS Auditors can identify and categorize the types of
risks associated with the business and identify the risks applicable to specific situations. On the
other hand, risk assessment refers to the methodology where risks have been given elaborate
weights based on the nature of the business or the significance of the risk and risks are
categorized as high, medium or low based on which appropriate decisions are taken by the
management.
SA 315, the standard for risk identification and assessment requires IS Auditors to assess risk
that is part of the business environment and the internal control system. SA 330 requires IS
Auditors to review whether management has designed and implemented appropriate risk
remediation measures and provide recommendations on the residual risks that have been
identified as critical and are not appropriately mitigated. Usually the IS Auditor would provide
recommendations for risk remediation as part of the Audit Report.
1.8 Audit Universe

Audit universe consists of all risk areas that could be subject to audit, resulting in a list of
possible audit engagement that could be performed. The audit universe includes projects and
initiatives related to the organisation’s strategic plan, and it may be organised by business
units, product or service lines, processes, programs, systems or controls or by risk category/
prioritisation.
Organisation should identify and keep up to date all the possible audits that can be done.
1.8.1 Benefits of having an Audit Universe

One of the advantages of having an audit universe is that it enables the audit activity to be
clear about the extent of coverage of key risks and other risk areas each year. It can also
provide a degree of rigour around areas not being audited. This means that for those audit
committees and senior managers who value a degree of cyclical assurance, the audit universe
could be used to inform this. The benefits of an audit universe could also be extended to
organisations with a network of retail outlets, depots, branches, regional operations,
subsidiaries where managers are mitigating risks on a day to day basis at the front line of
service provision.
8
In these situations, individual engagements in the audit plan, drawn from the audit universe, can
be organised to address the top risks to the organisation focused on those aspects managed at
the location. The important issue here is making sure regular or cyclical audit reviews result in
auditing the management of significant risks rather than risks that have little or no significance.
Thus, entities or areas within the audit universe with a lower risk ranking would be audited at
a different frequency than those with a higher risk rating. Indeed it is possible that some areas
within the audit universe will never be audited, highlighting the importance of other assurance
providers for those areas.
An audit universe can be a useful aid to help communicate the amount of coverage of the
organisation by internal audit, which can be invaluable during resourcing discussions. The table
below shows an example of planned coverage by audit against the total audit universe (in this
case, ranked into tiers 1, 2 and 3, as per their risk impacts).
In practice, other considerations may override the simplified tier classification. Those
include, but are not limited to:
1. Board/senior management requested review(s)
2. Regulator requested review(s)
In these circumstances, those considerations would be incorporated into the risk assessment
and therefore form part of the risk rating to facilitate tier classification.
The audit universe can be valuable to assist the head of internal audit consider all of the relevant
areas in forming an "overall audit opinion".
1.9 Audit Risk and Materiality

9
1.9.1 Audit Risk

In general, audit risk refers to the risk that an auditor may issue unqualified report due to the
auditor's failure to detect material misstatement either due to error or fraud. This risk is
composed of inherent risk (IR), control risk (CR) and detection risk (DR). Audit risk can be high,
moderate or low depending on the sample size selected by the Auditor. In the context of IS
Audit, the meaning of audit risk is still relevant but it would vary depending on the specific scope
and objectives of audit.
Inherent risk means overall risk of management which is on account of entity’s business
operations as a whole. Inherent risk is the susceptibility of information resources or
resources controlled by the information systems to material theft, destruction, disclosure,
unauthorized modification, or other impairment, assuming that there are no related
internal controls. Inherent risk is the risk that has natural association. The inherent risk
for audit assignment can be project related risks, revenues related risks, and resource
related risks. Inherent risk to business can be dependent on nature of business. If the IS
Auditor concludes that there is a high likelihood and consequence of risk exposure,
ignoring internal controls, the IS Auditor would conclude that the inherent risk is high.
Control risk is the risk that an error which could occur in an audit area, and which could
be material, individually or in combination with other errors, will not be prevented or
detected and corrected on a timely basis by the internal control system. Control risk is a
measure of the IS Auditor's assessment of the likelihood that risk exceeds a tolerable
level and will not be prevented or detected by the client's internal control system. This
assessment includes an assessment of whether a client's internal controls are effective.
For example: the enterprise has good system of segregation of duties but two employees
could collaborate and still commit fraud.
Detection risk is the risk of the IS Auditor when he is not able to detect the inherent risk
or the controllable risk. It means higher the level of non-detection by the IS Auditor, higher
is the detection risk. Detection risk is the risk that the IS Auditor’s substantive procedures
will not detect an error which could be material, individually or in combination with other
errors. For example, the detection risk associated with identifying breaches of security in
an application system is ordinarily high if the audit logs for the whole period of audit are
not available at the time of the audit. Detection risk is a measure of the IS Auditor's
assessment of the likelihood that the vulnerability or gaps will not be detected by the IS
Auditors. IS Auditor will carry out more detailed audit to detect material vulnerabilities or
gaps if the inherent risks and control risks are high. Detection risk primarily refers to the
fact that there exists a control weakness that auditor fails to detect.
Assessing inherent, control and detection risks gives the final assessment of the overall Audit
Risk i.e. the risk which the IS Auditor is ready to accept in an audit assignment. Audit risk is the
product of inherent risk, control risk and detection risk. The extent of audit effort is dictated by
10
the degree of audit risk, the assessment of which is critical to the effectiveness of the audit
effort. Amongst the critical factors affecting the audit risk is the appropriate assessment of the
control environment. The preliminary review of audit environment enables the IS Auditor to gain
understanding of the business, technology and control environment and also gain clarity on the
objectives of the audit and scope of audit. Risk assessment allows the IS Auditor to determine
the scope of the audit and assess the level of audit risk.
1.9.2 Materiality
The concept of materiality in the case of financial audit is based on value and volume of the
transactions and the relevant error or discrepancy or control weakness detected. In case of
regulatory audit, materiality is based on impact of non-compliance and in case of IS Audit,
materiality is based on the effect or consequence of the risk in terms of potential loss. Hence,
materiality varies based on the scope and objectives of the audit and specific auditee
environment. Materiality is an important aspect of the professional judgment of the IS Auditor
as he/she has to decide whether the information is material or immaterial. With regards to the
materiality of the financial statements, information is regarded as material if it changes the
decision of the users of the financial statement i.e. if the misstatement is of a high value and
quantity. The IS Auditor should have a good understanding of these audit risks when planning
an audit. An audit sample may not detect every potential error in a population. When evaluating
internal controls, the IS Auditor should realize that a given system may not detect a minor error.
However, that specific error, combined with others, could become material to the overall system.
The concept of materiality requires sound judgment from the IS Auditor. The IS Auditor may
detect a small error that could be considered significant at an operational level, but may not be
viewed as significant to upper management. Materiality considerations combined with an
understanding of audit risk are essential concepts for planning the areas to be audited and the
specific tests to be performed in the audit. Higher the level of materiality, lower is the risk that
an IS auditor is, usually, willing to take.
For systems and operations not affecting financial transactions, following are the examples of
measures that should be considered to assess materiality:
 Criticality of the business processes supported by the system or operation
 Cost of the system or operation (i.e., hardware, software, staff, third-party services,
overheads, and a combination of these). As for example a virus has been detected and
cleaned and there was no impact on business or operations. Apparently, this may not be
a material risk. However, materiality can be correctly determined only when root cause
analysis is done to ascertain as to how and from where the virus entered the
organisation’s information systems. The analysis may reveal that there is a weakness in
control process. Hence, although the incident per se is not material but inherent cause of
weakness is definitely material as the virus problem can recur and cause harm to the
11
organisation’s information systems. If auditor fails to detect this weakness, it might result
in detection risk.
 Potential cost of errors (possibly in terms of lost sales, warranty claims, irrecoverable
development costs, cost of publicity required for warnings, rectification costs, health and
safety costs, unnecessarily high costs of production, high wastage, etc.)
 Number of accesses/transactions/inquiries processed per period
 Nature, timing and extent of reports prepared and files maintained
 Nature and quantities of materials handled (e.g., where inventory movements are
recorded without values)
 Service level agreement (SLA) requirements and cost of potential penalties
 Penalties for failure to comply with legal and contractual requirements.
SA 320 is the Auditing standard for Audit Materiality. It requires the Auditor to report those
items that create an impact on the financial statements and which changes the decision that
would be made by the stakeholder. The same concept is applied even when conducting an IS
Audit Engagement. The ITAF (Information Technology Assurance Framework) 3rd edition issued
by ISACA has the following standards on “Materiality” which have to be complied by the IS
Auditor.
1204.1 IS audit and assurance professionals shall consider potential weaknesses or absences
of controls while planning an engagement, and whether such weaknesses or absences of
controls could result in a significant deficiency or a material weakness.
1204.2 IS audit and assurance professionals shall consider audit materiality and its relationship
to audit risk while determining the nature, timing and extent of audit procedures.
1204.3 IS audit and assurance professionals shall consider the cumulative effect of minor
control deficiencies or weaknesses and whether the absence of controls translates into a
significant deficiency or a material weakness.
1204.4 IS audit and assurance professionals shall disclose the following in the report:
a. Absence of controls or ineffective controls
b. Significance of the control deficiency
c. Likelihood of these weaknesses resulting in a significant deficiency or material weakness.
1.10 Concepts of Internal Controls
12
The increasing use of IT in organizations has made it imperative that appropriate information
systems are implemented in an organization. IT should cover all key aspects of business
process of an enterprise which have an impact on its strategic and competitive advantage for
its success. Control is defined by ISACA as: “the policies, procedures, practices and the
organisation structure that are designed to provide reasonable assurance that the business
objectives will be achieved and undesired events are prevented or detected and corrected”. This
definition of control is applied for all IS Audits. Internal Controls are normally composed of
policies, procedures, practices and organizational structures which are implemented to reduce
risks in the organisation to an acceptable level. Internal controls are developed to provide
reasonable assurance to management that the organization’s business objectives will be
achieved and risk events will be prevented or detected and corrected.
Internal control activities and supporting processes are either manual or driven by automated
computer information resources. Thus, IS audit includes reviewing the implemented systems or
providing consultation and evaluating the reliability of operational effectiveness of controls. The
objective of controls is to reduce or if possible, eliminate the causes of the exposure to potential
loss.
1.10.1 Types of Internal Controls

Internal Controls is said to be a mechanism that is established by organizations which is a sum
of General Controls and IS Controls. IS controls is said to be a sum of IT Application Controls
and IT General Controls. General Controls refers to internal controls that encompass all
administrative areas in general including IT implementation whereas application controls are
implemented in specific application softwares. In general, it can be said that IS Controls are
controls that are present on the enterprise’s IT Infrastructure. IT Infrastructure includes
hardware and software.
General
Controls
Internal
Controls
IS
Controls
13
IS Controls
Information Systems Controls
Application IT General
Controls Controls
Apply to IT environment in
Specific to application software
general
1.10.2 Types of IS Controls

IS Controls can also be classified in the following manner:
Preventive Controls: Controls that prevents problems before they arise. They monitor both
operations and inputs. They attempt to predict potential problems before they occur and make
adjustments. They also help in preventing an error, omission or malicious act from occurring;
e.g. Firewalls.
Detective Controls: Controls that detect and report the occurrence of an error, omission or
malicious act; e.g. Audit Trails.
Corrective Controls: Controls that minimize the impact of a threat. They remedy problems that
are discovered by Detective controls. They help in identification of the cause of the problem.
They correct errors arising from the problem. They modify the processing systems to minimize
future occurrences of the problem; e.g. backups.
1.11 Organization of IS Audit Function

The IS audit function should be placed in the organization so as to ensure its objectivity and
independence. The composition and constitution of the IS audit function should ideally be
decided by the Audit Committee which should be the prime reporting authority for the IS Audit
function. The role of the IS Audit function is defined by the audit charter which defines the
authority, scope and responsibility. The audit charter provides mandate for performing the audit
function. Based on the overall guidelines defined in the audit charter, the audit function is
created with specific roles and responsibilities. The appointment of external auditors should also
be governed by stipulations for independence and objectivity, which is the foundation for an
effective audit function.
14
1.11.1 Infrastructure and Organization

IS audit function should be equipped with sufficient resources to discharge its duties efficiently
and effectively. An important determinant in the quality of the IS audit function is the quality of
human resources that staff the audit function. The skills and competence requirements should
be clearly established and the IS Audit function should collectively possess the skills and
knowledge necessary for performing an effective and professional audit. Even in cases where
external agencies are engaged, the professional competences and skills of such agencies
should be ensured. Continuing Professional Education should be included as part of the IS audit
management plan.
Assurance function perspective: It describes what is needed in an enterprise to build and provide
assurance function(s). The assurance function perspective describes how each factor
contributes to the overall provisioning of assurance, for example:
d. Which organizational structures are required to provide assurance (board/audit
committee, audit function, etc.)?
e. Which information items are required to provide assurance (audit universe, audit plan,
audit reports, etc.)?
The function might require special infrastructure for using CAATs. If so, availability of
appropriate tools and infrastructure should be ensured.
ITAF 3rd edition issued by ISACA provides the following standard regarding independence of IS
Auditor.
1002 Organisational Independence
1002.1 The IS audit and assurance function shall be independent of the area or activity being
reviewed to permit objective completion of the audit and assurance engagement.
1003 Professional Independence
1003.1 IS audit and assurance professionals shall be independent and objective in both attitude
and appearance in all matters related to audit and assurance engagements.
1.11.2 Internal and External Audit Control Framework

The internal and external audit control framework ensures the minimum quality of audits. This
forms the basis for the organization to implement appropriate audit control framework.
Accordingly, policies and procedures for risk assessment, planning, implementation and
reporting are to be established. The audit control framework assures the effectiveness and
efficiency of operations, reliability of reporting and compliances with laws and regulations. The
standards and professional pronouncements should be strictly adhered to, and this should be
reflected in the organization and operations of the audit function. Specific guidelines have to be
issued to ensure the qualitative work under control environment.
15
1.11.3 Quality Assessment and Peer Reviews

Quality Assessment ensures that the IS audit function is delivering in line with the best auditing
practices and following the professional standards and pronouncements, it also ensures that
the IS Audit function is subject to both internal and external quality assessments, peer reviews,
certification and accreditation. Though the objective of the internal and external IS audit remains
same, the scope and approach might vary. In case of an internal IS audit, the IS Auditor reviews
the internal control environment in detail whereas an external IS Auditor takes an overall view
of internal control environment and focuses on substantive testing as per the specific scope and
objective of the assignment. In case of external audit, the audit engagement letter defines the
scope and objectives of individual audit assignment.
1.11.4 Standards on Audit Performance

IS auditors are expected to comply with the following standards of ITAF 3rd Edition issued by
ISACA.
1004 Reasonable Expectation
1004.1 IS audit and assurance professionals shall have reasonable expectation that the
engagement can be completed in accordance with the IS audit and assurance standards and,
where required, other appropriate professional or industry standards or applicable regulations
and result in a professional opinion or conclusion.
1004.2 IS audit and assurance professionals shall have reasonable expectation that the scope
of the engagement enables conclusion on the subject matter and addresses any restrictions.
1004.3 IS audit and assurance professionals shall have reasonable expectation that
management understands its obligations and responsibilities with respect to the provision of
appropriate, relevant and timely information required to perform the engagement.
1005 Due Professional Care
1005.1 IS audit and assurance professionals shall exercise due professional care, including
observance of applicable professional audit standards, in planning, performing and reporting on
the results of engagements.
1006 Proficiency
1006.1 IS audit and assurance professionals, collectively with others assisting with the
assignment, shall possess adequate skills and proficiency in conducting IS audit and assurance
engagements and be professionally competent to perform the work required.
1006.2 IS audit and assurance professionals, collectively with others assisting with the
assignment, shall possess adequate knowledge of the subject matter.
1006.3 IS audit and assurance professionals shall maintain professional competence through
appropriate continuing professional education and training.
16
1007 Assertions
1007.1 IS audit and assurance professionals shall review the assertions against which the
subject matter will be assessed to determine that such assertions are capable of being audited
and that the assertions are sufficient, valid and relevant.
1008 Criteria
1008.1 IS audit and assurance professionals shall select criteria, against which the subject
matter will be assessed, that are objective, complete, relevant, measurable, understandable,
widely recognised, authoritative and understood by, or available to, all readers and users of the
report.
1008.2 IS audit and assurance professionals shall consider the source of the criteria and focus
on those issued by relevant authoritative bodies before accepting lesser-known criteria.
1.12 Summary
This chapter has provided brief overview of the fundamental concepts of Audit, IS audit, risks,
controls and internal controls. We have also provided the distinction between audit in an IS
environment and audit of a computerized environment. Further, the conceptual understanding
of IT risk and risk-based auditing has been provided with an overview of types of audit risks and
their categorization as: Inherent Risk, Control Risk and Detection Risk. The concept of
materiality and internal controls with overview of types of internal controls has been provided.
Controls can be classified as, IS Controls and General Controls and IS controls are bifurcated
as IT Application Controls which are specific to application softwares and IT General Controls
which pertain to the IT environment in general. The classification of controls as preventive,
detective and corrective has been explained. The overall objective of this chapter is to provide
an understanding of the key concepts of information systems, audit function, materiality and the
attached risks.
1.13 Case Study

Case Background:
M/s InfoTech Solutions have been assigned to review effectiveness of existing controls of Online
Portal of a large Retail Chain. One of the clauses of service level agreement is stated below:
“InfoTech Solutions to submit final audit report within 1 month from date of agreement. In case
of deviation following penalty to be impacted:
Turn Around Time Penalty

Within 30 days Nil
31-40 days 10% of total fees payable
17

Above 60 days 50% of total fees payable
To adhere to SLA, M/s InfoTech Solutions detailed out following audit program:
(i) Detailed Risk Assessment will not be carried out. Audit will be assigned to a Senior IS
Auditor and he will decide audit area and sampling techniques as per his prior
experiences.
(ii) Initially, 2 associates will be allotted for the assignment. More resources will be provided
as and when required.
(iii) Senior Auditor will have to submit his draft report to Partner by 25th day and final report
to be issued to client by 30th day.
(iv) To preserve time, working papers and evidence gathering will be structured once the final
report is submitted.
Questions:
(1) While planning an audit M/s InfoTech Solutions should have FIRST identified:
(a) Areas of High risk.
(b) Skill sets of the audit staff.
(c) Test steps in the audit.
(d) Time allotted for the audit.
Correct Answer: A, areas of high risk
Explanation:
(a) When designing an audit plan, it is important to identify the areas of highest risk to
determine the areas to be audited.
(b) Skill sets of audit staff is an important consideration. However, unless risks are
identified it will not be known how and where to utilize the skills.
(c) Compliance test and substantial test can be effectively carried out only once
auditor is aware about areas of high risk.
(d) Allotment of time is important but not the first & primary step like identification of
high-risk areas.
(2) M/s InfoTech Solutions has decided to Skip Risk Assessment Process. What is the
Primary Risk involved here?
(a) Resources may not be allocated to the areas of highest concern.
18
(b) Budgets are more likely to be met by the IS audit staff.

(c) May not able to complete assignment as per timelines defined in SLA.
(d) Senior Auditor may not take responsibility of Audit Observations.
Correct Answer: A, Resources may not be allocated to areas of highest concern
Explanation: Primary Risk involved here is critical risks are not identified and may remain
unnoticed. Other areas are not of that concern.
(3) The decisions and actions of Senior Auditor of M/s InfoTech Solutions are MOST likely to
affect which of the following risks?
(a) Detection
(b) Inherent
(c) Control
(d) Business
Correct Answer: A, Detection Risk
Explanation:
(a) Detection risks are directly affected by the auditor's selection of audit procedures
and techniques.
(b) Inherent risks usually are not affected by the IS auditor.
(c) Control risks are controlled by the actions of the company's management.
(d) Business risks are not affected by the IS auditor.
1.14 Questions
1 The primary purpose and existence of an audit charter is to:
A. Document the audit process used by the enterprise
B. Formally document the audit department’s plan of action
C. Document a code of professional conduct for the auditor
D. Describe the authority and responsibilities of the audit department
2 Which of the following control classifications identify the cause of a problem and
minimize the impact of threat?
A. Administrative Controls
B. Detective Controls
19
C. Preventive Controls
D. Corrective Controls
3. To conduct a system audit, the IS auditor should
A. Be technically at par with client’s technical staff
B. Be able to understand the system that is being audited
C. Possess knowledge in the area of current technology
D. Only possess a knowledge of auditing.
4 Which of the following are most commonly used to mitigate risks discovered by
organizations?
A. Controls
B. Personnel
C. Resources
D. Threats
5 The rate of change in technology increases the importance of:
A. Outsourcing the IS function
B. Implementing and enforcing good processes
C. Hiring personnel willing to make a career within the organisation
D. Meeting user requirements
6 What means the rate at which opinion of the IS Auditor would change if he selects
a larger sample size?
A. Audit Risk
B. Materiality
C. Risk Based Audit
D. Controls
7 Which of the following cannot be classified as Audit Risk?
A. Inherent Risk
B. Detection Risk
C. Controllable Risk
20
D. Administrative Risk
8 After you enter a purchase order in an on-line system, you get the message, “The
request could not be processed due to lack of funds in your budget”. This is an
example of error?
A. Detection
B. Correction
C. Prevention
D. Recovery
9 When developing a risk-based audit strategy, an IS auditor should conduct a risk
assessment to ensure that:
A. Controls needed to mitigate risks are in place.
B. Vulnerabilities and threats are identified.
C. Audit risks are considered.
D. Gap analysis is appropriate
10 Reviewing management's long-term strategic plans helps the IS auditor:
A. Gains an understanding of an organization's goals and objectives.
B. Tests the enterprise's internal controls.
C. Assess the organization's reliance on information systems.
D. Determine the number of audit resources needed.
1.15 Answers and Explanations

1 An audit charter describes the authority, responsibility of the audit department. These
are established by the senior management. Correct answer is D.
2 Corrective Controls classification identify the cause of a problem and minimize the
impact of threat. The goal of these controls is to identify the root cause of an issue
whenever possible and eliminate the potential for that occurring again. The other
controls are useful but perform other functions instead. Correct answer is D.
3 To conduct IS Audit by the IS Auditor, the primary requirement is that he should be
able to understand the system and technology being audited. He is not required to be
the expert in all subjects. There is no comparison of his knowledge with that of
21
auditee’s staff. He should have the knowledge of audit along with the technology in
the related subject of audit. Correct answer is B.
4 Controls are most commonly used to mitigate risks discovered by organizations. This
is what organizations implement as a result of the risks an organization discovers.
Resources and personnel are often expended to implement controls. Correct answer
is A.
5 Rate of change of technology increases the importance of implementing and enforcing
good practices. Correct answer is B.
6 Audit risk means the rate at which opinion of the IS Auditor would change if he selects
a larger sample size. Audit risk can be high, moderate or low depending on the sample
size selected by the IS Auditor. A risk-based audit approach is usually adapted to
develop and improve the continuous audit process. Materiality means importance of
information to the users. It is totally the matter of the professional judgment of the IS
Auditor to decide whether the information is material or immaterial. Correct answer is
A.
7 Inherent risk means overall risk of management which is on account of entity’s
business operations as a whole. Controllable risk is the risk present in the internal
control system and the enterprise can control this risk completely and eliminate it from
the system. Detection risk is the risk of the IS Auditor when he is not able to detect
the inherent risk or the controllable risk. Correct answer D
8 To stop or prevent a wrong entry is a function of error prevention. All other options
work after an error. Prevention works before occurrence of error. Correct answer is C.
9 In developing a risk-based audit strategy, risks and vulnerabilities are to be
understood. This determines areas to be audited and the extent of coverage.
Understanding whether appropriate controls required to mitigate risks are in place is
a resultant effect of an audit. Audit risks are inherent aspects of auditing, are directly
related to the audit process and are not relevant to the risk analysis of the environment
to be audited. Gap analysis would normally be done to compare the actual state to an
expected or desirable state. Correct answer B.
10 Strategic planning sets corporate or departmental objectives into motion. It is time and
project-oriented, but must also address and help determine priorities to meet business
needs. Reviewing long-term strategic plans will not achieve objectives by other
choice. Correct answer is A.
22
Chapter 2
IS Audit in Phases
This chapter provides detailed insights into various phases of IS audit. The fundamental
concepts which were discussed in earlier chapter are connected to their practical aspects in
terms of how to define the audit scope and objectives, gain knowledge of the organisation’s
business, assessment of risk, IT application controls and IT general controls of the enterprise.
Sampling and testing methodologies using CAAT as used by the IS auditor are also discussed.
How to develop audit programs and approach and design appropriate tests for compliance and
substantive testing for reviewing the design effectiveness and operational effectiveness of the
Information Systems are explained. The need for IS auditor to obtain sufficient evidence as a
part of the audit process which forms critical part of the assurance services as well as use of
global best practices as benchmarks for performing and reporting IS audit findings are discussed
in this chapter. Please note that ‘organisation’ and ‘enterprise’ words are used inter-changeably.
2.2 Introduction
Information systems have become an integral part of business processes. The growth of
technology has made IT an indispensable part of our day to day functioning. Organizations value
information as the most critical asset and hence it has become more vulnerable to theft causing
loss to the enterprise. There is a risk that the information may be stolen fraudulently and
fraudsters can use it for financial gains. Information systems are helping organizations in
improving efficiency in customer delivery and also opening up new delivery channels. In order
to adapt to these technological advancements organizations have reengineered their processes
which has potential of introducing new vulnerabilities. There is critical requirement of enhancing
value of information by making it available online but this should be coupled with right level of
security. In the networked world, the fraudsters can intrude the systems anytime and from
anywhere. It is important that the management not only has systems and processes in place to
ensure that adequate controls exist and are working effectively but also having an independent
evaluation by IS Audit professionals. The IS auditor has to plan the audit keeping in mind the
scope and objectives of the audit including the auditee environment, regulatory requirements
and technology deployment. The IS Audit phases are summarized in the following diagram.
IS Audit Phases
Plan Execute Report

Understanding the Analytical procedures,
environment and Compliance and Audit report and
Setting up of objectives Substantive testing recommendations
Risk assessment & Presentation to

control identification Sampling
management
Audit program and Using CAATs and

procedures evaluating Audit Follow up review
Evidence
2.3 Conducting an IS Audit

2.3.1 Setting up of audit objectives
Audit objectives refer to the specific goals that must be met by the audit. In contrast, a control
objective refers to how an internal control should function. An audit may, and generally does,
incorporate several audit objectives. Audit objectives often focus on substantiating that internal
controls exist to mitigate business risks, and that they function as expected. These audit
objectives include assuring compliance with legal and regulatory requirements as well as the
confidentiality, integrity, reliability and availability of information and IT Resources. Auditee
management may give the IS Auditor a general control objective to review and evaluate when
performing an audit.
One of the basic purposes of any IS audit is to identify control objectives and the related controls
that address these objectives. The objective of an information systems audit (design and
operating effectiveness of the internal control system) is to enable the IS Auditor to express an
opinion on whether the internal control system set up and operated by the organisation for the
purpose of managing risks to the achievement of the objectives was suitably designed and
operated effectively in the period. If there are control weaknesses, these should be reported
with appropriate recommendations for mitigating these risks by improving controls and thus add
value.
2.3.2. Request for proposal (RFP)

Many a times, organizations may need to engage outside agencies i.e. external auditors for
24
IS Audit in Phases
some audit assignments. An RFP is a standard solicitation document used by various

organisations to compete for contract opportunities. An RFP is most often used to acquire
services, although it may be used in some circumstances to acquire goods. A successful RFP
process will support the principles of fair, open, and transparent procurement and will satisfy
the business requirements. Well-prepared RFPs can go a long way in creating effective
solutions and programs for business development and associations. With an RFP, proposals
are evaluated against multiple criteria such as price, qualifications and experience, and the
proposed solution or approach. The best proposal is awarded the contract though it may, or may
not, quote the lowest price. IS Auditor can play an important role in preparation and
evaluation of responses to RFP.
2.4 Audit Charter and Terms of Engagement

2.4.1 IS Audit charter
The IS Audit charter is like the constitution for the IS Audit function as it mandates the authority,
scope and responsibility of IS Audit in the organisation. The IS Auditor should have a clear
mandate to perform the IS audit function as authorized through the audit charter. This mandate
should be formally accepted and approved by senior management. Where an audit charter
exists for the audit function as a whole, the IS audit mandate should be included therein.
The IT Auditing Assurance Framework has the following standards for audit charter;
1001.1: The IS audit and assurance function shall document the audit function appropriately in
an audit charter, indicating purpose, responsibility, authority and accountability.
1001.2: The IS audit and assurance function shall have the audit charter agreed upon and
approved at an appropriate level within the enterprise.
Contents of the Audit Charter
The audit charter should clearly address the four aspects of purpose, responsibility, authority
and accountability. Aspects to consider are set out in the following sections.
Purpose
 Role
 Aims/goals
 Mission statement
 Scope
 Objectives
25
Responsibility
 Operating principles
 Independence
 Relationship with external audit
 Auditee requirements
 Critical success factors
 Key performance indicators
 Risk assessment
 Other measures of performance
Authority
 Right of access to information, personnel, locations and systems relevant to the
performance of audits
 Scope or any limitations of scope
 Functions to be audited
 Auditee expectations
 Organizational structure, including reporting lines to board and senior management
 Grading of IS audit staff
Accountability
 Reporting lines to senior management
 Assignment performance appraisals
 Personnel performance appraisals
 Staffing/career development
 Auditee rights
 Independent quality reviews
 Assessment of compliance with standards
 Benchmarking performance and functions
 Assessment of completion of the audit plan
 Comparison of budget to actual costs
 Agreed actions, e.g., penalties when either party fails to carry out their responsibilities
26
IS Audit in Phases
2.4.2 Audit Engagement Letter

Purpose: Engagement letters are often used for individual assignments or for setting the scope
and objectives of a relationship between external IS audit and an organization.
Content: The engagement letter should clearly address the three aspects of responsibility,
authority and accountability. Aspects to consider are set out in the following paragraphs.
Responsibility
 Scope
 Objectives
 Independence
 Risk assessment
 Specific Auditee requirements
 Deliverables
Authority
 Right of access to information, personnel, locations and systems relevant to the
performance of the assignment
 Scope or any limitations of scope
 Evidence of agreement to the terms and conditions of the engagement
Accountability
 Intended recipients of reports
 Auditee rights
 Quality reviews
 Agreed completion dates
 Agreed budgets/fees, if available
The standards of auditing (SA) 210 Agreeing the terms of Audit Engagements requires the
auditor and the client to agree on the terms of engagement and document them in the audit
engagement letter. It requires that the engagement letters be renewed if necessary, before the
commencement of the audit in succeeding years.
The IS Audit is performed internally as per audit charter or it may be outsourced to an external
IS Auditor. In case it is outsourced, an audit engagement letter is issued as per details discussed
earlier. It is critical to note that external IS audits would have specific scope, objectives, timelines
and deliverables whereas in case of internal IS Audit, these may be flexible and could vary
depending on the needs of the enterprise. The audit assignment requires continuing involvement
27
of client personnel. Hence, on-going communication with the auditee is critical.
2.4.3 Communication with Auditee

Effective communication with Auditee involves:
 Describing the service, its scope and timeliness of delivery
 Providing cost estimates or budgets
 Describing problems and possible resolutions for them
 Providing adequate and readily accessible facilities for effective communication
 Determining relationship between services offered and needs of the Auditee.
The audit charter forms a sound basis for communication with Auditee and should include
references to service level agreements for things such as:
 Availability for unplanned work
 Delivery of reports
 Costs
 Response to Auditee complaints
 Quality of service
 Review of performance
 Communication with Auditee
 Needs assessment
 Control risk self-assessment
 Agreement of terms of reference for audits
 Reporting process
 Agreement of findings
2.4.4 Quality Assurance Process

The IS Auditor should consider establishing a quality assurance process (e.g., interviews,
customer satisfaction surveys, assignment performance surveys) to understand Auditee’s
needs and expectations relevant to the IS audit function. These needs should be evaluated
against the charter with a view to improving the service or changing the service delivery or audit
charter, as necessary. The IS Audit standards require IS Auditor to deploy and monitor
completion of the assurance assignments with the staff having required competencies and skill-
sets. If required, external experts may be used in the assignment as required. However, the IS
Auditor continues to remain responsible for the assignment. IS auditor should develop standard
28
IS Audit in Phases
approach, documentation and methodology with appropriate templates for various types of
assignments. Best practices and frameworks along with the required standards, guidelines and
procedures should be used in developing quality assurance process and all the staff should be
trained in the process to be followed in all stages of planning to execution and reporting of
various types of assignments.
According to SA 220 of ICAI, Quality Control Systems, policies and procedures are the
responsibility of the audit firm. Under SQC 1, the firm has an obligation to establish and maintain
a system of quality control to provide it with reasonable assurance that: (a) The firm and its
personnel comply with professional standards and regulatory and legal requirements; and (b)
The reports issued by the firm or engagement partners are appropriate in the circumstances.
This SA 220 is premised on the basis that the firm is subject to SQC 1. Within the context of the
firm’s system of quality control, engagement teams have a responsibility to implement quality
control procedures that are applicable to the audit engagement and provide the firm with
relevant information to enable the functioning of that part of the firm’s system of quality control
relating to independence. Engagement teams are entitled to rely on the firm’s system of quality
control, unless information provided by the firm or other parties suggests otherwise.
2.5 Audit Scope

A determination of the range of the activities and the period (of records that are to be subjected
to an audit examination) is the scope of audit. The scope and objectives for every audit are
determined through discussion with the auditee management and a specific risk assessment.
The scope of audit would be specifically determined by the management in case of internal audit
and is set by statute if it is as per regulatory requirement.
While each audit is unique, there are some general or common objectives applied to most audits.
Once planning work begins, clearly defining the audit scope is important in determining the
budget, human resources, and time required for audit and in determining what will have to be
specifically reported and in which format. Scoping the audit involves narrowing the audit to
relatively few matters of significance that pertain to the audit objective and that can be audited
with resources available to the audit team. In a multi-entity audit, the scope includes identifying
the specific departments or applications that will be included in the audit.
To identify matters of significance, the IS auditor should conduct research on competitive
environment, nature of business, technology used and the regulatory requirements to
understand the auditee environment so as to plan and execute the assignment as per scope
and objectives of the assignment including:
 Are there areas that have an important impact on the organisation’s results?
 Will the audit of the issue make a difference; that is, will it result in improved performance,
accountability, or value for money?
 Are there issues with high visibility or of current concern?
29
 Are there areas that have undergone a significant degree of change? Examples of
changes within an entity are new technology deployed, increased staff turnover, and
reorganization. Examples of changes to an entity’s environment are new regulatory
requirements, change in senior management and budget cuts etc.
 Is the timing appropriate for auditing the issue?
 Are there any examples of past non-compliances?
 What is the management style and the risk appetite and approach to risk management?
 Are there any cases of past fraud or material errors?
Carefully scoping the audit early in the process helps increase efficiency and effectiveness of
the audit. The statement of scope should be clear about any areas excluded from audit.
2.6 Audit Planning

One of the primary and important phases in an IS Audit is planning which ensures that the audit
is performed in an effective way and completed in a timely manner. Planning takes on more
significance in case of IS Audit since audit risks in case of IS audits are significantly impacted
by inherent risks. Hence, for the audit effort to be successful, a good audit plan is a critical
success factor. In case of IS audit done by the internal IS Audit function, annual audit plan is
developed based on the audit schedule, materiality, risk rating, business and regulatory
requirements and previous audits done. Based on this and resource availability, teams and
individuals with specific skills are assigned to specific assurance reviews as per time plan. The
audit planning process has to consider budgets of time and costs, and management priorities
as per organizational goals and policies. The objective of audit planning is to optimize the use
of audit resources. In case of independent assurance assignments, audit planning is done by
external firm as per scope of audit engagement letter considering available resource
requirements, auditee availability and reporting timings to regulatory authorities.
As per SA 300 on “Planning” issued by ICAI:
 Adequate planning of the audit work helps to ensure that appropriate attention is devoted
to important areas of the audit, that potential problems are identified and that the work is
completed expeditiously. Planning also assists in proper assignment of work to assistants
and in coordination of work done by other Auditors and experts.
 The extent of planning will vary according to the size of the entity, the complexity of the
audit and the IS Auditor’s experience with the entity and knowledge of the business.
 Obtaining knowledge of the business is an important part of planning the work. The IS
Auditor’s knowledge of the business assists in the identification of events, transactions
and practices which may have a material effect on the financial statements.
 The IS Auditor may wish to discuss elements of the overall audit plan and certain audit
procedures with the entity’s audit committee, management and staff to improve the
30
IS Audit in Phases
effectiveness and efficiency of the audit and to coordinate audit procedures with work of
the entity’s personnel. The overall audit plan and the audit program; however, remain the
IS Auditor’s responsibility.
The IS Auditor should develop and document an overall audit plan describing the expected
scope and conduct of the audit. While the record of the overall audit plan will need to be
sufficiently detailed to guide the development of the audit program, its precise form and content
will vary depending on the size of the entity, the complexity of the audit and the specific
methodology and technology used by the IS Auditor.
Audit should be guided by an overall audit plan and underlying audit program and methodology.
Audit planning is often mistaken as a one-time activity to be taken and completed in the
beginning of the audit. While for all practical purposes, planning is a continuous activity which
goes on throughout the entire audit cycle. Many a times changes in conditions or circumstances
or unexpected findings during the course of audit require changes in the audit procedures and
methodology initially planned. Hence, IS Auditor is expected to modify the audit plan as
circumstances may require. The documentation of the audit plan is also a critical requirement.
All changes to the audit plan should follow a change management procedure with every change
being recorded with the reason for the change. Information Technology Assurance Framework
(ITAF) 3rd edition issued by ISACA provides the following standards to be followed by IS
Auditors:
1201.1 IS audit and assurance professionals shall plan each IS audit and assurance
engagement to address:
 Objective(s), scope, timeline and deliverables
 Compliance with applicable laws and professional auditing standards
 Use of a risk-based approach, where appropriate
 Engagement-specific issues
 Documentation and reporting requirements
1201.2 IS audit and assurance professionals shall develop and document an IS audit or
assurance engagement project plan, describing the:
 Engagement’s nature, objectives, timeline and resource requirements
 Timing and extent of audit procedures to complete the engagement
Risk Assessment in Planning
1202.1 The IS audit and assurance function shall use an appropriate risk assessment approach
and supporting methodology to develop the overall IS audit plan and determine priorities for the
effective allocation of IS audit resources.
31
1202.2 IS audit and assurance professionals shall identify and assess risk relevant to the area
under review, when planning individual engagements.
1202.3 IS audit and assurance professionals shall consider subject matter risk, audit risk and
related exposure to the enterprise.
Steps for Audit Planning
 Gain an understanding of the business’s mission, objectives, purpose and processes,
which include information and processing requirements such as availability, integrity,
security and business technology and information confidentiality.
 Understand changes in business environment of the auditee
 Review prior work papers
 Identify stated contents such as policies, standards and required guidelines, procedures
and organisation structure
 Perform a risk analysis to help in designing the audit plan
 Set the audit scope and audit objectives
 Develop the audit approach or audit strategy
 Assign personnel resources to the audit
 Address engagement logistics.
2.7 Objectives of IS Controls

IS audit requiring primarily review of Controls in the IS environment and provide
recommendations on areas of weaknesses. The objective of IS controls is to ensure risk
management processes are implemented as per the risk management strategy which involves
risk avoidance, risk elimination where possible, risk reduction or risk transfer and finally risk
acceptance. Hence, controls should result in risk remediation. IS Controls can be classified into
3 broad categories: Fiduciary which focuses on regulatory requirements, quality which focuses
on efficiency and effectiveness and security which covers confidentiality, integrity and
availability of information. These are the seven information criteria for implementing controls as
per COBIT 2019. It is important for IS Auditors to understand controls and control objectives as
these forms the most important criteria used for evaluation. Every IS Audit would have a
combination of these controls which are used at the time of scoping the assignment.
32
IS Audit in Phases
Reliability
Fiduciary
Compliance
Efficiency
Objectives of IS Quality
Controls Effectiveness
Confidentiality
Security Integrity
Availability
2.7.1 Principles of Fiduciary

Reliability: It relates to the provision of appropriate information for management to operate the
entity and exercise its fiduciary and governance responsibilities. The objective behind the
rationale being that information and the information processes should be reliable at any given
point of time and the same are accessible as and when needed.
Compliance: It deals with complying with laws, regulations and contractual regulations to which
the business is subjected to e.g. externally imposed business criteria as well as internal policies.
For any business to succeed, there is a need for compliance with regulations, hence one of the
principles embedded in the framework deals with compliance parameters for all regulations at
any given point of time.
2.7.2 Principles of Quality

Efficiency: It is a measure of whether the right amount of resources have been used to deliver
a Process, Service or Activity. An Efficient Process achieves its Objectives with the minimum
amount of time, money, people or other resources. Efficiency is one of the measures needed to
determine value for money. It concerns the ratio of inputs (economy) to outputs (effectiveness)
and is sometimes referred to as 'bangs per buck'. Typical measures will include money, time,
people and quality.
Effectiveness: It is a measure of whether the objectives of a process, service or activity have
been achieved. An Effective Process or Activity is one that achieves its agreed Objectives.
Effectiveness, or Cost Effectiveness, is one of the measures needed to determine value for
money. It concerns the cost of the outputs from an activity and the conformance of those outputs
to a specification or need. Any investment that increases the cost of providing IT services should
33
result in an enhancement to service quality or quantity. If this is not so, then the business case
must be quite clear about why the change is necessary.
2.7.3 Principles of Security (CIA)

Confidentiality: It refers to preventing the disclosure of information to unauthorized individuals
or systems and maintain Privacy i.e. the ability to control or restrict access so that only
authorized individuals can view information. One of the underlying principles of confidentiality
is "need-to-know" or "least privilege". In effect, access to vital information should be limited only
to those individuals who have a specific need to see or use that information. Confidentiality is
necessary for maintaining the privacy of the people whose personal information a system holds.
For example, a credit card transaction on the Internet requires the credit card number to be
transmitted from the buyer to the merchant and from the merchant to a transaction processing
network. The system attempts to enforce confidentiality by encrypting the card number during
transmission, by limiting the places where it might appear (in databases, log files, backups,
printed receipts, and so on), and by restricting access to the places where it is stored. If an
unauthorized party obtains the card number in any way, a breach of confidentiality has occurred.
Integrity: Integrity of Information means it is accurate and reliable and has not been subtly
changed or tampered with by an unauthorized party or program. Integrity includes:
 Authenticity: The ability to verify that content has not changed in an unauthorized manner.
 Non-repudiation & Accountability: The origin of any action on the system can be verified
and associated with a user.
The term Integrity is used frequently when considering Information Security as it represents one
of the primary indicators of security (or lack of it). The integrity of data is not only whether the
data is 'correct', but whether it can be trusted and relied upon. Integrity involves maintaining the
consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be
changed in transit, and steps must be taken to ensure that data cannot be altered by
unauthorized persons.
Availability: For any information system to serve its purpose, the information must be available
when it is needed. This means that the computing systems used to store and process the
information, the security controls used to protect it, and the communication channels used to
access it must be functioning correctly. High availability systems aim to remain available at all
times, preventing service disruptions due to power outages, hardware failures, and system
upgrades. Ensuring availability also involves preventing denial-of-service attacks. It is the
assurance that the systems are available when needed by those who need them.
It is important to note that confidentiality, integrity and availability are not the exclusive concern
of information security. Business continuity planning places a significant emphasis on protecting
the availability of information as part of the overall objective of business recovery. Common
back office procedures, such as maker/checker, quality assurance, change control, etc. along
34
IS Audit in Phases
with such regulatory areas as SOX 404(LODR of SEBI - the Indian version of Sarbanes Oxley
Act i.e. SOX 2002) focus on ensuring the integrity of information.
The CIA Triad is entirely concerned with information. While this is the core factor of most IT
security, it promotes a limited view of security that tends to ignore some additional, important
factors. For instance, while Availability might serve to ensure that one does not lose access to
resources that are needed to provide information when it is needed but thinking in terms of
information security, Availability in itself in no way guarantees that someone else isn't making
unauthorized use of your hardware resources.
2.8 Understanding the IT Environment of Auditee

IS Auditors will have to understand the business processes of the enterprise and organization
structure to be able to perform an effective audit. This understanding of the business process
has to be coupled with understanding of the enterprise’s policies, procedures and practices as
implemented. An enterprise executes its business operations through its staff. The staff needs
to have defined job responsibilities, which are provided in the organizational structure. The
organization structure needs to have internal control structure. IT implementation in the
enterprise makes it imperative that the internal control structure is built into the IT as deployed.
Further, IT impacts the way business operations could be performed and internal controls are
implemented. Hence, it is critical for auditors to understand the organization structure of the
enterprise being audited as relevant to the objectives and scope of the assignment. The four
key areas which have to be specifically understood by the IS Auditors are explained here.
Auditor may follow the guidelines mentioned in SA 315 of ICAI to understand the entity and its
environment.
2.8.1 Business of the Entity

The IS Auditor should obtain a preliminary knowledge of the entity and of the nature of
ownership, management, regulatory environment and operations of the entity. Industry factors
and indicators affecting the entity, e.g. market and competitive forces, technology or service
delivery mechanism, key business risk, legislation and regulatory framework should be
understood.
Entity specific information of management, ownership, board composition with key personnel,
corporate ethics and policies, details on information systems of financial package and Enterprise
Resource Planning (ERP) systems (wherever implemented) and IT controls are few areas, not
exclusive, which the IS Auditors should acclimatize with, which shall enable them to plan and
perform the audit.
2.8.2 Organization Structure

Some of the organizational structure activities are task allocation, coordination and supervision,
35
which are directed towards the achievement of organizational aims. It can also be considered
as the viewing glass or perspective through which individuals see their organization and its
environment. Organizational structure allows the allocation of responsibilities for different
functions and processes to different sub sets of organisation such as
the branch, department, workgroup and individual. The IS Auditor has to factor in the manner in
which the organization is setup to understand roles and responsibilities, policy frameworks, etc.
to ensure efficiency and effectiveness of audit.
2.8.3 IT Infrastructure
The IS Auditor has to obtain understanding of the IT infrastructure of the entity. As a part of
developing the audit plan, the IS Auditor has to keep in mind the present IT infrastructure
capacities, the age of hardware and software, licensing agreements, third party vendor
agreements etc. which all information is essential during the development of the IS audit plan.
This ensures that the plan is effective and efficient. IS Auditors can accordingly plan their
assessment testing on various areas like architecture testing, vulnerability testing, and other
control tastings etc.
2.8.4 Regulations, Standards, Policy, Procedures, Guidelines &

Practices
The IS auditor should ensure that specific regulatory requirements as applicable for the
assignment are included as one of the primary criteria for evaluation. The specific steps for
understanding this would include:
 Identify various regulations that are applicable to the organisation, depending on the
nature of the organisation
 Identify compliance requirements under all the regulations as identified above for the
organisation.
SA 250 “Considerations of laws and regulations in conducting an Audit” mentions that the auditor
has to obtain just a general understanding of the laws and regulations applicable to the
organisation and he should alert the management of the material non compliances and the
applicable penalties thereof, found during the engagement.
The auditor can exclusively perform engagements under any of the regulatory enactments to
ensure compliance depending on the nature of business organisation.
Information Technology Act 2000 (Amended in 2008)
Section 7A Audit of Documents etc. maintained in Electronic Form states that where in any law
for the time being in force, there is a provision for audit of documents, records or information,
that provision shall also be applicable for audit of documents, records or information processed
and maintained in electronic form.
36
IS Audit in Phases
Section 43A of the (Indian) Information Technology Act, 2000 provides that a body corporate
possessing, dealing or handling any sensitive personal data or information in a computer
resource which it owns, controls or operates and is negligent in implementing and maintaining
reasonable security practices and procedures resulting in wrongful loss or wrongful gain to any
person, then such body corporate may be held liable to pay damages by way of compensation
to the person so affected. It is important to note that there is no upper limit specified for the
compensation that can be claimed by the affected party in such circumstances.
The IT Amendment Act 2008 recognizes and punishes offences by companies and individual
(employee) actions. For example: Section 66 to 66F and 67 deal with the following crimes:
 Sending offensive messages using electronic medium or using body corporate’s IT for
unacceptable purposes
 Dishonestly stolen computer resources
 Unauthorized Access to computer resources
 Identity theft/Cheating by impersonating using computer
 Violation of privacy
 Cyber terrorism/Offences using computer
 Publishing or transmitting obscene material
Under Section 72A of the (Indian) Information Technology Act, 2000, disclosure of information,
knowingly and intentionally, without the consent of the person concerned and in breach of the
lawful contract has been also made punishable with imprisonment for a term extending to three
years or fine extending to INR 5,00,000 or with both.
Sarbanes Oxley Act, 2002 (SOX)
As per section 404 of Sarbanes Oxley Act, 2002 (SOX), the independent Auditor of the
organization is required to opine on the effectiveness of internal controls over financial reporting
in addition to the Auditor's opinion on the fair presentation of the organization's financial
statements.
Section 404 draws attention to the significant processes that feed and comprise the financial
reporting process for an organization. In order for management to make its annual assessment
on the effectiveness of its internal controls, the management is required to document and
evaluate all controls that are deemed significant to the financial reporting processes.
Public Company Accounting Oversight Board (PCAOB)
PCAOB released Auditing Standard 5 “An audit of Internal Control over Financial Reporting that
is integrated with an Audit of Financial Statements”. This standard establishes requirements and
provides direction that applies when an Auditor is engaged to perform an audit of management's
assessment of the effectiveness of internal control over financial reporting ("the audit of internal
37
control over financial reporting") that is integrated with an audit of the financial
statements. Effective internal control over financial reporting provides reasonable assurance
regarding the reliability of financial reporting and the preparation of financial statements for
external purposes. If one or more material weaknesses exist, the company's internal control
over financial reporting cannot be considered effective.
LODR – Listing Obligations & Disclosure Requirements of SEBI on

Corporate Governance
Audit Committee
As per the above regulation of SEBI, the role of the Audit Committee has sharpened with specific
responsibilities including recommending appointment of Auditors and monitoring their
independence and performance, approval of related party transactions, scrutiny of inter-
corporate loans and investments, valuation of undertaking/assets etc. Audit committee is
contemplated as a major vehicle for ensuring controls, sound financial reporting and overall
good corporate governance.
Some of the reviews done by the Audit committee are as follows:
 Internal audit reports relating to internal control weaknesses; and
 The appointment, removal and terms of remuneration of the Chief internal Auditor shall
be subject to review by the Audit Committee
ISO/IEC 27000 Family
ISO/IEC 27000 describes the overview and the vocabulary of information security management
systems, which form the subject of the ISMS family of standards, and defines related terms and
definitions.
ISO/IEC 27001:2013 formally specifies an Information Security Management System (ISMS), a
suite of activities concerning the management of information security risks. The ISMS is an
overarching management framework through which the organization identifies, analyses and
addresses its information security risks. The ISMS ensure that the security arrangements are
fine-tuned to keep pace with changes to the security threats, vulnerabilities and business
impacts - an important aspect in such a dynamic field, and a key advantage of ISO/IEC
27001:2013 flexible risk-driven approach.
ISO/IEC 27001:2013 is a formalized specification for an Information System Management
System (ISMS) with two distinct purposes:
1. It lays out, at a high level, what an organization can do in order to implement an ISMS.
2. It can (optionally) be used as the basis for formal compliance assessment by accredited
(certified) IS Auditors in order to certify an organization.
ISO/IEC 27002:2013 is a code of practice - a generic, advisory document, not a formal
38
IS Audit in Phases
specification such as ISO/IEC 27001:2013. It recommends information security controls

addressing information security control objectives arising from risks to the confidentiality,
integrity and availability of information.
The standard is structured logically around groups of related security controls. Many controls
could have been put in several sections but to avoid duplication and conflict, they were arbitrarily
assigned to one and, in some cases, cross-referenced from elsewhere. For example, a card-
access-control system for, say, a computer room or archive vault is both an access control and
a physical control that involves technology plus the associated management/administration and
usage procedures and policies.
Regulators’ guidelines
Financial regulators Reserve Bank of India & SEBI have issued various guidelines over the last
few years and all of them bear various control procedures and directives for implementing
security and best practices in the financial organisations. Some of the important guidelines are
mentioned below:
 Working Committee Guidelines on Cyber Security, IS Audit, IT Security, BCP etc.
(Gopalakrishna Committee report) issued on 29.04.2011
 Cyber Security Guidelines and Framework (02/06/2016)
 IT and Cyber Risk Management (10/10/2016)
 Fraud Risk Management – do’s and don’ts (01/02/2017)
 Report on working group of FinTech and Digital Banking (08/02/2018)
 SEBI circular on Cyber Security Framework
 Section 143 of Companies ACT- requirement of IFC’s.
2.9 Frameworks and Best Practices of IS Audit

2.9.1 ITAF (3rd edition)
ISACA has issued Information Technology Assurance Framework (ITAF) which is a
comprehensive and good-practice-setting reference model that:
 Establishes standards that address audit and assurance professionals’ roles and
responsibilities; knowledge and skills; and diligence, conduct and reporting requirements
 Defines terms and concepts specific to IS assurance
 Provides guidance and tools and techniques on the planning, design, conduct and
reporting of IS audit and assurance assignments
ITAF audit and assurance standards are divided into three categories:
39
 General standards (1000 series)—Are the guiding principles under which the IS
assurance profession operates. They apply to the conduct of all assignments, and deal
with the IS audit and assurance professional’s ethics, independence, objectivity and due
care as well as knowledge, competency and skill.
 Performance standards (1200 series)—Deal with the conduct of the assignment, such
as planning and supervision, scoping, risk and materiality, resource mobilization,
supervision and assignment management, audit and assurance evidence, and the
exercising of professional judgment and due care.
 Reporting standards (1400 series)—Address the types of reports, means of
communication and the information communicated.
ITAF audit and assurance guidelines provide the auditor with information and direction about an
IS audit or assurance area. In line with the three categories of standards outlined above,
guidelines focus on the various audit approaches, methodologies and related material to assist
in planning, executing, assessing, testing and reporting on IS processes, controls and related
IS audit or assurance initiatives. Guidelines also help clarify the relationship between
organisation activities and initiatives, and those undertaken by IT.
2.9.2 COBIT 2019 Framework: Principles, Components and Core

Models
COBIT 2019 is a globally accepted framework and caters for the governance and management
of enterprise information and technology, aimed at the whole enterprise. COBIT defines the
components and design factors to build and sustain a best-fit governance system.
COBIT 2019 framework helps ensure effective enterprise governance and management of
Information and Technology, facilitating easier, tailored implementation and also plays an
important role as a driver of innovation and business transformation.
COBIT 2019 helps organisations to manage IT related risk and ensures compliance, continuity,
security and privacy. It enables clear policy development and good practice for IT management
including increased business user satisfaction. The key advantage in using a generic framework
such as COBIT 2019 is that it is useful for organisations of all sizes, whether commercial, not-
for-profit or in the public sector.
Governance System Principles of COBIT 2019

COBIT 2019 simplifies governance challenges with just 6 principles. The six key principles for
governance and management of enterprise Information and Technology in COBIT taken
together enable the organisation to build an effective governance and management framework
that optimizes information and technology investments and use for the benefit of stakeholders.
Principles 1: Provide Stakeholder Value: Enterprises exist to create value for their
40
IS Audit in Phases
stakeholders by maintaining a balance between the realization of benefits and the optimization
of risk and use of resources. COBIT 2019 provides all of the required processes and other
enablers to support business value creation through the use of IT. Because every enterprise
has different objectives, the enterprise can customize COBIT 2019 to suit its own context
through the goals cascade, translating high level enterprise goals into manageable specific IT
related goals and mapping these to specific processes and practices.
The COBIT 2019 goals cascade is the mechanism to translate stakeholder drivers and needs
to specific, actionable and customised enterprise goals and aligning the Goals; Governance and
Management objectives.
Principle 2: Holistic Approach: Efficient and effective governance and management of
enterprise I & T require a holistic approach, taking into account several integrating components.
COBIT 2019 defines a set of seven components of Governance system to support the
implementation of a comprehensive governance and management system for enterprise I & T.
Enablers are broadly defined as anything that can help to achieve objectives of the enterprise.
Principle 3: Dynamic Governance System: A Governance system should be dynamic. This
means that each time one or more of the design factors changes (e.g., a change in strategy or
technology), the impact of these changes on the Enterprise Governance of Information and
Technology (EGIT) system must be considered. A dynamic view of EGIT will lead towards a
viable and future proof EGIT system.
Principle 4: Governance distinct from Management: The COBIT 2019 framework makes a
clear distinction between governance and management. These two disciplines encompass
different types of activities that require different organizational structures and serve different
purposes.
 Governance: It ensures that stakeholders needs, conditions and options are evaluated
to determine balanced, agreed on enterprise objectives to be achieved; setting direction
through prioritization and decision making, and monitoring performance and compliance
against agreed on direction and objectives. In most organizations the governance is the
responsibility of the board of directors under the leadership of the chairperson. Specific
governance responsibilities many be delegated to special organizational structures at an
appropriate level, especially in larger, complex organizations.
 Management: It plans, builds, runs and monitors activities in alignment with the
directions set by the governing body to achieve the objectives. In most of the enterprises;
management is the responsibility of the executive management under the leadership of
the Chief Executive Officer (CEO).
From the definition of governance and management it is clear that they comprise different types
of activities, with different responsibilities. However, given the role of governance to evaluate,
direct and monitor, a set of interactions is required between governance and management to
41
result in an efficient and effective governance system.

Principle 5: Tailored to Enterprise Needs: A Governance system should be customized to the
enterprise needs, using a set of design factors as parameters to customise and prioritise the
Governance system components.
Principle 6: End to End Governance System: A governance system should cover the
enterprise from end to end, focussing on not only the IT function but on all technology and
information processing the enterprise puts in place to achieve its goals, regardless of its location
in the enterprise.
Governance Framework Principles
COBIT-2019 talks about three governance framework principles in addition to the above six
Governance Systems principles. They are:
1. Based on conceptual model
2. Open and flexible
3. Aligned to major standard
Components of Governance System
Components are enablers and are factors that, individually and collectively, influence whether
something will work, in this case, governance and management over enterprise IT. Enablers are
driven by the goals cascade, i.e. higher-level IT related goals defining what the different
enablers should achieve.
The seven components of Governance system are:
 Processes
 Organizational structures
 Information flows and items
 People, skills and competence
 Policies and procedures
 Culture, ethics and behaviour
 Services, infrastructure and applications
Core Governance and Management Objectives in COBIT 2019
The Governance and Management objectives are grouped into 5 domains. There are 40 core
objectives.
Governance objectives are grouped in the Evaluate, Direct and Monitor domain. Basic five
objectives are Ensured Governance Framework Setting and Maintenance, Ensured Benefit
Delivery, Ensured Risk Optimisation, Ensured Resource Optimisation and Ensured Stakeholder
Engagement.
42
IS Audit in Phases
Management Objectives are grouped into 4 domains.

1. Align, Plan and Organise (APO)
This domain addresses the overall organization, strategy and supporting activities for I&T. The
objectives are Managed IT & Management framework, strategy, enterprise architecture,
innovation, portfolio, budget & costs, human resources, relationships, service agreements,
vendors, quality, risk, security and finally data.
2. Build, Acquire and Implement (BAI)
This domain treats the definition, acquisition and implementation of I&T solutions and their
integration in business processes. The objectives are managed programs, requirement
definition, solution identification & build, availability & capacity, organisational change, IT
changes, IT change acceptance & transitioning, Knowledge, Assets, configuration and projects.
3. Deliver, Service and Support (DSS)
This domain addresses the operational delivery and support of I&T services, including security.
The objectives are managed operations, service requests & incidents, problems, continuity,
security services and business process controls.
4. Monitor, Evaluate and Assess (MEA)
This domain addresses performance monitoring and conformance of I&T with internal
performance targets, internal control objectives and external requirements. The objectives are
managed performance & conformance monitoring, system of internal controls, compliance with
external requirements and assurance.
Using COBIT 2019 for IS Assurance
COBIT 2019 has been engineered to meet expectation of multiple stakeholders, it is designed
to deliver benefits to both an enterprise’s internal stakeholders, such as the board, management,
employees, etc. as well as external stakeholders – customers, business partners, external IS
Auditors, shareholders, consultants, regulators, etc. It is written in a non-technical language and
is therefore, usable not only by IT professionals and consultants but also by senior management
personnel, assurance providers, regulators for understanding and addressing IT related issues
as relevant to them. Globally from the GRC perspective, COBIT has been widely used with
COSO by management, IT professionals, regulators and Auditors (internal/external) for
implementing or evaluating governance and management practices from an end to end
perspective.
In the rapidly changing digital world, enterprises are inundated with new demands, stringent
regulations and risk scenarios emerging daily, making it critical to effectively govern and
manage information and related technologies. This has resulted in enterprise leaders being
under constant pressure to deliver value to enterprise stakeholders by achieving business
objectives. This has made it imperative for management to ensure effective use of information
43
and technology investments and related IT for not only supporting enterprise goals but also to
maintain compliance with internally directed and externally imposed regulations. This dynamic
changing environment provides a challenge for Chartered Accountants (as assurance providers)
to provide assurance with the required level of confidence. However, with the right type of skills
and toolsets, this provides an excellent opportunity for Chartered Accountants to act as
consultants, who provide relevant IT enabled services. A key component of this knowledge base
is usage of globally accepted good practices and frameworks and developing a holistic
approach, which meets the needs of stakeholders.
Evaluating the System of Internal Controls
COBIT 2019 has specific process: “MEA 02 Managed System of Internal Control”, which
provides guidance on evaluating and assessing internal controls implemented in an enterprise.
Such review would provide assurance on the transparency for key stakeholders on the adequacy
of the system of internal controls and this provides trust in operations, confidence in the
achievement of enterprise objectives and understanding of residual risks. The key management
practices for assessing and evaluating the system of internal controls in an enterprise are as
follows:
 Monitor internal controls
 Review business process controls effectiveness
 Perform control self-assessment
 Identify and report control deficiencies
2.10 Risk Assessment

As soon as the audit engagement begins, the IS Auditor should identify all the risks that are
present in the IT Environment. IS Auditors have to perform a risk assessment to provide
reasonable assurance that all material items will be adequately covered during the assignment.
Based on this the required audit strategies, materiality levels and resource requirements can
then be developed. The IS Auditor should perform this step bearing in mind that the risks
identified in this stage would be evaluated for the controls that have been incorporated to treat
the risk. Thus, the IS Auditor can focus on the high-risk areas and decide the sampling that
would be performed on the identified areas. The risks can be identified by reviewing the factors
implemented by the enterprise:
1. Reviewing IT principles, policies and frameworks.
2. Reviewing processes, including risk, function-specific details and activities.
3. Reviewing organizational structures.
4. Observing culture, ethics and behavioural factors of the employees.
5. Risk-specific information types for enabling risk governance and management within the
44
IS Audit in Phases
enterprise.
6. With regard to services, infrastructure and applications, review service capabilities
required to provide risk and related functions to an enterprise.
7. For the people, skills and competencies enabler, review the skills and competencies
specific for risk.
The key business applications in use at a client are identified and addressed at a high level, in
order to incorporate them into the future planning process. The controls within the client
business application systems residing on the various platforms are evaluated during the course
of the review. The management of the enterprise is expected to continually examine and make
judgment on - the effect of risk on the current and future use of IT in the enterprise, consider
whether the enterprise risk appetite is appropriate and that risk to enterprise value related to
the use of IT is identified and managed.
2.10.1 Guidance on Risk Assessment by ISACA

The guidance provided by ISACA on risk assessment to be performed by IS Auditor is outlined
here. When planning ongoing activities, the IS audit and assurance function should:
 Conduct and document, at least annually, a risk assessment to facilitate the development
of the IS audit plan.
 Include, as part of the risk assessment, the organisational strategic plans and objectives
and the enterprise risk management framework and initiatives.
 For each IS audit and assurance engagement, quantify and justify the amount of IS audit
resources needed to meet the engagement requirements.
 Use risk assessments in the selection of areas and items of audit interest and the
decisions to design and conduct particular IS audit and assurance engagements.
 Seek approval of the risk assessment from the audit stakeholders and other appropriate
parties.
 Prioritise and schedule IS audit and assurance work based on assessments of risk.
 Based on the risk assessment, develop a plan that:
— acts as a framework for IS audit and assurance activities
— considers non-IS audit and assurance requirements and activities
— is updated at least annually and approved by those charged with governance
— addresses responsibilities set by the audit charter
When planning an individual engagement, IS audit and assurance professionals should:
 Identify and assess risks relevant to the area under review.
45
 Conduct a preliminary assessment of the risks relevant to the area under review for each
engagement.
Objectives for each specific engagement should reflect the results of the preliminary risk
assessment.
 In considering risk areas and planning a specific engagement, consider prior audits,
reviews and findings, including any remedial activities. Also consider the board’s
overarching risk assessment process.
 Attempt to reduce audit risk to an acceptable level, and meet the audit objectives by an
appropriate assessment of the IS subject matter and related controls, while planning and
performing the IS audit.
 When planning a specific IS audit procedure, recognise that the lower the materiality
threshold, the more precise the audit expectations and the greater the audit risk.
 To reduce risk for higher materiality, compensate by either extending the test of controls
(reduce control risk) and/or extending the substantive testing procedures (reduce
detection risk) to gain additional assurance.
2.10.2 Risk Management steps

Risk management process practices, input/output and activities describe the following steps to
be undertaken to assess risk:
Collect Data
1. Identify and collect relevant data to enable effective IT related risk identification, analysis
and reporting.
2. Establish and maintain a method for the collection, classification and analysis of IT risk-
related data, accommodating multiple types of events, multiple categories of IT risk and
multiple risk factors.
3. Record relevant data on the enterprise’s internal and external operating environment that
could play a significant role in the management of IT risk.
4. Survey and analyse the historical IT risk data and loss experience from externally
available data and trends, industry peers through industry-based event logs, databases,
and industry agreements for common event disclosure.
5. Record data on risk events that have caused or may cause impacts to IT benefit/value
enablement, IT program and project delivery, and/or IT operations and service delivery.
Capture relevant data from related issues, incidents, problems and investigations.
6. For similar classes of events, organize the collected data and highlight contributing
factors. Determine common contributing factors across multiple events.
46
IS Audit in Phases
7. Determine the specific conditions that existed or were absent when risk events occurred
and the way the conditions affected event frequency and loss magnitude.
8. Perform periodic event and risk factor analysis to identify new or emerging risk issues
and to gain an understanding of the associated internal and external risk factors.
Analyze Risk
1. Develop useful information to support risk decisions that consider the business relevance
of risk factors.
2. Define the appropriate breadth and depth of risk analysis efforts, considering all risk
factors and the business criticality of assets. Set the risk analysis scope after performing
a cost-benefit analysis.
3. Build and regularly update IT risk scenarios, including compound scenarios of cascading
and/or coincidental threat types, and develop expectations for specific control activities,
capabilities to detect and other response measures.
4. Estimate the frequency and magnitude of loss or gain associated with IT risk scenarios.
Consider all applicable risk factors, evaluate known operational controls and estimate
residual risk levels.
5. Compare residual risk to acceptable risk tolerance and identify exposures that may
require a risk response.
6. Analyze cost-benefit of potential risk response options such as avoid, reduce/mitigate,
transfer/share or accept and exploit/seize. Propose the optimal risk response.
7. Specify high-level requirements for projects or programmers that will implement the
selected risk responses. Identify requirements and expectations for appropriate key
controls for risk mitigation responses.
8. Validate the risk analysis results before using them in decision making, confirming that
the analysis aligns with enterprise requirements and verifying that estimations were
properly calibrated and scrutinized for bias.
SA 315 – Standard on Risk Assessment procedures issued by ICAI is also applicable for risk
assessment pertaining to IS Audit assignment. This requires that the IS Auditor perform Risk
Assessment Activities.
2.10.3 Risk Assessment Procedures and related Activities

The IS Auditor shall perform risk assessment procedures to provide a basis for the identification
and assessment of risks and assertion levels. Risk assessment procedures by themselves,
however, do not provide sufficient appropriate audit evidence on which to base the audit opinion.
The risk assessment procedures shall include:
47
(a) Inquiries of management and of others within the entity who in the IS Auditor’s judgment
may have information that is likely to assist in identifying risks.
(b) Analytical procedures.
(c) Observation and inspection.
When the IS Auditor intends to use information obtained from the IS Auditor’s previous
experience within the entity and from audit procedures performed in previous audits, the IS
Auditor shall determine whether changes have occurred since the previous audit that may affect
its relevance to the current audit. The IS Auditor shall then assess the risks which are present
in the business environment and in the internal control system that influence the information
systems and determine the nature and extent of the audit engagements on the relevant subjects.
2.10.4 Use of Risk Assessment in Audit Planning

When determining the functional areas to be audited, the IS Auditor could face a large variety
of audit subjects. Each of these subjects may represent different types of risk. The IS Auditor
should evaluate these various risk candidates to determine the high-risk areas to audit.
There are many risk assessment methodologies, computerized and non-computerized from
which the IS Auditor may choose. These range from simple classifications of high, medium and
low, based on the IS Auditor’s judgment, to complex scientific calculations that provide a
numeric risk rating.
One such risk assessment approach is a scoring system that is useful in prioritizing audits based
on an evaluation of risk factors. The system considers variables such as technical complexity,
level of control procedures in place and level of financial loss. These variables may or may not
be weighted. The risk values are then compared to each other and audits are scheduled
accordingly. Another form of risk assessment is judgmental, where an independent decision is
made based on business knowledge, executive management directives, historical perspectives,
business goals and environmental factors. A combination of techniques may be used as well.
Risk assessment methods may change and develop over time to best serve the needs of the
organization. The IS Auditor should consider the level of complexity and detail appropriate for
the organization being audited.
2.11 Governance and Management Controls

2.11.1 IT General Controls areas
A general controls’ review attempts to gain an overall impression of the controls that are present
in the environment surrounding the information systems. These include the organizational and
administrative structure of the IS function, the existence of policies and procedures for the day-
to-day operations, availability of staff and their skills and the overall control environment. It is
48
IS Audit in Phases
important for the IS auditor to obtain an understanding of these as they are the foundation on
which other controls are built.
A general controls’ review would also include the infrastructure and environmental controls. A
review of the data centre or information processing facility should cover the adequacy of air
conditioning (temperature, humidity), power supply (uninterruptible power supplies, generators)
and smoke detectors/fire suppression systems, a conducive clean and dust free environment,
protection from floods and water seepage as well as neat and identifiable electrical and network
cabling.
Physical access control is another important area for review. Today in a highly networked world,
logical access to computer systems is literally universal, yet there is a necessity to control
physical access too. There are certain commands and settings that can be executed only from
the console of the server and hence it is important to enclose all servers in a secure location
protected by suitable mechanisms like locked doors, access swipe cards, biometric access
devices or a combination of these. Further, the IS auditors should also review the overall access
control measures to the entire facility for controls like security guards at the entry gates,
displaying of identification badges and logging visitors’ access.
IT General controls are controls that are around the applications. These controls support the
healthy maintenance and general security of the applications and the IT processes present.
These processes include Change Management, Logical and Physical Access Management,
Backup and Recovery procedures, Incident Management, Job and Batch Scheduling,
procedures for review of security within Operating systems and databases etc.
IT General controls are controls that are not specific to any application, but exist in an IT
environment. The general controls are designed for the environment as a whole and are all
pervasive. If the IT General controls are not effective it may not be possible to rely on other
controls within the IT environment i.e. the application controls. Some of the IT General Controls
are as follows:
Operating System Controls
Operating System (OS) is the computer control program. It allows users and their applications
to share and access common resources, such as processor, main memory, database and
printers. It performs the main tasks of scheduling jobs, managing hardware and software
resources, maintaining system security, enabling multiuser resource sharing, handling interrupts
and maintaining usage records. To enhance usability, the Operating System must manage these
resources so that these are available to each authorized user. Moreover, each user must be
able to execute a job without regard to the other users.
Auditors often pay little attention to Operating System controls. Breaches of operating systems
controls could have catastrophic effect. The OS must be protected from user processes and
should be robust. Among various controls of OS, limiting administrator account access,
safeguarding domain controller, implementing adequate password policy and access control
49
mechanism for OS, deactivating default accounts, regular patch management, implementing
updated anti-virus solution, hardening of OS etc. would help the system to remain secure.
Organisational Controls
These controls are concerned with the decision-making processes that lead to management and
authorization of transactions. Companies with large data processing facilities separate data
processing from business units to provide control over its costly hardware, software, and human
resources. Combining data processing into the business units would be too much responsibility
for one manager. Organizational control techniques include documentation of:
 Definition of responsibilities and objectives of each function,
 Policies and procedures,
 Job descriptions, and
 Segregation of duties.
(i) Responsibilities and objectives: Each IS function must be clearly defined and documented,
including systems software, application programming and systems development, database
administration, and operations. The senior manager of all these groups, and managers of the
individual groups make up the IS management team responsible for the effective and efficient
utilization of IS resources. Their responsibilities include:
 Providing information to senior management on the IS resources, to enable senior
management to meet strategic objectives;
 Planning for expansion of IS resources;
 Controlling the use of IS resources; and
 Implementing activities and functions that support accomplishment of company’s
strategic plan.
(ii) Policies, standards, procedures and practices: Policies establish the rules or boundaries
of authority delegated to individuals in the enterprise. Procedures establish the instructions that
must be followed for completing the assigned tasks. Mandating all requests for changes to
existing programs must be approved by user and IS management before programmers and
analysts can work on them is an example of a policy. Documented instructions for filling out a
standard change request form, how to justify the costs of the change, how to specify the changes
needed, how to obtain approvals, and from whom obtain the approvals are examples of
procedures. Documented policies should exist in IS for:
 Use of IS resources,
 Physical security,
 Data security
50
IS Audit in Phases
 On-line security,
 Use of Information Systems (Acceptable use policy),
 Reviewing, evaluating, and purchasing hardware and software,
 System development methodology, and
 Application program changes.
Documented procedures should exist for all data processing activities.
(iii) Job Descriptions
These communicate management’s specific expectations for job performance. Job procedures
establish instructions on how to do the job and policies define the authority and responsibility of
the employee. All jobs must have a current documented job description readily available to the
employee. Job descriptions establish responsibility and the accountability of the employee’s
actions.
(iv) Segregation of Duties
Segregation of duties refers to the concept of distribution of work responsibilities such that
individual employees are performing only the duties stipulated for their respective jobs and
positions. The main purpose is to prevent or detect errors or irregularities by applying suitable
controls. It reduces the likelihood of errors and wrongful acts. Organization structure and allied
controls should be structured in a manner that ensure the highest level of separation of duties.
Critical factors to be considered in segregation of duties in a computerized information system
are:
 Nature of business operations;
 Managerial policy;
 Organization structure with job description; and
 IT resources deployed such as: Operating system, Networking, Database, Application
software, technical staff available, IT services provided in-house or outsourced,
centralized or decentralized IT operations etc.
Segregation of duties is the most common control technique aimed at separating conflicting job
duties, primarily to discourage fraud, because separating duties makes collusion necessary to
commit a fraud. Such separation can also force an accuracy check of one-person’s work by
another, so that employees to some extent police each other. Examples of segregation of duties
are, separating:
 Systems software programming group from the application programming group;
 Database administration group from other data processing activities;
 Computer hardware operations from other groups;
51
 Systems analyst functions from the programming function;

 Application programming group from operations and data preparation group.
 Physical, data, and online security group(s) from the other IS functions; and
 IS Audit from business operations groups.
It is the responsibility of the senior management to implement division of roles and
responsibilities, which should exclude the possibility for a single individual to subvert a critical
process. Management should also make sure that personnel are performing only those duties
stipulated for their respective jobs and positions. From a functional perspective, segregation of
duties should be maintained between the following functions:
 Information systems use,
 Data entry,
 Computer operations,
 Network management,
 System administration,
 Data Base administration
 Systems development and maintenance,
 Change management,
 Security administration, and
 Security audit.
Guidelines on Segregation of Duties
There are various general guidelines on ‘Segregation of Duties’, which may be followed in
addition to the basic concepts like, maker should not be the checker:
 Separate those, who can run live programs e.g. operations department, from those who
can change programs e.g. programmers. This is required in order to ensure that
unauthorized programs are prevented from running.
 Separate those, who can access the data e.g. data entry and the DBA, from those who
can run programs e.g. computer operators. This is required in order to ensure that
unauthorized data entry cannot take place.
 Separate those, who can input data e.g. data entry, from those, who can reconcile or
approve data e.g. data authorization persons. This is required in order to ensure that
unauthorized data entry cannot take place.
 Separate those, who can test programs e.g. users, quality assurance and security, from
those, who can develop programs e.g. application programmers. This is required in order
52
IS Audit in Phases
to ensure that unauthorized programs cannot be allowed to run.

 Separate those, who can enter errors in a log e.g. data entry operator, who transfer the
data to an error log, from those who can correct the errors like the end user departments.
This is required in order to ensure that unauthorized data entry cannot take place.
 Separate those, who can enter data e.g. data entry personnel, from those who can access
the database e.g. the DBA. This is required in order to ensure that unauthorized data
entry or data modification cannot take place.
Management Controls
The controls adapted by the management of an enterprise are to ensure that the information
systems function correctly and they meet the strategic business objectives and needs. The
management has the responsibility to determine whether the controls that the enterprise system
has put in place are enough to ensure that the IT activities are adequately controlled. The scope
of control here includes framing high level IT policies, procedures and standards on a holistic
view and in establishing a sound internal controls framework within the organization. The high-
level policies establish a framework on which the controls for lower hierarchy of the enterprise
follow. The controls flow from the top of an organization to down; the responsibility still lies with
the senior management. The control considerations while reviewing management controls in an
IS system shall include:
 Responsibility: The strategy to have a senior management personnel responsible for
the IS within the overall organizational structure.
 An IT Organization Structure: There should be a prescribed IT organizational structure
with documented roles and responsibilities and agreed job descriptions.
 An IT Steering Committee: The steering committee shall comprise of representatives
from all areas of the business, and IT personnel. The committee would be responsible for
the overall direction of IT. Here the responsibility lies beyond the accounting and financial
systems; for example, the telecommunications system (phone lines, videoconferencing)
office automation, and manufacturing processing systems.
Financial Controls
These controls are generally defined as the procedures exercised by the system user personnel
over source, or transactions origination, documents before system input and control over
transactions processing using reports generated by the computer applications to reflect un-
posted items, non-monetary changes, item counts and amounts of transactions for settlement
of transactions processed and reconciliation of the applications (subsystem) to general ledger.
The financial control techniques are numerous. A few examples are highlighted here:
 Authorization: This entails obtaining the authority to perform some act typically
accessing assets such as accounting or application entries.
53
 Budgets: These are estimates of the amount of time or money expected to be spent
during a particular period, project, or event. The budget alone is not an effective control.
Budgets must be compared with the actual performance, including isolating differences
and researching them for a cause and possible resolution.
 Cancellation of documents: This marks a document in such a way to prevent its reuse.
This is a typical control over invoices marking them with a “paid” or “processed” stamp or
punching a hole in the document.
 Documentation: This includes written or typed explanations of actions taken on specific
transactions. It also refers to written or typed instructions, which explain the performance
of tasks.
 Dual control: This entails having two people simultaneously access an asset. For
example, the depositories of banks’ 24-hour teller machines should be accessed and
emptied with two people present, many people confuse dual control with dual access, but
these are distinct and different. Dual access divides the access function between two
people: once access is achieved, only one person handles the asset. With teller
machines, for example, two tellers would open the depository vault door together, but
only one would retrieve the deposit envelopes.
 Input/ output verification: This entails comparing the information provided by a
computer system to the input documents. It can be monetary (dollar value) or non-
monetary fields like item counts/item sequence number.
 Safekeeping: This entails physically securing assets, such as computer disks, under lock
and key, in a desk drawer, file cabinet storeroom, or vault.
 Sequentially numbered documents: These are working documents with pre-printed
sequential numbers, which enables the detection of missing documents.
 Supervisory review: This refers to review of specific work by a supervisor but this control
requires a sign-off on the documents by the supervisor, in order to provide evidence that
the supervisor at least handled them. This is an extremely difficult control to test after the
fact because the auditor cannot judge the quality of the review unless he or she witnesses
it, and, even then, the auditor cannot attest to what the supervisor did when the auditor
was not watching.
Data Management Controls
Data management controls fall in two categories – Access Controls and Back up Controls.
 Access controls are designed to prevent unauthorized individuals from viewing, retrieving,
computing or destroying the entity’s data.
 Back up controls are designed to ensure the availability of data in the event of its loss
due to unauthorized access, equipment failure or physical disaster. The organization can
54
IS Audit in Phases
restore its files and databases from backups.

Data Processing Controls
These controls are related to hardware and software and include procedures exercised in the
IS environment. These controls are applicable to on-line transaction processing systems,
database administration, media library, application program change procedures, data centre
operations etc.
Physical Access Controls
These controls are procedures exercised to control access to IT resources by
employees/outsiders. The controls relate to establishing appropriate physical security and
access control measures for IT facilities, including off-site use of information devices in
conformance with the general security policy. These Physical security and access controls
should also cover supporting services (such as electric power), backup media and any other
elements required for the system’s operations. Access should be restricted to authorized
individuals only. Where IT resources are located in public areas; they should be appropriately
protected to prevent or deter loss or damage from theft or vandalism.
Logical Access Controls
Logical access controls are implemented to ensure that access to systems, data and programs
is restricted to authorized users so as to safeguard information against unauthorized use,
disclosure or modification, damage or loss. The key factors considered in designing logical
access controls include confidentiality and privacy requirements, authorization, authentication
and incident handling, reporting and follow-up, virus prevention and detection, firewalls,
centralized security administration, user training and tools for monitoring compliance, intrusion
testing and reporting.
System Development Controls
These controls are targeted to ensure that proper documentation and authorizations are
available for each phase of the system development process. It includes controlling new system
development activities and includes six activities of System authorization activities, user
specification activities, technical design activities, internal IS Auditor’s participation, program
testing and user test & acceptance procedures as a part of the system development controls.
These are covered in detail in module-3.
Business Continuity Planning Controls
These controls are related to having an operational and tested IT continuity plan, which is in line
with the overall business continuity plan, and its related business requirements so as to make
sure IT services are available as required and to ensure a minimum impact on business in the
event of a major disruption. The controls include criticality classification, alternative procedures,
back-up and recovery, systematic and regular testing and training, monitoring and escalation
processes, internal and external organizational responsibilities, business continuity activation,
55
fall-back and resumption plans, risk management activities, assessment of single points of
failure and problem management. These are covered in detail in subsequent module.
System Maintenance Controls
System maintenance controls include controls on changes to program logic, additional controls
insertions and regular data base maintenance activities. These are needed for efficient
functioning of present systems/ correction/ upgradation of software solutions.
Computer Centre Security Controls
Computer centre security aims at restricting access to computer systems, infrastructure, data
and network components and also protection from natural and environmental threats housing
the above in a computer centre. The controls can be: Physical security controls, software & data
security controls, data communication security controls and environmental security controls.
Physical security attempts to restrict breach of access to computers and unauthorized access
to records. Software and data security ensures that there is use of passwords, authorizations,
screening and logs of all activity of the entity. Data communication security is implemented by
terminal locks, encryption of data, network administration, sign on user identifiers etc.
Internet and Intranet Controls
There are two major exposures in the communication sub-system - 1. Component failure and 2.
Subversive threats. Component failure can cause failure of transmission between sender and
receiver. Subversive threats are invasion attempts to violate the integrity of some
components/data in the system. These can provide intruders with important information about
messages being transmitted and the intruder can manipulate these messages. The controls
against component failures include building component level redundancy, avoiding single point
of failures, using tested and robust systems. Controls against subversive threats include
hardening of systems, patch management, use of updated anti -virus solutions, firewalls, IDS,
encryption etc.
Personal Computers Controls

The major risks related to personal computers are the physical theft/damage as logical controls
are very weak or missing. The controls refer to safeguard mechanisms for personal computers,
pen drives and external drives etc. against the risk of theft of hardware, data/information.
Audit Trails
Audit trails are logs that can be designed to record activity at the system, application, and user
level.
2.11.2 IT Application Controls

Application software is the software that processes business transactions. The application
56
IS Audit in Phases
software could be a payroll system, a retail banking system, an inventory system, and a billing
system or, possibly, an integrated ERP (enterprise resource planning) system. It is the
application software that understands data in reference to their business context. The rules
pertaining to the business processes are implemented in the application software.
Most users interact with the computer systems only through the application software.
Application Controls are controls within the application. These controls can be effective only if
the aggregate evaluation on the ITGC (Information Technology General Controls) processes
are concluded as effective and support the applications adequately. This is so, as IT General
controls are pervasive in nature and if they are not effective, effective operation of application
controls cannot be ensured.
There are two types of application controls - i.e. Automated Controls (Fully automated, no
human judgement or requirement), the other being Manual controls (these are semi-automated
controls requiring an input or action from a human in addition to the execution by IT systems).
It is very important to subject application software to a thorough audit because the business
processes and transactions involving money, material and services flow through the application
software.
The first question to ask in an application software review is, "What does the application
software do; what business function or activities does it perform?" In this context it is very
necessary for the IS auditor to know the business. For application reviews, the IS auditor's
knowledge of the intricacies of the business is as important, if not more so, as the technical
knowledge. Hence the first step in an application review is to understand the business
function/activity that the software serves. This can be done through the study of the
operating/work procedures of the organization or other reference material. The other alternative
is by interviewing the personnel.
Once this is done, it is necessary to identify the potential risks associated with the business
activity/function served by the application (i.e. what can go wrong?) and to see how these risks
are handled by the software (i.e. what controls are in place to mitigate those risks).
IT Applications controls are the controls over input, processing and output functions. The
objectives of application controls are:
 Input data is accurate, complete, authorized and correct.
 Data is processed in an acceptable time period.
 Ensure that the internal processing produces the expected results.
 Processing accomplishes the desired tasks
 Data stored is accurate and complete
 Output is accurate and compete and protected from unauthorized disclosure
A record is maintained to track the data from input to storage and to the eventual output.
57
Some of the categories of application control are as follows:

1. Boundary Controls
Controls to ensure that access to the application is restricted only to authorized users and that
it protects systems from unauthorized access.
The objective of boundary controls is to prevent unauthorized access to applications and their
data. Such data may be in any stage - in input, processing, transit or output or at rest. The
controls restrict user access in accordance with the business policy of an organization and its
structure; and protect other associated applications, systems softwares, databases and utilities
from unauthorized access.
Access controls may be implemented by using any of the logical security techniques embedded
in the application software. Besides access security implemented at the operating system and/or
database management systems level, a separate access control mechanism is required for
controlling access to application. The application is to have boundary controls to ensure
adequate access security to prevent any unauthorized access to:
 Applications themselves
 Application data during communication or transit
 Stored application data
 Resources shared with other processes
2. Input Controls
Controls to ensure that only complete, accurate and valid data and instructions form an input to
the application.
Input controls address the following:
(a) Source Document Design
(b) Data entry screen design
(c) Data code controls
(d) Batch Controls
(e) Data Input Validation Controls
(f) Data Input Error Handling and Reporting controls
(g) Instruction Input Controls
3. Processing Controls
Controls to ensure that there is only authorized processing and integrity of processes and data
is ensured. Data processing controls perform validation checks to identify errors during the
58
IS Audit in Phases
processing of data. They are required to ensure both the completeness and accuracy of the
data being processed. Some of the data processing controls are as follows:
 Run to run totals
 Reasonableness verification
 Edit checks
 Exception reports
4. Data File Controls
Controls to ensure that data resident in the files are maintained consistently with the assurance
of integrity and confidentiality of the stored data.
Some of the data file controls are as follows:
 Version usage
 Internal and external labelling
 Data file security
 Before and after image and logging
 File updating and maintenance authorization
 Parity checking
5. Output Controls
Controls to ensure that output is delivered to the users in a consistent and timely manner in the
format prescribed/required by the user. Output controls ensure that the data delivered to users
will be presented, formatted and delivered in a consistent and secured manner. Output can be
in any form: either printed data report or a database file in a removable media such as a floppy
disk, CDROM or removable hard disk. Whatever be the type of output, its confidentiality,
integrity, and consistency is to be maintained. The following form a part of output controls:
 Storage and logging of sensitive, critical forms
 Logging of output program executions
 Spooling / queuing
 Controls over printing
 Report distribution and collection controls
 Retention controls
6. Existence Controls
59
Existence controls ensure the continued availability of the application system and data in a
consistent manner to the users. These form an integral part of the input, processing and output
controls. Recovery of the application system from failures and restoration of both standing data
as well as transaction data is very critical. Therefore, existence controls should include backup
and recovery procedures of data. This requires secure storage of data files. Existence controls
over processing of data should include adequate checkpoint/restart controls that recover the
process from a failure without having to repeat the entire process from the beginning. Existence
controls should also be exercised over output to prevent loss of output in any form.
As noted earlier, If IT General Controls are not effective, we cannot proceed to rely on the
Application controls and the auditor is required to execute substantive procedures i.e. detailed
procedures to obtain the necessary comfort required to provide assurance.
2.11.3 Scope and steps of IS Audit of Application software

The information systems audit of application software should mainly cover the following areas:
 Adherence to business rules in the flow and accuracy in processing
 Validations of various data inputs
 Logical access control and authorization
 Exception handling and logging
The steps to be performed in carrying out an application software review are as follows:
 Study and review of documentation relating to the application. However, the IS auditor
may find situations in real life where documentation is not available or is not updated. In
such cases, the auditor should obtain technical information about the design and
architecture of the system through interviews.
 Study key functions of the software at work by observing and interacting with operating
personnel during work. This gives an opportunity to see how processes actually flow and
also observe associated manual activities that could act as complementary controls.
 Run through the various menus, features and options to identify processes and options
for conformance to business rules and practices. (Studying the documentation before this
can significantly hasten the activity.) To illustrate with an example, it is a well-accepted
rule in financial accounting that once an accounting transaction has been keyed in and
confirmed on the system to update the ledgers, it should not be editable. The correct
method would be to pass a reversal transaction to correct errors, if any. However, if the
IS auditor observes that there is an option in the software to "edit/modify transactions,"
this would be noted as a control deficiency for correction. This kind of run-through can be
done more effectively if a development/test system is made available to the IS auditor. In
the absence of such a facility, the auditor only can watch the system run by the system
administrator and make notes. The auditor is advised not to do any testing on a production
60
IS Audit in Phases
system as this could affect adversely a "live" system.

 Validate every input to the system against the applicable criteria. Such validations go a
long way in eliminating errors and ensuring data integrity. Apart from simple validations
for numeric, character and date fields, all inputs should be validated with range checks,
permissible values, etc. Validation checks that are built on application-specific logic can
act as powerful controls not only for ensuring data accuracy but also to prevent
undesirable data manipulations. The IS auditor can check validations by actually testing
them out in the test system. Alternatively, looking at the database definitions, the
associated triggers and stored procedures would be the way for a technically savvy IS
auditor to review the validations.
 Verify access control in application software. This consists of two aspects--the inherent
design of the access control module and the nature of access granted to various users
and its maintenance. Every application software has several modules/options/menus that
cater to different functionalities provided by the software. Different users will need access
to various features based on their responsibilities and job descriptions. All access should
be strictly based on the need to know and do. The design of the access control module
may be of varied types. Most software would check a combination of user id and
passwords before allowing access. Access may be controlled for each module, menu
option, each screen or controlled through objects. Often the matrix of users versus the
options/actions becomes too large and complex to maintain hence it is normal to define
certain roles for different classes of employees and group them together and assign them
similar access. The IS auditor should review the design of the access control module
keeping in mind the criticality of the functions/actions possible in the software and
evaluate whether the design provides the level of control and granularity to selectively
and strictly allows access as per the job requirements of all the users.
Having done this, the auditor should proceed to verify whether all existing users have
appropriate access as evidenced by their job descriptions and whether access to certain
critical activities are allowed only to select personnel duly authorized. It is also necessary
to verify who has administrator/Super-user rights and how such rights are
used/controlled. Ideally, no one in the development group should have any access to the
production data. All actions on the data by the Super-User should be logged and verified
by the data owners regularly.
 Verify how errors and exceptions are handled. At times, software provides options and
ways to reverse transactions, correct errors, allow transactions under special
circumstances, etc. Each one of these is special to the business and based on the rules
and procedures defined by the organization. The IS auditor needs to see how the software
handles these. Are these circumstances properly authorized in the software? Does it
capture the user id and time stamp for all transactions to provide suitable trails? Are the
exceptions and critical activities like updates to global parameters logged for independent
review at a later stage.
61
 Identify all weaknesses found at the end of an applications review in the software that
could lead to errors or compromises in security. These would need to be corrected by
either changes in design and/or some recoding. While this would be addressed by the IT
department, the user or owner of the application from the functional area would want to
know if any of these weaknesses have been exploited by anyone and whether there have
been any losses. To provide an answer to this question, the IS auditor should download
all the data for the period in question and run a series of comprehensive tests using an
audit software and determine if any error or fraud really occurred or not.
 Evaluate the environment under which the application runs. The audit of the application
software alone is not enough. Generally, it is prudent to conduct a security review of the
operating system upon which the application runs and the databases it uses/updates
while doing an application review.
All critical applications used in an organization need to be subjected to detailed review by an IS
auditor. This is one of the most important aspect of IS audit for a business. The job of application
review becomes more complex as the application becomes larger and integrated. While auditing
complex applications, it is always good to start with a generic industry-based template of an
audit work program and slowly customize the work program to the specific situation as the audit
progresses. Such audit programs and templates can be obtained from various resources
including ISACA.
2.12 Creation of Risk Control Matrix (RCM)

An IS Audit is performed using the Risk Based approach. An IS Auditor charts a Risk and Control
Matrix and uses the same for the audit engagement. The risk matrix details the risks that have
been identified in the Risk Assessment phase. A typical RCM would consist of the following:
 A series of spreadsheets marking a single process (Purchase Process), application
(Custom Business Application), area (Information security, Logical Security, Physical
security) etc.
 Each Spread sheet would contain generally the following columns –
o Risk No, Risk in depth
o Control Objective – This column would contain the control(s) that is ideal to counter
the identified risk.
o Control number
o Control Implemented – The control that is implemented by the enterprise to counter
the risk.
In addition to the above columns, the RCM may also be used as an Audit Notebook which
contains the details of the control owner, process owner, testing plans and results, audit
62
IS Audit in Phases
observations, evidences, risk ranking, recommendations etc.

By using the RCM Methodology, an IS Auditor would be able to effectively identify and evaluate
the controls that are in place. This way adequacy of the controls would be evaluated better and
thus the IS Auditor would be able to provide better assurance with regards to the controls that
are in place and their sufficiency.
2.13 Audit Sampling, Data Analysis and Business Intelligence

2.13.1 Audit Sampling
Audit sampling is defined as the application of audit procedures to less than 100 percent of the
population to enable the IS auditor to evaluate audit evidence about some characteristic of the
items selected to form or assist in forming a conclusion concerning the population.
ISACA has issued guideline on audit sampling which may be referred and used for sampling. It
states that the IS auditor should consider selection techniques that result in a statistically based
representative sample for performing compliance or substantive testing. Examples of
compliance testing of controls, where sampling could be considered, include user access rights,
program change control procedures, procedures for documentation, program documentation,
follow-up on exceptions, review of logs and software licenses audits. Examples of substantive
tests, where sampling could be considered, include re-performance of a complex calculation
(e.g., interest) on a sample of accounts or sample of transactions, etc.
SA 530 – Audit Sampling: This Standard on Auditing (SA) applies when the auditor has decided
to use audit sampling in performing audit procedures. It deals with the auditor’s use of statistical
and non-statistical sampling when designing and selecting the audit sample, performing tests of
controls and tests of details, and evaluating the results from the sample.
The IS auditor can use the following methods for sampling:
1. Statistical Sampling which includes methods of random sampling & systematic Sampling
2. Non-Statistical sampling which includes haphazard sampling, judgmental sampling.
While designing the sample the auditor should consider the objectives of the test and attributes
of the population from which the sample would be drawn. Also, the IS auditor has to keep in
mind the conditions that constitute errors in reference to the objectives of the test. When using
either statistical or non-statistical sampling methods, the IS auditor should design and select an
audit sample, perform audit procedures, and evaluate sample results to obtain sufficient,
reliable, relevant and useful audit evidence. The IS auditor can use the sampling technique
while assessing the controls designed in the environment. Based on the initial assessment, the
sample size can be increased or decreased to achieve the objective of assessing the tests of
existence and adequacy of control for the IT environment.
2.13.2 Data Analysis
63
In the digital decade, the need for IT governance and IS assurance services is gaining increasing
prominence. Rapid deployment of Information systems is making it imperative that Auditors have
practical knowledge of using IT as a tool for drawing inferences and gathering relevant and
reliable evidence as per requirements of the assignment. Computer Assisted Audit Techniques
(CAATs) provide the tools for Auditors to directly access digital information and facilitate in
conducting an effective and efficient audit. The need for understanding and auditing IT is not
only relevant for specialist IS Auditors but is imperative even for non-IS Auditors. Understanding
of data analysis tools and techniques will help auditors to not only perform their existing audits
more efficiently and effectively but also facilitate the auditors in knowing how to create and
execute new types of IT related audit assignments.
CAATs are a significant tool for auditors to gather information independently. CAATs can be
used in various types of Audits including IS Audits. CAATs provide a means to gain access and
to analyze data for a predetermined audit objective and to report the audit findings with
emphasis on the reliability of the records produced and maintained in the system. The reliability
of the source of the information used provides reassurance on findings generated. Auditors and
more particularly IS Auditors should have a thorough understanding of CAATs and know where
and when to apply them. Auditors to be effective in auditing IT environments need to gain
practical experience in using CAATs for various audit and assurance assignments.
The use of Data analytics tools and techniques helps the IS auditor to improve audit approaches,
unlike in the traditional approach which is based on a cyclical process involving manually
identifying controls, performing tests and sampling a small population to measure the
effectiveness. Data analytics can also help in fraud detection.
The IS auditor can use data analytics by which insights are extracted from financial, operational
and other forms of electronic data, internal or external to the organization. These insights can
be historical, real time or predictive and can also be risk-focused enabling the IS auditor to cover
the audit from all dimensions and ensure effectiveness of audit.
An IS auditor can use data analytics for the following purposes:
 Determination of the operational effectiveness of current control environment
 Determination of the effectiveness of anti-fraud procedures and controls
 Identification of business process improvements and efficiencies in the control
environment and errors, if any
 Identification of exceptions or unusual business results
 Identification of frauds
 Identification of areas where poor data quality exists
 Performance of risk assessment at the planning phase of an audit
Data Analytics can be effective for an IS Auditor in both planning and fieldwork phases of the
64
IS Audit in Phases
audit. Data analytics can be used to accomplish the following:

 Comparing logical access files with the human resources employee master files for
authorised users
 Comparing file library settings with data from change management systems and dates of
the file changes that can be matched to date of authorised events
 Reviewing table or system configuration settings
 Reviewing system logs for unauthorised access or unusual activities
 Testing system conversion/ migration.
2.13.3 Business Intelligence

Business intelligence (BI) is a set of theories, methodologies, architectures, and technologies
that transform raw data into meaningful and useful information for business purposes. BI
encompasses the collection and analysis of information to assist decision making and assess
organizational performance. BI can handle enormous amount of structured as well unstructured
data to help identify, develop and otherwise create new opportunities.
2.13.4 Analytical Review Procedures: CAAT Tools

Analytical Review Procedures
Analytical review procedures may be defined as substantive tests for a study of comparisons
and relationship among data. An accounting system, whether it is manual or computer-based,
is subject to mismanagement, error, fraud, and general abuse. The most direct way to combat
these potential problems is to implement and maintain a strong system of internal controls for
preventing and for detecting errors and irregularities.
The underlying attributes of computer based transactional systems make the task of auditing
more complex and therefore, the auditors may be required to rely upon use of CAAT tools.
 Absence of input documents: Data may be entered directly into the computer system
without supporting documents. In some on-line transaction systems written evidence of
data entry authorization (for example, approval for order entry) may be replaced by other
procedures, such as authorization controls contained in computer programs (for example,
credit limit approval).
 Lack of visible transaction trail: Certain data may be maintained on computer files only.
In a manual environment, it is normally possible to follow a transaction through the system
by examining source documents, books of account and reports. In a computerized
environment, however, the transaction trail may be partly in machine-readable form, or it
may exist only for a limited period of time.
 High volume of transactions being processed.
65
 Dispersed and different sources of input and distributed processing.
2.14 Compliance Testing

Compliance testing is the process of evidence gathering for the purpose of testing an
organization’s compliance with control procedures. Compliance review determines if controls
are being applied in accordance with organizational policies. For example, if the IS Auditor is
concerned about whether production program library controls are working properly, the IS
Auditor might select a sample of programs to determine if the source and object versions are
the same. The broad objective of any compliance test is to provide IS Auditors with reasonable
assurance that the control on which the IS Auditor plans to rely is operating as perceived in the
preliminary evaluation. Compliance Procedures help obtain reasonable assurance that those
internal controls on which audit reliance is to be placed are operating effectively.
It is important that the IS Auditor understands the specific objective of a compliance test and of
the control being tested. Compliance tests can be used to test the existence and effectiveness
of a defined process, which may include a trail of documentary and/or automated evidence, for
example, to provide assurance that only authorized modifications are made to production
programs.
The IS Auditor needs to ensure that internal controls exist, are operating effectively and being
operating continuously throughout the period under audit to ensure that they can be relied upon.
By performing Compliance tests, the IS Auditors can ascertain the existence, effectiveness and
continuity of the internal control system. Examples of compliance testing of controls where
sampling could be considered include user access rights, program change control procedures,
documentation procedures, program documentation, follow up of exceptions, review of logs,
software license audits, etc.
Test of controls are audit procedures executed to ascertain the design effectiveness and
operating effectiveness of the controls and the attributes. This is evaluation at a process level
and not at a transactional level (which is more granular level as transaction is a result of
execution of a process). If the IS Auditor conclude a control as ineffective, then the auditor has
no option but to exercise substantive audit procedures on the application/process.
2.15 Substantive Testing

In substantive testing, evidence is gathered to evaluate the integrity of individual transactions,
data or other information. Substantive Procedures are tests designed to obtain evidence to
ensure the completeness, accuracy and validity of the data. A substantive test verifies the
integrity of actual processing. It provides evidence of the validity and integrity of financial
statements, and the transactions that support these balances. IS Auditors could use substantive
tests to test for monetary errors directly affecting financial statement balances, or other relevant
data.
66
IS Audit in Phases
Substantive testing validates the details of financial transactions and balances. In contrast,
compliance testing concentrates on validating the internal control procedures in place over
those financial transactions. Substantive testing validates the amounts of the transactions
themselves. Substantive Testing are performed in every audit and are sometimes known as
default procedures. These procedures relate to checking the completeness, accuracy and
validity of the data produced by the enterprise. Further, if auditor concludes that a compliance
test is ineffective then the auditor has no option but to exercise substantive audit procedures on
the application/process.
Examples of substantive tests where sampling could be considered include performance of a
complex calculation on a sample of accounts or a sample of transactions to vouch for supporting
documentation, etc.
2.16 Design and Operational Effectiveness

2.16.1 Design Effectiveness
Testing of Design and Operational Effectiveness would be performed by the IS Auditor on every
identified control. Testing of Design Effectiveness refers to the working design of the control as
documented. It is a blueprint of the control. The IS Auditor evaluates in general that the
documented control is effective to mitigate the risk. It can be evaluated by reviewing the policies,
procedure documents, brainstorming sessions etc.
A walkthrough of a business process and the risks and controls within it can help evaluate its
design effectiveness for compliance. Performing a walkthrough of the relevant functions or
transactions and tracing them all the way through the whole process, from initiation, through
authorization, recording, processing and reporting will assist with the identification or existence
of control activities to establish whether control activities are being performed (i.e. are in place),
and appraisal of the design of the controls, as well as substantiating the accuracy of process
documentation.
A walkthrough is an end to end evaluation, step-by-step of a process and its controls to verify
and validate understanding on the operations of the process and its associated controls and to
evaluate whether the controls, if operated as designed can effectively mitigate risk to an
acceptable level. In conducting the walkthrough, it would be ensured that sufficient evidence
exists, and that reconciliations are being prepared and reviewed. Where there is such an
evidence, it can be concluded that the control is operatively effective and that its design is
effective.
Evaluation of design effectiveness is critical because only properly designed controls are
capable of operating effectively. A control deficiency exists when the design or operation of a
control, does not prevent or detect failures on a timely basis.
2.16.2 Operational Effectiveness
67
Testing of Operating Effectiveness refers to actual performance of the Control in the IT

Environment. The IS Auditor should evaluate the key controls that he intends to rely on for the
purpose of audit. The purpose of operational self-testing is to gather sufficient documented
evidence to enable a conclusion and testimony whether or not the controls are operating in
practice.
The IS Auditor will evaluate the effectiveness and efficiency of the control and would gain
reasonable assurance whether the said control is sufficient to counter the identified risk. The IS
Auditor would primarily check that the control is working to its expectations in accordance with
its documented design.
Sample based self-testing. This involves the selection of samples (for each control tested)
from the entire population of the particular control being tested, and the performance of specific
test procedures on the selected sample. Testing requires accurately documented controls that
are tested to ensure conformance to a requirement and, therefore, compliance.
The test will begin either from initiating documents in a process such as purchase order /
requisitions, for the Purchasing Process or from the end of the process, i.e. the records in the
accounting system. This flow of the test is determined by the assertions that need to be
addressed. Once the sample has been selected from the complete population, evidence must
be obtained that the control has been performed. For example, for a manual authorization
control, the evidence will be the signature of the person who executes that control.
Documented evidence must be obtained to ascertain that the control has been performed as
designed. For manual controls; the evidence that the control has been performed should be
available through physical records created.
For system controls, the evidence of the control will be obtained through obtaining appropriate
reports and screen shots to prove that the system configuration, system access, and system
reports are as documented within the design. System controls, once established either they
work, or they do not. Evidence gathered to prove that a system control operated also proves
that the control operated consistently and effectively.
Manual controls, however, are subject to human error, and therefore auditor should test the
quality of the control to gain assurance that the control has operated consistently and effectively.
For example, a signature on a User Access request does not necessarily mean that the person
has carefully reviewed it. The signature itself does not provide sufficient evidence that the
control has operated as intended; therefore, we also need to test that the control that has been
implemented performs correctly.
This would involve selecting a sample of the user access request process that is being tested
and inspecting that the details on user access requests followed the process, so as to provide
after the fact evidence that the individual carefully reviewed the user access request before
approving it and was authorized to do so.
68
IS Audit in Phases
2.17 Audit Evidence: Methods

Evidence is any information used by the IS Auditor to determine whether the entity or data being
audited follows the established criteria or objectives, and supports audit conclusions. It is a
requirement that the IS Auditor’s conclusions be based on sufficient, relevant, competent and
appropriate audit evidence. When planning the IS audit, the IS Auditor should consider the type
of audit evidence to be gathered, its use as audit evidence to meet audit objectives and its
varying levels of reliability.
Audit evidence may include the IS Auditor’s observations, notes taken from interviews, results
of independent confirmations obtained by the IS Auditor from different stakeholders, material
extracted from correspondence and internal documentation or contracts with external partners,
or the results of audit test procedures. While all evidence will assist the IS Auditor in developing
audit conclusions, some evidence is more reliable than others. The rules of evidence and
sufficiency as well as the competency of evidence must be considered as required by audit
standards.
2.17.1 Evaluating Audit Evidence

Determinants for evaluating the reliability of audit evidence include:
 Independence of the provider of the audit evidence: Evidence obtained from outside
sources is more reliable than from within the organization. This is why confirmation letters
are used for verification of accounts receivable balances.
 Qualifications of the individual providing the information/evidence: Whether the
providers of the information/evidence are inside or outside of the organization, the IS
Auditor should always consider the qualifications and functional responsibilities of the
persons providing the information. This can also be true of the IS Auditor. If an IS Auditor
doesn’t have a good understanding of the technical area under review, the information
gathered from testing that area may not be reliable, especially if the IS Auditor doesn’t
fully understand the test.
 Objectivity of evidence: Objective evidence is more reliable than evidence that requires
considerable judgment or interpretation. An IS Auditor’s review of media inventory is
direct, objective evidence. An IS Auditor’s analysis of the efficiency of an application,
based on discussions with certain personnel, may not be objective audit evidence.
 Timing of the evidence: The IS Auditor should consider the time during which
information exists or is available in determining the nature, timing and extent of
compliance testing and, if applicable, substantive testing.
The IS Auditor gathers a variety of evidence during the audit. Some evidence may be relevant
to the objectives of the audit, while other evidence may be considered as peripheral. The IS
Auditor should focus on the overall objectives of the review and not the nature of the evidence
gathered.
69
The quality and quantity of evidence must be assessed by the IS Auditor. These two
characteristics are referred to be competent and sufficient. Evidence is competent when it is
both valid and relevant. Audit judgment is used to determine when sufficiency is achieved in the
same manner that is used to determine the competency of evidence.
2.17.2 Types of Evidence

Physical examination: Is the inspection or count by the IS Auditor of a tangible asset. Most
often associated with inventory and cash, but it is also applicable to the verification of securities,
notes receivable and tangible fixed assets.
Confirmation: Is the receipt of a direct written response from a third party verifying the accuracy
of information that was requested by the IS Auditor. The request is made to the client, and the
client asks the third party to respond directly to the IS Auditor.
Documentation: Is the IS Auditor's inspection of the client's documents and records to
substantiate the information that is, or should be, included in the Financial Statements.
Documents can be INTERNAL (have been prepared or used within the client's organization and
are retained without going to an outside party) or EXTERNAL (have been handled by someone
outside the client's organization who is a party to the transaction being documented, which are
either currently held by the client or readily accessible).
Analytical procedures: Use comparisons and relationships to assess whether account
balances or other data appear reasonable compared to the IS Auditor's expectations. An IS
Auditor may compare the gross margin in the current year with the preceding years.
Inquiries of the Client: Is the obtaining of written or oral information from the client in response
to questions from the IS Auditor. This type of evidence is usually not conclusive because it is
not from an independent source. The IS Auditor must obtain additional evidence through other
procedures.
Recalculation: Involves rechecking a sample of calculations made by the client. Rechecking
client calculations consists of testing the client's arithmetical accuracy and includes such
procedures as extending sales invoices and inventory, adding journals and subsidiary records,
and checking the calculation of the depreciation expense and prepaid expenses etc.
Performance: Is the IS Auditor's independent tests of client accounting procedures or controls
that were originally done as part of the entity's accounting and internal control systems.
Observation: Is the use of the senses to assess client activities. Observation is rarely sufficient
by itself because of the risk of auditee changing their behaviour because of the IS Auditor's
presence.
SA 580 talk details about the written documentation as audit evidences.
70
IS Audit in Phases
2.17.3 Evidence Preservation

The evidence of a computer fraud/crime exists in the form of log files, file time stamps, contents
of memory, etc. Rebooting the system or accessing files could result in such evidence being
lost, corrupted or overwritten. Therefore, one of the first steps taken should be copying one or
more images of the attacked system. Memory content should also be dumped to a file before
rebooting the system. Any further analysis must be performed on an image of the system and
on copies of the memory dump and not on the original.
In addition to protect the evidence, it is also important to preserve the chain of custody. Chain
of custody is a term that refers to documenting, in detail, how evidence is handled and
maintained, including its ownership, transfer and modification. This is necessary to satisfy legal
requirements that mandate a high level of confidence regarding the integrity of evidence.
2.17.4 Standards on Evidence

Standards by ICAI
Standard on Auditing (SA) 230, “Audit documentation” deals with the Auditor’s responsibility to
prepare audit documentation for financial statements. As a good practice, the Auditor must
document work in all stages which helps in maintaining the same not only as a progress report
but later it can be used as evidence in courts of law.
Standard on Auditing (SA) 500, “Audit Evidence” explains what constitutes audit evidence in an
audit of financial statements, and deals with the Auditor’s responsibility to design and perform
audit procedures to obtain sufficient appropriate audit evidence to be able to draw reasonable
conclusions on which to base the Auditor’s conclusions. Hence, the Auditor should clearly
understand the importance of what constitutes as audit evidence and then the same should be
preserved as a part of audit procedure.
Standard on Auditing (SA) 580 “Written Representations” deals with the Auditor’s responsibility
to obtain written representations from the management and, where appropriate, those charged
with governance. The Auditor should document all the written representations as obtained from
the management as a part of working papers and the same can be produced in the court of law,
if the need arises.
Standards by ISACA
The standards by ISACA on evidence require following compliance by IS Auditors,
1205 Evidence
1205.1 IS audit and assurance professionals shall obtain sufficient and appropriate evidence to
draw reasonable conclusions on which to base the engagement results.
1205.2 IS audit and assurance professionals shall evaluate the sufficiency of evidence obtained
to support conclusions and achieve engagement objectives.
71
Guidance by ISACA on evidence covers following key aspects

In performing an engagement, IS audit and assurance professionals should:
 Obtain sufficient and appropriate evidence, including:
 The procedures as performed
 The results of procedures performed
 Source documents (in either electronic or paper format), records and corroborating
information used to support the engagement
 Findings and results of the engagement
 Documentation that the work was performed and complies with applicable laws,
regulations and policies
 Prepare documentation, which should be:
 Retained and available for a time period and in a format that complies with the
audit or assurance organisation’s policies and relevant professional standards,
laws and regulations.
 Protected from unauthorised disclosure or modifications throughout its preparation
and retention.
 Properly disposed of at the end of the retention period.
 Consider the sufficiency of the evidence to support the assessed level of control risk when
obtaining evidence from a test of controls.
 Appropriately identify cross-references and catalogue evidence.
 Consider properties such as the source, nature (e.g., written, oral, visual, electronic) and
authenticity (e.g., digital and manual signatures, stamps) of the evidence when evaluating
its reliability.
 Consider the most cost-effective and timely means of gathering the necessary evidence
to satisfy the objectives and risk of the engagement. However, difficulty or cost is not a
valid basis for omitting a necessary procedure.
 Select the most appropriate procedure to gather evidence depending on the subject
matter being audited (i.e., its nature, timing of the audit, professional judgement).
Procedures used to obtain the evidence include:
 Inquiry and confirmation
 Re-performance
 Recalculation
 Computation
72
IS Audit in Phases
 Analytical procedures
 Inspection
 Observation
 Other generally accepted methods
 Consider the source and nature of any information obtained to evaluate its reliability and
further verification requirements. In general terms, evidence reliability is greater when it
is:
 In written form, rather than oral expressions
 Obtained from independent sources
 Obtained by the professional rather than by the entity being audited
 Certified by an independent party
 Kept by an independent party
 The results of inspection
 The results of observation
 Obtain objective evidence that is sufficient to enable a qualified independent party to re-
perform the tests and obtain the same results and conclusions.
 Obtain evidence commensurate with the materiality of the item and the risk involved.
 Place due emphasis on the accuracy and completeness of the information when
information obtained from the enterprise is used by the IS audit or assurance
professionals to perform audit procedures.
 Disclose any situation where sufficient evidence cannot be obtained in a manner
consistent with the communication of the IS audit or assurance engagement results.
 Secure evidence against unauthorised access and modifications.
 Retain evidence after completion of the IS audit or assurance work as long as necessary
to comply with all applicable laws, regulations and policies.
2.18 Audit Documentation

As in any other audits, documentation of audit work forms a critical task which the IS Auditor
should retain in support of his audit work. Significant amount of information may be generated
during the course of the IS Auditor’s work. The IS Auditor is required to ensure that the evidence
obtained by him on which he bases his audit opinion is sufficient, reliable, relevant and useful
and enables effective achievement of audit objectives. The audit documentation generally
includes:
 Basic documents relating to the business, technology and control environment
73
 Documents relating to laws, regulations and standards applicable

 Preliminary review and how the audit objectives and scope were evaluated and agreed
upon.
 Documents relating to Risk analysis
 Audit plan and progress against plan, Audit programs
 Audit procedures as applied to the audit
 Audit findings, observations, inspection reports, management representations, logs, audit
trails and other related evidence
 Interpretation of audit evidence
 Audit Report issued
 Auditee observations and response to findings and recommendations.
 Reports by third party experts
 Peer Reviews
The audit working papers:
 Aid in the planning and performance of the audit
 Aid in the supervision and review of the audit work
 Provide evidence of the audit work performed to support the IS Auditor’s opinion
The IS Auditor’s work must be documented and organized in a standardized fashion for easy
reference in future audits and reference by other IS Auditors. For purposes of easy reference,
the documents may be organized as follows:
 Test work papers
 Permanent work papers
 Pending files
 Report files
Test working papers
The testing work papers, either electronic or otherwise are those prepared or obtained as a
result of the compliance and substantive testing procedures performed by the IS Auditor,
relevant to the audit engagement. Each working paper should follow a naming convention and
numbering convention for naming and numbering of the work papers. The files should also
contain a brief description of the content.
The compliance test files should contain documentation of:
74
IS Audit in Phases
 Review of the existing internal controls

 A summary of the tests conducted
 Documentation of procedures performed and tools used, if any.
 Supporting documentation of detailed tests
Substantive test files require the same elements as compliance test files except for the review
of existing internal controls.
Organization of audit working papers
Each document must describe the following:
 Objective – why the work was done?
 Work done – what was done?
 Finding – What issues arose?
 Risk – what are the risks associated with the finding, expressed in terms of impact on
business?
 Recommended action – what is being recommended?
 Action – what action was agreed with management?
Each working paper should be supported by evidence of the weaknesses observed.
Documentation Controls
Information systems audit documentation is the record of the audit work performed and the audit
evidence supporting the IS Auditor’s findings and conclusions.
Each working paper (or work paper) should be:
 Dated and manually or digitally signed by the person completing the work, and
 Referenced with a unique number
In case of work papers and evidence in electronic format, special care must be taken to ensure
their recoverability at any subsequent date with sufficient controls to prove the date of creation
and ensure protection against any modifications to the content or the state of such documents.
This would require the IS Auditor to use necessary technology such as use of appropriate media
for storage of electronic evidence and their assured recoverability, use of digital signatures for
protecting authenticity of documents, use of encryption techniques to safeguard the
confidentiality of such documents. The IS Auditor should also take care to ensure retention of
such audit documentation to be retained for sufficient length of period such that it complies with
legal, regulatory, professional and organizational requirements.
Audit documentation should include, at a minimum a record of
75
 Planning and preparation of the audit scope and objectives

 Description and/or walkthroughs on the scoped audit areas
 Audit program
 Audit steps performed and audit evidence gathered
 Use of services of other IS Auditors and experts
 Audit findings, conclusions and recommendations
 Audit documentation relation with document identification and dates
 A copy of the report issued as a result of the audit work.
 Evidence of audit supervisory review
Documents should include audit information that is required by laws and regulations, contractual
stipulations and professional standards. Audit documentation is the necessary evidence
supporting the conclusions reached, and hence should be clear, complete, easily retrievable
and sufficiently comprehensible. Audit documentation is generally the property of the auditing
entity and should be accessible only to authorized personnel under specific or general
permission. Where access to audit documentation is requested by external parties, the IS
Auditor should obtain appropriate prior approval of senior management and legal counsel.
The IS Auditor/IS Audit Department should also develop policies regarding custody, retention
requirements and release of audit documentation. The documentation format and media are
optional, but due diligence and best practices require that work papers are dated, initialled,
page-numbered, relevant, complete, clear, self-contained and properly labelled, filed and kept
in custody. Work papers may be automated. IS Auditors should particularly consider how to
maintain integrity and protection of audit test evidence to preserve their proof value in support
of audit results.
Audit documentation or work papers can be considered the bridge or interface between the audit
objectives and the final report. They should provide a seamless transition with traceability and
accountability from objectives to report and from report to objectives. Audit documentation
should support the findings and conclusions/opinion. Time of evidence sometimes will be crucial
to supporting audit findings and conclusions. The IS Auditor should take enough care to ensure
that the evidence gathered and documented will be able to support audit findings and
conclusions. An IS Auditor should be able to prepare adequate working papers, narratives,
questionnaires and system flowcharts.
IS Auditors being a scarce and expensive resource, any technology capable of increasing the
audit productivity is welcome. Automating work papers affects productivity directly and
indirectly. The quest for integrating work papers in the IS Auditor’s environment has resulted in
all major audit and project management packages, CAATs and expert systems offering a
complete array of automated documentation and import-export features.
76
IS Audit in Phases
2.19 Using work of another Auditor and Expert

Due to the scarcity of IS Auditors and the need for IT security specialists and other subject
matter experts to conduct audits of highly specialized areas, the audit department or IS Auditors
entrusted with providing assurance may require the services of other IS Auditors or experts.
Outsourcing of IS assurance and security services is increasingly becoming a common practice.
External experts could include experts in specific technologies such as networking, ATM switch
services, VAPT, wireless technologies, systems integration and digital forensics, or subject
matter experts such as specialists in a particular industry or area of specialization such as
banking, securities trading, insurance, legal experts etc.
When a part or all IS of audit services are proposed to be outsourced to another audit or external
service provider, the following should be considered about using the services of other IS
Auditors and experts:
 Restrictions on outsourcing of audit/security services provided by laws and regulations
 Audit charter or contractual stipulations
 Impact on overall and specific IS audit objectives
 Impact on Is audit risk and professional liability
 Independence and objectivity of other auditors and experts
 Professional competences, qualifications and experience
 Scope of work proposed to be outsourced and approach
 Supervisory and audit management controls
 Method and modalities of communication of results of audit work
 Compliance with legal and regulatory stipulations
 Compliance with applicable professional standards
Based on the nature of assignment, the following may also require special consideration:
 Testimonials/references and background checks
 Access to systems, premises and records
 Confidentiality restrictions to protect customer related information
 Use of CAATs and other tools to be used by the external audit service provider
 Standards and methodologies for performance of work and documentation
 Non-disclosure agreements
The IS Auditor or entity outsourcing the services should monitor the relationship to ensure the
objectivity and independence throughout the duration of the engagement. It is important to
77
understand that often, even though a part of or whole of the audit work may be delegated to an
external service provider, the related professional liability is not necessarily delegated.
Therefore, it is the responsibility of the IS Auditor or entity employing the services providers to:
 Clearly communicate the audit objectives, scope and methodology through a formal
engagement letter.
 Put in place a monitoring process for regular review of the work of the expert/external
service provider with regard to planning, supervision, review and documentation.
 Assess the usefulness and appropriateness of reports of such external providers, and
assess the impact of significant findings on the overall audit objectives.
ISACA standards require the following to be complied with by IS Auditor in using services of
external experts.
1206 Using the work of other Experts
 1206.1 IS audit and assurance professionals shall consider using the work of other
experts for the engagement, where appropriate.
 1206.2 IS audit and assurance professionals shall assess and approve the adequacy of
the other experts’ professional qualifications, competencies, relevant experience,
resources, independence and quality-control processes prior to the engagement.
 1206.3 IS audit and assurance professionals shall assess, review and evaluate the work
of other experts as part of the engagement, and document the conclusion on the extent
of use and reliance on their work.
 1206.4 IS audit and assurance professionals shall determine whether the work of other
experts, who are not part of the engagement team, is adequate and complete to conclude
on the current engagement objectives, and clearly document the conclusion.
 1206.5 IS audit and assurance professionals shall determine whether the work of other
experts will be relied upon and incorporated directly or referred to separately in the report.
 1206.6 IS audit and assurance professionals shall apply additional test procedures to
gain sufficient and appropriate evidence in circumstances where the work of other experts
does not provide sufficient and appropriate evidence.
 1206.7 IS audit and assurance professionals shall provide an appropriate audit opinion
or conclusion, and include any scope limitation where required evidence is not obtained
through additional test procedures.
SA 600, 610, 620 may also be referred for covering the reports of other experts.
78
IS Audit in Phases
2.20 Evaluation of Strengths and Weaknesses: Judging by

Materiality
The IS Auditor will review evidence gathered during the audit to determine if the operations
reviewed are all well controlled and effective. This is also an area that requires the IS Auditor’s
judgment and experience. The IS Auditor should assess the strengths and weaknesses of the
controls evaluated and determine if they are effective in meeting the control objectives
established as part of the audit planning process.
A control matrix is often utilized in assessing the proper level of controls. Known types of errors
that can occur in the area under review are placed on the top axis and known controls to detect
or correct errors are placed on the side axis. Then, using a ranking method the matrix is filled
with the appropriate measurements. When completed the matrix will substrate areas where
controls are weak or lacking.
In some instances, one strong control may compensate for a weak control in another area. For
example, if the IS Auditor finds weaknesses in a system’s transaction error report, the IS Auditor
may find that a detailed manual balancing process over all transactions compensates for the
weaknesses in the error report. The IS Auditor should be aware of compensating controls in
areas where controls have been identified as weak.
Where a compensating control situation occurs when one stronger control supports a weaker
one, overlapping controls may exit. Normally a control objective will not be achieved by
considering one control adequate. Rather the IS Auditor will perform a variety of testing
procedures and evaluate how these relate to one another. Generally, a group of controls when
aggregated together may act as compensating controls and thereby minimize the risk. An IS
Auditor should always review for compensating controls prior to reporting a control weakness.
The IS Auditor may not find each control procedure to be in place but should evaluate the
comprehensiveness of controls by considering the strengths and weaknesses of control
procedures.
Judging the Materiality of Findings
The concept of materiality is a key issue when deciding which findings to bring forward in an
audit report. Key to determining the materiality of audit findings is the assessment of what would
be significant to different levels of management. Assessment requires judging the potential
effect of the finding if corrective action is not taken. A weakness in computer security physical
access controls at a remote distributed computer site may be significant to management at the
site, but may not necessarily be material to senior management at headquarters. However, there
may be other matters at the remote site that could be material to senior management.
The IS Auditor must use judgment when deciding which findings to present to various levels of
management. For example, the IS Auditor may find that the transmittal form for delivering tapes
to the offsite storage location is not properly initialled or authorization evidenced by
management as required by procedures. If the IS Auditor finds that management otherwise pays
79
attention to this process and that there have been no problems in this area, the IS Auditor may
decide that the failure to initial transmittal documents is not material enough to bring to the
attention of upper management. The IS Auditor might decide to discuss this only with local
operations management. However, there may be other control problems that will cause the IS
Auditor to conclude that this is a material error because it may lead to a larger control problem
in other areas. The IS Auditor should always judge which findings are material to various levels
of management and report them accordingly.
2.21 Risk Ranking

Risks are typically measured in terms of impact and likelihood of occurrence. Impact scales of
risk should mirror the units of measure used for organizational objectives, which may reflect
different types of impact such as financial, people, and/or reputation. Similarly, the time horizon
used to assess the likelihood of risks should be consistent with the time horizons related to
objectives.
Risk rating scales may be defined in quantitative and/or qualitative terms. Quantitative rating
scales bring a greater degree of precision and measurability to the risk assessment process.
However, qualitative terms need to be used when risks do not lend themselves to quantification,
when credible data is not available, or when obtaining and analysing data is not cost-effective.
Organizations typically use ordinal, internal, and/or ratio scales. Ordinal scales define a rank
order of importance (e.g., low, medium, or high), interval scales have numerically equal distance
(e.g., 1 equals lowest and 3 equals highest, but the highest is not 3 times greater than the
lowest), and ratio scales have a “true zero” allowing for greater measurability (e.g., a ranking of
10 is 5 times greater than a ranking of 2). Risk rating scales are not one-size-fits-all and should
be defined as appropriate to enable a meaningful evaluation and prioritization of the risks
identified and facilitate dialog to determine how to allocate resources within the organization.
An example of a Risk Rating Model is given below -
Green Areas: These are areas that have been identified as being low risk, from a business as
well as an audit perspective. It is not critical that the controls over these areas are reviewed in
detail on an annual or a rotational basis. However, the decision not to rotate is a management
decision.
Orange Areas: These are areas that have been identified as medium risk (i.e., an important
risk exists, but it is not so material that it is likely to result in significant loss or embarrassment
should the required controls not operate effectively). The controls over these areas should be
reviewed at least once every two to three years on a rotational basis.
Red Areas: These are areas considered to be inherently high risk from either a business or
audit perspective and therefore capable of resulting in significant financial loss or
embarrassment. The controls over these systems should be reviewed on an annual basis to
confirm that the controls are in place and continue to be adequate to mitigate the inherent risks.
80
IS Audit in Phases
2.22 Audit Report Structure and Contents

ISACA standards require IS audit and assurance professionals shall provide a report to
communicate the results upon completion of the engagement including:
 Identification of the enterprise, the intended recipients and any restrictions on content
and circulation
 The scope, engagement objectives, period of coverage and the nature, timing and extent
of the work performed
 The findings, conclusions, and recommendations
 Any qualifications or limitations in scope that the IS audit and assurance professional has
with respect to the engagement
 Signature, date and distribution according to the terms of the audit charter or engagement
letter
Further, it is required that IS audit and assurance professionals shall ensure that findings in the
audit report are supported by sufficient and appropriate audit evidence.
The exit interview, conducted at the end of the audit, provides the IS Auditor with the opportunity
to discuss findings and recommendations with management. During the exit interview the IS
Auditor should:
 Ensure that the facts represented in the report are correct
 Ensure that the recommendations are realistic and cost effective, and if not, seek
alternatives through negotiation with Auditee management.
 Recommend implementation dates for agreed on recommendations.
The IS Auditor will frequently be asked to present the results of audit work to various levels of
management. The IS Auditor should have a thorough understanding of the presentation
techniques necessary to communicate the results. Presentation techniques could include the
following:
 Executive summary: an easy to read concise report that presents findings to
management in an understandable manner. Findings and recommendations should be
communicated from a business perspective. Detailed attachments can be more technical
in nature since operations management will require the details to correct the reported
situations.
 Visual presentation: may include slides or computer graphics
IS Auditors should be aware that ultimately, they are responsible to senior management and the
audit committee of the board of directors. IS Auditors should feel free to communicate issues or
concerns to such management. An attempt to deny access by levels lower than senior
81
management would limit the independence of the audit function.

Before communicating the results of an audit to senior management, the IS Auditor should
discuss the findings with the management staff of the audited entity. The goal off such a
discussion would be to gain agreement on the findings and develop a course of corrective action.
In cases where there is disagreement, the IS Auditor should elaborate on the significance of the
findings, risks and effects of not correcting the control weakness. Sometimes the auditee’s
management may request assistance form the IS Auditor in implementing the recommended
control enhancements. Here the IS auditor’s role is that of a consultant, and, therefore, he
should give careful consideration to how assisting the Auditee may adversely affect the IS
Auditor’s independence.
Once agreement has been reached with the auditee, IS audit management should brief senior
management of the audited organization. A summary of audit activities will be presented
periodically to the Audit Committee. Audit Committees typically are composed of individuals who
do not work directly for the organization and thus provide the IS Auditors with an independent
route to report sensitive findings.
2.22.1 Audit Deliverables & Communicating Audit Results

Main deliverable of audit is the audit report. These are used by the IS Auditors to report findings
and recommendations to the management. The contents of audit report will vary by organization.
However, the skilled IS Auditor should understand the basic components of an audit report and
how the report communicates audit findings to the management.
There is no specific format for an IS audit report; the organization’s audit policies and
procedures will dictate the general format. Audit reports will usually have the following structure
and content:
 An introduction to the report, including a statement of audit objectives, limitations to the
audit and scope, the period of audit coverage, and a general statement on the nature and
extent of audit procedures conducted and processes examined during the audit, followed
by a statement on the IS audit methodology and guidelines.
 A good practice is to include audit findings in separate sections. These findings can be
grouped in sections by materiality and/or intended recipient.
 The IS Auditor’s overall conclusion and opinion on the adequacy of controls and
procedures examined during the audit, and the actual potential risks identified as a
consequence of detected deficiencies.
 The IS Auditor’s reservations or qualifications with respect to the audit. This may state
that the controls or procedures examined were found to be adequate or inadequate. The
balance of the audit report should support that conclusion and the overall evidence
gathered during the audit should provide an even greater level of support for the audit
82
IS Audit in Phases
conclusions.
 Detailed audit findings and recommendations – the IS Auditor would decide whether to
include specific findings in an audit report. This should be based on the materiality of the
findings and the intended recipients of the audit report.
 There would be a variety of findings some of which may be quite material while others
minor in nature. The IS Auditor may choose to present minor findings to management in
an alternative format such as by memorandum.
The IS Auditor, however, should make the final decision about what to include or exclude from
the audit report. Generally, the IS Auditor should be concerned with providing a balanced report,
describing not only negative issues in terms of findings but positive constructive comments
regarding improved processes and controls or effective controls already in place. Overall, the
IS Auditor should exercise independence in the reporting process.
Auditee management evaluates the findings, stating corrective actions to be taken and timing
for implementing these anticipated corrective actions. Management may not be able to
implement all audit recommendations immediately. For example, the IS Auditor may recommend
changes to an information system that is also undergoing other changes or enhancements. In
such a case, all recommendations may be implemented at the time of implementing changes.
The IS Auditor should discuss the recommendations and any planned implementation dates
while in the process of releasing the audit report. The IS Auditor must realize that various
constraints, such as staff limitations, budget or other projects may limit immediate
implementation. Management should develop a firm program for corrective actions. It is
important to obtain a commitment from the Auditee/management on the date by which the action
plan will be implemented and the manner in which it will be performed since the corrective action
may result in certain risks being avoided, if identified while discussing and finalizing the audit
report. If appropriate, the IS Auditor may want to report to senior management on the progress
of implementing recommendations. Sample format of IS Audit finding, audit report and executive
summary of audit report are given in Appendix-7.
2.23 Management Implementation of Recommendations

IS Auditors should realize that auditing is an ongoing process. The IS Auditor is not effective if
audits are performed and reports issued but no follow up is conducted to determine whether
management has taken appropriate corrective actions. IS Auditors should have a follow up
program to determine if agreed on corrective actions have been implemented. Although IS
Auditors who work for external audit firms may not necessarily follow this process, they may
achieve these tasks if agreed to by the audited entity.
2.24 Follow up Review

ISACA standards require that IS audit and assurance professionals shall monitor relevant
83
information to conclude whether management has planned/taken appropriate, timely action to

address reported audit findings and recommendations. An IS Audit will be effective only if the
action points and recommendations committed and agreed to by the Auditee management are
implemented. Hence an important task of the IS Auditor is to review the previous audit reports
and follow up on the corrective actions and recommendations implemented within the time
schedules committed by the Auditee management. It is a limited scope review and does not
entail going beyond the examination of actions agreed upon by the client to correct deficiencies.
Normally, the status of follow up activities is included in a separate Compliance Audit Report
which is issued after the completion of follow-up review.
The Institute of Internal Auditors defines a follow-up as: "a process by which the internal Auditors
determine the adequacy, effectiveness and timeliness of actions taken by management on
reported audit findings." Where agreed action plans are not completely implemented the IS
Auditor asks the following questions:
 What remains to be done?
 By whom and when?
 Have alternatives been implemented that may be more appropriate?
 Has the agreed action plan ceased to be of value?
 If no action was taken, why not?
 What is the issue or concern causing inaction?
The end result should be a brief summary of the status of every action plan agreed upon. The
final summary is reviewed with the person responsible for clearing the audit report before the
follow-up report is issued.
2.25 Summary
This chapter has provided detailed explanation of how an IS Audit is executed in all its phases
from planning to execution to issuing reports. IS auditors, to be able to perform IS Audit
assignments need to have a good understanding of concepts of auditing, IT and management.
This chapter has covered, in detail, the following concepts along with extracts from relevant
standards and guidelines as applicable.
 How to conduct various types of IS audit as per scope and objectives of assignment after
understanding the auditee environment including the nature of business, organisation
structure, technology environment, applicable regulations using relevant standards and
best practices framework.
 How to review and evaluate various types of risks and their assessment which forms the
basis on which the audit conclusions can be made.
84
IS Audit in Phases
 How to use analytical procedures, compliance and substantive testing methods for
performing the audit.
 How to review the design effectiveness and control effectiveness.
 How to collect and evaluate evidence and maintain relevant documentation during the
course of IS audit.
 How to perform risk ranking and prepare the final audit report with recommendations and
follow up procedures.
The primary objective of this chapter was to provide understanding of both the concepts and
practices of IS audit and the various phases involved covering the planning of audit process,
understanding of the risks involved, conducting the audit, obtaining and evaluating evidence
and issuing the final audit report containing recommendations.
2.26 Case Study

Case Study Scenario
Client company, AIA Aircrafts Ltd., a Company engaged in the manufacturing of private jets and
aviation accessories has implemented a newly conceptualized Firewall System over its legacy
ERP Suite. The company has appointed an IS Auditor to audit the effectiveness of the Firewall
system along with its interfaces with the ERP System.
The IS Auditor, while carrying out the IS Audit, was verifying a sample of Firewall Operation
Logs and found that 2 users were constantly trying to access a particular external source which
was denied by the Firewall system as per the security policy of the company. The Auditor
immediately issued an audit finding and went to seek explanations from the management.
Moreover, while verifying the Firewall Operations Logs further, he observed that a particular site
was not prevented by the Firewall which, ideally should be prevented as per the company’s
security policy. When, it came to the notice of IT Management, they immediately fixed the
Firewall. Yet, the IS Auditor included the same in his IS Audit Report.
As an IS auditor performing the IS audit, respond to the following:
1. What should an IS Auditor do FIRST, when he observed that two users are constantly
trying to access some external sources?
A) Inform the management and expand the sample to get further evidences.
B) Issue an Audit Finding
C) Seek Explanations from Management
D) Ask for clarification from the Firewall Vendor
Correct Answer is A.
85
Explanation
A) IS Audit and Assurance Standards suggest that an IS Auditor should gather
sufficient and appropriate audit evidence on which his opinion is based. Here the
IS Auditor needs to determine whether this is an isolated incident or a systematic
failure. It would be a good practice to make management informed about the
incident.
B) Directly issuing an Audit Finding, without gathering sufficient and appropriate audit
evidence is not the proper practice as per the Standards.
C) Directly seeking explanations from management, without gathering sufficient and
appropriate audit evidence is not the proper practice as per the Standards.
D) Directly asking clarifications from Firewall Vendor without investigating the matter
further is not the proper practice on the part of IS Auditor. (Note: As per information
detailed in question, Vendor is not managing the firewall configuration files.
Rushing to Vendor means the auditor is overstepping the premise and is not in line
with auditor’s responsibilities).
2. An IS Auditor found one security loophole in the System. However, when the IT
Management got to know about it, immediately corrected it. The IS Auditor should:
A) Report the same in his Audit Report if the finding is material.
B) Don’t include in the Audit Report as the same is corrected.
C) Don’t include in the Audit Report but discuss the same in Exit Interview for
recommendation.
D) Don’t include in the Audit Report and send a letter of appreciation to IT
Management.
Explanation
A) As per the IS Audit and Assurance Standards, any finding, whether subsequently
corrected or not should be included in the IS Audit Report if it is material.
B) Not including the finding as it is corrected is not the proper treatment as per IS
Audit and Assurance Standards.
C) Not including the finding and discussing the same only at Exit Interview is not the
proper treatment as per IS Audit and Assurance Standards.
D) Not including the material audit finding is not the proper treatment as per IS Audit
and Assurance Standards. A Letter of appreciation has nothing to do with Auditor’s
Responsibilities of including material finding in IS Audit Report.
86
IS Audit in Phases
3. IS Auditor rightly found one weakness in the Firewall implementation and he

recommended the name of sister concern to address the weakness. The IS Auditor has
failed to maintain:
A) Professional Independence
B) Professional Competence
C) Organizational Independence
D) Personal Competence
Explanation
A) Professional Independence carries the highest weight in Assurance Services field.
If due to any action of the IS Auditor, his capacity to carry out audit independently
is hindered then the same amounts to failure to maintain Professional
Independence.
B) Professional Competence is nowhere failed as the diagnosis of the Auditor is
correct.
C) Organizational Independence has no role to play here as in the given question only
one matter is involved which is related to only one of the area of organization.
D) Personal Competence has no role to play here.
2.27 Questions
1. Which of the following forms of evidence would be considered to be the most
reliable when assisting an IS Auditor develop audit conclusion?
A. A confirmation letter received from a third party for the verification of an account
balance.
B. Assurance via a control self-assessment received from the management that an
application is working as designed.
C. Trend data obtained from World Wide Web (Internet) sources.
D. Ratio analysis developed by an IS Auditor from reports supplied by line
management
2. During a review of the controls over the process of defining IT service levels, an IS
auditor would most likely interview the:
A. Systems programmer
B. Legal staff
87
C. Business Unit Manager

D. Programmer
3. Which of the following procedures would an IS Auditor not perform during pre-audit
planning to gain an understanding of the overall environment under review?
A. Tour key organisation activities
B. Interview key members of management to understand business risks
C. Perform compliance tests to determine if regulatory requirements are met.
D. Review prior audit reports.
4. The first step IS Auditor should take when preparing the annual IS audit plan is to:
A. Meet with the audit committee members to discuss the IS audit plan for the
upcoming year.
B. Ensure that the IS audit staff is competent in areas that are likely to appear on the
plan and provide training as necessary.
C. Perform a risk ranking of the current and proposed application systems to prioritize
the IS audits to be conducted.
D. Begin with the prior year's IS audit plan and carry over any IS audits that had not
been accomplished.
5. The purpose of compliance tests is to provide reasonable assurance that:
A. Controls are working as prescribed.
B. Documentation is accurate and current.
C. The duties of users and data processing personnel are segregated.
D. Exposures are defined and quantified.
6. IS Auditors being most likely to perform tests of internal controls if, after their
evaluation of such controls, they conclude that:
A. A substantive approach to the audit is cost-effective
B. The control environment is poor.
C. Inherent risk is low.
D. Control risks are within the acceptable limits.
7. Which of the following is the least important factor in determining the need for an
IS Auditor to be involved in a new system development project?
A. The cost of the system
B. The value of the system to the organization.
88
IS Audit in Phases
C. The potential benefits of the system.

D. The number of lines of code to be written.
8. Each of the following is a general control concern EXCEPT:
A. Organization of the IS Department.
B. Documentation procedures within the IS Department.
C. Balancing of daily control totals.
D. Physical access controls and security measures
9. Which of the following types of audits requires the highest degree of data
processing expertise?
A. Systems software audits
B. General controls reviews
C. Microcomputer application audits
D. Mainframe application audits
10. A manufacturing company has implemented a new client/server system enterprise
resource planning (ERP) system. Local branches transmit customer orders to a
central manufacturing facility. Which of the following controls would BEST ensure
that the orders are accurately entered and the corresponding products produced?
A. Verifying production to customer orders
B. Logging all customer orders in the ERP system
C. Using hash totals in the order transmitting process
D. Approving (production supervisor) orders prior to production

1. Correct answer is: A. The IS Auditor requires documented evidence to be submitted
during audit procedures. Control self-assessment though is a good control but it cannot
work as an evidence. Trend and ratio analysis can be used to justify some conclusion but
cannot be considered as a conclusive evidence whereas a confirmation letter is.
2. Correct answer is: C. Business unit manager is the owner of that business unit and he is
the right authority to provide the required information in this context. First point of
interview should be with the person related to business not the programmer or legal staff
3. Correct answer is: C. During pre-audit planning there is no question of doing any
compliance test. Compliance test starts during the process of audit. All other options are
the process of collecting information during pre-audit process
89
4. Correct answer is: C. IS audit services should be expended only if the risk warrants
it. Answers A, B and D occur after C has been completed. Answer "B" is NOT correct
because the IS Audit Manager does not know what areas are to appear on the IS audit
plan until a risk analysis is completed and discussions are held with the Audit Committee
members. Answer "A" is NOT correct because the IS Audit Manager would not meet with
the audit committee until a risk analysis of areas of exposure has been
completed. Answer "D" is NOT correct because a risk analysis would be the first step
before any IS audit services are expended.
5. Correct answer is: A. The compliance tests determine whether prescribed controls are
working as intended. Answer "B" is NOT the best choice. Current and accurate
documentation may be a good procedure but it is only one type of control procedure,
therefore, answer 'A' is a better choice as more control procedures are
evaluated. Answer "C" is NOT the best choice because segregation of duties is only one
type of control procedure; therefore, answer 'A' is a better choice as more control
procedures are evaluated. Answer "D" is NOT the correct choice. Exposures are defined
and quantified to determine audit scope. Compliance tests provide reasonable assurance
that controls are working as prescribed.
6. Correct answer is: B. IS auditor will most probably perform the test of internal control
when control environment is poor. When inherent risks are low and control risks are within
acceptable limit, likelihood of testing internal controls get reduced. Concluding the cost-
effectiveness of substantive approach is not the outcome of testing internal controls.
7. Correct answer is: D. The size of the system is the least important of the factors listed. All
other factors have specific financial implications and an IS Auditor can be used to help
mitigate the risk to the corporation with the development of a new system.
8. Correct answer is: C. Balancing of daily control totals relates to specific applications and
is not considered an overall general control concern. Answer "B" is NOT the correct
answer since documentation procedures within the IS Department are an important
general control concern. Answer "A" is NOT the correct answer since organization of the
IS Department is an important general control concern. Answer "D" is NOT the correct
answer since physical access controls and security measures are important general
control concerns.
9. Correct answer is: A. The IS Auditor needs specialized type of education in hardware and
operating system software. Options at B, C and D can be performed when an IS auditor
has a basic level of data processing technical knowledge and usually requires no special
training.
10. Correct answer is: A. Verification will ensure that production orders match customer
orders. Logging can be used to detect inaccuracies, but does not in itself guarantee
accurate processing. Hash totals will ensure accurate order transmission, but not
accurate processing centrally. Production supervisory approval is a time-consuming
90
IS Audit in Phases
manual process that does not guarantee proper control.
91
Chapter 3
IS Audit Tools & Techniques
Computer Assisted Audit Tools and Techniques are important tools for collecting and evaluating
evidences during the Audit Process. Selection of right tools and characteristics, category and
uses of various available tools are discussed in this chapter.
3.2 Computer Assisted Audit Techniques

CAAT is a significant tool for auditors to gather evidences independently. It provides means to
gain access and to analyse data for predetermined audit objectives, and report the audit findings
with evidences. It helps the auditor to obtain evidence directly on the quality of records produced
and maintained in the system. The quality of the evidence collected gives reassurance on the
quality of the system processing such transactional evidences.
3.2.1 Needs for CAAT

During the course of the audit, an IS auditor should obtain sufficient, relevant and useful
evidence to effectively achieve the audit objectives. The audit findings and conclusions have to
be supported by appropriate analysis and interpretation of this evidence. Computerised
information processing environments pose challenges to the IS auditor to collect sufficient,
relevant and useful evidence, since the evidence exists on magnetic media and it may not be
possible to analyze data without the help of some software tool(s). With systems having different
hardware and software environments, different data structures, record formats, processing
functions etc., it is almost impossible for the auditors to collect evidence and analyse the records
without a software tool. Owing to resource constraints it becomes very difficult, if not impossible,
to quickly develop audit capabilities, without using audit software like CAATs.
The ICAI Guidance note on CAAT describes CAATs as important tools for the auditor in
performing audits. CAATs may be used in performing various auditing procedures including the
following:
(a) Tests of details of transactions and balances, for example, the use of audit software for
recalculation of interest or the extraction of invoices over a certain value from the
computer records.
(b) Analytical procedures, for example, identifying inconsistencies or significant fluctuations.
(c) Tests of general controls, for example testing the setup or configurations of the operating
system or access procedures to the program libraries or by using code comparison
software to check that the version of the program in use is the version approved by
management.
(d) Sampling programs to extract data for audit testing
(e) Tests of application controls, for example, testing the functionality of a programmed
control
(f) Re-performing calculations performed by the organisation’s accounting system.
Purpose of CAATs
CAATs give auditors ability to maximize their efficiency and effectiveness in performing audit.
These are considered to be essential part of Auditors’ Toolkit. CAATS can greatly enhance
effectiveness and efficiency in the audit process during the planning, fieldwork, and reporting
phases. IS auditors can use CAATs to perform tests that would normally be impossible or time-
consuming to perform manually, for example sorting, calculations, matching, and extracting of
information as required. CAATs can allow an auditor to interrogate and analyze data more
interactively, by removing the boundaries that can be imposed by a fixed audit program. For
example, an auditor can analyze data and react immediately to the results of the analysis by
simply modifying the parameters
Functional Capabilities of CAATs
1. File access: Enables the reading of different record formats and file structures. All
common formats of data such as database, text formats, excel files are accessible
through the import function.
2. File reorganization: Enables the indexing, sorting, merging and linking with another file.
These functions facilitate the auditor to get an instant view of the data from different
perspectives.
3. Data selection: Enables global filtration conditions and selection criteria. These functions
enable selection of data based on defined criteria.
4. Statistical functions: Enables sampling, stratification and frequency analysis. These
functions facilitate analysis of data.
5. Arithmetical functions: Enables arithmetic operators and functions. These functions
facilitate re-computations and re-performance of results.
How to use CAATs
IS Auditors need to have adequate computer knowledge, expertise and experience in using
CAATs. They need to formulate appropriate methodology for using CAATs. This includes having
a walkthrough of the system to identify areas of weakness. Based on the results, Auditors will
perform compliance tests, evaluate the results and if required, design substantive tests. CAATs
can also be used to carry out detailed testing and collect evidences. Based on the results of
these tests, Auditors would recommend suitable control measures as relevant. The step-by-step
approach for using CAATs is given below:
93
1. Set the objective of the CAAT application

2. Determine the content and accessibility of the entity's files
3. Define the transaction types to be tested
4. Define the procedures to be performed on the data
5. Define the output requirements
6. Identify audit and IT personnel to be involved in design and use of tests for CAATs.
General Uses and Applications of CAATs
CAATs can be used for various types of tests. Some examples of tests are given below:
1. Exception identification: Identifying exceptional transactions based on set criteria
2. Control analysis: Identify whether controls as set have been working as prescribed.
3. Error identification: Identify data, which is inconsistent or erroneous.
4. Statistical sampling: Perform various types of statistical analysis.
5. Fraud detection: Identify potential areas of fraud/ identify and match patterns.
6. Verification of calculations: Perform various computations to confirm the data stored.
7. Existence of records: Identify fields, which have null values.
8. Completeness of data: Identify whether all fields have valid data.
9. Consistency of data: Identify data, which are inconsistent. For example: identify data,
which is not in a particular sequence.
10. Duplicate payments: Establish relationship between two or more tables as required and
identify duplicate transactions.
11. Undeserved discounts for rapid payment: Identify this based on analysis of set criteria.
12. Obsolescence of inventory: Identify obsolescence of inventory based on stratification,
classification or aging.
13. Accounts exceeding authorized limit: Identify data beyond specified limit.
14. Overdue invoices: Identify data based on aging of invoices.
Strategies for using CAATs
CAATs are important tools for Auditors. Auditors need to work out effective strategies to ensure
their effective use.
The key strategies for using CAATs are:
1. Identify the goals and objectives of the investigation or audit. This may not always mean
94
that CAATs will be used for a particular audit. The point is to keep in mind all relevant
techniques and technologies and to avoid traditional attitudes and thinking.
2. Identify what information will be required, to address the goals and objectives of the
investigation or audit.
3. Determine what the sources of the information are (Accounts payable system, payroll
master file system, contracts system).
4. Identify who is responsible for the information (supervisors, department leaders, IT
personnel).
5. Review documentation that describes the type of data in the system.
6. Review documentation that describes how the information flows. Take time to understand
the data. Know what each field in the data set represents and how it might be relevant to
performing the audit. Review the record layout for the file. Verify that the data is complete
(Compare it to a hard copy).
7. Understand the system generating the data, which is the best defense against
misunderstanding how the system processes data.
8. Review documentation on the system, for example, user manuals, flowcharts, output
reports.
9. Develop a plan for analyzing the data (What, When, Where, Why, and How)
 What: Specific objectives that should be addressed by the analysis
 When: Define the period that will be audited, and arrange with IT personnel to
secure the data for that period
 Where: Define the sources of the data to be analyzed (Accounts payable, payroll)
 Why: Reason for performing the tests and analysis (general review, fraud audit,
VFM: Value for Money)
 How: The types of analysis planned to be carried out by the auditor (Note- Because
of the nature of CAATs, the analysis plan should be viewed as a framework and
not set in stone. For example, additional ad-hoc test might be performed, based on
preliminary findings)
3.2.2 Types of CAATs

While selecting the CAAT, IS Auditor is faced with certain critical decisions that he / she may
be required to make, while balancing on the quality and cost of audit:
a. Use the audit software developed by the client.
b. Design and develop his /her own audit software.
95
c. Use a standard off the shelf Generalised Audit Software

The first two options require the auditor to be technically competent in programming and its
methodology, which may not be his area of expertise. Computer audit software also known as
Generalised Audit Programs (GAS) is readily available off-the-shelf with specific features useful
for data interrogation and analysis. The auditors do not require much expertise and knowledge
to be able to use these for auditing purpose
Different types of CAATs can be categorized as follows:
1. Generalised Audit Software
2. Specialised Audit Software
3. Utility Software
A brief description of the types of software is given below:
3.2.2.1 Generalised Audit Software (GAS)
Computer audit software may be defined as: “The processing of a client’s live files by the
auditor’s computer programs”. Computer audit software may be used either in compliance or
substantive tests. Generalised Audit software refers to generalized computer programs
designed to perform data processing functions such as reading data, selecting and analyzing
information, performing calculations, creating data files and reporting in a format specified by
the auditor. The use of Generalised Audit Software is perhaps the most widely known computer
assisted audit technique.
GAS has standard packages developed by software companies exclusively for auditing data
stored on computers. These are economical and extensively used by auditors the world over.
Available off the shelf, GAS can be used for a wide range of hardware, operating systems,
operating environments and databases.
Typical operations using GAS include:
a. Sampling Items are selected following a value based or random sampling plan.
b. Extraction Items that meet the selection criteria are reported individually.
c. Totalling the total value and number of items meeting selection criteria are reported.
d. Ageing Data is aged by reference to a base date.
e. Calculation Input data is manipulated prior to applying selection criteria,
3.2.2.2 Specialised Audit Software (SAS)
Specialised Audit software, unlike GAS, is written for special audit purposes or targeting
specialized IT environments. The objective of these softwares is to achieve special audit
procedures which may be specific to the type of business, transaction or IT environment e.g.
testing for NPAs, testing for UNIX controls, testing for overnight deals in a Forex Application
96
software etc. Such software may be either developed by the auditee or embedded as part of the
client’s mission critical application software. Such software may also be developed by the
auditor independently. Before using the organisation’s specialized audit software, the auditor
should take care to get an assurance on the integrity and security of the software developed by
the client.
3.2.2.3 Utility Software
Utility software or utilities though not developed or sold specifically for audit are often extremely
useful and handy for conducting audits. These utilities usually come as part of office automation
software, operating systems, and database management systems or may even come
separately. Utilities are useful in performing specific system command sequences and are also
useful in performing common data analysis functions such as searching, sorting, appending,
joining, analysis etc. Utilities are extensively used in design, development, testing and auditing
of application software, operating systems parameters, security software parameters, security
testing, debugging etc. Some examples are
a. File comparison: A current version of a file for example, is compared with the previous
year’s version, or an input file is compared with a processed file.
b. Production of circularisation letters.
3.2.3 Typical Steps in using GAS

i. Define the audit objectives.
ii. Identify the tests that the package can undertake to meet the objectives.
iii. Make out the package input forms for the tests identified.
iv. Compile the package on the computer, clearing reported edit errors.
v. If a programmer has been adding coded routines to the package to fill out the input forms
or to advice, the programmer’s work must be tested.
vi. Obtain copies of the application files to be tested.
vii. Attend the execution of the package against these copy files.
viii. Maintain security of the copy files and output until the tests have been fully checked out.
ix. Check the test results and draw audit conclusions.
x. Interface the test results with whatever subsequent manual audit work is to be done.
3.2.4 Selecting, implementing and using CAATs

Computer Assisted Audit Techniques (CAATs) are significant tools for auditors to gather
evidence independently. CAATs provide a means to gain access and analyse data for a
97
predetermined audit objective and to report audit findings with evidence. They help the auditor
to obtain evidence directly on the quality of the records produced and maintained in the system.
The quality of the evidence collected confirms the quality of the system processing. Following
are some examples of CAATs, which can be used to collect evidence:
• ACL, IDEA, Knime etc.
• Utility Software such as Find, Search, Flowcharting utilities
• Spreadsheets such as Excel
• SQL Commands, OS commands
• Third party access control software
• Embedded routines in Application software systems
• Options and reports built in as part of the application/systems software
• Performance monitoring tools
• Network management tools, OS utilities
• High end CAATs
• RSAREF, DES, PGP
• TCP Wrapper, SOCKS, TIS Toolkit
• COPS, Tripwire, Tiger
• ISS, SATAN, etc.
3.3 Continuous Auditing Approach

Continuous auditing is a process through which an auditor evaluates the particular system(s)
and thereby generates audit reports on real time basis. Continuous auditing approach may be
required to be used in various environments. Such environments usually involve systems that
are 24*7 mission critical.
3.3.1 Techniques for Continuous Auditing

3.3.1.1 Snapshot
Most applications follow a standard procedure whereby, after taking in the user input they
process it to generate the corresponding output. The snapshot technique uses a series of
sequential data captures referred to as snapshots. These are taken in a logical sequence that
a transaction follows. Snapshot, thus, produces an audit trail for review by the auditor. Typically,
snapshots are implemented for tracing steps executed by an application software.
Let us consider, for example, a banking transaction. Numerous transactions are performed and
98
processed by various application systems in a banking environment. Snapshot software

installed as part of the production environment would continuously record transactions passing
a particular control point e.g. instruction set executed in the memory of the ATM machine. Hence
the error in code/ instruction can be identified by analyzing the steps recorded by the snapshot
software.
Snapshots are typically employed for:
• analysing and tracking down the flow of data in an application program, so as to know the
underlying logic of the data processing software.
• documenting the logic, input/output controls (or conditions) of the application program
and the sequence of processing.
Snapshots are also deployed for tracking down the reasons for any disruption in the functioning
of application or system software like operating system or database system.
3.3.1.2 Integrated Test Facility (ITF)
Integrated Test Facility (ITF) is a system in which a test pack is pushed through the production
system affecting “dummy” entities. For example, the auditor would introduce certain test
transactions affecting targeting dummy customer accounts and dummy items created earlier for
testing purpose. The approach could also involve setting a separate dummy organisation using
the application software in the live environment. ITF is useful in identifying errors and problems
that occur in the live environment and that cannot be traced in the test environment. However,
the disadvantage in using ITF is that the dummy transactions also append to the live database
and hence will impact the results and reports drawn from the live database. It will, therefore, be
necessary to delete the test transactions from the system once the tests have been performed.
As with all test packs, the output produced is compared with predicted results. This helps to
determine whether the programmed procedures being tested are operating correctly.
3.3.1.3 System Activity File Interrogation
Most computer operating systems provide the capability of producing a log of every event
occurring in the system, both user and computer initiated. This information is usually written to
a file and can be printed out periodically. As part of audit testing of general controls, it may be
useful for the auditor to review the computer logs generated at various points to build an audit
trail. Wherever possible, unauthorised or anomalous activity would need to be identified for
further investigation. Where a suitable system activity file is retained on magnetic media, one
can select and report exceptional items of possible audit interest such as unauthorised access
attempts, unsuccessful login attempts, changes to master records and the like.
3.3.1.4 Embedded Audit Facilities
Embedded audit facilities consist of program audit procedures, which are inserted into the
client’s application programs and executed simultaneously. The technique helps review
transactions as they are processed and select items according to audit criteria specified in the
99
resident code, and automatically write details of these items to an output file for subsequent
audit examination.
This technique generally uses one or more specially designed modules embedded in the
computer application system to select and record data for subsequent analysis and evaluation.
The data collection modules are inserted in the application system or program at points
predetermined by the auditor. The auditor also determines the criteria for selection and
recording. Automated or manual methods may be used to analyse the data later.
3.3.1.5 Continuous and Intermittent Simulation Audit
With significant advancements in technologies, business systems are increasingly driven by
client-server systems with distributed computing and databases. The components of such
systems are networked generally over geographically disparate locations. This has resulted in
the need for auditing systems that not only enable continuous auditing of transactions but also
have a low overhead on the IT resources of the auditee but without compromising on the
independence of such systems. When a transaction meets a pre-defined criterion, the audit
software runs an audit of the transaction (intermittent test). Then the computer waits for the next
transaction that meets the criteria. This provides continuous testing.
3.3.1.6 Systems Control Audit Review File (SCARF)
The use of this technique involves embedding specially written audit software in the
organisation’s host application systems so that the application systems are monitored on a
continuous basis. The technique involves collecting and storing data related to application
system errors, policy and procedural variances and application exceptions etc. for further
examination.
3.3.1.7 Audit Hook
This technique involves embedding audit modules in application systems to function as red flags
as real time notification of suspicious transactions to induce IS security and auditors to act
before an error or irregularity gets out of hand.
3.4 Summary
This chapter describes CAATS, types of CAATs, their uses, their functionalities and how and
when to select them and the benefits of using CAATs.
3.5 Questions
1. What is one of the key tests which can be ideally carried out using Computer Assisted
Audit Tools (CAATs)?
A. Identification of exceptional transactions based upon set criteria
100
B. Projections on future trends for specific parameters

C. Carrying out employees’ reference checks
D. Carry out employee appraisals Key
2. Find out the best process carried out using Computer Assisted Audit Tools (CAATs)?
A. Identify potential areas of fraud
B. Carry out employee appraisals of Information Systems Assurances Services
C. Projections on future trends for specific parameters
D. Carrying out employees’ reference checks Key
3. What can be ideally carried out using Computer Assisted Audit Tools (CAATs)?
A. Identify data which is inconsistent or erroneous
B. Carry out employee appraisals
D. Carrying out employees’ reference checks Key.
A. Perform various types of statistical analysis
D. Carrying out employees’ reference checks Key
A. Establishing whether the set controls are working as prescribed
D. Estimation of competitor activity Key.
A. Establishing relationship between two or more areas & identify duplicate
transactions
B. Carry out market surveys for a new product launch
101

D. Estimation of competitor activity Key
7. Which is one of the most effective tools and techniques to combat fraud?
A. Computer Assisted Audit Techniques (CAAT)
B. Threats of severe punishment
C. Validation by the I.T. dept. of the police
D. Use of authenticated hard copies Key
8. An IS Auditor, concerned that application controls are not adequate to prevent duplicate
payment of invoices, decided to review the data processing files for possible duplicate
payments. Which of the following techniques/tools would be useful to the IS Auditor?
A. An integrated test facility.
B. Statistical sampling.
C. Generalized audit software.
D. The Audit Review File.
9. Many automated tools are designed for testing and evaluating computer systems. Which
one of the following such tools impact the systems performance with a greater load and
stress on the system?
A. Test data generators
B. Statistical software packages
C. Test drivers
D. Network traffic analyzers
10. The most appropriate type of CAAT tool the auditor should use to test security
configuration settings for the entire application systems of any organization is:
A. Generalised Audit Software
B. Test Data
C. Utility Software
D. Expert System
102
1 One of the many key tests that can be carried out by CAATs is identification of
exceptional transactions based upon set criteria. The IS auditor can set the criteria
based upon the sort of transactions which are not expected to occur on the basis of
the controls which presumably have been incorporated in the organization’s systems.
CAATs are more in the nature of audit tools & would not be ideal for the other purposes
listed in Options B to D above. Hence, answer at Option A alone is correct.
2 One of the many key tests that can be carried out by CAATs is identification of potential
areas of fraud. The IS auditor can set the criteria based upon the sort of transactions
which are not expected to occur on the basis of presumably have been incorporated
in the organization’s systems. CAATs are more in the nature of audit tools & would not
be ideal for the other purposes listed in Options B to D above. Correct answer is A.
3 One of the many key tests that can be carried out by CAATs is identification of data
which is inconsistent or erroneous. The IS auditor can set the criteria based upon the
sort of data which are not expected to occur on the basis of the controls which
presumably have been incorporated in the organization’s systems. CAATs are more
in the nature of audit tools & would not be ideal for the other purposes listed in Options
B to D above. Hence, answer at Option A alone is correct.
4 One of the many key tests that can be carried out by CAATs is the carrying out of
various types of statistical analysis which could throw up areas of inconsistencies,
defaults, etc. CAATs are more in the nature of audit tools & would not be ideal for the
other purposes listed in Options B to D above. Hence, answer at Option A alone is
correct.
5 One of the many key tests that can be carried out by CAATs is establishing whether
the set controls are working as intended. CAATs are more in the nature of audit tools
& would not be ideal for the other purposes listed in Options B to D above. Hence,
answer at Option A alone is correct.
6 One of the many key tests that can be carried out by CAATs is establishing relationship
between two or more areas & identify duplicate transactions. CAATs are more in the
nature of audit tools & would not be ideal for the other purposes listed in Options B to
D above. Hence, answer at Option A alone is correct.
7 CAAT is one of the tools useful for carrying out the detection of suspicious transactions
as a pre-emptive or post fraud activity. Hence, answer at Option A is correct.
8 Generalised Audit software is mainly used to find duplicate data. Options A and D are
on line application audit tools and statistical sampling may not be able to find
duplicates. Correct answer is C.
9 Statistical software packages use all data resources impacting the processing time
and response time. Network traffic analyzers also use the system resources but not
putting stress on production data. Test data generator is not resource intensive and
103
test drivers are for specific use without impacting much resources. Correct answer is
B.
10 When testing the security of the entire application system including operating system,
database and application security, the auditor will most likely use a utility software that
assists in reviewing the configuration settings. In contrast, the Auditor may use GAS
to perform a substantive testing of data and configuration files of the application. Test
data are normally used to check the integrity of the data and expert systems are used
to inquire on specific topics. Hence correct answer is C.
104
Chapter 4
Application Controls Review of Business
Applications
To understand the business application controls implemented in an organisation
4.2 Introduction
Business applications are the tools to achieve management goals and objectives. Each
organisation selects the software as per its business goals and needs. The selection of
appropriate software is an important decision for top management to make as it contributes to
success of business.
An application or application system is a software that enables users to perform tasks employing
systems’ capabilities. These applications are the interface between the user and business
functions. For example, a counter clerk at a bank is required to perform various business
activities as part of his job and assigned responsibilities. From the point of view of users, it is
the application that drives the business logic. Application controls relate to individual business
processes including data edits, separation of business functions, balancing, transaction logging,
and error reporting. From an organizational perspective, it is important that application controls
help to:
 Safeguard assets
 Maintain data integrity
 Achieve organisational goals effectively and efficiently
4.3 Business Application Software: Selection Parameters

Organisations need to document the business requirements and business goals. This helps
them to conclude which type and nature of business application(s) to use.
Key parameters of selection of business application software may be:
The business goal: Organisation may have varied business objectives, say for example many
organisations are customer driven, few may be driven by social causes, others may emphasise
capitalist mind-set.
The nature of business: One of the key determinants of the business application software is
the nature of organisation’s business. A few businesses may generate daily cash e.g. petrol
pumps and departmental stores etc. while some others may require daily update of sales like
milk suppliers, newspaper agents etc. while still some others may generate lots of credit
sales.
The geographical spread: As globalisation has spread, many Indian companies have been
able to reap the benefits by becoming Indian MNCs. Few Indian companies are trying to foray
in export markets or increase their global footprint. The more the geographical spread of an
organisation, more robust business application software is needed. Robustness here is intended
to denote the capability of the business application system to work 24/7 as this may become a
critical business need, and it may also denote whether the business application system has
capability to handle multiple currency accounting.
The volume of transactions: As the transaction volumes increase, it is important for
organisation to go for business application softwares that can support business for the next few
years.
The regulatory structure at place of operation: As the number and nature of compliances
increase across the world, organisation shall prefer that software which is capable to cater to
the compliance requirements. A software company selling a product that is SOX compliant is
likely to find more buyers than others.
4.4 Types of Business Applications

Business applications can be classified based on their processing type (batch, online or real-
time) or the source (in-house, brought-in) or based on the functions covered. Following are a
few business application types based on functions they perform.
a. Accounting Applications:
Applications like TALLY, TATA EX, UDYOG used by business entities for purpose of
accounting for day to day transactions, generation of financial information like balance
sheet, profit and loss account, cash flow statements, are classified as accounting
applications.
b. Banking Applications:
Today all public sector banks, private sector banks including regional rural banks have
shifted to core banking business applications (referred to as CBS). CBS used by Indian
banks include FINACLE (by Infosys Technologies Ltd.), FLEXCUBE (by Oracle Financial
Services Software Limited, formerly called i-flex Solutions Limited), TCS BaNCS (by TCS
Limited), and many more such solutions.
c. ERP Applications:
The need for optimising resource utilization while deriving maximum benefit of the
technology deployed has created a separate category of business application systems
called ERP (Enterprise Resource Planning). These application solutions are used by
entities to manage resources optimally and to maximize E^3 i.e. economy, efficiency and
effectiveness of business operations.
106
Application Controls Review of Business Applications
d. Payroll Applications:
Many companies across the world are using application softwares that process payrolls for their
employees. In India also many CA firms are doing good job on payroll outsourcing. TALLY has
a payroll application built into it.
Other Business Applications
i. Office Management Software
ii. Compliance Applications
iii. Customer Relationship Management Software
iv. Management Support Software
v. Logistics Management Software
vi. Legal matter management
vii. Industry Specific Applications
4.5 Key Features and Controls for Business Applications

A business application is selected and implemented for a specific business purpose. The IS
Auditor has to assess whether the business objectives from implementing the particular
business application will be achieved.
4.6 Application Controls

As per COBIT’s management guide: “Application controls are a subset of internal controls that
relate to an application system and the information managed by that application. Timely,
accurate and reliable information is critical to enable informed decision making. The timeliness,
accuracy and reliability of the information are dependent on the underlying application systems
that are used to generate, process, store and report the information. Application controls are
those controls that achieve the business objectives of timely, accurate and reliable information.
They consist of manual and automated activities that ensure that information conforms to certain
criteria what COBIT refers to as business requirements for information. Those criteria are
effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability.
4.6.1 Internal Controls

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines
internal control as: “a process, affected by an organisation’s board of directors, management
and other personnel, designed to provide reasonable assurance regarding the achievement of
objectives in the following categories:
 Effectiveness and efficiency of operations
107
 Reliability of financial reporting

 Compliance with applicable laws and regulations”
COSO defines control activities as the policies and procedures that help ensure management
directives are carried out.
4.7 Objectives of Application Controls and key Business

Information Requirements
4.7.1 Objectives
Application controls are intended to provide reasonable assurance that management’s
objectives relative to a given application will be achieved. Management’s objectives are typically
articulated through the definition of specific functional requirements for the solution, the
definition of business rules for information processing and the definition of supporting manual
procedures. Examples include:
(i) Completeness: The application processes all transactions and the resulting information
is complete.
(ii) Accuracy: All transactions are processed accurately and as intended and the resulting
information is accurate.
(iii) Validity: Only valid transactions are processed, and the resulting information is valid.
(iv) Authorisation: Only appropriately authorised transactions are processed.
(v) Segregation of duties: The application provides for and supports appropriate
segregation of duties and responsibilities as defined by management.
4.7.2 Information Criteria

Key business requirements for information also called as information criteria need to be present
in information generated. These are:
1. Effectiveness: Deals with information being relevant and pertinent to the process as well
as being delivered in a timely, correct, consistent and usable manner.
2. Efficiency: Concerns the provision of information through the optimal (most productive
and economical) use of resources.
3. Confidentiality: Concerns the protection of sensitive information from unauthorised
disclosure.
4. Integrity: Relates to the accuracy and completeness of information as well as to its
validity in accordance with business values and expectations.
5. Availability: Relates to information being available when required by the process now
108
and in the future. It also concerns the safeguarding of necessary resources and
associated capabilities.
6. Compliance: Deals with complying with the laws, regulations and contractual
arrangements to which the process is subject, i.e., externally imposed business criteria
as well as internal policies.
7. Reliability: Relates to the provision of appropriate information for management to
operate the organisation and exercise its fiduciary and governance responsibilities.
The specific key quality requirements may vary for different organisations based on specific
business needs.
4.7.3 Application Controls Objectives

COBIT provides best practices for application controls which can be used as a benchmark for
implementing or evaluating application controls. The COBIT control objectives and control
practices provide the best collection of controls which are generic and can be customised and
used as benchmark for implementation or used as assessment criteria for any application audit.
COBIT defines six control objectives for application controls:
1. Source Data Preparation and Authorisation: Ensure that source documents are
prepared by authorised and qualified personnel following established procedures, taking
into account adequate segregation of duties regarding the origination and approval of
these documents. Errors and omissions can be minimised through good input form
design.
2. Source Data Collection and Entry: Ensure that data input is performed in a timely
manner by authorised and qualified staff. Correction and resubmission of data that were
erroneously input should be performed without compromising original transaction
authorisation levels. Where appropriate for reconstruction, retain original source
documents for appropriate amount of time.
3. Accuracy, Completeness and Authenticity Checks: Ensure that transactions are
accurate, complete and valid. Validate data that were input, and edit or send back for
correction as close to the point of origination as possible.
4. Processing Integrity and Validity: Maintain the integrity and validity of data throughout
the processing cycle. Detection of erroneous transactions does not disrupt the processing
of valid transactions.
5. Output Review, Reconciliation and Error Handling: Establish procedures and
associated responsibilities to ensure that output is handled in an authorised manner,
delivered to the appropriate recipient and protected during transmission; verification,
detection and correction of the accuracy of output occur; and information provided in the
output is used.
109
6. Transaction Authentication and Integrity: Before passing transaction data between

internal applications and business/operational functions (within or outside the enterprise),
check the data for proper addressing, authenticity of origin and integrity of content.
Maintain authenticity and integrity during transmission or transport.
4.7.4 Control Practices

Illustrative control practices for the control objectives as per COBIT 2019 are given below. Under
each of the control objectives, there are list of control practices which need to be implemented
to meet the control objectives. The control practices are to be customised and implemented as
per specific requirements of the organisation. Once the control practices of specific control
objective are implemented, then it can be said that the application meets the required control
objectives.
4.7.4.1 Source Data Preparation and Authorisation
(i) Design source documents in a way that they increase accuracy with which data can be
recorded, control the workflow and facilitate subsequent reference checking. Where
appropriate, include completeness controls in the design of the source documents.
(ii) Create and document procedures for preparing source data entry, and ensure that they
are effectively and properly communicated to appropriate and qualified personnel. These
procedures should establish and communicate required authorisation levels (input,
editing, authorising, accepting and rejecting source documents). The procedures should
also identify the acceptable source media for each type of transaction.
(iii) Ensure that the function responsible for data entry maintains a list of authorised
personnel, including their signatures.
(iv) Ensure that all source documents include standard components, contain proper
documentation (e.g., timeliness, predetermined input codes, default values) and are
authorised by management.
(v) Automatically assign a unique and sequential identifier (e.g., index, date and time) to
every transaction.
(vi) Return documents that are not properly authorised or are incomplete to the submitting
originators for corrections, and log the fact that they have been returned. Review logs
periodically to verify that corrected documents are returned by originators in a timely
fashion, and to enable pattern analysis and root cause review.
4.7.4.2 Source data collection and entry
(i) Define and communicate criteria for timeliness, completeness and accuracy of source
documents. Establish mechanisms to ensure that data input is performed in accordance
with the timeliness, accuracy and completeness criteria.
(ii) Use only pre-numbered source documents for critical transactions. If proper sequence is
110
a transaction requirement, identify and correct out-of-sequence source documents. If

completeness is an application requirement, identify and account for missing source
documents.
(iii) Define and communicate who can input, edit, authorise, accept and reject transactions,
and override errors. Implement access controls and record supporting evidence to
establish accountability in line with role and responsibility definitions.
(iv) Define procedures to correct errors, override errors and handle out-of-balance conditions,
as well as to follow up, correct, approve and resubmit source documents and transactions
in a timely manner. These procedures should consider things such as error message
descriptions, override mechanisms and escalation levels.
(v) Generate error messages in a timely manner as close to the point of origin as possible.
The transactions should not be processed unless errors are corrected or appropriately
overridden or bypassed. Errors that cannot be corrected immediately should be logged in
an automated suspense log, and valid transaction processing should continue. Error logs
should be reviewed and acted upon within a specified and reasonable period of time.
(vi) Ensure that errors and out-of-balance reports are reviewed by appropriate personnel,
followed up and corrected within a reasonable period of time, and, where necessary,
incidents are raised for more senior-level attention. Automated monitoring tools should
be used to identify, monitor and manage errors.
(vii) Ensure that source documents are safe-stored (either by the business or by IT) for a
sufficient period of time in line with legal, regulatory or business requirements.
4.7.4.3. Accuracy, completeness and authenticity checks
(i) Ensure that transaction data are verified as close to the data entry point as possible and
interactively during online sessions. Ensure that transaction data, whether people-
generated, system-generated or interfaced inputs, are subject to a variety of controls to
check for accuracy, completeness and validity. Wherever possible, do not stop
transaction validation after the first error is found. Provide understandable error
messages immediately to enable efficient remediation.
(ii) Implement controls to ensure accuracy, completeness, validity and compliance to
regulatory requirements of data input. Controls may include sequence, limit, range,
validity, reasonableness, table look-ups, existence, key verification, check digit,
completeness (e.g., total monetary amount, total items, total documents, hash totals),
duplicate and logical relationship checks, and time edits. Validation criteria and
parameters should be subject to periodic reviews and confirmation.
(iii) Establish access control and role and responsibility mechanisms so that only authorised
persons input, modify and authorise data.
(iv) Define requirements for segregation of duties for entry, modification and authorisation of
111
transaction data as well as for validation rules. Implement automated controls and role
and responsibility requirements.
(v) Report transactions failing validation and post them to a suspense file. Report all errors
in a timely fashion and do not delay processing of valid transactions.
(vi) Ensure that transactions failing edit and validation routines are subject to appropriate
follow-up until errors are remediated. Ensure that information on processing failures is
maintained to allow for root cause analysis and help adjust procedures and automated
controls.
4.7.4.4 Processing integrity and validity
(i) Establish and implement mechanisms to authorise the initiation of transaction processing
and to enforce that only appropriate and authorised applications and tools are used.
(ii) Routinely verify that processing is completely and accurately performed with automated
controls, where appropriate. Controls may include checking for sequence and duplication
errors, transaction/record counts, referential integrity checks, control and hash totals,
range checks and buffer overflow.
(iii) Ensure that transactions failing validation routines are reported and posted to a suspense
file. Where a file contains valid and invalid transactions, ensure that the processing of
valid transactions is not delayed and all errors are reported in a timely fashion. Ensure
that information on processing failures is kept to allow for root cause analysis and help
adjust procedures and automated controls, to ensure early detection or prevent errors.
(iv) Ensure that transactions failing validation routines are subject to appropriate follow-up
until errors are remediated or the transaction is cancelled.
(v) Ensure that the correct sequence of jobs has been documented and communicated to IT
operations. Job output should include sufficient information regarding subsequent jobs to
ensure that data are not inappropriately added, changed or lost during processing.
(vi) Verify the unique and sequential identifier to every transaction (e.g., index, date and
time).
(vii) Maintain the audit trail of transactions processed. Include date and time of input and user
identification for each online or batch transaction. For sensitive data, the listing should
contain before and after images and should be checked by the business owner for
accuracy and authorisation of changes made.
(viii) Maintain the integrity of data during unexpected interruptions in data processing with
system and database utilities. Ensure that controls are in place to confirm data integrity
after processing failures or after use of system or database utilities to resolve operational
problems. Any changes made should be reported and approved by the business owner
112
before they are processed.

(ix) Ensure that adjustments, overrides and high-value transactions are reviewed promptly in
detail for appropriateness by a supervisor who does not perform data entry.
(x) Reconcile file totals. For example, a parallel control file that records transaction counts
or monetary value as data should be processed and then compared to master file data
once transactions are posted. Identify report and act upon out-of-balance conditions.
4.7.4.5 Output review, reconciliation and error handling
(i) When handling and retaining output from IT applications, follow defined procedures and
consider privacy and security requirements. Define, communicate and follow procedures
for the distribution of output.
(ii) At appropriate intervals, take a physical inventory of all sensitive output, such as
negotiable instruments, and compare it with inventory records. Create procedures with
audit trails to account for all exceptions and rejections of sensitive output documents.
(iii) Match control totals in the header and/or trailer records of the output to balance with the
control totals produced by the system at data entry to ensure completeness and accuracy
of processing. If out-of-balance control totals exist, report them to the appropriate level
of management.
(iv) Validate completeness and accuracy of processing before other operations are
performed. If electronic output is reused, ensure that validation has occurred prior to
subsequent uses.
(v) Define and implement procedures to ensure that the business owners review the final
output for reasonableness, accuracy and completeness, and output is handled in line with
the applicable confidentiality classification. Report potential errors; log them in an
automated, centralised logging facility; and address errors in a timely manner.
(vi) If the application produces sensitive output, define who can receive it, label the output so
that it is recognisable by people and machines, and implement distribution accordingly.
Where necessary, send it to special access-controlled output devices.
4.7.4.6 Transaction authentication and integrity
(i) Where transactions are exchanged electronically, establish an agreed-upon standard of
communication and mechanisms necessary for mutual authentication, including how
transactions will be represented, the responsibilities of both parties and how exception
conditions will be handled.
(ii) Tag output from transaction processing applications in accordance with industry
standards to facilitate counterparty authentication, provide evidence of non-repudiation
and allow for content integrity verification upon receipt by the downstream application.
113
(iii) Analyse input received from other transaction processing applications to determine
authenticity of origin and the maintenance of the integrity of content during transmission.
(iv) Authentication means identification, i.e. to prove you are the right person to handle or
access resources whereas authorisation refers to the extent to which you can go, for
example ID and password is a means for proving your authentication whereas the
authorisation power will decide on what you can do after authentication. DBA can
add/delete a database user, whereas an auditor is authorised to do view and printing
access.
Information Criteria
Confidentiality
Effectiveness
Compliance
Availability
Reliability
Efficiency
Integrity
APPLICATION AND CONTROL OBJECTIVES
AND INFORMATION CRITERIA
Source Data Preparation and

1 S P S P S
Authorisation
2 Source Data Collection and Entry S S S P S
Control Objective
Accuracy, Completeness and

3 S P S P S P P
Authenticity Checks
4 Processing Integrity and Validity P P P P P
Output Review, Reconciliation and
5 P S P P P P P
Error Handling
Transaction Authentication and
6 S P P P
Integrity
P = Primary S = Secondary
Table to the relationship between the information criteria and how achievement of those criteria
can be enabled by various application control objectives. Primary and secondary are the relative
importance of the information criteria.
4.8 Summary
This chapter describes the selection criteria for application systems, various application control
objectives and practices.
4.9 Questions
1 Application controls shall include all except
114
A. Application controls are a subset of internal controls.

B. The purpose is to collect timely, accurate and reliable information.
C. It is part of the IS Auditor’s responsibility to implement the same.
D. It is part of business application software.
2 As per Income Tax Act, 1961 and banking norms, all fixed deposit holders of banks
need to submit their PAN or form 60/61(a form as per Income Tax Act/Rules). A bank
in its account opening form, has not updated the need for form 60/61 in case PAN is
not there. This defines which control lapse as per COBIT.
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity
3 In a public sector bank while updating master data for advances given, the bank
employee does not update “INSURANCE DATA”. This includes details of Insurance
Policy, Amount Insured, Expiry Date of Insurance and other related information. This
defines which control lapse as per COBIT.
A. Source Data Preparation and Authorisation
B. Source Data Collection and Entry
C. Accuracy, Completeness and Authenticity Checks
D. Processing Integrity and Validity
4 An IS Auditor observed that users are occasionally granted the authority to change
system data. The elevated system access is not consistent with company policy yet is
required for smooth functioning of business operations. Which of the following controls
would the IS Auditor most likely recommend for long term resolution?
A. Redesign the controls related to data authentication
B. Implement additional segregation of duties controls
C. Review policy to see if a formal exception process is required
D. Implement additional logging controls.
5 An IS Auditor, processes a dummy transaction to check whether the system is allowing
cash payments in excess of Rs.20,000/-. This check by auditor represents which of
115
the following evidence collection technique?

A. Inquiry and confirmation
B. Re-calculation
C. Inspection
D. Re-performance
6 An IS Auditor is performing a post implementation review of an organisation’s system
and identified output errors within an accounting application. The IS Auditor
determined that this was caused by input errors. Which of the following controls should
the IS Auditor recommend to management?
A. Recalculations
B. Limit Checks
C. Run-to-run total
D. Reconciliation
7 RBI instructed banks to stop cash retraction in all ATMs across India from April 1,
2013. This was result of few ATM frauds detected. This action by RBI can be best
classified as:
A. Creation
B. Rectification
C. Repair
D. None of above
8 A central antivirus system determines whether each personal computer has the latest
signature files and installs the latest signature file before allowing a PC to connect to
the network. This is an example of a:
A. Directive control
B. Corrective Control
C. Compensating Control
D. Detective Control
9 Company’s billing system does not allow billing to those dealers who have not paid
advance amount against proforma invoice. This check is best called as:
116
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check
10 While posting message on FACEBOOK, if user posts the same message again,
FACEBOOK gives a warning. The warning indicates which control.
A. Limit Check
B. Dependency Check
C. Range Check
D. Duplicate Check

1 C. It represents what auditor verifies but not that what he/she implements. Rest is part
of the definition and purpose of application controls.
2 A. is the correct answer as the source data capture is not proper. Ensure that source
documents are prepared by authorised and qualified personnel following established
procedures, taking into account adequate segregation of duties regarding the
origination and approval of these documents. Errors and omissions can be minimised
through good input form design.
3 C. This ensures that transactions are accurate, complete and valid. Validate data that
were input, and edit or send back for correction as close to the point of origination as
possible.
4 C. is the correct answer. Policy is not a static document. When an exception is a
regular requirement, the best control is to modify the policy accordingly.
5 D. is the correct answer. The IS Auditor may process test data on application controls
to see how it responds.
6 D is correct. For finding the anomaly between input and output, reconciliation is the
best option. Re-calculation and run-to-run total will provide the same result as earlier
and limit check is a data validation control.
7 B. is the right answer. A, is not an answer as action by RBI is based on fraud detection.
Repair is done to rectify an error which has occurred in a working system.
8 B. is the correct answer. After detecting the deficiency, it is correcting the situation
hence it is a corrective control.
117
9 B. Dependency check is one where value of one field is related to that of another.
10 D. is the answer as this is a duplicate check.
118
Chapter 5
Application Controls Review of Specialised
Systems
5.1 Learning objectives
An IS auditor has to be aware of the controls that have been put in place in business
applications. He / She may have to review the same as a part of auditor’s risk assessment
procedure. As per SA200 on ““Overall Objectives of the Independent Auditor and the conduct
of an audit in accordance with standards on Auditing”, compliance procedures are tests
designed to obtain reasonable assurance that those internal controls on which audit reliance is
to be placed are in effect. As per ISACA ITAF 1007 “Assertions”, IS Audit and assurance
professional shall review the assertions against which the subject matter will be assessed to
determine that such assertions are capable of being audited and that the assertions are
sufficient, valid and relevant.
5.2 Review of Application Controls

5.2.1 Need for Application Control Review
The review is necessary for IS auditor to draw the conclusions for:
(a) How much reliance he/she can put on entities’ business application system?
(b) Planning IS audit procedures.
(c) In case application controls are found in-effective to achieve the stated business
objectives, then IS Auditor needs to plan for alternate audit procedure.
5.2.2 How to perform Application Control Review

As per ISACA ITAF 1205.1 “Evidences”, IS audit and assurance professionals shall obtain
sufficient and appropriate evidence to draw reasonable conclusions on which to base the
engagement results. The procedures used to obtain evidence include:
1. Inquiry and confirmation
2. Re-performance
3. Recalculation
4. Computation
5. Analytical Procedures
6. Inspection
7. Observation
8. Other Generally Accepted Methods
5.3 Review of Business Application Controls through use of

Audit Procedures
As per SA 500, “Audit Evidences”, auditor while designing tests of controls shall see whether
the controls so put in place are effective.
(a) Inquiry and confirmation: IS Auditor may prepare a checklist to enquire and confirm
whether the said controls are in place. This process shall evaluate existence of controls.
A sample checklist for IS Auditor is included at end of chapter.
(b) Re-performance: IS Auditor may process test data on application controls to see how it
responds. This process shall evaluate the effectiveness of controls.
5.4 Application Controls Review for Specialised Systems

Changes in technology are very fast. A separate section for these systems has been
incorporated to help IS Auditor put a focused approach to audit these systems.
5.4.1 Artificial Intelligence (AI)

A computer is an electromechanical machine that contains no live elements. However, it is
used for simulating human working in a given situation which involves thinking and reasoning,
solving complex problems, doing calculations, etc. Computer history shows that computers are
good at making calculations of repetitive nature speedily. In fact, in the beginning, computers
were used mainly for this purpose. However, with the advancement in technologies, the
concept of Artificial Intelligence (AI) has found wide applications. AI is the theory and
development of computer systems so as to be able to perform tasks normally requiring human
intelligence, such as visual perception, speech recognition, decision-making, and translation
between languages. The applications of AI can be classified into three major categories:
(i) Cognitive Science: This is an area based on research in disciplines such as biology,
neurology, psychology, mathematics and allied disciplines. It focuses on how human
brain works and how humans think and learn. Applications of AI in the cognitive science
area are Expert Systems, Learning Systems, Neural Networks, Intelligent Agents and
Fuzzy Logic
(ii) Robotics: This technology refers to robot machines with artificial intelligence and human-
like physical capabilities. This includes applications that give robots visual perception,
capabilities to feel by touch, dexterity and locomotion.
(iii) Natural Languages: Being able to 'converse' with computers in human languages is the
120
Application Controls Review of Specialised Systems
goal of research in this area. Interactive voice response and natural programming
languages, closer to human conversation, are some of the applications. Virtual reality is
another important application that can be classified under natural interfaces.
IS Auditor's Role
IS auditor has to be conversant with the controls relevant to these systems when used as the
integral part of the organizations business processes or critical functions and the level of
experience or intelligence used as a basis for developing software. The errors produced by such
systems would be more critical as compared to the errors produced by the traditional systems.
More details are given in Module 6.
5.4.2 Data Warehouse

Dataware house is defined, “as a Subject-oriented, integrated, non-volatile, collection of data to
support management’s decision-making process and help in making future policies based on
actual historical transactional data. It is a Central Repository of clean, consistent, integrated &
summarized information, extracted from multiple operational systems, for on-line query
processing.”
In other words, a core data warehouse is where all or majority of data of interest to an
organisation are captured and organised to assist reporting and analysis. DWs are normally
instituted as large relational databases. In some cases, data warehouse holds fully normalised
data to support the flexibility to deal with complex and changing business structure.
Data Marts represent subsets of information from the core DW selected and organised to meet
the needs of a particular business unit or business line. Data marts may be relational databases
or some form of online analytical processing (OLAP) data structure. Data marts have a simplified
structure compared to normalised DW.
Data warehousing system is used for getting valuable information for making management
decisions and making future policies. Generally, data is processed by TPS (Transaction
Processing Systems), also known as operational systems. These systems are responsible for
day-to-day functioning of business transactions, whereas Data warehouse is used for helping in
decision making process.
Customers depositing and withdrawing money, applying for loans, opening accounts in a bank
are examples of Transactions Processing Systems. In contrast, Data warehouse involves
integration of related data obtained from various sources like TPS, CRM as well external sources
like market trends data etc.
IS Auditor's Role
IS Auditor should consider the following while auditing data warehouse:
1. Credibility of the source data
2. Accuracy of the source data
121
3. Complexity of the source data structure

4. Accuracy of extraction and transformation process
5. Access control rules
6. Network capacity for speedy access
5.4.3 Decision Support System (DSS)

DSS are information systems that provide interactive information support to middle management
through analytical models. DSS are designed to be ad hoc systems for specific decisions by
individual-managers. These systems answer queries that are not answered by the transactions
processing systems. Typical examples are:
1. Comparative sales figures between two consecutive months for different products
with percentage variation to total sales.
2. Revenue and Cost projections on a product mix.
3. Evaluation of different alternatives, leading to the selection of the best one.
IS Auditor’s role
As the system shall be used for decision making purposes of the management, the auditor must
be concerned with the,
1. Credibility of the source data
2. Accuracy of the source data
3. Accuracy of extraction and transformation process
4. Accuracy and correctness of the output generated
5. Access control rules
5.4.4 Electronic Funds Transfer (EFT)

The electronic mode of payment has made a lot of impact on the way business is conducted.
All big, medium and small businesses, banks, users, government departments, logistics
providers, customers, service receivers, service providers, exporters, importers, sellers, buyers
use EFT for their business and personal transactions. Immense growth of EFT has led to a new
set of risks associated with such transactions. Reserve Bank of India (RBI) has issued detailed
guidelines for banks to follow for EFT transactions. RBI has specified in its NEFT guidelines
that Banks need to create procedural guidelines, for the purpose of:
(i) Verifying that a payment instruction, a communication authorising a payment instruction
or an NEFT Data File is authorised by the person from whom it purports to be authorised;
and
(ii) For detecting errors in the transmission or the content of a payment instruction, a
122
communication or an NEFT message.

IS Auditor’s role
The major concern shall be:
1. Authorisation of payments.
2. Validation of receivers’ details, for correctness and completeness.
3. Verifying the payments made.
4. Getting acknowledgement from the receiver, or alternatively from bank about the payment
made.
5. Checking whether the obligation against which the payment was made has been fulfilled
if not whether there are adequate procedures to account for and handle such
transactions.
5.4.5 E-commerce
Other than buying and selling goods on the Internet, E Commerce (Electronic Commerce)
involves information sharing, payment, fulfilment of contractual obligations of the parties
participating in e-commerce transactions, service and support.
Risks of E-commerce
 the identity and nature of relationships with e-commerce trading partners;
 the integrity of transactions;
 electronic processing of transactions;
 systems' reliability;
 privacy issues;
 return of goods and product warranties;
 taxation and regulatory issues.
IS Auditor’s role
IS Auditor’s responsibility shall be to assess whether the transactions have:
1. Authorisation
2. Authentication
3. Confirmation
4. Whether the payment gateway is secured or not.
5.4.6 Point of Sale System (PoS)
123
As the name indicates, a PoS is intended to capture data at the time and place of transaction
which is being initiated by a business user. It is often attached to scanners to read bar codes
and magnetic cards for credit card payment and electronic sales. They provide significant cost
and time saving as compared to the manual methods. They also eliminate errors that are
inherent in manual systems (when the data is subjected to transcription errors while a user
enters data from a document into the system). POS processing may involve batch processing
or online processing. These are generally used in big shopping malls or departmental stores.
IS Auditor’s role
1. In case there is batch processing, the IS auditor should evaluate the batch controls
implemented by the organization.
2. Check if they are in operation,
3. Review exceptional transaction logs.
4. Whether the internal control system is effective to ensure the accuracy and completeness
of the transaction batch before updating.
5. The IS auditor will have to evaluate the controls for accuracy and completeness of on-
line transactions.
6. RBI guidelines regarding “Cash withdrawal at Point of Sale (POS) - Prepaid Payment
Instruments issued by banks: need to be validated in case such transactions are taking
place.
5.4.7 Automatic Teller Machines (ATM)

An ATM (Automated Teller Machine) is a specialized form of the point of sales terminal.
It is designed for unattended use by a customer of a financial institution. ATMs generally allow
cash deposits, cash withdrawals and a range of banking operations like accepting requests for
cheque books or account statements. The facility of ATM can be within a bank, across local
banks and amongst the banks outside a region. ATMs transfer information and money over
communication lines. These systems provide a high level of logical and physical security for
both the customer and the ATM machine.
IS Auditor's Role
The following are the guidelines for internal controls of ATM system which the auditor shall have
to evaluate and report:
(a) Only authorized individuals have been granted access to the system.
(b) The exception reports show all attempts to exceed the limits and reports are reviewed by
the management.
(c) The bank has ATM liability coverage for onsite and offsite machines.
124
(d) Controls on proper storage of unused ATM cards, Controls on their issue only against
valid application form from a customer, Control over custody of unissued ATM cards,
Return of old/ unclaimed ATM cards, Control over activation of PINs
(e) Controls on unused PINs, Procedure for issue of PINs, Return of PINs of returned
ATM cards.
(f) Controls to ensure that PINs do not appear in printed form with the customer’s account
number.
(g) Access control over retrieval or display of PINs via terminals
(h) Process of mailing cards to customers. Whether cards are sent in envelops with a return
address that do not identify the Bank. Whether cards and PINs are mailed separately with
sufficient period of time (usually three days) between mailings.
(i) Procedures of handling retracted/rejected transactions.
Presently, there are more than 2,50,000 ATM machine installations in India. Government of
India has already indicated that it wants to further enhance the usage of ATM in India, as this
allows banks to reach remote corners without being physically present. This creates a scope for
the IS Auditor for a separate ATM Audit. RBI has issued detailed set of instructions for banks to
follow.
Most of the banks manage their ATM Switch ecosystem through shared services of third-party
ATM Switch Application Service Providers (ASPs) for shared services for ATM Switch
applications. Since these service providers also have exposure to the payment system
landscape and are, therefore, exposed to the associated cyber threats, the RBI has directed
that certain baseline cyber security controls shall be mandated by the banks in their contractual
agreements with these service providers. These pertain to implementation of measures to
strengthen the process of deployment and changes in application softwares in the ecosystem;
continuous surveillance; implementation of controls on storage, processing and transmission of
sensitive data; building capacity for forensic examination; and making the incident response
mechanism more robust. The IS auditors undertaking audit of ATM Switch Services may refer
to these guidelines for providing assurance services.
5.5 Summary
This chapter covered various specialized systems and their related audit processes.
5.6 Questions
1 Which of the following business purposes can be met by implementing Data
warehouse in an organisation?
A. Business continuity can be ensured in case of disaster.
125
B. Data in the data ware house can work as a backup

C. The data in the warehouse can be used for meeting regulatory requirements.
D. Business decisions can be taken and future policies can be framed based on
actual transactional data.
2 Which of the following is a characteristic of a decision support system (DSS)?
A. DSS is aimed at solving highly structured problem.
B. DSS combines the use of models with non-traditional data access and retrieval
functions.
C. DSS emphasizes flexibility in decision making approach of users.
D. DSS supports only structured decision-making tasks.
3 Which of the following audit tools is MOST useful to an IS auditor when an audit trail
is required?
A. Integrated test facility (ITF)
B. Continuous and intermittent simulation (CIS)
C. Audit hooks
D. Snapshots
4 A retail company recently installed data warehousing client software in multiple,
geographically diverse sites. Due to time zone differences between the sites, updates
to the warehouse are not synchronized. This will affect which of the following most?
A. Data availability
B. Data completeness
C. Data redundancy
D. Data accuracy
5 The cashier of a company has rights to create bank master in TALLY. This error is a
reflection of poor definition for which type of control:
A. User Controls
B. Application Control
C. Input Control
D. Output Control
6 An employee has left the company. The first thing to do is to:
126
A. Hire a replacement employee.

B. Disable his/her access rights.
C. Ask the employee to clear all dues/advances.
D. Escort employee out of company premises
7 As part of auditing Information Security of a multinational bank, an auditor wants to
assess the security of information in ATM facilities. Under which privacy policy should
he look for details pertaining to security guards and CCTV surveillance of ATM’s?
A. Physical Access and Security Policy
B. Acceptable use of Information Assets Policy
C. Asset Management Policy
D. Business Continuity Management Policy Key.
8 Neural Networks and Fuzzy Logics are classified under which category of Artificial
intelligence?
A. Cognitive Science
B. Robotics
C. Natural Sciences
D. Virtual Reality
9 In an inter school competition on Artificial Intelligence, four children develop software
which performs the following different functions respectively. Which of them is a
correct example of the use of basic Artificial Intelligence?
A. Predictive & self-learning word-processing software
B. A calculation software which arrives at the arithmetic total of figures keyed in
C. A password system which allows access based upon keying in of the correct
password
D. A software which rejects invalid dates like 32nd March 2019.
10 Which are the business activities which are strong contenders for conversion to e-
commerce?
A. Those that are paper-based, time consuming & inconvenient for customers
B. Those relating to software development
C. Those relating to the ‘electronic’ aspects of commerce
D. Those that are not paper-based, speedy & convenient for customers.
127

1 Correct answer is D. Purpose of Data warehouse is to take business decisions and
frame future policies based on the analysis of transactional data. It cannot act as an
alternative to backup. Purpose of the data ware house is not for business continuity
nor is it for regulatory requirements.
2 Correct answer is B. It goes with the purpose and definition of decision support system.
3 Correct answer is D. Snapshot is the right answer as in this technique, IS auditor can
create evidence through IMAGE capturing. A snapshot tool is most useful when an
audit trail is required. ITF can be used to incorporate test transactions into a normal
production run of a system. CIS is useful when transactions meeting certain criteria
need to be examined. Audit hooks are useful when only select transactions or
processes need to be examined.
4 Correct answer is B. One of the major bottlenecks in data ware house is time
synchronisation as the data of different time zones is merged in data ware house. It
ultimately results in in-complete data for decision making purposes.
5 Correct answer is A. User controls are not properly defined. User controls need to be
defined based on NEED TO DO and NEED TO DO basis. The above is reflection of a
greater problem of improper assessment of user profiles created in the system.
6 Correct answer is B. the first thing to do as soon as an employee leaves the company
is to disable his/her access rights in system. This needs to be done to prevent frauds
being committed. Other answers may be valid but are not the first thing to do.
7 Correct answer is A. Physical security describes security measures that are designed
to restrict unauthorized access to facilities, equipment and resources, and to protect
personnel and property from damage or harm (such as espionage, theft, or terrorist
attacks). Physical security involves the use of multiple layers of interdependent
systems which include CCTV surveillance, security guards, Biometric access, RFID
cards, access cards protective barriers, locks, access control protocols, and many
other techniques. B is incorrect - An acceptable use policy (AUP), also known as an
Acceptable Usage policy or Fair Use policy, is a set of rules applied by the owner or
manager of a network, website or large computer system that restrict the ways in which
the network, website or system may be used. C is incorrect – This policy defines the
requirements for Information Asset’s protection. It includes assets like servers,
desktops, handhelds, software, network devices etc. Besides, it covers all assets used
by an organization- owned or leased. D is incorrect – This policy defines the
requirements to ensure continuity of business-critical operations. It is designed to
minimize the impact of an unforeseen event (or disaster) and to facilitate return of
business to normal levels.
128
8 Correct answer is A. Cognitive Science. This is an area based on research in

disciplines such as biology, neurology, psychology, mathematics and allied
disciplines. It focuses on how human brain works and how humans think and learn.
Applications of AI in the cognitive science are Expert Systems, Learning Systems,
Neural Networks, Intelligent Agents and Fuzzy Logic. B, C and D are incorrect. B.
Robotics: This technology produces robot machines with computer intelligence and
human-like physical capabilities. This area includes applications that give robots visual
perception, capabilities to feel by touch, dexterity and locomotion. C. Natural
Languages: Being able to 'converse' with computers in human languages is the goal
of research in this area. Interactive voice response and natural programming
languages, closer to human conversation, are some of the applications. D. Virtual
reality is another important application that can be classified under natural interfaces.
9 Correct answer is A. The word-processing software pops up suggested words based
upon the first few words keyed in by the user. Also, when the user keys in a new word
which is not available in its repertoire, it adds it to its collection & reflects it as an
option the next time similar letters are initiated. In effect, the software is able to
observe & record patterns and improves through ‘learning’. The other answers in
Options B to D involve the basic computing functions of a computer which are based
on a ‘go / no-go’ logic which does not involve pattern recognition or further learning.
Hence, the correct answer is only as in Option A which displays characteristics of
artificial intelligence.
10 Correct answer is A. Maximum mileage can be gained from e-commerce by converting
those business activities which are paper-based, time consuming & inconvenient for
customers as indicated in Option A. This will help us reduce paperwork, accelerate
delivery & make it convenient for customers to operate from the comfort of their homes
as also at any other place of their convenience. Hence, the other options are wrong.
129
Chapter 6
IT Enabled Assurance Services
This chapter provides an overview of different types of audit engagements that can be
undertaken by the IS auditors. Further, there is an insight into the world of frauds and cyber-
crimes which have grown as a part of the technological advances. The IS auditor may also
undertake role of an investigator on behalf of the enterprise to investigate various modes of data
leakage and theft and use digital forensics to retrieve data from damaged hard disks, and other
mediums of data storage. This requires advance technical skills. A brief overview is provided so
that interested ISAs can venture into these new areas.
6.2 Introduction
As information systems presence has become an indispensable part of our day to day living and
as enterprise processes have become inseparable from IT, it is becoming increasingly critical
to ensure safe and secure access to information from a computing environment and make it
available to authorized persons & processes anyone at any point of time. This heavy reliance
on information from information systems has become the very edifice of enterprises today.
Information has to be available with necessary security safeguards as the information misused
can lead to loss of revenue, reputation and non-compliance with regulations thereby impacting
the very survival of enterprises. There are new types of tech-savvy computer fraudsters who by
using their technical expertise can exploit information for committing frauds. Hence, ensuring
security of any IS environment is of utmost importance within the organization as the loss of it
can not only lead to huge financial losses but the enterprise can become liable for damages for
loss of private data of customers as also loss of goodwill and market share. Due to the increase
in sophistication of technology, there has been an unprecedented growth in frauds and cyber-
crimes. On the positive side, using technology effectively can help enterprises to reach out to
customers anytime, anywhere leading to geometric progression growth. Enterprise
managements look for assurance on security and value addition due to the use of IT. This
provides a great opportunity for IS auditors who are equipped with the right competencies and
skill-sets to provide assurance and value-added services.
6.3 Classification of Audits

An information technology audit, or information systems audit, is an examination of the
management controls within an Information technology (IT) infrastructure. The evaluation of
obtained evidence determines if the information systems are safeguarding assets, maintaining
data integrity, and operating effectively to achieve the organization's goals and objectives.
These reviews may be performed in conjunction with a financial statement audit, internal audit,
or other forms of attestation engagements. IT audits are also called IS audits and Computer
audits or IT/IS assurance Services.
The wide range or spectrum of IT audits cover the whole gamut of IT right from conception to
post-implementation review as also consulting on effective deployment. Some examples of
these services are as follows:
 Systems and Applications: An audit to verify that systems and applications are
appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely,
and secure input, processing, and output at all levels of a system's activities.
 Information Processing Facilities: An audit to verify that the processing facility is
controlled to ensure timely, accurate, and efficient processing of applications under
normal and potentially disruptive conditions.
 Systems Development: An audit to verify that the systems under development meet the
objectives of the organization and to ensure that the systems are developed in
accordance with generally accepted standards for systems development.
 Management of IT and Enterprise Architecture: An audit to verify that IT management
has developed an organizational structure and procedures to ensure a controlled and
efficient environment for information processing.
 Client/Server, Telecommunications, Intranets, and Extranets: An audit to verify
that telecommunication controls are in place on the client (computer receiving services),
server, and on the networks connecting the clients and servers.
 Compliance Audits: Compliance audits include specific tests of controls to demonstrate
adherence to specific regulatory or industry standards. These audits focus on particular
systems or data. Examples include Payment card industry Data security standard audits,
Health insurance portability and accountability act audit (HIPAA) etc. HIPPA is a US
legislation that provides data privacy and security provisions for safeguarding medical
information.
 Operational Audit: An operational audit is designed to evaluate the internal control
structure in a given process or area. Audits of application in operation or logical security
systems are some examples of operational audits.
 Financial Audit: The purpose of a financial audit is to assess the accuracy of financial
reporting. A financial audit will often involve detailed, substantive testing, although, IS
Auditors are now placing more emphasis on risk and control-based audit approach. This
kind of audit relates to financial information integrity and reliability.
 Integrated Audits: An integrated audit combines financial and operational audit steps.
An integrated audit is also performed to assess the overall objectives within an
organization, related to financial information and assets’ safeguarding, efficiency and
131
compliance.
 Administrative Audits: These are oriented to assess issues related to the efficiency of
operational productivity within an organization.
 IS Audits: This process collects and evaluates evidence to determine whether the
information systems and related resources adequately safeguard assets, maintain data
and system integrity and availability, provide relevant and reliable information, achieve
organizational goals effectively, consume resources efficiently, and have, in effect,
internal controls that provide reasonable assurance that business, operational and control
objectives will be met and that undesired events will be prevented or detected and
corrected, in a timely manner.
 Specialized Audit: Within the category of IS audits, there are a number of specialized
reviews that examine areas such as services performed by third parties. Because
businesses are becoming increasingly reliant on third party service providers, it is
important that internal controls be evaluated in these environments.
 Forensic Audit: Forensic Auditing has been defined as the audit specialized in
discovering, disclosing and following up on frauds and crimes. The primary purpose of
such a review is the development of evidence for review by law enforcement and judicial
authorities.
 Control Self-Assessment: This is conducted by the business process owners but
facilitated by the auditors. The main difference between this and the other engagement
types is that the auditors as control experts identify with those responsible for
implementing the required controls and assist them in doing self-assessment. Therefore,
setting the evaluation criteria and executing the evaluation are carried out by the business
owners themselves. It is clear that proper guidance and follow-up are required to optimize
the added value of this type of engagement within the enterprise. Especially with regard
to approach, tools and reporting, the auditors should clearly lead the way and verify
whether assessors are using the existing guidelines.
 Internal Audit/Compliance Reviews: Performed by a third party who is not involved in
the functioning of the enabler, but who is employed by the same enterprise as the
business owners of the enablers. Commonly, in a (medium- to large-sized) enterprise,
the evaluation criteria are set and the review is performed by the internal audit or
compliance department. This type of review is more independent than a self-assessment
because the auditor is not involved in the functioning of the enabler and therefore
contributes to the reliability/credibility of the evaluation outcome. Good practices and
consistent guidance are required to optimize the added value of this type of engagement.
6.4 IT Enabled Services

There is a wide variety of services that can be offered by the IS Auditors in every area of IT
132
implementation depending on their areas of technical expertise. IS Auditors can provide

assurance or consulting services at various stages of technology deployment right from
conception to post-implementation. Below is an illustrative sample problem statement with
proposed solutions and listing of service opportunities for IS Auditors.
Problem: There are inadequate IT management practices in the enterprise.
Solution Opportunity for an IS Auditor

Policies should be drafted  Create appropriate policies that meet the business
and enforced around the objectives.
environment  Review IT Policies – part of consulting assignment
Procedures should arise  Assist in development of the procedures that employees
from the policies should follow.
Review procedures and provide recommendations for
improvements.
Appropriate application  Assist in application selection and implementation.
software should be  Participate as a Project Management Office (PMO) in terms
selected and implemented of development and procurement of the applications.
 Assist as scope Manager in the SDLC process in terms of
requirement gathering.
Business workflows should  Design, develop necessary workflows that are to be
be designed and enforced enforced through the application software/information
in the applications systems.
 Perform a BPR (Business Process Re-engineering) on
information system requirements and provide
recommendations.
Perform risk assessment  Perform risk assessment exercise on the existing
and rank the risks workflows and processes and identify those areas of high
risk that need a higher level of attention. This is part of
activities that managements need perform.
Ensure appropriate  Provide advice in designing the roles and responsibilities
segregation of duties by of the employees.
ensuring right access is  Review existing roles and responsibilities and identify
given to the right conflicts in segregation of duties.
employees
Training is to be provided  Provide necessary training to the employees regarding the
new workflows, procedures, applications etc.
133
6.5 Fraud
Fraud is the wrongful or criminal deception intended for personal financial or other gains. Fraud
is a deception deliberately practiced in order to secure unfair or unlawful gain. Defrauding
people or organizations of money or valuables is the usual purpose of fraud. It may sometimes
involves obtaining benefits without actually depriving anyone of money or valuables. For
example, obtaining a driver’s license by way of false statements. The establishment of a strong
internal control environment is necessary to deter against fraud perpetration. For internal
controls to be effective, they must be constantly evaluated for effectiveness and changed as
business processes change.
6.5.1 Fraud Detection

Information technology has immensely benefited enterprises in terms of increased quality of
information delivery. However, widespread use of information technology and Internet has led
to enhanced risks resulting into perpetration of errors and frauds. Fraud is any act meant to
deceive and to obtain illegal, and undue advantage. Detecting frauds in IT environment poses
its own challenges since the data is in digital format and a fraudster can easily erase his tracks.
Management is primarily responsible for establishing, implementing and maintaining a
framework and design of IT controls to meet internal control objectives. A well-designed internal
control system provides a good deterrence against frauds and also an opportunity for their timely
detection. However, internal controls may fail where these are circumvented by exploiting
vulnerabilities or through management facilitated weaknesses in controls or collusions.
Legislations and regulations cast significant responsibilities on management, IS Auditors and
the audit committee regarding detection and disclosure of any fraud, whether material or not.
Understanding the auditee´s business and the risks the organization faces is a critical step for
developing an effective audit plan focussing on most sensitive areas. IS Auditors should observe
and exercise due professional care in all aspects of their work. Entrusted with assurance
functions, IS Auditors should ensure reasonable care while performing their work and be alert
to the potential fraud opportunities.
The presence of internal controls does not altogether eliminate fraud. IS Auditors should be
aware of the possibility and means of perpetrating fraud, especially by exploiting the
vulnerabilities and overriding controls. During the course of assurance assignments, the IS
Auditors may come across instances or fraud indications. The IS Auditor may, after careful
evaluations, communicate the need for a detailed investigation to appropriate authorities within
the organization. In the case of major fraud indications or if the risk associated with the detection
is high the IS Auditor should consider communicating to the audit committee in a timely manner.
Where the IS auditor is aware that management is required to report fraudulent activities to an
outside organisation, the IS auditor should formally advise management of their responsibility.
134
Let us look at the regulatory requirements of fraud as per Indian legislations.

1. Information Technology (Amendment) Act 2008: Casts responsibility on body
corporates to protect sensitive personal information by implementing reasonable security
practices and procedures. It also recognises and punishes offences committed by
companies and individuals through the misuse of IT.
2. LODR of SEBI: Makes the top management accountable for weaknesses in the internal
control systems. It requires CEOs and CFOs to certify on the effectiveness of the Internal
Controls.
3. CARO 2003: Requires verifying the adequacy of internal control procedures and
determining whether there were any continuing failures to correct major weaknesses in
internal controls. It also requires to report whether any frauds on or by the company had
been noticed or reported during the year.
The Government of India has also released the National Cyber Security Policy. This policy aims
at protecting information and information infrastructure in cyberspace and building capabilities
to prevent and respond to cyber threats. It aims to reduce vulnerabilities and minimize damage
from cyber incidents through a combination of factors such as institutional structures, people,
processes and technology.
The Standard on Internal Audit (SIA) 11 defines Fraud as: “an intentional act… involving the
use of deception to obtain unjust or illegal advantage”. A fraud that involves use of Computers
and Computer Networks is called a Cyber fraud. Frauds do not occur randomly, but result from
opportunities available. Thus the goal should be to eliminate the root causes that result in frauds
rather than looking for temporary solutions. Strengthening the system of internal controls is by
and large the best deterrence to frauds and IS auditors have an important role to play here. By
evaluating the adequacy of internal controls and identifying high risk areas in the system they
can provide valuable guidance on dealing with the risk of frauds. They need to have appropriate
knowledge of relevant standards and regulations as well as the various data analysis tools and
techniques available.
Standard on Auditing (SA) 505 “External Confirmations” deals with the Auditors’ use of
external confirmation procedures to obtain audit evidence in accordance with the requirements
of SA 330 and SA 500. The reliability of audit evidence is influenced by its source and is
dependent on the circumstances in which it was obtained. Audit evidence is more reliable when
it is obtained from independent sources outside of the entity being audited. Further, evidence
obtained directly by the IS Auditor is more reliable than obtained indirectly. The IS Auditor should
focus more on obtaining external evidences than internally.
Standard on Auditing (SA) 580 “Written Representations” deals with the Auditor’s
responsibility to obtain written representations from the management and, where appropriate,
those charged with governance. The IS Auditor should obtain formal representations from the
management as and when required. However, it should also be noted that written
135
representations do not absolve the IS Auditor from performing his duties while conducting the
audit.
Standards on Internal Audit: SIA 2 requires internal auditors to use their knowledge and skills
to reasonably enable them to identify fraud indicators. SIA 11 defines fraud and lays the
responsibility for prevention and detection of frauds on the management and those charged with
governance.
Standards on Auditing: SA 240 requires an auditor to evaluate whether the information
obtained from risk assessment procedures and related activities indicate presence of fraud risk
factors. SA 315 requires an auditor to identify risks of material misstatement arising due to fraud.
6.5.2 Cyber Fraud Investigation

Cyber frauds are perpetrated using information technology systems rather than traditional
methods of paper and pen. Cyber fraud investigation procedures are similar to a usual fraud
investigation, such as
1. Collecting and analysing documentation
2. Conducting interviews
3. Data mining & digital forensics
Fraud risk assessment is the tool that helps identifying potential fraud risk areas and also
assessing effectiveness of internal controls. IS Auditors need to confirm that regular risk
management processes are in place, and that commensurate controls have been implemented
to mitigate the risks identified.
 Identifying significant risk areas where an organisation is vulnerable to cyber frauds,
 Assessing their likelihood and impact,
 Determining where, how & by whom they may be committed, and
 Assessing whether the existing controls would be able to prevent their occurrences.
A Sample Cyber fraud risk assessment list is given below:
Cyber Fraud Likelihood Impact Internal Controls
Theft – Unauthorised access to Low High 1. Key Cards

computer Hardware. (e.g. Data 2. Security Guards
centres, Server rooms, network
devices etc.) 3. Visitor Logs
4. Circuit Cameras
5. Back up & Recovery Plans
6. Physical access controls
136
through biometrics `etc.
Identity theft – Unauthorised Medium High 1. Unique user IDs

access to personal information of 2. Strict password policy
Customers and Employees. (e.g.
Credit card information of 3. IDS & Firewalls
customers, Login IDs & 4. Incident response policy
Passwords of employees, etc.) 5. Delete ex-employee access
Information theft - Unauthorised Medium High 1. Segregation of Duties
access to confidential information 2. Access Logs
of Company. (e.g. Strategic
Plans, Unpublished financial 3. Transaction Logs
reports, etc.) 4. Security violation logs
5. Encryption
Copyright Infringement – Medium High 1. Block peer-to-peer sharing
Unauthorised access to Software 2. Internet Surveillance
and Databases. (e.g. Software
piracy, Peer-to-peer file sharing, 3. Software Licensing
etc.) 4. Information Sharing Policy
5. Protection of Software code
A holistic approach to fraud deterrence and prevention would be strengthening the governance
and management framework. IS Auditor could assist in evaluating control framework and
assessing the adequacy thereof and related policies. Sample questions for such assessments
and reviews for each of seven components adapted from COBIT 2019 are given below:
1. Policies and Procedures: Whether the organisation has a documented and approved
Cyber Fraud Governance and Management Program.
2. Processes: Does the organization have approved security policy and direction that senior
management conduct cyber fraud risk assessment regularly and evaluate whether
remedial measures are implemented to address cyber fraud risks.
3. Organisation Structures: Whether the organisation has clearly defined roles and
responsibilities in relation to cyber fraud management which meets both regulatory and
stakeholder requirements.
4. Culture, Ethics and Behaviour: Does management conduct periodic employee
awareness programs and training in relation to corporate governance, compliance and
cyber fraud.
5. Information Flows and Items: Whether the organisation has a proper reporting
mechanism for notifying fraud concerns to the top management and these are escalated
137
to the board and reviewed by audit committee.

6. Services, Infrastructure and Applications: Has the organisation made appropriate use
of technology in preventing and detecting Cyber Fraud.
7. People, Skills and Competencies: Has the organisation formed expert teams or
arranged for services of experts to conduct periodic fraud investigations.
6.5.3 Cyber Forensics: Digital Forensics

By definition, computer forensics is the “process of identifying, preserving, analysing and
presenting digital evidence in a manner that is legally acceptable in any legal proceedings (i.e.
court of law). An IS Auditor may be required or asked to be involved in a forensic analysis in
progress to provide expert opinion or to ensure the correct interpretation of information
gathered. Computer forensics includes activities that involve the exploration and application of
methods to gather, process, interpret and use digital evidence that helps to substantiate whether
an incident happened such as:
 Providing validation that an attack actually occurred
 Gathering digital evidence that can later be used in judicial proceedings
Any electronic document or data can be used as digital evidence, provided there is sufficient
manual or electronic proof that the contents of digital evidence are in their original state and
have not been tampered with or modified during the process of evidence collection and analysis.
It is very important to preserve evidence in any situation. Most organizations are not well
equipped to deal with intrusions and electronic crimes from an operational and procedural
perspective, and they respond to it only when the intrusion has occurred, and the risk is realized.
The evidence loses its integrity and value in legal proceedings if it has not been preserved and
subject to a documented chain of custody. This happens when the incident is inappropriately
managed and responded to in an ad hoc manner. For evidence to be admissible in a court of
law, the chain of custody needs to be maintained professionally. The chain of evidence
essentially contains information regarding:
 Who had access to the evidence (chronological manner)?
 The procedures followed in working with the evidence (such as disk duplication, virtual
memory dump etc.)
 Providing assurance that the analysis is based on copies that are identical to the original
evidence (could be documentation, checksums, timestamps etc.)
It is important to demonstrate integrity and reliability of evidence for it to be acceptable to law
enforcement authorities.
Some terms related with evidence are given below:
Identify: Refers to identification of information that is available and might form the evidence of
138
an incident
Preserve: Refers to practice of retrieving identified information and preserving it as evidence.
The practice generally includes the imaging of original media in presence of an independent
third party. The process also requires being able to document chain of custody so that it can be
established in a court of law.
Analyze: Involves extracting, processing and interpreting the evidence. Extracted data could
be unintelligible binary data after it has been processed and converted into human readable
format. Interpreting the data requires an in-depth knowledge of how different pieces of evidence
may fit together. The analysis should be performed using an image of media and not the original.
Present: Involves a presentation to the various audiences such as management, attorneys,
court, etc. Acceptance of the evidence depends upon the manner of presentation, qualifications
of the presenter, and credibility of the process used to preserve and analyze the evidence.
6.5.4 Fraud investigation Tools and Techniques

Data analysis technologies using Computer Assisted Audit Techniques (CAAT) are the most
effective tools and techniques to detect fraud. CAATs provide powerful software capable of
running through large volumes of data and drawing inferences from them quickly. This makes it
possible to analyse the entire population instead of adopting the sampling approach. CAATs are
extensively used in the process of fraud detection. Some useful functions available in CAAT
are:
1. Stratification: to identify abnormal strata.
2. Classification: to identify abnormal patterns.
3. Summarisation: to compute control totals and identify analysis variances.
4. Outliers: to identify transactions which are outside normal range.
5. Benford Law: to identify possible fraud areas.
6. Trend Analysis: to analyse trends by reviewing patterns which vary from normal.
7. Gap Test: to identify gaps in a sequence.
8. Duplicate Test: to identify duplicate records.
9. Relation: to relate records from different tables.
10. Compare: to compare records and identify differences.
6.6 Some Case Studies of Frauds and Lessons

Case Study 1: Cosmos Bank Fraud
Pune based Cosmos Bank became a victim of cyber-attack in August 2018 that caused the bank
over Rs 90 crore loss. The fraud began with a malware attack. Malware is a malicious software
139
that is normally sent as a link to the intended target. Once clicked, it can install executable codes
and scripts. It is normally avoided by using anti-malware and antivirus software, and firewalls.
In this case, the malware compromised a digital system responsible for settling cash
dispensation requests raised at ATMs. As soon as one swipes a card, a request is transferred
to the core banking system (CBS) of the bank. If the account has enough money, the CBS will
allow the transaction. It is suspected that the fraudsters used cloned debit cards of bank’s
customers. In this case, the malware created a proxy system that bypassed the CBS and
approved a series of 14,800 fraudulent transactions to withdraw Rs 80.5 crore - Rs 78 crore
through 12,000 transactions in 28 countries, the rest in India. Another Rs 13.5 crore was
transferred to a Hong Kong-based entity using SWIFT (Society for Worldwide Interbank
Telecommunications).
One of the control measures against malware is to have upgraded and tested operating system.
RBI, the banking regulator had pointed out that as in August 2018, many ATMs were still running
on Windows XP and other unsupported software. RBI had directed all the banks to upgrade their
software by June 2019.
As per industry experts, continuous monitoring and surveillance and deployment of Incidence
Response Teams is required to prevent such attacks.
Case Study 2: The WorldCom fraud
WorldCom fraud was one of the biggest crime cases in USA. WorldCom was one of the biggest
telecom companies in USA. It had cooked books to hide falling profitability, and inflated net
income and cash flow by recording expenses as investments. This is a popular example of
using technology for fraud detection. The Internal Auditors had found around $500 million debit
in the Property, Plant and Equipment (PP&E) account for which they could not find any invoices
or documentation to back up. As the Company would not provide full access to the financial
system, the Auditors had to apply data mining techniques to search the data by using a small
script and MS Access. Thereby, they were able to search the entire population of data for
anomalies in the trends & patterns. As they followed through the accounts, they discovered
misallocated expenses of several billion dollars and bogus accounting entries that inflated the
revenues. This was one of the crimes that led to the Sarbanes-Oxley Act in July 2002, which
strengthened disclosure requirements and the penalties for fraudulent accounting.
Lessons and Tips
While sampling techniques may be good for identifying weaknesses in internal controls, they
are not recommended in fraud detection. Frauds involve human intelligence and may affect only
a few transactions which may not be represented in a sample. Hence, fraud detection
methodologies require analysis of the entire population, which needs the aid of computer
technology and data analytics techniques.
Case Study 3: The $54 million fraud
This is a typical example of how lack of segregation of duties could lead to a phenomenal fraud.
140
Rita Crundwell, the controller and treasurer of Dixon, an Illinois town, with an annual budget of
$6 million to $8 million, was able to embezzle nearly $54 million over two decades. The fraud
remained undetected in annual audits by two independent accounting firms and in annual audit
reviews by state regulators. She launched the fraud scheme on Dec. 18, 1990, when she opened
a secret bank account in the name of the City of Dixon. Crundwell was the only signatory on the
account, which was called the RSCDA (Reserve Sewer Capital Development Account). She
began transferring funds from city accounts into the RSCDA account in 1991. The city, which
does not have a city manager, gave Crundwell wide rein over its finances and set the stage for
her massive fraud. The failure to segregate duties allowed Crundwell to set up and operate a
fairly simple fraud scheme.
Lessons and Tips
Roles and responsibilities must be clearly defined and proper segregation of duties must be
done to ensure that no single person can be maker as well as the checker of a particular
transaction flow. Auditors must ensure the existence of internal controls with systems designed
to prevent or deter these types of frauds. Also, regular fraud risk assessments should be
conducted to Identify areas of risk where theft or manipulation are likely to occur.
Case Study 4: The Satyam Fraud
This is a case of manipulation of the books of account by inflating revenues through fake
invoices. The Company’s standard billing systems were subverted to generate false invoices to
show inflated sales. 7,561 invoices worth Rs.51 billion (US$1.01 billion) were found hidden in
the invoice management system using a Super User ID. The value of these fake invoices were
shown as receivables in the books of account thereby inflating the revenues of the company.
The charge framed against the Auditors was that they did not bring the internal control
deficiencies to the notice of audit committee and thereby, facilitated the continuance of the
fraudulent practices unabated.
Lessons and Tips
Auditors must remember that anyone of any stature could act with monumental recklessness,
selfishness and self-destructiveness as Ramalinga Raju, the then Chairman of the company,
did. They must also be conscious of the fact that anything can be faked in this modern
technology driven world and that they need to continuously update their skills and knowledge in
order to keep up with the new challenges.
Case Study 5: Bangladesh Central Bank Fraud
Bangladesh Central Bank was defrauded in February 2016, when thirty-five fraudulent
instructions were issued by security hackers via the SWIFT network to illegally transfer close to
US $1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh
Bank. The heist was linked to a customized malware attack that compromised SWIFT software
used to transfer funds. SWIFT is a Belgium-based cooperative of 3,000 organizations that
141
maintains a messaging platform used by banks to transfer money across borders, often in real
time. It was the bank's systems or controls that were compromised, not the SWIFT software.
Five of the thirty-five fraudulent instructions were successful in transferring $101 million, with
$20 million traced to Sri Lanka and $81 million to the Philippines. The Federal Reserve Bank of
New York blocked the remaining thirty transactions, amounting to $850 million, due to
suspicions raised by a misspelled instruction. All the money transferred to Sri Lanka has since
been recovered
The attack was waged against Bangladesh Bank, the nation's central bank. It was the account
of the bank with SWIFT, rather than that of the bank's customers, that was taken over. They
used these credentials to authorise about three dozen requests to the Federal Reserve Bank of
New York to transfer funds from the account of Bangladesh Bank. While hackers can
successfully access many systems without insider assistance, in this case, almost certainly
insider knowledge of how the system operates was used to overcome the fraud detection
controls. This knowledge could easily have come from a current employee at SWIFT or
Bangladesh Bank.
The malware used to compromise a computer used for SWIFT transactions was designed to
hide traces of fraudulent payments from the bank's local database collections. What's more,
once money is transferred via SWIFT, it's typically not reversible. Multiple banks and transfers
may be involved in completing a transaction, all taking place within seconds. And because
multiple banks and accounts are involved, by default, the transfers are not reversible when
disputed. The malware was able to be installed on the SWIFT software computer because the
attacker was in Bangladesh Bank's network with access - presumably with enough access to
override any locally installed security software. The perpetrators managed to compromise
Bangladesh Bank's computer network, observe how transfers are done, and gain access to the
bank's credentials for payment transfers. Later the Governor of Bangladesh Bank stated that he
had foreseen cyber security vulnerabilities one year ago and had hired an American cyber
security firm to bolster the firewall, network and overall cyber security of the bank. However, the
bureaucratic hurdles prevented the security firm from starting its operations in Bangladesh until
after the cyber heist
The key defense against such attack scenarios remains for users to implement appropriate
security measures in their local environments to safeguard their systems - in particular those
used to access SWIFT - against such potential security threats. Such protections should be
implemented by users to prevent the injection of malware into, or any misappropriation of, their
interfaces and other core systems. As per experts, the banks should be using the very same
controls over their own systems that they expect of their own customers. Further, SWIFT
transactions should be conducted only on computers that are isolated from other devices on
banks’ networks. It should be a dedicated computer for its single task.
142
6.7 Overview of lessons learned

More often than not, it is poor governance and mismanagement that makes an organisation
vulnerable to the risk of Cyber Fraud. Managements must ensure they implement adequate and
appropriate internal controls. IS Auditors can assist organisations in not only investigating and
detecting fraud but also play a proactive role in helping them maintain effective fraud
management program that would include fraud deterrence, prevention and detection,
investigation and prompt response.
6.8 Summary
In this chapter, we have learnt various types of assurance and advisory services which can be
provided by IS Auditors. Further, an insight into fraud related activities which may result in loss
of critical information of the enterprise and how to conduct investigation into fraud related
activities by using data analysis and forensic tools was discussed.
6.9 Questions
1 Which of the following factors should not be considered in establishing the priority of
audits included in an annual audit plan?
A. Prior audit findings
B. The time period since the last audit
C. Auditee procedural changes
D. Use of audit software
2 Which of the following is LEAST likely to be included in a review to assess the risk of
fraud in application systems?
A. Volume of transactions
B. Likelihood of error
C. Value of transactions
D. Extent of existing controls
3 An IS auditor discovers evidence of fraud perpetrated with a manager's user id. The
manager had written the password, inside his/her desk drawer. The IS auditor should
conclude that the:
A. Manager’s assistant perpetrated the fraud.
B. Perpetrator cannot be established beyond doubt.
C. Fraud must have been perpetrated by the manager.
143
D. System administrator perpetrated the fraud.

4 Which of the following situations would increase the likelihood of fraud?
A. Application programmers are implementing changes to production programs.
B. Application programmers are implementing changes to test programs.
C. Operations support staff are implementing changes to batch schedules.
D. Database administrators are implementing changes to data structures.
5 Neural networks are effective in detecting fraud, because they can:
A. Discover new trends since they are inherently linear.
B. Solve problems where large and general sets of training data are not obtainable.
C. Attack problems that require consideration of a large number of input variables.
D. Make assumptions about shape of any curve relating variables of output
6 The FIRST step in managing the risk of a cyber-attack is to:
A. Assess the vulnerability impact.
B. Evaluate the likelihood of threats.
C. Identify critical information assets.
D. Estimate potential damage.
7 Which of the following refers to imaging of original media in presence of an
independent third party?
A. Identify
B. Preserve
C. Analyze
D. Present
8 As a measure of IT General controls, an organization decides to separate those who
can input data from those that can reconcile or approve data. Is this a good move?
Why?
A. Yes, it is a good move; it can help prevent unauthorised data entry.
B. No, it is not a good move; the person who inputs the data is the best person to
approve the data too.
C. Yes, it is a good move; inputting data & reconciling data requires different skills.
D. No, it is not a good move; data entry errors would be compounded.
9 A holistic approach to deterrence & prevention of fraud would be:
144
A. Strengthening of Governance and Management framework

B. Focussing on integrity of new recruits
C. Establishing severe punishment for fraud
D. Compensating employees adequately to minimize temptation
10 After initial investigation, IS auditor has reasons to believe that there is possibility of
fraud, the IS auditor has to:
A. Expand activities to determine whether an investigation is warranted.
B. Report the matter to the audit committee.
C. Report the possibility of fraud to top management and ask how they would like to
proceed.
D. Consult with external legal counsel to determine the course of action to be taken.

1 D. Use of audit software merely refers to a technique that can be used in performing
an audit. It has no relevance to the development of the annual audit plan.
2 B. An error is the least likely element to contribute to the potential for fraud. Answer
A and C are incorrect since volume and value of transactions give an indication
of the maximum potential loss through fraud. Answer D is incorrect since gross
risk less existing controls give net risk.
3 B. The password control weaknesses mean that any of the other three options
could be true. Password security would normally identify the perpetrator. In this
case, it does not establish guilt beyond doubt.
4 A. Production programs are used for processing an enterprise's data. It is
imperative that controls on changes to production programs are stringent. Lack
of controls in this area could result in application programs being modified to
manipulate the data. Application programmers are required to implement
changes to test programs. These are used only in development and do not
directly impact the live processing of data. The implementation of changes to
batch schedules by operations support staff will affect the scheduling of the
batches only; it does not impact the live data. Database administrators are
required to implement changes to database structures. This is required for
reorganization of the database to allow for additions, modifications or deletions
of fields or tables in the database.
5 C. Neural networks can be used to attack problems that require consideration of
145
numerous input variables. They are capable of capturing relationships and

patterns often missed by other statistical methods, and they will not discover
new trends. Neural networks are inherently nonlinear and make no assumption
about the shape of any curve relating variables to the output. Neural networks
will not work well at solving problems for which sufficiently large and general
sets of training data are not obtainable.
6 C. The first step in managing risk is the identification and classification of critical
information resources (assets). Once the assets have been identified, the
process moves onto the identification of threats, vulnerabilities and calculation
of potential damages.
7 B. Preserve refers to practice of retrieving identified information and preserving it
as evidence. This practice generally includes the imaging of original media in
presence of an independent third party.
8 A. Segregation of duties is an important control tool whereby, conflicting roles in
particular, are segregated and handled by different individuals. It reduces the
risk of fraud since one person cannot independently commit any fraud but would
need to collude with the second. Also, since the output of one individual may
become the input for another, an independent accuracy check of one person’s
work by another person becomes a built-in reality. Hence, the answer in Option
A is correct.
9 A. A holistic approach to deterrence and prevention of fraud would require
strengthening of governance and management framework. The answers in
options B to D address the issue in bits and pieces and, hence, are not the right
answers. Answer at Option A alone is correct.
10 A. An IS auditor’s responsibility for detecting fraud includes evaluating fraud
indicators and deciding whether any additional action is necessary or whether
an additional investigation should be recommended. The IS auditor should notify
the appropriate authorities within the organization only if it has determined that
the indicators of fraud are sufficient to recommend an investigation. Normally,
the IS auditor does not have authority to consult with external legal counsel.
References
www.icai.org
www.isaca.org
www.csoonline.com
www.businessdictionary.com
146
www.sans.org
CISA Review Manual
Information Systems Control and Audit by Ron Weber
NIST Guidelines
ITAF 3rd edition
ISO/IEC 27001 standards
147
Appendix 1
RFP from Bank for IS Audit of Application
Software
Background: This is a private sector bank with branches all over India. It is using a number of
applications – both developed In-house and Outsourced for its business operations. It wishes
to have these application solutions audited as per the scope of audit given below.
Software Packages to be audited are:
Category A: Developed In-house (Standalone)
1. Bills
2. Remittance
3. Vostro Accounts
4. Preventive Monitoring System
Category B: (Outsourced)
1. Cash Management Services
2. Centralised Banking Solution
The Scope of Audit is as under:
 Evaluation of Efficiency & Effectiveness of the package vis-à-vis business process and
requirements
 Application Security & Controls review
 Database Security and Integrity review
 Review of Interface Controls with other applications
 Review of Network & Communications controls in relation to the application package
Inter-alia, the scope shall include the following:
1. Whether the design of the software conforms to the Requirements Specifications.
2. Objectives of the application - whether these have been fulfilled/ likely to be fulfilled by
implementation.
3. Whether bank’s systems & procedures are being followed in the application.
4. What are the controls built in the application? Whether these take care of bank’s systems
and procedures.
RFP from Bank for IS Audit of Application Software
5. What are the security features available / built into the application package and whether
these are sufficient to take care of the risks in financial transactions?
6. What is the relative efficiency of the application in conduct of transactions vis-à-vis the
performance in similar packages?
7. Testing robustness of the application package by running a specified number of
transactions.
8. Assessment of the Risk component in the package.
9. To test and verify for any bugs in the application package.
10. To specify clearly methodology to be adopted in carrying out each of the above steps.
149
Appendix 2:
Response to RFP for Logical Access
Controls Review of SAP
Introduction
The Client Company (Max Infotech)
Max Infotech began its business operations in 1959. Today the Max Infotech Group is a
significant player in the Indian software industry with a gross sales turnover of Rs 10.20 Billion
in 2018-19. The Max Infotech Group offers a range of IT enabled services. The services of the
Group are divided into the specific business units covering specific business interests. Max
Infotech has over 5000 employees located in 10 ITPs and 20 marketing offices in India and
abroad. Max Infotech has implemented SAP Ver. X and has been using it successfully for more
than 3 years. It has more than 500 SAP users in the group. Max Infotech is also considered as
one of the SAP Competency Centres in India. The primary SAP modules used are SD, FD, PD,
HR, QM and PM. It intends to provide information access to its dealers. Max Infotech intends to
have an IS Audit of SAP implementation covering Logical Access Security encompassing
security at Network, OS, Database and functionality layers.
IS Assurance and Consulting Firm

IS Assurance and Consulting Company (ISACC) is a 20-year-old firm of Chartered Accountants
specializing in Information Systems Assurance, Training and Consulting including Management
consultancy services. ISACC provides services in the areas of Information Systems Audit,
Training, Implementation and Consultancy. ISACC is led by Mr. Abraham who is a Chartered
Accountant and has a diploma in Information Systems Audit of ICAI. The firm has qualified and
trained IS audit personnel. We are enclosing brief profile of the firm. The firm also has on its
panel Technology\Domain experts available, as required. ISACC have been involved in
providing Information Systems Assurances for both the public and private sector in India and
abroad. ISACC’s clients include IT companies, banks and public sector companies.
Background
Objective of SAP Review
Max Infotech Group has been using Information Technology as a key enabler for facilitating
business processes and enhancing services to its customers. The senior management of Max
Infotech has been very proactive in directing the management and deployment of Information
Technology. Most of the mission critical applications in the company have been computerised.
The IT department of Max Infotech has developed Information Systems Controls (Policies,
Procedures, Practices and Organisation Structure) as envisaged by the management for
Response to RFP for Logical Access Controls Review of SAP
ensuring uniformity and standardization in implementation of IT Solutions across the company.

The internal audit team of the company has been well trained in IT and has gained extensive
experience in auditing all IT applications and they have also specific competency in all the key
functionalities of SAP.
Need for SAP Application and Logical Access Review
Max Infotech has successfully implemented SAP covering all its critical operations and has been
using it since more than 2.5 years. The implementation has stabilized and standardized across
all the operational locations \ functions. A functionality assessment was performed by SAP to
confirm the effective usage of SAP about one year ago. The internal audit team now intends to
have a security assessment of SAP implementation, primarily to assess the logical access
security framework. The objective is to identify areas of control weaknesses by benchmarking
against global best practices. The risks identified are expected to be mitigated by implementing
controls as deemed relevant to ensure that SAP implementation is secure and safe and provide
assurance to the senior management of Max Infotech.
Understanding the need
Based on the discussion held with the internal audit team headed by Mr. B.S. Sinha at the Max
Infotech premises at Ghaziabad on 6th March 2019, the scope has been proposed and defined.
This proposal outlines the overall strategy and methodology for this assignment.
Methodology for executing the Assignment

Primary Objective
The primary objective of this assignment is to conduct Logical Access Controls Review of SAP
by using the latest and globally recognised standard COBIT 2019 issued by the ISACA, USA.
The review of SAP would be with the objective of providing comfort on the adequacy and
appropriateness of controls so as to mitigate the system operational risks and ensure that the
information systems are implemented to provide a safe and secure computing environment.
Scope and Terms of Reference
Based on our understanding of Max Infotech's needs for conducting systems audit of SAP, it
was decided to primarily focus on Review of Logical Access Controls in SAP. We propose the
scope of review and the terms of reference as laid down in the following paragraphs. The
envisaged terms of reference are based on the in-person discussions with the internal audit
team of Max Infotech on 7th March 2019 at Bangalore. The detailed scope of review and
methodology to be followed are given in the annexure. The methodology would be further
enhanced and refined as the audit progresses based on specific needs of the audit environment.
Broadly, the scope of review primarily will be from security\controls perspective and would
involve:
A. Review of IT Resources as relevant
151
a. Operating Software - Access controls

b. Telecommunications Software - Access Controls
c. RDBMS - Access Controls
d. SAP - Major focus area – Configuration of Parameters and Access Controls
e. Application controls at various stages such as Input, Processing, Output, Storage,
Retrieval and transmission so as to ensure Confidentiality, Integrity and Availability
of data.
B. Organisation structure policies, procedures and practices as mapped in the information
systems - efficiency\controls.
Our Approach/Methodology
Audit Approach
A. Our approach to the assignment would be as follows:
(i) We propose to deploy a core team of 4 to 6 IS audit personnel for this assignment in
batches of 2 to 3 as per the skill sets required, under the personal direction and liaison
of the Principal, Mr. Abraham.
(ii) Max Infotech should designate a person at a senior level to coordinate between us. Max
Infotech should also depute one personnel each from systems and audit group to form
part of the audit team.
(iii) Detailed systematic audit procedures would be finalized after completing review of the
documentation and discussion with the systems staff and the users.
In tune with terms and scope of reference of the assignment, we will adapt the methodology
from COBIT®. Specific Control Objectives\Management Guidelines of the relevant IT process
of Logical Access controls shall be selected for this assignment after obtaining understanding
of the organisation structure, deployment of information systems and available documented
policies and procedures.
Structured Methodology
The above-mentioned objectives shall be achieved through the following structured
methodology;
 Obtain understanding of IT Resources deployment at Max Infotech
 Obtain understanding of the IT Strategy and internal control system at Max Infotech
 Identification and documentation of IT related Circulars issued by Max Infotech.
 Identification and documentation of Organisation Structure and Information Architecture
 Identification and documentation of existing policies, procedures and practices
152
 Application of COBIT® for formulating IT best practices for the Policy and Procedures of
Max Infotech
 Formulation of draft report on our findings covering our review and benchmarking.
 Presentation of final report with agreed action plan based on feedback of IT management
of Internal Audit team of Max Infotech
Max Infotech shall make available all the required resources on time and provide one
coordinator for interaction and clarifications, as required.
Audit Plan
The audit plan would cover the following activities:
1. Discussions with the
 Internal Audit Team
 Systems\Implementation Team
 Users and user management
2. Review of Operating Systems (OS) documentation
3. Examination of OS access rights
4. Review of Oracle\SAP Manuals
5. Examination of selected Modules access profiles
6. Observation of the Users and the systems in operation
7. Review of access controls over Computers as relevant
8. Examination of computerised processing controls incorporated within the selected
modules.
Audit Program/Procedures
Our audit team would perform the following tasks based on the audit methodologies:
1. Undertake an in-depth study and analysis of all aspects of SAP as implemented at Max
Infotech. We will take steps to identify the way in which the system currently operates. In
doing so, the following objectives would be kept in mind while setting the overall goals:
 Accurate and complete processing of data
 Error messages in case of incomplete/aborting of processing of data
 Optimise data handling and storage
 Better management of information
2. Review the software in operation; understand how the various modules interact within the
153
overall system.
3. Review how each module in the system has been tested including the documentation
prepared in respect of each.
4. Review the methods employed for implementation of the system, including post-
implementation review procedures undertaken to ensure that the objectives set out were
actually achieved.
5. Understand the business processes and review how these have been mapped in the
information systems by tracing the modules with a top down approach.
6. Review the modules by performing detailed documented tests of all the menu options and
their related effects.
7. Review the controls established over the continuity of stored data, necessary to ensure
that once data is updated to a file, the data remains correct and current on the file.
8. Review the in-built controls for stored data so as to ensure that only authorised persons
have access to data on computer files.
9. Review the controls established which ensure that all transactions are input and accepted
for further processing and that transactions are not processed twice.
10. Review the controls established so as to ensure that only valid transactions are
processed.
11. Review the procedures established for back-up and recovery of files in the package.
12. Review controls established for the development, documentation and amendment of
programs so as to ensure that they go live as intended.
Assignment Team
Our approach to selecting the right people for a project is to bring together the necessary skills
and experience for a particular assignment from the rich mix of skills and experience available.
The assignment would be executed under the personal supervision and led by Mr. Abraham.
The team would be a blend of professionals with extensive experience in Management,
Information Systems and Auditing. The team includes Chartered Accountants, IT Professionals,
Management Consultants and Certified Information System Auditors. The senior members of
the team are:
 Abraham
 Ramprakash
 Ravindra Jain
 Hariram
154
Logistic Arrangements
Infrastructure Required
It will be necessary for Max Infotech to appoint one coordinator who will be part of the
discussions on the work plan initially and continue to work with our team till the assignment is
complete. Max Infotech will make available necessary systems, software resources and support
facilities required for completing the assignment within the agreed time-frame. During the course
of the assignment, we will require following:
 Three Nodes with Read only access to SAP.
 One Laptop with Windows 10/Microsoft office 2013 or higher version.
 Access to a laser printer for printing reports as required.
 Adequate seating and storage space for audit team
 Facilities for discussions amongst our team and your designated staff.
Documentation Required
 User Manuals and Technical Manuals relating to System Software and SAP.
 Organisation chart outlining the organisation hierarchy and job responsibilities.
 Access to circulars\guidelines issued to employees.
 Access to user manuals and documentation relating to SAP Implementation by Max
Infotech.
 Any other documentation as identified by us as required for the assignment.
Estimated Timeframe, Deliverables and Fees

Deliverables
1. Draft Report including executive summary of the result of the review along with the
recommendations of findings and recommendations with risk analysis of findings.
2. Final Report incorporating Management Comments and agreed priority plan of action
based on exposure analysis.
3. Soft or hard Copy of Checklist used for the audit.
4. Soft or hard Copy of Audit Methodology and documentation.
Time Frame
The estimated time for the assignment is approximately 12 weeks (three-man months). We
would require lead-time of two weeks for commencing the assignment. The availability of
coordinating team, user involvement, availability of resources and information by the auditee
155
would also impact the audit duration and time schedule, which we would be communicating to
you in advance.
Fees
The Fees for this assignment are Rs. x.xx Lakhs (Rupees xxx only) to be paid as follows:
 50% Advance on Proposal acceptance
 Balance 50% on presentation of Final Report
Out of pocket Expenses
Travelling, Boarding, Lodging and conveyance expenses to be reimbursed on actuals in case
of outstation travel. As our HO is in Bangalore, the assignment may involve one\two trips of Mr.
Abraham from Bangalore to Delhi for the assignment.
Authorised Signatory
Encl: Profile of ISACC
156
Appendix 3
Sample IS Audit Finding
Logical Access Controls Review of Operating System (OS)
We have reviewed procedure of granting access to the Operating system and Toll Operations
Package. Our specific findings and recommendations with agreed action plan are given below:
The overall control objective in implementing OS Access controls:
“The creation of users and their access need to be controlled through appropriate Authorization
levels. Controls have to be laid down and adhered to while granting authorization. Access logs
are to be generated whenever the OS is accessed and Access Logs should show details as to
the users accessing the OS, the period of access and the resources accessed. System must
enforce a systematic procedure for logins and logouts. All access points to the system are to be
monitored by way of access logs and these access points are available only on the
administrators’ console and terminals”.
Findings
1. System Users have blank user-ids:
Issue: Presently, system manager has the system administration rights and toll manager is also
created as a user who can modify the ini settings in PQR. These users have a blank user-id and
passwords have not been changed since installation.
Implication: High
User accountability may not be established on account of lack of documentation. The operations
of PQR may be affected in case of breakdown and non-availability of the relevant personnel.
Recommendations:
 The users of Operating System and Toll Operations Package in PQR Computer need to
be authorized in writing by senior management. Creation of their user ids and passwords
should be documented and accepted by the user and kept by senior management in
sealed cover in safe custody to be available in case of need.
 Password policy has to be formulated and passwords should be changed at least once in
90 days without reusing the previous five passwords.
Management comment: Agreed. System manager will create user ids for all authorized users.
2. PQR Computer is networked to other office computers

Issue: The PQR Computer is linked to other computers in the Network. These computers are
only being used by the Toll Manager and his staff for performing administration jobs such as
preparing Toll Reports. Networking of these office computers with PQR computer makes it
vulnerable to unauthorized access.
Implication: High
PQR System could be accessed by any of the users of the office computers.
Recommendations:
A review of security and operations settings needs to be done and all access to PQR Computer
from any of the office computers has to be removed or restricted.
Management comment: Agreed. Will be reviewed and modified as required.
158
Appendix 4
CAAT Report using SQL
Sample Results of using CAAT
As a part of our audit procedure, we have used SQL to directly access and analyze the data
stored in the tables. Our observations and the related analysis are given below. As these
observations relate to the data stored which could impact financial accounts, we have submitted
this information to Statutory Auditors and user department of ABC with a request to verify these
SQL results and confirm the impact on the financial statements. The detailed tables of SQL
Statements can be obtained from ABC, IT Department. Our observations with implications,
comments and our Risk assessment are given below.
Users available with invalid Employee Codes

Rating: High
There are two user ids within user id 15, which is still being used. The transactions used by live
users will result in user accountability not being established.
Implications
As the employer code is invalid, it will be difficult to establish accountability for transactions
entered using this ID in case of errors or frauds.
IT Department’s feedback and Agreed Action
This user-id was created during the time of data conversion. This user-id has been disabled so
that transactions cannot be entered using this user-id.
Past Employees having ID in User Table
Rating: High
There are 19 users who have user IDs including ex-employees.
Implications
The number of users in the system is much more than the actual users. This is on account of
the fact that past and temporary users have not been disabled.
The number of users will correspond with actual current users. All other users will be
disabled.
Transactions with amount as Null in FA Trans table

Rating: Medium
Transactions with Amount as Null are listed day-wise. There are 181 transactions, which need
to be analyzed.
Implications
This results in dummy transactions, which may not have any value, or genuine transactions
might have been stored without values.
This has occurred on account of transactions where DD charges are deducted from loan amount
for obtaining DD whereas the loan account is debited with the total amount including DD
Charges. This does not have any financial impact.
160
Appendix 5
Sample IS Audit Report
Objectives of the Assignment
The primary objective of this Information Systems Audit assignment was to provide assurance
to the management of ABC Limited (ABC) on the availability, appropriateness and adequacy of
controls in the Financial Accounting and Loan Processing System (FALPS) through review of
 controls of their in-house package - Financial Accounting and Loan Processing System
(FALPS),
 Logical access controls of FALPS, and
Conduct Implementation audit of General Controls at 2 select branches with specific emphasis
on implementation of FALPS.
Scope of Review/Terms of Reference

Based on understanding of ABC's needs for conducting systems audit of FALPS Package, it was
decided to primarily focus on Review of data integrity in FALPS Package. The review of FALPS
Package was with the objective of providing comfort on the adequacy and appropriateness of
controls and data so as to mitigate the system operational risks and ensure that the information
systems are implemented so as to provide a safe and secure computing environment. The
detailed scope of review \ methodology was also agreed to. Broadly the overall scope of review
primarily from security / controls point of view involved the following: Application controls at
various stages such as Input, Processing, Output, Storage, Retrieval and Transmission so as to
ensure Confidentiality, Integrity and Availability of data. Further, organization structure policies,
procedures and practices as mapped in the information systems focusing on efficiency / controls
were also reviewed.
Broad areas reviewed covering the following:
1. Logical Access Controls Review as implemented through:
a. Operating System Software (Unix) - Access controls
b. Telecommunications Software - Access Controls
c. RDBMS (Oracle)- Access Controls
d. FALPS Package - Major focus area - Access, security and effectiveness.
2. Review of General controls at 2 select branches covering Environmental and Physical
Access Controls Review, Logical access Controls review as implemented, Application

Controls as implemented and review of policies, procedures and practices relating to IT
Implementation.
Our Approach/Methodology
The Audit was carried out as per Audit Plan and Program, which were discussed with the
statutory auditors and ABC’s senior management. We have used the COBIT issued by ISACA,
USA for this review. The Key tasks of our Audit plan are highlighted below:
 Discussions with the IT department and user management
 Review of Circulars issued by ABC Ltd relating to IT operations
 Review of Environmental Access and Physical Access controls
 Review of Operating Systems (Unix) and RDBMS (Oracle) Manuals
 Examination of OS and RDBMS access rights
 Review of FALPS Package Technical and User Manuals
 Examination of access profiles and parameter settings in FALPS package
 Review of Application Controls in FALPS package
 Observation of the users and the system in operation
 Examination of processing controls in FALPS using test data
 Review of Reports and Audit Logs in System Software and FALPS package.
Audit Environment
We have conducted IS Audit at the IT department of ABC in a simulated environment using a
Windows 7 Computer connected to Server with SCO UNIX as Operating System and Oracle as
RDBMS using latest version of FALPS with copy of data of Bangalore Branch (up to 31st March
2019). We have also visited and reviewed operations at two branches at Mangalore and Hassan.
Audit Reports
We issued a draft report outlining our issues and recommendations and obtained feedback from
the IT Department. Further, a meeting was held with IT department represented by Mr. Sam,
AGM (IT) and Mr. Ram, AGM (Finance and Accounts) where the issues and recommendations
were discussed in detail. The IT Department has been very proactive in incorporating our
suggestions. The issues rectified so far are given separately in Annexure-3 for the purpose of
record. The report incorporates all the issues, which have been agreed and confirmed. This IS
Audit report includes the following annexures and has to be read in its totality:
1. Summary of Findings: Outlines all key issues with exposures
2. Specific Issues and recommendations: Issues which need to be implemented
162
3. Issues identified which have been rectified by IT deptt and the issues rectified as on date
4. Logical access control Review of Unix: Access Controls issues of Unix
5. Logical access control Review of Oracle: Access Control issues of Oracle
6. Review of Financial data using SQL: Highlighting data integrity issues in existing data
Overall Conclusions
Based on our review, our overall conclusions on specific areas are as follows:
Security and Access Controls
Our review of security and access controls at the IT Environment as reviewed by us and as
implemented in ABC using Unix, Oracle and FALPS confirms that appropriate security and
access controls have been implemented by using related functions and features of the
packages. Our test checks have revealed that systems of security and controls are reliable.
However, there are some areas where controls need to be strengthened and these are given in
annexure.
Business Process Controls
Our review of business process validations and data integrity controls covering all the core
functions of ABC as facilitated by FALPS such as interest computation, allocation and aging,
confirms that all related data have been duly captured, processed and stored correctly and
completely subject to some transaction data not available pertaining to previous years.
However, there are also missing data in master tables which impact the MIS and statements of
accounts. This may also lead to inconsistencies in data and is a major concern area. The issues,
which have come to our notice during the process of our review, are highlighted in annexure.
Further Action
We consider that the recommendations given in annexure to this report would be very useful for
facilitating business process controls of ABC and will aid in improving the effectiveness of
FALPS package and computer operations. We would like to affirm that the matters included in
this report are those which came to our notice during our review by following normal Information
System audit procedures by complying with globally applicable Information Systems Auditing
Standards, Guidelines and Procedures that apply specifically to Information Systems Auditing
issued by ISACA, USA and Security and Control Practices as outlined in COBIT 5 also issued
by ISACA as applied to ABC operations for review of Application software and implementation.
Further, on account of limitations of scope and time, we have used sample test and test check
approach. Hence, certain areas, which are outside the scope of this review such as source code
review, implementation controls and general controls specific to branches are not covered.
163
Appendix 6
Questionnaire for the IS Auditor to Prepare
Himself for Providing Assurance services in
E-Commerce
1. How many (approximately) of the businesses you audit will be electronic in that there is
no paper, or other non-electronic forms of audit trail available?
2. In general, as an auditor, what special steps or approach would you take when auditing
a business that is engaged in eCommerce compared with a comparable business not
engaged in electronic commerce?
3. Which national or international standards or pronouncements would you use or are using
in undertaking an audit of a business engaged in electronic commerce?
4. To what extent would you want that records and audit trails of eCommerce transactions
be maintained and in what form?
5. How would you assure the management that records, and audit trails are being properly
created?
6. To what extent would you recommend that records and audit trails of eCommerce
transactions be maintained over time?
7. To what extent do you foresee that records and audit trails of eCommerce transactions
will be combined with other transactions or otherwise consolidated, so that the
transactional trail is not lost?
8. How do you satisfy yourself that records and audit trails of eCommerce transactions have
not been altered?
9. How would you test the above – through review of system controls or substantive testing?
10. If you find that that records and audit trails of eCommerce transactions are inaccessible
either through being stored remotely, or through the effects of data security mechanisms,
or otherwise, how would you, as auditors, audit the same?
11. What are the minimum types of records that must be archived, by the business entity,
which will allow both external financial or statutory auditors to perform their functions? On
what basis do you expect these records to be maintained? In what form do you want
these records - Digital or manual?
12. How would you address the following issues and problems you could be facing in practice
when carrying out audits of businesses engaged in eCommerce?
 Accessing initial transaction data

 Processing of the transaction by accounting systems
 Identifying suitable sources of confirmation
 Determining the system processing “rules”
 Storage and retrieval of the eCommerce records, and
 Forming an opinion as to the timeliness, completeness and accuracy of the
Transaction data.
13. How many of your present clients do you perceive could be engaged in electronic
commerce?
14. What specific approaches, solutions, methods, procedures or techniques do you need to
develop to assist in the auditing of businesses engaged in electronic commerce?
15. What approaches, solutions, etc. do you anticipate might help you in the future when
auditing businesses engaged in electronic commerce?
16. In what way would the solutions, methods, etc. you devised for auditing non-eCommerce
clients differ from auditing the eCommerce Clients?
17. Do you think there are differences in business-to-business eCommerce compared with
business-to-consumer eCommerce that would warrant different audit considerations and
if so, what are the considerations?
165
Appendix 7
Specimen Report Format
Sr # Reported Area Recommendations Management
Comments
4.0 AUDIT AREA– Asset Management
4.1 Improper Asset Management .
 Fixed asset register does not reflect the clear ownership of
the asset. Asset register
 Many assets were not having tags as required by Asset should reflect the
Name
Tagging Policy. ownership and
tagging should be Desig
Root Technol Proce Peo Othe as per policy. nation
Cause ogy ss ple rs Timeli
nes
 Non-Compliance to security policy PO Yes No
support
Risk Very High Mediu Low Negligi
require
High m ble
d for
Reason for  Risk of Theft/Misuse resoluti
rating  Risk of system crash due to temperature on
and
 humidity
5.0 AUDIT AREA- Physical and Environmental Controls
5.1 Weak Controls on Laptop checking
 On 6/08/2019, it was observed that at M office, Laptops are
not being checked while leaving the office. Visitors’ laptops
 The access control system at the entire 1st Floor at K office should be checked
Name
is not operational. while entering and
leaving the office. Designa
Tech Proc Peo Othe tion
Access control
Root nolo ess ple rs system should be Time
Cause gy made operational. lines
 Non-Compliance to security policy
Very High Mediu Low Negligi PO Yes No
Risk suppo
High m ble
rt
Reason  Risk of Theft/Misuse requir
for rating ed for
resolu
tion
5.2
Monitoring not done for preventive maintenance of AC
Preventive
The preventive maintenance of air conditioning at K office for
maintenance
data centre is not being monitored at all. The Admin deptt. is not
schedule should be
having even copy of preventive maintenance schedule, a pre-
maintained and
requisite for monitoring and compliance, as agreed between Nam
monitored.
Bharti and Nu Tech Engineers e
Root Technol Proce Peop Others Desi
PO Ye No
Cause ogy ss le gnati
sup s
on
 Non-Compliance to security policy port
req Timel
Risk Very High Mediu Low Neglig
uire ines
High m ible
d
Reason Risk of system crash due to temperature for
for and humidity res
rating oluti
on
6.0 AUDIT AREA- Communications and Operations
Management.
6.1 Weak Backup Controls
 The B Backup and Recovery Management version 2.2 is Backup schedule
dated 13/8/2015, with no date of revision should be suitably
 Backup schedules are not drafted so as to give clear amended to provide
Name
direction for storage of backups. clear directions for
backup storage as Designa
 In case of all the servers, except M-KL (10.0.0.0), monthly
per policy. tion
back-up was not kept on-site.
 Offsite backup is not kept in fire proof cabinet. Timelin
 The prescribed format, FM Backup & Recovery Request Offsite backups es
Form, is not being used. should be stored in
fireproof cabinet.
 In case of server (10.0.0.0.), monthly backup is required to
be kept for 7 years. As explained to us, immediate six
months’ data should be kept onsite and rest offsite. PO Yes No
However, it was noticed that some tapes of 2016 and 2017 suppo
were also kept on-site. rt
requir
Tech Proc Peo Others ed for
nolog ess ple resolu
Root y tion
Cause
 Lack of clear directions in back up
schedule and non adherence of policy.
Risk Very High Mediu Low Negligible
High m
167
Reason  Delay in restoration in case of need

for  Offsite backups are at risk.
rating
6.2 Improper Media Management
 Media Dispatch/ Receive Form is not being used for Media should be Name
movement of blank media. managed as per
Designation
 The Inventory Records are not being maintained defined process.
properly. Receipt of media is not being recorded. Timelines
 Annual Media Inventory Reconciliation is not being taken PO Yes No

care, since the Inventory Records were started to suppo
maintain from 7/11/2006 rt
requir
Technolog Proces Peopl Other ed for
Root Cause y s e s resolu
 Non adherence to process. tion
High Mediu Low

Risk
m
Reason for  Delay in restoration in case of need

rating
7.3 Unwanted files on the Servers
 It was observed that file deletion on the server is not All files that are not Name
followed after any activity as unwanted and unspecified required on the
Design
files were found on the server and also in the recycle bin. server should be
ation
 Logs from the months of April, May, June, July and August completely deleted
were found on the Syslog server. G says that logs older from the server. Timelin
than 60 days should be deleted from the servers. es
PO Yes No
Techn Pro Peo suppo
ology ces ple rt
Root s Others requir
Cause ed for
 Lack of security
resolu
 Non-Compliance with security Policy tion
Risk High Medium Low
Reason  These files may contain sensitive

for open information and dangerous executables.
Rating  Performance of the server is impaired.
7.4 Improper Content Filtering for WEB
Internet content filtering is done on the squid proxy and no Consider applying a
dedicated program is used to do this such as (Websense or dedicated program
168
IWSS). Using only the squid proxy for the filtering is not a strong for the Internet Name
measure to do the web filtering. content filtering to
Designa
Database for the web content filtering is not strong enough to reduce the
tion
catch all the websites on the Internet. vulnerabilities and
malicious attacks Timelin
from Internet. es
Tec Pro Peo Oth
hnol ces ple ers
Root Cause ogy s PO Yes No
suppo
 Lack of security focus
rt
High Medi Low requir
Risk
um ed for
resolu
Reason for  It is a Gateway for vulnerabilities
tion
Rating
169
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
ISA (Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 2
Governance and Management of Enterprise
Information Technology, Risk Management,
Module - 2
Compliance & BCM Section
Tel (Direct): +91 120 3045992/961
New Delhi
Background Material
on
Module-2 :
Governance and Management of Enterprise Information
Technology, Risk Management, Compliance & BCM Section

New Delhi
DISCLAIMER
ISBN : 978-81-8441-995-5


Foreword
technological changes, it is imperative for Information System Auditors to adapt, be innovative in
aiding organizations to improve its control environment and strengthen governance of IT risks.
value added analysis in the form of data analysis and business intelligence. Chartered Accountants
possess unique blend of systems and process understanding and expertise in controls and
governance, thereby best suited to be the perfect Information Systems Auditor.
initiatives to disseminate updated knowledge amongst our members and other stakeholders. In this
direction, it is heartening to note that the DAAB is bringing out next version of “Educational
Material combines technology, information assurance and information management expertise that
enable Chartered Accountants to be an advisor and handling assurance assignments.
Robotics Process Automation, etc., have also been introduced to keep members fully abreast. With
focus on increased practical aspects, case studies and lab manuals at appropriate places this
material is a great learning guide for members aspiring to be Information Systems Auditor.
members of the Digital Accounting and Assurance Board for generation next material in digital era
by taking up this timely initiative.
I am confident that our members would take benefit of these updated modules of post qualification
course on Information Systems Audit, so as to render their professional responsibility as
Information System Auditor more efficiently and highest standards to achieve global recognition.

President, ICAI
Place: New Delhi
iv
Preface
Evolution of digital economy and ever changing dynamic ecosystem presents significant
challenges, including new competition, new business and service delivery models, unprecedented
transparency, privacy concerns and cyber threats. With a goal to keep members abreast of impact
of emerging technologies, Digital Accounting and Assurance Board has come out with the updated
Post Qualification Course on Information Systems Audit Modules to equip members with
specialised body of knowledge and skill sets so that they become Information Systems Auditors
(ISAs) who are technologically adept and are able to utilize and leverage technology to provide
reasonable assurance that an organization safeguards it data processing assets, maintains data
integrity and achieves system effectiveness and efficiency. This updated syllabus facilitates high
level understanding about the role and competence of an IS Auditor to analyse, review, evaluate
and provide recommendations on identified control weaknesses in diverse areas of information
systems deployment.
Revised Modules of Post Qualification Course on Information Systems Audit has specific objective,
i.e., “To provide relevant practical knowledge and develop skills for planning and performing
various types of assurance or consulting assignments in the areas of Governance, Risk
management, Security, Controls and Compliance of Information Systems.” The core of DISA 3.0
lies in inculcating competence to add to service delivery of the members. The updated course
would help the members to apply appropriate strategy, approach, methodology and techniques for
auditing information system and perform IS Assurance and consulting assignments by using
relevant best practices, IS Audit standards, frameworks, guidelines and procedures.
The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies and
lab manuals, project work in addition to class room lectures. This updated background material
also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO CAAT software,
useful checklists and sample audit reports. New Module on “Emerging Technology and Audit” has
been added which covers Information System Assurance and Data Analytics, Assurance in Block
chain Ecosystem, and Embracing Robotic Process Automation in Assurance Services. In addition
to this Artificial Intelligence and Internet of Things (IoT) has also been inducted in the new
modules.
We would like to take this opportunity to place on record our deep appreciation for the efforts put in
by Convener, Dr. Onkar Nath as well as authors and reviewers of the various modules, viz., CA
Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale, CA Pranay
Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh Maheshwari, CA
3.0.
Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to the
initiatives of the Board. We would also like to place on record our gratitude for all the Board
support in this initiative of the Board. We also wish to express my sincere appreciation for CA. Amit
Gupta, Secretary, DAAB, Ms. Nishi Saraf, Section Officer for their untiring efforts in finalization of
the updated Modules.
Audit would be of immense help to the members and enable them to enhance service delivery not
only in compliance, consulting and assurance of IT services, but also provide new professional
avenues in the areas of IT Governance, Cyber Security, Information System Control and
assurance services.

vi
Contents
Chapter 1: Concepts of Governance and Management of
Information Systems 1
Learning Objective: 1
1.1. Introduction 1
1.2. Key Concepts of Governance 1
1.2.1. Enterprise Governance 2
1.2.2. Conformance or Corporate Governance Dimension 2
1.2.3. Performance or Business Governance Dimension 3
1.2.4. Enterprise Governance Framework 3
1.2.5. Corporate Governance 4
1.2.6. Need for Corporate Governance 5
1.3. Corporate Governance and Regulatory Requirements 6
1.4. Enterprise Governance of Information and Technology (EGIT) 7
1.4.1. Implementing EGIT 8
1.5. Enterprise Risk Management 12
1.5.1. Governance Objectives 12
1.5.2. Internal Controls 13
1.6. Summary 15
1.7. Questions 15
1.8. Answers and Explanations 17
Chapter 2: GRC Frameworks and Risk Management Practices 19

Learning Objective 19
2.1. Introduction 19
2.2. 2.2 GRC Frameworks (including COBIT 2019, ISO 27001, ISO 31000) 20
2.2.1. COBIT 2019 20
2.2.2. ISO 27001 23
2.2.3. ISO 31000 24
2.2.4. ISO 38500:2015 25
2.3. Enterprise Risk Management 26
2.3.1. Risk Management 26
2.3.2. Risk Management in COBIT 2019 27
2.3.3. Risk Factors 29
2.3.4. Categories of Risks 29
2.3.5. Elements of Risk Management 30
2.3.6. Developing Strategies for Information Risk Management 30
2.4. Risk Management Process 31
2.4.1. Risk Identification 31
2.4.2. Risk Evaluation 35
2.4.3. Determine Likelihood of Risk 35
2.4.4. Risk Prioritization 35
2.4.5. Risk Response 36
2.4.6. Risk Monitoring 38
2.5. IS Risks and Risk Management 38
2.6. Compliance in Cobit 2019 39
2.6.1. Key Management Practices of IT Compliance 39
2.6.2. Key Metrics for Assessing Compliance Process 39
2.7. Information Technology Act 2000 40
2.8. General Data Protection Regulation (GDPR) 42
2.9. The Personal Data Protection Bill, 2019 42
2.10. Summary 44
2.11. Questions 44
2.13. Downloads 46
Chapter 3: Key Components of A Governance System 47

Learning Objectives 47
3.2. COBIT 2019 Governance System Principles 48
3.3. Components of the Governance System as per COBIT 2019 50
3.3.1. Principles, Policies, Procedures 51
3.3.2. Processes 52
3.3.3. Organizational Structures 52
3.3.4. Culture, Ethics and Behavior 56
3.3.5. Information 57
3.3.6. Services, Infrastructure and Applications 58
3.3.7. People, Skills and Competencies 59
3.4. Designing a Tailored Governance System of COBIT 2019 59
viii
3.5. Stakeholders in Implementing EGIT 60
3.6. Using systematic Approach for Implementing EGIT 60
3.6.1. Phase 1: Establish the Desire to Change 61
3.6.2. Phase 2: Form an Effective Implementation Team 61
3.6.3. Phase 3: Communicate Desired Vision 62
3.6.4. Phase 4: Empower Role Players and Identify Quick Wins 62
3.6.5. Phase 5: Enable Aperation and Use 62
3.6.6. Phase 6: Embed New Approaches 63
3.6.7. Phase 7: Sustain 63
3.7. Implementing EGIT in Specific Areas 63
3.7.1. Strategic Alignment of IT with Business 63
3.7.2. Aligning IT Strategy with Enterprise Strategy 65
3.7.3. Value Optimization 66
3.7.4. Resource Optimization 66
3.7.5. Sourcing Processes 67
3.7.6. Outsourcing 67
3.7.7. Capacity Management & Growth Planning Processes 67
3.7.8. Capex and Opex 68
3.7.9. Role of IS Auditors 69
3.8. Summary 69
3.9. Questions 70
Chapter 4: Performance Management Systems 72

4.2. Performance Measurement 72
4.3. Performance Measurement System 73
4.4. Goal Setting 74
4.4.1. Goal Setting and Stakeholder Needs 74
4.4.2. Category of Enterprise Goal 75
4.4.3. Enterprise and Alignment Goals 76
4.5. Requirements for Measures 76
4.5.1. Performance Measurement Processes / Indicators 77
4.5.2. Examples of Performance Measures 77
ix
4.5.3. Measures Defined 78
4.6. Balanced Scorecard (BSC) 78
4.6.1. BSC Perspectives 79
4.7. Strategic Scorecard 81
4.8. Summary 83
4.9. Questions 83
Chapter 5: Business Continuity Management 87

5.2. Definitions of Key Terms 87
5.3. Key Concepts of Disaster Recovery, Business Continuity Plan and Business
Continuity Management 89
5.3.1. Contingency Plan 89
5.3.2. Components of Contingency Planning 89
5.3.3. Business Continuity Plan vs. Disaster Recovery Plan 90
5.3.4. Business Continuity Management 90
5.4. Objectives of BCP and BCM 91
5.4.1. Objectives of Business Continuity Plan 91
5.4.2. Objectives of Business Continuity Management (BCM) 92
5.5. Various Types of Disaster 94
5.6. Phases of Disaster 95
5.7. Examples of Disaster 96
5.8. Impact of Disaster 96
5.9. Invoking a DR Phase / BCP Phase 97
5.9.1. Operating Teams of Contingency Planning 97
5.10. Disaster Recovery Plan (DRP) Scope and Objectives 98
5.11. Disaster Recovery Phases 98
5.12. Key Disaster Recovery Activities 99
5.12.1. DRP 100
5.12.2. Disaster Recovery Team 100
5.13. Documentation: BCP Manual and BCM Policy 107
5.13.1. BCM Policy 108
5.13.2. BCP Manual 108
5.14. Data backup, Retention and Restoration Practices 111
x
5.14.1. Back up Strategies 111
5.14.2. Types of Backup 111
5.14.3. Recovery Strategies 112
5.14.4. Strategies for Networked Systems 112
5.14.5. Strategies for Distributed Systems 114
5.14.6. Strategies for Data Communications 114
5.14.7. Strategies for Voice Communications 115
5.15. Types of Recovery and Alternative Sites 115
5.15.1. Mirror Site/ Active Recovery Site 116
5.15.2. Offsite Data Protection 117
5.16. System Resiliency Tools and Techniques 118
5.16.1. Fault Tolerance 118
5.16.2. Redundant Array of Inexpensive Disks (RAID) 119
5.17. Testing of BCP 119
5.18. BCP Audit and Regulatory Requirements 121
5.18.1. Role of IS Auditor in BCP Audit 121
5.18.2. Regulatory Requirements 121
5.18.3. Regulatory Compliances of BCP 121
5.19. ISO 22301:2019 122
5.20. ISO 27031:2011 123
5.21. Services that can be Provided by an IS Auditor in BCM 123
5.22. Summary 124
5.23. Questions 125
5.24. Answers and Explanations Error! Bookmark not defined.
Appendix 1: Checklist and Control Matrix 129
Appendix 2: Sample of BCP Audit Finding 134
xi
xii
Chapter 1
Concepts of Governance and Management of
Information Systems
Learning Objective
Evaluate structures, policies, procedures, practices, accountability mechanisms and
performance measures for ensuring Governance and management of Information Technology,
risk management and compliance as per internal and external stakeholder requirements.
1.1 Introduction
The need for governance and management of information systems can be assessed from the
simple fact that today technology is all pervasive. Organizations are so dependent on
Technology that its failure will bring all key operations to a complete halt. On the positive side,
technology facilitates organizations to offer products or services to anyone across the globe.
The fundamental principle in the current business environment is to use technology to enable
users to access information anytime, anywhere, anyhow by anyone. The objective is to
provide information access to all stakeholders online with real-time access and update. This is
done using enabling technology such as the network, Internet, hardware, operating system
software, database, applications and browser. Modern Technology is empowered by the cloud
and internet access through wireless broadband. Technology is only an enabler but the
backbone for this has to be robust systems and processes for the information systems. Hence,
it is critical to ensure that organizations embed Governance and management processes and
other enablers in the technology deployed. This will ensure that various stakeholder
requirements are met and the management at all levels are able to use technology to perform
their responsibilities. It is important to comply with the requirements of corporate governance
or enterprise governance by implementing Governance of Enterprise IT, enterprise risk
management using appropriate risk management strategy and internal control systems. This
chapter outlines these concepts and provides overview of how to implement EGIT
1.2 Key Concepts of Governance

Enterprises whether they are commercial or non-commercial, exist to deliver value to their
stakeholders. Delivering value is achieved by operating within value and risk parameters that
are acceptable and advantageous, and by using resources including IT responsibly. In the
rapidly changing environment that most enterprises operate in, swift direction setting and
agility to change are essential. Senior management is responsible for ensuring that the right
structure of decision-making accountabilities is shared among many people in the enterprise
and when accountability is shared, governance comes into play. Governance is “the
combination of processes and structures implemented by the board to inform, direct, manage,
and monitor the activities of the organization toward the achievement of its objectives.”
Governance should be in place to ensure IT supports the strategies and objectives of the
organization. The relationship of enterprise Governance and Corporate Governance with IT
governance (EGIT is depicted below)
Figure 1.1: Relationship of types of Governance
1.2.1 Enterprise Governance

ISO/IEC 38500 defined Governance as: “The system by which organisations are directed and
controlled”. A governance system typically refers to all the means and mechanisms that will
enable multiple stakeholders in an enterprise to have an organized mechanism for evaluating
options, setting direction and monitoring compliance and performance, in order to satisfy
specific enterprise objectives. Enterprise governance can be defined as: ‘The set of
responsibilities and practices exercised by the board and executive management with the goal
of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks
are managed appropriately and verifying that the organization’s resources are used
responsibly.’ Enterprise governance is an overarching framework into which many tools and
techniques and codes of best practice can fit. Examples include codes on corporate
governance and financial reporting standards.
The key message of enterprise governance is that an organisation must balance the two
dimensions of conformance and performance needs to ensure long-term compliance and
success. This requires that governance is ideally implemented with the right balance of
conformance and performance dimensions. These two dimensions are briefly outlined here.
1.2.2 Conformance or Corporate Governance Dimension

The conformance dimension of governance provides a historic view and focuses on regulatory
requirements. This covers corporate governance issues such as: roles of the chairman and
2
Concepts of Governance and Management of Information Systems
CEO, role and composition of the board of directors, Board committees, Controls assurance
and Risk management for compliance. Regulatory requirements and standards generally
address this dimension with compliance being subject to assurance and/or audit. There are
established oversight mechanisms for the board to ensure that good corporate governance
processes are effective. These might include committees composed mainly or wholly of
independent non-executive directors, particularly the audit committee or its equivalent in
countries where the two-tier board system is the norm. Other committees are usually the
nominations committee and the remuneration committee. The Sarbanes Oxley Act of US is an
example of providing for such compliances from conformance perspective.
1.2.3 Performance or Business Governance Dimension

The performance dimension of governance is pro-active in its approach. It is business oriented
and takes a forward-looking view. This dimension focuses on strategy and value creation with
the objective of helping the board to make strategic decisions, understand its risk appetite and
key performance drivers. This dimension does not lend itself easily to a regime of standards
and assurance as this is specific to enterprise goals and varies based on the mechanism to
achieve them. It is advisable to develop appropriate best practices, tools and techniques such
as balanced scorecards and strategic enterprise systems that can be applied intelligently for
different types of enterprises as required. The conformance dimension is monitored by the
audit committee. However, the performance dimension in terms of the overall strategy is the
responsibility of the full board but there is no dedicated oversight mechanism as comparable
to the audit committee. Remuneration and financial reporting are scrutinized by a specialist
board committee of independent non-executive directors and referred back to the full board. In
contrast, the critical area of strategy does not get the same dedicated attention. There is thus
an oversight gap in respect of strategy. One of the ways of dealing with these lacunae is to
establish a strategy committee of similar status to the other board committees which will report
to the board. The performance dimension in terms of how to implement performance
management system is covered in more detail in chapter 4 of this module.
1.2.4 Enterprise Governance Framework

Enterprise governance in general is broader and encapsulates corporate governance,
performance management, internal control and enterprise risk management. In implementing
controls, it is important to adapt a holistic and comprehensive approach. Hence, ideally it
should consider the overall business objectives, processes, organization structure, technology
deployed and the risk appetite. Based on this, overall risk management strategy has to be
adapted, which should be designed and promoted by the top management and implemented
at all levels of enterprise operations as required in an integrated manner. The objective of
implementing enterprise governance is to ensure that the governance objectives of benefits
realisation, risk optimisation and resource optimisation are achieved considering the
stakeholder needs and which leads to value creation for the enterprise. This is depicted in the
figure 1.3 given here.
3
Figure 1.2: IT Governance framework and Drivers
1.2.5 Corporate Governance

Corporate governance refers to the structures and processes for the direction and control of
companies. Corporate governance is defined as the system by which a company or enterprise
is directed and controlled to achieve the objective of increasing shareholder value by
enhancing economic performance. Corporate governance concerns the relationships among
the management, Board of Directors, the controlling shareholders and other stakeholders.
Good corporate governance contributes to sustainable economic development by enhancing
the performance of companies and increasing their access to outside capital. It is about doing
good business by ensuring compliance and protecting shareholders’ interest.
Good corporate governance requires sound internal control practices such as segregation of
incompatible functions, elimination of conflict of interest, establishment of audit committee, risk
management and compliance with the relevant laws and standards including corporate
disclosure requirements. These are intended to guide companies to achieve their business
objectives in a manner such that those who are entrusted with the resources or power to run
the companies to meet stakeholder needs without compromising the shareholders’ interest.
Legally, the directors of a company are accountable to the shareholders for their actions in
directing and controlling the business, and for the actions of the company’s employees, who
are in the position of trust to discharge their responsibilities in the best interest of the
company. Corporate governance is thus necessary for the purpose of monitoring and
measuring their performance and is mandated by regulations across the world and across
various industries.
4
Figure 1.3: Corporate Governance Participants
1.2.6 Need for Corporate Governance

Although Governance is not new for enterprises, a spate of frauds in the corporate sector
involving large enterprises across the world including India in the last two decades have
awakened regulators to the need for mandating the implementation of corporate governance
integrated with Enterprise Risk Management and Internal controls. The concept of Corporate
Governance has succeeded in attracting a great deal of public interest because of its
importance for the economic health of companies, protecting the interest of stakeholders
including investors and the welfare of society, in general.
Corporate Governance has been defined as the system by which business corporations are
directed and controlled. The corporate governance structure specifies the distribution of rights
and responsibilities among different participants in the corporation, such as, the Board,
management, shareholders and other stakeholders, and spells out the rules and procedures
for making decisions on corporate affairs. The requirements for corporate governance are built
on the principles of governance and encompass all levels of management including specific
responsibility of board and senior management. Corporate Governance is focused on
protecting the interests of various stakeholders and is compliance oriented. Although the
terms corporate governance and enterprise governance are quite often used inter-changeably,
it can be said that corporate governance is applying the principles of enterprise governance to
corporate structure of enterprises. Some of the key concepts of corporate governance are:
5
 Clear assignment of responsibilities and decision-making authorities, incorporating a

hierarchy of required approvals from individual employees to the board of directors;
 Establishment of a mechanism for the interaction and cooperation among the board of
directors, senior management and the auditors;
 Implementing strong internal control systems, including internal and external audit
functions, risk management functions independent of business lines, and other checks
and balances;
 Special monitoring of risk exposures where conflicts of interest are likely to be
particularly great, including business relationships with borrowers affiliated with the
bank, large shareholders, senior management, or key decision-makers within the firm
(e.g. vendors);
 Financial and managerial incentives to act in an appropriate manner offered to senior
management, business line management and employees in the form of compensation,
promotion and other recognition; and
 Appropriate information flows internally and to the public. For ensuring good corporate
governance, the importance of overseeing the various aspects of the corporate
functioning needs to be properly understood, appreciated and implemented.
1.3 Corporate Governance and Regulatory Requirements

Corporate governance in India is evolving, primarily due to regulatory requirements, but also,
to some extent, due to each enterprise’s specific needs and context. The objectives of
corporate governance are fulfilled by setting up an appropriate structure and functioning
mechanisms for the board of directors and audit committees, as laid down by the Companies
Act, 2013.It is critical for each enterprise to establish its own specific governance system
based on its own specific constraints and business culture.
The Companies Act, 2013 outlines the need for mandatory Internal Audit and reporting on
Internal Financial Controls [sections 138]. The Act requires certain new aspects which need to
be covered in an auditors’ report which include: “whether the company has adequate internal
financial controls system in place and the operating effectiveness of such controls [section
143(3) (i) of the 2013 Act]. The Board of Directors are responsible for governance of their
companies. SEBI introduced a mandatory audit to ensure that this is maintained as per its
norms by all listed companies as part of corporate governance.
Further, the Act deals extensively on the issue of fraud (section 447) and has for the first-time
defined fraud. The new regulations make it more imperative for management to implement a
system of governance integrated with risk management and internal control systems. As IT is
a key enabler of enterprise processes, risk management and controls has to consider
technology and hence the need for implementing a holistic approach of Enterprise
6
Governance of Information and Technology (EGIT) using global best practices and
frameworks.
The Information Technology Act amended in 2008 introduced new provisions which are
specifically applicable to corporates, provisions relating to maintaining privacy of information
and imposed compliance requirements on management with penalties for non-compliance.
These requirements have to be considered as part of compliance by corporates and
individuals as applicable.
In the US, The Sarbanes Oxley Act (SOX) focuses on the implementation and review of
internal controls as relating to financial audit. It highlights the importance of evaluating the
risks, security and controls as related to financial statements. In an IT environment, it is
important to understand whether the relevant IT controls are implemented in the relevant
computerised information systems. The overall reliability of these controls would be dependent
on the overall risk management strategy, risk appetite of the management, use of best
practices and various other enablers.
Corporates across the world for SOX compliance have used COBIT 2019
(www.isaca.org/COBIT 2019) as the primary framework and best practices for implementing
governance, risk management and internal controls. COBIT 2019 is a comprehensive
framework for the governance and management of enterprise I&T, comprising five domains,
40Governance and Management objectives and over 200 management practices and activities
divided into governance and management managed processes. Cobit 2019 has been
discussed in detail in subsequent chapters of this module.
Good corporate governance is vital for all types of enterprises big or small in view of the
benefits which accrues due to its implementation. Governance helps in ensuring that control
failures are mitigated appropriately. However, good corporate governance on its own cannot
make an organisation successful. There is a danger that insufficient attention is paid to the
need for organisations to create wealth or stakeholder value. Strategy and performance are
also important.
1.4 Enterprise Governance of Information and Technology

(EGIT)
Enterprise Governance of Information and Technology is a sub-set of corporate governance
and facilitates implementation of a framework of IS controls within an enterprise as relevant
and encompassing all key areas. The primary objectives of EGIT are to analyse and articulate
the requirements for the governance of enterprise IT, establish and maintain effective enabling
structures, principles, processes and practices, with clarity of responsibilities and authority to
achieve the enterprise's mission, goals and objectives. The key benefits of using EGIT is that
it provides a consistent approach integrated and aligned with the enterprise governance
approach. It ensures that IT-related decisions are made in line with the enterprise's strategies
7
and objectives and the IT-related processes are overseen effectively and transparently.
Implementing a EGIT framework helps in better compliance with legal and regulatory
requirements and ensures that the governance requirements for board members are met. A
few decades back, IT was one of the wagons but now IT is the engine propelling enterprise
growth. IT interfaces all aspects of the enterprise and not just transaction processing. It can be
said that IT has become inseparable from the business. Hence, in a modern enterprise, IT has
moved from being a mere service provider to a strategic partner which helps enterprises in
achieving both competitive and strategic advantage. Considering this huge dependence on IT
and the fact that internal controls are embedded in IT and effective risk management can be
achieved by using IT, implementing Governance of Enterprise IT has become imperative for a
modern enterprise. Regulatory agencies, professional bodies and associates issue guidelines
on use of generic and specific best practices. For example, the Reserve Bank of India issues
guidelines covering various aspects of secure technology deployment. These guidelines are
prepared based on various global best practices such as COBIT 2019 and ISO 27001. The
Information technology Rules, 2011 outlines the need for maintaining secrecy of personal and
sensitive information and identifies ISO 27001 as “Reasonable Security Practices and
Procedures” for implementing best practices.
1.4.1 Implementing EGIT

Enterprise Governance of Information and Technology is built on the principles of Governance
but applied to IT. Hence, implementing EGIT in organizations requires understanding concepts
of Governance, IT deployment and how IT can be used to implement Governance. EGIT is a
blend of these concepts. Implementing EGIT requires establishing the right structures with
defined roles and responsibilities, implementing relevant processes using best practices as
required and establishing the relational mechanisms by active participation of relevant
stakeholders as required in a collaborative effort to achieve enterprise goals.
The improvement of governance of enterprise IT is increasingly recognized by top
management as an essential part of enterprise governance. Effective EGIT will result in
improved business performance as well as compliance to external requirements, yet
successful implementation remains elusive for many enterprises. Effective EGIT requires a
range of enablers with carefully prescribed roles, responsibilities and accountabilities that fit
the style and operational norms specific to the enterprise. Implementing EGIT from
conformance (corporate) perspective would require viewing the enterprise at macro level and
consider not only the business but also the external linkages. In case of performance
(business) the enterprise has to be viewed at internal level and the focus on the processes
and activities within the enterprise.
The key areas of focus in implementing EGIT are summarized in the table here.
Table 1.1: Implementing Governance from Conformance or performance perspective
8
Area Conformance (Corporate) Performance (Business)

Scope  Board Structure, Roles  Strategic decision making and
and Remuneration value creation
Addressed via  Standards and Codes  Best practices, tools and
techniques
Auditability  Can be audited for  Not easily auditable
compliances
Oversight  Audit Committee  Balance score cards
Mechanism
The COBIT 2019 framework can be used for implementing EGIT from any/both the above
perspectives. The seven key components of EGIT which are required for effective
implementation are described in further chapter. Overall, EGIT requires structures, processes
and relational mechanisms.
The components and relationship of IT Governance framework are outlined in figure given
below.
Figure 1.4: Components of Governance Framework

The structures involve the organization, and location of the IT function, the existence of clearly
defined roles and responsibilities and a diversity of IT/ business committees. The processes
refer to strategic decision making, strategic information systems planning (SISP) and
monitoring, control, and process frameworks. The relational mechanisms finally complete the
governance framework and are critical for attaining and sustaining business-IT alignment,
even when the appropriate structures and processes are in place. These mechanisms include
business/IT participation, strategic dialogue, training, shared learning, and proper
9
communication. COBIT 2019 which is the business framework for implementing EGIT can be
used by enterprises of all sizes and types and regardless of technology deployment.
1.4.1.1 Guidelines for Implementing EGIT
The primary objective of implementing EGIT is to ensure IT delivers value to the business and
helps in mitigation of IT-related risk. This is enabled by the availability and management of
adequate resources and the measurement of performance to monitor progress towards the
desired goals. The COBIT 2019 implementation guide provides a systematic approach with
defines phases and specific roles and responsibilities for implementing EGIT. This approach
can be customized and used by any organization regardless of size, nature of business, sector
or technology used.
1.4.1.2 Systemic Approach to Implementing EGIT
Research studies have established that effective implementation of EGIT maximizes the
contribution made by IT to organizational success. There can be multiple approaches to
implementing EGIT as this varies with the needs of the enterprise and the specific framework
used. It is advisable to adapt a systematic and well-proven approach as outlined in some of
the best practices and frameworks. IT solution providers and regulators also provide their own
approaches for implementing EGIT. It is important to remember that the focus should be first
on implementing the systems and processes first and then automating rather than expecting
that automation will implement systems and processes as required. As explained earlier,
frameworks such as COBIT 2019 also provide a systematic approach for implementing the
relevant frameworks. The technology and business frameworks can be easily integrated under
these frameworks. We are giving below some general guidelines on implementing EGIT which
can be adapted as required.
1. Aligning IT Goals with Business Goals
Achieving better governance starts with the business, and more specifically with
understanding its strategy and goals. IT management should be involved early in the business
strategy definition process, especially in those companies that are highly dependent on IT.
The IT goals should be aligned to the business goals. The IT strategy should be an IT
blueprint of the business strategy plan. The IT goals set out in the IT strategy plan should
clearly support the achievement of one or more business goals. It is the responsibility of the
board and senior management to ensure that the IT strategy is aligned with the business
strategy. This could be achieved through:
 Clear business goals, communicated to the entire organisation
 Early involvement of IT in business strategy process
 Align IT goals to business goals
 Derive IT strategy from business strategy
2. Formalise and Implement Right IT Governance Processes
10
After aligning the IT goals with the business goals, it is important to implement required set of
efficient and effective IT governance and management processes. Using best practices such
as COBIT 2019 will facilitate such implementation. It is important to select the most critical
process based on business priorities, assign process owners, develop metrics and monitor the
achievement of process as per set objectives.
3. Establish Required IT Organisation and Decision Structure
Effective Governance of enterprise IT is determined by the way the IT department is organised
and where the IT decision-making authority is located within the organisation. The
responsibility for governance rests with the board of directors as they are responsible for
evaluating, directing and monitoring the governance processes as per stakeholder
requirements. They have to establish the right management structure with the C suite to
ensure there is proper collaboration between business and IT department.
4. Involve Board of Directors/Executive Management in IT Related Matters
Governance initiatives may be initiated by IT or internal auditors but the overall responsibility
vests with the board who assign specific responsibility to senior management from both
business and IT. The executive management has to be aware and actively participating in the
existing governance activities. IT topics and decisions should regularly appear and be
discussed in executive committees or on-board level, especially in organisations where IT
plays a crucial role in keeping the business running. Even when the CIO is not a part of the
executive committees, he should be represented by another executive member or he/she
could be invited whenever an IT related topic is handled.
5. Govern and Manage Roles and Responsibilities
The board should ensure that governance and management structures are established
involving the organisation, the location of the IT function, the existence of clearly defined roles
and responsibilities and a diversity of IT/business committees. The organisation structure
should specify clear responsibilities defined towards the business they work for, and this
throughout all levels, including the CIO and IT management. To make sure individuals adopt
and execute upon their roles and responsibilities, a process of 'formal' evaluation and regular
process of review has to be implemented as part of performance management system.
6. Establish IT Strategy and IT Steering Committee
Effective committees created at the right level with clearly defined roles and responsibilities
play an important role in establishing ensuring alignment of IT with business which is key to
successful implementation of EGIT. IT strategy committee has to operate at the board level
and the IT steering committee has to operate at executive level with each committee having
specific responsibility, authority and membership. The roles and responsibilities of these two
key committees are explained in later chapter of this module.
7. Plan, Align and Manage IT Enabled Investment as a Portfolio
11
Successful implementation of EGIT requires organisation to effectively their IT enabled

investments throughout the economic life cycle of the projects using best practices of project
management as required. Clear responsibility has to be allocated between IT who would be
responsible for execution of IT enabled projects, but business has to be responsible for
analysing the anticipated benefits and making decisions.
8. Implement Performance Measurement System Integrated with Regular Process
Measuring and monitoring the different IT processes at different levels is very important to
review whether the set required service levels are met as set by the functional management.
Goals have to be set at each of the levels starting from activity to process and linked to IT
goals which are in turn linked to business goals. Metrics have to be set and monitored to
ensure implementation and corrective action has to be taken as required. The performance
management system could be integrated using the balanced scorecard technique with the
complete set of metrics which is consolidated for different levels and areas as required. This is
explained in detail in chapter 4.
9. Establish Sustainability Through Support, Monitoring and Regular Communication
IT is most important support function to business activities as most of the service now a days
are delivered through IT. Aligning business goals with IT goals requires ongoing and constant
interaction between IT and business function. There has to be effective collaboration and
interaction between business and IT. This requires a constant communication channel and
mechanism to encourage the relationship between business and IT.
1.5 Enterprise Risk Management

Enterprise risk management deals with risks and opportunities affecting value creation or
preservation and is defined by the Institute of Internal Auditors as: “Enterprise risk
management is a process, effected by an entity’s board of directors, management and other
personnel, applied in strategy setting and across the enterprise, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.” The management to
ensure that the enterprise risk management strategy considers information and its associated
risks while formulating IT security and controls as relevant. IT security and controls are a sub-
set of the overall enterprise risk management strategy and encompass all aspects of activities
and operations of the enterprise
1.5.1 Governance Objectives

It is important to identify specific governance objective in implementing EGIT. Generally, the
focus area of implementing EGIT as specified in COBIT 2019 are these are the governance
objectives:
 Benefit Realisation: Creating new value for the enterprise through I&T, maintaining
12
and increasing value derived from existing I&T investments, and eliminating IT
initiatives and assets that are not creating sufficient value for the enterprise. The
basic principles of I&T value are delivery of fit-for-purpose services and solutions on
time and within budget and generating the financial and nonfinancial benefits that
were intended. The value that I&T delivers should be aligned directly with the values
on which the business is focussed and measured in a way that transparently shows
the impacts and contribution of the I&T-enabled investments in the value creation
process of the enterprise.
 Risk Optimisation: Addressing the business risk associated with the use,
ownership, operation, involvement, influence and adoption of I&T within an
enterprise. I&T-related business risk consists of I&T-related events that could
potentially impact the business. While value delivery focuses on the creation of
value, risk management focuses on the preservation of value. The management of
I&T-related risks should be integrated within the enterprise risk management
approach to ensure a focus on IT by the enterprise and be measured in a way that
transparently shows the impacts and contribution of I&T-related business risk
optimisation in preserving value.
 Resource Optimisation: Ensuring that the right capabilities are in place to execute
the strategic plan and sufficient, appropriate and effective resources are provided.
Resource optimisation ensures that an integrated, economical IT infrastructure is
provided, new technology is introduced as required by the business, and obsolete
systems are updated or replaced. It recognises the importance of people, in addition
to hardware and software, and, therefore, focuses on providing training, promoting
retention and ensuring competence of key IT personnel.

Regulatory requirements and reasonable practices framework require internal control system
to be an integral part of enterprise risk management and governance system. Hence, it is
important to understand how internal control requirements are generally implemented through
management systems. “An effective internal control system is an essential part of the efficient
management of a company” established through the governance system. Such systems
should establish an adequate system of internal control to “support business requirements for
effective and efficiency of operations, reliability of information and compliance with laws and
regulations.” While appropriate internal control is a required outcome of sound governance
and a necessary supporting element of effective governance, it does not in itself represent
governance.
Any audit whether it is compliance or IS oriented would require understanding of internal
control system implemented within the enterprise. Internal control is an element of the
management system rather than an aspect of the governance system. Internal control must be
13
supported by effective risk management process with internal control arrangements

determined by the enterprises level of risks. Risk management requires establishing a sound
system of risk oversight and management and internal control. The Securities and Exchange
Commission (SEC) of USA rules define “internal control over financial reporting” as a “process
designed by, or under the supervision of, the company’s principal executive and principal
financial officers, or persons performing similar functions, and effected by the company’s
board of directors, management and other personnel, to provide reasonable assurance
regarding the reliability of financial reporting and the preparation of financial statements for
external purposes in accordance with generally accepted accounting principles and includes
those policies and procedures that:
 Pertain to the maintenance of records that in reasonable detail accurately and fairly
reflect the transactions and dispositions of the assets of the company;
 Provide reasonable assurance that transactions are recorded as necessary to permit
preparation of financial statements in accordance with generally accepted accounting
principles, and that receipts and expenditures of the company are being made only in
accordance with authorizations of management and directors of the company;
 Provide reasonable assurance regarding prevention or timely detection of unauthorized
acquisition, use, or disposition of the company’s assets that could have a material effect
on the financial statements.
Figure 1.5: Process of Internal Control

Implementing internal controls systems is imperative for effective governance both from
regulatory and management perspective. As auditors are primarily control experts, they can
review the availability, adequacy and appropriateness of implemented controls and provide
appropriate recommendations for mitigating control weaknesses. IS Auditors may be required
to review and evaluate the system of governance, risk management and controls as
14
embedded in IT and information systems and provide assurance on the effectiveness to meet
established objectives.
1.6 Summary
This chapter has provided an overview of concepts and practice of various aspects of
Governance such as enterprise governance, corporate governance and EGIT. The interfaces
between the different levels at which governance is implemented have also been highlighted.
As IT is a key enabler of organization processes, it is critical to implement EGIT as an integral
part of governance. The regulatory and management requirements for implementing
governance start with clearly established objectives and require using a systematic approach
and use of relevant best practices frameworks as required. Corporate Governance and EGIT
are closely inter-linked with enterprise risk management and internal controls. Regulatory
requirement mandates the implementation of governance, enterprise risk management and
internal controls. Organizations are established with the objective of value creation. Hence,
they will implement governance not only from conformance perspective but also to provide
value to the organization. Hence, the two dimensions of conformance and performance have
to be balanced in implementing governance in enterprises. Guidelines for implementing EGIT
have been explained through a generic guideline starting from aligning IT strategy with
enterprise strategy and ending with ensuring sustainability of EGIT implementation and thus
making it an integral part of day to day process.
1.7 Questions
1. Who is responsible for establishing right structure of decision-making accountabilities?
A. Senior management
B. Operational management
C. Chief information officer
D. IT steering committee
2. The MOST important benefit of implementing Governance of Enterprise IT is:
A. Monitor and measure enterprise performance
B. Provide guidance to IT to achieve business objectives
C. Run the companies to meet shareholders’ interest
D. Ensure strategic alignment of IT with business
3. The primary objective of Corporate Governance is:
A. Reduce IT cost in line with enterprise objectives and performance.
B. Optimise implementation of IT Controls in line with business needs
15
C. Implement security policies and procedures using best practices.

D. Increase shareholder value by enhancing economic performance.
4. The ultimate objective Governance of Enterprise IT is to ensure that IT activities in an
enterprise are directed and controlled to achieve business objectives for meeting the
needs of:
A. Shareholders
B. Stakeholders
C. Investors
D. Regulators
5. Which of the following is a key component of Corporate Governance?
A. Employee rights
B. Security policy
C. Transparency
D. Risk assessment
6. Effective Governance of Enterprise IT requires processes to ensure that:
A. risk is maintained at a level acceptable for IT management
B. the business strategy is derived from an IT strategy
C. IT governance is separate and distinct from the overall governance
D. the IT strategy extends the organization's strategies and objectives.
7. Business Governance helps the Board by enabling them to understand:
A. enterprise functions
B. risk assessment
C. key performance drivers
D. Key controls
8. The effectiveness of the IT governance structure and processes are directly dependent
upon level of involvement of
A. Heads of Business units
B. Internal auditor department
C. Technology management
D. Board/senior management
9. Which of the following is one of the key benefits of EGIT?
16
A. Identification of relevant laws, regulations and policies requiring compliance.

B. Improved transparency and understanding of IT’s contribution to business
C. Better utilization of human resources by using automation
D. Increased revenues and higher Return on investments.
10. Which of the following is the primary objective for implementing ERM?
A. Implement right level of controls.
B. Better availability of information.
C. Tighter security at lower cost.
D. Implement IT best practices.

1. A. The senior management is responsible for ensuring right structure of decision-making
accountabilities. The operational management is responsible for ensuring that
operations of the enterprise are run as per enterprise policy. The chief information
officer is responsible for ensuring IT enabled investments provide business value and
the IT steering committee is responsible for steering IT enabled projects toward
successful completion of objectives.
2. D. The MOST important benefit of implementing Governance of Enterprise IT is that it
helps in ensuring strategic alignment of IT with business. Alignment of IT strategy in
tune with enterprise strategy ensures value delivery from IT enabled investments. The
monitoring and measuring of enterprise performance is one of the key processes of
EGIT. EGIT does not provide guidance to IT to achieve business objectives but
provides overall framework and setting for IT to achieve business objectives. Although
EGIT is often implemented from a regulatory perspective and enables enterprises to
meet corporate governance requirements, it does not directly focus on running the
enterprises based on shareholders’ interest. Shareholders are one of the key
stakeholders whose objectives are considered while formulating enterprise goals.
3. C. The primary objective of Corporate Governance is increasing shareholder value by
enhancing economic performance. Reducing IT cost in line with enterprise objectives
and performance is not an objective. Further, optimise implementation of IT Controls in
line with business needs has to be considered as part of EGIT and is not directly
objective of corporate governance. Implementing security policies and procedures
using best practices is not the primary objective of corporate governance.
4. B. The ultimate objective Enterprise Governance of Information Technology (EGIT) is to
ensure that IT activities in an enterprise are directed and controlled to achieve business
objectives for meeting the needs of the stakeholders. There are multiple stakeholders
and EGIT requires balancing the needs of these stakeholders. Shareholders, Investors
17
and Regulators are some of the stakeholders.

5. C. One of the key components of Corporate Governance is ensuring transparency. This
promotes effective governance through establishing, communication and monitoring of
performance. Employee rights are not the focus of corporate governance. Security
policy as prepared by the IT as applicable for the enterprise is approved by the board.
Corporate governance requirements do not provide any specific details of risk
assessment but only outline need for implementing risk management as appropriate for
the enterprise.
6. D. Effective IT governance requires that board and executive management extend
governance to IT and provide the leadership, organizational structures and processes
that ensure that the organization’s IT sustains and extends the organization’s strategies
and objectives, and that the strategy is aligned with business strategy. Risk acceptance
levels are set by senior management, not by IT management. The business strategy
drives the IT strategy, not the other way around. IT governance is not an isolated
discipline; it must become an integral part of the overall enterprise governance.
7. C The primary objective of Business Governance is to ensure performance and hence the
focus by Board is to understand and implement key performance drivers. The other
options are related to operational areas which are dealt by management at their level as
required.
8. D. The Board/senior management play the most critical role in ensuring the effectiveness
of the IT governance structure and processes. Hence, the effectiveness of Governance
is directly dependent upon their level of involvement. The head of business units work
on implementing the directions of the board and are focussed on management. The
internal auditor department play an important role in evaluating how well IT governance
is implemented but their role is providing guidance. The technology management is
responsible for aligning IT strategy in line with the enterprise strategy and implementing
IT solutions which help meet enterprise objectives.
9. B. Implementing EGIT requires active collaboration between the board/senior management
in directing IT towards enterprise objectives and putting a governance framework in
place. Hence, the key benefit of EGIT is the improved transparency and understanding
of IT’s contribution to business which is reflected in the performance management
system. Although identification of relevant laws, regulations and policies requiring
compliance is important in implementing EGIT, this is not the primary benefit. Directly,
the focus of EGIT is neither on better utilization of human resources by using
automation or on increased revenues and higher return on investments although they
are considered as required.
10. A. The primary objective for implementing ERM is it helps in deciding and implementing
the right level of controls. The other 3 options are indirect benefits of implementing
ERM.
18
Chapter 2
GRC Frameworks and Risk Management
Practices
Learning Objective
As IT increasingly becomes a key enabler in enterprises of all types and sizes and there is
transformation of enterprises from “Technology Oriented” to “Business and Technology
oriented, governance and risk management become imperative to ensure value creation and
compliance. In the first chapter, we have understood how EGIT implementation can help in
balancing performance with conformance. Use of best practices framework helps in balancing
risk vs return by implementing the right level of security. Implementing EGIT principles is
critical to strive and thrive in the highly intensive IT era. Governance frameworks provide the
structure within which the management can effectively operate to deliver results as per set
objectives. A governance framework typically set in in motion by the board of directors defines
the rules under which the management system operates to translate the board strategy into
specific actions. Governance is about ensuring that the required authority and responsibility is
allocated appropriately within the organisation. It defines the boundaries of decision making
together with mechanism that ensures that performance is monitored, and risks are identified
and escalated so they are managed at the appropriate level. Risk management at enterprise
level encompassing all levels and all areas is critical for successful implementation of
governance. Governance, Risk and Compliance is a regulatory requirement, and this can be
effectively implemented using well established frameworks. There are a plethora of
frameworks for implementing GRC and EGIT. This chapter provides overview of some of the
key GRC frameworks and also elaborates key concepts of risk management from strategy to
operations.
2.1 Introduction
IT is key enabler of enterprises and forms the edifice on which the information and information
systems are built. Implementing Governance, risk management and internal controls is not
only a management requirement but is also mandated by law. In an IT environment
embedding the right level of controls within the information systems to ensure that users can
access required information securely and safely and as per business requirements is critical
for survival. This not only ensures business success but is also a key requirement for the
continued growth of the enterprise. In implementing internal controls in an IT environment, the
legacy approach of considering IT and its contents as boxes to be secured by the IT
department is fraught with extreme risk as the traditional methods of securing IT from
perimeter perspective is no longer relevant. Users of I&T need to access and use information
from anywhere, anytime. There is need to adapt a macro level and architecture perspective for
securing information and information systems. Hence, both from regulatory as well as
enterprise perspective, senior management have to be involved in providing direction on how
governance, risk and control are implemented using a holistic approach encompassing all
levels from strategy to execution. The Board of directors have to evaluate, direct and monitor
effective use of I&T to achieve enterprise objectives. This governance approach will ensure
harnessing the power of information and information technology for achieving business
objectives in addition to meeting regulatory requirements. Best practices framework provide
management with distilled knowledge of experts and this can be customized to meet
stakeholder requirements which include inter alia management and regulators. Management
has to choose the right mix of frameworks for implementing governance, risk, security and
controls. IS Auditors can assist management in implementing these frameworks in an advisory
capacity or provide assurance on how well the GRC frameworks have been implemented to
meet stakeholder requirements and provide recommendations for improvement. From
regulatory perspective, management have to certify whether Risk management and internal
controls have been implemented as per organisation needs and auditors have to certify
whether this implementation is appropriate and adequate.
2.2 GRC Frameworks (including COBIT 2019, ISO 27001,

ISO 31000)
2.2.1 COBIT 2019
The globally recognized COBIT 2019 Framework, the leader in ensuring effective and
strategic enterprise governance of information and technology (EGIT), has been updated with
new information and guidance—facilitating easier, tailored implementation. As per COBIT
2019, Information is the currency of the 21st century enterprise. Information, and the
technology that supports it, can drive success, but it also raises challenging governance and
management issues. The heart of the COBIT 2019 framework incorporates an expanded
definition of governance and updates COBIT 2019 principles while laying out the structure of
the overall framework. The COBIT 2019 Core Model and its 40 Governance and Management
objectives provide the platform for establishing your governance program; the performance
management system is updated and allows the flexibility to use maturity measurements as
well as capability measurements; introductions to design factors and focus areas offer
additional practical guidance on flexible adoption of COBIT 2019, whether for specific projects
or full implementation.
COBIT 2019 can be used as a benchmark for reviewing and implementing governance and
management of enterprise I&T. COBIT 2019 is a contemporary iteration of the popular I&T
governance framework and certificate. The principles and components of the governance
system make COBIT 2019 an effective tool for implementing EGIT and helps enterprises in
various ways such as: simplify complex issues, deliver trust and value, manage risk, reduce
20
GRC Frameworks and Risk Management Practices
potential public embarrassment, protect intellectual property and maximize opportunities. The
best practices of COBIT 2019 helps enterprises to create optimal value from I&T by
maintaining a balance between realizing benefits and optimizing risk levels and resource use.
COBIT 2019 enables I&T to be governed and managed in a holistic manner for the entire
enterprise, taking in the full end-to-end business and I&T functional areas of responsibility,
considering the I&T related interests of internal and external stakeholders. COBIT 2019 helps
enterprises to manage I&T related risk and ensures compliance, continuity, security and
privacy. COBIT 2019 enables clear policy development and good practice for I&T
management including increased business user satisfaction. The key advantage in using a
generic framework such as COBIT 2019 is that it is useful for enterprises of all sizes, whether
commercial, not-for-profit or in the public sector.
2.1.1.1 Integrating COBIT 2019 with Other Frameworks
There is no single framework which provides all the requirements for all types of enterprises.
Hence, enterprises have to select the right blend of frameworks and best practices. The main
advantage of using COBIT 2019 is that it is provides an enterprise view and is aligned with
enterprise governance best practices enabling EGIT to be implemented as an integral part of
wider enterprise governance. COBIT 2019 also provides a basis to integrate effectively other
frameworks, standards and practices used such as ITIL, TOGAF and ISO 27001. It is also
aligned with The EGIT standard ISO/IEC 38500:2008, which sets out high-level principles for
the governance of I&T, covering responsibility, strategy, acquisition, performance, compliance
and human behaviour that the governing body (e.g., board) should evaluate, direct and
monitor. Thus, COBIT 2019 acts as the single overarching framework, which serves as a
consistent and integrated source of guidance in a non-technical, technology-agnostic common
language.
The Governance and Management objectives in Cobit 2019 are grouped in to five Domains.
Governance objectives are grouped in the Evaluate, Direct and Monitor (EDM) Domain. In this
Domain the Governing body Evaluates strategic options, directs senior management on the
chosen strategic options and monitors the achievement of the strategy. Management
Objectives are grouped into four Domains:
Align Plan and Organise (APO) addresses the overall organization strategy and supporting
activities for I&T.
Build, Acquire and Implement (BAI) treats the definition, acquisition and implementation of
I&T solutions and their integration in business processes.
Deliver, Service and Support (DSS) addresses the operational delivery and support of I&T
Services
Monitor, Evaluate and Assess (MEA) addresses performance monitoring and conformance
of I &T with internal performance targets, internal control objectives and external
requirements.
21
Figure 2.1: COBIT 2019 40 governance & management objectives
Figure 2.2: COBIT 2019 Overview
22
2.2.2 ISO 27001

ISO/IEC 27001 formally specifies an Information Security Management System (ISMS), a suite
of activities concerning the management of information security risks. The ISMS is an
overarching management framework through which the organization identifies, analyses and
addresses its information security risks. The ISMS ensure that the security arrangements are
fine-tuned to keep pace with changes to the security threats, vulnerabilities and business
impacts - an important aspect in such a dynamic field, and a key advantage of ISO27k’s
flexible risk-driven approach. The Standard is designed to help organizations manage their
information security processes in line with international best practice while optimizing costs. It
is technology and vendor neutral and is applicable to all organizations - irrespective of their
size, type or nature.
A part of the ISO 27000 family of standards, ISO 27001 consists of 114 controls and 10
management system clauses that together support the implementation and maintenance of
the standard.
ISO 27001 emphasizes the importance of risk management, which forms the cornerstone of
an ISMS. All ISO 27001 projects evolve around an information security risk assessment - a
formal, top management-driven process which provides the basis for a set of controls that help
to manage information security risks.
ISO/IEC 27001 is a formalized specification for an Information System Management System
(ISMS) with two distinct purposes:
1. It lays out, at a high level, what an organization can do in order to implement an ISMS
2. It can (optionally) be used as the basis for formal compliance assessment by accredited
certification IS Auditors in order to certify an organization.
By implementing an ISO 27001-compliant ISMS, organisations will be able to secure
information in all its forms, increase their resilience to cyber-attacks, adapt to evolving security
threats and reduce the costs associated with information security.
23
Figure 2.3: ISO 27001 Management System Clauses

2.2.2.1 ISO/IEC 27001: 2013 controls
1. A.5 Information security policies
2. A.6 Organisation of information security
3. A.7 Human resources security
4. A.8 Asset management
5. A.9 Access control
6. A.10 Cryptography
7. A.11 Physical and environmental security
8. A.12 Operational security
9. A.13 Communications security
10. A.14 System acquisition, development and maintenance
11. A.15 Supplier relationships
12. A.16 Information security incident management
13. A.17 Information security aspects of business continuity management
14. A.18 Compliance
2.2.3 ISO 31000

ISO has developed a new standard for IT risk management. The standard primarily adopts
24
AS/NZS 4360 for risk management. The modification it has made is that ISO has added
processes for IT risk governance by defining IT risk committee. ISO 31000:2018, Risk
management – Guidelines, provides principles, framework and a process for managing risk. It
can be used by any organization regardless of its size, activity or sector.
Using ISO 31000 can help organizations increase the likelihood of achieving objectives,
improve the identification of opportunities and threats and effectively allocate and use
resources for risk treatment.
However, ISO 31000 cannot be used for certification purposes, but does provide guidance for
internal or external audit programmes. Organizations using it can compare their risk
management practices with an internationally recognised benchmark, providing sound
principles for effective management and corporate governance.
2.2.4 ISO 38500:2015

ISO/IEC 38500 is an international standard for Corporate governance of information
technology published jointly by the International Organization for Standardization (ISO) and
the International Electrotechnical Commission (IEC). It provides a framework for effective
governance of IT to assist those at the highest level of organizations to understand and fulfill
their legal, regulatory, and ethical obligations in respect of their organizations’ use of IT.
ISO/IEC 38500:2015 provides guiding principles for members of governing bodies of
organizations (which can comprise owners, directors, partners, executive managers, or
similar) on the effective, efficient, and acceptable use of information technology (IT) within
their organizations.
It also provides guidance to those advising, informing, or assisting governing bodies. They
include the following:
 executive managers;
 members of groups monitoring the resources within the organization;
 external business or technical specialists, such as legal or accounting specialists, retail
or industrial associations, or professional bodies;
 internal and external service providers (including consultants);
 auditors.
ISO/IEC 38500:2015 applies to the governance of the organization's current and future use of
IT including management processes and decisions related to the current and future use of IT.
These processes can be controlled by IT specialists within the organization, external service
providers, or business units within the organization. ISO/IEC 38500:2015 defines the
governance of IT as a subset or domain of organizational governance, or in the case of a
corporation, corporate governance.
25
ISO/IEC 38500:2015 is applicable to all organizations, including public and private companies,
government entities, and not-for-profit organizations. ISO/IEC 38500:2015 is applicable to
organizations of all sizes from the smallest to the largest, regardless of the extent of their use
of IT.
The purpose of ISO/IEC 38500:20015 is to promote effective, efficient, and acceptable use of
IT in all organizations by
 assuring stakeholders that, if the principles and practices proposed by the standard are
followed, they can have confidence in the organization's governance of IT,
 informing and guiding governing bodies in governing the use of IT in their organization,
and
 establishing a vocabulary for the governance of IT.
2.3 Enterprise Risk Management

2.3.1 Risk Management
Enterprise Risk Management and I&T Risk Management are key components of an effective
I&T governance structure of any enterprise. Effective I&T governance helps to ensure close
linkage to the enterprise risk management activities, including Enterprise Risk Management
(ERM) and I&T Risk Management. I&T governance has to be an integral part of overall
corporate risk management efforts so that appropriate risk mitigation strategies are
implemented based on the enterprise risk appetite. The risk assessment approach adapted
has to consider business impact of IS risk and different types of risks. There has to be timely
and regular communication of status of residual risks to key stakeholders so that appropriate
action is taken to manage the I&T risk profile. This section will provide an overview of related
terms like threats, vulnerabilities etc., IS Risks and exposures and risk mitigation strategies,
which can be adapted by the organizations.
Risk management process is a crux of any business today and it is a day-to-day activity. Risk
management processes primarily focuses on three major areas viz. Market Risk, Credit risk
and Operational Risk. Most organization addresses first two risks i.e. market risk and credit
risks since these are part and parcel of business activities. Whereas operational risks address
the issues and concerns related to operations of a business. Today’s organizations depend
heavily on information and related technology and majority operations have been automated.
Hence, it is important to consider IT risks as these by themselves are very critical but in terms
of impact on other risks, they can impact all areas of enterprise operations. Hence, it is
important to understand how the use of technology has introduced various new types of risks
and their impact specifically in organizations which are heavily dependent on technology. The
Figure below describes the relationship on technology risks in overall risk scenario.
26
Business Risk Strategic Risk IT Risk
Enterprise Risk
Market Risk Competition IT Risk
Management
Operational
IT Risk
Risk
Figure 2.4: Relation of IT risks
2.3.2 Risk Management in COBIT 2019

I&T Risks have to be managed from holistic perspective and this approach is called risk
optimisation. The COBIT 2019 framework provides excellent guidance on risk management
strategy and practices from governance and management perspective. COBIT 2019 aims to
continually examine and evaluate the effect of risk on the current and future use of I&T in the
enterprise. The Governance Domain contains five Governance processes and one of the
Governance process EDM03: Ensured Risk Optimisation primarily focusses on stakeholders’
risk-related objectives. The objective of this process is to ensure that the enterprise’s risk
appetite and tolerance are understood, articulated and communicated and that risk of I&T is
identified and managed. The key benefits of implementing appropriate risk optimisation
process is that it ensures that I&T-related enterprise risk does not exceed risk appetite and
risk tolerance, the impact of I&T risk to enterprise value is identified and managed, and the
potential for compliance failures are minimised. The Cobit framework 2019 has management
domain of Align, Plan and Organise which contains a risk related process APO 12: Managed
Risk. This process requires continually identifying, assessing and reducing I&T related risk
within levels of tolerance set by enterprise executive management. The primary purpose of
this process is to integrate the management of I&T related enterprise risk with overall
enterprise risk management (ERM) and balance the costs and benefits of managing I&T
related enterprise risk.
Key Governance Practices of Risk Management (EDM 03: Ensured Risk Optimisation)
Implementing governance requires that governance practices covering all the aspects of
governance of risk management are covered. There are three broad areas:
 Evaluate Risk Management: Continually examine and make judgment on the effect of
risk on the current and future use of I&T in the enterprise. Consider whether the
27
enterprise's risk appetite is appropriate and ensure that risk to enterprise value related
to the use of I&T are identified and managed;
 Direct Risk Management: Direct the establishment of risk management practices to
provide reasonable assurance that I&T risk management practices are appropriate to
ensure that the actual I&T risk does not exceed the board’s risk appetite; and
 Monitor Risk Management: Monitor the key goals and metrics of the risk management
processes and establish how deviations or problems will be identified, tracked and
reported on for remediation.
Key Management Practices of Risk Management (APO 12: Managed Risk)
Implementing Risk Management requires that the risk management practices are embedded in
all the key organisational processes as required and are performed as part of the day to day
tasks and activities. A process-oriented approach has to be followed for implementing risk
management. The key management practices of effective risk management are:
 Collect Data: Identify and collect relevant data to enable effective I&T related risk
identification, analysis and reporting.
 Analyze Risk: Develop a substantiated view on actual I&T risk in support of risk
decisions.
 Maintain a Risk Profile: Maintain an inventory of known risks and risk attributes,
including expected frequency, potential impact, and responses, and of related
resources, capabilities, and current control activities.
 Articulate Risk: Provide information on the current state of I&T- related exposures and
opportunities in a timely manner to all required stakeholders for appropriate response.
 Define a Risk Management Action Portfolio: Manage opportunities and reduce risk to
an acceptable level as a portfolio.
 Respond to Risk: Respond in a timely manner with effective measures to limit the
magnitude of loss.
Metrics of Risk Management
Enterprises have to monitor the processes and practices of I&T risk management by using
specific metrics. Some of the key metrics are:
 Percentage of critical business processes, I&T services and I&T-enabled business
programs covered by risk assessment;
 Number of significant I&T related incidents that were not identified in risk Assessment;
 Percentage of enterprise risk assessments including I&T related risks; and
 Frequency of updating the risk profile based on status of assessment of risks.
28
2.3.3 Risk Factors

There are unique risks for each organization, given the nature of operations, although
generally organizations within the same sector will have common risk elements. The
appropriate risk response will be different from organization to organization, depending on
how management views the risk in terms of magnitude. Risks are represented in the external
environment in which the organization chooses to operate, as well as those in the internal
environment. Risk factors in the external environment are generally outside of the
organization’s direct control. External risk factors include political situations, the economy,
regulations, natural disasters, competition. Internal risk factors include Organization’s culture,
Internal environment affecting employee’s moral, policies, ethics and values projected by
senior management, process environment, control environment and so on.
2.3.4 Categories of Risks

The risk management process begins with the identification of risk categories. An organization
will have several risk categories to analyse and identify risks that are specific to the
organization. Some examples of risk categories are:
 Business Risks: Also, sometimes referred as inherent risks. These are risk associated
with nature of business. E.g. loss of finished product for food industry
 Market Risks: Risks associated with fluctuations on market affecting the customer base
of organization. E.g. Customer preferring smart phones over traditional phones affecting
Nokia products.
 Financial Risks: Risk associated with financial decisions and environment in which
business operates. E.g. Non-availability of funds, excess expenditure etc.
 Operational Risks: Risks associated with failure of operations of organization. E.g.
failure of assembly-line for car manufacturer, non-availability of IT for banking services
etc.
 Strategic Risks: Associated with incorrect and inappropriate strategy selection and
implementation. E.g. Planning for implementing IT application that is outdated, selecting
application for automation that may not satisfy future growth expectations. Not-
considering effect of smart phones by Nokia management.
 IT Risks: How the company's IT infrastructure relates to business operations and their
impact on business in case risk materializes. E.g. failure of networks affecting
communications, failure of applications impacting operations and service delivery.
 Compliance Risks: Risk when an organization does not comply with legal, regulatory,
contractual or internal compliance requirements E.g. failure of complying with privacy
laws, labour laws, software license agreement.
 Reputational Risk: Reputational risk is the chance of losses due to a declining
29
reputation as a result of practices or incidents that are perceived as dishonest,

disrespectful or incompetent.
E.g. loss of sales and increased costs such as fines or legal fees.
 Process Risk: The business risk associated with a particular process. Process tend to
be a focus of risk management as reducing risk in core business process can often
yield cost reductions and improved revenue. Risk related to P2p cycle or O2c cycle.
2.3.5 Elements of Risk Management

Before establishing a strategy for information risk management, the following elements must
be in place to permit effective risk management:
 Top Management Support: The need for risk management must start and be
supported at the highest level within the company. This includes the governance level
and the CEO.
 Proactive Approach: Risk management efforts must be proactive. This involves the
active identification, measurement and management of the risks, scanning of changes
in the risk profile and reports on managing the risk profile.
 No Ambiguity: There needs to be a clear definition of the risks, and these must be
understood across the organization.
 Accountability: Responsibility for responding to and managing the risks must be
clearly understood and individuals held accountable for fulfilling the roles.
 Resource Allocation: Appropriate resources including people and tools need to be
deployed and available to help managers, executive and the governance level conduct
their obligations within the risk management framework.
 Cultural Change: The organization’s culture must provide for the active management
of risk.
2.3.6 Developing Strategies for Information Risk Management

Some organisations have adopted a centralized model for risk management, while others are
using a decentralized model. The approach depends on:
(a) An organization’s particular operations,
(b) The significant risks,
(c) The culture of the organization,
(d) The management style and
(e) The control environment i.e. the degree of centralization or the delegation of authority
and the infrastructure of the business.
30
In a centralized model it is the Information Risk Management team that develops policies for
the board to consider. Other organizations have decentralized model requiring the involvement
of front-line staff in managing the inherent risks of the company, of the business unit or of the
process.
2.4 Risk Management Process

The Objective of risk management process is to ensure that the organization can manage
risks within acceptable limits. These acceptable limits are decided by Risk Appetite ad Risk
tolerance.
Risk Appetite: It is ability of organization to sustain losses due to materialization of risk. It
also represents the ability of organization to take risk while considering new business
initiatives. It can be defined as ‘the amount and type of risk that an organisation is willing to
take in order to meet their strategic objectives. Organisations will have different risk appetites
depending on their sector, culture and objectives.
Risk Tolerance: It is the limit up to which organization can tolerate to sustain loss of business
in case risk materializes. In other words, in case any risk materializes the organization must
recover from it within specified time decided by risk materialization.
Information Risk Management process involves a continuous cycle to identify, assess,
measure, decide response, assign responsibility and monitor information risk. Organization
may adopt any standard or framework discussed earlier for implementing Information risk
management. Although different framework describes different processes for managing IT
risks, typically IT risk management process follows following steps:
1. Establish the Context
2. Risk identification
3. Risk evaluation
4. Risk prioritization
5. Risk response
6. Risk mitigation
7. Risk monitoring
2.4.1 Risk Identification

As name suggest it is processing to identify risks for organization. Organization may deploy
one or more methods to identify risks. Some methods are:
1. Workshop and brainstorming sessions with stakeholders and process owners: In this
method the process owners and risk practitioners (IS Auditors) meet and discuss the
possible causes for process failures affecting desired outcome. This workshops typically
31
covers risk identification, risk evaluation, control definition steps. In case process
owners does not agree a method called Delphi technique be used to assess the risks.
2. Use of generic risk scenarios based on industry experience and historical data: Generic
scenarios are the list of possible incidents affecting desired outcome of business
process objectives.
3. Review and audit of processes and technology. This includes vulnerability assessment:
Audit findings, lessons learned from Incident response, vulnerability assessments help
organization in identifying possible threats that can impact the normal functioning of
business processes.
2.4.1.1 Risk Components
Risk to be managed effectively have to be understood in totality. Hence, it is important to
understand all the specific components of all identified risks and these are:
 Risk Scenario: A possible event due to materializing of one or more risks for example
Failure of connectivity might be caused due to one or more reasons like physical
damage to cables / devices, malfunction of devices, virus / malware attack, Denial of
service attack, failure of service provider.
 Threat: Reason for risk materialization for example theft of equipment, fire, natural
disaster, non-availability of human resources, Virus
 Vulnerability: Weakness that gets exploited due to threat. For example, absence of
antivirus is a vulnerability that will enable a virus to infect the system or improper
physical security leading to theft
 Likelihood / Probability: Judgment of possibility that threat shall exploit vulnerability.
For example, there is always a possibility of earthquake, however it may not take place
every day. The possibility can be worked out based on historical data and seismic zone
in which facility is located. Or possibility of virus attacking systems can happen multiple
times in a day.
 Impact / Consequences: When threat materializes, it will affect normal functioning
which might result in loss of business, interruption of services. A calculation of possible
loss expressed in monetary terms.
 Response: Acton Plan designed by organization to minimize impact or likelihood of risk
materializing. There are four types of responses and organization may choose one or
more for each risk. The four types are: Accept, Transfer, Avoid and Mitigate. For
example, Management may have process to monitor virus by maintaining antivirus tool
updated and also run a schedule scan. In case cost of process and tool is higher than
impact organization may decide to do nothing and accept the risk.
 Controls / Mitigation: In order to mitigate risk management implements controls. For
32
example, Access controls reduces the likelihood of unauthorized access, Fire

suppression system reduces the impact due to fire.
 Inherent Risk: Total risk without any controls is inherent risk.
 Residual Risk: Controls cannot mitigate the risk completely. It may reduce likelihood
and/or impact. There is a small portion of risk still remains that is known as residual
risk. It also includes accepted risk.
 Risk Aggregation: A risk faced by organization may have different impact on different
business function/ locations. However, from organization’s perspective it is necessary to
present them as total risk for organization. For example, a location on sea shore may
have higher risk of flooding as compared to another location away from seashore.
 Risk Profile: Collective view of all risks an organization likely to face.
 Heat Map: Graphical representation of risk profile.
 Risk Register: A document that is maintained to provide information on identified risks
and contents details of components.
 Risk Owner: Person or entity that is responsible for evaluation and decision of
response for identified risk.
Organizations may adopt various methods for identifying and recording risks some of them are
discussed here.
2.4.1.2 Threat Profile / Inventory
It is a list of all possible threats that might have impact on organization. Organization may
prefer to categorize them based on nature.
 Physical and Environmental for example fire, theft, humidity, temperature
 External threats that are not in control of organization like hackers, Denial of service,
virus, sabotage, targeted attacks
 Internal threats are those are initiated within organization for example disgruntled
employee, unauthorized access by authorised users, confidential data leakage by
employee, misuse of management override. Majority breaches are due to internal
threats
 Natural threats like earthquake, floods, and tsunami
Organization may prepare a list of threats and try to evaluate how they affect organization.
2.4.1.3 Vulnerability Assessment
A vulnerability assessment is one of the process of identifying, the vulnerabilities in a system.
Vulnerability assessment is one process in risk identification. The Vulnerability Assessment is
an evaluation to identify gaps and vulnerabilities in your network, servers, etc. help you
validate your configuration and patch management, and identify steps you can take to improve
33
your information security. The assessment helps you meet your minimum compliance
mandates and security assessment needs. Assessments are typically performed according to
the following steps:
a. Cataloguing assets and resources in a system.
b. Assigning quantifiable value or rank and importance to those resources
c. Identifying the vulnerabilities or potential threats to each resource
Vulnerabilities that may exist across your systems and applications can create an easy path
for hackers to gain access to and exploit your environment. With dozens and even hundreds
of applications and systems across your environment with access to the Internet, maintaining
and updating system operating systems and applications to eliminate vulnerabilities is
paramount - especially when those applications and systems are tied to sensitive customer,
patient or cardholder information.
2.4.1.4 Asset Inventory
Risks when materialize affect the functioning of organization. The impact of a risk can be
different for different business function depending upon the various factors like time of
incident, functions affected etc. For example, in case on a Bank failure of connectivity might
affect ATM network as well as branch network, however if the failure happens after business
hours impact of non-availability of ATM could be higher. In other words, providing protection
for connectivity to ATM shall be different as compared to branch networks. In order to provide
appropriate security organizations may focus on implementing controls over assets that
supports business processes. ISO27001:2005 also recommends implementing controls
around assets by prioritizing them based on results of risk evaluation. (ISO27001:2013
recommend ISO31000 for Risk management and also states that risk management need not
be asset based.)
2.4.1.5 Risk Register and Control Catalogue
It is a collective record of all identified and evaluated risk along with risk owner and risk
response. The structure of risk register may vary organization to organization, however it
must:
1. Contain risk scenario, likelihood, assets impacted, overall impact on business
(assessment), owner, risk response decision, reference to control catalogue, review
date.
2. It must be maintained based on updating process.
3. Generally, it is used to develop risk profile for reporting to management and approval.
IS auditor should use this risk register to review and audit the risk management process and
also ensure that appropriate controls are identified, designed and implemented. Control
catalogue is collective register of all controls designed and implemented within organization
with reference to risk register.
34
2.4.2 Risk Evaluation

Also called risk assessment. It is a process for assessing likelihood and impact of identified
risk. There are two methods used for risk evaluation
1. Quantitative Risk Analysis refers to expressing total risk in monetary terms
2. Qualitative Risk Analysis refers to expressing total risk with qualification like high,
medium, low etc. However, the challenge is perception of these terms differs from
person to person, hence it is necessary to define the meaning of terms high, medium
and low so that they are interpreted uniformly across organization.
2.4.3 Determine Likelihood of Risk

Once threats are identified, the next step is to determine the likelihood that the potential
vulnerability can be exploited by those threats. Several factors need to be considered when
determining this likelihood.
(a) Consider source of the threat, motivation behind the threat, and capability of the source.
(b) Determine the nature of the vulnerability and,
(c) The existence and effectiveness of current controls to deter or mitigate the vulnerability.
The likelihood that a potential vulnerability could be exploited can be described as high,
medium, or low.
Most of the time the likelihood is judgment of analysts hence it is best estimated by risk
owners who are the business process owners as they are likely to be affected due to risk
materialization. This helps in arriving at likelihood.
2.4.4 Risk Prioritization

Based on evaluation of risks, the risks have to be prioritised into high, medium or low or
ranked on scale of 1 to 5. This risk ranking will help enterprises to decide the priority in which
the risks will be mitigated. Based on the decisions taken in this process/stage, the next step of
risk response is implemented. The organizations generally use Risk profile and Heat map to
prioritize evaluated risks based on criticality of risks and priorities of business objectives.
35
Figure 2.5: Risk optimisation
2.4.5 Risk Response

With the potential impact assessment in hand, the next step is to determine what the
appropriate response is to prudently manage the risk.
When risks are identified and analysed, it is not always appropriate to implement controls to
counter them. Some risks may be minor, and it may not be cost effective to implement
expensive control processes for them. Risk management strategy is illustrated below:
Figure 2.6: Risk Response
36
The risk mitigation strategy is explained for each of the options.

 Accept the Risk. One of the primary functions of management is managing risk. Some
risks may be considered minor because their impact and probability of occurrence is
low. In this case, consciously accepting the risk as a cost of doing business is
appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
 Avoid the Risk. It is possible for a risk to be associated with the use of a particular
technology, supplier, or vendor. The risk can be avoided/ eliminated by replacing the
technology with more robust products and by seeking more capable suppliers and
vendors.
 Transfer the Risk. Risk mitigation approaches can be shared with trading partners and
suppliers. A good example is outsourcing infrastructure management. In such a case,
the supplier mitigates the risks associated with managing the IT infrastructure by being
more capable and having access to more highly skilled staff than the primary
organization. Risk also may be mitigated by transferring the cost of realized risk to an
insurance provider.
 Mitigate the Risk. Where other options have been eliminated, suitable controls must be
devised and implemented to prevent the risk from manifesting itself or to minimize its
effects.
For each risk identified, the risk response can be articulated the objective is to bring the
estimated risk below the Risk appetite and risk tolerance of the organization. For example,
where the risk response is to accept the risk, this becomes part of the organization’s risk
tolerance, means the business must recover from impact before tolerance limits.
37
Figure 2.7: Relationship of Risks and Controls
2.4.6 Risk Monitoring

Once the controls are implemented what remains is residual risk i.e. risk remaining after
implementing controls and risk accepted. For example, Organization may implement fire
resistant material to reduce the likelihood of risk. They also implement policies regarding use
of inflammable material and safe electrical design using circuit breakers. Still if the fire breaks
out smoke detectors are implemented to get early warning so that the incident can be
responded to contain damage. Depending upon the level of impact organization may install
fire suppression system that will be automatically activated based on temperature levels and
response time and hence damage is further reduced. However there still remains risk of fire
and hence it needs to be monitored by including processes for testing control equipment,
processes etc. Risk monitoring is process consists of following activities:
1. Periodic review identified and evaluated risks to confirm that the evaluation is
appropriate. This might change due to various factors like changes in environment,
business strategy and focus, Market changes and so on.
2. Review of risks associated with changes in infrastructure, processes and IT. Change
might have effect on risks, for example organization has implemented uninterruptible
power supply system. Subsequently it might have added more equipment and hence
the capacity of UPS may not be sufficient in future. Identifying evaluating this risk in
time shall reduce impact of failure.
3. Incident response and lessons learned is another area that prompts for review of risks
that materialized.
4. Audit findings also requires review of risks since non-effective controls might provide
false comfort of compliance to management.
2.5 IS Risks and Risk Management

There are numerous changes in IT and its operating environment that emphasizes the need to
better manage IT related risks. Dependency on electronic information and IT systems is
essential to support critical business processes. In addition, the regulatory environment is
mandating stricter control over information. Increasing disclosures of information system
disasters and increasing electronic fraud, in turn, drive this. The management of IT related
risks is now being understood as a key part of enterprise governance.
Any Information system based on IT has its inherent risks. These risks cannot be eliminated
but they can be mitigated by appropriate security. This security has to be implemented as per
required control system envisaged by the management of the enterprise. The risks in IT
environment are mitigated by providing appropriate and adequate IS Security. IS security is
defined as "procedures and practices to assure that computer facilities are available at all
required times, that data is processed completely and efficiently and that access to data in
38
computer systems is restricted to authorized people".

IS Auditors are required to evaluate whether the available controls are adequate and
appropriate to mitigate the risks. If controls are unavailable or inadequate or inappropriate,
then there would be a control weakness, which has to be reported to auditee management
with appropriate recommendations to mitigate them.
2.6 Compliance in Cobit 2019

The Management Domain of ”Monitor, Evaluate and Assess” has a compliance focused
process namely:MEA03:Managed Compliance with External Requirements”. This process is
designed to Evaluate that I&T processes and I&T-supported business processes are compliant
with laws, regulations and contractual requirements. This requires that the enterprise has
process in place to obtain assurance that these requirements have been identified and
complied with, and integrate IT compliance with overall enterprise compliance. The primary
purpose of this process is that the enterprise is compliant with all applicable external
requirements.
2.6.1 Key Management Practices of IT Compliance

COBIT 2019 provides key management practices for ensuring compliance with external
compliances as relevant to the enterprise. These practices can be adapted as required:
 Identify External Compliance Requirements: On a continuous basis, identify and
monitor for changes in local and international laws, regulations, and other external
requirements that must be complied with from an I&T perspective.
 Optimize Response to External Requirements: Review and adjust policies,
principles, standards, procedures and methodologies to ensure that legal, regulatory
and contractual requirements are addressed and communicated. Consider industry
standards, codes of good practice, and good practice guidance for adoption and
adaptation
 Confirm External Compliance: Confirm compliance of policies, principles, standards,
procedures and methodologies with legal, regulatory and contractual requirements
 Obtain Assurance of External Compliance: Obtain and report assurance of
compliance and adherence with policies, principles, standards, procedures and
methodologies. Confirm that corrective actions to address compliance gaps are closed
in a timely manner.
2.6.2 Key Metrics for Assessing Compliance Process

Implementing compliance practices requires monitoring of metrics. A list of sample metrics for
reviewing the process of evaluating and assessing compliance are given here for both areas
of compliance with external laws and regulations and IT compliances with internal policies:
39
2.6.2.1 Compliance with External Laws and Regulations:

 Cost of IT non-compliance, including settlements and fines;
 No. of IT related non-compliance issues reported to board or causing public comment or
embarrassment;
 No. of non-compliance issues relating to contractual agreements with IT service
providers;
 Coverage of compliance assessments.
2.6.2.2 IT Compliance with Internal Policies:
 Number of incidents related to non-compliance to policy;
 Percentage of stakeholders who understand policies;
 Percentage of policies supported by effective standards and working practices; and
 Frequency of policies review and updates.
2.7. Information Technology Act 2000

The Information Technology Act 2000, (Amended 2008) provides that any organization is
collecting PII shall be liable in case absence of reasonable security of such information results
in identify theft. It introduced new provisions which are specifically applicable to corporates,
provisions relating to maintaining privacy of information and imposed compliance requirements
on management with penalties for non-compliance. These requirements have to be considered
as part of compliance by corporates and individuals as applicable.
The specific areas of compliance which could be reviewed by the IS Auditor are:
Section 43 A
 Are various components of “sensitive personal data or information” vis-à-vis
users/customers defined by the enterprise?
 Does the enterprise have a security policy?
 Is the security policy documented?
Section 69B
 Has the enterprise adopted/established appropriate policy, procedures and safeguards
for monitoring and collecting traffic data or information?
 Are these documented?
Section 70B
 Does the enterprise have appropriate documented procedure to comply with the
requests of CERT-IN regarding cyber security incidents?
40
Section 72A
 Does the enterprise have an adequate privacy policy?
 Whether the enterprise has provided for opt-in/opt-out clause in the privacy policy?
General
 Has the enterprise appointed designated officer/nodal officer/computer-in-charge to
comply with the directions of competent authority/agency under various provisions of
the Act? Whether details of such designated officer/nodal officer readily available online
(at its website)?
Section 7A Audit of documents i.e. in Electronic Form: Where in any law for the time being in
force, there is a provision for audit of documents, records or information, that provision shall
also be applicable for audit of documents, records or information, processed and maintained
in electronic form.
Under Section 43A of the (Indian) Information Technology Act, 2000, a body corporate who is
possessing, dealing or handling any sensitive personal data or information, and is negligent in
implementing and maintaining reasonable security practices resulting in wrongful loss or
wrongful gain to any person, then such body corporate may be held liable to pay damages to
the person so affected. It is important to note that there is no upper limit specified for the
compensation that can be claimed by the affected party in such circumstances.
The IT Act 2008 recognizes and punishes offences by companies and individual (employee)
actions. For example: Section 66 to 66F and 67 deal with the following crimes:
 Sending offensive messages using electronic medium or using body corporate’s IT for
unacceptable purposes
 Dishonestly stolen computer resource
 Unauthorized Access to computer resources
 Identity theft/Cheating by personating using computer
 Violation of privacy
 Cyber terrorism/Offences using computer
 Publishing or transmitting obscene material
Under Section 72A of the (Indian) Information Technology Act, 2000, disclosure of information,
knowingly and intentionally, without the consent of the person concerned and in breach of the
lawful contract has been also made punishable with imprisonment for a term extending to
three years or fine extending to INR 5,00,000 or with both.
41
2.8 General Data Protection Regulation (GDPR)

The introduction of European Union's ("EU") regulations on protection of natural persons with
regard to processing of personal data and free movement of such data GDPR has brought on
certain significant implications on Indian entities processing personal data of EU Residents.
Basically, since GDPR has extra-territorial application and applies to processing of personal
data of EU residents even by entities situated outside EU, Indian entities who are acting as
either a 'controller' (i.e. the person who determines the purposes and means of the processing
of data) or a 'processor' (i.e. the person who processes the personal data on behalf of the
controller), of personal data of persons of EU, in relation to offering of goods or services to
such persons or monitoring their behaviour in so far as it takes place within EU, become
subject to GDPR.
The concept of "personal data" has been defined in GDPR to refer to any information relating
to an identified or identifiable natural person (i.e. "Data Subject"). An identifiable natural
person is one who can be identified, directly or indirectly, in particular by reference to an
identifier such as a name, an identification number, location data, an online identifier or to one
or more factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person, and therefore all such information is considered as
'personal data' under the GDPR.
For Indian companies dealing with such 'personal data' of EU residents, it then becomes
imperative to implement the data protection requirements stipulated in GDPR within their
systems. This requires a significant overhaul and re-writing of their privacy policies and
contractual arrangements with EU counterparts/Data Subjects and their internal data
protection protocols and systems to make them GDPR compliant.
Compliance with GDPR has become particularly important given the heavy penalties
associated with GDPR non-compliance. Failure to comply with the GDPR requirements can
attract administrative fines of up to EUR 10,00,000 or 20,000,000, or in the case of an
undertaking, up to 2% or 4% of the total worldwide annual turnover of the preceding financial
year, whichever is higher, depending on the nature of provisions breached. Also, for Indian
Company with business dealings with EU companies, their EU counterparts are also likely to
insist on compliance with the GDPR as part of their standard contractual clauses. We may
also add that the Indian Government is also seeking to introduce a more robust regulatory
framework for data protection and privacy. Therefore, companies having business interest in
EU should take comprehensive look at evolving their data protection practices not just to be
GDPR compliant but also in preparation for a more stringer data protection regulatory
framework likely to be introduced in India in the near future.
2.9 The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 seeks to provide for protection of personal data of
42
individuals, and establishes a Data Protection Authority for the same.

The Bill governs the processing of personal data by:
(i) government,
(ii) companies incorporated in India, and
(iii) foreign companies dealing with personal data of individuals in India.
Personal data is data which pertains to characteristics, traits or attributes of identity, which
can be used to identify an individual. The Bill categorises certain personal data as sensitive
personal data. This includes financial data, biometric data, caste, religious or political beliefs,
or any other category of data specified by the government.
Obligations of data fiduciary: A data fiduciary is an entity or individual who decides the
means and purpose of processing personal data. Such processing will be subject to certain
purpose, collection and storage limitations. All data fiduciaries must undertake certain
transparency and accountability measures such as:
(i) implementing security safeguards (such as data encryption and preventing misuse of
data), and
(ii) instituting grievance redressal mechanisms to address complaints of individuals.
Rights of the individual: The Bill sets out certain rights of the individual (or data principal).
These include the right to:
(i) obtain confirmation from the fiduciary on whether their personal data has been
processed,
(ii) seek correction of inaccurate, incomplete, or out-of-date personal data,
(iii) have personal data transferred to any other data fiduciary in certain circumstances, and
(iv) restrict continuing disclosure of their personal data by a fiduciary, if it is no longer
necessary or consent is withdrawn.
Transfer of data outside India: Sensitive personal data may be transferred outside India for
processing if explicitly consented to by the individual, and subject to certain additional
conditions. However, such sensitive personal data should continue to be stored in India.
Certain personal data notified as critical personal data by the government can only be
processed in India.
Offences: Offences under the Bill include:
(i) processing or transferring personal data in violation of the Bill, punishable with a fine of
Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and
(ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the
annual turnover of the fiduciary, whichever is higher.
(iii) Re-identification and processing of de-identified personal data without consent is
43
punishable with imprisonment of up to three years, or fine, or both.
2.10 Summary
This chapter has provided an overview of various types of Governance and risk management
frameworks which can be used by organisations for implementing. There is no single
framework which meets all requirements. Hence, it is important to understand the scope and
coverage of each of these frameworks so that they can adapted as required for
implementation. Risk management is an integral aspect of governance and management.
Risks have both positive and negative attributes. Risks provide challenges but they also
provide opportunities. Risk management requires effective mitigation of risks by adapting the
risk management process strategy thereby balancing risk versus benefits.
2.11 Questions
1. The most important requirement for IT governance function to be effective is:
A. Monitoring
B. Evaluation
C. Directing
D. Managing
2. The MOST important benefit of implementing IT risk management process is that it
helps in:
A. optimizing internal control framework.
B. ensuring residual risk is at acceptable level.
C. prioritizing business functions for audit planning.
D. complying with regulatory requirements.
3. Which of the following is a major risk factor?
A. Existence of inflationary trends.
B. Vendor launches new software.
C. Board of directors elects new chairman.
D. Change in government post elections.
4. The level to which an enterprise can accept financial loss from a new initiative is:
A. Risk tolerance
B. Risk management
C. Risk appetite
D. Risk acceptance
44
5. Designing and implementing a control to reduce the likelihood and/or impact of risk
materializing is a:
A. Risk acceptance
B. Risk transfer
C. Risk treatment
D. Risk transfer
6. Which of the following is a valid risk statement?
A. Network service provider is unable to meet bandwidth.
B. Hacker attempts to launch attack on web site.
C. Application server crash due to power failure.
D. Delay in servicing customers due to network congestion.
7. Which of the following is primary reason for periodic review of risk? The changes in:
A. risk factors
B. risk appetite
C. budget
D. risk strategy
8. Which of the following is a strategic IT risk?
A. IS audit may not identify critical non-compliance.
B. Non-availability of networks impacting services to customers.
C. New application may not achieve expected benefits.
D. Defer replacement of obsolete hardware.
9. Which of the following is the most essential action after evaluation of inherent risks?
A. Evaluate implemented controls.
B. Update risk register.
C. Prepare heat map.
D. Prioritized evaluated risk.

1. C. Directing is the most critical of the Governance function which can be performed by the
Board. Although, governance has three critical functions: Evaluate, direct and monitor,
evaluation and monitoring can be performed against directions.
2. B. The primary function of IT risk management process is to support value creation by
reducing the risk to an acceptable level. The other options are secondary benefits of IT
45
risk management.
3. D. Risk factors are conditions that affect the risk profile of organization. Change in
government is one of major risk factor as compared with other options.
4. C. Risk appetite denotes the level of risk acceptable by management. Risk tolerance is the
time up to which an organization can afford to accept the risk. Risk management is a
process of risk mitigation and risk acceptance is decision of the management and is
considered as risk response.
5. C. Implementing control is a risk treatment.
6. D. Options A, B and C are threats and not risks.
7. A. Changes in risk factors is the primary reason for reviewing changes in risk levels for an
organization. The other options are secondary reasons.
8. D. Deferring replacement of obsolete hardware is strategic decision and hence it is a
strategic IT risk. Others are operational IT risks.
9. A. Once risks are evaluated it is necessary to find out the current state of risk mitigation
(gaps in controls) by evaluating the existing controls. This help in identifying gaps and
implementing controls so as to reduce the total exposure within acceptable limits. Other
activities are required but not as essential as identifying gaps in controls.
Downloads
COBIT 2019 Design Guide
http://www.isaca.org/COBIT/Pages/COBIT-2019-Design-Guide.aspx
46
Chapter 3
Key Components of A Governance System
Learning Objectives
To satisfy governance and management objectives, each enterprise needs to establish, tailor
and sustain a governance system built from a number of components. Components are factors
that, individually and collectively, contribute to the good operations of the enterprise’s
governance system over I&T. Components interact with each other, resulting in a holistic
governance system for I&T. Components of a governance system include organizational
structures; policies and procedures; information items; culture and behavior; skills and
competencies; and services, infrastructure and applications
COBIT 2019 which is based on components can be used for implementing Enterprise
Governance of Information Technology (EGIT). This chapter discusses the key components of
EGIT which facilitate the successful achievement of enterprise goals and IT enabled goals.
3.1 Introduction
Organizations which wish to implement EGIT for achieving enterprise objectives have to
consider various key aspects such as goals, objectives, benefit and value for the organisation.
However, to ensure these are achieved, an appropriate EGIT framework must be
implemented. Implementing EGIT does not occur in a vacuum but has to consider the specific
environment applicable to the enterprise. We have discussed in earlier chapters how
implementation of EGIT can be focussed both on conformance and performance. EGIT
implementation has to be taken as a project with an empowered project champion vested with
responsibility for results. Selecting and implementing the right type of components as required
is the key to successful implementation of a EGIT framework. This implementation takes place
in different conditions and circumstances determined by numerous factors impacting both
internal and external environment and these could be pertaining to:
 Ethics and culture of the organisation
 Laws, regulations and policies
 Applicable standards
 Industry practices
 Competitive environment
Implementing EGIT requires consideration of specific aspects applicable to the enterprise and
these could pertain to:
 Mission, vision, goals and values
 Governance policies and practices

 Culture and management style
 Models for roles and responsibilities
 Business plans and strategic intentions
 Operating model and level of maturity
3.2 COBIT 2019 Governance System Principles

COBIT 2019 simplifies governance challenges with just 6 principles. The six key principles for
governance and management of enterprise IT in COBIT 2019 taken together enable the
organisation to build an effective governance and management framework that optimizes
information and technology investments use for the benefit of stakeholders.
Figure 3.1: Governance Framework Principles under COBIT 2019

Principles 1: Provide Stakeholder Value: enterprises exist to create value for their
stakeholders by maintaining a balance between the realization of benefits and the optimization
of risk and use of resources. COBIT 2019 provides all of the required processes and other
components to support business value creation through the use of I&T. Because every
48
enterprise has different objectives, and enterprise can customize COBIT 2019 to suit its own
context through the goals cascade, translating high level enterprise goals into manageable
specific, IT related goals and mapping these to specific processes and practices.
Principle 2: End-to-End Governance System: COBIT 2019 integrates governance of
enterprise IT into enterprise governance. It covers all functions and processes within the
enterprise; COBIT 2019 does not focus only on the IT function but treats information and
related technologies as assets that needs to be dealt with just like any other asset by
everyone in the enterprise. It considers all IT related governance and management
components to be enterprise wide and end to end i.e. inclusive of everything and everyone
internal and external that is relevant to governance and management of enterprise information
and related IT.
Principle 3: Tailored to Enterprise Needs: A governance system should be tailored to the
enterprise’s needs, using a set of design factors as parameters to customize and prioritize the
governance system components.
Principle 4: Holistic Approach: Efficient and effective Enterprise governance of I&T require
a holistic approach, taking into account several integrating components. COBIT 2019 defines
a set of components to support the implementation of a comprehensive Enterprise governance
system for I&T. Components are broadly defined as anything that can help to achieve
objectives of the enterprise.
Principle 5: Governance Distinct from Management: The COBIT 2019 framework makes a
clear distinction between governance and management. These two disciplines encompass
different types of activities require different organizational structures and serve different
purposes.
 Governance: It ensures that stakeholders needs, conditions and options are evaluated
to determine balanced, agreed on enterprise objectives to be achieved; setting direction
through prioritization and decision making, and monitoring performance and compliance
against agreed on direction and objectives. In most organizations the governance is the
responsibility of the board of directors under the leadership of the chairperson. Specific
governance responsibilities many be delegated to special organizational structures at
an appropriate level, especially in larger, complex organizations.
 Management: It plans, builds, runs and monitors activities in alignment with the
direction set by the governing body to achieve the objectives. In most of the enterprises;
management is the responsibility of the executive management under the leadership of
the Chief Executive Officer (CEO).
Table 3.1: Distinction between Governance and Management
Governance Management
 Evaluate: Stakeholder needs,  Plan, build, run and monitor activities
conditions and options
49
 Determine: Agreed on enterprise  Align with: direction set by the

objectives governance body
 Set direction: Prioritization and  Achieve: Enterprise objectives
decision making
 Monitor: Performance and  Monitor and Report: Performance and
compliance conformance
 Responsibility: Board of directors  Responsibility: Management at all
levels
Principle 6: Dynamic Governance System: A governance system should be dynamic. This
means that each time one or more of the design factors are changed (e.g., a change in
strategy or technology), the impact of these changes on the EGIT system must be considered.
A dynamic view of EGIT will lead toward a viable and future-proof EGIT system.
3.3 Components of the Governance System as per COBIT

2019
Components are broadly defined as anything that can help to achieve the objectives of the
enterprise. They are also the factors that, individually and collectively, influence whether
something will work. There are seven components of COBIT 2019.We will discuss the key
characteristics of each of these seven components.
Figure 3.2: Components of a Governance System
50
3.3.1 Principles, Policies, Procedures

The first component of COBIT 2019 is: “Principles, Policies and Procedures”. It may be noted
that these components although provided in COBIT 2019 from a EGIT perspective can be
equally applicable and adaptable for any new project or initiative.
The purpose of principles policies and procedures is to convey the governing bodies and
management’s direction and instructions. They are instruments to communicate the rules of
the enterprise, in support of the governance objectives and enterprise values as defined by
the board and executive management. The primary reason for implementing principles,
policies and procedures is to translate the desired strategy into practical guidance for day-to-
day management. The key difference between principles and policies are that principles need
to be limited in number. The characteristics of good policies are that they should:
 Be effective: achieve their purpose
 Be efficient: especially when implementing them
 Non-intrusive: Should make sense and be logical to those who have to comply with
them.
Policies should have a mechanism (framework) in place where they can be effectively
managed, and users know where to go. Specifically, they should be:
 Comprehensive, covering all required areas
 Open and flexible allowing for easy adaptation and change.
 Current and up to date
The purpose of a policy life cycle is that it must support a policy framework in order to achieve
defined goals and express clearly as possible the core values of the enterprise. Policies are
more detailed guidance on how to put principles into practice. The good practice requirements
for policies and procedures have to be approved by the Board and senior management. These
are important and should specifically cover the following:
 Scope and applicability.
 Consequences of failing to comply with the policy.
 Means of handling exceptions.
 How they will be monitored.
The links and relationships between principles, policies, Procedures and other components
are:
 Principles, policies and Procedures reflect the cultures, ethics and values of the
enterprise.
 Processes are the most important vehicle for executing policies.
 Organizational structures can define and implement policies.
 Policies are part of information which has to be documented and communicated.
51
3.3.2 Processes
The second component of COBIT 2019 is “Processes”. A process is defined as ‘a collection
of practices influenced by the enterprises policies, and procedures that takes inputs from a
number of sources (including other processes) manipulates the inputs and produces outputs
(e.g. products and services).
 Process practices are defined as the ‘guidance’ necessary to achieve process goals.
 Process activities are defined as the ‘guidance’ to achieve management practices for
successful governance and management of enterprise IT.
 Inputs and Outputs are the process work products/artefacts considered necessary to
support operation of the process.
Process model of COBIT 2019 focuses on generic processes required by organization to
implement within organization. It clearly distinguishes between Governance processes and
management processes.
Each process should provide:
 Process description
 Process purpose statement
 IT-related Goals
 Each IT-related goal is associated with a set of generic related metrics
 Process Goals (also from the Goals cascade mechanism and is referred to as
Component Goals).
 Each process goal is associated or related with a set of generic metrics.
 Each Process contains a set of Management Practices.
 These are associated with a generic RACI chart (Responsible, Accountable, Consulted,
Informed)
 Each management practices contains a set of inputs and outputs (called work products)
 Each management Practice is associated with a set of activities.
In addition, COBIT 2019 identifies the goals for each process and also defines the metrics to
measure the performance of each process.
3.3.3 Organizational Structures

The third component of COBIT 2019 is “Organisational structures”. Establishing accountability
mechanisms through appropriate organisation structure is the corner-stone of governance
implementation. Deployment of IT requires involvement not only from management
(management processes) but also from the Board of directors (governance processes).
52
Hence, the organisation structure has to include establishing specific responsibility for both
governance and management. The key role and responsibilities for most of the typical
functions in an organisation from governance and management perspective is identified for
each of the 200+ management practices covering all the 40 Governance and Management
objectives. This is provided in the RACI chart which will help in defining roles, responsibilities
covering risks and controls for all critical areas as per COBIT 2019 processes and practices.
Using these practices will help organisations to establish a number of good practices of
organizational structure such as:
 Operating Principles: The practical arrangements regarding how the structure will
operate, such as meeting frequency documentation and other rules
 Span of Control: The boundaries of the organization structure’s decision rights.
 Level of Authority: The decisions that the structure is authorized to take.
 Delegation of Responsibility: The structure can delegate a subset of its decision
rights to other structures reporting to it.
 Escalation Procedures: The escalation path for a structure describes the required
actions in case of problems in making decisions.
An organization structure shall vary from organization to organization depending on the level
of authority, responsibility and span of control. A generic structure may look like the following
diagram:
Figure 3.3: Organization Structure
53
Fundamentally, the role of an IT department within an organisation is to design, maintain, and

support an organisation's information technology infrastructure, thus allowing
the organisation to leverage both information and technology in an efficient, productive and
secure manner. The IT Organizational Structure also aims at supporting the organization in its
future growth and evolutionary process, as can be seen from the pictorial representation
below:
Figure 3.4: Organization Structure of IT Department

Implementing right organisation structure from governance perspective requires creation of the
right accountability mechanisms and decision-making system. This requires establishing
committees at different levels covering all areas right from strategy to execution. Two
important committees which are required for implementing effective EGIT are the IT Strategy
committee and the IT Steering Committee. The roles and responsibilities of each of these
committees is explained below.
3.3.3.1 IT Strategy Committee
Enterprise Governance of I&T should be an integral part of corporate governance, and in this
way a primary concern of the board of directors. Boards may carry out their governance duties
through committees and they can consider the criticality of IT through an IT strategy
committee. The IT strategy committee is composed of board and non-board members. They
should assist the board in governing and overseeing the enterprise's IT-related matters. This
54
committee should ensure that IT is a regular item on the board's agenda, where it must be
addressed in a structured way. The IT strategy committee should work in close relationship
with the other board committees and with management in order to provide input to, and to
review and amend the aligned enterprise and IT strategies. The implementation of the IT
strategy must be the responsibility of executive management assisted by one or more IT
steering committees. Typically, such a steering committee has the responsibility for
overseeing major projects and managing IT priorities, IT costs, and IT resource allocation.
While the IT strategy committee operates at the board level, the IT steering committee is
situated at executive level, which implies that they have different responsibility, authority and
membership
3.3.3.2 IT Steering Committee
Planning is essential for determining and monitoring the direction and achievement of the
enterprise goals and objectives. As enterprises are dependent on the information generated
by information systems, it is important that planning relating to information systems is
undertaken by senior management or by the steering committee. Depending on the size and
needs of the enterprise, the senior management may appoint a high-level committee to
provide appropriate direction to IT deployment and information systems and to ensure that the
information technology deployment is in tune with the enterprise business goals and
objectives. This committee called as the IT Steering Committee is ideally led by a member of
the Board of Directors and comprises of functional heads from all key departments of the
enterprise including the audit and IT department.
The role and responsibility of the IT Steering Committee and its members must be
documented and approved by senior management. As the members comprise of function
heads of departments, they would be responsible for taking decisions relating to their
departments as required. The IT Steering Committee provides overall direction to deployment
of IT and information systems in the enterprises. The key functions of the committee would
include:
 To ensure that long and short-range plans of the IT department are in tune with
enterprise goals and objectives;
 To establish size and scope of IT function and sets priorities within the scope;
 To review and approve major IT deployment projects in all their stages;
 To approve and monitor key projects by measuring result of IT projects in terms of
return on investment, etc.;
 To review the status of IS plans and budgets and overall IT performance;
 To review and approve standards, policies and procedures;
 To make decisions on all key aspects of IT deployment and implementation;
55
 To facilitate implementation of IT security within enterprise;

 To facilitate and resolve conflicts in deployment of IT and ensure availability of a viable
communication system exists between IT and its users; and
 To report to the Board of Directors on IT activities on a regular basis.
Appointment: The IS Steering Committee is appointed by the Board in order to oversee the
IS Department’s processes, and it operates at the executive level.
Responsibilities: The duties, responsibilities, authority and accountability of the Steering
Committee should be defined in a formal charter, which should be approved by the Board.
Members should know IS department policies, practices and procedures. Each member
should have the authority to make decisions within the group for his or her respective areas.
Objective: The primary objective of the Steering Committee is to ensure that the IS
department is aligned with the organization’s mission and objectives. It provides planning and
control for the organization’s IS function.
Chairman: It should preferably be chaired by a member of the board of directors who
understands information technology risks and issues.
Representation: The membership of the committee should be broad-based and should
include a cross-section of senior business managers including legal and finance, senior
management, user management and IS department.
Clear job definitions have to be provided for all key IT positions so as to ensure that the
required IT organisation structure is established. It is also important to understand the roles,
responsibilities and risks of key IT personnel.
3.3.4 Culture, Ethics and Behavior

The fourth component of COBIT 2019 is “Culture, ethics and Behavior”. The principles of this
component are inbuilt in the processes and other guidance. Organizational Ethics determine
the values by which the enterprise want to live (its code). Individual ethics determined by each
person’s personal values and dependent to some extent on external factors not always under
the enterprise’s control. Individual behaviours which collectively determine the culture of the
enterprise and is dependent on both organizational and individual ethics. In governance terms,
culture is significantly influenced but what is referred to as “The Tone from the Top”. In other
words, the spoken and unspoken messages sent from the IT executive leadership, which in
turn influences managerial behaviour and directly influences company plans, policies, and
organizational direction. In short, culture is shaped and transformed by consistent patterns of
senior management action. Some examples are:
 Behaviour towards risk taking
 Behaviour towards the enterprise’s principles and policies
 Behaviour towards negative outcomes, e.g. loss events
56
Good practices for creating, encouraging and maintaining desired behaviour throughout the
enterprise include:
 Communication throughout the enterprise of desired behaviours and corporate values.
(This can be done via a code of ethics).
 Awareness of desired behaviour strengthened by senior management example. This is
one of the keys to a good governance environment when senior management and the
executives ‘walk the talk’ so to speak. It is sometimes a difficult area and one that
causes many enterprises to fail because it leads to poor governance. (Typically, this will
be part of a training and awareness sessions based around a code of ethics).
 Incentives to encourage and deterrents to enforce desired behaviour. There is a clear
link to HR payment and reward schemes.
 Rules and norms which provide more guidance will typically be found in a Code of
Ethics.
3.3.5 Information
Information is the fifth component of COBIT 2019. Information is processed using information
technology. The success of an enterprise in the digital world depends on how well information
is harnessed for achieving enterprise objectives. Information is the most valuable asset and
success of an enterprise is determined by how well information is processed and made
available to all the stakeholders with the requisite level of security. Ensuring the right type of
information using information systems in safe and secure environment is the most critical
aspects of technology deployment. As per COBIT 2019, Information is currency of the 21st
century. Process requires information and management at all levels require information for
decision making and monitoring performance. IT maintains information and hence the
attributes of information are most important for business and management. IT supports
business process by generating and processing data. The information is then transformed into
knowledge that creates value for management and helps in decision which affects the
business process. The attributes required to assess the context and quality of information to
the user which need to be considered, specifically are:
 Relevancy: The extent to which information is applicable and helpful for the task at
hand
 Completeness: The extent to which information is not missing and is of sufficient depth
and breath for the task at hand
 Appropriateness: The extent to which the volume of information is appropriate for the
task at hand.
 Conciseness: The extent to which the information is compactly represented.
 Consistency: The extent to which the information is presented in the same format.
57
 Understandability: The extent to which the information is easily understandable

 Ease of Manipulation: The extent to which information is easy to manipulate and apply
to different tasks.
3.3.6 Services, Infrastructure and Applications

The sixth component of COBIT 2019 is: “Services, infrastructure and Applications”. This
refers to the services provided by IT to business and stakeholders to meet internal as well as
external requirements. Application helps in providing services by processing information.
Application is hosted using IT infrastructure. Application software are at the heart of
processing of transaction processing and encompass all mission critical processes. In a
modern enterprise where services are provided an on-line, real-time basis, services,
infrastructure and applications provide the most critical foundation for providing services to
customers. Hence all these three aspects: services, infrastructure and applications must be
considered together. Modern applications are complex and interacts with various technologies,
for example core banking application is hosted on server that processes and provide data in
real time to various delivery channels likes ATM, Mobile banking, Internet banking, Branch
banking. All delivery channels are set of applications focusing on providing services to
customers. Hence a bank must consider all these three objects together.
There are five architecture principles that govern the implementation and use of I&T-Related
resources. This is part of the good practices of this component. Architecture principles are
overall guidelines that govern the implementation and use of I&T-related resources within the
enterprise. Examples of such principles are:
 Reuse: Common components of the architecture should be used when designing and
implementing solutions as part of the target or transition architectures.
 Buy vs. Build: Solutions should be purchased unless there is an approved rationale for
developing them internally.
 Simplicity: The enterprise architecture should be designed and maintained to be as
simple as possible while still meeting enterprise requirements.
 Agility: The enterprise architecture should incorporate agility to meet changing
business needs in an effective and efficient manner.
 Openness: The enterprise architecture should leverage open industry standards.
The services, infrastructure and applications as an component is also designed and built
based on the IT strategic plan which in turn is derived from the enterprise strategic plan. For
most enterprises, the investment and cost of this component would be the highest and hence
needs to be managed both as a one-time projects and as on-going maintenance projects as
relevant. Any new business initiative would require IT enabled change which has to be
supported by required services, infrastructure and applications and once deployed, there is a
need for on-going maintenance to ensure that the required level of services is provided.
58
3.3.7 People, Skills and Competencies

People, Skill and competencies are the most valuable asset of an enterprise. In an
increasingly digital world where most of the routine transaction processing is automated. It is
the people with the required skills and competencies who are the key differentiator. IT is only
enabler and by itself provide value. Value is derived by how IT is harnessed through right
blend of people, process and technology. It is the employees of an enterprise who as
knowledge workers use the power of IT to provide services to customers. In the service
industry, the human resources are the most valuable asset. Technology can be bought but
effective implementation requires people to be trained with the requisite skills and
competencies to provide services. Nothing can move unless supported and managed by
people who use their intrinsic capacity to analyze information and take decisions. Without
people organizations will not exist. People, however, possess different skills and organization
need people with different skills. In order to ensure appropriate skills organization, follow
various people management practices like training, motivational programs, career
progressions, job rotation.
While defining organization structure organizations also define job description, roles and
responsibilities along with competencies required to perform the job. For example, IT related
activities likes business analysis, system design, development and coding, testing.
Organizations also consider outsourcing to ensure appropriate skill and competencies are
available to achieve performance and service delivery objectives. For implementing EGIT,
organizations require skills for developing and executing IT Policy formulation, IT strategy,
enterprise architecture, innovation, financial management, portfolio management and many
such related processes as relevant.
The seven components of COBIT 2019 have to be implemented in enterprises of all sizes
regardless of nature of business or sector or technology deployment. However, the relevance
of each these components would vary across enterprises. For example, in a software
company, the component: people, skills and competencies are extremely important whereas in
the case of highly regulated industry, the component: culture, ethics and behavior is most
important. For successful implementation of EGIT, selecting the right blend of these
components customised as required is most critical. The components also have the openness
of integrating across various frameworks.
3.4 Designing a Tailored Governance System of COBIT

2019
Effective governance over information and technology is critical to business success. The
design guide is a new offering that includes four steps to design a tailored governance system:
1. Understand the enterprise context and strategy. This includes understanding the
enterprise strategy, goals, risk profile, and current information- and technology-related
challenges.
59
2. Determine the initial scope of the governance system. This includes establishing
governance and management priorities.
3. Refine the scope of the governance system. This includes considering the threat
landscape, compliance requirements, the role of IT, the technology adoption strategy,
enterprise size and more.
4. Conclude the governance system design. This includes resolving priority conflicts,
adopting resolution strategies and conclude the governance system design.
3.5 Stakeholders in Implementing EGIT

There are many stakeholders who need to collaborate to achieve the overall objective of
improved IT performance. The most important stakeholders and their specific role and
responsibilities are outlined here:
 Board and executive management: How do we set and define enterprise direction for
the use of I&T and monitor that relevant and required EGIT enablers are established so
that business value is delivered, and I&T-related risks are mitigated?
 Business management and business process owners: How do we enable the
enterprise to define/align I&T-related goals to ensure that business value is delivered
from the use of I&T and I&T-related risks are mitigated?
 Chief information officer (CIO), IT management and IT process owners: How do we
plan, build, deliver and monitor information and IT solutions and service capabilities as
required by the business and directed by the board?
 Risk, compliance and legal experts: How do we ensure that we are in compliance
with policies, regulations, laws and contracts, and risks are identified, assessed and
mitigated?
 Internal audit: How do we provide independent assurance on value delivery and risk
mitigation?
3.6 Using Systematic Approach for Implementing EGIT

COBIT 2019: Implementation provides a systematic approach for implementing EGIT project
within an enterprise with specific phases, tasks and activities and roles and responsibilities
and deliverables of each of these phases. One of the key components of EGIT
implementation is “Culture, ethics and behavior”. This is set by the tone at the top with the
senior management establishing and enforcing the right culture. In implementing EGIT, this is
most critical. The overall enterprise environment should be analysed to determine the most
appropriate change enablement approach. This will include aspects such as the management
style, culture (ways of working), formal and informal relationships, and attitudes. It is also
important to understand other IT or enterprise initiatives that are ongoing or planned, to
60
ensure that dependencies and impacts are considered. It should be ensured from the start that
the required change enablement skills, competencies and experience are available and
utilised: for example, by involving resources from the HR function or by obtaining external
assistance. As an outcome of this phase, the appropriate balance of directive and inclusive
change enablement activities required to deliver sustainable benefits can be designed. Brief
overview of each of the phases of a EGIT implementation is provided. This approach has to be
adapted as per requirements of the project.
3.6.1 Phase 1: Establish the Desire to Change

The purpose of this phase is to understand the breadth and depth of the envisioned change,
the various stakeholders that are impacted, the nature of the impact on and involvement
required from each stakeholder group, as well as the current readiness and ability to adopt the
change. Current pain points and trigger events can provide a good foundation for establishing
the desire to change. The ‘wake-up call’, an initial communication on the programme, can be
related to real-world issues that the enterprise may be experiencing. Also, initial benefits can
be linked to areas that are highly visible to the enterprise, which creates a platform for further
changes and more widespread commitment and buy-in. While communication is a common
thread throughout the implementation or improvement initiative, the initial communication or
wake-up call is one of the most important and should demonstrate the commitment of senior
management— therefore, it should ideally be communicated by the executive committee or
CEO.
3.6.2 Phase 2: Form an Effective Implementation Team

Dimensions to consider in assembling the right core implementation team include involving
the appropriate areas from business and IT as well as the knowledge and expertise,
experience, credibility, and authority of team members. Obtaining an independent, objective
view as provided by external parties, such as consultants and change agent, could also be
highly beneficial and aid the implementation process or could address skill gaps that may
exist within the enterprise. Therefore, another dimension to consider is the appropriate mix
of internal and external resources. The essence of the team should be a commitment to:
 A clear vision of success and ambitious goals
 Engaging the best in all team members, all the time
 Clarity and transparency of team processes, accountabilities and communications
 Integrity, mutual support and commitment to each other’s success
 Mutual accountability and collective responsibility
 Ongoing measurement of its own performance and the way it behaves as a team
 Living out of its comfort zone, always looking for ways to improve, uncovering new
possibilities and embracing change
61
It is important to identify potential change agents within different parts of the business that
the core team can work with to support the vision and cascade changes down.
3.6.3 Phase 3: Communicate Desired Vision

A high-level change enablement plan should be developed in conjunction with the overall
programme plan. A key component of the change enablement plan is the communication
strategy, which should address who the core audience groups are, their behavioural profiles
and information requirements, communication channels, and principles. The desired vision for
the implementation or improvement programme should be communicated in the language of
those affected by it. The communication should include the rationale for and benefits of the
change, as well as the impacts of not making the change (purpose), the vision (picture), the
road map to achieving the vision (plan) and the involvement required of the various
stakeholders (part). Senior management should deliver key messages (such as the desired
vision). It should be noted in the communication that both behavioural/cultural and logical
aspects should be addressed, and that the emphasis is on two-way communication.
Reactions, suggestions and other feedback should be captured and acted upon.
3.6.4 Phase 4: Empower Role Players and Identify Quick Wins

As core improvements are designed and built, change response plans are developed to
empower various role players. The scope of these may include:
 Organisational design changes such as job content or team structures
 Operational changes such as process flows or logistics
 People management changes such as required training and/or changes to performance
management and reward systems
Any quick wins that can be realised are important from a change enablement perspective.
These could be related to the pain points and trigger events discussed in previous chapter.
Visible and unambiguous quick wins can build momentum and credibility for the programme
and help to address any scepticism that may exist. It is imperative to use a participative
approach in the design and building of the core improvements. By engaging those impacted
by the change in the actual design, e.g., through workshops and review sessions, buy-in
can be increased.
3.6.5 Phase 5: Enable Operation and Use

As initiatives are implemented within the core implementation life cycle, the change response
plans are implemented. Quick wins that may have been realised are built on and the
behavioural and cultural aspects of the broader transition are addressed (issues such as
dealing with fears of loss of responsibility, new expectations and unknown tasks). It is
important to balance group and individual interventions to increase buy-in and engagement
and to ensure that all stakeholders obtain a holistic view of the change.
62
Solutions will be rolled out and during this process, mentoring and coaching will be critical to
ensure uptake in the user environment. The change requirements and objectives that had
been set during the start of the initiative should be revisited to ensure that they were
adequately addressed. Success measures should be defined and should include both hard
business measures and perception measures that track how people feel about a change.
3.6.6 Phase 6: Embed New Approaches

As concrete results are achieved, new ways of working should become part of the
enterprise’s culture and rooted in its norms and values (‘the way we do things around here’) -
for example, implementing policies, standards and procedures. The implemented changes
should be tracked, the effectiveness of the change response plans should be assessed, and
corrective measures taken as appropriate. This might include enforcing compliance where
still required. The communication strategy should be maintained to sustain ongoing
awareness.
3.6.7 Phase 7: Sustain

Changes are sustained through conscious reinforcement and an ongoing communication
campaign, and they are maintained and demonstrated by continued top management
commitment. Corrective action plans are implemented, lessons learned are captured and
knowledge is shared with the broader enterprise
3.7 Implementing EGIT in Specific Areas

Specific examples of implementing EGIT in specific areas are explained in the next section of
this chapter. These cover key areas such as: Strategic alignment, value optimisation, resource
optimisation, outsourcing and capacity management.
3.7.1 Strategic Alignment of IT with Business

Strategic alignment and performance measurement are important and apply overall to all the
Governance and management activities to ensure that IT goals are aligned with the
enterprise goals and there are process goals are set for the IT goals and metrics are
designed for these. IT is a key enabler of corporate business strategy. Chief Executive
Officers (CEO), Chief Financial Officers (CFO) and Chief Information Officers (CIO) agree
that strategic alignment between IT and business objectives are a critical success factor for
the achievement of business objectives. Corporate governance drives the corporate
information needs to meet business objectives. IT has to provide critical inputs to meet the
information needs of all the required stakeholders or it can be said that enterprise activities
require information from IT activities in order to meet enterprise objectives. Hence, corporate
governance drives and sets I&T governance.
63
Management Strategy determines at the macro level the path and methodology of rendering
services by the enterprise. Strategy outlines the approach of the enterprise and is formulated
by the senior management. Based on the strategy adapted, relevant policies and procedures
are formulated. From business strategy perspective, I&T is affecting the way in which
enterprises are structured, managed and operated. One of the most dramatic developments
affecting enterprises is the fusion of IT with business strategy. Enterprises can no longer
develop business strategy separate from IT strategy and vice versa. Accordingly, there is a
need for the integration of sound IT planning with business planning and the incorporation of
effective financial and management controls within new systems. Management primarily is
focused on harnessing the enterprise resources towards achievement of business objectives.
This would involve the managerial processes of planning, organizing, staffing, directing,
coordinating, reporting and budgeting.
3.7.1.1 Objective of IT Strategy
The primary objective of IT strategy is to provide a holistic view of the current I&T
environment, the future direction, and the initiatives required to migrate to the desired future
environment by leveraging enterprise architecture building blocks and components to enable
nimble, reliable and efficient response to strategic objectives. Alignment of the strategic IT
plans with the business objectives is done by clearly communicating the objectives and
associated accountabilities so they are understood by all and all the IT strategic options are
identified, structured and integrated with the business plans as required.
IT organizations should define their strategies and tactics to support the organization by
ensuring that day-to-day IT operations are delivered efficiently and without compromise.
Metrics and goals are established to help IT perform on a tactical basis and also to guide the
efforts of personnel to improve maturity of practices. The results will enable the IT function to
execute its strategy and achieve its objectives established with the approval of enterprise
leaders. Internal audit can determine whether the linkage of IT metrics and objectives aligns
with the organization’s goals, adequately measure progress being made on approved
initiatives, and express an opinion on whether the metrics are relevant and useful.
Additionally, auditors can validate that metrics are being measured correctly and represent
realistic views of IT operations and governance on a tactical and strategic basis.
3.7.1.2 IT Strategic Planning
The strategic planning process has to be dynamic in nature and IT management and business
process owners should ensure a process is in place to modify the IT long-range plan in a
timely and accurate manner to accommodate changes to the enterprise's long-range plan and
changes in IT conditions. Management should establish a policy requiring that IT long and
short-range plan are developed and maintained. IT management and business process
owners should ensure that the IT long-range plan is regularly translated into IT short-range
plans. Such short-range plans should ensure that appropriate IT function resources are
allocated on a basis consistent with the IT long-range plan. The short-range plans should be
reassessed periodically and amended as necessary in response to changing business and IT
64
conditions. The timely performance of feasibility studies should ensure that the execution of
the short-range plans is adequately initiated.
3.7.2 Aligning IT Strategy with Enterprise Strategy

The key management practices, which are required for aligning IT strategy with enterprise
strategy, are highlighted here:
 Understand enterprise direction: Consider the current enterprise environment and
business processes, as well as the enterprise strategy and future objectives. Consider
also the external environment of the enterprise (industry drivers, relevant regulations,
basis for competition).
 Assess the current environment, capabilities and performance: Assess the
performance of current internal business and IT capabilities and external IT services
and develop an understanding of the enterprise architecture in relation to IT. Identify
issues currently being experienced and develop recommendations in areas that could
benefit from improvement. Consider service provider differentiators and options and the
financial impact and potential costs and benefits of using external services.
 Define the target IT capabilities: Define the target business and IT capabilities and
required IT services. This should be based on the understanding of the enterprise
environment and requirements; the assessment of the current business process and IT
environment and issues; and consideration of reference standards, best practices and
validated emerging technologies or innovation proposals.
 Conduct a gap analysis: Identify the gaps between the current and target
environments and consider the alignment of assets (the capabilities that support
services) with business outcomes to optimize investment in and utilization of the
internal and external asset base. Consider the critical success factors to support
strategy execution.
 Define the strategic plan and road map: Create a strategic plan that defines, in co-
operation with relevant stakeholders, how IT- related goals will contribute to the
enterprise’s strategic goals. Include how IT will support IT-enabled investment
programs, business processes, IT services and IT assets. IT should define the
initiatives that will be required to close the gaps, the sourcing strategy, and the
measurements to be used to monitor achievement of goals, then prioritize the initiatives
and combine them in a high-level road map.
 Communicate the IT strategy and direction: Create awareness and understanding of
the business and IT objectives and direction, as captured in the IT strategy, through
communication to appropriate stakeholders and users throughout the enterprise.
The success of alignment of IT and business strategy can be measured by reviewing the
percentage of enterprise strategic goals and requirements supported by IT strategic goals,
65
extent of stakeholder satisfaction with scope of the planned portfolio of programs and services
and the percentage of IT value drivers, which are mapped to business value drivers.
3.7.3 Value Optimization

Business value from use of I&T is achieved by ensuring optimization of the value contribution
to the business from the business processes, IT services and IT assets resulting from I&T-
enabled investments at an acceptable cost. The benefit of implementing this process will
ensure that enterprise is able to secure optimal value from I&T-enabled initiatives services and
assets, cost-efficient delivery of solutions and services, and a reliable and accurate picture of
costs and likely benefits so that business needs are supported effectively and efficiently.
The success of the process of ensuring business value from use of I&T can be measured by
evaluating the benefits realized from I&T enabled investments and services portfolio and how
transparency of IT costs, benefits and risk is implemented.
3.7.3.1 Metrics for value optimization
Some of the key metrics, which can be used for such evaluation, are:
 Percentage of I&T enabled investments where benefit realization monitored through full
economic life cycle;
 Percentage of IT services where expected benefits realized;
 Percentage of I&T enabled investments where claimed benefits met or exceeded;
 Percentage of investment business cases with clearly defined and approved expected
IT-related costs and benefits;
 Percentage of IT services with clearly defined and approved operational costs and
expected benefits; and
 Satisfaction survey of key stakeholders regarding the transparency, understanding and
accuracy of I&T financial information.
3.7.4 Resource Optimization

The process of Resource optimisation has to be implemented to ensure that adequate and
sufficient I&T related capabilities (people, process and technology) are available to support
enterprise objectives effectively at optimal cost. The primary objectives of implementing this
process is to ensure that the resource needs of the enterprise are met in the most optimal
manner, I&T costs are optimised, and there is an increased likelihood of benefit realization
and readiness for future change. A key to successful I&T performance is the optimal
investment, use and allocation of I&T resources (people, applications, technology, facilities,
data) in servicing the needs of the enterprise.
66
3.7.5 Sourcing Processes

Sourcing is managed through suppliers and appropriate service agreements.
Sourcing processes refer to the procurement practices of an organization in order to find,
evaluate and engage vendors of goods and services. The purchasing processes should
ensure that the processes are defined and capable of meeting organizational needs. This
involves several activities like:
 Timely identification of needs.
 Evaluation of product cost, performance and delivery and installation logistics.
 Method of evaluating that quality needs have been met.
 Contract administration, guarantee replacement or warranty, access to the vendors
premises, vendor development and
 Reduction of vendor related risks.
3.7.6 Outsourcing
Outsourcing is a strategic decision for management in order to achieve long-term
improvement in business performance, by utilising the vendor’s core competencies. IT is one
of the key areas which is outsourced in part or in totality depending on the criticality of the
processes. Although IT outsourcing has many benefits, it has inherent risks which need to be
mitigated. The risks are much more when IT outsourcing covers strategic use of IT. Hence,
mitigating these risks require all the service provider are managed through an appropriate
structure. This vendor management process should not only monitor performance but also
include specific functional heads who have the appropriate level of authority to hold the
service providers accountable. Some of the important tools which are used to manage, and
monitor IT service providers are performance targets, service level agreements (SLAs), and
scorecards. It is critical to note that senior management cannot abdicate its ultimate
responsibility for IT service delivery just because it has been outsourced as the responsibility
for compliance and ensuring performance vests with the enterprise. The key principles and
guidelines as explained earlier relating to sourcing are applicable to outsourcing as this is also
a form of sourcing.
3.7.7 Capacity Management & Growth Planning Processes

Capacity management is the process of planning, sizing and continuously optimising IS
capacity in order to meet long and short-term business goals in a cost effective and timely
manner. Its primary goal is to ensure that IT capacity meets current and future business
requirements in a cost-effective manner. Capacity management to be effective has to be
supported by an effective process of monitoring and evaluating Performance and
Conformance. The scope of this process is to collect, validate and evaluate business, IT and
67
process goals and metrics. Monitor that processes are performing against agreed performance
and conformance goals and metrics and provide reporting that is systematic and timely. This
helps in providing transparency of performance and conformance and drive achievement of
goals. Capacity management or configuration management process is used in order to assess
the effectiveness and efficiency of the IS operations. Capacity includes:
 Storage space
 Network throughput
 Human resources
 Electronic messaging
 Customer Relationship Management
 Quantum of data processed, etc.
The benefits of good capacity management are:
 Enhanced customer satisfaction
 Better justification of spending on IS resources
 Avoiding incorrect capacity sizing which may lead to inappropriate utilisation of IS
resources and insufficient capacity to process the production workloads
 A reduction in capacity failures
 Better alignment of business needs and IS resources
 Better service level management
3.7.8 Capex and Opex

Outsourcing and capacity management requires effective utilisation of resources thereby
resulting in business value from investments. In the current era, IT is being regarded
increasingly as a utility and there are vendors providing all types of IT outsourcing services.
Use of IT through outside vendors reduces capital expenditure but increases revenue
expenditure or it can be said that Capex is converted to Opex. It is important for management
to understand the key concepts of Capex and Opex as they impact the funds outflow and ROI
on usage of such IT resources. These concepts are briefly explained here.
Capex stands for Capital Expenditures and is the money spent of generating physical assets.
Opex stands for Operating Expenditures and refers to day to day expenses required to
maintain physical assets.
In general, Capex is what needs to be avoided, while Opex is something to be kept under tight
control. Opex can be considered to be (in) efficiency of any business. It has a direct relation
with the value of the business. If you can reduce Opex without hurting day to day operations,
you eventually increase valuation of any business. The concept of Capex and Opex is critical
to consider in making IT enabled investment decisions. The distinction between Capex and
68
Opex has become important as most of the organisations now look at outsourcing as the
preferred option for all non-core activities. Further, in cloud computing environment, critical
activities are outsourced by organisations considering the benefits of converting Capex into
Opex. IS Auditors who are required to evaluate such alternatives have to consider not only the
cost benefit analysis but also the associated risks and how these risks have been mitigated
through implementation of appropriate controls.
3.7.9 Role of IS Auditors

IS auditors could be involved in providing assurance requiring review of Information Systems
as implemented from control perspective. However, auditors may also be required to provide
consulting before, during or after implementation of information systems strategy. It becomes
imperative for the auditor to understand the concepts of the enterprise strategy as relevant.
Hence, auditors must have good understanding of management aspects as relevant to
deployment of I&T and IT strategy. This would include understanding of the IS Strategy,
policies, procedures, practices and enterprise structure, segregation of duties, etc.
3.8 Summary
The seven key components for implementing EGIT are the building blocks for any technology
deployment. This chapter has provided details of key characteristics of each of the seven
components. These seven components are: Principles, policies, Procedures Processes,
Information, Organizational structures, Services, infrastructure and applications, People, skills
and competencies and Culture, ethics and behavior. Each of these components is critical.
However, information is most valuable for most of the enterprises. Each of these enables have
their own characteristics that have to be considered while implementing EGIT. Organization
need to ensure that these components are implemented as appropriate depending on the
requirements of the organization.
In implementing EGIT, it is most important to note that Governance and management are
different concepts. Governance is providing direction and monitoring performance, whereas
management is about implementing, executing and monitoring activities as per the strategy to
ensure that enterprise objectives are achieved. How well these components are effective
would also depend on the involvement of senior management with the governance perspective
of providing direction and channelizing use of technology from strategic perspective. COBIT
2019 provides generic guidance for each of these components and in case of processes and
information, there are specific publications which provide detailed guidance. However,
implementation of these seven components requires integration and use of detailed guidance
from other relevant frameworks as required. However, considering that COBIT 2019 is an
umbrella framework, it provides the overall framework for integration of best practice guidance
from all frameworks.
69
3.9 Questions
1. Which of the following is most important resource of the organization?
A. Policies and procedures
B. IT infrastructure and applications
C. Information and data
D. Culture, ethics and behaviour
2. Which of the following is most important characteristic of policies?
A. Must be limited in number.
B. Requires framework to implement.
C. Reviewed periodically.
D. Non-intrusive and logical.
3. Primary function of a process is to:
A. Act on input and generate output.
B. Define activities to be performed.
C. Focus on achieving business goals.
D. Comply with adopted standards.
4. Effective organizational structure focuses on:
A. Defining designations.
B. Delegating responsibility.
C. Defining escalation path.
D. Deciding span of control.
5. Prioritization of IT initiatives within organization is primarily based on:
A. Results of risk assessments
B. Expected benefit realization
C. Recommendations of CIO
D. Rate of obsolescence of IT
6. Primary objective of IT steering committee is to:
A. Align IT initiatives with business
B. Approve and manage IT projects
C. Supervise IT and business operations
70
D. Decide IT strategy for organization

7. Which of the following is best control for building requisite skills and competencies
within organization?
A. Hiring only highly qualified people
B. Outsourcing the critical operations
C. Conducting skill enhancement training
D. Defining skill requirements in job description

1. C. Entire EGIT implementation focuses on Information and data. Policies are defined
based on nature of information and data, culture and behaviour. IT infrastructure and
applications stores, process and communicates information.
2. D. Policies are vehicle to communicate intent of management and hence must be clear and
easy to implement that will make them effective. B and C are requirements to maintain
policies and A is characteristic of principles.
3. A. Primary function of process is to process received inputs and generate output to
achieve process goals. Process is a set of activities, but it is not primary function to
define activities. Although processes are defined to achieve business goals, these are
broken down to arrive at process goals. Compliance with standards may need certain
processes but the primary function is to process input.
4. B. Effectiveness of organization structure depends on right level of delegation of
responsibilities. Defining designation is only naming of specific role which is not directly
relevant. Other options depend upon level of delegation.
5. B. Although the IT steering committee considers all inputs, the primary consideration is
expected benefits to the organization.
6. A. The primary objective of appointing IT steering committee is to ensure that IT initiatives
are in line with business objectives. D is objective of IT strategy committee. B and C
are secondary objectives derived from A.
7. C. The best control for building requisite skills and competencies within organization is to
ensure skill enhancement training is provided.
71
Chapter 4
Performance Management Systems
Learning Objective
The Governance processes of ISO 38500 and COBIT 2019 primarily focus on “Evaluate,
Direct and Monitor”. Governance is an oversight function and evaluates the business
environment in terms of the business strategy and objectives, the technology environment,
market conditions, competitive environment, regulatory requirements and emerging
innovations that could significantly impact and influence the business strategic and operating
models of the organization.
The governance function thus provides the direction that the IT operation should integrate to
maximize the support and involvement to the business. The governance function also
monitors the performance of the IT operation in terms of its direction and the goals achieved.
The ‘direct’ function provides what is expected from management, whereas ‘monitor’ function
focuses on whether what was expected has been achieved or not. The challenge is to
‘evaluate’ what is actually achieved and validate whether it is as per set objectives. This
evaluation should help enterprise to make a realistic assessment of what was achieved, what
are the gaps and how to monitor the performance not only on reactive but proactive basis.
This chapter provides an overview of key concepts and models of performance management
system.
4.1 Introduction
An effective performance management system is the corner-stone for meeting this challenge
and implementing effective governance. This requires setting goals and metrics which are
integrated across all the key areas and are measured and monitored. The system of
performance measurement can be implemented by use of relevant governance and
performance frameworks such as balanced scorecards, maturity models, and quality systems.
This chapter provides an overview of performance management systems with specific details
of goals cascade from COBIT 2019 and also explains the principles of Balanced Scorecard
and Strategic Scorecard.
4.2 Performance Measurement

Performance measurement is the process of collecting, analysing and/or reporting
information regarding the performance of an individual, group, organization, system or
component. It can involve studying the processes and strategies within organizations or
studying enterprise processes, parameters and phenomena, to evaluate whether the results
are in line with what was intended or should have been achieved. An important principle of
good governance is that management should provide direction using clearly defined and
communicated objectives, and then manage adherence to objectives by applying
appropriate practices. Monitoring of performance using metrics enables management to
ensure that goals are achieved. In developing a performance management system, it is
important to identify the enterprise goals and then obtain understanding of the connection
between the entity’s mission, vision and strategies and its operating environment.
The broad phases of performance measurement system are:
 Plan, establish and update performance measures
 Plan and establish the accountability of persons for the performance measures
 Collect and analyse data on performance
 Report on performance information and
 Take corrective action
Performance indicators or metrics will determine how well the process is performing in
enabling the goals to be achieved. They are also indicators of capabilities and skills of IS
personnel.
4.3 Performance Measurement System

To assess performance against set objectives, it is important to implement a performance
management system which assesses performance against goals by setting right key goals
indicators (KGI) and also implementing key process indicators (KPI) to monitor performance of
process. Performance measurement system is one of the ways of monitoring and evaluating
the business achievements. Getting business value from I&T and measuring that value are,
therefore, important governance domains. They are responsibilities of both the business and
IT and should take both tangible and intangible costs and benefits into account. In this way,
good I&T performance management should enable both the business and IT to fully
understand how I&T is contributing to the achievement of business goals, in the past and in
the future. I&T performance management is aimed at identifying and quantifying I&T costs and
I&T benefits. There are different monitoring instruments available, depending on the features
of the costs and benefits.
Performance is evaluated at various levels such as: at organization level against goals and
objectives, resource level against set performance goals by defining key performance
indicators (KPI), risk level based on key risk indicators (KRI). There are two approaches for
performance measurements:
1. Proactive approach where management implements measure to provide assurance on
achieving goals by implementing best practices and using lead indicators.
2. Reactive approach were achievements are compared with goals using lag indicators.
73
4.4 Goal Setting

Goal setting is the first pre-requisite of performance management. This could be done at
different levels of enterprise and each of these need to be integrated and linked together at all
levels of the enterprise. At a macro level, the Board of directors set the enterprise direction
and goals to be achieved. These are the overall enterprise goals and are derived from the
enterprise strategy. The enterprise goals could be set from a top-down or bottom-up or
combination of these two approaches. Typically, the top management sets the goal
considering the views of the business units. Once the goals are set, the top-level goals need
to be allocated to function/business units and specific goals set for each of them. From a
governance perspective, the enterprise goals will have to be shared by the IT department
which will prepare the IT strategy in alignment with the enterprise strategy. Based on the
enterprise, the IT department will prepare the IT strategic plan and IT related goals. These IT
goals facilitate achievement of enterprise goals.
A performance measurement system will broadly have two types of goals. These are:
 Outcome: These are called as goals and are evaluated through KGI (key goal
indicators). The focus is on achieving the set results. These are also called lag
indicators as the measurement of achievement is after the event or period.
 Performance: These refer to performance and are evaluated through KPI (key
performance indicators). These are also called lead indicators as they measure the
performance.
There are many approaches to performance management. In this chapter, we will understand
some of the performance management practices based on COBIT 2019, Balanced Scorecard
and Quality management.
4.4.1 Goal Setting and Stakeholder Needs

Understanding of current stakeholder needs relating to EGIT and current enterprise goals and
how they impact EGIT is very helpful for three reasons:
 The stakeholder needs and enterprise objectives influence the requirements and
priorities of EGIT. For example, there could be a focus on cost reduction, compliance or
launching a new business product, each of which could put a different emphasis on
current governance priorities.
 The stakeholder needs and enterprise objectives help to focus where attention should
be given when improving EGIT and
 It assists the business and IT functions to do better forward planning of opportunities to
add value to the enterprise.
74
4.4.2 Category of Enterprise Goal

Goals to be effective need to be covering all levels of operations of the enterprise. They also
need to be linked and automated and used as a measure of evaluating how well the
department or employees have performed. Enterprise goals could be categorised as per the
table given below.
Table 4.1: Categories of Enterprise goals
Enterprise Goal Relates to
Category
Strategic High-level goals, aligned with and supporting the enterprise’s
mission or vision
Operational Effectiveness and efficiency of the enterprise’s operations,
including performance and profitability goals, which vary based on
management’s choices about structure and performance.
Reporting The effectiveness of the enterprise’s reporting, including internal
and external reporting and involving financial or nonfinancial
information.
Compliance The enterprise’s compliance with applicable laws and regulations.
Enterprise goals are set by the board of directors based on the strategy and objectives. The
list of enterprise goals are given here. These need to be customised by selecting by what is
relevant for the enterprise and adding specific dates, values and number to the identified
goals. Enterprise goals include:
 EG01: Portfolio of competitive products and services
 EG02: Managed business risk
 EG03: Compliance with external laws and regulations
 EG04: Quality of financial information
 EG05: Customer-oriented service culture
 EG06: Business service continuity and availability
 EG07: Quality of management information
 EG08: Optimization of business process functionality
 EG09: Optimization of business process costs
 EG10: Staff skills, motivation and productivity
 EG11: Compliance with internal policies
 EG12: Managed digital transformation programs
 EG13: Product and business innovation
75
4.4.3 Enterprise and Alignment Goals

Enterprise and alignment goals are used as the basis for setting IT objectives and for
establishing a performance measurement framework. IT objectives are expressed as goals
and need to be aligned with enterprise goals. COBIT 2019 provide structures for defining
goals at three levels: for the enterprise, for IT overall, for IT processes. These goals are
supported by metrics known as outcome measures because they measure the outcome of a
desired goal. The metrics at a specific level also act as performance drivers for achieving
higher-level goals. These goals and metrics can be used to set objectives and monitor
performance by establishing scorecards and performance reports as well as for driving
improvements.
The list of alignment goals are given here. These need to be customised by selecting by what
is relevant for the enterprise and adding specific dates, values and number to the identified
goals. Alignment goals include:
AG01: I&T compliance and support for business compliance with external laws and regulations
 AG02: Managed I&T-related risk
 AG03: Realized benefits from I&T-enabled investments and services portfolio
 AG04: Quality of technology-related financial information
 AG05: Delivery of I&T services in line with business requirements
 AG06: Agility to turn business requirements into operational solutions
 AG07: Security of information, processing infrastructure and applications, and privacy
 AG08: Enabling and supporting business processes by integrating applications and
technology
 AG09: Delivering programs on time, on budget and meeting requirements and quality
standards
 AG10: Quality of I&T management information
 AG11: I&T compliance with internal policies
 AG12: Competent and motivated staff with mutual understanding of technology and
business
 AG13: Knowledge, expertise and initiatives for business innovation
4.5 Requirements for Measures

Measures and performance information need to be linked to strategic management processes.
An effective performance management system produces information that provides following
benefits:
76
• It is an early warning indicator of problems and the effectiveness of corrective action.

• It provides input to resource allocation and planning. It can help enterprises prepare for
future conditions that are likely to impact program and support function operations and
the demands for products and services, such as decreasing personnel or financial
resources or changes in work load. Use of measures can give organizations lead times
for needed resource adjustments, if these conditions are known in advance.
• It provides periodic feedback to employees, customers and stakeholders about the
quality, quantity, cost and timeliness of products and services.
The most important benefit of setting measures is that it builds a common results language
among all decision makers. Selected measures define what is important to an enterprise, what
it holds itself accountable for, how it defines success and how it structures its improvement
efforts.
4.5.1 Performance Measurement Processes / Indicators

This is considered to be an important part of the I&T governance processes. They say that
what cannot be measured cannot be improved on. Therefore, metrics should be generated for
e.g. all products and processes, financial measurement, benchmarking and external party
evaluation, satisfaction of customers, internal staff and stakeholders, in order to ensure that
they are achieving the desired results. Performance measurement is used to:
• Measure and manage products and services
• Assure accountability
• Make budgeting decisions and
• Optimise performance i.e. improve the productivity of IS to its highest possible level
without making unnecessary added investments in the IS infrastructure.
Performance indicators or metrics will determine how well the process is performing in
enabling the goals to be achieved. They are also indicators of capabilities and skills of IS
personnel.
4.5.2 Examples of Performance Measures

• Better use of communications bandwidth and computing power
• Lower number of non-compliance with prescribed processes reported
• Better cost and efficiency of the process
• Lower numbers of complaints made by stakeholders
• Better quality and increased innovation etc.
• Lower number of errors and rework
• Improved staff productivity
77
4.5.3 Measures Defined

In the context of EGIT, goals and metrics are defined at three levels:
1. Enterprise goals and metrics: Define the organizational context and objectives and
how to measure them
2. Alignment goals and metrics: Define what the business expects from IT and how to
measure it
3. Governance and management objectives and metrics: Define what the IT-related
process must deliver to support IT’s objectives and how to measure it
In these three levels, it is important to make a distinction between outcome measures and
performance drivers. Outcome measures indicate whether goals have been met. These can be
measured only after the fact and, therefore, are sometimes called lag indicators.
4.6 Balanced Scorecard (BSC)

A Balanced Scorecard, as defined by Robert S. Kaplan and David P. Norton, groups
objectives, measures, targets, and initiatives into four perspectives: financial, customer,
learning and growth, and internal processes. The BSC focuses the energy of an organization
into achieving strategic goals and objectives that are represented by key performance
indicators (KPIs) customized to every group or business unit of the organisation. BSC is a
methodology to solve challenges in balancing the theories of a strategy with its execution.
BSC has the following characteristics:
• The methodology is suitable for managing business strategy.
• Uses a common language at all levels of the organization.
• Uses a common set of principles to manage day-to-day operations as well as to
framework the organization’s strategy.
• Designed to identify and manage business purposes.
• Provides a balance between certain relatively opposing forces in strategy:
o Internal and external influences
o Leading and lagging indicators and measures
o Financial and non-financial goals
o Organizational silos focused on their own goals and an overarching framework
of goals
o Finance priorities and operations
• Aligns strategic goals with objectives, targets, and metrics.
78
4.6.1 BSC Perspectives

The four perspectives of BSC with examples are explained here.
1. Financial Perspective. The Financial perspective contains measures that indicate
whether a strategy is achieving bottom-line results. Financial metrics are classic lagging
indicators. The more common ones are:
 Profitability
 Revenue growth
 Economic value added
2. Customer Perspective. The Customer perspective defines the organization's target
customers and the value proposition it offers them, whether it is efficiency (low price, high
quality), innovation, or exquisite service. Most customer metrics are lagging indicators of
performance, as follows:
 Customer satisfaction
 Customer loyalty
 Market share, "share of wallet"
3. Internal Process Perspective. Delivering value to customers involves mastering
numerous internal processes, including product development, production, manufacturing,
delivery, and service. Organizations may need to create brand new processes to meet goals
outlined in the Customer perspective. Common metrics are:
 Patents pending, ratio of new products to total products
 Inventory turnover, stock-outs
 Zero defects, on-time deliveries
4. Learning and Growth Perspective. This perspective measures the internal resources
needed to drive the other three perspectives. These include employee skills and information
technology. Typical metrics are:
 Employee satisfaction, turnover rate, absenteeism
 Training hours, leadership development programs
 Number of cross-trained employees, average years of service
79
Figure 4.1: The Balanced Scorecard

BALANCED SCORECARD EXAMPLE – CREDIT CARD COMPANY
Figure 4.2: Balanced Scorecard example
80
4.7 Strategic Scorecard

The CIMA (Chartered Institute of Management Accountants) Strategic Scorecard is a
pragmatic and flexible tool that is designed to help boards to fulfil their responsibilities to
contribute to and oversee strategy effectively. It is the responsibility of the management team
to develop and propose the strategy. However, it is not for the board to undertake the detailed
strategic planning. The board’s focus should be to challenge the strategy constructively,
endorse it and monitor its implementation. The implementation of the scorecard assumes that
the organization has already determined its broad strategic direction and has a strategic plan
in place. The scorecard represents a process for developing and moving this strategy forward
in a dynamic way.
The enterprise governance framework helps understand the importance of both conformance
and performance to the organization’s long-term success. What the scorecard does is to give
the board a simple, but effective process that helps it to focus on the key strategic issues and
– most importantly – to ask the right questions. This means that the board can work
constructively with management to promote the future success of the organization. The
uniqueness of the scorecard lies in the fact that it:
 Summarizes the key aspects of the environment in which an organization is operating to
ensure that the board is aware of changing competitor, economic and other factors.
 Identifies the (key) strategic options that could have a material impact on the strategic
direction of the organization and helps the board to determine which options will be
developed further and implemented.
The primary objectives of using the strategic scorecard are:
 Assist the board in the oversight of a strategic process
 Deal with the strategic choice and transformational change
 Give a true and fair view of the company’s strategic position and progress
 Track the actions into and out from the strategic process
 At the heart of the framework is the argument that good corporate governance can help
to prevent failure, but it does not guarantee good business performance.
The Strategic Scorecard has four basic elements (Figure 4.3) aimed at helping the board to
ensure that all strategic aspects are covered by making the board aware of what work is being
done.
81
Figure 4.3: Strategic Scorecard

1. Strategic Position deals with information on:
 The micro environment e.g. market, competition and customers
 The macro environment e.g. political, economic and regulatory factors
 Threats from changes e.g. strategic inflexion points
 Business position e.g. market share, pricing, quality, service
 Capabilities e.g. core competencies and SWOT analysis which deals with Strengths,
Weaknesses, Opportunities and Threats
 Stakeholders e.g. vendors, employees, shareholders
2. Strategic Options deals with what options are available with respect to:
 Scope change e.g. area, product, market sector
 Direction change e.g. high or low growth, price and quality offers
3. Strategic Implementation deals with:
 Project milestones and timelines
 Pursue or abandon the plan etc.
4. Strategic Risks deals with what can go wrong and what must go right with respect to:
 Informing the board on risks and how they are being managed
 Measurement of risks
 Internal controls
82
4.8 Summary
The purpose of performance measurement is to uncover, communicate and evolve
organizational performance drivers. The choice of measures communicates to stakeholders
what is important, and this affects what gets done. Choosing measures that answer critical
management questions improves management’s visibility into key processes. This chapter has
provided an overview of performance management system with specific details from COBIT
2019 using enterprise goals, alignment goals with examples of specific process with alignment
goals with related metrics and process goals with related metrics. Further, the key concepts of
Balanced score card with the four perspectives with example have been illustrated.
The key to success is setting goals and monitoring them to ensure success with corrective
steps to be taken as required. Use of frameworks helps in setting the right goals with the
metrics to measure and monitor successful achievement of the goals. Performance
measurement is critical for successful implementation of Governance or EGIT. Performance
management helps management in keeping on track towards meeting stakeholder
requirements and also in complying with regulatory requirements on time. IS Auditors with
knowledge of performance management system can provide assurance or advisory services
on the performance management system in place and provide recommendations for improving
the effectiveness.
4.9 Questions
1. Which of the following is best approach for monitoring the performance of IT resources?
A. Compare lag indicators against expected thresholds
B. Monitor lead indicators with industry best practices
C. Define thresholds for lag indicators based on long term plan
D. Lead indicators have corresponding lag indicator.
2. Performance monitoring using balance score card is most useful since it primarily
focuses on:
A. Management perspective
B. Product and services
C. Customer perspectives
D. Service delivery processes
3. Which of the following is considered as an example of a lead indicator?
A. Number of gaps with respect to industry standard.
B. Comparative market position of organization.
83
C. Percentage of growth achieved over three years.

D. Improvement in customer satisfaction survey.
4. The PRIMARY objective of base lining IT resource performance with business process
owners is to:
A. define and implement lead and lag indicators.
B. ensure resource planning is aligned with industry.
C. assess cost effectiveness of outsourcing contracts.
D. benchmark expected performance measurement.
5. Which of the following is BEST measure to optimize performance of skilled IT human
resources?
A. Include personal development plan in job description.
B. Document personal expectations during exit interviews.
C. Implement ‘Bring Your Own Device (BYOD)’ policy.
D. Monitor performance measure against baseline.
6. IT resource optimization plan should primarily focus on:
A. Reducing cost of resources
B. Ensuring availability
C. Conducting training programs
D. Information security issues
7. The PRIMARY objective of implementing performance measurement metrics for
information assets is to:
A. decide appropriate controls to be implemented to protect IT assets.
B. compare performance of IT assets with industry best practices.
C. determine contribution of assets to achievement of process goals.
D. determine span of control during life cycle of IT assets.
8. Which of the following is the PRIMARY purpose of optimizing the use of IT resources
within an enterprise?
A. To increase likelihood of benefit realization.
B. To ensure readiness for future change.
C. To reduce cost of IT investments.
D. To address dependency on IT capabilities.
84
9. While monitoring the performance of IT resources the PRIMARY focus of senior

management is to ensure that:
A. IT sourcing strategies focus on using third party services.
B. IT resource replacements are approved as per IT strategic plan.
C. key goals and metrics for all IT resources are identified.
D. resources are allocated in accordance with expected performance.
10. Organization considering deploying application using cloud computing services provided
by third party service provider. The MAIN advantage of this arrangement is that it will:
A. minimize risks associated with IT
B. help in optimizing resource utilization.
C. ensure availability of skilled resources.
D. reduce investment in IT infrastructure.

1. B. Lead indicators are proactive approach for ensuring performance shall be as expected
and hence are defined using industry best practices. Lag indicators are useful after the
fact (A), Thresholds based on long term plan may not provide input on performance
during execution. (C). All lead indicators may not have lag indicator.
2. C. The Balance score card (BSC) focuses on Financial, Customer, internal and learning
perspective.
3. A. Lead indicators are proactive in nature and helps management in planning.
Identification of gaps with respect to industry standard is beginning of process of
implementing best practices. Other indicators are result of past performance.
4. D. In order to plan resources performance of resource must be determined and compared
with business expectation from IT. This will help management in implementing
performance measures against expected performance. Other options use baselines.
5. A. Motivation helps human resources in performing better. Career progression planning
including in job description along with performance norms shall help in motivating
human resources.
6. B. Resource optimization plan primarily focus on availability of right resources at right time.
Other requirements are secondary.
7. C. Resource performance is essential to measure the performance of business and IT
processes so as to monitor the level of contribution in achieving process goals and
hence business objectives. Performance measurement is performed to measure this
contribution.
85
8. A. IT resource optimization within an enterprise must primarily focus on increasing benefit

realization from IT so as to deliver value to business. B. Ensuring readiness for future
change is essential to meet the growing IT service delivery and is part of resource
optimization requirements, but not the primary purpose. C. Resource optimization may
or may not reduce IT costs, however it will help in increasing return on IT investment. D.
Business dependency on IT depends on capabilities of IT to deliver services to
business. Resource optimization is one of the processes to address this dependency
not objective.
9. D. Management must monitor the performance of IT resources to ensure that the expected
benefits from IT are being realized as per planned performance. This is done by
allocating IT resources in accordance to the planned performance of business process
cascaded down to IT resources supporting business processes.
10. B. Outsourcing shall help organization in optimizing use of existing IT resources by
outsourcing, which in turn shall help in focusing on more critical business requirements
and hence improving benefit realization. However, outsourcing may or may not
minimize risks associated with IT. i.e. it may minimize risks associated with own
investment but may introduce risks associated with outsourcing. Although outsourcing
helps in ensuring availability of skilled resources, it is not main advantage.
Outsourcing may or may not reduce investment in IT, i.e. it may reduce need for
acquisition of IT infrastructure, but there is cost associated with outsourcing and there is
additional cost for SLA monitoring.
86
Chapter 5
Business Continuity Management
Learning Objective
The objective of this chapter is to provide knowledge about the key concepts of Business
Continuity Management (BCM), Business Continuity Planning (BCP), Disaster Recovery
Planning (DRP), Incident Responses, Contingency plan and disaster. It is important to
understand these concepts as they form the base and DISA candidate is expected to have
understanding of the key terms related concepts as this is critical for designing, implementing
or reviewing business continuity. A good understanding and working knowledge in this area
will help DISAs to provide assurance and consulting services in this area. This chapter deals
with the regulatory requirements that make it mandatory for an organisation to have Business
Continuity Management.
5.1 Introduction
A Business Continuity Plan outlines a range of disaster scenarios and the steps the business
will take in any particular scenario to return to regular trade. BCP's are written ahead of time
and can also include precautions to be put in place. Usually created with the input of key staff
as well as stakeholders, a BCP is a set of contingencies to minimize potential harm to
businesses during adverse scenarios.
Organisations around the world have been the victims of all sorts of disruptions. Over the
years, man-made and natural disasters have unveiled the vulnerability of businesses on a
global scale.
Business continuity management (BCM) capabilities enable organisations to restore their
businesses to normal operations following an unanticipated disaster or business interruption.
The disruption of business operation can be due to unforeseen man-made or natural disaster
and this may lead to loss of productivity, revenue and market share among many other
impacts. Hence, organisations have to take necessary steps to ensure that the impact from
such disasters is minimized and build resilience which ensures continuity of critical operation
in the event of disruptions. Modern organisations cannot think of running their business
operations without I&T. I&T is prone to increased risks which can lead to failure of I&T thus
impacting operations. Hence, it is becoming increasingly important for organisations to have a
business contingency plan for their Information Systems.
5.2 Definitions of Key Terms

The concepts of Business Continuity Management are quite simple to understand. However,
to understand and implement BCM or BCP as per needs of organisation requirements, it is
knowing the key terms. Knowledge of definition of these terms will help not only in
understanding the topics but also to provide assurance, consulting or implementation services
in this area.
Business Continuity Planning: Business continuity planning is the process of developing
prior arrangements and procedures that enable an organisation to respond to an event in such
a manner that critical business functions can continue within planned level of disruption. The
end result of the planning is called a Business Continuity Plan.
Crisis: An abnormal situation which threatens the operations, staff, customers or reputation of
the organisation.
Disaster: A physical event which interrupts business processes sufficiently to threaten the
viability of the organisation.
Emergency Management Team (EMT): This team comprising of executives at all levels
including IT is vested with the responsibility of commanding the resources which are required
to recover the enterprises operations.
Incident: An event that has the capacity to lead to loss of or a disruption to an organisation’s
operations, services, or functions – which, if not managed, can escalate into an emergency,
crisis or disaster.
Incident Management Plan: A clearly defined and documented plan of action for use at the
time of an incident, typically covering the key personnel, resources, services and actions
needed to implement the incident management process.
Minimum Business Continuity Objective (MBCO): This refers to the minimum level of
services and/or products that is acceptable to the organization to achieve its business
objectives during an incident, emergency or disaster. As per ISO 22301:2012, clause 3.28,
MBCO is the minimum level of services and/or products that is acceptable to
the organizations to achieve its business objectives during a disruption. MBCO is used to
develop test plan for testing BCP.
Maximum Acceptable Outage (MAO): This is the time frame during which a recovery must
become effective before an outage compromises the ability of an Organization to achieve its
business objectives and/or survival. This refers to the maximum period of time that an
organization can tolerate the disruption of a critical business function, before the achievement
of objectives is adversely affected. MAO is also known as maximum tolerable outage (MTO),
maximum downtime (MD), Maximum Tolerable Period of Disruption (MTPD).
Recovery Time Objective (RTO): The pre-determined time at which a product, service, or
activity must be resumed, or resources must be recovered
Recovery Point Objective (RPO): Maximum data loss, i.e., minimum amount of data used by
an activity that needs to be restored
Resilience: The ability of an organisation to resist being affected by the incident.
88
Risk: The combination of the probability of an event and its consequence.

Vulnerability: The degree to which a person, asset, process, information, infrastructure or
other resources are exposed to the actions or effects of a risk, event or other occurrence.
5.3 Key concepts of Disaster Recovery, Business Continuity Plan

and Business Continuity Management
5.3.1 Contingency Plan
An organisation’s ability to withstand losses caused by unexpected events depends on proper
planning and execution of such plans. Without a workable plan, unexpected events can cause
severe damage to information resources and may affect the business continuity. Contingency
planning is an overall process of preparing for unexpected events. Its main goal is to restore
normal modes of operation with minimal cost and minimal disruption to normal business
activities after unexpected event. It should ideally ensure continuous information systems
availability despite unexpected events.
5.3.2 Components of Contingency Planning

5.3.2.1 Business Impact Analysis (BIA)
BIA includes tasks like Threat Attack identification and prioritization, Business unit analysis,
Attack scenario development, Potential damage assessment, etc. The steps involved in impact
analysis are risk evaluation, defining critical functions in the organisation, identifying critical
facilities required for providing recovery of the critical functions and their interdependencies
and finally setting priorities for all critical business applications which need to be recovered
within defined timelines.
5.3.2.2 Incident Response Plan (IR plan)
IR Plan includes tasks like incident planning, incident detection, incident reaction, incident
recovery etc. Incident Response plan gives an entity a set of procedures and guidelines that is
needed by an entity to handle an incident.
5.3.2.3 Business Continuity Plan (BCP)
BC Plan includes tasks like establishing continuity strategies, planning for continuity of
critical operations, continuity management etc. Business Continuity Plan is a plan that
contains the steps that would be taken by an entity to resume its business functions during its
period of disruption. These plans are executed in parallel with the disaster recovery plans
depending on the impact of the disaster. Business Continuity Plans on a whole is about re-
establishing existing business processes and functions, communications with the business
contacts and resuming business processes at the primary business location.
89
5.3.2.4 Disaster Recovery Plan (DRP)

DR Plan includes tasks like plan for disaster recovery, crisis management, recovery
operations etc. Disaster Recovery Plan is the set of plans which are to be executed initially at
the moment of crisis. These plans include measures to control the disaster, mitigate them and
to initiate the recovery of the resources that is needed for the continuity of business. These
plans are targeted to initiate/recover the resources that have been affected by a disaster.
These are the first plans that would be executed at the time of disaster.
There are three basic strategies that encompass a disaster recovery plan: preventive
measures, detective measures, and corrective measures. Preventive measures will try to
prevent a disaster from occurring. These measures seek to identify and reduce risks. They are
designed to mitigate or prevent an event from turning into a disaster. These measures may
include keeping data backed up and off site, using surge protectors, installing generators and
conducting routine inspections. Detective measures are taken to discover the presence of any
unwanted events within the I&T infrastructure. Their aim is to uncover new potential threats.
They may detect or uncover unwanted events. These measures include installing fire alarms,
using up-to-date antivirus software, holding employee training sessions, and installing server
and network monitoring software. Corrective measures are aimed to restore a system after a
disaster or otherwise unwanted event takes place. These measures focus on fixing or
restoring the systems after a disaster and may include keeping critical documents in the DRP
or securing proper insurance policies.
5.3.3 Business Continuity Plan vs. Disaster Recovery Plan

The primary objective of Business Continuity Plan is to ensure that mission critical functions
and operations are recovered and made operational in an acceptable time frame. A BCP aims
to sustain critical business process during an unplanned interruption period and a DRP is to
re-establish the primary site into operation with respect to all business processes of the
organisation facing the disaster.
5.3.4 Business Continuity Management

BCM is a holistic process that identifies potential threats and the impacts on normal business
operations should those threats actualize. BCM provides a framework to develop and build the
organisation's resilience with the capability for an effective response, therefore ensuring that
critical objectives are met, safeguarding key stakeholder’s interests and the organisation's
reputation, brand and value creating activities. The purpose of BCM is to minimize the
operational, financial, legal, reputational and other material consequences arising from a
disruption due to an undesired event (Basel Committee on Banking Supervision, 2005),
minimizing losses and restoring normal, regular operations in the shortest, possible time.
Coupled with security measures to protect the organisation's assets, BCM requires plans and
strategies that should cater for and allow responses, contingency plans and procedures to
90
recover as quickly as possible. BCM looks at an entirety of the businesses of the entity as a
whole. It is a continuous process whereby risks which are inherent to the business are closely
monitored and mitigated.
Figure 5.1: BCP / DRP
5.4 Objectives of BCP and BCM

5.4.1 Objectives of Business Continuity Plan
The primary objective of a Business Continuity Plan (BCP) is to enable an organisation to
continue to operate through an extended loss of any of its business premises or functions.
The key objectives of BCP are:
 Manage the risks which could lead to disastrous events.
 Reduce the time taken to recover when an incident occurs and
91
 Minimize the risks involved in the recovery process.

 Reduce the costs involved in reviving the business from the incident.
5.4.2 Objectives of Business Continuity Management (BCM)

The objective of BCM is to counteract interruptions to business activities and to protect critical
business processes from the impact of major failures or disasters. The detailed objectives of
BCM are:
 Reduce likelihood of a disruption occurring that affects the business through a risk
management process.
 Enhance organisation’s ability to recover following a disruption to normal operating
conditions.
 Minimize the impact of that disruption, should it occur.
 Protect staff and their welfare and ensure staff knows their roles and responsibilities.
 Tackle potential failures within organisation’s I.S. Environment
 Protect the business.
 Preserve and maintain relationships with customers.
 Mitigate negative publicity.
 Safeguard organisation’s market share and/or competitive advantage.
 Protect organisation’s profits or revenue and avoid financial losses.
 Prevent or reduce damage to the organisation’s reputation and image.
5.4.2.1 Need for BCM at Business Level

The need for BCM arises because of the following present-day requirements of business
 Need to provide access to potentially millions of new customers.
 Need to ensure security, privacy and confidentiality.
 Need to integrate business processes onto web.
 Need to integrate business partners into key business processes.
 Increased pressure on delivering quality customer service 24x7.
 Emerging pervasive computer devices.
Business and organisations of today depend heavily on Information and Communication
Technology (ICT) to conduct business. The ICT plays a central role in the operation of the
business activities. For example, the stock market is virtually paperless. Banks and financial
institutions have become online, where the customers rarely need to set foot in the branch
premises. This dependence on the systems means that all organisations should have
92
contingency plans for resuming operations from disruption. The disruption of business
operation can be due to unforeseen manmade or natural disaster that may result into revenue
loss, productivity loss and loss of market share among many other impacts. Thus,
organisations have to take necessary steps to ensure continuity of operation in the event of
disruptions. Business continuity is the activity performed by an organisation to ensure that
critical business functions will be available to customers, suppliers, regulators, and other
entities that must have access to those functions. These activities include many daily chores
such as project management, system backups, change control, and help desk. Business
continuity is not something implemented at the time of a disaster; Business Continuity refers to
those activities performed daily to maintain service, consistency, and recoverability.
5.4.2.2 Need for BCM at Various Levels of I&T Environment

Disaster Recovery is an essential phase to critical I&T Resources. I&T Infrastructure generally
includes Servers, Workstations, Network and Communication, Operating system software,
business applications software, essential utility software, Data Centres, Support Desks, IT
Personnel, Disks, Tapes etc. In this technologically driven world, I&T Infrastructure has
essentially become an integral part of an entity’s anatomy. Mail Servers and communication
lines like Internet, Phone and Fax are also essentially the important components of the
Infrastructure. It is therefore critical to get these components up and running for a successful
recovery of the business. Therefore, when critical industries like Banks, Insurance Companies,
Stock Exchanges, Airline Companies, Railways, Multinational Companies, Government
Agencies rely on I&T Infrastructure for its daily operations, it is crucial to maintain BCM for
such organisations. Software like the Core Banking Systems, SWIFT Financial Messaging
Services, Airline Communication Services like AMADEUS, Stock Market Trading Applications,
ERP Systems, e-commerce sites and many more are critical where no downtime is tolerated.
These applications are used to conduct transactions worldwide and are run only on extensive
I&T Resources. BCM therefore is a much-needed requirement for a quick recovery from a
crisis to ensure survival of the business.
Figure 5.2: Contingency Plan
93
5.5 Various Types of Disaster

BCM or BCP is all about planning in advance to meet future unforeseen events which may
impact or disrupt business operations. Disasters are the major source of disruptions. As
distinguished from an event which causes disruption for a short period of time and addressed
through incident management plan, disaster is of various types and can have varying and
serious impact. This section will provide an overview of various types of disasters.
A disaster can be defined as an unplanned interruption of normal business process. It can be
said as a disruption of business operations that stops an organisation from providing critical
services caused by the absence of critical resources. An occurrence of disaster cannot always
be foreseen; hence we need to be prepared for all the types of disasters that can arise, handle
them effectively in the shortest time.
A disaster can be natural or man-made (or technological) hazard resulting in an event of
substantial extent causing significant physical damage or destruction, loss of life, or drastic
change to the environment. A disaster can be defined as any tragic event stemming from
events such as earthquakes, floods, catastrophic accidents, fires, or explosions. It can cause
damage to life and property and destroy the economic, social and cultural life of people. For a
clearer understanding of the concept of disasters, disasters can be classified into two major
categories as:
1. Natural disasters
2. Man-made disasters
1. Natural Disasters
Natural Disasters are those which are a result of natural environment factors. A natural
disaster has its impact on the business’s that is present in a geographical area where the
natural disaster has struck. Natural disasters are caused by natural events and include fire,
earthquake, tsunami, typhoon, floods, tornado, lightning, blizzards, freezing temperatures,
heavy snowfall, pandemic, severe hailstorms, volcano etc.
2. Man-Made Disasters
Man-made disasters are artificial disasters which arise due to the actions of human beings.
Artificial disasters has its impact on a business entity specific to which it has occurred.
Artificial disasters arising due to human beings Include Terrorist Attack, Bomb Threat,
Chemical Spills, Civil Disturbance, Electrical Failure, Fire, HVAC Failure, Water Leaks, Water
Stoppage, Strikes, Hacker attacks, Viruses, Human Error, Loss Of Telecommunications, Data
Centre outrage, lost data, Corrupted data, Loss of Network services, Power failure, Prolonged
equipment outage, UPS loss, generator loss and anything that diminishes or destroys normal
data processing capabilities.
94
5.6 Phases of Disaster

It is important to envisage what is the impact when a disaster strikes and decide in advance
the action to be taken for various types of disaster scenarios. A typical disaster will consist of
some or all of the following phases:
1. Crisis phase
2. Emergency response phase
3. Recovery phase
4. Restoration phase
1. Crisis Phase
The Crisis Phase is under the overall responsibility of the Incident Control Team (ICT). It
comprises the first few hours after a disruptive event starts or the threat of such an event is
first identified; and is caused by, for example:
 Ongoing physical damage to premises which may be life threatening, such as a fire; or
 Restricted access to premises, such as a police cordon after a bomb incident. During
the crisis phase, the fire and other emergency evacuation procedures (including bomb
threat and valuable object removal procedures) will apply; and the emergency services
should be summoned as appropriate.
2. Emergency Response Phase
The Emergency Response Phase may last from a few minutes to a few hours after the
disaster. It will start near the end of, or after, the crisis Phase if there has been one, or when a
potentially threatening situation is identified. During the Emergency Response Phase, the
Business Continuity Team (BCT) will assess the situation; and decide if and when to activate
the BCP.
3. Recovery Phase
The Recovery Phase may last from a few days to several months after a disaster and ends
when normal operations can restart in the affected premises or replacement premises, if
appropriate. During the recovery phase, essential operations will be restarted (this could be at
temporary premises) by one or more recovery teams using the BCP; and the essential
operations will continue in their recovery format until normal conditions are resumed.
4. Restoration Phase
This phase restores conditions to normal. It will start with a damage assessment, usually
within a day or so of the disaster, when the cause for evacuation or stopping of operations has
ended, normal working will be restarted. During the restoration phase, any damage to the
premises and facilities will be repaired.
95
5.7 Examples of Disaster

Some examples of disasters and the phases that may impact disaster phases of a business
continuity plan are:
Examples of Disaster Phases
Serious fire during working Hours All phases in full
Serious fire outside during working hours All the phases, however, no staff and public
evacuation
Very minor fire during working hours Crisis Phase only, staff and public evacuation
but perhaps no removal of valuable objects,
Fire Service Summoned to deal with the fire
Gas leak outside or during working hours, Only emergency response phase is
repaired after some hours appropriate
5.8 Impact of Disaster

The impact of a disaster can varies and could result in:
• Total destruction of the premises and its contents. For example, as a result of a terrorist
attack;
• Partial damage, preventing use of the premises. For example, through flooding; or
• No actual physical damage to the premises but restricted access for a limited period,
such as enforced evacuation due to the discovery nearby of an unexploded bomb.
The impact of a disaster may result in one or more of the following:
(i) Loss of Human Life: The extent of loss depends on the type and severity of the
disaster. Protection of human life is of utmost importance and, the overriding principle
behind continuity plans.
(ii) Loss of productivity: When a system failure occurs, employees may be handicapped
in performing their functions. This could result in productivity loss for the organisation.
(iii) Loss of revenue: For many organisations like banks, airlines, railways, stock brokers,
effect of even a relatively short breakdown may lead to huge revenue losses.
(iv) Loss of market share: In a competitive market, inability to provide services in time may
cause loss of market share. For example, a prolonged non-availability of services from
services providers, such as Telecom Company or Internet Service Providers, will cause
customers to change to different service providers.
(v) Loss of goodwill and customer services: In case of a prolonged or frequent service
disruption, customers may lose confidence resulting in loss of faith and goodwill.
96
(vi) Litigation: Laws, regulations, contractual obligation in form of service level agreement
govern the business operations. Failure in such compliance may lead the company to
legal litigations and lawsuits.
When considering the impact of a disaster, it should be remembered that it will never happen
at a convenient time; and is always unpredictable. There is no way of knowing:
 When it will happen;
 What form it will take;
 How much damage it will cause; or
 How big the impact will be?
However, it is important to envisage various types of scenarios to ensure that the coverage is
as comprehensive as feasible covering various types of events with varying impact.
Understanding disaster and their impact is the key to successful business impact analysis
which will result to preparation of an effective business continuity plan.
5.9 Invoking a DR Phase / BCP Phase

5.9.1 Operating Teams of Contingency Planning
Contingency Planning Team: This team collects data about information systems and threats,
conducts business impact analysis, and creates contingency plans for incident response,
disaster recovery, business continuity. The primary role of this team is to conduct research on
data that could lead to a crisis and develop actions that would effectively handle these threats.
Incident Response Team: This team manages/executes IR plan by detecting, evaluating,
responding to incidents. This team is the first team to arrive during the outbreak of an incident.
Incident Response Team evaluates the incident, takes the first action to stop the incident. If
unsuccessful, then summons the Disaster Recovery Team.
Disaster Recovery Team: This team manages/executes DR plan by detecting, evaluating,
responding to disasters; re-establishes primary site operations. This team plays its role in
reducing the impact of the disaster and executes the steps that are defined in the DR Plan to
recover and protect resources that are being impacted by the disaster and to mitigate the
disaster itself. If the impact of the crisis is very high, then the Business Continuity Team steps
in parallel to the DR Team and
Business Continuity Team: This team manages/executes BC plan by establishing off-site
operations to ensure Business Continuity. Business Continuity Team initiates those responses
to the impacts that are being faced by the entity and would bring the entity back to its original
level of business functioning. The disaster recovery plan is composed of a number of sections
that document resources and procedures to be used in the event that a disaster occurs at the
Information Technology Services Locations. Each supported application or platform has a
97
section containing specific recovery procedures. There are also sections that document the
personnel that will be needed to perform the recovery tasks and an organisational structure for
the recovery process. This plan will be updated on a regular basis as changes to the
computing and networking systems are made. Due to the very sensitive nature of the
information contained in the plan, the plan should be treated as a confidential document and
should be shared with specific employees as per the specific responsibilities they have been
assigned.
5.10 Disaster Recovery Plan (DRP) Scope and Objectives

The DRP should inform the user about the primary focus of this document like responding to
disaster, restoring operations as quickly as possible and reducing the number of decisions
which must be made when, and if, a disaster occurs. It should also inform about the
responsibility to keep this document current. It should be approved by appropriate authority.
The overall objectives of this plan are to protect organisation’s computing resources and
employees, to safeguard the vital records of which Information Technology Systems and to
guarantee the continued availability of essential Information Technology services. The role of
this plan is to document the pre-agreed decisions and to design and implement a sufficient set
of procedures for responding to a disaster that involves the data centre and its services.
This plan assumes the most severe disaster, the kind that requires moving computing
resources to another location. Less severe disasters are controlled at the appropriate
management level as a part of the total plan.
The basic approach, general assumptions, and possible sequence of events that need to be
followed are stated in the plan. It will outline specific preparations prior to a disaster and
emergency procedures immediately after a disaster. The plan is a roadmap from disaster to
recovery. Due to the nature of the disaster, the steps outlined may be skipped or performed in
a different sequence. The general approach is to make the plan as threat-independent as
possible. This means that it should be functional regardless of what type of disaster occurs.
For the recovery process to be effective, the plan is organized around a team concept. Each
team has specific duties and responsibilities once the decision is made to invoke the disaster
recovery mode. The plan represents a dynamic process that will be kept current through
updates, testing, and reviews. As recommendations are completed or as new areas of concern
are recognized, the plan will be revised to reflect the current I&T and business environment.
The IS Auditor has to review the process followed for preparation of the DRP and assess
whether it meets the requirements of the organisation and provide recommendations on any
areas of weaknesses identified.
5.11 Disaster Recovery Phases

The disaster recovery process consists of four phases which are outlined here:
98
 Phase 1: Disaster Assessment

 Phase 2: Disaster Recovery Activation
 Phase 3: Alternate Site/Data Centre Rebuild
 Phase 4: Return to Primary site
1. Disaster Assessment: The disaster assessment phase lasts from the inception of the
disaster until it is under control and the extent of the damage can be assessed.
Cooperation with emergency services personnel is critical.
2. Disaster recovery activation: When the decision is made to move primary processing
to another location, this phase begins. The Disaster Recovery Management Team will
assemble and call upon team members to perform their assigned tasks. The most
important function is to fully restore operations at a suitable location and resume normal
functions. Once normal operations are established at the alternate location, Phase 2 is
complete.
3. Alternate site operation/data centre rebuild: This phase involves continuing
operations at the alternate location. In addition, the process of restoring the primary site
will be performed.
4. Return to primary site: This phase involves the reactivation of the primary site at
either the original or possibly a new location. The activation of this site does not have to
be as rushed as the activation of the alternate recovery site. At the end of this phase, a
thorough review of the disaster recovery process should be taken. Any deficiencies in
this plan can be corrected by updating the plan.
5.12 Key Disaster Recovery Activities

The declaring of an incident/event is done by assigned personnel of management. Declaration
of a disaster means:
1. Activating the recovery plan
2. Notifying team leaders
3. Notifying key management contacts
4. Redirecting information technology service to an alternate location
5. Securing a new location for the data centre
6. Ordering and configuring replacement equipment
7. Reconfiguring the network
8. Reinstalling software and data
9. Keeping management informed
99
10. Keeping users informed

11. Keeping the public informed
5.12.1 DRP
The DRP should contain information about the vital records details including location where it
is stored, who is in charge of that record etc. It contains information about what is stored
offsite such as:
1. A current copy of this disaster recovery plan.
2. Copies of install disks for all relevant software and critical software/operating system
licenses. These should be stored electronically rather than relying on Internet-
downloadable versions. When the software is needed the same version of the software
used may not be available on the Internet, or there may be Internet issues that could
negatively affect large downloads or may significantly slow down the recovery process.
5.12.2 Disaster Recovery Team

The disaster recovery plan should contain details about Disaster Recovery Management Team
and its sub-teams like Administration, Supplies, Public relations etc. and their respective
responsibilities. The various types of responsibilities applicable in case of a disaster are
explained here covering specific stages.
5.12.2.1 General Responsibilities
The IT Disaster Recovery Management Team is responsible for the overall coordination of the
disaster recovery process from an Information Technology Systems perspective. The other
team leaders report to this team during a disaster. In addition to their management activities,
members of this team will have administrative, supply, transportation, and public relations
responsibilities during a disaster. Each of these responsibilities should be headed by a
member of the IT Disaster Recovery Management Team.
5.12.2.2 General Activities
 Assess the damage and if necessary, declare a disaster (damage assessment forms
are included in this plan)
 Coordinate efforts of all teams
 Secure financial backing for the recovery effort
 Approve all actions that were not pre-planned
 Give strategic direction
 Be the liaison to upper management
 Expedite matters through all bureaucracy
 Provide counselling to those employees that request or require it
100
 After the Disaster Make recommendations on how the disaster recovery plan can be
improved
5.12.2.3 Administrative Responsibilities
The administrative function provides administrative support services to any team requiring this
support. This includes the hiring of temporary help or the reassignment of other clerical
personnel.
Activities by Phase
Procedures during Disaster Recovery Activation Phase
 Notify all vendors and delivery services of change of address
Procedures during All Phases
 Process expense reports
 Account for the recovery costs
 Handle personnel problems
After the Disaster
 Make recommendations on how the disaster recovery plan can be improved
5.12.2.4 Supply Responsibilities
The supply function is responsible for coordinating the purchase of all needed supplies during
the disaster recovery period. Supplies include all computing equipment and supplies, office
supplies such as paper and pencils, and office furnishings.
Activities by Phase
 Purchase supplies required by the teams at the alternate site.
Procedures during Remote Operation/Data Centre Rebuild Phase
 Work with procurement to order replacement supplies and expedite shipments
 Ongoing distribution of supplies
Procedures during return to primary site Phase
 Restock supplies at the restored site
After the disaster
5.12.2.5 Public Relations Responsibilities
The public relations function will pass appropriate information about the disaster and
associated recovery process to the public and to employees. Every effort should be made to
101
give these groups reason to believe that the organization is doing everything possible to
minimize losses and to ensure a quick return to normalcy.
Activities by Phase
All Phases
 Ensure that employees do not talk to the media
 Control information released to the public and to employees
 Interface with organisation’s Public Relations or defer to Senior Management
 Publish internal newsletters
 Keep everyone aware of recovery progress
After the Disaster
Management Team Call Checklist
The disaster recovery plan should contain disaster recovery management team call checklist.
It should specify the contact information about Team leader as well as team members with the
details on which functionality he/she can be contacted. The disaster recovery plan should
contain details about Technical support Team and its sub-teams like Hardware, Software,
Network, Operations etc. and their respective responsibilities.
5.12.2.6 Hardware Responsibilities
The responsibility of the Hardware Team is to acquire (along with the Facilities Team),
configure and install servers and workstations for organisational information Technology
users.
Activities by Phase
 Determine scope of damage for servers and workstations
 Order appropriate equipment and supplies (coordinate and work with the Facilities
Team for this activity)
 Set up servers and workstations
 Install software as necessary
 Restore data
 Install additional workstations as they arrive
102
Procedures during Return Home Phase

 Notify users
 Ensure data is backed up
 Relocate equipment
After the Disaster
5.12.2.7 Software Responsibilities
The responsibility of the Software Team is to maintain the systems software at the alternate
site and reconstruct the system software upon returning to the primary site. In addition, the
Software Team will provide technical support to the other teams.
Activities by Phase
 Provide technical support to the other teams
 Build servers and workstations
 Reinstall and configure systems at the primary site
 Test the hardware and software
 Work with appropriate vendors to assist in recovery
 Verify that the systems are performing as expected
 Build servers and workstations
 Reinstall and configure systems at the primary site
 Test the hardware and software
 Work with appropriate vendors to assist in recovery
 Verify that the systems are performing as expected
 Verify that the system is performing as expected
After the Disaster
103
5.12.2.8 Network Responsibilities

The Network Team is responsible for preparing for voice and data communications to the
alternate location data centre and restoring voice and data communications at the primary
site.
Activities by Phase
Procedures during disaster recovery activation phase
 Determine the requirements for voice and data communications
 Install the network including lines, routers, switches, controllers and other
communications equipment at the alternate location data centre
 Test the network.
 Operate the backup network
 When the replacement equipment arrives at the primary site, install it
Procedures during Relocation Home Phase
 Support the primary site network
 Dismantle the alternate location data centre network
After the Disaster
5.12.2.9 Operations Responsibilities
The Operations responsibilities include the daily operation of computer services and
management of all backup tapes. When a disaster is declared, the team must secure the
correct tapes for transport to the alternate location. Once operations are established at the
alternate location, arrangements must be made with an offsite storage service.
Activities by Phase
 Inventory and select the correct backup tapes
 Transport the tapes to the alternate data centre
 Assist all teams in restoring the production environment at the alternate data centre
 Establish a production schedule at the alternate location
 Run the daily schedule at the alternate location
 Perform system and production backups at the alternate location
104
 Assist other teams in preparing the primary site

 Establish offsite storage at the alternate location
 Perform system and production backups
 Inventory all tapes at the alternate data centre
 Transport all tapes from the alternate data centre to the primary site
After the Disaster
Technical Support Team Call Checklist
The disaster recovery plan should contain Disaster Recovery Technical Support Team Call
Checklist. It should specify the contact information about Team leader as well as team
members with the details on which functionality he/she can be contacted. The disaster
recovery plan should contain details about Facility Team and its sub-teams like Salvage team,
new data centre, new hardware team etc. and their respective responsibilities.
5.12.2.10 Salvage Responsibilities
The Salvage Team is responsible for minimizing the damage at the primary site and to work
with the insurance company for settlement of all claims. This depends on a quick
determination of what equipment is salvageable and what is not. Repair and replacement
orders will be filed for what is not in working condition. This team is also responsible for
securing the disaster recovery data centre.
Activities by Phase
 Establish the command centre
 Assist in the immediate salvage operations
 Contact Insurance representatives
 Inventory all equipment in the data centre. If necessary, involve the vendors.
 Salvage equipment and supplies
 Settle property claims with the insurance company
 Provide for security at the data centre
After the Disaster
105
5.12.2.11 New Data Centre Responsibilities

The New Data Centre Team is responsible for locating the proper location for a new data
centre and overseeing the construction of it. This includes the environmental and security
controls for the room.
Activities by Phase
 Determine the requirements for a new data centre
 Work with contractors and university staff on the details
 Oversee the construction of the new data centre
 Ensure that all controls are working as designed
After the Disaster
5.12.2.12 New Hardware Responsibilities
The New Hardware Team is responsible for ordering replacement hardware for equipment
damaged in the disaster and installing it in the new or rebuilt data centre. Depending on the
age of the damaged hardware, replacement may not be one-for-one. All types of hardware are
to be handled, including:
1. Servers
2. Printers
3. Switches, Routers, Hubs
4. Work stations
5. Environmental systems
6. UPS Equipment
Activities by Phase
 Obtain a list of damaged and destroyed equipment
 Determine what new hardware should be ordered
 Order new hardware
106
 Arrange for installation and testing of the new hardware

After the Disaster
Resumption of Normal Operations
Once the threat has passed, equipment has been repaired or replaced or a new primary site
has been built and stocked, the disaster recovery team will assess the situation, declare the
disaster over and resume normal operations
5.13 Documentation: BCP Manual and BCM Policy

All documents that form the BCM are to be subject to document control and record control
processes. The following documents (representative only) are classified as being part of the
business continuity management system:
 The business continuity policy;
 The business continuity management system;
 The business impact analysis report;
 The risk assessment report;
 The aims and objectives of each function;
 The activities undertaken by each function;
 The business continuity strategies;
 The overall and specific incident management plans;
 The business continuity plans;
 SLA with alternate site/mirror site with switchover plans
 Change control, preventative action, corrective action, document control and record
control processes;
 Local Authority Risk Register;
 Exercise schedule and results;
 Incident log; and
 Training Program
To provide evidence of the effective operation of the BCM, records demonstrating the
operation should be retained as per policy of the organisation and as per applicable laws, if
any. These records also include reference to all business interruptions and incidents,
irrespective of the nature and length of disruption. This also includes general and detailed
definition of requirements as described in developing a BCP. In this, a profile is developed by
107
identifying resources required to support critical functions, which include hardware

(mainframe, data and voice communication and personal computers), software (vendor
supplied, in-house developed, etc.), documentation (user, procedures), outside support (public
networks, DP services, etc.), facilities (office space, office equipment, etc.) and personnel for
each business unit.
5.13.1 BCM Policy

While developing the BCM policy, the organisation should consider defining the scope, BCM
principles, guidelines and applicable standards for the organisation. They should consider all
relevant standards, regulations and policies that have to be included or can be used as
benchmark. The objective of this policy is to provide a structure through which:
 Critical services and activities undertaken by the organisation will be identified.
 Plans will be developed to ensure continuity of key service delivery following a business
disruption, which may arise from the loss of facilities, personnel, IT and/or
communication or failure within the supply and support chains.
 Invocation of incident management and business continuity plans can be managed.
 Incident Management Plans and BCP are subject to ongoing testing, revision and
updating as required.
 Planning and management responsibility are assigned to members of the relevant
senior management team.
The BCM policy defines the processes of setting up activities for establishing a business
continuity capability and the ongoing management and maintenance of the business continuity
capability. The set-up activities incorporate the specification, end-to-end design, build,
implementation and initial exercising of the business continuity capability. The ongoing
maintenance and management activities include embedding business continuity within the
organisation, exercising plans regularly, and updating and communicating them, particularly
when there is significant change in premises, personnel, process, market, technology or
organisational structure.
5.13.2 BCP Manual

An incident or disaster affecting critical business operations can strike at any time. Successful
organisations have a comprehensive BCP Manual, which ensures process readiness, data
and system availability to ensure business continuity. A BCP manual is a documented
description of actions to be taken, resources to be used and procedures to be followed before,
during and after an event that severely disrupts all or part of the business operations. A BCP
manual consists of the Business Continuity Plan and the Disaster Recovery Plan. The primary
objective of preparing BCP manual is to provide reasonable assurance to senior management
of organisation about the capability of the organisation to recover from any unexpected
incident or disaster affecting business operations and continue to provide services with
108
minimal impact. Further, the BCP should be comprehensive and anticipate various types of
incident or disaster scenarios and outline the action plan for recovering from the incident or
disaster with minimum impact and ensuring ‘Continuous availability of all key services. The
BCP Manual is expected to specify the responsibilities of the BCM team, whose mission is to
establish appropriate BCP procedures to ensure the continuity of organisation's critical
business functions. In the event of an incident or disaster affecting any of the functional areas,
the BCM Team serves as visioning teams between the functional area(s) affected and other
departments providing support services.
5.13.2.1 Elements of BCP Manual
The plan will contain the following elements:
1. Purpose of the plan: Included in this section should be a summary description of the
purpose of the manual. It should be made clear that the manual does not address recovery
from day to day operational problems. Similarly, it must be stressed that the manual does not
attempt to foresee all possible disasters, but rather provides a framework within which
management can base recovery from any given disaster.
2. Organisation of the manual: A brief description of the organisation of the manual, and
the contents of each of the major sections, will provide the reader with the direction to the
relevant section of the manual in an emergency situation. Any information which is external to
the manual but will be required in an emergency should be identified in this section.
3. Disaster definitions: It may assist the user of the manual if a definition of disaster
classification is provided, together with an identification of the relevance of the plan to that
situation. Four types of classification can generally be used:
 Problem/Incident: Event or disruptions that cause no significant damage.
 Minor disaster: Event or disruption that causes limited financial impact,
 Major disaster: Event or disruptions that cause significant impact and may have an
effect on outside clients.
 Catastrophic disaster: Event or disruption that has significant impact and adversely
affect the organisation’s “going concern” status
The BCP manual of each organisation is expected to classify disasters, after taking into
account the size and nature of its business and the time and cost associated to each kind of
disaster should be defined as per the requirement of the individual organisation. It should be
noted, however, that development of a plan based on each classification is not recommended.
The need to invoke the plan should be determined by the length and associated cost of the
expected outage and not the classification of the disaster, although there is a direct
correlation. These definitions will be most useful for communication with senior management.
4. Objectives of the plan: The objectives of the manual should be clearly stated in the
introductory section. Typically, such objectives include:
109
 Safety/security all personnel. The paramount objective of a BCP is to ensure the safety
and security of people (both employees and others who may be affected in the event of
a disaster). The safeguarding of assets/data is always a secondary objective.
 the reduction of confusion in an emergency
 the identification of critical application systems and / or business functions
 the identification of all resources, including personnel, required to recover the critical
business functions
 the identification of alternative means of ensuring that the critical business functions are
performed and
 The establishment of a workable plan to recover the critical business functions, and
subsequently resume normal operations, as quickly as possible after a disaster.
The list should be expanded as necessary to meet the requirements of any given plan.
5. Scope of the plan: In order that there is no confusion as the situations in which the
plan will apply, the scope of the plan must be clearly identified. Any limitations must be
explained.
6. Plan approach / recovery strategy: A step by step summary of the approach adopted
by the plan should be presented. For ease of reference, it may be good to provide this
overview by means of a schematic diagram. In particular, it may be useful to set up the
recovery process as a project plan in this section.
7. Plan administration: The introductory section should also identify the person or
persons, responsible for the business continuity plan manual, and the expected plan review
cycles. These persons will be responsible for issuing revisions which will ensure that the plan
remains current. Because the manual will include staff assignments, it is also advisable that
the personnel or human resource function accept responsibility for notifying the plan
administrators of all personnel changes which must be reflected in the plan.
8. Plan management: Following a disaster, the normal reporting channels and lines of
management are unlikely to be strictly adhered to. During a disaster, reporting by exception
may be the only feasible way to operate. This does not however negate the requirement for
formalized management. The management responsibilities and reporting channels to be
observed, during disaster recovery should be clearly established in advance.
9. Disaster notification and plan activation procedures: The procedures represent the
first steps to be followed when any disaster occurs. It is recommended that the procedures be
written in a task-oriented manner and provide a logical flow to enable ease of management.
110
5.14 Data backup, Retention and Restoration Practices

5.14.1 Back up Strategies
Backup refers to making copies of the data so that these additional copies may be used to
restore the original data after a data loss. Various backup strategies are:
 Dual recording of data: Under this strategy, two complete copies of the database are
maintained. The databases are concurrently updated.
 Periodic dumping of data: This strategy involves taking a periodic dump of all or part
of the database. The database is saved at a point in time by copying it onto some
backup storage medium – magnetic tape, removable disk, Optical disk. The dump may
be scheduled.
 Logging input transactions: This involves logging the input data transactions which
cause changes to the database. Normally, this works in conjunction with a periodic
dump. In case of complete database failure, the last dump is loaded, and reprocessing
of the transactions are carried out which were logged since the last dump.
 Logging changes to the data: This involves copying a record each time it is changed
by an update action. The changed record can be logged immediately before the update
action changes the record, immediately after, or both.
Apart from database backup strategies as mentioned above, it is important to implement email
and personal files backup policies. The policy can be like burning DVDs with the folders and
documents of importance periodically to more detailed and automated functions. The choice
depends and varies with the size, nature and complexity of the situation. For example,
individuals are responsible for taking backups of personal files and folders. However, a policy
may be there whereby individual users may transfer personal files and folders from the PC to
an allocated server space. The data so transferred in the server will be backed up by the IT
department as a part of their routine backup. Email backups should necessarily include the
address book backup. However, the most important and critical part of the backup strategy is
to include a restoration policy. Restoration of the data from the backup media and devices will
ensure that the data can be restored in time of emergency; else a failed backup is a double
disaster. The restoration should be done for all backups at least twice a year.
5.14.2 Types of Backup

When the back-ups are taken of the system and data together, they are called total system’s
back-up. An organisation has to choose the right type of back up for each of the critical
components of IS and data to meet specific business requirements. The various types of back-
ups are:
 Full Backup: A full backup captures all files on the disk or within the folder selected for
backup. With a full backup system, every backup generation contains every file in the
111
backup set. However, the amount of time and space such a backup takes prevents it
from being a realistic proposition for backing up a large amount of data.
 Incremental Backup: An incremental backup captures files that were created or
changed since the last backup, regardless of backup type. This is the most economical
method, as only the files that changed since the last backup are backed up. This saves
a lot of backup time and space. Normally, incremental backup is very difficult to restore.
One will have to start with recovering the last full backup, and then recovering from
every incremental backup taken since.
 Differential Backup: A differential backup stores files that have changed since the last
full backup. Therefore, if a file is changed after the previous full backup, a differential
backup takes less time to complete than a full back up. Comparing with full backup,
differential backup is obviously faster and more economical in using the backup space,
as only the files that have changed since the last full backup are saved. Restoring from
a differential backup is a two-step operation: Restoring from the last full backup; and
then restoring the appropriate differential backup. The downside to using differential
backup is that each differential backup probably includes files that were already
included in earlier differential backups.
 Mirror Backup: A mirror backup is identical to a full backup, with the exception that the
files are not compressed in zip files and they cannot be protected with a password.
Mirror backup is most frequently used to create an exact copy of the backup data.
5.14.3 Recovery Strategies

The backup plan is intended to restore operations quickly so that information system function
can continue to service an organisation, whereas, recovery plans set out procedures to restore
full information system capabilities. Recovery plan should identify a recovery team that will be
responsible for working out the specifics of the recovery to be undertaken. The plan should
specify the responsibilities of the various departments and provide guidelines on priorities to
be followed. The plan might also indicate which applications are to be recovered first.
Members of the recovery team must understand their responsibilities. Again, the problem is
that they will be required to undertake unfamiliar tasks. Periodically, they must review and
practice executing their responsibilities so they are prepared should a disaster occur. If
employees leave the organisation, new employees must be assigned the responsibility
immediately and briefed about their responsibilities. The recovery strategies for various types
of information systems are outlined here.
5.14.4 Strategies for Networked Systems

Most organisations use networked systems. There is heavy dependence on main server and
network in case of networked systems. The recovery strategy would vary depending on the
type of network architecture and implementation. For example, LANs can be implemented in
two main architectures:
112
5.14.4.1 LAN Systems

Peer-to-Peer: Each node has equivalent capabilities and responsibilities. For example, five
PCs can be networked through a hub to share data.
Client/Server: Each node on the network is either a client or a server. A client can be a PC or
a printer where a client relies on a server for resources. A LAN's topology, protocol,
architecture, and nodes will vary depending on the organisation. Thus, contingency solutions
for each organisation will be different. Listed below are some of the strategies for recovery of
LANs.
1. Eliminating Single Points of Failure (SPOC): When developing the LAN contingency
plan, the organisation should identify single points of failure that affect critical systems or
processes outlined in the Risk Assessment. These single points of failures are to be
eliminated by providing alternative or redundant equipment.
2. Redundant Cabling and Devices: Contingency planning should also cover threats to
the cabling system, such as cable cuts, electromagnetic and radiofrequency interference, and
damage resulting from fire, water, and other hazards. As a solution, redundant cables may be
installed when appropriate. For example, it might not be cost-effective to install duplicate
cables to every desktop. However, it might be cost-effective to install a redundant cable
between floors so that hosts on both floors could be reconnected if the primary cable were cut.
Contingency planning also should consider network connecting devices such as hubs,
switches, bridges, and routers.
3. Remote Access: Remote access is a service provided by servers and devices on the
LAN. Remote access provides a convenience for users working off-site or allows for a means
for servers and devices to communicate between sites.
Remote access can be conducted through various methods, including dialup access and
virtual private network (VPN). Remote access may serve as allocation that can access the
corporate data even when they are not in a position to reach the physical premises due to
some calamity. If remote access is established as a contingency strategy, data bandwidth
requirements should be identified and used to scale the remote access solution. Additionally,
security controls such as one-time passwords and data encryption should be implemented, if
the communication traffic contains sensitive information.
5.14.4.2 Wireless LANs
Wireless local area networks can serve as an effective contingency solution to restore network
services following a wired LAN disruption. Wireless networks do not require the cabling
infrastructure of conventional LANs; therefore, they may be installed quickly as an interim or
permanent solution. However, wireless networks broadcast the data over a radio signal,
enabling the data to be intercepted. When implementing wireless network, security controls,
such as data encryption, should be implemented, if the sensitive information is to be
communicated.
113
5.14.5 Strategies for Distributed Systems

A distributed system is an interconnected set of multiple autonomous processing elements,
configured to exchange and process data to complete a single business function. To the user,
a distributed system appears to be a single source. Distributed systems use the client-server
model to make the application more accessible to users in different locations. Distributed
systems are implemented in environments in which clients and users are widely dispersed.
These systems rely on LAN and WAN resources to facilitate user access and the elements
comprising the distributed system require synchronization and coordination to prevent
disruptions and processing errors. A common form of distributed systems is a large database
management system (DBMS) that supports organisation wide business functions in multiple
geographic locations. In this type of application, data is replicated among servers at each
location, and users access the system from their local server. The contingency strategies for
distributed system reflect the system's reliance Nolan and WAN availability. Based on this
fact, when developing a distributed system contingency strategy, the following methods
applicable to system backups should be considered for decentralized systems. In addition, a
distributed system should consider WAN communication link redundancy and possibility of
using Service Bureaus and Application Service Providers (ASPs).
5.14.6 Strategies for Data Communications

(i) Dial-up: Using Dial-up as a backup to normal leased or broadband communications
lines remains the most popular means of backing up wide-area network communications in an
emergency. This approach requires compatible modems at each remote site and at the
recovery location. Ideally, the modems should be full duplex modems which will permit
transmission and receipt down the same line. The half-duplex option will require two telephone
lines for each data line lost.
(ii) Circuit extension: Circuit extension techniques are usually applied to high bandwidth
communications services, such as high speed leased lines. This technique builds redundancy
into the client’s network, by including the recovery site as a defined and serviced node. This is
by, where the communications from the remote sites can be directed to the primary site or the
recovery site from the carrier’s central office. This is effective duplication of equipment and
facilities, but with some potential for sharing the costs of the equipment at the recovery site.
(iii) On-demand service from the carriers: Many carriers now offer on-demand services
which provide the mechanisms to switch communications to the recovery site from the primary
site on client notification.
(iv) Diversification of services: The use of diverse services provides the best solutions to
the loss of a carrier central office. Diversity can be achieved in a number of manners,
including: Use of more than one carrier on a regular basis. If the organisation uses two or
more carriers, it will likely pay above the odds for its regular service and require investment in
114
some additional equipment. For this approach to communications recovery to work, there must
also be some redundancy accommodated following any carrier outage.
(v) Microwave communications: The regular communications can be backed up by the
use of microwave communications. This could be used to: backup communications from the
central office to the primary site, in case of breakage in the land lines; backup communications
from the central office to the recovery centre; or a backup link from a company-controlled
communications centre direct to the recovery centre.
(vi) VSAT (Very Small Aperture Terminal) based satellite communications: Companies
are increasingly looking to VSAT communications as a cost-effective means of communicating
large volumes of information. This technique could similarly be used to back up the primary
carrier service. The use of this technology requires VSAT terminals to be installed at each
remote location and at the recovery centre if it does not currently provide such a service.
5.14.7 Strategies for Voice Communications

Many of the techniques and concerns above relate to voice communications as wells data,
and this will continue with the expansion of ISDN services for integrated voice and data
communications. Other techniques available for voice recovery include:
(i) Cellular phone backup: If the regular voice system is inoperative, key employees can
be provided with cellular phones as a backup. Given that cellular phones are not run by
the major carriers from the same central offices, this also provides coverage for the loss
of the central office. Such phones could also be used on an on-going basis and could
be used to balance the load on the main PBX switch. Cellular services can also be
extended to data and facsimile transmission.
(ii) Carrier call rerouting systems: Most of the major carriers now provide customers with
call rerouting services such that all calls to a given number can be rerouted to another
number temporarily. While this will not be possible in the case of a carrier outage, it can
be used for the rerouting of critical business communications following a disaster at a
client’s offices. Calls can be rerouted to call management service, for example, to
support the client in the interim.
5.15 Types of Recovery and Alternative Sites

The traditional focus of BCP/DRP was the recovery of the corporate computer system, which
was almost always a mainframe or large minicomputer. Mainframe centric disaster recovery
plans often concentrated on replacing an inaccessible or non-functional mainframe with
compatible hardware. A backup site or work area recovery (alternate processing site) site is a
location where an entity can easily function out of immediately following a disaster. This is an
integral part of a DRP or BCP. Types of alternate processing sites are outlined along with
some of the widely adopted strategies for centralized system recovery.
115
5.15.1 Mirror Site/ Active Recovery Site

5.15.1.1 Mirror Site
The single most reliable system backup strategy is to have fully redundant systems called an
active recovery or mirror site. While most companies cannot afford to build and equip two
identical datacentres, those companies that can afford to do so have the ability to recover from
almost any disaster. This is the most reliable and also the most expensive method of systems
recovery.
5.15.1.2 Hot Site
A dedicated contingency centre, or ‘hot site’ is a fully equipped computer facility with electrical
power, heating, ventilation and air conditioning (HVAC) available for use in the event of a
subscriber’s computer outage. These facilities are available to a large number of subscribers
on a membership basis and use of site is on a ‘first come, first served’ basis. In addition to the
computer facility, these facilities offer an area of general office space and computer ready
floor space on which the users can build their own long-term recovery configuration. Some of
the vendors also offer remote operations facilities for use in tests or emergency. Where the
recovery centre is in a city other than the subscriber’s home location, this can be used to
reduce the need to transport staff and resources.
A hot site is a duplicate of the original site of the organisation, with full computer systems as
well as near-complete backups of user data. Real time synchronization between the two sites
may be used to completely mirror the data environment of the original site using wide area
network links and specialized software. Following a disruption to the original site, the hot site
exists so that the organisation can relocate with minimal losses to normal operations. Ideally,
a hot site will be up and running within a matter of hours or even less. Personnel may still
have to be moved to the hot site so it is possible that the hot site may be operational from a
data processing perspective before staff has relocated. The capacity of the hot site may or
may not match the capacity of the original site depending on the organisation's requirements.
This type of backup site is the most expensive to operate. Hot sites are popular with
organisations that operate real time processes such as financial institutions, government
agencies and ecommerce providers.
5.15.1.3 Cold Site
A cold site is the least expensive type of backup site for an organisation to operate. It does not
include backed up copies of data and information from the original location of the organisation,
nor does it include hardware already set up. The lack of hardware contributes to the minimal
start-up costs of the cold site, but requires additional time following the disaster to have the
operation running at a capacity close to that prior to the disaster.
5.15.1.4 Warm Site
A warm site is a compromise between hot and cold. These sites will have hardware and
connectivity already established, though on a smaller scale than the original production site or
116
even a hot site. Warm sites will have backups on hand, but they may not be complete and may
be between several days and a week old. An example would be backup tapes sent to the
warm site by courier.
5.15.1.5 Near Site
A near site is a backup storage location in close proximity to the primary processing location
that provides easy access to the data
5.15.2 Offsite Data Protection

Offsite data protection is the strategy of sending critical data out of the main location as a part
of DRP. Data is usually transported off-site using removable storage media such as magnetic
tape or optical storage. Data can also be sent electronically via a remote backup service,
which is known as electronic vaulting or e-vaulting. Sending backups off-site ensures systems
and servers can be reloaded with the latest data in the event of a disaster, accidental error, or
system crash. Sending backups off-site also ensures that there is a copy of pertinent data that
isn’t stored on-site. Off-site backup services are convenient for companies that backup
pertinent data on a daily basis. The different types of Offsite Data Protection are outlined here.
5.15.2.1 Data Vaults
Backups are stored in purpose-built vaults. There are no generally recognized standards for
the type of structure which constitutes a vault. Commercial vaults fit into three categories:
1. Underground vaults
2. Free-standing dedicated vaults
3. Insulated chambers sharing facilities
5.15.2.2 Hybrid Onsite and Offsite Vaulting
Hybrid on-site and off-site data vaulting, sometimes known as Hybrid Online Backup, involve a
combination of Local backup for fast backup and restore, along with Off-site backup for
protection against local disasters. This ensures that the most recent data is available locally in
the event of need for recovery, while archived data that is needed much less often is stored in
the cloud. Hybrid Online Backup works by storing data to local disk so that the backup can be
captured at high speed, and then either the backup software or a D2D2C (Disk to Disk to
Cloud) appliance encrypts and transmits data to a service provider. Recent backups are
retained locally, to speed data recovery operations. There are a number of cloud storage
appliances on the market that can be used as a backup target, including appliances from
CTERA Networks, Naquin, StorSimple and Twin Strata.
117
Figure 5.3: Site Selection Criteria
5.16 System Resiliency Tools and Techniques

5.16.1 Fault Tolerance
Fault-tolerance is the property that enables a system (often computer-based) to continue
operating properly in the event of the failure of (or one or more faults within) some of its
components. The basic characteristics of fault tolerance require:
1. No single point of failure.
2. No single point of repair.
3. Fault isolation to the failing component.
4. Fault containment to prevent propagation of the failure.
5. Availability of reversion modes.
In addition, fault tolerant systems are characterized in terms of both planned service outages
and unplanned service outages. These are usually measured at the application level and not
just at a hardware level. The figure of merit is called availability and is expressed as a
percentage. A five nines system would therefore statistically provide 99.999% availability. A
spare component addresses first fundamental characteristic of fault-tolerance in three ways:
(i) Replication: Providing multiple identical instances of the same system or subsystem,
directing tasks or requests to all of them in parallel, and choosing the correct result on
the basis of a quorum;
(ii) Redundancy: Providing multiple identical instances of the same system and switching
to one of the remaining instances in case of a failure (failover);
(iii) Diversity: Providing multiple different implementations of the same specification and
using them like replicated systems to cope with errors in a specific implementation.
118
5.16.2 Redundant Array of Inexpensive Disks (RAID)

RAID provides fault tolerance and performance improvement via hardware and software
solutions. It breaks up the data to write it in multiple disks to improve performance and / or
save large files. There are many methods of RAID which are categorized into several levels.
There are various combinations of these approaches giving different trade -offs of protection
against data Loss, capacity, and speed.
RAID levels: Levels 0, 1, and 5 are the most commonly found, and cover most requirements.
Generally, most organisations use RAID-1and RAID-5 for data redundancy.
Electronic vaulting: Electronic vaulting is a backup type where the data is backed up to an
offsite location. The data is backed up, generally, through batch process and transferred
through communication lines to a server at an alternate location.
Remote journaling: Remote journaling is a parallel processing of transactions to an alternate
site, as opposed to batch dump process like electronic vaulting. The alternate site is fully
operational at all times and introduces a very high level of fault tolerance.
Database shadowing: Database shadowing is the live processing of remote journaling but
creates even more redundancy by duplicating the database sites to multiple servers.
5.17 Testing of BCP

The effectiveness of BCP has to be maintained through regular testing. The five types of tests
of BCP are:
1. Checklist test
2. Structured walk through test
3. Simulation test
4. Parallel test
5. Full interruption test
1. Checklist test: In this type of test, copies of the plan are distributed to each business unit’s
management. The plan is then reviewed to ensure that the plan addresses all procedures and
critical areas of the organisation. In reality, this is considered as a preliminary step to real test
and is not a satisfactory test in itself.
2. Structured walk through test: In this type of test, business unit management
representatives meet to walk through the plan. The goal is to ensure that the plan accurately
reflects the organisation’s ability to recover successfully, at least on paper. Each step of the
plan is walked through in the meeting and marked as performed. Major faults with the plan
should be apparent during the walkthrough.
3. Simulation test: In this type of test, all of the operational and support personnel who are
expected to perform during an actual emergency meet in a mock practice session. The
119
objective is to test the ability and preparedness of the personnel to respond to a simulated
disaster. The simulation may go to the point of relocating to the alternate backup site or
enacting recovery procedures but does not perform any actual recovery process or alternate
processing.
4. Parallel test: A Parallel test is a full test of the recovery plan, utilizing all personnel. The
difference between this and the full interruption test is that the primary production processing
of the business does not stop, the test processing runs in parallel to the real processing. The
goal of this type of test is to ensure that critical systems will actually run at the alternate
processing backup site. Systems are relocated to the alternate site, parallel processing
backup site, and the results of the transactions and other elements are compared. This is the
most common type of disaster recovery plan testing.
5. Full interruption test: During a full interruption test, a disaster is replicated event the point
of ceasing normal production operations. The plan is implemented Asif it was a real disaster,
to the point of involving emergency services. This is a very severe test, as it can cause a
disaster on its own. It is the absolute best way to test a disaster recovery plan, however,
because the plan either works or doesn’t.
Documentation of results: During every phase of the test, a detailed documentation of
observations, problems and resolutions should be maintained. This documentation can be of
great assistance during an actual disaster. They are also helpful in improving and maintaining
the plan as they reveal the strengths and weaknesses of the plan. No test is ever a failure
because, however badly it may seem to have gone lessons can still be learnt from it. However,
it should be remembered that if a test is not planned properly, it could actually create a
disaster. Live tests especially could create disaster if not planned properly because they use
real people and real resources in real conditions, probably during normal working hours. Live
tests should only be considered after the BCP has been tested in full and all Recovery Team
members fully trained. The worst way to test a Plan is to turn off the power suddenly, for
example, and tell people to exercise their Recovery Plans, the interruption and delay to normal
work could well become a disaster in itself.
Results Analysis: The results of each test should be recorded to identify:
I. What happened;
II. What was tested successfully; and
III. What needs to be changed?
If a test indicates that the BCP needs to be changed, the change should be made, and the test
repeated until all aspects are completed satisfactorily. When all the components have been
tested satisfactorily, the whole BCP is ready for testing. It should not be assumed that
because the components work individually there is no need to test the whole BCP. Putting it
all together may reveal problems which did not show up in lower level testing. When preparing
for testing, the participants should be given all the information and instruction they need.
120
5.18 BCP Audit and Regulatory Requirements

Business Continuity Planning (BCP) refers to ability of organisations to recover from a disaster
and continue operations with least impact. It is imperative that every organisation whether
profit-oriented or service-oriented has a business continuity plan as relevant to the activities of
the organisation. It is not enough that organisation has a BCP, but it is also important to have
an independent audit of BCP to confirm its adequacy and appropriateness to meet the needs
of the organisation.
5.18.1 Role of IS Auditor in BCP Audit

In a BCP Audit, the IS auditor is expected to evaluate the processes of developing and
maintaining documented, communicated, and tested plans for continuity of business
operations and IS processing in the event of a disruption. The objective of BCP review is to
assess the ability of the organisation to continue all critical operations during a contingency
and recover from a disaster within the defined critical recovery time period. IS Auditor is
expected to identify residual risks which are not identified and provide recommendations to
mitigate them. The plan of action for each type of expected contingency and its adequacy in
meeting contingency requirements is also assessed in a BCP audit. BCP of an organisation is
also to be reviewed to a limited extent for the assessment of an auditee organisation from the
perspective of going concern.
5.18.2 Regulatory Requirements

A business continuity plan audit should provide management an evaluation of the
organisation’s preparedness in the event of a major business disruption. It should identify
issues that may limit interim business processing and restoration of same. It should also
provide management with an independent assessment of the effectiveness of the business
continuity plan and its alignment with subordinate continuity plans. The business continuity
plan audit should be programmed to cover the applicable laws, standards and Frameworks
etc. Understanding of the applicable Regulatory requirements are essential while doing the
audit of any BCP environment to ensure whether the information technology arrangement
related to Business continuity and disaster recovery plans are in conformity with the applicable
Laws and regulations. It is also necessary to understand whether the information technology
related to BCP/DRP arrangements are supporting the business compliance with external laws
and regulations. Hence before designing the audit scope and programs all external
compliance requirements are to be identified and External compliance requirements are
adequately addressed.
5.18.3 Regulatory Compliances of BCP

Regulatory requirements play an important role in outlining the need for BCP for organisations
which provide critical services. These regulations also provide generic guidelines for
121
implementing BCP. Some of the sample laws and regulations that are applicable are given
here:
5.18.3.1 Basel Committee on E Banking
The Basel Committee on E-Banking outlines the principles for electronic banking as; “Banks
should have effective capacity, business continuity and contingency planning processes to
help ensure the availability of e-banking systems and services”. The Committee underlines
that banks should also ensure that periodic independent internal and/or external audits are
conducted about business continuity and contingency planning. These requirements are spelt
out in Appendix VI relating to “Sound Capacity, Business Continuity and Contingency Planning
Practices for E-Banking”:
5.18.3.2 Indian legislations
There are various Indian legislations such as the Information Technology Act, Indian Income
Tax act, Goods and Services Tax Act etc. which require data retention for specific number of
years. Organisations which have to comply with these requirements have to ensure that they
have a proper business continuity plan which meets these requirements. The Reserve bank of
India provides regular guidelines to financial institutions covering various aspects of IT
deployment. These guidelines cover business continuity and disaster recovery procedures for
various types of business operations which are dependent on I&T environment.
Bank Audit
The Long Form Audit report in the case of statutory audit of banks contains two key points
relating to business continuity and disaster recovery which need to be evaluated and
commented by the statutory auditor.
 Whether regular back-ups of accounts and off-site storage are maintained as per the
guidelines of the controlling authorities of the bank?
 Whether adequate contingency and disaster recovery plans are in place for
loss/encryption of data?
The first point may be irrelevant in case of audit of branches where core banking solution is
implemented. However, a general review of the contingency and disaster recovery plans has
to be made by auditor and required comments provided. In case of internal audit or concurrent
audit of banks, there are specific areas of BCP which need to be reviewed by the auditors.
5.19 ISO 22301:2019

ISO 22301:2019 Security and resilience – Business continuity management systems –
Requirements is an international standard published by the International Organization for
Standardization (ISO), and it describes how to manage business continuity in an organization.
The focus of ISO 22301 is to ensure continuity of business delivery of products and services
after occurrence of disruptive events (e.g., natural disasters, man-made disasters, etc.). This
122
is done by finding out business continuity priorities (through business impact analysis), what
potential disruptive events can affect business operations (through risk assessment), defining
what needs to be done to prevent such events from happening, and then defining how to
recover minimal and normal operations in the shortest time possible (i.e., risk mitigation or risk
treatment). Therefore, the main philosophy of ISO 22301 is based on analyzing impacts and
managing risks: find out which activities are more important and which risks can affect them,
and then systematically treat those risks.
The strategies and solutions that are to be implemented are usually in the form of policies,
procedures, and technical/physical implementation (e.g., facilities, software, and equipment).
In most cases, organizations do not have all the facilities, hardware, and software in place –
therefore, ISO 22301 implementation will involve not only setting organizational rules (i.e.,
writing documents) that are needed in order to prevent disruptive incidents, but also
developing plans and allocating technical and other resources to make the continuity and
recovery of business activities possible.
5.20 ISO 27031:2011

ISO/IEC 27031:2011 describes the concepts and principles of information and communication
technology (ICT) readiness for business continuity, and provides a framework of methods and
processes to identify and specify all aspects (such as performance criteria, design, and
implementation) for improving an organization's ICT readiness to ensure business continuity. It
applies to any organization (private, governmental, and non-governmental, irrespective of
size) developing its ICT readiness for business continuity program (IRBC), and requiring its
ICT services/infrastructures to be ready to support business operations in the event of
emerging events and incidents, and related disruptions, that could affect continuity (including
security) of critical business functions. It also enables an organization to measure
performance parameters that correlate to its IRBC in a consistent and recognized manner.
The scope of ISO/IEC 27031:2011 encompasses all events and incidents (including security
related) that could have an impact on ICT infrastructure and systems. It includes and extends
the practices of information security incident handling and management and ICT readiness
planning and services.
5.21 Services that can be Provided by an IS Auditor in BCM

1. Management Consultancy Services in providing guidance in drafting of a BCP/DRP.
CAs can provide insight to the organisation on the development of a BCP/DRP.
Appropriate guidance in drafting a BCP such as scoping of the BCP as per the policy
etc. Development of a BCP Manual.
2. Management Consultancy Services in designing and implementing a BCP/DRP. CAs
can provide guidance in the actual design of the BCP that is relevant to the
organisation’s nature and size. They can assist the management in implementing the
123
BCP in the organisation. They can design the phases for implementation of the BCP
and thus ensure correct and effective implementation of the BCP in the organisation.
3. Designing Test Plans and Conducting Tests of the BCP/DRP. CAs can design plans
that can be used by the management for regular testing of the BCP. He can also
evaluate the tests that have been conducted by the management.
4. Consultancy Services in revising and updating the BCP/DRP. Maintenance of the BCP
is a periodic process. Technologies evolve, and the Business Environment often
changes and hence it is necessary to revise and update the BCP.
5. Conducting Pre-Implementation Audit, Post Implementation Audit, General Audit of the
BCP/DRP.
A Chartered Accountant can provide assurance whether the BCP would suffice to the
organisation.
6. Consultancy Services in Risk Assessment and Business Impact Analysis. Conducting a
proper Business Impact Analysis and assessing the risks that are present in the
organisation’s environment is really crucial for the correct development of the
BCP/DRP. CAs can help in the development stages by conducting BIA and Risk
Assessment for the organisation.
7. CAs can be involved in any/all areas of BCP implementation or review. These areas
could be pertaining to:
(a) Risk Assessment
(b) Business Impact Assessment
(c) Disaster Recovery Strategy Selection
(d) Business Continuity Plan Development
(e) Fast-track Business Continuity Development
(f) BCP / DRP Audit, Review and Health-check Services
(g) Development and Management of BCP / DRP Exercises and Rehearsals
(h) Media Management for Crisis Scenarios
(i) Business Continuity Training
5.22 Summary
This chapter has provided an overview of the key concepts relating to management of BCP,
DRP and Incident Responses. Together, these are to be implemented as part of Business
Continuity management. The ultimate objective of a BCM is to recover from a crisis as fast as
possible and at the lowest possible cost. The development of a Business Continuity Plan can
be done with the support of BCP Policy existing in an organisation. BCP Policy sets the scope
124
of the plan. Development of BCP involves planning BCP as a project includes conducting a
Business Impact Analyses, Risk Assessment, testing of the BCP, providing training and
awareness and continuous maintenance of the BCP Plan. IS Auditor having to understand
BCP processes and key activities for each of the key processes. This chapter has provided an
overview of the BCP processes. Audit Process that are to be followed by an IS Auditor. A
control is placed always against an identified risk by the management. It is essential for an IS
Auditor to verify the controls that have been put in place by the management for adequacy and
existence.
5.23 Questions
1. Which of the following is MOST important to have in a disaster recovery plan?
A. Backup of compiled object programs
B. Reciprocal processing agreement
C. Phone contact list
D. Supply of special forms
2. Which of the following BEST describes difference between a DRP and a BCP? The
DRP:
A. works for natural disasters whereas BCP works for unplanned operating incidents
such as technical failures.
B. works for business process recovery and information systems whereas BCP
works only for information systems.
C. defines all needed actions to restore to normal operation after an un-planned
incident whereas BCP only deals with critical operations needed to continue
working after an un-planned incident.
D. is the awareness process for employees whereas BCP contains procedures to
recover the operation?
3. The MOST significant level of BCP program development effort is generally required
during the:
A. Early stages of planning.
B. Evaluation stage.
C. Maintenance stage.
D. Testing Stage.
4. An advantage of the use of hot sites as a backup alternative is:
A. The costs related with hot sites are low.
125
B. That hot sites can be used for a long amount of time.

C. That hot sites do not require that equipment and systems software be compatible
with the primary installation being backed up.
D. That hot sites can be made ready for operation within a short span of time.
5. All of the following are security and control concerns associated with disaster recovery
procedures EXCEPT:
A. Loss of audit trail.
B. Insufficient documentation of procedures.
C. Inability to restart under control.
D. Inability to resolve system deadlock.
6. As updates to an online order entry system are processed, the updates are recorded on
a transaction tape and a hard copy transaction log. At the end of the day, the order
entry files are backed up onto tape. During the backup procedure, the disk drive
malfunctions and the order entry files are lost. Which of the following are necessary to
restore these files?
A. The previous day's backup file and the current transaction tape
B. The previous day's transaction file and the current transaction tape
C. The current transaction tape and the current hardcopy transaction log
D. The current hardcopy transaction log and the previous day's transaction file
7. An IS auditor reviewing an organisation's information systems disaster recovery plan
should verify that it is:
A. Tested every 1 month.
B. Regularly reviewed and updated.
C. Approved by the chief executive officer
D. Approved by the top management
8. Which of the following offsite information processing facility conditions would cause an
IS auditor the GREATEST concern?
A. Company name is clearly visible on the facility.
B. The facility is located outside city limits from the originating city.
C. The facility does not have any windows.
D. The facility entrance is located in the back of the building rather than the front.
9. Which of the following methods of results analysis, during the testing of the business
continuity plan (BCP), provides the BEST assurance that the plan is workable?
126
A. Quantitatively measuring the results of the test

B. Measurement of accuracy
C. Elapsed time for completion of prescribed tasks
D. Evaluation of the observed test results

1. A. Of the choices, a backup of compiled object programs is the most important in a
successful recovery. A reciprocal processing agreement is not as important, because
alternative equipment can be found after a disaster occurs. A phone contact list may aid
in the immediate aftermath, as would an accessible supply of special forms, but neither
is as important as having access to required programs.
2. C. The difference pertains to the scope of each plan. A disaster recovery plan recovers all
operations, whereas a business continuity plan retrieves business continuity (minimum
requirements to provide services to the customers or clients). Choices A, B and D are
incorrect because the type of plan (recovery or continuity) is independent from the sort
of disaster or process and it includes both awareness campaigns and procedures.
3. A. A company in the early stages of business continuity planning (BCP) will incur the most
significant level of program development effort, which will level out as the BCP program
moves into maintenance, testing and evaluation stages. It is during the planning stage
that an IS Auditor will play an important role in obtaining senior management's
commitment to resources and assignment of BCP responsibilities.
4. D. Hot sites can be made ready for operation normally within hours. However, the use of
hot sites is expensive, should not be considered as a long-term solution and does
require that equipment and systems software be compatible with the primary installation
being backed up.
5. D. The inability to resolve system deadlock is a control concern in the design of database
management systems, not disaster recovery procedures. All of the other choices are
control concerns associated with disaster recovery procedures.
6. A. The previous day's backup will be the most current historical backup of activity in the
system. The current day's transaction file will contain all of the day's activity. Therefore,
the combination of these two files will enable full recovery up to the point of interruption.
7. B. The plan must be reviewed at appropriate intervals, depending upon the nature of the
business and the rate of change of systems and personnel, otherwise it may quickly
become out of date and may no longer be effective (for example, hardware or software
changes in the live processing environment are not reflected in the plan). The plan must
be subjected to regular testing, but the period between tests will depend on nature of
the organisation and relative importance of IS. Three months or even annually may be
127
appropriate in different circumstances. Although the disaster recovery plan should

receive the approval of senior management, it need not be the CEO if another executive
officer is equally, or more appropriate. For a purely IS-related plan, the executive
responsible for technology may have approved the plan. the IS disaster recovery plan
will usually be a technical document and relevant to IS and communications staff only.
8. A. The offsite facility should not be easily identified from the outside. Signs identifying the
company and the contents of the facility should not be present. This is to prevent
intentional sabotage of the offsite facility should the destruction of the originating site be
from malicious attack. The offsite facility should not be subject to the same natural
disaster that affected the originating site. The offsite facility must also be secured and
controlled just as the originating site. This includes adequate physical access controls
such as locked doors, no windows and human surveillance.
9. A. Quantitatively measuring the results of the test involves a generic statement measuring
all the activities performed during BCP, which gives the best assurance of an effective
plan. Although choices B and C are also quantitative, they relate to specific areas or an
analysis of results from one viewpoint, namely the accuracy of the results and the
elapsed time.
128
Appendix 1
Checklist and Control Matrix
Appendix 1: Checklist for a Business Continuity Plan and Audit
Process Objectives:
 To seamlessly recover from the disaster situation.
 To reduce the impact of the damage of the assets, in turn reducing the data loss.
 To assure compliances
 To sustain operations so that customer service and corporate image can be maintained.
Using this Checklist:
This checklist is to be used by the IS Auditor who is conducting the BCP Audit. This checklist
covers the entire BCP Process, but it has to be customized as per the specific needs of the
assignment. An IS Auditor can use this checklist as a basis for recording observations and for
collecting evidences for the Audit engagement. This checklist is an illustrative example as to
how an IS Auditor could conduct a BCM Audit at an organisation. It can be taken as a base for
conducting such audit engagements.
Policy and Procedure
1. Is business continuity plan documented and implemented?
2. Whether the scope and objectives of a BCP are clearly defined in the policy
document?
(Scope to cover all critical activities of business. Objectives should clearly spell out
outcomes of the BCP)
3. Whether there exist any exceptions to the scope of BCP i.e. in terms of location or
any specific area, and whether the management has justifications for exclusion of
the same.
4. What is the time limit for such exclusion and what is the current strategy of covering
such exclusions
5. Are the policy and procedure documents approved by the Top Management?
(Verify sign off on policy and procedure documents and budget allocations made by
the management for a BCP)
6. Does the business continuity plan ensure the resumption of IS operations during
major information system failures?
(Verify that the IS disaster recovery plan is in line with strategies, goals and
objectives of corporate business continuity plan).
7. Are users involved in the preparation of business continuity plan?

(Managerial, operational, administrative and technical experts should be involved in
the preparation of the BCP and DRP).
8. Does the policy and procedure documents include the following?
List of critical information assets.
List of vendors for service level agreements.
Current and future business operations.
Identification of potential threats and vulnerabilities.
Business impact analysis.
Involvement of technical and operational expert in preparation of BCP and Disaster
recovery plans.
Recovery procedure to minimize losses and interruptions in business operations.
Disaster recovery teams.
Training and test drills.
Compliance with statutory and regulatory requirements
9. Are the BCP policy and procedures circulated to all concerned?
(Verify availability and circulation of the BCP & DRP to all concerned, including
onsite and offsite storage).
10. Is the business continuity plan updated and reviewed regularly?
(Verify minutes of meeting where policy and procedures are reviewed. Verify
amendments made to the policy and procedure documents due to the change in
business environment).
Risk Assessment
1. Has the management identified potential threats/vulnerabilities to business
operations?
(Verify the business environment study report. Risk Assessment Report?)
2. Are the risks evaluated by the Management?
(Verify the probability or occurrence of the threat / vulnerability review carried out by
the management).
3. Has the organisation selected the appropriate method for risk evaluation?
4. Has the organisation carried out the assessment of internal controls?
(Verify the internal controls mitigating the risk).
5 Has the organisation taken an appropriate decision on the risks identified?
(Verify the decision-making on the options - accepted, reduced, avoided or
transferred – for the risks identified).
130
6. Is the risk assessment carried out at regular interval?

(Verify the review frequency.)
Business Impact Analysis
1. Does the organisation carry out business impact analysis (BIA) for business
operations?
2. Has the organisation identified a BIA team?
3. Are RTO and RPO defined by the management?
4. Whether the SDO has been defined based upon RTO & RPO
5. Whether the organisation has measured BIA?
(Impact of risks on business operations can be measured in the form of business
loss, loss of goodwill etc.)
6. Is the business impact analysis carried out at a regular interval?
Development and Implementation of the BCP and DRP
1. Has the organisation prioritized recovery of interrupted business operations?
(Prioritization of activities is based on RTO and RPO)
2. Has the organisation identified the various BCP and DRP Teams?
(Verify employees are identified, informed and trained to take an action in the event
of disaster).
3. Are the responsibilities for each team documented?
(Verify the roles and responsibilities assigned to employees for actions to be taken
in the event of incident/disaster)
4. Does the BCP document(s) include the following?
Scope and objective.
Roles and responsibilities of BCP and DRP Teams.
Incident declaration.
Contact list.
Evacuation and stay-in procedure.
Activity priorities.
Human resource and welfare procedure.
Escalation procedures.
Procedure for resumption of business activities.
Media communication.
Legal and statutory requirements.
Backup and restore procedures.
Offsite operating procedures
131
5. Are the copies of up-to-date BCP Documents stored offsite?

6. Does the offsite facility have the adequate security requirements?
(Verify the logical access, physical access and environmental control of the offsite).
7. Does the BCP include training to employees?
(Verify the evidences of training given).
8. Whether the organisation has an adequate media and document backup and
restoration procedures?
(Verify the backup and restoration schedules adopted by the organisation)
9. Are logs for backup and restoration maintained and reviewed?
(Verify the logs maintained and review of the same by an independent person).
10. Whether the media library has an adequate access control?
(Verify the physical and logical access controls to the media library).
11. Are the BCP and DRP communicated to all the concerned?
(Verify availability and circulation of BCP & DRP to all concerned, including
Onsite and offsite storage).
Maintenance of BCP and DRP
1. Whether the business continuity plan is tested at regular interval?
2. Has the organisation reviewed the gap analysis of testing results?
(Review process that includes a comparison of test results to the planned results).
3. How has the organisation decided to reduce the gaps identified, what is the time
limit set for addressing the same?
4. Has the organisation got a testing plan?
(Verify copy of test plan and updates).
5. Are test drills conducted at appropriate intervals?
6. Do organisation documents and analyses have testing results?
(Verify the corrective copies of test results and analysis of the report).
7. Has the organisation prepared action points to rectify the testing results?
(Verify the corrective action plan for all problems encountered during the test drill).
8. Does the organisation carry out retesting activity for action points?
(Verify the evidences of retesting activities).
9. Does the organisation review the BCP and DRP at regular intervals?
10. Whether a review of the BCP includes following?
BCP policy and procedure
132
Scope and exclusion of BCP

Inventory of IS assets
Validating assumption made while risk assessment and preparation of BCP
and DRP
Risk assessment
Business impact analysis
Back up of system and data
Training to employees
Test drills
133
Appendix 2
Sample of BCP Audit Finding
Max Infotech should have an alternate disaster recovery site and documented procedures and
policies for disaster recovery.
Observation
Max Infotech does not have an alternate disaster recovery site. Also documented Disaster
Recovery Plan (DRP) and business continuity plan are not there.
Exposure
The DRP is a key plan ensuring availability of resources critical to the business operations. In
the absence of documented procedures and policies for the same, it may be difficult to recover
from a disaster resulting in non-availability of data and applications to the users for
unacceptable period of time thereby interrupting business processes and impacting the
business.
Cause
This is due to lack of documented Disaster Recovery Plan (DRP).
Recommendation
Ensure that the Max Infotech has an alternate disaster recovery site and a documented
procedures and policies for disaster recovery. This document should include:
• Provision for back up and restoration of resources identified as critical to recovery;
• Provision for back up and off-site location of non-critical application software, data files
and system software to facilitate their restoration following the recovery of critical
application;
• Frequency of back up and off-site rotation and number of generations maintained, of
production data files including databases;
• Back up and off-site copies of system software, updated or replaced with each upgrade
or revision;
• Off-site copies of systems, program, user and operations documentation updated to
reflect system revision;
Instructions on how to restore from back-up copies of program and data files.
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
ISA

(Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 3
System Development, Acquisition,
Implementation and Maintenance
Module - 3
Application System Audit
Tel (Direct): +91 120 3045992/961
New Delhi
Background Material
on
Module-3 :
System Development, Acquisition,
Implementation and Maintenance
Application System Audit

New Delhi
DISCLAIMER
ISBN : 978-81-8441-995-5


Foreword

President, ICAI
Place: New Delhi
iv
Preface

systems deployment.
modules.
3.0.
assurance services.

vi
Contents
Learning Objectives xi
Chapter 1: Project Management for SDLC 1
Objectives 1
1.1 Introduction 1
1.2 Project Management Frameworks 1
1.2.1 Capability Maturity Model Integration (CMMI) 2
1.3 Key concepts of Project Management 3
1.4 Program and Project Management and Organization 4
1.4.1 Portfolio/Program Management 4
1.4.2 Program/Project Management Organization Forms 5
1.5 Project Initiation 6
1.5.1 Project Management Methodology 7
1.5.2 Project Context and Environment 8
1.5.3 Project Communication and Culture 8
1.5.4 Project Objectives 9
1.5.5 Project Management Practices 9
1.6 Project Planning 10
1.7 Project Controlling 11
1.7.1 Management of Scope 11
1.7.2 Resource Management 12
1.7.3 Project Risk Management Standards and Methods 13
1.8 Project Closing 14
1.9 Roles and Responsibilities 15
1.9.1 Steering Committee 15
1.9.2 Project Sponsor 16
1.9.3 Project Manager 16
1.9.4 Senior Management 17
1.9.5 Business Management 17
1.9.6 Systems Development Project Team 17
1.9.7 Business Function Representatives/Domain Specialists 17
1.9.8 Security Officer 18
1.9.9 Quality Assurance (QA) 18
1.9.10 Technology Specialist 18
1.9.11 Systems Analyst 19
1.9.12 Programmers/Developers 19
1.9.13 Testers 19
1.9.14 Documentation Specialist 19
1.9.15 Database Administrator (DBA) 19
1.9.16 Data Administrator (DA) 19
1.9.17 User Manager 19
1.9.18 IS Auditor 19
1.10 SDLC Project Management Techniques and Tools 20
1.11 Summary 27
1.12 Questions 28
1.13 Answers and Explanations 30
Chapter 2 : SDLC – Need, Benefits and Phases 32

2.1 What is SDLC? 32
2.2 Relevance of SDLC for Business Process Automation 32
2.3 Need for SDLC 33
2.4 Benefits of SDLC 33
2.5 Phases of SDLC 34
2.5.1 Feasibility Study 34
2.5.2 Requirement Definition 35
2.5.3 System Analysis 35
viii
2.5.4 System Design 36
2.5.5 Development 37
2.5.6 Testing 39
2.5.7 Implementation 41
2.5.8 Maintenance 42
2.6 Types of SDLC Model 43
2.6.1 Waterfall Model 43
2.6.2 Incremental Model 45
2.6.3 Software Reengineering and Reverse Engineering 47
2.6.4 Object Oriented Software Development 49
2.6.5 Component Based Development 51
2.6.6 Web Based Application Development 52
2.7 Selection of SDLC Model 53
2.8 New Development Iterative Models- Prototype, Spiral, Rapid & Agile etc. 54
2.8.1 Prototype Methodology 54
2.8.2 Spiral Model 57
2.8.3 Rapid Application Development 59
2.8.4 Agile Software Development Methodology 61
2.8.5 DevOps 64
2.8.6 DevSecOps 64
2.9 Secure SDLC 65
2.10 Summary 66
2.11 Questions 67
Chapter 3 Software Testing and Implementation 71

3.1 Introduction 71
3.2 Importance of Software Testing 71
ix
3.3 Methods of Software Testing 72
3.3.1 Black Box Testing 72
3.3.2 White Box Testing 73
3.3.3 Grey Box Testing 73
3.3.4 A Comparison of Testing Methods 74
3.4 Levels of Testing 75
3.4.1 Functional Testing 75
3.4.2 Non-Functional Testing 76
3.5 Strategies of Software Testing 76
3.5.1 What is the Test Strategy 76
3.5.2 Different Test Approaches 76
3.5.3 Factors to be Considered 77
3.6 Types of Software Testing 77
3.6.1 Unit Testing 77
3.6.2 Static Testing 78
3.6.3 Load Testing 79
3.6.4 Usability Testing 79
3.6.5 Portability Testing 79
3.6.6 Integration Testing 80
3.6.7 Regression Testing 81
3.6.8 System Testing 81
3.6.9 Other Types of Testing 82
3.7 Final Testing 83
3.7.1 Quality Assurance Testing 84
3.7.2 User Acceptance Testing 84
3.8 Implementation 85
3.8.1 Implementation Strategies 85
3.8.2 Preparing for Implementation 87
3.8.3 Conversion 88
x
3.9 Change Management Process 90
3.9.1 Emergency Change 92
3.9.2 Implementing Changes to Production 93
3.9.3 Segregation of Duties 93
3.9.4 Configuration Management 94
3.10 Summary 95
3.11 Questions 95
Chapter 4 Application Controls 100

4.2 What is Application Control? 100
4.2.1 Features and Benefits of Application Controls 101
4.3 Types of Application Controls 102
4.3.1 Input Controls 102
4.3.2 Processing Controls 103
4.3.3 Output Controls 104
4.3.4 Business Process Control Assurance 104
4.4 Application Controls Objectives 105
4.5 Design and Implementation of Application Controls 106
4.6 Application Controls and the System Development Life Cycle 107
4.7 Business Processes and Application Controls 108
4.7.1 Business Risk and Information Processing 109
4.8 Application Controls Assurance 109
4.8.1 Assurance over Application Controls 110
4.9 Summary 112
4.10 Questions 113
xi
Learning Objectives
 Evaluate whether proposed changes to information system are meeting business
objectives.
 Evaluate policies and practices about the organization’s project management.
 Evaluate the effectiveness of controls at all stages of SDLC
 Evaluate the process for migration of new system to the production
 Post implementation review of system to ensure that new system met business
requirement, controls and project deliverables.
 Evaluate change management, configuration management, release management and
patch management.
Chapter 1
Project Management for SDLC
Learning Objectives
This chapter provides insights on Project management aspect of System Development. This
includes initiation of program/project, establishing project management methodology, defining
objective, project risk management, planning, resource management, monitoring and
controlling project, managing changes, closing project and tools and techniques required for
software project management.
1.1 Introduction
In this chapter basic understanding about project management has been given. Unless the
proposed system becomes operational and organization begins deriving benefit out of it,
SDLC project cannot be treated as complete.
Control aspect of the proposed information system is planned at the design stage. IS Auditor
should ensure that appropriate controls are designed at analysis and design stage.
1.2 Project Management Frameworks

Project is initiated once it is approved. In order to ensure that proposed project is successful,
i.e. it meets its predefined objectives and delivers value, the organization must adopt effective
and efficient project management practices. Without project management practices, tools and
control frameworks, it is not possible to manage all the relevant aspects like planning,
scheduling, resource management, risk management, sizing and estimation of efforts,
milestone achievements, quality, deliverables and budget monitoring, of a large project. IS
Auditor must understand the need for a project management framework within the
organization, and associated elements required to establish a standard methodology. This
chapter covers the various project management practices and how these are executed within
the organization.
There are many approaches for project management defined by various professional bodies.
The most commonly used approaches are:
 Project Management Body of Knowledge (PMBOK®) version 6, i.e. IEEE standard 1490
from the Project Management Institute (PMI),
 Projects in a Controlled Environment (PRINCE2TM) from the Office of Government
Commerce (OGC) in the UK, and the International Project Management Association
(IPMA).
Since there are significant differences in scope, content and wording in each of these
standards, an auditor has to be familiar with the standard adopted by auditee organization,
prior to involvement in project. Although each project management approach has its own pros
and cons, several elements are common across all project management methodologies. Some
are focused on software development, others have a more general approach; some
concentrate on a holistic and systemic view, others provide a very detailed workflow including
templates for document creation
1.2.1 Capability Maturity Model Integration (CMMI)

Capability Maturity Model Integration (CMMI) is a process improvement approach that
provides enterprise with the essential elements of effective processes. It can be used to guide
process improvement across a project, division or entire organizational CMMI helps integrate
traditionally separate organizational functions, set process improvement goals and priorities,
provide guidance for quality processes and a point of reference for appraising current
processes.
Table 1.1 – CMMI Levels
CMMI Levels Description of Capability maturity levels Context

Level 5 The previously described predictable process Enterprise view/
Optimized is continuously improved to meet relevant Corporate knowledge
current and projected business goals
Level 4 The previously described established process
Predictable now operates within defined limits to achieve
its process outcomes
Level 3 The previously described managed process is
Established now implemented using a defined process that
is capable of achieving its process outcomes
Level 2 The previously described performed process is Instance view/ Individual
Managed now implemented in a managed fashion knowledge
(planned, monitored and adjusted) and its work
products are appropriately established,
controlled and maintained
Level 1 The implemented process achieves its process
Performed purpose
Level 0 The process is not implemented or fails to
Incomplete achieve its process purpose. At this level, there
is little or no evidence of any systematic
achievement of the process purpose
2
1.3 Key Concepts of Project Management

 Project is a temporary activity undertaken to generate defined outcome (like creating a
service or product). Temporary need not be short, what it means is it has predefined
beginning and end. For example, a project can be initiated to build a housing complex,
that is completed once tenants have occupied it, or it can be for building infrastructure,
or designing a new product, e.g. Tata motors designing the Nano car. The project is
closed once the expected outcome is delivered or results are achieved or if the project
becomes technically or economically unviable. In short projects can be initiated for any
reason. Developing Software and deploying it can be a project or depending upon size,
it can be group of projects.
 A project management refers to the practice of managing a project. Management may
not want to initiate a project as it involves providing resources and waiting till the end to
get deliverables. Management has to monitor the progress of project and intervene
periodically to ensure that the project finally achieves the defined objectives. Project
management practice is a set of multiple processes grouped in five major process
groups:
o Project Initiation
o Project Planning
o Project Execution
o Project Controlling and Monitoring
o Project Closing
Although these processes are grouped, they are not executed in sequence, Process groups
under project planning, project execution and controlling are executed in iteration. (Figure 1.1)
Figure 1.1: Project process groups
3
Each group mainly consists of processes; however, all processes may not be applicable to all
projects.
Project initiation group consists of mainly processes related to developing project charter
based on scope of project. In SDLC project, it is business case that help in Identifying
beneficiaries and stakeholders of project.
Project planning consists of processes related to developing project execution plan, finalizing
requirements, defining work breakdown structure and modules to be developed, estimating
efforts and cost, resource planning, risk management, procurement planning and plan for
communications with stakeholders.
Project execution consists of processes related to direct project teams, ensuring quality
assurance and testing, managing requirements and changes in requirements, ensuring timely
procurements and manage resources.
Project monitoring and controlling consists of processes related to monitoring risks, Scope
Creeps, quality of deliverables, costs and budgets, performance reporting.
Project closing has processes for handing over deliverables or terminating project. SDLC
project management is further discussed in ensuing sections.
1.4 Program and Project Management and Organization

1.4.1 Portfolio/Program Management
A program is a group of projects and/or time-bound tasks that are linked together through
common objectives. It may share a common budget and can have intertwined schedules. Like
projects, programs have a limited time frame (start and end date), predetermined budget,
defined deliverables/outcomes and at many times organizational boundaries. A program is
more complex than a project and many times consists of multiple projects. For example,
implementing ERP at all plants can be a program consisting of multiple projects for
implementing ERP at each plant. (Figure 3.2 explains the relationship of portfolio, programs
and projects)
A portfolio is group of all projects/programs (related or unrelated) being carried out in an
organization at a given point in time.
A project/program management office (popularly referred as PMO) controls and manages
Portfolios, programs and projects. PMO also governs the processes of project management
but not involved in management of project content.
The program management includes management of:
 Program scope
 Program financials (costs, resources, cash flow, etc.)
4
 Program schedules
 Program objectives and deliverables
 Program context and environment
 Program communication and culture
 Program organization
Figure 1.2: Portfolio, program and project
1.4.2 Program/Project management Organization Forms

A project may be considered as a group of complex tasks executed by a temporary
5
organization. However, depending upon the nature of business, from a project management
perspective, organizations can be categorized as follows:
 Functional organization that is influenced by the projects: These are business
organizations that are involved in production of goods and services. Projects are
undertaken to support the functional activities. For example, a manufacturing
organization may want to automate administrative processes (like finance, HR, pay roll
etc.) using IT. In such organizations, Project Manager has only a staff function without
formal management authority. The Project Manager is only allowed to advise peers and
team members as to which activities should be completed. In such organization project
team consist of staff that report to functional manager, except for the purpose of project
activities assigned, reports to Project Manager.
 Projectile organization: These are pure project organizations that execute projects.
For example, an infrastructure development organization or consulting organizations
that executes projects. In such organizations Project Manager has formal authority over
those taking part in the project. Often, this is bolstered by providing a special working
area for the project team that is separated from their normal office space.
 Matrix project organization: The organization that provides product and services and
also executes projects. Most IT companies falls under such categories where these
organizations undertake project to manage business functions for other organizations
and also executes projects for customer organization. In such organizations,
Management Authority is shared between the Project Manager and the Department
Heads.
IS Auditor has to understand these organizational forms and their implications on
controls in SDLC project management activities.
1.5 Project Initiation

Whenever a business entity decides (i.e. stakeholders in the business or senior management)
to undertake computerization, a project will have to be initiated. Some examples of a formal
project initiation are:
1. A new business application is required to be developed to address a new or existing
business process e.g. HR management system, billing system, order processing etc.
2. Adoption of a new technology invented or available becomes advantageous to the
business e.g. Internet based advertising for an advertising company.
3. The application software to be developed, is expected to rectify the present problem
related to existing business e.g. computerization of college admissions.
4. The application software to be developed, is expected to rectify the present problem
related to existing technology e.g. migrating from text-based computerized system to
6
GUI based system as in case of old COBOL / XBASE based distributed banking to
RDBMS based Core Banking system.
A project may be initiated from any part of the organization, including the IS department. A
project is time bound, with specific start and end dates, a specific objective and a set of
predetermined deliverables. Once a project is initiated, a project sponsor and project manager
is appointed to execute the further activities. This also includes gathering information related
to gaining approvals for the project. This will often be compiled into terms of reference or a
project charter that states the objective of the project, the stakeholders in the system to be
produced, and the Project Manager and sponsor. Approval of a project initiation or project
request is authorization for a project to begin.
During the project initiation phase, several activities are performed by Project Manager
starting from assessing the size, scope, as well as project complexity, and further establishes
procedures to supporting subsequent activities. IS Auditor has to understand the implications
on controls in SDLC project management activities. The major activities to be performed in the
project initiation are:
 Establishment of project initiation team: In this activity an initial core of project team
members are organized to complete the project initiation activities.
 Establishment of relationship with customer: A good understanding of the customer is
needed to build stronger customer partnerships and also higher trust level.
 Establishment of plan for project initiation: This step provides the definition of activities
required to organize the initiation team, who define the scope of the project.
 Establishment of management procedures: Without developing effective management
procedure, it not possible to achieve successful completion of project.
 Establishment of project workbook and project management environment: The objective
of this activity is to organize and collect the tools that will be used for managing the
project and will help to develop the project workbook. For example, major portion of the
project workbook is derived from charts, diagrams and description of the system. Thus,
the project workbook serves as a repository for all project deliverables, inputs, outputs,
correspondence, procedures, and standards established by the project team.
Many organizations that follow standard process for project management prepare a formal
Project Initiation Report that is presented to Senior Management or Board of Directors. Once
accepted this becomes formal charter for the project and triggers next phases of SDLC.
1.5.1 Project Management Methodology

IT projects are divisible into pre-defined phases. The project management process begins with
the project charter and ends with the closure of the project. Since the project management can
be complex, like other business processes, it also requires a standardized approach.
7
Organizations may adopt standard processes prescribed by globally accepted standards

developed by organizations like PMI or can define a project management process within
organization based on such prescribed standards. Organizations following a standard project
management process have higher possibility of completing projects in time, within budget and
deliverables meeting with expected quality. The following section explains general project
management practices used by various organizations.
1.5.2 Project Context and Environment

Organization may be running several projects at the same time. These projects need not be
SDLC projects or IT projects. At organization level the relationships between these projects
have to be established to identify common objectives for the business, which is a function of a
project portfolio management and/or a program management. This helps in consolidating
common activities (e.g. identify and manage risks) and managing of common resource
requirements. (Refer Figure 1.1)
A context of the project may be determined based on:
 Importance of the project deliverables to organization’s objectives
 Connection between the organization’s strategy and the project outcome
 Relationship with other projects
 Priority based on the business case In addition while considering the time context of the
project, following aspects must be considered:
 Start and end time of the project, particularly if it is expected that the outcome of project
has linkages to other projects.
The objective is to determine whether all relevant environments for the project, which will have
a significant influence on overall project planning and project success, have been considered.
1.5.3 Project Communication and Culture

Success of project depends upon timely communication with stakeholders and affected
parties. This can be achieved by:
 One-on-one meetings
 Kick-off meetings
 Project start workshops
 Periodic reporting
Communication helps in obtaining cooperation from all team members and buy-in from
stakeholders. One of the major activities for Project Manager during execution of project is to
8
develop and execute communication plan so as to inform issues, concerns, if any and to
report project progress.
1.5.4 Project Objectives

Primary objective of project is to deliver the defined outcome/deliverables/product in time,
within budget and of desired quality. The measurement of success depends upon clearly
defining results that are specific, measurable, attainable, realistic and timely (SMART). The
main objectives of project are always directly coupled with business expectations. Additional
objectives are objectives that are not directly related to the main results of the project but may
contribute to project success (e.g., business unit reorganization in a System Development
project).
A commonly accepted approach to define project objectives is to start with a work breakdown
structure (WBS) with each work module having its own objectives derived from main
objectives. The WBS is a tool used for the project in terms of manageable and controllable
units of work and forms the baseline for cost and resource planning. Detailed specifications
regarding the WBS can be used to develop work packages (WP). Each WP must have a
distinct owner and a list of main objectives, and may have a list of additional objectives. The
WP specifications should include dependencies on other WPs and a definition of how to
evaluate performance and goal achievement.
A task list is a list of actions to be carried to complete each work package and includes
assigned responsibilities and deadlines. The task list aids the individual project team members
in operational planning and scheduling, that when merged together forms a project schedule.
Project schedules are work documents containing the start and finish dates, percentage
completed, task dependencies, and resource names of individuals planned to work on tasks.
1.5.5 Project Management Practices

Every organization uses project/program to implement new concepts, changes, business
strategies etc. Collective knowledge of executing projects may be used to execute the
projects; however, it is a prudent for the organization to adopt a standard project management
practice, across entire organization. Many organizations prefer to adopt the practices based
on global standards/best practices e.g. PMBOK, Prince2 etc.
Project management is the application of knowledge, skills, tools and techniques to a broad
range of activities to achieve organizational objectives. For example: meeting user
requirements by developing/acquiring new software within budget and timelines. Project
management practices consist of defined processes for initiating, planning, executing,
controlling and closing a project.
A successful project planning is a risk-based management process that is iterative in nature.
Project management practices for SDLC projects also provide standards for systematic
9
quantitative and qualitative approaches to software size estimating, scheduling, allocating

resources and measuring productivity. There are numerous project management tools
available (e.g. MS project) that can be adapted to implement techniques to assist the Project
Manager in controlling the time and resources utilized during execution of project.
1.6 Project Planning

To plan and control SDLC projects, Project Manager needs to determine:
 The various project tasks and management tasks that need to be performed to
develop/acquire and implement business application system.
 The order in which these tasks should be performed.
 The estimated duration for each task.
 The priority of each task.
 The IT resources, available, transferred/loaned or to be acquired to perform these
tasks.
 Budget or costing for each of these tasks. This can be notional for internal resources
and  monetary for outsourced projects.
In complex projects the planning is dynamic and has to be reviewed/adjusted at the beginning
and end of each project phase. This is to ensure that resources are available, quality of work
during earlier phase has been as expected (i.e. no rework is required, or if required adjusting
the plan by considering the delay and so on.)
There are some techniques like Gantt chart, Program Evaluation Review Technique (PERT),
Critical Path Method (CPM) etc., that are useful in creating and monitoring project plan. The
major activities which are performed during project planning are:
 Measure the development efforts. (Different software sizing techniques are discussed in
section 1.8.)
 Another activity is to identify resources (e.g., people with requisite skills, development
tools, facilities) for high level software development.
 Budgeting is next activity. Although overall budget for the project has been allocated at
high- level during business case development, Project Manager need to prepare
granular budget for monitoring. This is done by considering the cost for each resource
and their expected use. For example, group of testing professionals might be required
in the project, however they need not be available from the beginning of project and
thus can be inducted (on boarded) at a later date thus optimizing the cost associated
with their release from another project.
 Scheduling and establishing the time frame is another activity. While budgeting involves
adding up the cost for human and machine resource usage involved in each task,
10
scheduling involves establishing when these resources are required in the project. This
is achieved by arranging tasks according to:
1. The logical sequential and parallel tasks relationship and determining earliest
start date.
2. Based on estimated efforts (section 1.7) for each resource arriving at latest
expected finish date.
3. Schedules are presented using PERT, CPM diagrams and Gantt Charts.
(Discussed in section 1.7.)
1.7 Project Controlling

The controlling activities of a project include:
 Management of Scope
 Monitoring of Resource Usage
 Risk Management.
It is critical to ensure that new requirements for the project are documented and, if approved,
appropriate resources are allocated. Control of changes during a project ensures that projects
are completed meeting stakeholder requirements of: time, use of funds and quality objectives.
Stakeholder satisfaction should be addressed with effective and accurate requirements
capture, proper documentation, baselining and skilled steering committee activity.
During mid-term project review IS Auditor should focus on project planning and
controlling activities to ensure that these are not deviating from primary objectives of
the project.
1.7.1 Management of Scope

Quite often, it is noticed that the majority of the SDLC projects suffer from “Scope Creep”. This
happens particularly when the requirement analysis is incomplete or the dynamic nature of
business environment forces users to include these requirements and all these requirements
cannot be put on hold. The Scope Creep affects the project planning seriously. This can be
controlled by:
 Baselining the requirements before project planning.
 Establishing process for change management to decide which requirements must be
included during development and how it is affecting the project time, cost, quality and
outcome. Change management process must define who can request for change, how
a formal change request be made, what it should contain and the reasons for the
change. For complex deliverables, it is best to document the work breakdown structure.
11
 The Project Manager then assesses the impact of change request on project activities,
schedule and budget.
 A change advisory board is appointed to evaluate change requests and decide on
approving changes.
 If the change is accepted, the Project Manager should update the project plan.
 The updated project plan must be formally confirmed by the project sponsor—accepting
or  rejecting the recommendation of the change advisory board.
1.7.2 Resource Management

Monitoring resource usage in project execution is the process to control budget and ensure
that cost plan is on track. Budget and project plan assume certain productivity of resources.
For example, if a program development is expected and hence planned to take 16 person-
hours, then it is supposed that the resource being deployed is capable of finishing that task in
16 person-hours with expected quality level. (Using coding standards might help in improving
productivity). Whether this is actually happening can be verified using Earned Value Analysis
(EVA).
Earned Value Analysis consists of comparing expected budget till date, actual cost,
estimated completion date and actual completion at regular intervals during the project. In
above example the program development is expected to take two working days, with eight
hours spent each day. At the end of first day cost is as per budget but EVA cannot be
determined unless 50% or more work has been completed. The other alternative is to get
information on how much time is required to complete remaining program. If the answer is 8
hours, the project is on track. If it is less, resource might be idle and if it is more, the project
might be delayed. In short, at the end of first day, the resource spent is according to budget,
but the “Earned Value” will be based on time remaining to complete the task. (Figure 1.3)
12
Figure 1.3: Earned Value Analysis 
1.7.3 Project Risk Management Standards and Methods

Project Management practices require that the Project Manager invariably adopts the risk
management frameworks. PMBOK of PMI specifies following activities for Project Manager:
Project Planning Phase
 Plan Risk
 Identify Risk,
 Qualitative Analyses of Risks
 Quantitative Analysis of Risks
 Plan Risk Response
Project Monitoring Phase
 Control Risks
Risk in Project Management
Risk is defined as a possible negative event or condition that would disrupt relevant aspects of
the project. There are two main categories of project risk: the category that impacts the
business benefits (and therefore endangers the reasons for the project’s very existence) and
the category that impacts the project itself. The project sponsor is responsible for mitigating
the first category of risk and the Project Manager is responsible for mitigating the second
13
category. The risk management process consists of five steps that are repeatedly executed
during a project. Phase-end milestones are a good anchor points in time at which the review
and update of the initial risk assessments and related mitigations can be done.
Risk Management Process
 Identify Risk: Perform a brainstorming session with your team and create an inventory
of possible risks.
 Assess and Evaluate Risk: Quantify the likelihood (expressed as a percentage) and
the impact of the risk (expressed as an amount of money). The “insurance policy” (total
impact) that needs to be in the project budget is calculated as the likelihood multiplied
by the impact.
 Manage Risk: Create a Risk Management Plan, describing the strategy adopted and
measures to deal with the risk. Generally, the more important the risk, the more budget
should be made available for counter-measures. Counter-measures could include
prevention, detection and damage control/reconstruction activities. Any risk can be
mitigated, avoided, transferred or accepted depending on its severity, likelihood and
cost of counter-measures and the organization’s policy.
 Monitor risk: Discover risk that materializes, and act accordingly.
 Evaluate the Risk Management Process: Review and evaluate the effectiveness and
costs of the Risk Management Process.
IS Auditor has to focus on the Risk Management Process as it provides detailed insight
on the effectiveness of Project Management.
1.8 Project Closing

Projects should be formally closed to provide accurate information on project results, improve
future projects and allow an orderly release of project resources. The closure process should
determine whether project objectives were met or excused, and should identify lessons
learned to avoid mistakes and encourage repetition of good practices. Project closure is to be
planned in two situations:  
1. Project deliverables are completed and are ready to be implemented:
1. The Project Sponsor should be satisfied that the system produced is acceptable and
ready for implementation/delivery.
2. Custody of contracts may need to be assigned, and documentation archived or passed
on to those who will need it.
3. Survey the project team, development team, users and other stakeholders to identify
any lessons learned that can be applied to future projects.
14
4. Achievement of objectives of project and performance fulfilment, adherence to the

schedule, costs, and quality of the project.
5. Post project review in which lessons learned and an assessment of project
management processes used are documented.
6. Release of project teams either to other projects or line functions.
2. Project is suffering from Risk Materialization and has to be terminated.
These are generally exceptional situations like changes in functional requirements,
obsolescence of planned technology, availability of new technology, unforeseen budget
constraints, strategy changes etc. In rare cases the project may have to be terminated due to
non-performance of project teams. In such situations closure of project may have to be
planned depending upon the status of project. For example, based on project planning,
organization may have placed order for required software and hardware or might have made
some changes to its existing infrastructure. These need to be undone or planned so as to
minimize the impact on organization.
IS Auditor conducting review after project closure has to consider the overall project
execution on various parameters such as objectives achieved, time overrun, cost
overrun, quality of deliverables, etc. If the review is being done immediately after
implementation, IS Auditor may also review the challenges faced by the users and the
resolution methods.
Achieving business objectives must be the focus of project review. Accordingly, the
auditor may review and comment on budget and time overrun situations.
1.9 Roles and responsibilities

The various roles and responsibilities of groups/individuals that are associated with the project
and program management for SDLC project are described below:
1.9.1 Steering Committee

Project Steering Committee provides overall direction and monitors the project execution. This
is assured by representation of major stakeholders. The project steering committee is
ultimately responsible for all deliverables, project costs and schedules.
This committee should comprise of senior representatives having authority for decision
making, from business areas likely to be impacted by the proposed system or change. Mostly
Project Sponsor will chair the steering committee. The Project Manager is a member of
steering committee.
15
Role of Project Steering CommitteeProject Steering Committee performs the following

functions:
1. Reviews project progress periodically (fortnightly or monthly or as required)
2. Serves as co-ordinator and advisor to the project. Members of the committee should be
available to make user-related decisions about system and program design.
3. Takes corrective action based on reviews. The committee should evaluate progress and
take action or make recommendations to resolve project issues related to budget,
schedules, resources, and scope and project objectives.
4. Assess risks and decide upon mitigation plan. Also resolve issues that are escalated
and cannot be resolved at the project level.
5. Take decision on and if required recommend the project be halted or discontinued.
6. Work closely with the Project Manager to define project success factors and metrics in
measurable and quantifiable terms.
1.9.2 Project Sponsor

Head of Business Function or Senior Management (generally who has the highest stake in
benefit realization from the project) is designated as Project Sponsor. Project Sponsor
provides funding and assumes overall ownership and accountability of the project. Project
Sponsor is also responsible for providing funding and budget for the project execution.
1.9.3 Project Manager

A Project Manager should be identified and appointed by the IS steering committee. The
Project Manager, who need not be an IS staff member, should be given complete operational
control over the project and be allocated the appropriate resources, including IS professionals
and other staff from user departments, for the successful completion of the project. A Project
Manager is appointed for execution of project. The Project Manager can be from the user
department, or from IS department or hired separately to handle the project. Primary functions
of Project Manager are:
1. Provide day-to-day management and leadership.
2. Ensure that project activities are in line with pre-determined objectives.
3. Involve affected departments.
4. Follow organization’s Project Management Standards.
5. Ensure expected quality of deliverables.
6. Resolve conflicts.
7. Monitor and controls costs, schedules and associated risks.
16
1.9.4 Senior Management

Demonstrates commitment to the project and approves the necessary resources to complete
the project. This commitment from senior management helps ensure involvement by those
needed to complete the project. Generally senior management representative is appointed by
the steering committee
1.9.5 Business Management

Business Management, most of the times, assumes ownership of the project and resulting
system, allocates qualified representatives to the team, and actively participates in business
process redesign, system requirements definition, test case development, acceptance testing
and user training. Business Management should review and approve system deliverables as
they are defined and implemented.
Business Management is concerned particularly with the following questions:
1. Are the required functions available in the software?
2. How reliable is the software?
3. How efficient is the software?
4. Is the software easy to use?
5. How easy is it to transfer or adapt old data from pre-existing software to this
environment?
6. How easy is it to transfer the software to another environment?
7. Is it possible to add new functions?
8. Does it meet regulatory requirements?
1.9.6 Systems Development Project Team

System development team consist of System Analyst, Developers, Testing Professionals,
Control Consultants (IS Auditor), Hardware and Network Consultants, The team members
complete the assigned tasks, communicate effectively with users by actively involving them in
the development process, work according to local standards and advises the Project Manager
of necessary project plan deviations.
1.9.7 Business Function Representatives/Domain Specialists

Consists of Subject Matter Experts (SME) that provides inputs to developers and system
analysts on requirements, business related controls, and sometime approves the low-level
design specifications.
17
1.9.8 Security Officer

Ensures that system controls and supporting processes provide an effective level of
protection, based on the data classification set in accordance with corporate security policies
and procedures; consults throughout the life cycle on appropriate security measures that
should be incorporated into the system; reviews security test plans and reports prior to
implementation; evaluates security- related documents developed in reporting the system’s
security effectiveness for accreditation; and periodically monitors the security system’s
effectiveness during its operational life.
1.9.9 Quality assurance (QA)

Quality assurance function consists of following key activities:
 Develop test plan and test the code.
 Review and ensure that Project Documentation is complete.
 Review deliverables of the project.
The objective is to ensure that the quality of the project by measuring the adherence by the
project staff to the organization’s standard methodology of System Development Life Cycle
(SDLC), advise on deviations, and propose recommendations for process improvements or
greater control points when deviations occur.
Specific Objectives of the QA function include:
1. Ensuring the active and coordinated participation by all relevant parties in the revision,
evaluation and dissemination, and application of standards, management guidelines
and procedures
2. Ensuring compliance with the agreed-on systems development methodology
3. Reviewing and evaluating large system projects at development milestones, and
making appropriate recommendations for improvement
4. Establishing, enhancing and maintaining a stable, controlled environment for the
implementation of changes within the production software environment
5. Defining, establishing and maintaining a standard, consistent and well-defined testing
methodology for applications
6. Reporting to management on systems that are not performing as defined or designed
1.9.10 Technology Specialist

IT is developing so rapidly that even IT professionals find it difficult to keep track of all
developments, let alone develop expertise. This has resulted in experts in specific technology
areas, such as Microsoft technology, Web-enablement and the like.
18
1.9.11 Systems Analyst

The System Analyst also has a responsibility to understand existing problem/system/data flow
and new requirements. System Analysts convert the user’s requirements in the system
requirements to design new system.
1.9.12 Programmers/Developers
Programmers convert design into programs by coding using programming language. They are
also referred to as Coders or Developers.
1.9.13 Testers
Testers are junior level quality assurance personnel attached to a project. They test programs
and subprograms as per the plan given by the module / project leaders and prepare test
reports.
1.9.14 Documentation Specialist

These professionals are responsible for the creation of user manuals and other
documentation.
1.9.15 Database Administrator (DBA)

The data in a database environment has to be maintained by a specialist in Database
Administration so as to support the application program. The Database Administrator handles
multiple projects; and ensures the integrity and security of information stored in the database.
1.9.16 Data Administrator (DA)

Data administrator gathers and analyzes business requirements and develops conceptual and
logical models of business. He/she defines and enforces standards and naming conventions
of database. Management and administration of metadata repository and data administration
tools are entrusted to Data Administrator. He/she also keeps interface with business users for
data definition.
1.9.17 User Manager

User Manager is the immediate manager or reporting manager of an employee. They have
ultimate responsibility for all user IDs and information assets owned by company employees.
In the case of non-employee individuals such as contractors, consultants, etc., User Manager
is responsible for the activity and for the company assets used by these individuals.
1.9.18 IS Auditor
The IS Auditor can be a part of SDLC project team as consultant for internal controls or for
19
the review of the project activities. They may also provide an independent, objective review to
ensure appropriate level of commitment of the responsible parties.IS Auditor has to
understand the systems development; acquisition and maintenance methodologies used by
the organization and identify potential vulnerabilities. If auditor observes control weakness
either as a result of review due to organizational structure or the software methods used, or
weakness in process execution, it is the IS auditor’s role to advise the project team and Senior
Management of the deficiencies in project management and provide recommendations for
improvement.
Role of IS Auditor in SDLC
Throughout the project management process, IS Auditor should analyze the associated risks
and exposures inherent in each phase of SDLC. He should assure that appropriate control
mechanisms are in place to minimize the risks in a cost-effective manner, while reviewing
SDLC various phases as well as the project team meetings Minutes. He will also assess the
project development team’s ability to produce key deliverables by the promised dates.
Adequate and complete documentation of all phases should be collected and reviewed by
processes, IS Auditor is expected to obtain necessary and available documentation from the
Project Manager The specific areas of review are:
1. Understand standards adopted and followed by the organization through the process of
inquiry, observation and documentation review.
2. To determine significant phases for the various size and type.
3. To assess efficiency and effectiveness of each function to satisfy the users goals and
organization objectives.
4. To test methodology adopted and determine compliance with the organization
standards by reviewing the documentation produced.
5. To evaluate controls designed for compliance with internal control principles and
standards.
6. To determine compliance with common security, auditability and change control
standards.
If IS Auditor is part of project team not for performing an audit, but is participating on
the project in an advisory role then depending on the level of involvement, IS Auditor
may become ineligible to perform audits of the application when it becomes
operational.
1.10 SDLC Project Management Techniques and Tools

System Development process may be associated with various automated tools that help in
improving productivity and maintaining record and documentation of application being
20
developed. Tools that help in improving productivity include code generators, development
environments (also referred to as developer’s workbench) like Visual Studio and Computer-
Aided Software Engineering (CASE) applications that help in documenting the SDLC process.
In addition, Project Managers may use project management tools like MS Project. This section
provides information about these tools. This section covers following three areas:
1. CASE tools
2. Software size estimation covering various techniques used like LOC, FPA analysis etc.
3. Project controlling tools like PERT, CPM and Gantt Charts.
1. Computer-Aided Software Engineering (CASE) tools
SDLC requires collecting, organizing and presenting information required at application
systems and program level. This involves building data flows, documenting design of
application system, identifying modules/functions/program required to be developed and
sometimes developing prototypes to capture requirements. These are essential but time-
consuming processes that are required for developing, using and maintaining computer
applications.
Computer-Aided Software Engineering (CASE) are automated tools that aid in the software
development process. Their use may include tools for capturing and analyzing requirements,
software design, code generation, testing, document building and other software development
activities.
Although IS Auditor is not expected to have detailed knowledge of how to use CASE
tools, they may have to learn how to use CASE tools for effective audit of SDLC project,
as required.
Code Generators
Code generators are tools that are a part of CASE tools or development environment like
Visual Studio. These tools generate program source code based on parameters provided.
These products significantly reduce the development (particularly coding) time; however,
maintaining or changing these programs might be painful and time consuming.
Development Environments and Non-Procedural Languages
Developer’s Workbench: Provides environment to developer for editing, simulating code,
temporary storage, file management and sometimes code generation. It may also provide
Software facilities that include the ability to design or paint retrieval screen formats, develop
computer-aided training routines or help screens, and produce graphical outputs. It is often
referred to as an Integrated Development Environment (IDE).
Non-procedural languages: These are event driven and make extensive use of Object-
Oriented Programming concepts such as objects, properties and methods. These languages
21
cannot perform data intensive or online operations. However, they are best suited to provide
an environment to the end user for generating their own views and reports that are required
for data analysis and decision making. These languages provide environmental independence
(portability) across computer architectures, operating systems and tele-communications
monitors. These languages generally have simple language subsets that can be used by less-
skilled users.
These languages are classified in the following ways:
1. Query and Report Generators: These languages can extract and produce reports and
sometimes can access database records, produce complex online outputs.
2. Embedded Database Languages are more user-friendly but also may lead to
applications that are not integrated well with other production applications.
3. Relational Database Languages are usually an optional feature on a vendor’s DBMS.
These allow the applications developer to make better use of the DBMS product, but
they often are not end-user-oriented.
2. Software Size Estimation
Once the work breakdown structure is completed and SDLC methodology (discussed in
chapter 4) is finalized Project Manager must perform Software size estimation, i.e. determining
the physical size of application (number of programs, modules, reusable function/modules
etc.). This helps the Project Manager in deciding resource and skills requirements, to judge
the time and cost required for development, and to compare the total effort required by the
resources.
Source Lines Of Code (SLOC)
Traditionally, particularly when COBOL like languages was used, software sizing used to be
performed using number of Source Lines of Code (SLOC). However, it does not work well for
complex systems using different types of programs and automated tools like Source Code
Generators. This puts limitation on planning for cost, schedule and quality metrics.
With new technologies, Multi-Point Estimations Techniques were developed that now uses
diagrams, objects, spreadsheet cells, database queries and Graphical User Interface (GUI)
widgets. These technologies are more closely related to functionality that needs to be created
rather than lines of code.
Function Point Analysis (FPA)
The Function Point Analysis (FPA) technique has evolved over the years and is widely used
for estimating complexity in developing large business applications. The results of FPA are a
measure of the size of an information system based on the number and complexity of the
inputs, outputs, files, interfaces and queries with which a user views and interacts with the
22
data. This is an indirect measure of software size and the process of development. It is based
on the number and complexity of inputs, outputs, files, interfaces and queries.
Function points (FPs) are computed by considering various parameters like number of users,
number of inputs, number of outputs, expected user actions, data elements to be processed
and external interfaces to determine whether a particular module/program is simple, average
or complex. This information is used to compute function point using an algorithm that takes
into account complexity adjustment values (i.e., rating factors) based on responses to
questions related to reliability, criticality, complexity, reusability, changeability and portability.
Function points (FP) derived from this equation are then used as a measure for cost,
schedule, productivity and quality metrics (e.g. Productivity = FP/Person-Month, Quality =
Defects/FP, and Cost = Monetary Value/FP).
IS Auditor should be familiar with the use of Function Point Analysis. However, IS
Auditors are not expected to be experts in this technique.
FPA Feature Points
In web-enabled applications, the development effort depends on the number of forms, number
of images; type of images (static or animated), features to be enabled, interfaces and cross-
referencing that is required. Thus, from the point of view of web applications, the effort would
include all that is mentioned under Function Point Estimation, plus the features that need to be
enabled for different types of user groups. The measurement would involve identification or
listing of features, access rules, links, storage, etc.
A slightly different approach for System Software such as Operating Systems, Telephone
Switching Systems, etc. was developed. To differentiate from FPA it is called “Feature Points”.
It is used for software that has well-defined algorithms like Systems Software, Embedded
Software, Real Time Software, CAD, Artificial Intelligence and some traditional MIS software.
Cost Budgets
Cost estimates of a SDLC project are based on the amount of effort likely to be required to
carry out each task. The estimates for each task contain one or more of the following
elements:
1. Person-hours for all type of resources e.g. System Analyst, Programmers, Support
Staff, Testing Teams etc. (Pl. refer section 3.9 roles and responsibilities)
2. Infrastructure (Hardware, Software, Networks etc.), other specialized software, if any
and communication equipment
3. Other costs such as third-party services, automation tools required for the project,
consultant or contractor fees, training costs, etc.
Based on estimates following steps are used in arriving at cost budget:
23
 Prepare estimate of human and machine effort by for all tasks.

 Determine hourly rate for each type of person-hours and arrive total person cost.
3. Project Controlling Tools and Techniques
Project Manager uses various tools and techniques to control the project. The graphical
techniques used to represent schedule are:
1. Project Evaluation Review Technique (PERT)
2. Critical Path Method (CPM)
3. Gantt Chart
A. Program Evaluation Review Technique (PERT)
PERT is a technique to estimate the efforts and time required to complete the work/task
described by Work Breakdown Structure (WBS). Project Manager lists out the major tasks and
arrives at three different duration estimates of each activity. The three estimates are then used
to derive single estimate applying a mathematical formula. PERT is often used in projects with
uncertainty about the duration. Table 1.1 illustrates one such formula for a hypothetical project
where activities are named from A to L. The first is the most optimistic time (if everything went
well) and the third is the pessimistic or worst-case scenario. The second is the most likely
scenario. This estimate is based on experience attained from projects that are similar in size
and scope. To calculate the PERT time, estimate for each given activity, the following
calculation is applied: [Optimistic + Pessimistic + 4(most likely)]/6
Table 1.1: PERT table
24
Figure 1.4 illustrates use of the PERT Network Management Technique. (Each circle
represents milestones and the arrow represents activities. Number after activity shows the
number of days required to complete the activity.)
Figure 1.4: PERT Diagram

Some Project Managers show all estimates in the PERT diagram.
B. Critical Path Methodology
All project schedules have a critical path. Activities of a project are in sequence or
independent or parallel. A project can be represented as a network of activities is shown in
PERT diagram. (Some Project Managers refer to PERT diagram as PERT Network).
A path through the network is any set of successive activities which go from the beginning to
the end of the project. Associated with each activity in the network is a single number that
represents estimates the amount of time that the activity will require to complete.
The critical path is the sequence of activities whose sum of activity time is highest than that for
any other path through the network. Critical paths represent the shortest possible project
completion time, if everything goes according to schedule. In other words, delay in completing
any activity on critical path delays the overall project.
Activities which are not in the critical path have slack time, i.e. delay in performing these
activities may not affect the overall project schedule. Activities on critical path have zero slack
time.
The PERT diagram shown in figure 1.4 has following 4 paths:
1. A – C – E – G – I – L
2. A – C – E – H – J – K
25
3. B – D – F – H – J – K
4. B – D – F – G – I – L
Using the time estimates the total time required for each path is 28, 30, 34 and 32 days
respectively. Third path hence is Critical Path. (Shown by thick arrows in figure 1.5
Figure 1.5: Critical Path Method (CPM)

Project Manager can use the slack time on non-critical path for scheduling resources
optimally, since slack time provides flexibility to start activity late than scheduled start date.
The slack times for a project are computed by working forward through path, computing the
earliest possible completion time for each activity, until the earliest possible completion time
for the total project is found. Then by working backward through the network, the latest
completion time for each activity is found, the slack time computed and the critical path
identified.
Most CPM packages facilitate the analysis of resource utilization per time unit (e.g., day,
week, etc.) and resource levelling, which is a way to level off resource peaks and valleys.
C. Gantt Charts
Gantt Charts are aid for scheduling activities/tasks needed to complete a project. These
charts show details related to activities calculated during PERT and CPM. The charts also
show which activities are in progress concurrently and which activities must be completed
sequentially. Gantt Charts may reflect the resources assigned to each task and by what
percent allocation. The charts aid in identifying activities that have been completed early or
late. Progress of the entire project can be tracked from the Gantt Chart. Gantt Charts can also
be used to track the milestones for the project.
26
Figure 1.6: Gantt chart
1.11 Summary
Every project has unique success criteria based on the expectations of stakeholders.
Generally, success criteria are measurable and manageable such as cost, time and scope.
However, some criteria, such as meeting business needs, are subjective but essential. The
project sponsor is a key stakeholder who defines such success criteria. The project team
should capture project requirements and document them at the initial stage to complete the
project successfully. Activity of capturing requirements is usually difficult because it involves
subjective decisions and extensive interaction between users and developers. Requirements
should be formally approved and then frozen (baselined) to prevent Scope Creep. Success
criteria allow the Project Manager to focus on managing risks that can affect desirable
outcome and successful completion of the project.
IS Auditor should review adequacy of the following project management activities:
 Levels of oversight by Project Committee/Board
 Risk Management methods within the project
 Issue Management
 Cost Management
 Processes for Planning and Dependency Management
27
 Reporting processes to Senior Management

 Change Control processes
 Stakeholder Management involvement
 Sign-off process
 Adequate documentation of all phases of the SDLC process such as:
 Availability of clearly defined objectives on what is to be accomplished during
each phase.
 Key deliverables of each phase with project personnel assigned direct
responsibilities for these deliverables.
 A project schedule with highlighted dates for the completion of key deliverables.
 An economic forecast for each phase, defining resources and the cost of the
resources required to complete the phase.
1.12 Questions
1. Who among the following is responsible for ongoing facilitation of a SDLC
project?
A. Project Sponsor
B. Project Manager
C. Steering Committee
D. Board of Directors
2. A Multi-National organization has decided to implement an ERP solution across
all geographical locations. The organization shall initiate a:
A. Project
B. Program
C. Portfolio
D. Feasibility study
3. Which of the following primarily helps Project Manager in mitigating therisk
associated with change in scope of software development project?
A. Change Management Process
B. Use of Prototyping
28
C. Revising Effort Estimates

D. Baselining requirements
4. Monitoring which of the following aspect of SDLC project shall help organization
in benefit realization over sustained period of time?
A. Quality
B. Budget
C. Schedule
D. Methodology
5. Which of the following tools and techniques primarily help in improving
productivity of SDLC project team members?
A. Use of Standard Methodology
B. Software Sizing using FPA
C. Developers’ Workbench
D. Appropriate HR Policies
6. While performing mid-term review of SDLC project, the IS Auditor primarily
focuses on:
A. Project Risk Management Process
B. Adherence to the schedule
C. Reviewing minutes of Steering Committee Meeting
D. Cost Management is as per budget
7. A Project Manager's main responsibility in a project meant to create a product is:
A. Ensuring it is high grade
B. To pack exciting features in the product
C. Ensuring it is high quality
D. Creating a product within allocated cost and schedule
8. The Project Manager should be able to fulfill the role of:
A. An Integrator
B. A Functional Manager
29
C. A Line Manager
D. A Sponsor
9. The most successful Project Manager usually:
A. Works his/her way up from Assistants in the project office to full-fledged Project
Managers, supplementing that experience with formal education.
B. Comes right from Harvard's MBA program into managing very large projects.
C. Are the Technical Experts.
D. Have considerable experience as a Functional Manager before moving into the
Project Management arena.

1. A is the correct answer. Project Sponsor is a stake holder having maximum interest /
stake in the success of project and his primary responsibility is to coordinate with
various stakeholders for success of project. Option B: Project Manager is responsible
for executing the project activities. Option C: Steering Committee monitors project
progress but is not ongoing activity. Option D: Board of Directors provides direction.
2. B is the correct answer. A program is concerned with the benefits received, from
implementing it, whereas project deals with specific deliverables. The scope of
the program is wider in comparison to the project. The project works on a single
functional unit, while the program works on various functional units. A portfolio contains
both projects and programs and is managed by a portfolio manager. Option D:
Feasibility study either has been completed or shall be initiated as part of program.
3. D is the correct answer. Scope Creep of continued changes in requirements during
SDLC project is most common risk. If not properly handled the project may be delayed
and benefit realization from the project shall be affected. The Project Manager
therefore, must freeze the scope by base-lining requirements. Any change after base-
lining shall follow. Option A: Change Management process without base-lining may not
help. Project Manager may or may not. Option B: is used for freezing the requirements.
Option D: revised effort estimate is applicable after change is approved.
4. A is the correct answer. Quality is most important aspect for SDLC project, since it
minimizes errors that can impact operations. Options B, C and D are of prior to
monitoring phase.
5. C is the correct answer. Automated tools help team in improving productivity as these
tools help in managing mundane and structure activities and developers can focus on
core activities. Developers’ workbench provides various functions that help in improving
30
productivity. Option A: Use of standards help in following uniform methods and reducing
rework. Option B: Software Sizing is the main input parameter to cost estimation
models. Option D: HR policies may help in motivating team but it is secondary.
6. A is the correct answer. Auditor should primarily focus on risk management that will
provide inputs on events that has impact on all aspects of project. Options B, C and D
help in confirming the findings from review of Risk Management process.
7. C is the correct answer. A Project Manager is responsible to ensure high quality in a
way that the final product meets the specifications and quality benchmarks. Options A,
B and C are not the main responsibility of a Project Manager.
8. A is the correct answer. The Project Manager is responsible for collective project
success. The Project Manager integrates a project as a whole. He/she unifies various
aspects and processes of initiating, planning, executing, monitoring, control and
closure. Options B, C and D is not the role of the Project Manager.
9. A is the correct answer. A Project Manager must have experience in working on
projects in various roles including the role of a Project Manager. Options B, C and D are
secondary aspect.
31
Chapter 2
SDLC – Need, Benefits and Phases
Learning Objectives:
After completion of this chapter you should have conceptual clarity on the basic concepts of
System Development Life Cycle (SDLC), changes in SDLC due to change of technology and
business environment. This chapter will also help to understand the inclusion of newer phases
in SDLC. This chapter covers:
 Traditional SDLC phases and overview of the main activities;
 Additional phases due to availability of outsourcing and generic customizable software;
and
 Steps added in different phases due to security requirements (Secure SDLC or
SSDLC).
2.1 What is SDLC?

SDLC refers to the process of examining a business case with the intent of improving it
through better procedures and methods. This is required when there is need to change
business processes due to requirements arising out of customers/stakeholder’s expectations
and business strategy. These changes are generally attributed to need to automate the
service delivery using information and related technology. System development involves
developing or acquiring and maintaining application systems that are used for various day-to-
day business process activities. Generally, these systems process data of business
transactions.
A standard set of steps used for developing systems is called a SDLC. SDLC generally uses
various methods depending upon the type and nature of application. For example, a batch
processing application that processes historical data to generate reports for management’s
information may use a model where activities are performed one after another (waterfall
model), where as if there is no clear understanding of what functions can be automated, an
iterative (spiral) model may be used. Similarly, depending upon the availability of skilled
resources, the development team may adopt different methodology for developing software.
2.2 Relevance of SDLC for Business Process Automation

Business Application System, also called Application Software, is designed to support a
specific function or process of an organization, such as management of inventory, payroll, or
analysis of market. The objective of application system is to process data to produce
information. For example, a software developed for the managing inventory at a bookstore
may keep track of the inventory of books in stock for the latest bestseller. Application System
for the Human Resource Department may keep track of the changing payroll information of the
employees.
System Development involves developing or acquiring and maintaining Application Systems
which are used for various day-to-day business activities. These business activities are called
as Business Processes and they process data. The effective management and control of this
System Development is critical as the business systems process and control information
assets of the organization. The use of standard set of steps to develop and support business
applications is called Systems Development Methodology.
2.3 Need for SDLC

The need for business development or acquisition of new applications may arise to due to
following situations:
 New service delivery opportunity that relates to a new or existing business process (e.g.
e-commerce);
 Issues and problems with an existing systems/business process (complaints from
customers/users);
 Change in strategic focus leading to an opportunity that will provide benefits to the
organization (Mergers and Acquisitions, or new Service Delivery Channels like ATM for
Banks);
 New opportunity due to advancement of existing technology or availability of new
technology (e.g. use of Mobile Technology for Banking Services); and
 Use of automation by competitors to enhance quality of services.
All of these situations directly affect the business drivers. Business drivers can be stated as
the attributes of a business function (service delivery) that arise out of strategic objectives to
enhance targets and goals of business function to achieve the strategic goals of the business.
In other words, business objectives defined by strategy gets translated into drivers for
business operations which require new application software or upgrading of existing
application software. This results in initiating an SDLC project.
2.4 Benefits of SDLC

There are many benefits for deploying a SDLC including the ability to pre-plan and adopt a
structured approach for its’ phases and goals. The goal-oriented processes of SDLC are
comprehensive in applicability and can be modified to meet changing needs. However, if
SDLC is well-defined for the business, one can:
33
 Have a clear view of the entire project, the personnel involved, staffing requirements, a
defined timeline, and precise objectives to close each phase.
 Base costs and staffing decisions on concrete information and need.
 Provide verification, goals, and deliverables that meet design and development
standards for each step of the project, developing extensive documentation throughout.
 It usually begins with the analysis of cost and timelines and provides developers a
measure of control through the phased and iterative approach.
 Improvement may be brought in the quality of the final system through verification at
each stage.
2.5 Phases of SDLC

System Development life cycle is a sequence of activities performed by group of users and IT
Development experts. These set of activities are grouped together to form phases and
generally each phase has pre-determined set of deliverables and/or a milestone to be
reached. Typically, a SDLC consists of 7 phases.
The number of phases might vary for each SDLC project depending upon milestones and/or
deliverables. For example: if an organization is developing a software using internal
development team, it may not lay much emphasis on User Acceptance Testing (UAT) and may
club this activity with Testing Phase, whereas in case of outsourced development or acquired
software, UAT is a major milestone and has pre-defined deliverables that are signed off. In
the diagram below, considering the criticality of outsourced applications, UAT has been shown
as a separate phase
2.5.1 Phase 1: Feasibility Study

The feasibility study is based on technical, economical and social aspects and this helps in
determining strategic benefits of using system. These benefits can be either in productivity
gains or in future cost avoidance. The study has to also identify and quantify the cost savings
and estimate the probable Return on Investment. This information is used to build a business
case covering both tangible as well as intangible factors such as readiness of the business
users and maturity of the business processes. The business case provides inputs for business
justification for moving to the next phase and is also used for reviewing progress or evaluating
success of SDLC project.
Detailed steps of feasibility study are discussed in chapter 2. The feasibility study shall be
different for different applications depending upon the expected benefits for the organization.
For example, if an organization intends to implement an application that is already
implemented by various organizations of similar type, it may use a generic feasibility study
34
and focus only on the benefits to the organization, such as providing Internet Banking services
or Mobile Banking services.
Role of IS Auditor in project initiation and feasibility study phase:
 Review of documentation for the reasonableness.
 Review cost justification/benefits with schedule of when the anticipated benefits may be
realized.
 Identify if the business needs used to justify the system actually exist.
 Justification for going for a development or acquisition.
 Review the alternate solutions for reasonableness.
 Review the reasonableness of the chosen solution.
2.5.2 Phase 2: Requirements Definition

This phase involves preparing the statement of intent explaining the problem or the need for
new application to provide functional, service and quality requirements of the solution system.
The user needs to be actively involved in requirements definition. This involves:
 Studying needs of the users
 Obtaining inputs from employees and managers on their expectations
 Determining information requirements of the users
Several fact-finding techniques and tools such as questionnaires, interviews, observing
decision-maker behaviour and their office environment etc. are used for understanding the
requirements.
Role of IS Auditor in Requirements Definition phase:
 Identify the affected users and the key team members on the project to verify that they
are having an appropriate representation.
 Review detailed requirements definition document and verify its accuracy and
completeness through interviews with the affected and requested user departments.
 Review existing Data Flow Diagrams (DFD) and other related specifications like forms,
Data Descriptions, Output Formats, etc., to ensure that they cover the user
requirements.
2.5.3 Phase 3a: System Analysis

This refers to the process of gathering and analyzing the facts, diagnosing problems, and
using the outcome to recommend improvements to the proposed system. Before arriving at
35
new design, one must thoroughly understand existing process/system and map them against
new requirements to understand changes and rationale for changes. Analysis is also important
to decide upon system design approach. Traditional system development generally adopts a
data oriented approach, since it had been focused on processing and presenting of business
data., However, due to extensive use of technology in modern organizations, the focus now is
more on service oriented approach where the objective of the system is to provide services
using data models.
Role of IS Auditor in System Analysis phase:
 Verify that Management has approved the initiation of the project and the cost.
 In case of acquisition, determine that an appropriate number of vendors have been
given proposals to cover the true scope of the project and requirements of the users.
 Determine whether the application is appropriate for the user of an embedded audit
routine or modules and if so, request may be made to incorporate the routine in
conceptual design of the system.
2.5.4 Phase 3b: Design

This phase takes primary inputs from Phase 1, i.e. Requirement Definition. Based on the
requirements identified, the team may need to finalize requirements by multiple user
interactions and establish a specification baseline for development of system and subsystem.
These specifications describe:
 Parts of the System
 How they interface
 How the System need to be implemented
 Type of Hardware, Operating System and other Software
 Network facilities
 Program and Database Specifications
 Security considerations
Additionally, a formal change management process should be established to prevent
uncontrolled entry of new requirements during development process.
Role of IS Auditor in design phase:
 Review system flowcharts for adherence to the general design
 Review input, processing and output controls and ensure that they have been
appropriately included in the system.
36
 Assess adequacy of the audit trails which provide traceability and accountability.
 Verify key calculations and processes for correctness and completeness.
 Interview users to ascertain their level understanding of the system design, input to the
system, screen formats and output reports.
 Verify that system can identify erroneous data correctly and can handle invalid
transactions.
 Review conceptual design to ensure the existence of appropriate controls.
 Review quality assurance and quality control results of programs.
 Verify the design for its completeness and correctness and ensure that it meets the
defined requirements.
 Verify that the functional data created during requirement phase is complete and test
plans are developed.
2.5.5 Phase 4: Development

In this phase, efforts are made to use the design specifications to begin programming, and
formalizing support for operational processes of the system. After the system design details
are resolved, the resource needs such as specific type of hardware, software, and other
services are determined. The choices depend on many factors such as time, cost and
availability of skilled resources, i.e. programmers and testers. The analyst works closely with
the programmers. During this phase, the analyst also works with users to develop required
documentation for software, including various procedure manuals. In the development phase,
the design specifications are converted into a functional system that will work in planned
system environment. Application programs are written, tested and documented. Finally, this
results in development of a fully functional and documented system. A very well coded
application program should have the following characteristics:
 Reliability: It refers to the consistency with which a program operates over a period of
time. However, poor setting of parameters and hard coding of some data subsequently
could result in the failure of a program after some time.
 Robustness: It refers to the applications’ strength to perform operations in adverse
situations by taking into account all possible inputs and outputs of a program
considering even the least likely situations.
 Accuracy: It refers not only to what program is supposed to do’, but also the ability to
take care of ‘what it should not do’. The second part is of great interest for quality
control personnel and auditors.
37
 Efficiency: It refers to the performance per unit cost with respect to relevant
parameters and it should not be unduly affected with the increase in input values.
 Usability: It refers to a user-friendly interface and easy-to-understand internal/external
documentation.
 Readability: It refers to the ease of maintenance of program even in the absence of the
program developer.
Some key aspects of development:
1. Program Coding Standards: The logic of the program outlined in the flowcharts is
converted into program statements or instructions. For each language, there are specific rules
concerning format and syntax. Syntax means vocabulary, punctuation and grammatical rules
available in the language manuals that the programmer has to follow strictly and pedantically.
Different programmers may write a program using different sets of instructions but each giving
the same results. This might create a problem for changes to be done to the program which
has been written by another programmer. Therefore, the coding standards are to be defined
so as to serve as a method of communication between teams, amongst the team members
and users resulting in better controls. Coding standards minimize the system development
issues due to programmer turnover. These standards provide simplicity, interoperability,
compatibility, efficient utilization of resources and reduce processing time.
2. Programming Language: Depending upon the development approach, the analyst
decides the programming language to be used. Application programs are coded in the form of
statements or instructions and the same is converted by the compiler to object code for the
computer to understand and execute. The programming languages commonly used are:
 High-level general-purpose programming languages such as COBOL and C;
 Object oriented languages such as C++, JAVA etc.;
 Scripting language such as JavaScript, VBScript; and
 Decision Support or Logic Programming languages such as LISP and PROLOG.
The choice of a programming language may depend on various pertinent parameters. In
general, language selection may be made on the basis of application area; algorithmic
complexity; environment in which software has to be executed; performance consideration;
data structure complexity; knowledge of System Development staff; and capability of in-house
staff for maintenance.
Role of IS Auditor in development phase:
 Ensure that documentation is complete.
 Review QA report on adopting coding standards by developers.
 Review the testing and bugs found are reported and sent for rework to developers.
38
2.5.5.1 Software Escrow

A Software Escrow arrangement requires the developer of a software product to place
proprietary materials necessary to maintain the product in escrow with a neutral party known
as the Escrow Agent. Should the software vendor, or licensor, fail to support the product, the
Escrow Agent agrees to release the proprietary materials (such as source code) to the end-
user. The end-user or licensee is then allowed to employ the deposit materials to support the
licensed product. A partial list of recommended deposit materials includes:
 Two copies of the Source Code for each version of the licensed software on magnetic
media
 All manuals not provided to the licensee (technical, operator/user, installation)
 Maintenance tools and necessary third-party system utilities
 Detailed descriptions of necessary non- licenser proprietary software, descriptions of
the programs required for use and/or support that the developer does not have the right
to offer to the licensee
 Names and addresses of key technical employees that a licensee may hire as a sub-
contractor in the event the developer ceases to exist
 File listings generated from any magnetic media
 Compilation instructions in written format or recorded on video format.
2.5.6 Phase 5: Testing

Before the information system can be used, it must be tested. Systems testing are done at
various stages during development till implementation. There are primarily two types of
testing:
1. Quality Assurance Testing, that includes Unit Testing, Interface Testing, Integration
Testing and Peer Reviews.
2. User Acceptance Testing (UAT) also known as Final Acceptance Testing.
Testing establishes the actual operation of the new information system, with the final iteration
of User Acceptance Testing and user sign-off. Organization may consider going for a
certification and accreditation process to assess the effectiveness of the business application.
This provides assurance to the management about:
 Mitigating risks to an appropriate level.
 Providing accountability over the effectiveness of the system in meeting objectives.
 Establishing an appropriate level of internal control.
39
UAT supports the process of ensuring that the system is production-ready and satisfies all
documented requirements. The methods include:
 Definition of test strategies and procedures.
 Design of test cases and scenarios.
 Execution of the tests.
 Utilization of the results to verify system readiness.
Acceptance criteria are defined so that a deliverable satisfies the pre-defined needs of the
user. A UAT plan must be documented for the final test of the completed system. The tests
are written from a user perspective and should test the system in a manner as close to
production as possible. For example, tests may be based around typical pre-defined, business
process scenarios. If new business processes have been developed to accommodate the new
or modified system they should also be tested at this point. A key aspect of testing should also
include testers seeking to verify that supporting processes integrate into the application in an
acceptable manner. Successful completion would generally enable a project team to hand
over a complete integrated package of application and supporting procedures.
Ideally, UAT should be performed in a secure testing or staging environment. A secure testing
environment where both source and executable code are protected helps to ensure that
unauthorized or last-minute changes are not made to the system without going through the
standard system maintenance process. The nature and extent of the tests will depend on the
magnitude and complexity of the system change.
Testing primarily focuses on ensuring that the software does not fail i.e. it will run according to
its specifications and in the way users expect. Special test data are input for processing and
the results are examined against pre-determined output. If it is found satisfactory, it is
eventually tested with actual data from the current system.
Role of IS Auditor in testing phase:
 Review the test plan for completeness and correctness.
 Review whether relevant users have participated during testing phase.
 Review error reports for their precision in recognizing erroneous data and for resolution
of errors.
 Verify cyclical processes for correctness (example: year-end process, quarter-end
process)
 Interview end-users of the system for their understanding of new methods, procedures
and operating instructions.
40
 Review the system and end-user documentation to determine its completeness and
correctness.
 Review whether reconciliation of control totals and converted data has been performed
to verify the integrity of the data after conversion.
 Review all parallel testing results.
 Test the system randomly for correctness.
 Review unit test plans and system test plans to determine that tests for internal control
are addressed.
 Verify that the system security is functioning as designed by developing and executing
access tests.
 Ensure test plans and rest results are maintained for reference and audit
2.5.7 Phase 6: Implementation

This involves roll out of the application which has been developed or acquired for the business
function based on the current state. The approach for implementation will be decided based
on this state. One of the following approaches may be adopted: (This is discussed in more
detail in chapter 6)
1. Cut-off: Where old system/process is discontinued and new application is made live
(operational).
2. Phased implementation: Where new application is started in logical phases for
different functions.
3. Pilot: Where a part function is implemented using new application and based on result
either phased or cut-off approach is followed.
4. Parallel: Where both the old and new system run simultaneously and based on problem
resolution and reliability of processing by the new system, the old system is
discontinued.
Role of IS Auditor in Implementation Phase:
 Ensure that test plans, test data and rest results are maintained for reference and audit.
 Determine that the formal acceptance has been signed by the Project Development
team, User Management team, Quality Assurance team and Security Professional/
Auditor.
 Verify that the system has been installed according to the organization’s change control
procedures.
41
 Review programmed procedure used for scheduling and running the system along with
the system parameters that are used in executing the production schedule.
 Review all system documentation to ensure its completeness and verify whether all
recent updates from the testing phase have been incorporated.
 Verify that data conversion is correct and complete and is confirmed by the respective
User Departments before the system is implemented and Final User Sign-off is
obtained.
2.5.8 Phase 7: Maintenance

This is the post-implementation stage following the successful implementation of a new or
extensively modified system. This requires, implementation of a formal process that:
1. Provides support and assistance to users in smooth operations and end-user
management.
2. There is a mechanism to record, review and implement deficiencies and future changes
required.
3. Assess adequacy of the system and projected ROI measurements as per business
case.
4. Update project management process based on lessons learned and recommendations
for future projects regarding system development.
Role of IS Auditor in Maintenance and Post-Implementation Phase:
Sufficient time should be allowed before post-implementation review for the system to stabilize
in the live environment. Then only there may be significant problems that would have
surfaced. Some prominent roles of the IS Auditor are:
 Determine that the systems objective requirements were achieved
 Determine if the cost benefits identified in the feasibility study are being measured.
 Review that the required controls have been built into the system to ensure that they
are operating as designed.
 Review error logs to determine if there is any resource or operating problems inherent
with the system. Logs may indicate the inappropriate planning or testing of the system
prior to implementation.
 Review input and output control balances and reports to verify that system is
processing data correctly and completely.
 Evaluate adequacy of procedures for authorizing, prioritizing and tracking system
changes.
42
 Identify system changes and verify that appropriate authorization was given to make the
change in accordance with organizational standards.
 Review permanent program documentation to ensure that evidence (Audit Trail) is
retained regarding program changes.
 Evaluate adequacy of the security access restrictions over production source and
executable modules.
 Evaluate adequacy of the organization’s procedures for dealing “emergency” program
changes.
 Evaluate the adequacy of the security access restrictions over the use of the
“emergency” logon-ids.
 Verify existence and adequacy of the records for system changes.
 Evaluate adequacy of the access protection of maintenance records.
2.6 Types of SDLC Model

2.6.1 Waterfall Model
The Waterfall Approach is a traditional development approach in which each phase is
executed in sequence or in linear fashion. These phases include requirements analysis,
specifications and design requirements, coding, final testing, and release. Fig. 2.1 shows
representative model of this method. When the traditional approach is applied, an activity is
undertaken only when the prior step is completed.
Fig. 2.1: Waterfall Approach
43
The characterizing features of this model have influenced the development community in big
way. Some of the key characteristics are:
 Project is divided into sequential phases, with some overlap and splash back
acceptable between phases.
 Emphasis is on planning, time schedules, target dates, budgets and implementation of
an entire system at one time.
 Tight control is maintained over the life of the project through the use of extensive
written documentation, as well as through formal reviews and approval/signoff by the
user and information technology management occurring at the end of most phases
before beginning the next phase.
Strengths:
 It is ideal for supporting less experienced project teams and Project Managers, or
project teams whose composition fluctuates.
 The orderly sequence of development steps and design reviews help to ensure the
Quality, Reliability, Adequacy and Maintainability of the developed software.
 Progress of system development can be tracked and monitored easily.
 It enables to conserve resources.
Weaknesses:
 It is criticized to be Inflexible, slow, costly, and cumbersome due to significant structure
and tight controls.
 Project progresses forward, with only slight movement backward.
 There is a little to iterate, which may be essential in situations.
 It depends upon early identification and specification of requirements, even if the users
may not be able to clearly define ‘what they need early in the project’.
 Requirement inconsistencies, missing system components and unexpected
development needs discovered during design and coding are most difficult to handle.
 Problems are often not discovered until system testing.
 System performance cannot be tested until the system is almost fully coded, and under
capacity may be difficult to correct.
 It is difficult to respond to changes, which may occur later in the life cycle, and if
undertaken it proves costly and are thus discouraged.
 Written specifications are often difficult for users to read and thoroughly appreciate.
 It promotes the gap between users and developers with clear vision of responsibility.
44
2.6.2 Incremental Model

The Incremental model is a method of software development where the model is designed,
implemented and tested incrementally (a little more is added each time) until the product is
finished. The product is defined as finished when it satisfies all of its requirements. This model
combines the elements of the waterfall model with the iterative philosophy of prototyping. It is
pictorially depicted in Fig. 2.2.
The product is decomposed into a number of components, each of which are designed and
built separately (termed as Builds). Each component is delivered to the client when it is
complete. This allows partial utilization of product and avoids a long development time. It also
creates a large initial capital outlay, and the subsequent long wait is avoided. This model of
development also helps to ease the traumatic effect of introducing completely new system all
at once. A few pertinent features are listed as follows:
 A series of mini-Waterfalls are performed, where all phases of the Waterfall
development model are completed for a small part of the system, before proceeding to
the next increment.
 Overall requirements are defined before proceeding to evolutionary, mini–Waterfall
development of individual increments of the system.
 The initial software concept, requirement analysis, and design of architecture and
system core are defined using the Waterfall approach, followed by Iterative Prototyping,
which culminates in installation of the final prototype (i.e. working system).
45
Fig. 2.2: Incremental Model

Strengths:
 Potential exists for exploiting knowledge gained in an early increment as later
increments are developed.
 Moderate control is maintained over the life of the project through the use of written
documentation and the formal review and approval/signoff by the user and information
technology management at designated major milestones.
 Stakeholders can be given concrete evidence of project status throughout the life cycle.
 It is more flexible and less costly to change scope and requirements.
 It helps to mitigate integration and architectural risks earlier in the project.
 It allows the delivery of a series of implementations that are gradually more complete
and can go into production more quickly as incremental releases.
 Gradual implementation provides the ability to monitor the effect of incremental
changes, isolated issues and make adjustments before the organization is negatively
impacted.
46
Weaknesses:
 When utilizing a series of mini-Waterfalls for a small part of the system before moving
onto the next increment, there is usually a lack of overall consideration of the business
problem and technical requirements for the overall system.
 Each phase of an iteration is rigid and do not overlap each other.
 Problems may arise pertaining to system architecture because not all requirements are
gathered up front for the entire software life cycle.
 Since some modules will be completed much earlier than others, well-defined interfaces
are required.
 It is difficult to demonstrate early success to management.
2.6.3 Software Reengineering and Reverse Engineering

Software Reengineering
Reengineering as name suggest is a process of updating an existing system by reusing
design and program components. Although it updates existing software as it is used in case of
major changes in existing system, it differs from change management due to the extent of
changes. These changes typically prompt for new software development project, however as
an interim solution a reengineering project is initiated. A number of tools are now available to
support this process.
What is SoftwareRreengineering?
 Restructuring or rewriting part or all of a system without changing its functionality
 Applicable when some (but not all) subsystems of a larger system require frequent
maintenance
 Reengineering involves putting in the effort to make it easier to maintain
 The reengineered system may also be restructured and re-documented
When to Reengineer?
 When system changes are confined to one subsystem, the subsystem needs to be
reengineered
 When hardware or software support becomes obsolete
 When tools to support restructuring are readily available
 When some business processes or functions are reengineered
47
Software Reengineering Activities

 Inventory Analysis – Listing and identifying active software applications and
components required by business. The attributes of applications can be criticality,
longevity, current maintainability. This helps in identifying reengineering criteria.
 Document Restructuring – Identify documentation for identified applications/modules.
(Identifying poor or weak documentation for re-documentation sometimes considered as
reengineering activity)
 Design Recovery –Identify the design of the application module to be reengineered. (In
case it is not available it may have to be built based on code or using Reverse
Engineering method)
 Reverse Engineering – Process of design recovery - Analyzing a program in an effort
to create a representation of the program at some abstraction level higher than source
code
 Code Restructuring – Source code is analysed and violations of structured
programming practices are noted and repaired, the revised code also needs to be
reviewed and tested
 Data Restructuring – Usually requires full Reverse Engineering, current data
architecture is dissected and data models are defined, existing data structures are
reviewed for quality
 Forward Engineering – also called reclamation or renovation, recovers design
information from existing source code and uses this information to reconstitute the
existing system to improve its overall quality and/or performance.
Figure 2.3: Reengineering and reverse Engineering
48
Reverse Engineering
Reverse Engineering is the process of studying and analysing an application, a software
application or a product to see how it functions and to use that information to develop a similar
system. This process can be carried out in several ways:
 Decompiling object or executable code into source code and using it to analyze the
program
 Black Box testing: The application to be reverse-engineered to unveil its functionality
The major advantages of Reverse Engineering are:
 Faster development and reduced SDLC duration
 The possibility of introducing improvements by overcoming the reverse-engineered
application drawbacks
The IS Auditor should be aware of following risks:

• Software license agreements often contain clauses prohibiting the licensee from
reverse engineering the software so that any trade secrets or programming techniques
are not compromised.
• De-compilers are relatively new tools with functions that depend on specific
computers, operating systems and programming languages. Any change in one of
these components may require developing or purchasing a new de-compiler.
2.6.4 Object Oriented Software Development (OOSD)

OOSD differs from traditional SDLC approach which considers data separately from the
procedures that act on them (e.g., program and database specifications). OOSD is the
process of solution specification and modelling where data and procedures can be grouped
into an entity known as an object. An object’s data are referred to as its attributes and its
functionality is referred to as its methods. Proponents of OOSD claim the combination of data
and functionality is aligned with how humans conceptualize everyday objects.
Objects usually are created from a general template called a Class. The template contains
the characteristics of the Class without containing the specific data that need to be inserted
into the template to form the Object.
Classes are the basis for most design work in Objects. Classes are either Super-Classes (i.e.,
Root or Parent Classes) with a set of basic attributes or methods, or Sub-Classes which
inherit the characteristics of the Parent Class and may add (or remove) functionality as
required. In addition to inheritance, Classes may interact through sharing data, referred to as
aggregate or component grouping, or sharing objects.
49
Aggregate Classes interact through messages, which are requests for services from one
Class (called a client), to another Class (called a server). A Polymorphism is termed as the
ability of two or more Objects to interpret same message differently during execution,
depending upon the superclass of the calling Object.
For example, consider a car owned by you as an object. The object is complete in itself and all
necessary data (components and specifications) are embedded into the object. The object can
be specifically used for the purpose it has been designed. However, there are different
objects either having similar data (same model, same company) or different data (Different
model, different companies etc.) All these objects belong to class cars. All object cars have
common attributes (i.e. steering, gear, break, wheels etc.) that are inherited from class cars
(or may be from superclass vehicles). One can modify the object car by keeping basic
common attributes and add few more functions to it. (Polymorphism)
There are many programming languages that are used for developing object-oriented
systems. To realize the full benefits of using object-oriented programming, it is necessary to
employ object-oriented analysis and design approaches. Dealing with objects should permit
analysts, developers and programmers to consider larger logical chunks of a system and
clarify the programming process. Although it is possible to do object-oriented development
using a waterfall model in practice most object-oriented systems are developed with an
iterative approach. As a result, in object-oriented processes "Analysis and Design" are often
considered at the same time. OOSD being a programming method, use of a particular
programming language or a particular programming technique does not imply or require use of
a particular software development methodology.
Advantages of OOSD:
 The ability to manage an unrestricted variety of data types
 Provision of a means to model complex relationships
 It has capability to meet the demands of a changing technology and environment
A significant development in OOSD has been the decision by some of the major players in
object-oriented development to join forces and merge their individual approaches into a
unified approach using the Unified Modelling Language (UML). UML is a general-purpose
notational language which helps developers to specify and visualize complex software for
large object-oriented projects. This signals a maturation of the object-oriented development
approach. While object-orientation is not yet pervasive, it can be accurately said to have
entered the computing mainstream.
Applications that use object-oriented technology are:
 Web Applications
 E-Business applications
50
 CASE for Software Development

 Office Automation for email and work orders
 Artificial Intelligence
 Computer-Aided Manufacturing (CAM) for production and process control
2.6.5 Component Based Development

Component-Based Development is an outgrowth of Object-Oriented Development.
Component-Based Development is in fact assembling packages of executable software that
make their services available through defined interfaces. These packages also called as
enabling pieces of programs are called Objects. These objects are independent of
programming languages or operating system. The basic types of Components are:
 In-Process Client Components: These components must run from within defined
program (called as ‘Container’) such as a web browser; they cannot run on their own.
 Stand-Alone Client Components—Applications (like Microsoft’s Excel and Word) that
work as service.
 Stand-Alone Server Components—Processes running on servers that provide
services in standardized way. These are initiated by remote procedure calls or some
other kind of network call. Technologies supporting this include Microsoft’s Distributed
Component Object Model (DCOM), Object Management Group’s Common Object
Request Broker Architecture (CORBA) and Sun’s Java through Remote Method
Invocation (RMI).
 In-Process Server Components: These components run on servers within containers.
Examples include Microsoft’s Transaction Server (MTS) and Sun’s Organization Java
Beans (EJB)
A number of different component models have emerged. E.g. Microsoft’s Component Object
Model (COM). MTS when combined with COM allows developers to create components that
can be distributed in the Windows environment. COM is the basis for ActiveX technologies,
with ActiveX Controls being among the most widely used components. Alternative component
models include the CORBA Component Model and Sun’s EJB.
COM/DCOM, CORBA and RMI are sometimes referred to as Distributed Object
Technologies or also termed Middleware. (Middleware is a broad term, but a basic
definition is software that provides run-time services where by programs/ objects/
components can interact with one another).
Visual tools are now available for designing and testing Component-Based Applications.
Components play a significant role in web-based applications.
51
Advantages of Component-Based Development are:

 This reduces development time as application system can be assembled from pre-
written components and only code for unique parts of the system needs to be
developed.
 Improves quality by using pre-written and tested components.
 Allows developers to focus more strongly on business functionality.
 Promotes modularity by encouraging interfaces between discrete units of functionality.
 Simplifies re-use and avoids need to be conversant with procedural or class libraries.
 Combining and allowing reusable code to be distributed in an executable format—i.e.,
no source is required.
 Reduces development cost as less effort is required for designing and developing the
software.
 Supports multiple development environments due to platform independent components.
 Allows a satisfactory compromise between build and buy options i.e. instead of buying a
complete solution, it could be possible to purchase only needed components and
incorporate these into a customized system.
Disadvantages:
 Attention to software integration should be provided continuously during the
development stage.
 If system requirements are poorly defined or the system fails to adequately address
business needs, the project will not be successful.
2.6.6 Web-Based Application Development

Web based development has modified client-server architecture and made it more light weight
and easy to implement. It has eliminated the need to implement client module on end-user’s
desktop, and is delivered via internet-based technologies. User need to know URL to access
the application and if need be the same is delivered on users’ desktop or executed from web
server. The technology can be deployed within organization also. For example, many
organizations have implemented internal user services using intranet portal, which essentially
uses internet (web) based technologies.
Historically, software written in one language on a particular platform has used a dedicated
Application Programming Interface (API). The use of specialized APIs has caused difficulties
in integrating software modules across platforms. Component Based Technologies such as
CORBA and COM that use Remote Procedure Calls (RPCs) have been developed to allow
52
real-time integration of code across platforms. However, using these RPC approaches for
different APIs still remains complex. Web-based application development is designed to
further facilitate and standardize code module and program integration.
Web-based application development enables users to avoid the need to perform redundant
computing tasks with redundant code. For example, installing client on all users after making
changes or change of address notification from a customer need not be updated separately in
multiple databases. For example, entering and maintaining same data in contact
management, accounts receivable etc. Web application development though is different than
traditional developments (e.g. users test and approve the development work), but the risks of
application development remain the same.
With web-based application development, an XML language known as Simple Object Access
Protocol (SOAP) is used to define APIs. SOAP will work with any operating system and
programming language that understands XML. SOAP is simpler than using the more complex
RPC-based approach, with the advantage that modules are coupled loosely so that a change
to one component does not normally require changes to other components. The second key
component of web development is the Web Services Description Language (WSDL), which is
also based on XML. WSDL is used to identify the SOAP specification that is to be used for the
code module API and the formats of the SOAP messages used for input and output to the
code module. The WSDL is also used to identify the particular web service accessible via a
corporate intranet or across the Internet by being published to a relevant intranet or Internet
web server.
2.7 Selection of SDLC Model

Assess the needs of Stakeholders
We must study the business domain, stakeholders’ concerns and requirements, business
priorities, our technical capability and ability, and technology constraints to be able to choose
the right SDLC against their selection criteria.
Define the criteria
Some of the selection criteria or arguments that you may use to select an SDLC are:
 Is the SDLC suitable for the size of our team and their skills?
 Is the SDLC suitable for the selected technology we use for implementing the solution?
 Is the SDLC suitable for client and stakeholders’ concerns and priorities?
 Is the SDLC suitable for the geographical situation (distributed team)?
 Is the SDLC suitable for the size and complexity of our software?
 Is the SDLC suitable for the type of projects we do?
53
 Is the SDLC suitable for our software engineering capability?

 Is the SDLC suitable for the project risk and quality insurance?
2.8 New Development Iterative Models- Prototype, Spiral,

Rapid & Agile etc.
2.8.1 Prototyping Methodology
The traditional approach sometimes may take long time to analyze, design and implement a
system. More so, many a times we know a little about the system until and unless we go
through its working phases, which are not available. In order to avoid such bottlenecks and
overcome the issues, organizations are increasingly using prototyping techniques to develop
smaller systems such as DSS, MIS and Expert systems. The goal of prototyping approach is
to develop a small or pilot version called a prototype of part or all of a system. A prototype
may be a usable system or system component that is built quickly and at a lesser cost, and
with the intention of modifying/replicating/expanding or even replacing it by a full-scale and
fully operational system. As users work with the prototype, they learn about the system
criticalities and make suggestions about the ways to manage it. These suggestions are then
incorporated to improve the prototype, which is also used and evaluated. Finally, when a
prototype is developed that satisfies all user requirements, either it is refined and turned into
the final system or it is scrapped. If it is scrapped, the knowledge gained from building the
prototype is used to develop the real system.
Prototyping can be viewed as a series of four steps, symbolically depicted in Fig. 2.4 wherein
implementation and maintenance phases followed by full-blown developments take place once
the prototype model is tested and found to be meeting users’ requirements.
Generic Phases of Model
 Identify Information System Requirements: In traditional approach, the system
requirements are to be identified before the development process starts. However,
under prototype approach, the design team needs only fundamental system
requirements to build the initial prototype, the process of determining them can be less
formal and time-consuming than when performing traditional systems analysis.
 Develop the Initial Prototype: The designers create an initial base model and give
little or no consideration to internal controls, but instead emphasize system
characteristics such as simplicity, flexibility, and ease of use. These characteristics
enable users to interact with tentative versions of data entry display screens, menus,
input prompts, and source documents. The users also need to be able to respond to
system prompts, make inquiries of the information system, judge response times of the
system, and issue commands.
54
 Test and Revise: After finishing the initial prototype, the designers first demonstrate
the model to users and then give it to them to experiment and ask users to record their
likes and dislikes about the system and recommend changes. Using this feedback, the
design team modifies the prototype as necessary and then re-submits the revised
model to system users for re-evaluation. Thus, iterative process of modification and re-
evaluation continues until the users are satisfied.
 Obtain User Signoff of the Approved Prototype: Users formally approve the final
version of the prototype, which commits them to the current design and establishes a
contractual obligation about what the system will, and will not do or provide. Prototyping
is not commonly used for developing traditional MIS and batch processing type of
applications such as accounts receivable, accounts payable, payroll, or inventory
management, where the inputs, processing, and outputs are well known and clearly
defined.
Fig. 2.4: Prototyping Model

Strengths:
 It improves both user participation in system development and communication among
project stakeholders.
 It is especially useful for resolving unclear objectives and requirements; developing and
validating user requirements; experimenting with or comparing various design solutions,
or investigating both performance and the human computer interface.
 Potential exists for exploiting knowledge gained in an early iteration as later iterations
are developed.
 It helps to easily identify confusing or difficult functions and missing functionality.
 It enables to generate specifications for a production application.
 It encourages innovation and flexible designs.
55
 It provides for quick implementation of an incomplete, but functional application.

 It typically results in a better definition of these users’ needs and requirements than
does the traditional systems development approach.
 A very short time period is normally required to develop and start experimenting with a
prototype. This short time period allows system users to immediately evaluate proposed
system changes.
 Since system users experiment with each version of the prototype through an
interactive process, errors are hopefully detected and eliminated early in the
developmental process. As a result, the information system ultimately implemented
should be more reliable and less costly to develop than when the traditional systems
development approach is employed.
Weaknesses:
 Approval process and control are not formal.
 Incomplete or inadequate problem analysis may occur whereby only the most obvious
and superficial needs will be addressed, resulting in current inefficient practices being
easily built into the new system.
 Requirements may frequently change significantly.
 Identification of non-functional elements is difficult to document.
 Designers may prototype too quickly, without sufficient upfront user needs analysis,
resulting in an inflexible design with narrow focus that limits future system potential.
 Prototype may not have sufficient checks and balances incorporated.
 Prototyping can only be successful if the system users are willing to devote significant
time in experimenting with the prototype and provide the system developers with
change suggestions. The users may not be able or willing to spend the amount of time
required under the prototyping approach.
 The interactive process of prototyping causes the prototype to be experimented with
quite extensively. Because of this, the system developers are frequently tempted to
minimize the testing and documentation process of the ultimately approved information
system. Inadequate testing can make the approved system error-prone, and inadequate
documentation makes this system difficult to maintain.
 Prototyping may cause behavioural problems with system users. These problems
include dissatisfaction by users if system developers are unable to meet all user
demands for improvements as well as dissatisfaction and impatience by users when
they have to go through too many interactions of the prototype.
 In spite of above listed weaknesses, to some extent, systems analysis and development
has been greatly improved by the introduction of prototyping. Prototyping enables the
56
user to take an active part in the systems design, with the analyst acting in an advisory
role. Prototyping makes use of the expertise of both the user and the analyst, thus
ensuring better analysis and design, and prototyping is a crucial tool in that process.
Prototype has one major drawback. Many-a-time users do not realize that prototype
is not actual system or code but is just a model. Users may think that the system is
ready. Whereas actual development starts only after the prototype is approved.
Hence, the actual system may require time before it is ready for implementation
and use. In the meantime, users may get restless and wonder why there is so much
delay.
2.8.2 Spiral Model

The Spiral model is a repetitive software development process combining elements of both
design and prototyping within each of the iterations. It combines the features of the
prototyping model and the waterfall model (given in Fig. 2.5). Initially spiral model was
intended for large, expensive and complicated projects like Game development because of
size and constantly shifting goals of large projects. Spiral model when defined was
considered as the best model and further models were developed using spiral models.
Key characteristics
 Spiral model is an iterative model where each iteration helps in optimizing the intended
solution.
 The new system requirements are defined in as much detail as possible. This usually
involves interviewing a number of users representing all the external or internal users
and other aspects of the existing system.
 A preliminary design is created for the new system during initial iterations. This phase is
the most important part of “Spiral Model” in which all possible alternatives that can help
in developing a cost-effective project are analysed and strategies are decided to use
them. This phase has been added specially in order to identify and resolve all the
possible risks in the project development. If risks indicate any kind of uncertainty in
requirements, prototyping may be used to proceed with the available data and find out
possible solution in order to deal with the potential changes in the requirements.
 A first prototype of the new system in constructed from the preliminary design during
first iteration. This is usually a scaled-down system, and represents an approximation of
the characteristics of the final product.
 A second prototype is evolved during next iteration by a fourfold procedure by
evaluating the first prototype in terms of its strengths, weaknesses, and risks; defining
the requirements of the second prototype; planning and designing the second
prototype; and constructing and testing the second prototype.
57
Strengths:
 Enhances the risk avoidance.
 Useful in helping for optimal development of a given software iteration based on project
risk.
 Incorporates Waterfall, Prototyping, and Incremental methodologies as special cases in
the framework, and provide guidance as to which combination of these model’s best fits
a given software iteration, based upon the type of project risk. For example, a project
with low risk of not meeting user requirements but high risk of missing budget or
schedule targets would essentially follow a linear Waterfall approach for a given
software iteration. Conversely, if the risk factors were reversed, the Spiral methodology
could yield an iterative prototyping approach.
Weaknesses:
 It is challenging to determine the exact composition of development methodologies to
use for each of the iterations around the Spiral.
 A skilled and experienced Project Manager is required to determine how to apply it to
any given project.
 Sometimes there are no firm deadlines, cycles continue till requirements are clearly
identified. Hence has an inherent risk of not meeting budget or schedule.
Fig. 2.5: Spiral Model
58
2.8.3 Rapid Application Development (RAD)

RAD refers to a type of software development methodology, which uses minimal planning in
favour of rapid prototyping. (Figure 2.6) The planning of software developed using RAD is
interleaved with writing the software itself. The lack of extensive pre-planning generally allows
software to be written much faster, and makes it easier to change requirements. The key
features are:
 Key objective is fast development and delivery of a high-quality system at a relatively
low investment cost,
 Attempts to reduce inherent project risk by breaking a project into smaller segments
and providing more ease-of-change during the development process.
 Aims to produce high quality systems quickly, primarily through the use of Iterative
Prototyping (at any stage of development), active user involvement, and computerized
development tools like Graphical User Interface (GUI) builders, Computer Aided
Software Engineering (CASE) tools, Database Management Systems (DBMS), Fourth
Generation Programming Languages, Code Generators and Object-Oriented
Techniques.
 Key emphasis is on fulfilling the business need while technological or engineering
excellence is of lesser importance.
 Project control involves prioritizing development and defining delivery deadlines or “time
boxes.” If the project starts to slip, emphasis is on reducing requirements to fit the time
box, not in increasing the deadline.
 Generally, includes Joint Application Development (JAD), where users are intensely
involved in system design, either through consensus building in structured workshops,
or through electronically facilitated interaction.
 Active user involvement is imperative.
 Iteratively produces production software, as opposed to a throwaway prototype.
 Produces documentation necessary to facilitate future development and maintenance.
 Standard systems analysis and design techniques can be fitted into this framework.
Strengths:
 The operational version of an application is available much earlier than with Waterfall,
Incremental, or Spiral frameworks.
 Because RAD produces systems more quickly and to a business focus, this approach
tends to produce systems at lower cost.
59
 Quick initial reviews are possible.

 Constant integration isolates problems and encourages customer feedback.
 It holds a great level of commitment from stakeholders, both business and technical,
than Waterfall, Incremental, or Spiral frameworks. Users are seen as gaining more of a
sense of ownership of a system, while developer are seen as gaining more satisfaction
from producing successful systems quickly.
 It concentrates on essential system elements from user viewpoint.
 It provides for the ability to rapidly change system design as demanded by users.
 It leads to a tighter fit between user requirements and system specifications.
Weaknesses:
 Fast speed and lower cost may affect adversely the system quality.
 The project may end up with more requirements than needed (gold-plating).
 Potential for feature creep where more and more features are added to the system
during development.
 It may lead to inconsistent designs within and across systems.
 It may call for violation of programming standards related to inconsistent naming
conventions and inconsistent documentation,
 It may call for lack of attention to later system administration needs built into system.
 Formal reviews and audits are more difficult to implement than for a complete system.
 Tendency for difficult problems to be pushed to the future to demonstrate early success
to management.
 As some modules are completed much earlier than others, well–defined interfaces are
required.
60
Figure 2.6: RAD

2.8.4 Agile Software Development Methodology
The term “Agile Development” refers to a family of similar development processes that adopt a
non-traditional way of developing complex systems. The term “Agile” refers to characteristic of
processes that are designed to flexibly handle changes to the systems being developed.
Scrum is the first project management approach that fits well with other agile techniques.
Other agile processes such as Extreme Programming (XP), Crystal, Adaptive Software
Development, Feature Driven Development and Dynamic Systems Development Method have
since emerged.
61
Key Characteristics of Agile processes

 Use of small, time-boxed subprojects or iterations where each iteration forms the basis
for planning next iteration.
 Re-planning the project at the end of each iteration (referred to as a “Sprint” in Scrum),
including re-prioritizing requirements, identifying any new requirements and determining
that the delivered functionality should be implemented within which release
 Relatively greater reliance, compared to traditional methods, on the knowledge in
people’s heads (tacit knowledge), as opposed to external knowledge that is captured in
project documentation
 A heavy influence on mechanisms to effectively disseminate tacit knowledge and
promote teamwork. Therefore, teams are kept small in size, comprise both business
and technical representatives, and are located physically together. Team meetings to
verbally discuss progress and issues that occur daily, but with strict time limits.
 At least some of the agile methods stipulate pair-wise programming (two persons code
the same part of the system) as a means of sharing knowledge and as a quality check.
 A change in the role of the Project Manager, from one primarily concerned with planning
the project, allocating tasks and monitoring progress to that of a facilitator and
advocate. Responsibility for planning and control is delegated to the team members.
Exhibit
Figure 2.7: Agile (Sprint) review cycle

The agile methodology may be considered as iterative and incremental development, where
requirements and solutions evolve through collaboration between self-organizing, cross-
functional teams. It promotes adaptive planning, evolutionary development and delivery; time
62
boxed iterative approach and encourages rapid and flexible response to change. It is a
conceptual framework that promotes foreseen interactions throughout the development life
cycle.
Key features of agile methodologies
 Customer satisfaction by rapid delivery of useful software;
 Welcome changing requirements, even late in development;
 Working software is delivered frequently (weeks rather than months);
 Working software is the principal measure of progress;
 Sustainable development, able to maintain a constant pace;
 Close and regular interaction between business representatives and developers;
 Face-to-face conversation is the best form of communication (co-location);
 Projects are built around motivated individuals, who should be trusted;
 Continuous attention to technical excellence and good design;
 Simplicity; Self-organizing teams; and
 Regular adaptation to changing circumstances.
Strengths:
 Agile methodology has the concept of an adaptive team, which enables to respond to
the changing requirements.
 The team does not have to invest time and efforts and finally find that by the time they
delivered the product, the requirement of the customer has changed.
 Face to face communication and continuous inputs from customer representative leaves
a little space for guesswork.
 The documentation is crisp and to the point to save time.
 In general, the end result is of high-quality software in least possible duration leading
finally to a satisfied customer.
Weaknesses:
 In case of some software deliverables, especially the large ones, it is difficult to assess
the efforts required at the beginning of the System Development life cycle.
 There is lack of emphasis on necessary designing and documentation due to time
management. As a result, documentation is generally left out or remains incomplete.
63
 In Agile methodology, there is a possibility of increasing potential threats to the

knowledge transfer and business continuity due to verbal communication and weak
documentation.
 In Agile methodology there is no long-term planning. Also, the approach to the
architecture is lightweight. Hence, it requires more re-work.
 The project can easily go off the track if the customer representative is not having
clarity about the requirements and final deliverables.
 Agile methodology lacks the attention to external integration.
2.8.5 DevOps
Historically, the concept of DevOps came into existence for developing a culture of
collaboration between the teams. DevOps refers to the integration of development and
operations processes to eliminate conflicts and barriers. This integration can create a great
deal of benefits, but it can also create new risk. Decisions to adopt DevOps should be made
based on factors such as an organization’s climate, risk tolerance and culture and on the
scope of the development project. Because DevOps changes the environment and often
impacts an organization’s control environment and accepted level of risk, an IS Auditor
should ensure that there is a proper separation of duties.
DevOps combines the concepts of agile development, agile infrastructure and flexible
operations. It requires a bridge of communication between software development and
operations and the application of agile principles to all functions that support the Software
Development Life Cycle. Implementing DevOps processes can be done in a logical and
systematic manner and used to enhance the maturity of software development.
2.8.6 DevSecOps
DevSecOps means building security into app development from end to end. The adoption
DevSecOps is often closely associated with the adoption of Agile. DevSecOps uses two
distinctive concepts: (1) the confluence of software development, Information Security and IT
operations groups and (2) the use of automation in those activities.
An organization should consider the following controls when embracing a DevOps
development approach:
• Automated Software Scanning
• Automated Vulnerability Scanning
• Web Application Firewall
• Developer Application Security Training
64
• Software Dependency Management

• Access and Activity Logging
• Documented Policies and Procedures
• Application Performance Management
• Asset Management and inventorying
• Continuous Auditing and/or Monitoring
• Encrypt Data between Apps and Services
2.9 Secure SDLC

Earlier security was an afterthought for SDLC; normally developers used to check the security
related aspects through penetration testing, which requires a lot of rework. For example, if a
security related vulnerability, bug or flaw is detected after development then correction of the
same will require re-examining all the aspects starting from requirements till coding. This
entire exercise will increase the cost and efforts of the project, which sometimes may create a
typical situation both for the client and development company. To overcome this issue, latest
research studies suggest that the security should be taken into account right from the
beginning in the SDLC. Information security trends indicate that embedding security within
application development helps in addressing various issues. For example, when multiple users
are expected to access application hosted at central location from different nodes, the
application should be able to provide access depending upon the function the specific users
has to perform. This requires designing role definition and assigning various roles to different
users according to their functionality.
Another example can be in case the application is developed using web-based technologies
and users are expected to access it using different browsers (like internet explorer, Google
chrome etc.), application may not depend upon users to secure their browsers, but embed
security within application. In case the application is hosted on internet, it is subject to various
application level attacks (like OWASP top 10 2017) that need to be closed by adopting secure
development and coding practices.
The following table describes the additional activities that need to be added to the traditional
SDLC phases to make it Secure SDLC.
65
Table 2.1: Security steps in various phases of SDLC

SDLC Phase Security Steps
Requirement To identify security requirements including compliance for privacy and

Definition data loss.
To determine risks associated with security and prepare mitigation
plan.
To train users on identification and fixing of security bugs.
Design Phase To ensure security requirements are considered during design phase
e.g. access controls for privacy sensitive data.
To identify possible attacks and design controls e.g. implementing least
privilege principle for sensitive data, and apply layered principle for
modules.
Development To develop and implement security coding practices such as input data
Phase validation and avoiding complex coding.
To train developers on security coding practices.
Testing Phase To review code for compliance of secure coding practices.
To develop test cases for security requirement testing.
To ensure security requirements are tested during testing.
To test application for identified attacks.
Implementation To analyze all functions and interfaces are secured.
Phase
To perform security scan of application after implementation.
Maintenance To monitor for vulnerabilities on a continuous basis,
Phase
To issue the patches for fixing the reported vulnerabilities, accordingly,
To evaluate the effectiveness of countermeasures periodically.
2.10 Summary
SDLC is an essential aspect of automating business processes using Information Technology.
It has been evolving with changing technology and global proliferation of computers. Today’s
business largely depends on IT and any problem faced has multi-fold repercussions.
Controlling SDLC process helps organizations in mitigating risks associated with
implementation and use of IT. An IS Auditor must be aware of phases and key steps of each
66
of the SDLC phases. There are various models and methods. An IS auditor, while auditing
SDLC process is not required to be an expert in all technologies but should always focus on
associated risks, assessment of these risks and assess whether the implemented solutions
are as per the expected business objectives.
2.11 Questions
1. SDLC primarily refers to the process of:
A. Developing IT based solution to improve business service delivery.
B. Acquiring upgraded version of hardware for existing applications.
C. Redesigning network infrastructure as per service provider’s needs.
D. Understanding expectations of business managers from technology.
2. Organizations should adopt programming/coding standards mainly because, it:
A. Is a requirement for programming using High Level Languages?
B. Helps in maintaining and updating System Documentation.
C. Is required for Security and Quality Assurance function of SDLC.
D. Has been globally accepted practice by large organizations.
3. An organization decided to purchase a configurable application product instead
of developing in-house. Outcome of which of the following SDLC phase helped
organization in this decision?
A. Requirement Definition
B. Feasibility Study
C. System Analysis
D. Development Phase
4. In which of the following phases of SDLC, controls for security must be
considered FIRST?
A. Requirement Definition
B. Feasibility Study
C. System Design
D. Implementation
67
5. IS Auditor has been part of SDLC project team. Which of the following situation
does not prevent IS Auditor from performing post implementation review? The IS
Auditor has:
A. Designed the Security Controls.
B. Implemented Security Controls.
C. Selected Security Controls.
D. Developed Integrated Test facility.
6. An organization has implemented an IT based solution to support business
function. Which of the following situation shall indicate the need to initiate SDLC
project?
A. Vendor has launched a new hardware which is faster.
B. Organizations has unused surplus budget for IT.
C. Regulators have requested additional reports from business.
D. Competitor has launched an efficient IT based service.
7. A “Go or No Go” decision for SDLC project is primarily based on:
A. Feasibility Study
B. Business Case
C. Budget Provision
D. Market Situation
8. Which of the following is the primary reason for organization to outsource the
SDLC project? Non-availability of:
A. Skilled Resources
B. Budgetary Approvals
C. Security Processes
D. Infrastructure
9. Which of the following is an example of addressing social feasibility issue in
SDLC project?
A. Organization decides to use existing infrastructure.
B. Beta version of the application is made available to users.
C. Configuration of purchased software requires more cost.
D. Allowing employees to access social media sites.
68
10. Which of the following is not an indicator to assess benefit realization for internal
application software developed in-house?
A. Increase in number of customers because of new application.
B. Decrease in audit findings related to regulatory non-compliance.
C. Reduced number of virus attacks after implementing new software.
D. Increase in productivity of employees after implementation.

1. A is correct answer. SDLC primarily focuses on identifying IT based solution to improve
business processes delivering services to customers. Other activities may be part of
SDLC however, these are IT projects not SDLC projects.
2. C is correct answer. Adopting coding standards helps organization in ensuring quality of
coding and in minimizing the errors. It also helps in reducing obvious errors which may
lead to vulnerabilities in application. A is not true since it is required for all languages; B
is partially true but is not main reason. D is not main reason.
3. B is the correct answer. Make or buy decision is the outcome of feasibility study where
technical, economical and social feasibilities are considered. Option A is a statement
that indicates what a system needs to do in order to provide a capability. Options C and
D are the phases of developing a software.
4. A is the correct answer. Security requirements must be considered during requirement
definition. Option B is a phase in which technical, economical and social feasibilities are
considered. Option C is the phase during which, the nature of controls to be
implemented for security must be considered first. This will ensure that necessary
security controls are built while developing application.
5. D is the correct answer. Active role of IS Auditor in design and development of controls
affects the independence. Hence, IS Auditor cannot perform review or audit of the
application system. However, developing integrated test facility within the application is
not a control, but a facility to be used by auditors in future. Hence, this does not impact
independence of IS auditor. Options A, B and C affect independence of an IS Auditor.
6. D is correct answer. When a competitor launches new IT based efficient service, it
becomes necessary for management to consider the impact in market place and in
order to remain in competition organization should provide similar or better services.
Option A and C may not require SDLC since it can be adopted with change
management process. B may help in deciding for D, but is not the reason for initiating
SDLC project.
69
7. B is the correct answer. Business case is a document that narrates all aspect including
benefit realization, cost and effort estimates, outcome of feasibility study, available
budget. That helps management in decision on the need of the SDLC project. Rest are
secondary aspects.
8. A is correct answer. Non availability of skilled resources required for application
development is primary reason for outsourcing the SDLC project. Other reasons can be
addressed. i.e. (B) budget can be made available; (C) security processes can be
established. (D) Infrastructure can be acquired, depending upon design of new
application and hence it is not a reason.
9. B is the correct answer. In order to ensure the acceptability by users, beta version of
solution is made available to users. Based on feedback changes are made so that the
solution can be socialized. Option A addresses technical feasibility, Option C addresses
economic feasibility. Option D addresses IT policy that has nothing to do with SDLC.
10. C is the correct answer. Since the application is for internal use and developed in
house it has nothing to do with reduction in virus attacks. This can be benefit realization
for anti-virus solution.
70
Chapter 3
Software Testing and Implementation
Learning Objectives
This chapter will give you a basic understanding on software testing, its importance,
strategies, types, methods, levels, and other related terminologies.
3.1 Introduction
The success of information systems depends upon the quality of software that supports the
system. Testing of software before deploying in production to ensure it delivers as per
requirements is most essential aspect of quality. This is apart from documentation, compliance
with coding standards, version control discipline and user training.
Testing is the process of evaluating a system or its component(s) with the intent to find
whether it satisfies the specified requirements or not. In simple words, testing is executing a
system in order to identify any gaps, errors, or missing requirements in contrary to the actual
requirements.
According to ANSI/IEEE 1059 standard, Testing can be defined as - A process of analyzing a
software item to detect the differences between existing and required conditions (that is
defects/errors/bugs) and to evaluate the features of the software item.
3.2 Importance of Software Testing

The programmer might have made mistakes that need to be tested. Some mistakes come
from bad assumptions and blind spots, which should be tested other persons. There are
several reasons, which clearly indicate the importance of software testing. These are:
 Software testing is really required to point out the defects and errors that were made
during the development phase.
 It’s essential since it makes sure that the user finds the software reliable and their
satisfaction in the application is maintained.
 It is very important to ensure the Quality of the product. Quality product delivered to the
users helps in gaining their confidence.
 Software testing is important in order to provide the facilities to the customers like the
delivery of high-quality product or software application which requires lower
maintenance cost and hence results into more accurate, consistent and reliable outputs.
 Software testing is required for an effective performance of application or product.

 It’s important to ensure that the application should not result into any failures because it
can be very expensive in the future or in the later stages of the development.
 Proper testing ensures that bugs and issues are detected early in the life cycle of the
product or application.
 Users are not inclined to use software that has bugs. They may not adopt a software if
they are not satisfied with the stability of the application.
3.3 Methods of Software Testing

There are different methods that can be used for software testing. This chapter briefly
describes the methods available.
3.3.1 Black-Box Testing

The technique of testing without having any knowledge of the interior workings of the
application is called Black-Box testing. The tester is oblivious to the system architecture and
does not have access to the source code. Typically, while performing a Black-Box test, a
tester will interact with the system's user interface by providing inputs and examining outputs
without knowing how and where the inputs are worked upon.
The following table lists the advantages and disadvantages of black-box testing.
Advantages Disadvantages
Well suited and efficient for large code Limited coverage, since only a selected
segments. number of test scenarios is actually
performed.
Code access is not required. Inefficient testing, due to the fact that the
tester only has limited knowledge about an
application.
Clearly separates user's perspective from the Blind coverage, since the tester cannot target
developer's perspective through visibly specific code segments or error prone areas.
defined roles.
Large numbers of moderately skilled testers The test cases are difficult to design.
can test the application with no knowledge of
implementation, programming language, or
operating systems.
72
3.3.2 White-Box Testing

White-Box testing is the detailed investigation of internal logic and structure of the code.
White-Box testing is also called Glass testing or Open-Box testing. In order to perform White-
Box testing on an application, a tester needs to know the internal workings of the code.
The tester needs to have a look inside the source code and find out which unit/chunk of the
code is behaving inappropriately.
The following table lists the advantages and disadvantages of White-Box testing.
As the tester has knowledge of the source Due to the fact that a skilled tester is needed
code, it becomes very easy to find out which to perform white-box testing, the costs are
type of data can help in testing the increased.
application effectively.
It helps in optimizing the code. Sometimes it is impossible to look into every
nook and corner to find out hidden errors that
may create problems, as many paths will go
untested.
Extra lines of code can be removed which It is difficult to maintain white-box testing, as
can bring in hidden defects. it requires specialized tools like code
analyzers and debugging tools.
Due to the tester's knowledge about the code,
maximum coverage is attained during test
scenario writing.
3.3.3 Grey-Box Testing

Grey-Box testing is a technique to test the application with having a limited knowledge of the
internal workings of an application. In software testing, the phrase “The more you know, the
better” carries a lot of weight while testing an application.
Mastering the domain of a system always gives the tester an edge over someone with limited
domain knowledge. Unlike Black-Box testing, where the tester only tests the application's user
interface; in Grey-Box testing, the tester has access to design documents and the database.
Having this knowledge, a tester can prepare better test data and test scenarios while making a
test plan.
73
Offers combined benefits of Black-Box and Since the access to source code is not
White-Box testing wherever possible. available, the ability to go over the code and
test coverage is limited.
Grey-Box testers don't rely on the source The tests can be redundant if the software
code; instead they rely on interface definition designer has already run a test case.
and functional specifications.
Based on the limited information available, a Testing every possible input stream is
Grey-Box tester can design excellent test unrealistic because it would take an
scenarios especially around communication unreasonable amount of time. As a result,
protocols and data type handling. many program paths will go untested.
The test is done from the point of view of the
user and not the designer.
3.3.4 A Comparison of Testing Methods

The following table lists the points that differentiate Black-Box testing, Grey-Box testing, and
White-Box testing.
Black-Box Testing Grey-Box Testing White-Box Testing

The internal workings of an The tester has limited Tester has full knowledge
application need not be knowledge of the internal of the internal workings of
known. workings of the application. the application.
Also known as Closed-Box Also known as Translucent Also known as Clear-Box
testing, Data-Driven testing, testing, as the tester has testing, Structural testing,
or Functional testing. limited knowledge of the or Code-Based testing.
insides of the application.
Performed by end-users and Performed by end-users and Normally done by testers
also by testers and also by testers and developers. and developers.
developers.
Testing is based on external Testing is done on the basis of Internal workings are fully
expectations - Internal high-level database diagrams known and the tester can
behavior of the application is and data flow diagrams. design test data
unknown. accordingly.
It is exhaustive and the least Partly time-consuming and The most exhaustive and
time-consuming. exhaustive. time-consuming type of
testing.
74
Not suited for algorithm Not suited for algorithm testing. Suited for algorithm
testing. testing.
This can only be done by Data domains and internal Data domains and internal
trial-and-error method. boundaries can be tested, if boundaries can be better
known. tested.
3.4 Levels of Testing

There are different levels during the process of testing. In this chapter, a brief description is
provided about these levels.
Levels of testing include different methodologies that can be used while conducting software
testing. The main levels of software testing are −
 Functional Testing
 Non-Functional Testing
3.4.1 Functional Testing

This is a type of Black-Box testing that is based on the specifications of the software that is to
be tested. The application is tested by providing input and then the results are examined that
need to conform to the functionality it was intended for. Functional testing of software is
conducted on a complete, integrated system to evaluate the system's compliance with its
specified requirements.
There are five steps that are involved while testing an application for functionality.
Steps Description
I The determination of the functionality that the intended application is meant to
perform.
II The creation of test data based on the specifications of the application.
III The output based on the test data and the specifications of the application.
IV The writing of test scenarios and the execution of test cases.
V The comparison of actual and expected results based on the executed test
cases.
An effective testing practice will see the above steps applied to the testing policies of every
organization and hence it will make sure that the organization maintains the strictest of
standards when it comes to software quality. Commonly used functional testing types are; Unit
75
testing, Integration testing, Smoke testing, Sanity testing, System testing, Regression testing,
Acceptance testing (Alpha testing, and Beta testing), and End to End testing.
3.4.2 Non-Functional Testing

This section is based upon testing an application from its Non-Functional attributes. Non-
Functional testing involves testing a software from the requirements which are non-functional
in nature but important such as performance, security, user interface, etc.
Some of the important and commonly used non-functional testing types are Performance
testing, Load testing, Stress testing, Usability testing, Security testing, and Portability testing.
3.5 Strategies of Software Testing

3.5.1 What is a Test Strategy?
Test strategy is a guideline to be followed to achieve the test objective and execution of test
types mentioned in the testing plan. It deals with test objective, test environment, test
approach, automation tools and strategy, contingency plan, and risk analysis.
A Test Strategy is a plan for defining the testing approach as to how testing would be carried
out. Test approach has two techniques:
 Proactive - An approach in which the test design process is initiated as early as
possible in order to find and fix the defects before the build is created.
 Reactive - An approach in which the testing is not started until after design and coding
are completed.
3.5.2 Different Test approaches

There are many strategies that a project can adopt depending on the context and some of
them are:
 Dynamic and Heuristic approaches
 Consultative approaches
 Model-Based approach that uses statistical information about failure rates.
 Approaches based on Risk-Based testing where the entire development takes place
based on the risk
 Methodical approaches which is based on failures.
 Standard-Compliant approach specified by industry-specific standards.
76
3.5.3 Factors to be considered

 Risks of product or risk of failure or the environment and the company
 Expertise and experience of the people in the proposed tools and techniques.
 Regulatory and legal aspects, such as external and internal regulations of the
development process
 The nature of the product and the domain
3.6. Types of Software Testing

3.6.1 Unit Testing
In computer programming, Unit Testing is a verification and validation method in which a
programmer tests whether individual units of source code are fit for use. A Unit is the smallest
functional part of an application often called as Module. It can be an individual program,
function, procedure, or may belong to a base/super class, abstract class or derived/child
class.
Unit Tests are typically written based on requirement specifications and run by testing
professionals or software developers to ensure that code meets these requirements and
behaves as intended. The goal of Unit Testing is to isolate each component of the program
and show that they are correct. A Unit Test provides a strict, written contract that the piece of
code must satisfy.
There are five categories of tests typically performed on a program unit. Such typical tests are
described as follows:
1. Functional Tests: Functional Tests check ‘whether programs do what they are
supposed to do. The test plan specifies operating conditions, input values, and expected
results, and as per this plan, programmer checks by inputting the values to see whether the
actual results and expected results match. These test data values are prepared in advance for
all possible permutations the data can acquire during live run. This can have two types:
(a) Positive Test: Where tester collects the expected values, the data can possess.
Sometimes tester may use sanitized live data for testing.
(b) Negative Test: Where tester provides value sets that data should not possess anytime.
Here the program should flash the error with suitable message.
For example, if data field is used to store amount and can acquire a value between 0 and 1
crore, positive test should provide expected results and negative test should flash error if
values are beyond the specified range.
77
2. Performance Tests: Performance Tests are designed to verify the expected

performance criteria of program.
There are different performance parameters like response time (time required to receive input
and deliver confirmation), execution time (processing of single data value should be less than
100 microseconds), throughput (1000 values must be processed in one second), primary
(RAM/CPU) and secondary memory (Storage) utilization and rate of traffic flow on data
channels and communication links (number of messages per second).
3. Stress Tests: Stress Testing is a form of testing that is used to determine the stability
of a given system or entity. It involves testing beyond normal operational capacity, often to a
breaking point, in order to observe the results. These tests are designed to overload a
program in various ways. The purpose of a Stress Test is to determine the limitations of the
program. (For example, if access to web application is expected to be 10000 hits per second,
whether the program can stand this load. Further, how does it behave when load exceeds. In
another example, during a sort/search operation, available memory can be reduced to find out
whether the program is able to handle the situation.).
4. Structural Tests: Structural Tests are concerned with examining the internal
processing logic of a software system. Particularly when the program is expected to behave
differently depending upon value of data set. Programmer may code for known values and
might forget to code for unknown values where program might misbehave. For example, tax
calculation where depending upon value different rates is applied or if division operation is
involved and data set gets value of zero, program may terminate abruptly or go in loop without
response.
5. Parallel Tests: These are applicable during change management or reengineering
where the same test data is used in the new and old system and the output results are then
compared.
3.6.2 Static Testing

Static Test analysis is conducted on source programs and do not normally require executions
in operating conditions. Typical static analysis techniques include the following:
 Desk Check: This is done by the programmer to check the logical syntax errors, and
deviation from coding standards. As name suggests programmer uses paper and pen to
verify the logic of code by jotting down values of data sets and thinking like computer to
arrive at possible values.
 Structured Walk-through: Desk check performed with team or peers who scan
through the text of the program and try to uncover errors.
 Code Inspection: The program is reviewed by a formal committee. Review is done with
formal checklists.
78
3.6.3 Load Testing

It is a process of testing the behavior of a software by applying maximum load in terms of
software accessing and manipulating large input data. It can be done at both normal and peak
load conditions. This type of testing identifies the maximum capacity of software and its
behavior at peak time.
Most of the time, Load Testing is performed with the help of automated tools such as Load
Runner, App Loader, IBM Rational Performance Tester, Apache JMeter, Silk Performer,
Visual Studio Load Test, etc.
Virtual Users (V Users) are defined in the automated testing tool and the script is executed to
verify the load testing for the software. The number of users can be increased or decreased
concurrently or incrementally based upon the requirements.
3.6.4 Usability Testing

Usability Testing is a Black-Box Technique and is used to identify any error(s) and
improvements in the software by observing the users through their usage and operation.
According to Nielsen, Usability can be defined in terms of five factors, i.e. efficiency of use,
learning-ability, memory-ability, errors/safety, and satisfaction. According to him, the Usability
of a product will be good and the system is Usable if it possesses the above factors.
Nigel Bevan and Macleod considered that Usability is the quality requirement that can be
measured as the outcome of interactions with a computer system. This requirement can be
fulfilled and the end-user will be satisfied if the intended goals are achieved effectively with
the use of proper resources.
Molich in 2000 stated that a user-friendly system should fulfill the following five goals, i.e.,
easy to Learn, easy to remember, efficient to use, satisfactory to use, and easy to
understand.
In addition to the different definitions of Usability, there are some standards and quality
models and methods that define usability in the form of attributes and sub-attributes such as
ISO-9126, ISO-9241-11, ISO-13407, and IEEE std.610.12, etc.
3.6.5 Portability Testing

Portability Testing includes testing a software with the aim to ensure its reusability and that it
can be moved from another software as well. Following are the strategies that can be used for
portability testing −
 Transferring an installed software from one computer to another.
 Building executable (.exe) to run the software on different platforms.
79
Portability Testing can be considered as one of the sub-parts of system testing, as this testing
type includes overall testing of a software with respect to its usage over different
environments. Computer hardware, operating systems, and browsers are the major focus of
portability testing. Some of the pre-conditions for portability testing are as follows −
 Software should be designed and coded, keeping in mind the portability requirements.
 Unit testing has been performed on the associated components.
 Integration testing has been performed.
 Test environment has been established.
3.6.6 Integration Testing

Unit Testing focuses on testing of different modules/functions and programs that are small
part of entire information system being developed. These modules are expected to work
together to achieve objectives of information system. For example, Internet Banking is a
system consisting of various functions like saving account management, time deposit
management, loan account management, third-party fund transfer, standing instruction,
getting statements of accounts etc. While developing programs/functions, each service
function is developed separately and tested in Unit Testing. Now it is necessary to test if
these modules/functions work together seamlessly and communicate appropriately during
execution. Objective is to evaluate the validity of integration of two or more components that
pass information to one another. Integration Testing puts together modules that have been
unit tested and applies tests defined. There are two approaches for Integration Testing:
1. Bottom-up Integration: It is the traditional strategy used to integrate the components
of a software system starting from smallest module/function/program. It consists of Unit
Testing, followed by Sub-system Testing. Bottom-up testing is easy to implement as at the
time of module testing, tested subordinate modules are available. The disadvantage; however,
is that testing of major decision / control points is deferred to a later period. For example in
above example of Internet Banking it will test communication between different modules using
smallest level of module like saving bank account, fund transfer and then statement of
accounts to ensure previous transaction reflects in statement, and so on, however it might not
ensure the overall control on passing parameters required for session time out or inactive
session
2. Top-down Integration: This starts with the main routine followed by the stubs being
substituted for the modules which are directly subordinate to the main module. Considering
above example, the testing will start from opening login screen and then login, then selecting
function one by one. An incomplete portion of a program code is put under a function (called
stub) to allow the function. Here a stub is considered as Black Box and assumed to perform as
expected, which is tested subsequently. Once the main module testing is complete, stubs are
80
substituted with real modules one by one, and these modules are tested. This process
continues till the atomic (smallest) modules are reached. Since decision-making processes
are likely to occur in the higher levels of program hierarchy, the top-down strategy emphasizes
on major control decision points encountered in the earlier stages of a process and detects
any error in these processes. The difficulty arises in the top-down method, because the high-
level modules are tested with stubs and not with actual modules.
3.6.7 Regression Testing

It is a testing performed during change management when a function/module/program is
changed or added to existing software, in order to ensure that new/changed functions
executes properly and integrates with other modules as expected. It is required since new
data flow paths are established, new I/O may occur and new control logic is invoked. These
changes may cause problems with functions that previously worked flawlessly. In the context
of the integration testing, the regression tests ensure that changes or corrections have not
introduced new faults. The data used for the regression tests should be the same as the data
used in the original test.
3.6.8 System Testing

It is a process in which software and other system elements are tested as a whole. System
testing begins either when the software as a whole is operational or when the well-defined
subsets of the software's functionality have been implemented. The purpose of system testing
is to ensure that the new or modified system functions properly. These test procedures are
often performed in a non-production test environment. The types of testing that might be
carried out with various other objectives described below:
 Recovery Testing: This is the activity of testing ‘how well the application is able to
recover from crashes, hardware failures and other similar problems. Recovery Testing
is the forced failure of the software in a variety of ways to verify that recovery is able to
be perform properly, in actual failures
 Security Testing: This is the process to determine that an Information System protects
data and maintains functionality as intended. The three basic security concepts that
required to be covered by Security Testing are – Confidentiality, Integrity and
Availability. In addition, the software may further be tested for user management
requirements require i.e. Authentication, Authorization, and Non-repudiation and Log
maintenance.
 Stress or Volume Testing: Stress Testing is a form of testing that is used to determine
the stability of a given system or entity based on the requirements and expected data
growth. It involves testing beyond normal operational capacity, often to a breaking point,
81
in order to observe the results. Stress Testing may be performed by testing the
application with large quantity of data during peak hours to test its performance.
 Performance Testing: Software Performance Testing is performed on various
parameters like response time, speed of processing, effectiveness use of a resources
(RAM, CPU etc.), network, etc. This testing technique compares the new system's
performance with that of similar systems using available industry benchmarks.
3.6.9 Other types of Testing

When any complex application/software is intended for general and wide spread use
developers want to make sure that product delivers diverse requirements of general users.
Organizations may consider Alpha and Beta testing. For example, Microsoft performs this
type of testing on new product before making it available commercially.
Alpha Testing: This is the first stage, often performed by users within the organization by the
developers, to improve and ensure the quality/functionalities as per users’ satisfaction.
Beta Testing: This is the second stage, generally performed after the deployment of the
system. It is performed by the external users, during the real-life execution of the project. It
normally involves sending the product outside the development environment for real world
exposure and receives feedback for analysis and modifications, if any.
Automated Testing: In software testing, automation of testing is performed using
special software (separate from the software being tested) to control the execution of tests
and the comparison of actual outcomes with predicted outcomes. Test automation can
automate some repetitive but necessary tasks in a formalized testing process already in place,
or add additional testing that would be difficult to perform manually.
Integrated Testing: Some organizations rely on integrated test facilities. Test data usually are
processed in production-like systems. This confirms the behaviour of the new application or
modules in real-life conditions. These conditions include peak volume and other resource-
related constraints. In this environment, IS Auditor will perform their tests with a set of
fictitious data whereas client representatives use extracts of production data to cover the most
possible scenarios as well as some made-up data for scenarios that would not be tested by
the production data.
Some organizations use a subset of production data in a test environment, such
production data may be altered or scrambled to mask the confidential data. This is
often the case where the acceptance testing is done by team members who, under
usual circumstances, would not have access to such production data. These tools help
in building test cases and also generate test data based on conditions. However, using
production data may not help in identifying negative test cases.
82
Accreditation of Software: Although it is not type of testing, many organizations insist on

certification and accreditation of software. Generally, this is done by the software development
houses before taking product to market. In case of tailor-made software
certification/accreditation should only be performed once the system is implemented and in
operation for some time to produce the evidence needed for certification/accreditation
processes. This process includes evaluating program documentation and testing
effectiveness. The process will result in a final decision for deploying the business application
system.
Security Testing: (Application Scans and Penetration Testing) For information security
issues, the evaluation process includes reviewing security plans, the risk assessments results
along with response decision, and the evaluation of processes to be deployed. The result of
security assessment focuses on measuring effectiveness of the security controls. Security
testing provides assurance to the business owner.
Security testing of web application for identified external threats (like SQL injection, cross site
scripting etc.) is necessary to ensure that the application can sustain an attack by the hacker
who is trying to breach the security.
While reviewing testing process IS auditors focus on getting answers to following

questions:
1. Whether the test-suite prepared by the testers includes the actual business
scenarios?
2. Whether test data used covers all possible aspects of system?
3. Whether CASE tools like ‘Test Data Generators’ have been used?
4. Whether test results have been documented?
5. Whether tests have been performed in their correct order?
6. Whether modifications needed based on test results have been done?
7. Whether modifications made have been properly authorized and documented?
Testers generally perform Black Box testing (Penetration Test) by trying to simulate attacks on
hosted application. This is then followed by performing Grey Box and/or White Box testing
that includes code review to identify the issues in coding practices that might introduce the
vulnerabilities in the application. These can be avoided by including secure coding practices in
coding standard developed by the organizations.
3.7 Final Testing

It is conducted if results of system testing are satisfactory and when the system is just ready
for implementation. This testing is performed at two levels:
83
 At technical level Quality Assurance Testing is performed

 At functional level User Acceptance Testing is performed.
3.7.1 Quality Assurance Testing (QAT)

QAT focuses on conforming to the quality standards of the organization accepted before
development. It includes documented specifications, technology employed, use of coding
standards, and the application meets the documented technical specifications and
deliverables. QAT is performed primarily by the technical (IT) department. The participation of
the end user is minimal and on request. QAT does not focus on functionality testing.
3.7.2 User Acceptance Testing (UAT)

It is a user extensive activity and participation of functional user is a primary requirement for
UAT. The objective of UAT is to ensure that the system is production-ready and satisfies all
accepted (baselined) requirements. UAT is a formal process and may include:
 Definition of test strategies and procedures
 Design of test cases and scenarios
 Execution of the tests
 Utilization of the results to verify system readiness
Acceptance criteria defined along with requirement specifications includes that deliverables
must satisfy the predefined needs of the user. A UAT plan must be documented for the final
test of the completed system. The tests are written from a user’s perspective and should test
the system in a manner as close to production as possible. For example, tests may be based
around typical predefined, business process scenarios. If new business processes have been
developed to accommodate the new or modified system they should also be tested at this
point. A key aspect of testing should also include testers seeking to verify that supporting
processes integrate into the application in an acceptable fashion. Successful completion
would generally enable a project team to hand over a complete integrated package of
application and supporting procedures.
 UAT is a stage in SDLC where end users finally accept the developed application
system. This is required for all situations of acquiring software i.e. software developed
in-house, or by outsourced team or purchased and configured by vendor. A formal sign-
off generally marks end of development process.
 UAT should be performed in a secure testing or staging environment where both source
and executable code are protected to ensure that unauthorized or last-minute changes
are not made to the system unless authorized and the standard change management
84
process is followed. In the absence of controls, the risk of introducing unauthorized

changes/malicious patches/Trojan horse programs is very high.
 Users should develop test cases or use data of live operations of a specified period to
confirm whether the processing of data by new application is providing correct results,
has required controls and the reports meet the management requirements.
Many organizations expect a report from IS Auditor after tests are completed. The IS
Auditor should issue an opinion to management as to whether the system meets documented
business requirements, has incorporated appropriate controls, and may be migrated to
production. This report should also identify and explain the risk that the organization might be
exposed by implementing the system.
3.8 Implementation
Application software developed shall be implemented once it is tested and UAT has been
signed off. However, the planning for implementation must start much earlier in SDLC, many
times after feasibility study. Planning involves:
 Selecting Implementation Strategies
 Preparing for implementation
o Deciding on hardware and ordering (if required) in advance so as to be available
in time
o Deciding on site where infrastructure to be made available
 Conversion of data to suit to the requirements of new application.
3.8.1 Implementation Strategies

Considering the nature of business operation appropriate implementation strategy must be
decided, much earlier in SDLC. Generally, it is decided once the design is finalized or in case
of acquisition once the application is selected. Organization can adopt one of the four
strategies, which are described below:
Cut-off or Direct Implementation / Abrupt Change-Over: This is achieved through an
abrupt takeover – an all or no approach. With this strategy, the changeover is done in one
operation, completely replacing the old system in one go. Fig 3.1 depicts Direct
Implementation, which usually takes place on a set date, often after a break in production or a
holiday period so that time can be used to get the hardware and software for the new system
installed without causing too much disruption.
85
Fig. 3.1:Cut-off or Direct implementation

The challenge in cut-off implementation is that roll-back is most difficult and hence planning
must be meticulously done. Also, conversion activity must start well in advance and must be
properly planned.
Phased Changeover: With this strategy, implementation can be staged with conversion to the
new system taking place gradually. This is done based on business operations. For example,
converting one function (e.g. Marketing) on new system, wait for the same to be stabilized and
then take another function (Finance/HR/Production etc.) When one phase is successful the
next phase is started, eventually leading to the final phase when the new system fully replaces
the old one as shown in Fig. 3.2.
Fig. 3.2: Phased changeover

Phase changeover might require more time to implement however it helps in stabilizing one
function before starting another.
Pilot Changeover: With this strategy, the new system replaces the old one in one operational
area or with smaller scale. Any errors can be rectified and new system is stabilized in pilot
area, this stabilized system is replicated in operational areas throughout the whole system.
For example, converting banking operations to centralized systems are done at one branch
and stabilized. The same process is replicated across all branches. Fig. 3.3 depicts Pilot
Implementation.
86
Fig. 3.3: Pilot Changeover

Advantage of pilot implementation is that issues and problems are identified and rectified
during pilot run and a stabilized system is implemented thus saving cost and enabling faster
implementation.
Parallel Changeover: This is considered the most secure method, time and resource
consuming implementation. The new systems is implemented, however the old system also
continues to be operational. The output of new system is regularly compared with old system.
If results match over period of time and issues observed with new system are taken care of,
the old system is discontinued. Fig. 3.4 shows parallel implementation.
Fig. 3.4: Parallel Changeover

However, it is costly and may not be feasible in large and complex systems, since all
transactions must be processed twice. Many times, users may not be conformable in
duplicating the work.
3.8.2 Preparing for Implementation

In order to finally deploy or implement the new system in the operating environment, several
activities are undertaken. A fully functional as well as documented system is a prerequisite for
87
implementation to begin. Moreover, many other issues like defect removal, maintenances,
reengineering may require to be addressed to assure the desirable quality control of the
system in operational environment.
The process of ensuring that the information system is operational and then allowing users to
take over its operation for use and evaluation is called System Implementation.
Implementation includes all those activities that take place to convert from the old system to
the new. The new system may be totally new, replacing an existing manual or automatic
system. Some of the generic key activities involved in System Implementation are:
 Site preparation and hardware installation
 Conversion of data to the new system files;
 Training of end users;
 Completion of user documentation;
 System changeover
 Post implementation review and evaluation
Site Preparation and Installation: The hardware required to support the new system is
selected prior to the implementation phase. The necessary hardware should be ordered in
time to allow for installation and testing of equipment during the implementation phase. An
installation checklist should be developed at this time with operating advice from the vendor
and system development team. In situations, where people are not experienced in the
installation of similar hardware/platform/equipment, adequate time should be planned to allow
completion of required activities.
Site Preparation: An appropriate location as required to provide an operating environment for
system (temperature, humidity and dust control specifications) has to be prepared in time.
Installation of New Hardware / Software: Site preparation also includes receiving, installing
and connecting the hardware and supporting software (like operating systems, middleware
etc.). In case the hardware is available, the same needs to be commissioned for the new
application as per design requirements.
Equipment Checkout: The equipment must be turned on for testing under normal operating
conditions. Though the routine 'diagnostic tests' should be run by the vendor, the in-
house implementation team should test the equipment functionalities in actual working
conditions.
3.8.3 Conversion
Conversion of data is most important activity while implementing new application system or
when there is significant change in technology requiring conversion. The Conversion activity
88
involves converting data, procedures, documentation from old system to new system. Most
important being data conversion.
Data Conversion: The requirement of data conversion depends upon the change. If the new
application is replacing manual operation to automated operation it involves:
1. Capturing of data into electronic form
2. Verification of data
3. Uploading into database
In case change is from old system to new system, it involves:
1. Converting electronic data from old format to new format
2. Verification
3. Uploading into new database.
Since data conversion is a type of input, controls on conversions are essential to ensure
integrity of data. These controls generally include:
1. Completeness Check: Using number of records, control totals, batch totals, hash
totals. For example, verifying number of employee’s record, checking trial balance before and
after conversion etc.
2. Accuracy Check: Manual verification or key verification (manual to electronic
conversion)
Unauthorized changes during conversion are one of the sources of frauds.
Procedure Conversion: Changes in application systems may require changes in operating
procedures and associated controls. Operating procedures should be carefully completed with
sufficient documentation pertaining to operations on how to use the new system. It applies to
both computer-operations and functional area operations. Before conversion activities can
start, conversion procedures must be defined and personnel involved must be trained to cover
input, data files, methods, procedures, output, and internal control.
For example, during manual operation in banking every transaction is verified before being
posted to account and then the effect of transaction is reflected in general ledger. However in
electronic banking system transactions are flagged with type of transaction and posted to
general ledger. Hence verification of transaction is most essential in new system.
System Conversion: After on-line and off-line files have been converted and the reliability of
the new system has been confirmed for a functional area, daily processing can be shifted from
the existing information system to the new one. All transactions initiated after this time are
processed on the new system. System development team members should be present to
89
assist and to answer any questions that might develop. Consideration should be given to
operating the old system for some more time to permit checking, matching and balancing the
total results of both systems.
Scheduling Personnel and Equipment: Scheduling data processing operations of a new
information system for the first time is a difficult task for the system manager. As users
become familiar with the new system, the job becomes easier to perform and becomes part of
the routine work. Schedules should be set up by the system manager in conjunction with
departmental managers of operational units serviced by the equipment. The master schedule
for next period/month should provide sufficient computer time to handle all required
processing.
3.9 Change Management Process

Application maintenance refers to the process of managing changes in the application and IT
triggered or prompted due to changes in processes, regulatory compliances, and strategic
changes in business, technology changes and so on. Changes also arise due to issues,
problems, incidents faced. In order to handle changes organization should have a defined
process. This process generally includes:
1. Raising Change Request: Formal process for requesting change. Anyone can raise
the Change Request with reason for the change, a cost justification analysis, if possible and
the expected benefits of the change. An automated process for raising Change Requests
helps in capturing all associated changes and maintaining record of change requests.
2. Defining Requirements: Defining details of changes required, like functional changes,
appearance changes, processing changes. (e.g. change in tax structure may require
processing changes, if tax slabs are displayed then appearance changes and so on)
3. Analysing Requirements: Getting answers to the questions such as: why change is
required, when it should be effective, who needs it, where the changes are required, what
programs/modules/function is affected, how the changes will be carried out and so on.
4. Impact Analysis: What will be impact of changes on processes and other related
programs that interface with application that need to be changed or how changes in
technology shall affect the processing.
5. Approval of change: Changes must be approved by the asset owners, i.e. application
owners in case of application change and other stakeholders that might be impacted.
Sometimes it is difficult to decide who has appropriate authority to approve change due to
impact on multiple processes. To overcome such situations organizations forms a Change
Approval Board or Committee (CAB) consisting of representatives from multiple business
functions.
90
6. Prioritizing the Change Requests: This is required to resolve the conflict due to
multiple Change Requests from different users.
7. Carrying out Changes: System Analyst shall review the changes and decide
appropriate resources to carry out changes. Records of all program changes should be
maintained. Library management software may help in automating this process and also
maintaining audit trail. The maintenance information usually consists of the programmer ID,
time and date of change, project or request number associated with the change, and before
and after images of the lines of code that were changed. This also helps in preventing and/or
detecting unauthorized changes.
8. System Document Maintenance: All relevant System Documentation updating
sometimes is neglected area during change management. It is essential to ensure the
effective utilization and future maintenance of a system, Documentation requiring revision may
consist of program and/or system flowcharts, program narratives, data dictionaries, entity
relationship models, data flow diagrams (DFDs), operator run books and end-user procedural
manuals. In case of infrastructure changes network diagrams. data centre block diagrams,
electrical and facility diagrams etc. are likely to undergo changes.
9. Testing the Changes: Changes will be tested as per testing process (Please refer
subsection on testing). However, for testing changes, following points must be considered:
o Existing functionalities are not affected by the change
o System performance is as expected
o Security vulnerabilities are not introduced
This also includes conducting user acceptance testing and formal sign-off from users/owners.
(E-mail, electronic approval in automated system, document etc.)
10. Releasing Changes: Changes shall be released to production once approved by
stakeholders (UAT). Ensure fall-back procedures in place in case operations are affected due
to change. Automation of this process shall help management in restricting one person
requiring access to production, test and development environment.
11. Review: Post implementation/release review may be conducted.
12. Record Maintenance: Change Requests should be maintained in a format that will
ensure that all changes associated with primary change requests are considered. This allows
the management to easily track the changes to change requests. The process must be formal
and maintain record of all approvals and rejections.
For acquired systems vendor may distribute periodic updates, patches or new version of the
software. User and systems management should review such changes for impact and
appropriateness before implementing.
91
While reviewing change management IS Auditor should ensure that:

 Access to source program is restricted.
 Change Requests are approved and record is maintained to trace and track the
changes.
 Impact assessment is performed before approving changes.
 The Change Request should be documented in standard format covering at the
minimum:
o Change specifications, benefit analysis developed and a target date.
o Change form has been reviewed and impact assessment is recorded.
o Change Request has been approved formally
 Verify records of changes for sample changes made and trace end-to-end (from request
till closure) confirm that the changes are authorized, approved, and moved to
production after UAT.
3.9.1 Emergency Changes

In exceptional situations there may be need to make changes to production to resolve issues
in time. This requirement can arise due to one or more reasons like:
 Events/incidents
 Short notice requirement changes (due to external incidents/events: terrorist attacks,
natural disasters, etc.)
 Infrastructure failure
 Production issues due to unexpected data conditions
Procedures should focus to ensure that emergency changes can be performed without
compromising the integrity of the system. Organization should have a process for carrying out
emergency changes. The process may consist of following steps:
1. Identify need for emergency change (process issue, incident/event etc.)
2. Determine activities involved. Generally, it may involve providing all accesses to one
person. A special user ID may be created with higher privileges for this purpose and all
activities are logged and reviewed.
3. A post-facto change management process must be followed, so as to ensure
consistency in documents, source-code library, network diagram etc. as applicable.
92
The IS Auditor has to ensure that emergency changes are handled in a controlled
manner.
3.9.2 Implementing Changes into Production

Changes are implemented into production environment once they are approved by the user
management (UAT sign-off). The best practices suggest that this implementation should be
done by independent team not involved in development or testing of changes. In case of
client-server applications or distributed systems, such as point-of-sale systems, the process
should be properly documented and implemented over a period of time to ensure:
 Conversion of data
 Training of users
 Support process for changes
 Rollback plan
 All points are updated
3.9.3 Segregation of Duties

Uncontrolled change management has risk associated with unauthorized changes. An
unauthorized change occurs due to various reasons:
 Developer has access to production libraries containing programs and data including
object code.
 User has not approved change or not aware of the change
 A change procedure has not been formally established.
 A change was updated into production without user approval.
 The change has not been reviewed or tested.
 Developer inserted extra logic for personal benefit (i.e., committed fraud).
 In case of vendor software, changes received were not tested.
In order to control unauthorized changes segregation of duties has to be implemented at
organization level. The typical segregation includes following controls at the minimum:
 Development, Test and Production environments to be physically separated.
 Developers’ team, Testing team and Production user should not have access to other
areas. I.e. developers should not have access to test and production and so on.
 Source code must be maintained by librarian. At least control must be in place to
prevent or detect insertion of unauthorized code.
93
 A separate change control team or release team should be appointed to move

source/object code from development to test and from test to production.
It may not be possible for some organizations to implement strict segregation of duties, in
such situation appropriate compensating controls should be present to prevent or detect and
correct unauthorized changes. Some such situations may arise due to:
1. The developer is also the operator due to small IT department. In this case user
management required to ensure proper authorization and monitoring of changes and
upgrades made by the programmer.
2. Emergency changes to resolve the issues in production.
3. In case separate release team is not possible, compensating control by enabling user
ID of user who moves changes from development to test and/or test to production only
after approval, and monitoring activities may work as compensating control.
4. Developers should not have written, modify or delete access to production data.
Depending on the type of information in production, programmers may not have read-
only access to personally identifiable information.
3.9.4 Configuration Management

Configuration Management refers to automated processes that organizations install to
maintain all information assets and work-flows required to maintain them. The backend of
such system is a data base called a Configuration Management Data Base (CMDB); hence
sometimes the system is also referred to as CMDB.
Configuration Management system helps in maintaining information about system as a
collection of Configuration Items (CI). A CI can be a module/function/program or database
instance of IT asset associated with a system and referenced with an ID. Workflows around
the CMDB consist of workflows for Change Management, configuration management etc.
Change Management requests must be formally documented and approved by a change
control group within CMDB. CMDB then manages the change process via checkpoints,
reviews and sign-off procedures that generates audit trails.
Configuration Management sometimes may provide procedures throughout the software life
cycle (from requirements analysis to maintenance) to identify, define and baseline software
items in the system and thus provide a basis for Problem Management, Change Management
and Release Management. However, though it sounds easy, proper implementation of CMDB
is a necessary requirement (which must follow SDLC process for acquired Software).
Software Configuration Management requires following tasks to be performed:
1. Develop Configuration Management Plan.
94
2. Baseline Application and Associated Assets.

3. Analyze results of Configuration Control.
4. Develop Monitoring of Configuration Status.
5. Develop Release Procedures.
6. Define and implement Configuration Control activities (such as identification and
recording of Change Requests.)
7. Update the Configuration Status Accounting Database.
A Configuration Management Tool supports change and release management by supporting
following activities:
1. Identification of items affected by a proposed change
2. Help in impact assessment by providing information
3. Recording configuration items affected by changes
4. Implementation of changes as per authorization
5. Registering of configuration item changes when authorized changes and releases are
implemented
6. Recording of original configuration to enable rollback if an implemented change fails
7. Preparing a release to avoid human errors and resource costs
3.10 Summary
Testing is a process that focuses on correctness, completeness and quality of developed
computer software. Although the testing phase comes much later in the life cycle, planning for
testing starts with the commencement of System Development Life Cycle i.e. during
requirement gathering phase. Testing should systematically uncover different classes of errors
in a minimum amount of time with a minimum amount of efforts. The data collected through
testing can also provide an indication of the software's reliability and quality. However, testing
cannot show the absence of defect, it can only show that software defects are present.
3.11 Questions
1. Which of the following is main reason to perform User Acceptance Test (UAT)?
A. To train and educate users on features of new solution.
B. To confirm from users that solution meets requirements.
C. To complete formality of sign-off to mark end of project.
D. To finalize the implementation plan for new IT solution.
95
2. An organization has developed a web-based application for the use of internal

users to be hosted on intranet. Before finalizing and making it live it was decided
to make it available to users for providing feedback. This is an example of:
A. Internal Audit
B. Alfa Testing
C. Beta Testing
D. User Training
3. A major concern associated with using sanitized old production data for testing
new application is that:
A. User may not provide sign off.
B. Production data may be leaked.
C. Integration testing cannot be performed.
D. All conditions cannot be tested.
4. A tester is executing a test to evaluate that it complies with the user requirement
that a certain field be populated by using a dropdown box containing a list of values.
Tester is performing __________
A. White-Box Testing
B. Black-Box Testing
C. Load Testing
D. Regression Testing
5. What is the order in which test levels are performed?
A. Unit, Integration, System, Acceptance
B. Unit, System, Integration, Acceptance
C. Unit, Integration, Acceptance, System
D. It depends on nature of a project
6. Which testing is concerned with behavior of whole product as per specified
requirements?
A. Acceptance Testing
B. Component Testing
C. System Testing
D. Integration Testing
96
7. Verifying that whether software components are functioning correctly and

identifying the defects in them is objective of which level of testing?
A. Integration Testing
B. Acceptance Testing
C. Unit Testing
D. System Testing
8. Which technique is applied for usability testing?
A. White Box
B. Black Box
C. Grey Box
D. Combination of all
9. If a company decides to migrate from Windows XP to Windows 7, which type of
testing is done to ensure whether your software works on new platform?
A. Interoperability Testing
B. Portability Testing
C. Usability Testing
D. Performance Testing
10. Boundary value analysis belongs to?
A. White Box Testing
B. Black Box testing
C. White Box & Black Box testing
D. None of the above

1. B is the correct answer. UAT is mainly conducted to confirm from the users and
application owners that application meets their requirements. Option C is a formality to
be completed only if requirements are met. Training and implementation planning are
different activities which are not dependent on UAT.
2. C is the correct answer. Beta testing is making product available to users for feedback
before launching. Option A Internal Audits seek to identify any shortcomings in a
company's internal controls. Option B Alpha Testing is performed by the developers to
97
identify bugs before releasing the product to real or intended users. Option D User
Training helps successful system implementation.
3. D is the correct answer. Sanitized data generally may not cover all paths the data can
take and hence system cannot be tested for all possible cases. Option B leakage of
production data is not a major concern since data is sanitized. Options A and C are not
concerns.
4. B is the correct answer. Black Box testing focuses on the inputs and outputs without
knowing their internal code implementation. Option A White Box testing evaluates the
code and the internal structure of a program. Option C Load Testing is performed to
determine a system's behaviour under both normal and at peak conditions. Option D
Regression Testing is defined as a type of software testing to confirm that a recent
program or code change has not adversely affected existing features.
5. D is the correct answer. Test levels can be combined or reorganized depending upon
nature of a project or system architecture. Unit testing refers to test a function,
individual program or even a procedure. Integration Testing allows individuals to find
interface defects between the modules/functions. System Testing is the first level in
which the complete application is tested as a whole. Acceptance Testing (or User
Acceptance Testing) determines whether the system is ready for release.
6. C is the correct answer. System Testing is based on Functional Requirement
Specification (FRS), which tells about general behavior of a system. Acceptance testing
(or User Acceptance Testing) determines whether the system is ready for release.
Component Testing, also known as Unit, Module or Program Testing, is defined as a
software testing type, in which the testing is performed on each individual component
separately without integrating with other components. Integration testing allows
individuals to find interface defects between the modules/functions.
7. C is the correct answer. Separately testable components are tested in Unit Testing or
Component Testing. A Unit Testing tends to test a function, individual program or even
a procedure. Option B Acceptance Testing (or User Acceptance Testing) determines
whether the system is ready for release. Option A Integration Testing allows individuals
to find interface defects between the modules/functions. Option D System Testing is the
first level in which the complete application is tested as a whole.
8. B is the correct answer. Usability Testing is mostly done by users. They are not familiar
with internal structure of the system and hence Black Box technique is correct answer.
Option A White Box testing evaluates the code and the internal structure of a program.
Option C Grey Box testing is a process for debugging software applications by making
an input through the front-end, and verifying the data on the back-end. Option D does
not exist.
98
9. B is the correct answer. Portability Testing shows the ease with which a computer
software component or application can be moved from one environment to another, e.g.
moving of any application from Windows XP to Windows 7. Option A Interoperability
testing checks whether software can inter-operate with other software component,
software or systems. Option C Usability Testing, is a non-functional testing technique
that is a measure of how easily the system can be used by end users. Option D
Performance Testing is the process of determining the speed, responsiveness and
stability of a computer, network, software program or device under a workload.
10. B is the correct answer. Boundary Value Analysis is based on testing at the boundaries
between partitions and checks the output with expected output. Option A White Box
testing evaluates the code and the internal structure of a program. Option C also known
as Grey Box testing is a process for debugging software applications by making an
input through the front-end, and verifying the data on the back-end. Option D is not
applicable.
99
Chapter 4
Application Controls
Learning Objectives
After studying this chapter, you will be able to have basic understanding of Application
Controls and types of Application Controls. You will also learn the mapping of Application
Controls to business processes, and the role of auditors.
4.1 Introduction
Most Application Control solutions also allow for visibility into applications, users, and content.
This is helpful for understanding the data of the enterprise and controls, its storage locations,
which users have access to it, the access points, and the data transmission process. These
steps are required for data discovery and classification for risk management and regulatory
compliance. Application Control supports these processes and allows organizations to keep
their finger on the pulse of what is happening within their network.
Application Control gives companies and organizations knowledge about key areas regarding
applications, web traffic, threats, and data patterns. Users can also benefit from Application
Control by gaining a better understanding of applications or threats, applications’ key features
and behavioral characteristics, details on who uses an application, and details on those
affected by a threat. Organizations also gain knowledge about traffic source and destination,
security rules, and zones to get a complete picture of application usage patterns, which in turn
allows them to make more informed decisions on how to secure applications and identify risky
behavior. While they are making those decisions, the Application Control solution is
automatically protecting the network with whitelisting and blocking capabilities.
4.2 What is Application Control?

Application Control is a security practice that blocks or restricts unauthorized applications from
executing in ways that may put data at risk. The control functions vary based on the business
purpose of the specific application, but the main objective is to help ensure the privacy and
security of data used by and transmitted between applications.
Application Control includes:
 Logical access controls (i.e., those that limit access to application functionality)
 Data entry/field validations (e.g., validation of entered credit card numbers)
 Business rules
 Work flow rules (e.g., routing and sign-off of purchase requests)

 Field entries being enforced based on predefined values (e.g., pricing information)
 Work steps being enforced based on predefined status transitions (e.g., open >
reviewed > closed)
 Reconciliations
 Review and follow-up of application-generated exception reports
 Automated activity logs
 Automated calculations
 Management and audit trails
Simply put, Application Controls ensure proper coverage and the Confidentiality, Integrity, and
Availability of the application and its associated data. With the proper Application Controls,
businesses and organizations greatly reduce the risks and threats associated with application
usage because applications are prevented from executing if they put the network or sensitive
data at risk.
4.2.1 Features and Benefits of Application Control

Companies have grown increasingly dependent upon applications in day-to-day business
operations. With web-based, cloud-based, and third-party applications at the core of today’s
business processes, companies are faced with the challenge of monitoring and controlling
data security threats while operating efficiently and productively. Most Application Control
solutions include whitelisting and blacklisting capabilities to show organizations which
applications to trust and allow to execute and which to stop. With Application Control,
companies of all sizes can eliminate the risks posed by malicious, illegal, and unauthorized
software and network access.
Key features and benefits of Application Control:
 Identify and control which applications are in your IT environment and which to add to
the IT environment
 Automatically identify trusted software that has authorization to run
 Prevent all other, unauthorized applications from executing – they may be malicious,
untrusted, or simply unwanted
 Eliminate unknown and unwanted applications in your network to reduce IT complexity
and application risk
 Reduce the risks and costs associated with malware
101
 Improve your overall network stability

 Identify all applications running within the endpoint environment
 Protect against exploits of unpatched OS and third-party application vulnerabilities
4.3 Types of Application Controls

Application Controls are controls over input, processing and output functions. Application
Control ensures that:
 Only complete, accurate and valid data are entered and updated in a information
system
 Processing accomplishes the intended task
 Processing results meet expectations and
 Integrity of data is maintained
4.3.1 Input Controls

Input Control procedures must ensure that every transaction to be processed is entered,
processed and recorded accurately and completely. These controls must ensure that only
valid and authorized information is input and that these transactions are processed once only.
In an integrated systems environment, output generated by one system is the input for another
system.
Input Authorization verifies that all transactions have been authorized and approved by
management. Types of authorization include:
 Signature on batch forms and source documents
 Online access controls
 Unique passwords
 Terminal or client workstation identification
 Source documents
Batch Controls group input transactions to provide control totals. The batch control can be
based on total monetary amount, total items, total documents or hash totals.
Input processing require that controls be identified such that only correct data are accepted
into the system and input errors are recognized and corrected.
Input Error Handling can be processed by:
 Rejecting only transactions with errors
102
 Rejecting the whole batch of transactions

 Holding the batch in suspense
 Accepting the batch and flagging error transactions
Ideally all source documents should be appropriately controlled.
4.3.2 Processing Controls

Processing Controls ensure the reliability of application program processing. IS Auditor need
to understand the procedures and controls that can be evaluated.
Data Validation and Editing Procedures should be established to ensure that input data are
validated and edited as close to the time and point of origination as possible. There should be
system of logging in case any override happens and logs should be reviewed.
Processing Controls ensure the completeness and accuracy of accumulated data. Some of the
processing control techniques are:
 Manual recalculation
 Editing
 Run-to-run totals
 Programmed controls
 Reasonable verification of calculated amounts
 Limit check on amounts
 Reconciliation of file totals
 Exception reports
Data File Procedures ensure that only authorized processing occurs to stored data. Data file
controls are:
 Before and after image processing
 Maintenance of error reporting and handling
 Source documentation
 Internal and external labeling
 Version usage
 Data file security
 One-for-one checking
103
 Pre-recorded input
 Transaction logs
 File updating and maintenance authorization
 Parity checking
The control over data files or database tables are of four categories:
 System control parameters
 Standing data
 Master data/ balance data
 Transaction files
4.3.3 Output Controls

Output Controls provide assurance that the data delivered to users will be presented,
formatted and delivered in a consistent and secure manner. These include:
 Logging and storage of negotiable, sensitive and critical forms in a secure place
 Control over computer generated negotiable instruments, forms and signatures
 Report accuracy, completeness and timeliness
 Report generated from the system
 Report distribution
 Balancing and reconciling
 Output error handling
 Output report retention
 Verification of receipt of reports
4.3.4 Business Process Control Assurance

In an integrated application environment, controls are embedded and designed into the
application that supports the processes. Business Process Control Assurance evaluates
controls at process and activity level and may be a combination of management, programmed
and manual controls. In general Business Process Control Assurance considers:
 Process and data flow mapping
 Process controls
 Assessing business risks within the process
104
 Benchmarking with best practices

 Roles and responsibilities
 Activities and tasks
 Data restrictions
4.4 Application Control Objectives

Application Controls are intended to provide reasonable assurance that management’s
objectives relative to a given application have been achieved. Management’s objectives are
typically articulated through the definition of specific functional requirements for the solution,
the definition of business rules for information processing and the definition of supporting
manual procedures. Examples include:
 Completeness—The application processes all transactions and the resulting
information is complete.
 Accuracy—All transactions are processed accurately and as intended and the resulting
information is accurate.
 Application Controls can be viewed as those policies, procedures and activities
designed to provide reasonable assurance that objectives relevant to a given
automated solution are achieved.
 Validity—Only valid transactions are processed and the resulting information is valid.
 Authorization—Only appropriately authorized transactions have been processed.
 Segregation of Duties—The application provides for and supports appropriate
segregation of duties and responsibilities as defined by management.
To satisfy business objectives, information needs to conform to certain control criteria:
 Effectiveness—Deals with information being relevant and pertinent to the process as
well as being delivered in a timely, correct, consistent and usable manner
 Efficiency—Concerns the provision of information through the optimal (most productive
and economical) use of resources
 Confidentiality—Concerns the protection of sensitive information from unauthorized
disclosure.
 Integrity—Relates to the accuracy and completeness of information as well as to its
validity in accordance with business values and expectations.
 Availability—Relates to information being available when required by the process now
and in the future. It also concerns the safeguarding of necessary resources and
associated capabilities.
105
 Compliance—Deals with complying with the laws, regulations and contractual

arrangements to which the process is subject, i.e., externally imposed business criteria
as well as internal policies.
 Reliability—Relates to the provision of appropriate information for management to
operate the entity and exercise its fiduciary and governance responsibilities
4.5 Designs and Implementation of Application Controls

Enterprises regularly consider business and functional requirements as part of application
design, but mostly do not explicitly consider ‘control’ requirements. This can create
implementation and operational challenges if necessary, controls are not built into the solution
from the start and a ‘retrofit’ of control activities post-implementation is required. In addition to
the costs associated with fixing integrity problems, retrofitting controls post-implementation
can be very costly. Management should ensure that control requirements are appropriately
identified, based on the business risks, and included in functional requirements.
Management can optimize the efficiency and effectiveness of its control design through a
balance of various attributes, types and nature of control activities. For example:
 Should a given control activity be a manual activity, automated or some combination of
both—a hybrid control? If automated, should the control be designed to be
‘configurable’ to facilitate changes to business rules over time?
 Is it more cost-effective/efficient to design the control activity to prevent errors from
occurring or to design a procedure that would detect any error situations should they
arise?
 Is the frequency of the control, the proximity of the control activity to the risk event and
the role of the individual performing the activity going to be sufficient to reduce the risk
of error conditions to an acceptable level?
 Will the benefits to be realized from reducing a risk outweigh the cost of building, testing
and performing the added control activity?
Because testing validates whether or not the designed control activities operate as they were
intended, it is essential that the systems accreditation activities include testing of these
Application Control activities. Having a clearly documented trail of testing automated
Application Controls, the automated components of hybrid and configurable controls may also
provide the necessary evidence to demonstrate the effective operation of these controls.
Having a clearly documented trail of testing/ validation of manual controls, the manual
activities associated with hybrid controls can reinforce their viability and user understanding of
the activities.
106
In approving the design and implementation of Application Controls, management needs to

consider the relative efficiency and effectiveness associated with various control design
choices and be satisfied that the controls designed are cost-effective and achieve the control
objectives, and the relevant information criteria are satisfied.
Assessing risks, identifying relevant control objectives and determining the sufficiency of
design of Application Controls are as relevant to existing applications as they are to new
applications being acquired/developed and implemented.
Automated Application Controls should be used wherever possible to provide a more cost-
effective and sustainable system of internal controls, but they require effective IT general
controls.
Responsibility for design and implementation of Application Controls is shared. Business
management is accountable for ensuring that Application Control requirements have been
appropriately designed and implemented to meet the business objectives. IT management is
accountable for developing Application Controls in accordance with business requirements.
4.6 Application Controls and the System Development Life

Cycle
A number of SDLC models exist to develop or acquire the application systems to meet the
needs of enterprises. The ‘Waterfall’ SDLC approach is perhaps the best known of these
models and is based on systematic, sequential phases of application development (or third-
party purchase) in which the output of each stage becomes the input for the next. Iterative
development approaches such as Agile are also becoming popular. Agile includes multiple
repetitions (or iterations) in small, workable pieces of functionality. Each iteration passes
through the development cycle, including planning, requirements analysis, design, coding and
testing, with a focus on delivering measurable business value early, continually improving it
and adding functionality throughout the life cycle of the project. Regardless of the SDLC
approach that enterprises follow, integrating the design, development and implementation of
Application Controls is an important step to ensure that the information criteria and
management’s control objectives are met from the outset of system implementation. Defining
Application Controls should be a discrete step in each SDLC process, along with steps
associated with defining other business functionality requirements.
Some enterprises use enterprise data modeling to generate an integrated view of the data
produced and consumed across the enterprise. An enterprise data model represents a single
integrated definition of data, independent of ‘how’ the data are collected, stored, processed or
accessed. As part of defining its data, an enterprise can include a complete range of business
requirements for those data and associated information systems, including the CobiT 2019
information quality criteria.
107
4.7 Business Processes and Application Controls

Business Process controls are activities designed to achieve the broad range of management
objectives for the process as a whole. Application Controls, on the other hand, are the sub-set
of Business Process controls that relate specifically to the applications and related information
used to enable those business processes. Figure 4.1 illustrates the relationship between
Application Controls and Business Process controls.
Application
Controls
Accomplish
Application
Controls
Enable
Application
Controls
Achieve
Application
Controls
Figure 4.1 Business Goals and Objectives
108
4.7.1 Business Risks and Information Processing

There are a number of risks associated with any business process and complex processing of
business information will introduce further risks. While automated solutions can be much more
reliable than manual procedures, this will be the case only if the key risks within the
automated solutions have been identified and appropriate controls have been implemented.
While not intended to be comprehensive, examples of some key information-related risks and
information processing-related risks include:
Incomplete and/or inaccurate information processing—This risk relates to errors that may
be made during the collection, input or processing of information.
Invalid or unauthorized transactions being processed—While the previous risk relates to
errors that may be made relative to processing legitimate business transactions, this risk
relates to the risk of erroneous or illegitimate transactions being processed.
Unauthorized changes to standing data—This is the risk of unauthorized changes to
information subsequent to processing by the system.
Bypasses, overrides, manual entries that circumvent controls—This is the risk of misuse
of bypasses, overrides or manual entries to avoid automated Application Controls (these
functions are inherent in most, if not all, application systems).
Inefficiencies—This risk relates to incurring unnecessary cost or delays during the collection,
input, processing, output or transfer of information.
Loss of confidentiality—This risk relates to the inadvertent or intentional disclosure of
information that has been identified by management to be sensitive or confidential (such as for
business or regulatory compliance reasons).
Unavailability of information—Information is not available when required, causing
unnecessary processing delays and inability to make appropriate decisions.
Lack of integrity—This risk relates to lack of reliability of data processed.
4.8 Application Controls Assurance

What is Assurance?
Formal standards such as the International Auditing and Assurance Standards Board’s
(IAASB’s) International Framework for Assurance Engagements (IAASB Assurance
Framework) may be referenced for concepts and guidance for assurance. However, these
standards are developed and presented from the perspective of an independent auditor
providing assurance to third parties. In this publication, ‘Assurance’ is used in a broader
context than ‘Audit’ and covers evaluation activities not governed by internal and/or external
auditing standards.
109
Common examples of Assurance

Common examples of situations involving the provision of Assurance include:
 Financial Statement Audit Opinion—The opinion of the independent auditors
(Assurance provider) to the board of directors and shareholders (interested parties) that
the enterprise’s financial statements (subject matter) are fairly stated (conclusion) in
accordance with Generally Accepted Accounting Principles (criteria)
 Internal Audit Report on review of a given business process—Report by the
Internal Auditor (Assurance provider) to management and the board of directors
(interested parties) that the risks within the given business process (subject matter) are
being appropriately mitigated (conclusion) based on the COSO ERM framework
(criteria)
 ISO 27001 Accreditation—An accreditation, often for public display (interested
parties), as a result of an examination conducted by an authorized accreditation
enterprise (Assurance provider) that the enterprise’s Information Security Management
System (subject matter) complies with the criteria established by ISO 27001 (criteria)
 Service Auditor Reports—The audit and corresponding opinion provided by an
independent service auditor (Assurance provider) that the internal control activities of
the service enterprise (subject matter) have been appropriately designed and operate
effectively (conclusion) to achieve control objectives of interest to the user enterprises
and their auditors (interested parties)
 Management Assertion on Internal Controls as required by Sarbanes-Oxley
Section 404—The assertion by management (Assurance provider) to the shareholders
and capital markets (interested parties) that internal controls over financial reporting
have been appropriately designed and are operating effectively (conclusion), in
accordance with an internal control framework such as COSO (criteria)
 CIO ‘Sub-Certification to the Chief Financial Officer (CFO)/CEO as to the reliability
of IT general controls—The ‘Certification’ by the CIO (assurance provider) that the IT
general controls within his/her span of control and relevant to financial reporting
(subject matter) have been appropriately designed (conclusion) in accordance with
CobiIT (criteria) and are operating effectively (conclusion)
4.8.1 Assurance over Application Controls

Application Controls relate to the transactions and master file, or standing data pertaining to
each automated application system, and are specific to each application. They ensure the
accuracy, integrity, reliability and confidentiality of the information and the validity of the
entries made in the transactions and standing data resulting from both manual and automated
processing.
110
The objectives relevant for Application Controls generally involve ensuring that:
 Data prepared for entry are authorized, complete, valid and reliable.
 Data are converted to an automated form and entered into the application accurately,
completely and on time.
 Data are processed by the application accurately, completely and on time, and in
accordance with established requirements.
 Data are protected throughout processing to maintain integrity and validity.
 Output is protected from unauthorized modification or damage and distributed in
accordance with prescribed policies.
Providing assurance over Application Controls typically involves an assurance provider (the
process/application owner, internal auditor, external auditor, etc.) following a process for
gathering sufficient evidence that the Application Controls (subject matter) are appropriately
designed and are operating effectively (conclusion) relative to established criteria (such as
COBIT Application Control objectives).
Materiality
Materiality needs to be considered in determining whether a given set of Application Controls
is sufficient to satisfy the control objectives and criteria. The assessment of what is material is
a matter of professional judgment and includes consideration of the potential effect on the
enterprise’s ability to meet its business objectives in the event of errors, omissions,
irregularities and illegal acts that may arise as a result of control weaknesses. Materiality can
be used as a:
 Factor in determining the amount of evidence necessary to support the assurance
provider’s conclusion
 Measure of the significance of a finding relative to the subject matter
When conducting or supporting financial statement audits, assurance providers ordinarily
measure materiality in monetary terms since what they are auditing is also measured and
reported in monetary terms. Application Control assurance providers may be required to
provide assurance on non-financial systems (e.g., Air Traffic Control system) or records (e.g.,
Healthcare Diagnostic Codes) and, therefore, alternative measures are required. With respect
to a specific control objective, a material control is a control or group of controls without which
control procedures do not provide reasonable assurance that the control objective will be met.
ISACA IS Auditing Guideline G6 Materiality Concepts for Auditing Information Systems
specifies that where the assurance objective relates to systems or operations processing
financial transactions, the value of the assets controlled by the system(s) and the value of
transactions processed per day/week/month/year should be considered in assessing
materiality.
111
For systems and controls not affecting financial transactions, the following are examples of
measures that could be considered to assess materiality:
 Criticality of the business processes supported by the system or operation
 Cost of the system or operation (e.g., hardware, software, staff, third-party services,
overhead costs and/or a combination of these)
 Potential cost of errors (possibly in terms of reputational risk, loss of client/consumer
trust, lost sales, warranty claims, irrecoverable development costs, cost of publicity
required for warnings, rectification costs, health and safety costs, unnecessarily high
costs of production, high wastage)
 Number of accesses/transactions/inquiries processed per period
 Nature, timing and extent of reports prepared and files maintained
 Nature and quantities of materials handled (e.g., where inventory movements are
recorded without values)
 SLA requirements and cost of potential penalties
 Penalties for failure to comply with legal and contractual requirements
 Loss of end-user productivity
 Degradation of end-user efficiencies
Detection Risk is the risk that an incorrect conclusion is reached by the Assurance provider
regarding the presence (or absence) of material misstatement of the subject matter. In the
context of Application Controls, the risk of an incorrect conclusion could, for example, be the
risk of concluding that the Application Controls operated effectively when, in reality, they did
not. Detection risk is a function of the risk of material error or control failure and the risk that
the Assurance provider will not detect associated errors or control failures. The risk of material
error has two components:
 Inherent Risk—The susceptibility of the subject matter (such as an assertion by the
responsible party) to a misstatement that could be material
 Control Risk—The risk that a material misstatement could occur in an assertion and
not be prevented, detected or corrected on a timely basis by the entity’s internal
controls When planning an assurance activity, it is important to consider the inherent
risk associated with the subject matter to determine the nature and extent of procedures
and to design those procedures to reduce detection risk to an acceptable level.
4.9 Summary
Application Control may consist of edit tests, totals, reconciliations and identification and
reporting of incorrect, missing or exception data. Automated controls should be coupled with
manual procedures to ensure proper investigation of exceptions. These controls help ensure
112
data accuracy, completeness, validity, verifiability, and consistency, thus achieving data
integrity and data reliability. Implementation of Application Controls helps ensure system
integrity, that applicable system functions operate as intended, and that information contained
by the system is relevant, reliable, secure and available when needed.
4.10 Questions
1. A company’s labour distribution report requires extensive corrections each
month because of labour hours charged to inactive jobs. Which of the following
data processing input controls appears to be missing?
A. Completeness Test
B. Valid Code Check
C. Limit Test
D. Control Total
2. A customer inadvertently orders part number 1234-8 instead of 1243-8. Which of
the following controls would detect this error during processing?
A. Hash Total
B. Check Digit
C. Limit Check
D. Financial Batch Total
3. Which of the following are not Application Controls?
A. Numerical Sequence Check
B. Access Security
C. Manual follow-up of Exception Reports
D. Chart of Accounts
4. Which of the following ensures completeness and accuracy of accumulated data?
A. Processing Control Procedures
B. Data File Control Procedures
C. Output Controls
D. Application Controls
113
5. An integrated test facility is considered a useful audit tool because it:

A. Is a cost-efficient approach to auditing Application Controls.
B. Enables the financial and IS Auditors to integrate their audit tests.
C. Compares processing output with independently calculated data.
D. Provides the IS Auditor with a tool to analyze a large range of information.

1. B is the correct answer. It may check the validity and concurrency of the job code.
Option A is used for checking the integrity of the data. Option C is used for keeping
input up to a certain limit and option D is a figure calculated by the system, adding the
values in one of the fields in a segment. This field is called the control totals key figure
field.
2 B is the correct answer. It checks the transposition of the digits. Option A is used for
checking the integrity of the data. Option C is used for keeping input up to a certain limit
and option D is used to check the integrity of all records.
3. B is the correct answer. Access Security is not part of application domain. However
options A, C and D are part of the Application Controls.
4. A is the correct answer. Processing controls ensure the completeness and accuracy of
accumulated data, for example, editing and run-to-run totals. Option B data file control
procedures ensure that only authorized processing occurs to stored data, for example,
transaction logs. Option C output controls ensure that data delivered to users will be
presented, formatted and delivered in a consistent and secure manner, for example,
using report distribution. Option D "Application Controls" is a general term comprising
all kinds of controls used in an application.
5. C is the correct answer. Integrated test facility compares processing output with
independently calculated data. Explanation: An integrated test facility is considered a
useful audit tool because it uses the same programs to compare processing using
independently calculated data. This involves setting up dummy entities on an
application system and processing test or production data against the entity as a means
of verifying processing accuracy. Option A, B and D are not the dimensions of
integrated test facility.
114
References
1. ISA2.0 Module 5
2. Selection of SDLC Models (References Software Development Life Cycle Models and
Methodologies. (2012, 3). Retrieved from melsatar.blog: Software Development Life
Cycle Models and Methodologies)
3. CISA Review Manual 26th Edition.
4. CISA Review Manual 27th Edition.
5. https://www.iso.org/standard/35733.html
6. https://www.iso.org/standard/35747.html
7. https://csrc.nist.gov/csrc/media/publications/conferencepaper/1996/10/22/proceeding-
of-the-19th-nissc-1996/documents/paper001/article.pdf
Annexure
A-1 ISO/IEC 25010:2011 defines:
https://www.iso.org/standard/35733.html
1. A quality in use model is composed of five characteristics (some of which are further
sub-divided into sub-characteristics) that relate to the outcome of interaction when a product is
used in a particular context. This system model is applicable to the complete human-computer
system, including both computer systems in use and software products in use.
2. A product quality model is composed of eight characteristics (which are further
subdivided into sub-characteristics) that relate to static properties of software and dynamic
properties of the computer system. The model is applicable to both computer systems and
software products.
The characteristics defined by both models are relevant to all software products and computer
systems. The characteristics and sub-characteristics provide consistent terminology for
specifying, measuring and evaluating system and software product quality. They also provide
a set of quality characteristics against which stated quality requirements can be compared for
completeness.
Although the scope of the product quality model is intended to be software and computer
systems, many of the characteristics are also relevant to wider systems and services.
ISO 25010 has eight product quality characteristics (in contrast to ISO 9126's six), and 31
sub-characteristics.
 "Functionality" is renamed "Functional Suitability". "Functional Completeness" is added
as a sub-characteristic, and "Interoperability" and "Security" are moved elsewhere.
"Accuracy" is renamed "Functional Correctness", and "Suitability" is renamed
"Functional Appropriateness".
 "Efficiency" is renamed "Performance Efficiency". "Capacity" is added as a sub-
characteristic.
 "Compatibility" is a new characteristic, with "Co-existence" moved from "Portability" and
"Interoperability" moved from "Functionality".
 "Usability" has new sub-characteristics of "user error protection" and "accessibility"
(used in people with a wide range of characteristics). "Understandability" is renamed
"Appropriateness Recognizability", and "Attractiveness" is renamed "User Interface
Aesthetics".
 "Reliability" has a new sub-characteristic of "Availability" (when required for use).
Annexure
 "Security" is a new characteristic with sub-characteristics of "Confidentiality" (data

accessible only by those authorized), "Integrity" (protection from unauthorized
modification), "Non-repudiation" (actions can be proven to have taken place),
"Accountability" (actions can be traced to who did them), and "Authenticity" (identity can
be proved to be the one claimed).
 "Maintainability" has new sub-characteristics of "Modularity" (changes in one
component have a minimal impact on others) and "Reusability"; "Changeability" and
"Stability" are rolled up into "Modifiability".
 "Portability" has "Co-existence" moved elsewhere.
ISO/IEC 25012:2008
ISO/IEC 25012:2008 defines a general data quality model for data retained in a structured
format within a computer system.
ISO/IEC 25012:2008 can be used to establish data quality requirements, define data quality
measures, or plan and perform data quality evaluations. It could be used, for example,
 To define and evaluate data quality requirements in data production, acquisition and
integration processes,
 To identify data quality assurance criteria, also useful for re-engineering, assessment
and improvement of data,
 To evaluate the compliance of data with legislation and/or requirements.
ISO/IEC 25012:2008 categorizes quality attributes into fifteen characteristics considered by
two points of view: inherent and system dependent. Data quality characteristics will be of
varying importance and priority to different stakeholders.
ISO/IEC 25023:2016
ISO/IEC 25023:2016 defines quality measures for quantitatively evaluating system and
software product quality in terms of characteristics and sub-characteristics defined in ISO/IEC
25010 and is intended to be used together with ISO/IEC 25010.
ISO/IEC 25023:2016 contains the following:
 a basic set of quality measures for each characteristic and sub-characteristic;
 an explanation of how to apply software product and system quality measures.
117
The proposed quality measures are primarily intended to be used for quality assurance and
improvement of system and software products during or post the development life cycle
process.
The main users of ISO/IEC 25023:2016 are people carrying out quality requirement
specification and evaluation activities as part of the following:
 Development: Including requirements analysis, design specification, coding and testing
through acceptance during the life cycle process;
 Quality Management: Systematic examination of the software product or computer
system, for example, when evaluating system or software product quality as part of
quality assurance, quality control and quality certification;
 Supply: A contract with the acquirer for the supply of a system, software product or
software service under the terms of a contract, for example, when validating quality at
qualification test;
 Acquisition: Including product selection and acceptance testing, when acquiring or
procuring a system, software product or software service from a supplier;
 Maintenance: Improvement of the software product or system based on quality
measurement.
118
ISA

(Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 4
Information Systems Operations
and Management
Module - 4
Tel (Direct): +91 120 3045992/961
New Delhi
Background Material
on
Module-4 :
Information Systems Operations and Management

New Delhi
DISCLAIMER
ISBN : 978-81-8441-995-5


Foreword
realignment of profession to leverage the multipliers of digital technology - enhanced
efficiency, scale and speed, effectiveness, agility and giving access to newer markets. In view
of the rapid technological changes, it is imperative for Information System Auditors to adapt,
be innovative in aiding organizations to improve its control environment and strengthen
governance of IT risks. Adoption of emerging technologies will help them to assimilate vast
amount of data and provide value added analysis in the form of data analysis and business
intelligence. Chartered Accountants possess unique blend of systems and process
understanding and expertise in controls and governance, thereby best suited to be the perfect
Information Systems Auditor.
initiatives to disseminate updated knowledge amongst our members and other stakeholders.
In this direction, it is heartening to note that the DAAB is bringing out next version of
“Educational Material” for Post Qualification Course on Information Systems Audit. This
updated and revised Material combines technology, information assurance and information
management expertise that enable Chartered Accountants to be an advisor and handling
assurance assignments.
Robotics Process Automation, etc., have also been introduced to keep members fully abreast.
With focus on increased practical aspects, case studies and lab manuals at appropriate places
this material is a great learning guide for members aspiring to be Information Systems Auditor.
I compliment CA. Manu Agrawal, Chairman, CA. Dayaniwas Sharma, Vice-Chairman and
other members of the Digital Accounting and Assurance Board for generation next material in
digital era by taking up this timely initiative.
I am confident that our members would take benefit of these updated modules of post
qualification course on Information Systems Audit, so as to render their professional
responsibility as Information System Auditor more efficiently and highest standards to achieve
global recognition.

President, ICAI
Place: New Delhi
iv
Preface
challenges, including new competition, new business and service delivery models,
unprecedented transparency, privacy concerns and cyber threats. With a goal to keep
members abreast of impact of emerging technologies, Digital Accounting and Assurance
Board has come out with the updated Post Qualification Course on Information Systems Audit
Modules to equip members with specialised body of knowledge and skill sets so that they
become Information Systems Auditors (ISAs) who are technologically adept and are able to
utilize and leverage technology to provide reasonable assurance that an organization
safeguards it data processing assets, maintains data integrity and achieves system
effectiveness and efficiency. This updated syllabus facilitates high level understanding about
the role and competence of an IS Auditor to analyse, review, evaluate and provide
recommendations on identified control weaknesses in diverse areas of information systems
deployment.
Revised Modules of Post Qualification Course on Information Systems Audit has specific
objective, i.e., “To provide relevant practical knowledge and develop skills for planning and
performing various types of assurance or consulting assignments in the areas of Governance,
Risk management, Security, Controls and Compliance of Information Systems.” The core of
DISA 3.0 lies in inculcating competence to add to service delivery of the members. The
updated course would help the members to apply appropriate strategy, approach,
methodology and techniques for auditing information system and perform IS Assurance and
consulting assignments by using relevant best practices, IS Audit standards, frameworks,
guidelines and procedures.
The updated ISA Course 3.0 has a blend of training and includes e-learning, live case studies
and lab manuals, project work in addition to class room lectures. This updated background
material also includes a DVD which has e-Learning lectures, PPTs, case studies, DEMO
CAAT software, useful checklists and sample audit reports. New Module on “Emerging
Technology and Audit” has been added which covers Information System Assurance and Data
Analytics, Assurance in Block chain Ecosystem, and Embracing Robotic Process Automation
in Assurance Services. In addition to this Artificial Intelligence and Internet of Things (IoT) has
also been inducted in the new modules.
We would like to take this opportunity to place on record our deep appreciation for the efforts
put in by Convener, Dr. Onkar Nath as well as authors and reviewers of the various modules,
viz., CA Anand Prakash Jangid, Mr. N.D. Kundu, Mr. Inder Pal Singh, Mr. Avinash Gokhale,
CA Pranay Kochar, CA Naresh Gandhi, Dr Manish Kumar Srivastava, Dr. Saurabh
Maheshwari, CA Narasimhan Elangovan and CA Atul Kumar Gupta. It would be also
appropriate to express our thanks to all the ISA faculties for giving their inputs/ suggestions for
the implementation of DISA 3.0.
Niranjan Jambusaria, Vice President, ICAI, for their thought leadership and encouragement to
the initiatives of the Board. We would also like to place on record our gratitude for all the
Board members, co-opted members and special invitees for providing their valuable guidance
and support in this initiative of the Board. We also wish to express my sincere appreciation for
CA. Amit Gupta, Secretary, DAAB, Ms. Nishi Saraf, Section Officer for their untiring efforts in
finalization of the updated Modules.
Audit would be of immense help to the members and enable them to enhance service delivery
not only in compliance, consulting and assurance of IT services, but also provide new
professional avenues in the areas of IT Governance, Cyber Security, Information System
Control and assurance services.

vi
Contents
Chapter 1: Information Systems Management 1-16
1.1 Information Systems Management 1
1.2 Information Systems Organization 2
1.3 Information Systems Service Management 3
1.4 Roles and Responsibilities 6
1.5 Human Resource Management 7
1.6 Training and Education 8
1.7 Supply Chain Management (SCM) 9
1.8 Customer Relationship Management (CRM) 10
1.9 Issues and challenges of IS Management 10
1.10 Summary 11
1.11 Questions 12
1.12 Answers and Explanation 14
Chapter 2: Information Systems Operations 17-35
2.1 Information Systems Operations 17
2.2 Management of IS Operations 18
2.3 Asset Management 19
2.4 Change Management 20
2.5 Configuration Management 22
2.6 Version Control 24
2.7 Log Management 25
2.8 User Management 26
2.9 Operations Helpdesk & User Assistance 29
2.10 IS Operations Performance Measurement 31
2.11 Summary 31
2.12 Questions 32
Chapter 3: Software Operations & Management 36-62
3.1 Introduction to Software Infrastructure 36
3.1.1 System Software 36
3.2 Operating System 37
3.3 Application Software 38
3.4 Software Testing 40
3.5 Software Maintenance 42
3.6 DBMS – Database Management System 44
3.7 Network Services 50
3.8 Backup Strategies 54
3.9 Patch Management 57
3.10 Summary 58
3.11 Questions 58
Chapter 4: Incident Response and Management 63-86
4.1 Incident handling and response 63
4.2 Cyber-Security Framework 68
4.2.1 Security Operation Centre 72
4.2.2 Computer Emergency response Team (CERT) 76
4.2.3 Indian Banks - Centre for Analysis of Risks and Threats (IBCART) 78
4.3 SIEM Tools and their utility 79
4.3.1 Deployment of SEIM Tool 79
4.3.2 SEIM Tools Utility 82
4.4 Summary 82
4.5 Questions 83
Chapter 1
Information Systems Management
Learning Objective
All organisations either big or small are using Information systems for their day to day work
and generate lot of data or information. In this chapter, students will see how this information
is used, who is responsible to provide services to various departments of the organisation.
Students will also learn, how this information is used by the different users in the organisation.
Students will study IS Management, IS Service Management, IS policies, Procedures,
Standards and guidelines, Roles & Responsibilities, Human Resource Management practices
for IT, Training and Education and Issues and challenges of IS Management.
1.1 Information Systems Management

A Business organisation can be viewed as a collection of different Business Functions such as
manufacturing, sales & marketing, accounts and finance, purchasing etc. These functions,
now also known as Lines of Business, are collection of various Business Processes. A
Business Process can be further divided into activities and then an activity into tasks.
Information System is nothing but using computer system (of hardware and software) to
automate (either fully or partly) Business Processes, which result in Business Application
Systems. Thus, today’s business is a complex ecosystem of business functions-processes-
application systems, which are partly or fully automated. E.g. Buying on an e-commerce
website has various processes such as procurement from manufacturers, advertising,
providing web site for customers for buying, delivery and billing, post-sales support for
customers etc. These e-commerce processes run with the help of e-commerce application
system as a web site.
With the advent of past 20 to 30 years of Information Technology, we have today’s complex
ecosystem of businesses having Information Technology components such as hardware,
software, networking and telecommunication integrated with Business processes. The
following processes can be identified for today’s Information Technology, which is also a
Business Function.
1. Strategies for an Organization: Businesses use various strategies to compete in the
market. Information Systems support a business to help in formulating the strategies by
providing information when needed.
2. Support Decision Making: Information Systems process data to produce Information.
Today’s Information Systems are capable of processing data leading to information and then
processing information leading to knowledge. This helps in providing a support to take
business decisions. E.g. an e-commerce web site can know from customers’ buying pattern,
which products the customers regularly buy and take decisions about selling strategies
3. Support the Business Process: Information Systems provide support to business
systems by automating business processes within the business function. E.g. account opening
process in a bank is supported with the account opening application module of the Banking
Application
4. Support Operations of an Organization: Operating a Business Application is a cycle
of entering(capturing) data into Business Application System, processing it and producing
output to be taken for further processing or using by humans. This involves many operations
to be performed with the help of Information Systems. E.g. in a manufacturing company data
is entered and processed through various stages of manufacturing on an ERP application.
This involves operations of data entry, processing, producing output, taking backup of data an
so on.
1.2 Information Systems Organisation

Information Systems can be classified(organised) into following 3 main categories :
1. Based on Decision Making – This category is based on hierarchy of decision making
in an organisation. This is given in Figure - 4.1.1. Note that, the transaction processing system
is the base, upon which the two other systems are dependent.
Information System Decisions

Executive Support System Strategic Decisions
Management Information System Tactical Decisions
Transaction Processing System Operational Decisions
Figure 4.1.1
2. Based on Processing Requirement - This category is based on processing
requirement. Again, note that, at the bottom, there is a transactions processing system, which
captures the basic data. This is shown in the diagram 4.1.2
Information System Requirement

Executive Support System Tacit knowledge
Decision Support System Explicit Knowledge
Management Information System Information
Office Support System Basic Data
Transaction Processing System Basic Data
Figure 4.1.2
2
3. Based on Hierarchy Requirement – This category is based upon the hierarchy of

management levels, which is given in Figure -4.1.3
Information System Requirement

Executive Support System Executives
Decision Support System Senior Managers
Management Information System Middle Managers
Transaction Processing System Operators & Workers
Figure 4.1.3
1.3 Information Systems Service Management

Information Technology is a service-oriented industry. It provides various services to a
business organisation with the help of Information Technology infrastructure consisting of
hardware, software systems which process the data. This is known as Service Delivery
provided by IT Function to other functions in the business organisation.
IS Service Management (ISSM) is an implementation, management and delivery of IT services
to ensure that IT services are aligned with business needs and actively support the
organization/company. ISSM is not only related to the availability of the IT infrastructure, but
also related to the use of the infrastructure, so that the quality of IT service delivery becomes
more effective, efficient and more relevant to the organisation.
Note: Many-a-times Information Systems and Information Technology terms are used
interchangeably. Strictly speaking Information systems are business processes in an
organisation. On the other hand, Information Technology is use of today’s computers and
microprocessor-based devices to automate the Information Systems. In this regard, both these
terms are used in this Module interchangeably. Wherever necessary specific term is used.
There are many frameworks that can be used to implement ISSM. One of them is Information
Technology Infrastructure Library (ITIL), the present being version 4. ITIL framework has is a
proven framework which can integrate and align IT service delivery and business objectives. A
business, by using ITIL, can provide realistic, measurable, predictable, and efficient IT service
delivery. The use of ITIL is expected to improve productivity for company, the improved
customer satisfaction, more optimization of budgets, increase in service availability, and
reduction in the impact of risks. ITIL service lifecycle can be described as follows –
1. Service Strategy - Service strategy is the core of the ITIL Service Lifecycle. Service
strategy has the following components –
1.1. Strategy – For providing value to customer for a product or service
3
1.2. Service Portfolio Management – Inventory of services

1.3. Financial management for IT services
1.4. Demand Management
1.5. Business Relationship management
Service strategy provides guidance to all IT service providers to assist them in establishing a
clear service strategy, especially on how to design, develop, and implement service
management, not only as an organizational capability, but also as a strategic asset. The
strategy used should provide sufficient value to the customer and must meet the strategic
objectives of IT service providers. Therefore, it is necessary for IT service providers to
understand the following questions.
(1) What services should be offered?
(2) To whom the services should be offered?
(3) How the internal and external marketplaces for their services should be developed?
(4) What is the potential competition in the marketplace?
(5) How the customers and stakeholders will perceive and measure value, and how this
value will be created?
(6) How the customer will make the decision in selecting the services of various types of
service providers?
(7) How visibility and control over value creation will be achieved through financial
management?
(8) How robust business cases will be created to secure strategic investment in service
assets and service management capabilities?
(9) How the allocation of available resources will be arranged to provide a more optimal
impact on the portfolio of services?
(10) How service performance will be measured?
2. Service Design - Service Design is the design of IT services, processes and other
aspects of the service management efforts. Service design addresses a planned service
solution which interacts with the larger business and technical environments. Service
management systems require to support the services, processes which interact with the
services, technology, and architecture to support the services along with the supply chain
required to support the planned services. The following process are part of the service
design –
1. Design coordination
2. Service catalogue management
4
3. Service-level management
4. Availability management
5. Capacity management
6. IT service continuity management
7. Security management
8. Supplier management
3. Service Transition - ITIL describes Service Transition as, the role of Service Transition
is to deliver services that are required by the business into operational use. This area also
covers various aspects such as managing changes to the Business environment. List of
processes in service transition are as follows -
1. Transition planning and support
2. Change management
3. Service asset and configuration management
4. Release and deployment management
5. Service validation and testing
6. Change evaluation
7. Knowledge management
4. Service Operation - Service Operation aims to provide best practice for achieving the
delivery of agreed levels of services both to end-users and the customers. Service operation is
the part of the lifecycle where the services and value is directly delivered. Also, the monitoring
of problems and balance between service reliability and cost etc are considered. Processes in
the service operation are as follows -
1. Event Management
2. Incident Management
3. Request Fulfilment
4. Access Management
5. Problem Management
Functions in the service operation are as follows -
1. Service Desk
2. Technical Management
5
3. Application Management
4. IT Operations Management
5. Continual Service Improvement - Continual service improvement (CSI), aims to align
and realign IT services to changing business needs. The perspective of CSI on improvement
is, the business perspective of service quality. CSI aims to improve process effectiveness,
efficiency and cost effectiveness of the IT processes through the whole lifecycle. To manage
improvement, CSI should clearly define what should be controlled and measured.
CSI needs upfront planning, training and awareness, ongoing scheduling, roles created,
ownership assigned, and activities identified, to be successful. CSI must be planned and
scheduled as a process with defined activities, inputs, outputs, roles and reporting. CSI
focuses on improvement, tying together service design, service transition, and service
operation, which in turn, help raise the bar of operational excellence for IT.
1.4 Roles & Responsibilities

Every task in an organisation is divided into processes and each process owner has specific
job to perform. A Role is the defined or expected behaviour associated with a particular
position, function or status in an organization. Responsibility is an obligation to satisfactorily
perform or complete a task.
1. User Data - Data which is owned and created by a user. The term user data explains
the position of the data, in the data hierarchy of the organisation.
2. Data Owner - The data owner is a part of senior management who is in charge of a
specific department, such as Finance, HR, IT, Operations. Data Owner is responsible for the
protection, classification, backup strategies and for use of this information.
3. Data Custodian - The data custodian (who owns the responsibility on behalf of other/s)
is responsible for storing, maintaining, backup, provisioning and protecting the data on behalf
of Data Owner.
4. System Owner – Data generated in an organisation has a specific lifecycle in an
organisation. IT equipment needed to cater throughout the lifecycle of data is called a system.
The person who is responsible for design, development, integration, operation and
maintenance of these equipment is called as a System Owner.
5. System Administrator – System administrator is a technical expert who is responsible
for installing, upgrading, patching, supporting and maintaining computer systems and other
computer equipment.
6. Database Administrator – A database administrator is a technical expert who
maintains the database of an organisation and provides all due care and due diligence to
ensure data security and data integrity.
6
7. Network Administrator - A network administrator is a technical expert responsible for

installing, supporting, maintaining and upgrading computer networks. It is the responsibility of
the network administrator to run the computer networks up and running.
8. Process Owner – As we discussed earlier various processes constitute a business. A
process receives input/s from other processes, does a transformation on the said input/s and
yield an output/s. The person who is ultimately responsible for the effective and efficient
working of a process is called the Process Owner. Process owners use six sigma techniques
(process improvement science) for improving performance of a process leading to
improvement of business operations.
9. User Manager – User manager is either independent, part of system administrator team
or system administrator may also hold this role. Systems Administrator manages system users
of an organisation by creating users, editing user’s data, deleting, provisioning and revocation
of access rights etc.
10. Steering Committee – It is a committee formed of different heads of departments to
drive a project or program (not a computer program). Steering committee usually consists of
heads of finance department for funding, HR department for human resources and IT
department for IT systems and data security. Therefore, a steering committee is a senior level
committee which monitors, drives and controls the project or program.
11. Security Manager – Security Manager is responsible for implementing the Information
and Cyber Security for an organization. Organisations frame and implement security policies,
regulations, rules, procedures and norms related to information technology in coordination
with security managers to protect IT systems and user data.
12. CISO – A Chief Information Security Officer (CISO) is a senior-level officer of the
organization, responsible for Information and Cyber Security and data privacy of the
organisation.
13. CIO – Chief information officer (CIO), or Head of IT is responsible for digital initiatives of
the organisation.
14. CTO – Chief Technology Officer – CTO is responsible for Information and
Communication Technologies (infrastructure) of an organisation.
1.5 Human Resource Management

Human Resource Management (HRM) is the management of personnel in an organisation.
People are key resources to an organisation and are only living component among the other
artefacts of the organisation. HRM performs various tasks related to personnel such as,
recruitment, skills up gradation, promotion and retirement. The role of HRM in Information and
Cyber Security is three-fold, as per ISO 27001, and is given below –
7
1. Prior to employment – Background checking of personnel before employment and

defining functional and Information and Cyber Security related terms of employment
2. During employment – Information Security awareness, education and training apart
from functional training. Rewarding or penalising for security breach
3. Termination or change of employment – Information Security related checks during exit
of employees, terms and conditions in respect of Information Security shall continue
after employee exit as well.
1.6 Training & Education

HR provides functional education and training for employees from time to time. Awareness
and training about Information Security is also provided periodically. Employees can be
trained in following different ways:
1. Instructor led Training – Instructor-led training is the traditional type of employee
training which takes pace in a classroom with a trainer in the role of a teacher.
2. E-Learning – E-Learning is a on-demand Computer Based Training (CBT) given
through videos, presentations, tests and various courses.
3. Simulation based training – Simulation training is most often provided through a
computer software or virtual reality device. Generally, this type of training is available for
highly skilled sectors such as, aviation, energy and power. However, now-a-days, computer
simulation training is also available in schools and colleges. In a simulation training, a
computer simulation software depicts topics of the training as various scenarios and a student
can easily learn with the help of the simulated scenarios. e.g. in Banking ATM simulators are
available which graphically can allow a person to withdraw money as if s/he is using a real
ATM machine.
4. Hands on training – Hands-on training may be given as a next step to simulation
training. In this training a student is given actual equipment or system, which can be used to
become familiar.
5. Coaching or mentoring – In coaching or mentoring, a trainer gives personal attention
to students and guides them to enhance their skills. This is like grooming of a student in such
a way that, the student can handle the work independently.
6. Group Discussions and Activities – In a group discussion-based training, a trainer
gives a case study in the group of students and asks them to discuss the case in the group.
The trainer observes the performance of the groups, analyses and guides them of better ways
of solving the case.
7. Role Playing – In Role playing training, a trainer assigns roles to students and by
providing a real-life situation, asks them to perform these roles. Other students and the trainer
8
observe the role played and then discuss, deliberate and learn the subjects.
8. Management Specific Activities – This training is for finding managerial and
leadership qualities, behavioural skills, project management skills in students.
9. Case studies – In this kind of training, a trainer discusses Case studies for problem-
solving. This can be conducted in groups, as mentioned above or the trainer explains the case
and solution to the students.
1.7 Supply Chain Management (SCM)

Supply Chain Management is the management of the entire chain of producing finished foods
from raw materials. It involves managing suppliers or raw materials, equipment, work-force to
the customers of the finished goods.
Information System (IS) of an organisation provides the integration of areas such as Goods
Receipt Notes (GRN), Stores Indents to Production, Delivery Challan, Despatch Slips. It also
helps organisation in logistics arrangements and monitoring & goods tracking till final delivery
to customers. Information Systems brought dramatic changes in the way in which SCM was
managed prior to Information Systems. These are listed below –
i. E-Commerce – buying and selling on through a web site
ii. Electronic Data Interchange (EDI) – Electronic data exchange between suppliers,
purchasers, bankers etc
iii. Barcode Scanning
iv. Data Warehouse
v. Enterprise Resource Planning (ERP)
vi. Internet Technologies
vii. Mobile Communications
viii. Payment Gateways
ix. Fin-Techs – Financial technology services for exchange of financial information
x. Software & Applications
1.8 Customer Relationship Management (CRM)

Organisations can do business because it has customers. Organisations deliver value to its’
customers through products and services. Customer Relationship Management helps in
delivering this value by exacting customer needs regarding quality, price pre and post sales
support etc.
9
In order to satisfy customer needs, Information Systems have done a substantial progress in
CRM. Today, CRM can be provided with web sites, emails, mobile applications and so on.
Information Systems help businesses to track customer orders, create customer profiles, allow
customers to compare products and pricing, maintain customer history and provide other
support services.
There are various IS components of CRM, which dramatically changed today’s businesses
and are listed below –
i. E-Commerce
ii. Data Warehouse
iii. Enterprise Resource Planning (ERP)
v. Internet Technologies
vi. Payment Gateways
vii. Software & Applications
viii. Data Mining
ix. Artificial Intelligence
x. Business Analytics
1.9 Issues and Challenges of Information Systems

Management
Due to diversity of organisations, Information Systems management is a challenging area.
Following list of challenges can be seen –
1. New Technology – It is found that, the technology is changing double fold every year
whereas other business processes are relatively slower to changes. It is therefore necessary
to keep abreast with changing technology and suitably upgrade organisation’s processes. This
is very challenging.
2. Personal Devices – Due to portable and hand-held devices such as tablets and mobile
phones, organisations find it difficult to control the use of such devices even if organisations
provide these devices.
3. Interoperability – New technologies provide the ease of operation and may increase
the productivity, but at the same time imposes lot of challenges of managing interoperability
with existing or legacy systems.
4. User Systems – Users work in an organisation using Desktops, laptops, notebooks,
tablets and smartphones, which are connected to IT infrastructure of the organisation. Security
hazards such as data leakage, through alternative connectivity poses serious challenges to
the organisation.
10
5. Cyber Security Threats – Cyber security threats in an organisation are due to following
reasons -
i. Weak security policies & procedures
ii. Lack of standardisation
iii. Lack of proper controls
iv. Lack of user training and user awareness about security
6. Data Control – Now-a-days, growth in data in an organisation is tremendous. Managing
this data growth poses the following hazards -
i. Data Corruption
ii Data unavailability
iii. Data leakage
iv. Data Theft
v. Data privacy
To overcome these challenges proper cyber security measures such as Data Leakage
Protection (DLP) solutions need to be implemented. Proper data backup and physical controls
are necessary to protect the data.
7. Trained manpower – Continuous changes in technology poses hurdles in getting
trained manpower. Providing training on latest technology for work-force involves heavy costs
and difficulties are also faced in retaining trained work-force.
8. Management Support - Providing senior management support for monitoring and
supervisory responsibilities also poses challenges for organisations.
9. Service Level Agreements – Service level agreement is a measurable agreement
between a service providing vendor and a service availing customer. There are various
challenges that need to be looked into by both the parties such as clear scope of service,
metrics measurement, responsibilities etc.
10. Fourth Party Risk – Outsourced vendors further outsourcing to their vendors is known
as fourth party outsourcing. Such fourth party outsourcing poses risks of data leakage, data
privacy, non-compliance to the regulatory guidelines etc.
1.10 Summary
In this chapter, we discussed about Information Systems Management which involves
application of people, technologies, and procedures collectively to solve business problems.
We also learned that, organisations can be classified based on decision making, hierarchy and
processes.
11
In the Information Service management, we went through IS Service Management (ISSM)

implementation and management of IT services using ITILv4 to ensure that, IT services are
aligned with business needs and actively support organization. We discussed IS policies,
Procedures, Standards and guidelines for secure working on Information Systems. We also
discussed various roles and responsibilities of employees in an organisation for the realisation
for various processes. HRM has a role to play in Information Systems and security matters.
Lastly, we discussed various issues and challenges in Information Systems management.
References
Control Objectives for Information Technology - COBIT 2019
Open Compliance Ethics Group - OCEG
Information Technology Infrastructure Library – ITIL version 4
DISA Manual 2.0
International Standards Organisation - ISO 27001 for Information Security Management
Systems
1.11 Questions
1. Which of the following is a common feature for all the policies?
A. Encryption
B. Standards
C. Acceptable use policy
D. Process
2. Which of the following is not an HRM function?
A. Recruitment
B. Cyber security training
C. Security Policy approval
D. Appraisal
3. Which of the following training an employee can acquire while working on his/her
desk in the office?
A. E-learning
B. Simulator based training
12
C. Instructor led training

D. Hands on training
4. For an unexpected and sudden changes in technology, organisations need to be
A. Innovative
B. Agile
C. Expert
D. Doer
5. Who owns the data in a department?
A. System owner
B. Process owner
C. Data custodian
D. Data owner
6. The GREATEST challenge in outsourcing data processing is
A. Data confidentiality
B. Distance
C. Data integrity
D. Cost
7. Which one of the following combinations of roles should be of GREATEST
concern for the IS auditor?
A. Network administrators are responsible for quality assurance
B. Security administrators are system programmers
C. End users are security administrators for critical applications
D. Systems analysts are database administrators
8. Accountability for the maintenance of appropriate security measures over
information assets resides with:
A. Security administrator
B. Systems administrator
C. Data and systems owners
D. Systems operations group
13
9. The decision-making environment of an operational level manager can be

characterized as:
A. Structured
B. Semi-structured
C. Unstructured
D. None of these
10. Which department is MOST LIKELY to store Personally identifiable information
(PII) data?
A. Management
B. Information System Department
C. Marketing Department
D. Human Resource Department

1. The correct answer is C
An Acceptable use policy is a set of rules applied by the owner, creator or administrator
of a network, website, or service, that restrict the ways in which the network, website or
system may be used and sets guidelines as to how it should be used. It must be abided
by all employees of the organiztion. Choices A, B, and D are not common to all policies.
Approval of the Policy is responsibility of the Governing Board of the organization. All
other options are the functions of the HRM.
3. The correct answer is A
E-learning is a learning environment which uses information and communication
technologies (ICT's) as a platform for teaching and learning activities. Rest of the
trainings require in person attendance and cannot be done from the office desk.
4. The correct answer is B
Agility is the organization's ability to quickly or proactively react to technological
changes. Choices A, C, and D are based on the need of the organization and not
necessarily due to change in technology or the environment in which the organization
operates.
5. The correct answer is D
14
The data owner has the ability to create, edit, modify, share and restrict access to the
data. Data ownership also defines the data owner’s ability to assign, share or surrender
all of these privileges to a third party. The IT Department acts as the Data Custodian,
responsible for the safe custody, transport, storage of the data and implementation of
business rules. System Owner is a person or department having responsibility for the
development, procurement, integration, modification, operation and maintenance,
and/or final disposition of an information system. Process Owner is a person, who is
accountable for the performance of the process and manages the process on a daily
basis.
The main challenge while choosing outsourcing data processing is data confidentiality.
Companies feel comfortable in sharing data, only with employees whom they trust or
who are bounded by the contractual commitments to keep the data undisclosed.
Majority of the outsourcing firms sign a strict non disclosure agreement with the
companies which assures that the data would be kept confidential and any breach on
the agreement would be punishable under the law. Choices B and D are advantages of
outsourcing. Data integrity is the overall completeness, accuracy and consistency of
data. Data integrity although very important but does not pose a greater challenge than
data confidentiality.
When individuals serve multiple roles, this represents a separation of duties problem
and is associated with risk. Security administrators should not be system programmers,
due to the associated rights of both functions. A person with both security and
programming rights could do almost anything on a system. The other combinations of
roles are valid from a separation of duties perspective. Ideally, network administrators
should not be responsible for quality assurance because they could approve their own
work. However, that is not as serious as the combination of security and programming,
which would allow nearly unlimited abuse of privilege. In some distributed
environments, especially with small staffing levels, users may also manage security.
While a database administrator is a very privileged position and it would not be in
conflict with the role of a systems analyst.
Management should ensure that all information assets (data and systems) have an
appointed owner who makes decisions about classification and access rights. System
owners typically delegate day-to-day custodianship to the systems delivery / operations
group and security responsibilities to a security administrator. Owners, however, remain
accountable for the maintenance of appropriate security measures.
15

Operational level manager is the lowest level of manager and engaged in day-to-day
activities, which require detailed information. Hence the decision-making environment is
required to be structured. For administrative and top management, the decision-making
environment is semistructured and unstructed respectively.
Personally, identifiable information (PII) is any information about an individual that can
be used to distinguish or trace an individual's identity, such as name, PAN, Aadhaar
Number, date and place of birth, mother's maiden name, or biometric records. The HRM
System stores PII of all employee data. Choices A, B, C do not store or process
employee personal information, they have operations or transaction data.
16
Chapter 2
Learning Objectives
Operations management represents support for issues faced in day-to-day business.
Information Systems Operations support is the support given to users. In this Chapter,
students shall study topics such as Information Systems Operations, Management of IS
operations, Asset Management, Change Management, Configuration Management, Version
Control, Log Management, User Management, Operations Helpdesk & User Assistance and IS
Operations Performance Measurement
2.1 Information Systems Operations

An operation is a procedure to set forth or produce a desired result. Operations totally depend
on business and its objectives. Information systems Operations, in this regard are –
i. Procurement of IT Systems
ii. Service to the users
iii. Data Management
iv. Server Administration
v. Configuration Management
vi Security Operations
vii. Log Management
viii. Application and Operating System Support
It is worth mentioning here that, IT function should be capable of, to handle the IT operations
and be able to assess the user’s requirements. Seven areas of interest need to be met are -
1. Availability of IT manpower
2. Approved Policies, Standards, procedures and guidelines
3. Mix of Domain and technical Experts
4. Sustained training programs
5. Cyber Security
6. Data Privacy
7. Management support
2.2 Management of IS Operations

Management of IS operations involves managing the operations of Information systems for
Customers, managing IT Infrastructure (e.g. servers) and managing Computing Devices. This
is depicted in Figure – 4.2.1.
IT Infrastructure includes Data Centre operations, protecting Cabling infrastructure (electrical
and network cabling), Telecommunication Network operations including Local Area Network
(LAN), Wide Area Network (WAN), HVAC (Heating, ventilation & air conditioning of Data
Centre), power systems, fire protection systems etc.
Server operations management includes server administration, log management, user access
management, data backup, Operating system management, application management,
database management etc.
User operations includes, providing service to the users, setting up helpdesk for password
reset, email support, internet support, ERP support etc. User operations also include
peripheral support such as support for printers, scanners, modems, wireless devices etc.
Management of these three i.e. IT Infrastructure, Server operations and User operations
provide following interfaces, detailed as follows-
i. IT Infrastructure - Server operations Interface
ii. IT Infrastructure – User operations Interface
iii. Server operations – User Interface
iv. IT Infrastructure – Server operations – User operations Interface
These above-mentioned interfaces, help IT department to properly manage the IT operations
by segregating of these interfaces.
18
IT
Infrastructure
Server User
Operation
Figure 4.2.1: Constitution of IS Operations Management
2.3 Asset Management

Information Technology Infrastructure Library (ITIL), describes IT Asset Management as all
components of the infrastructure and processes necessary for the effective management,
control and protection of the hardware & software IT assets, within an organization, throughout
all stages of their lifecycle.
As the business processes of an organisation change over time, with the changes in internal
and competitive external environment, IT infrastructure also requires to change. Augmentation
of servers with installation of Operating system, Applications, Network infrastructure like
cabling, Ethernet switches, Routers and cyber security equipment such as antivirus, firewall,
IPS/IDS (Intrusion Protection System, Intrusion Detection System) and SIEM (Security
Incident and Event Management System) tools etc are need to be done.
For better monitoring and tracking of IT assets, it is very important for IT head and respective
administrators to continuously scrutinise and supervise, various process requirements in the
organisation. After scrutinising various process requirements, IT department has to take
decisions as given below -
i. Upgrading existing infrastructure
ii. Phase out the legacy hardware or software
iii. Declare and dispose of E-Waste
19
iv. Procurement of new devices and software

v. Licensing of software
vi. Development of software (either in-house or outsourced)
IT asset management methodology – IT assets can be managed through the process of IT
asset management as follows –
i. With concept of Stores (Physcial or virtual)
ii. Tracing system for assets (ee. g. using RFID (Radio Frequency Identification Device or
Network Management System)
iii. Policy for life of the equipment (e.g. for PCs 3 years, network infrastructure 5 years,
cabling 10 years, security equipment 5 years etc)
iv. Concept of check-in and check-out of an asset from asset inventory.
Benefit of IT asset management – The benefits of having IT asset management are many as
detailed follows –
i. Proper risk assessment & management of assets is possible
ii. Proper decision making is possible (e.g. when to dispose of)
iii. Asset tracking, monitoring and control
iv. Dealing with asset lifecycle
v. Accountability for Asset Acquisition
vi. Proper audit is possible
2.4 Change Management

Managing Change is an important aspect of every organisation. With the changing business
environment, it is necessary to either procure new hardware and/or software or make
necessary changes to existing infrastructure for an organisation to continue its operations.
IT department of the organization must be capable of effectively and efficiently handling
changes. It is necessary for the IT department to manage changes with the following criteria -
i. Minimum cost
ii. Minimum business disruptions
iii. Good Quality
Change management process - Change Management is the process (Figure -4.2.2) to
control the deviation from the normal operations at the time of making changes any equipment
or a process. If done correctly, Change Management results in efficient changes, with proper
documentation and continued stability of operations. Change management process is as
20
follows –
1. Request for Change (RFC) – Any change should be initiated through a Request for
Change (RFC). Such request for change shall be done stepwise, with review and monitoring.
Proper request with proper documentation with proper explanation related to what, why, how
and by whom will have an effective Change Management Process.
RF Categorization Test Change
RFC Analysis Change Implement

Advisory Change
Change
Prioritization Change Schedule Review
Figure – 4.2.2: Change Management Process

2. RFC Analysis – Purpose of RFC Analysis is to conduct initial scrutiny of the request,
sent by the initiator, to check feasibility of the request.
3. Change Prioritization – Based on the risk assessment, the change priority among the
change requests is decided. This change priority list(portfolio of changes) is decided based on
cost of change, time required to effect the change and resources needed, based on impact
analysis.
4. Categorize – Change Categorization is performed to categorize changes requested by
different stakeholders in the following way –
i. Type of Change required
ii. Time when it should be done
iii. Cost of Change
iv. Resources needed (e.g. software, manpower)
vi. Process affected
5. Change Advisory Board (CAB) – RFC after analysis, prioritization and categorization
is put forth for approval of Change Advisory Board (CAB). CAB is constituted from personnel
different departments (general heads or seniors), along with IT and finance department. CAB
21
meets regularly for approval or rejection of the changes.

6. Change Schedule – After the approval, the requested change is taken for the actual
change based on the date and time of change. The schedule of change, depends on the
following –
i. Emergency
ii. Urgent (priority basis)
iii. Normal
7. Test Change – After the change is done, it should be tested in a test environment,
before it is applied in the live system. The reasons for the need for such testing are as
following –
i. To know impact of change – e.g. is there a performance degradation?
ii. Compliance – does the change comply with original requirement?
iii. Satisfaction of the change initiator
8. Implementation – After the testing, the changes are implemented on the live system in
the following manner –
i. Immediately
ii. Scheduled based on certain conditions
iii. Partial immediate or scheduled partial based on certain conditions
9. Review – After the implementation, the production environment needs to be put under
observation for monitoring and any adverse effect, due to the applied change. This
observation is done for the following –
i. Logs – they may give important information about situation
ii. System files
iii. Performance of the system
2.5 Configuration Management

Managing configuration of any computing device, software applications, security products,
mobile or tablets, is the operational and physical characteristics as set forth in the operational
and technical documentation of the product. When configuration of a device or software
undergoes changes, a new release or version of the device or software comes into existence.
Configuration management is planning, identifying, and managing the configuration with
proper procedure and controlled changes, so as to maintain authenticity, accountability and
integrity, throughout the life cycle of the hardware, firmware (in-built into hardware) or
22
software.
To make configuration management successful, it is important for the organisation to
implement following practices -
i. Policy, Standards, Procedures and guidelines.
ii. Formation of Change control board
iii. Documentation
iv. Pre-Launch Testing
v. Proper training and skills upgradation of personnel
vi. Timeliness
vii. Clear Scope of Work
viii. Optimisation
Configuration management constraint – The constraints to the Configuration management
are many, some of them are listed below –
i. Non - availability of the skilled Resources or lack of training to IT manpower
ii. Absence of Change control board
iii. Either absence of Policy, procedure and guidelines or non-adherence to them
iv. Poor Quality of the configuration
v. Incomplete, poor or absence of scope of work
vi. Delayed Responses
vii. No pre-launch testing
viii. No fund availability from the organisation
Configuration management process – Configuration management process in an
organisation is generally based on the industry best practice. Adherence to policies,
standards, guidelines and procedures aligns the configuration management process with the
objectives of IT department, which in turn is aligned to the objectives of the organisation.
The configuration management process is explained as follows -
1. Configuration Items (CI) – IT department, along with data owners, identifies the
Configuration Items required to be configured as per the Configuration Management Policy of
the organisation. The following activities are performed by the IT department for the
identification of Configuration Items –
23
i. Device and Software need to be configured

ii. Present versions
iii. Test bed for testing configuration changes
iv. Tools & Techniques
2. Configuration Control (CC) – Configuration control is the term used throughout the
lifecycle of any hardware or software configuration change management. Configuration control
refers to the following –
i. Description of Change/s
ii. Approver authority
iii. Resources, funds and prescribed downtime
iv. Change in Scope of work
v. Quality Assurance
vi. Time frame
3. Configuration Status Accounting (CSA) – Configuration Status Accounting (CSA) is
more about documentation and communication of information in forms of status report, needed
to control and monitor configuration.
Reports of changed configuration may be used for the following –
i. Operations & Maintenance team
ii. Security Operations Centre team
iii. Information about latest version or configuration information
iv. Project or Program Management Team
v. Audit team
vi. Software Developer and Software testing team
4. Configuration Auditing - Configuration auditing is used to provide quality assurance
for the configuration changes done. Auditing satisfies the respective stakeholders about the
required operational, functional and physical characteristics.
5. Locking the Configuration – Once the configuration is finalised, to avoid unauthorised
changes, configuration can be locked.
2.6 Version Control

As discussed earlier, any change in the business environment forces IT team, to change the
24
configuration of software and/or hardware. In some organisations, such changes required may
be very high, e.g. 10 to 15 changes in a week. As discussed earlier, this is effected through a
Change Management process. Due to changes in hardware or software, a different release or
version of the system is coming in existence. If the changes are quite frequent, such as 10 to
15 changes a week, then it is necessary to keep track of the new releases or versions. This is
done through Version Control.
Characteristics and features of a version are –
a. Version number
b. Date
c. Included and excluded features
To track and control the version of a system, IT department uses Version Control System
(VCS). VCS allows IT department, to keep track of version numbers and their release dates.
VCS provides assistance to IT team with following -
i. Repository of the contents
ii. Record of Previous versions
iii. Provide access to older versions
iv. Maintaining logs for accounting and details of changes
Benefits of having a good version control system (VCS) are given below –
1. Remote team coordination in development, is possible
2. Improvement in Scalability (growth of system)
3. Fast, Efficient and reliable
4. Integrity in Version is maintained
5. Improved Accountability
6. Immutability (locking of version)
7. Atomic Transactions (Atomic – lowest possible unit)
2.7 Log Management

A log is a record of the events generated from computer, peripherals, communication
networks, firewall, IPS/IDS, UTMs etc. Logs provide the following details –
i. Date of event
ii. Time of Event
iii. Details of the user responsible for the event
25
iv. Action details of the user

Therefore, logs record all the actions of an event and review of logs can reveal very important
information about the event. Audit logs are detective in nature and are mandatory for some
organisations (e.g. banking sector) as per the Banking regulations. Log management involves
the following activities –
i. Identification of log events to be recorded (all events may not be recorded in logs)
ii. Log collection – collecting events in a log file
iii. Log Aggregation
iv. Storage of aggregated logs
v. Analysis & Reporting
2.8 User Management

User management requires creating a user profile, user account setup, user account
modification, account termination(suspension) and deleting a user profile on the Information
system (IS) of the organisation.
User profile lifecycle is depicted in (Figure – 4.2.3)
User Profile
Deleting User User Account

Profile Management SHWXS
Account Account
Termination Modification
Figure 4.2.3 User Profile Life cycle

i. Creation of User profile – When an employee joins, HR department creates the
26
employee’s user profile. After completing the necessary induction training in the department,
the employee is assigned a role (for job responsibilities) by the head of the department.
To perform the assigned role, the employee is given a computer (desktop or laptop) to work in
the IT department. The employee logs into the system using his/her user ID as per the profile
assigned. E.g. an employee joining as an Officer will be assigned “Officer” role whereas an
employee joining as a “Manager” will be assigned a “Manager” role.
User profile contains following information such as –
a. Name of the user
b. Department
c. Email address
d. Intercom Number or Mobile number
f. Active Directory (Active Directory is a Microsoft product on Windows Server to manage
user and other services permissions and access to network resources)
g. Computer name as per active directory
ii. User Account types –User account types are given below –
a. User account
b. Guest account
c. Super user account
d. Database account
e. Network user account
f. Network Directory account
g. Internet Access account
h. Email account
i. Biometric Access account
j. ERP or other application account
User account information have the following information which is either in clear text or hashed
(Hash – converting clear text into unreadable or scrambled text which cannot be read as a
clear text. This is done by a software based on algorithms such as Secured Hashing Algorithm
1 or 256 – Sha1 or Sha256), due to privacy and security requirements–
a. User name
27
b. password
c. Mobile number
d. Department code
e. Network/Cloud Drive associated with the account
Benefits of User Management - Benefits of creation of user accounts are many, few are
listed below –
1) Improved User Management
2) Improved Access Controls for a user
3) Improved integration of various systems for a user
4) Optimised performance
5) Improved Accountability
6) Improved Authenticity
7) Improved Authorization
8) Helpdesk setup is easier - either online or offline
9) Improved Security
iii. Account Modification – Account modification may be requested by a user to IT
department, through his/her user management. Depending upon the change of role of a user,
transfer of an employee or promotion of an employee changes are required in the account
profile. There are two types of account modification described as follows –
1. By the Administrative – Based on the request received from the user department
administrator, modifies the account for the following information –
a. Department code
b. Authorisation
c. Drive mapping
d. Transfer of account from one office location to another
2. By the User – Based on the organisation’s policy or in some cases, at the discretion of
the user, a user may change certain information related to his/her account as detailed
below –
a. Password
b. Other demographic details such as contact address, mobile phone etc. However,
this may further require to be approved by competent authority
iv. Account termination – A user Account is terminated by the IT department, only when
the request is approved and sent by the Human Resource department and not by the
28
employee’s parent department. Account termination request sent by the Human Resource
department for the employee is based on the following –
a. Termination of the employee
b. Resignation of the employee
c. Employee on Deputation
d. Employee seriously ill and on long medical leave
e. Death of the employee
v. Deleting user profile – A User profile is deleted by the IT department on the request
sent by the Human Resource department. Account termination request may be based on the
following –
a. Termination of the employee
b. Resignation of the employee
c. Death of the employee
2.9 Operation Helpdesk & User Assistance

Help desk is a resource intensive function implemented by the IT department, to support users
for using Information systems. IT department caters to users with various services such as –
a. Email
b. Internet
c. ERP
d. Database Management System
e. Active Directory
f. PC Desktop and Peripherals
g. Software
h. Network
When a user faces any hurdle pertaining to use IS systems, his/her first point of contact is
helpdesk personnel. Help desk personnel can be contacted by the user in the following
manners–
a. Intercom
b. Call Centre
29
c. Email
d. Chatting
e. Video Conferencing
f. Messenger Chatting
g. Physically attending the user
Helpdesk personnel, help the user for various hurdles related to the Information systems and
try to resolve them as given below –
a. Password reset
b. Software related issues
c. Drive related issues
d. Network related issues
e. Database related issues
f. Email related issues
g. Internet related issues
h. Hardware issues such as PC Desktop and Peripherals issue
Effectiveness and efficiency of Helpdesk is important and is based on incident / problem
resolving capacity of helpdesk personnel.
Levels of Help desk support - There are following types of help desk support categories
available, either through a call centre or in-house help desk facility -
Level 0 Helpdesk – Mostly, Level 0 support is automated and self-service type of support,
wherein a user can solve the problem him/herself. Self-services such password/s resetting fall
in this category of help desk.
Level 1 Helpdesk – Level 1 support is given for other basic services such as configuration
changes, troubleshooting. Users can talk to helpdesk personnel related to issues such as
password reset support, email support, internet support, DBMS support, ERP support and
other application or software level support. If helpdesk personnel is unable to resolve the
issue, then the issue is escalated to the next level i.e. Level 2. Level 1 support is considered
as “first aid” support
Level 2 Helpdesk – Level 2 support is provided by supervisory staff of Level 1 personnel, for
escalated issues such as advance troubleshooting and installation of computing devices or
software. Sometimes, users may be given support by taking remote access of user’s systems.
Most of the user’s problems are solved at this level, however, if a user issue cannot be solved
even at this level, then it is escalated to the next level i.e. Level 3.
30
Level 3 Helpdesk – Level 3 support is next level of advanced trouble shooting. If an incident
is not solved and gets elevated to this level, it is considered as a “Problem” and resolution
may require substantial changes to the system. Change management process may be invoked
for this level of support. If the problem of a user is not resolved even at this level, then in such
cases, help is required from the devices manufacturer or system developer. The issue is, then,
escalated to Level 4.
Level 4 Helpdesk – Level 4 support is generally given by the device manufacturer or system
developer. If an issue has come to this level, it may be required to be resolved by launching a
new release or version of the device or product.
2.10 Operations Performance Measurement

Measuring the operational performance is important to any organisation. Metrics are
quantitative measurement for operational performance measurement. Some important
operations performance metrics are as follows –
1. Availability – Availability is the measurement of continued operation of Information
System for a user. Mean Time Between Failure (MTBF) over a period of time is the metrics of
IS system availability. It measures the system performance and serviceability to the users of
an organisation.
2. Incident – Incident is a deviation from the normal operations of an IS system. Any
incident occurred, needs remedial action to restore back the operations of the IS system. The
restoration time of the system, including incident period, is the measure of downtime of the
system.
3. Quality – Quality of an IS System is a measure of the intended performance in intended
time at intended place
4. Productivity – IS system productivity is a measure of rate of doing work of a resource
such as a system or human resource. This needs to be measured in combination of quality.
5. Return on Investment (ROI) – Return on Investment (ROI), measures the gain or loss
generated on an investment relative to the amount of money invested. ROI is usually
expressed as a percentage.
6. Value Creation – If a system provides desired functioning, is cost effective with desired
productivity and quality, then then the system is said to be creating a “value” for it’s users.
Many organisations consider the value creation as an important parameter of progress of the
organisation.
2.11 Summary
In this chapter, we discussed Information system operations and challenges faced by the
31
Information Technology department. We discussed various functions such as, Asset

Management, Change Management, Configuration Management etc. We also discussed,
importance of these functions and effects of lack of proper implementation of these functions.
Effectiveness and efficiency of the Information Technology department is heavily dependent
on these functions and measurement and continual improvement of these functions is
necessary for value creation for an organisation.
References
NIST – National Institute of Standards and Technology - USA
ISACA – Information System Audit and Control Association - USA
ISC2 – The International Information System Security Certification Consortium
DISA manual 2.0
2.12 Questions
1. Why should organizations want to manage logs?
A. To be informed when something unusual happens involving a system or
application
B. To be able to do take action in response to a security event
C. To keep a record of all the responses to security events
D. All of the above
2. When implementing a log management program, it's BEST to start with:
A. Technology from a trusted vendor
B. The same program and process that organizations with similar business are
using
C. List of top-three vendors from a published report
D. A careful review of the organization's log management and reporting needs
3. The security principle of least privilege is:
A. The practice of limiting permissions to the minimal level that will allow users to
perform their jobs.
B. The practice of increasing permissions to a level that will allow users to perform
their jobs and those of their supervisor.
C. The practice of limiting permissions to a level that will allow users to perform their
jobs and those of their immediate colleagues.
32
D. The practice of increasing permissions to a level that will allow users to use the
cloud services of their choice in order to get their jobs done more quickly.
4. Why does privilege creep pose a security risk?
A. Users privileges don't match their job or role and responsibilities.
B. Because with more privileges there are more responsibilities.
C. Users have more privileges than they need and may use them to perform actions
outside of their job description.
D. Auditors may question about a mismatch between an individual's responsibilities
and their privileges and access rights.
5. Software Configuration management is the discipline for systematically
controlling
A. Changes due to the evolution of work products as the project progresses
B. The changes required due to defects being found which are to be fixed
C. Changes necessary due to change in requirements
D. All of the above
6. Which of the following is the top priority that, companies planning to implement
an asset management system should examine?
A. The visual appeal of websites, internal search pages and marketing collateral
B. Number of videos, audio files and other multimedia assets available
C. Specific data needs and the business problems to be solved
D. All of the above
7. Self-service assistance to users provided by help-desk such as resetting
passwords etc. is considered which level of assistance?
A. Level 4
B. Level 0
C. Level 2
D. Level 1
8. During development of a software system, which of the following will be used to
maintain software integrity?
A. Configuration Management
33
B. Version Control
C. Change Management
D. None of the above
9. Who of the following would approve or reject major changes in configuration?
A. Management
B. Change control board
C. User
D. System Administrator
10. A transaction in a database management system should be atomic in nature. An
Atomic Transaction is:
A. Transaction should be submitted by a user
B. Transaction should be either completed or not completed at all
C. Transaction should fail
D. Transaction can be in-between fail and complete

Log management systems provide insight into a variety of incidents / issues with
systems and devices, as well as being a compliance requirement under many
regulations. For all of the above reasons, log management is a necessity for enterprise
security.
Without understanding what logging capabilities, the organization has (or doesn't have)
and what information is needed from those logs, it's impossible to implement an
effective log management program. Choice A, B and C may help in selection of the
vendor but are not the starting points.
The principle of least privilege is the practice of limiting access rights for users to the
bare minimum permissions they need to perform their work. The users are granted
permission to read, write or execute only the files or resources they need to do their
jobs, or restricting access rights for applications, systems, processes and devices to
only those permissions required to perform authorized activities. Enforcing least
privilege plays a key role in limiting (containing) the damage that malicious users may
34
cause. Choice B, C and D do not indicate the principle of least privilege.

Auditors certainly will question if they find that users have greater privileges than they
need to perform their jobs, but the real risk is that a disgruntled user could abuse their
elevated privileges, so C is the right answer and not A, B and D.
Software Configuration Management is defined as a process to systematically manage,
organize, and control the changes in the software programs, documents, codes, and
other entities during the Software Development Life Cycle. Any change in the software
configuration Items will affect the final product. Therefore, changes to configuration
items need to be controlled and managed. Hence all the options are important.
Asset Management is a process used to keep track of the equipment and inventory vital
to day-to-day operation of the business. Asset management requirements should be
aligned with the business objectives. Choice A and B may assist in selection of an
appropriate system based on the needs of the organization but are not top priority
requirements.
Level 0, because it is self-service. Choice A, C and D are those, where help desk
operator would help the user.
Version Control. Choice A and cCare steps before version control
Projects receive multiple change requests and these must be evaluated by the change
control board. A change control board is a group of individuals responsible for reviewing
and analyzing change requests and recommending or making decisions on requested
changes to the baselined work. Poor change control can significantly impact the project
in terms of scope, cost, time, risk, and benefits. Choice A, C and D do not have
authority to approve or reject major changes.
Atomicity is either a complete transaction or a failed transaction. It does not permit
transient stage or partially complete transactions. Choice A, C and D are not correct.
35
Chapter 3
Software Operations & Management
Learning Objectives
In this chapter, students will learn about importance and functions of System Software,
operating system, application software, data and database management system. Students will
also learn about testing of software, what is meant by network services, what is meant by
(software) patch management and about backup system.
Basic understanding of all these systems and services is introduced, so that, as an IS Auditor,
a student will not find difficulties in their application in conducting audits.
3.1 Introduction to Software Infrastructure

3.1.1 System Software
System software is a set of computer programs that act as interface between hardware and
users. System software is installed on a hardware so that other software and applications can
run on the hardware. Operating System of a computer is also a class of system software.
Refer Figure – 4.3.1 depicts layers of different software as installed on a computer.
System Software Interfacing – Functions of a System Software can be given as follows –
i. User – Application Software Interface – Application Software is the one which is used
by a user – e.g. Tally. However, underlying this Application Software, is the System Software.
Thus, System Software acts as an interface between user and the Application Software which
the user is using. There are five main types of user interfaces -
— Command Line Interpreter (CLI) where user can type a text command
— Graphical User Interface (GUI) e.g. in Windows wherein a user can visually issue
commands
System
Software
User
Hardware
Application
Software
Figure 4.3.1: Layers of Software between users and hardware

ii. Application Software – System Software Interface – Application software is a type of
software which is used by an enduser for solving specific business purpose. The application
software needs to be installed on the System software such as operating system (OS). E.g.
Tally is an Application Software.
System Software provides an Application Programming Interface (API) to the Application
Software, by using which application software and system software communicate with each
other. API provides interfaces to an application programmer, which are used in programs, so
that, application software is able to “connect” to System Software.
iii. System Software – Hardware Interface - System software is installed on hardware or
on the mother board of a computer system (System Software installed on mother board is
called as a “Firmware”). Firmware commands and controls CPU (Central Processing Unit) and
memory of the system. Other System Software (which is installed on hard disk) organises,
commands, controls and coordinates the activities of both hardware and application software.
Various hardware peripherals like printers, scanners, USB hard drives, USB pen drives,
photocopiers etc. are able to connect to operating system through system software using
device driver software. This device driver software is also a system software, which drives the
associated device.
3.2 Operating System

An operating system (OS) is a set of programs that control the execution of application
37
programs and act as an intermediary between a user of a computer and the computer
hardware. OS is a type of system software, that manages computer hardware as well as
providing an environment for application programs to run. Examples of operating system (OS)
are as follows Windows, Unix, Linux, iOS etc
The objectives of OS are as follows -
 Process Management (Processor Management)
 Memory Management
 File Management
 I/O-System Management
 Secondary storage Management
 Networking
 Protection System
 Command-Interpreter System or GUI
3.3 Application Software

Application software is what a user wants to use for day-to-day activities in an organisation.
When a user starts a computer system, operating system is loaded in RAM and it gives the
user access through Command Line Interpreter (e.g. Unix, Linus) or GUI. User should have a
user ID and password created in Operating System. User, then, proceeds to start (by double
clicking) Application Software, in which s/he wants to work, e.g. Tally. All the commands
issued in application software are given to the underlying operating system, which completes
the command on underlying hardware.
In the figure 4.3.2 it is depicted that, various kinds of application software such as E-mail,
Internet, MS office, ERP and tally, are installed on the operating system and through
application program interface (API), all are communicating with underlying operating system
(OS). Operating system (OS) is capable of running any application software for command and
data.
Types of Application Software

Types of application software, depending upon it’s functions and how it has been acquired,
are as follows –
a. Packaged Software – technical use - Sometimes this is referred to as Middle-ware
 Transaction servers – e.g. MTS, COM+
38
 Message queuing software

 Databases – e.g. SQL Server, Oracle
 Readymade web development platforms – e.g. IBM’s Web-sphere, Microsoft
BizTalk, Joomla, Microsoft Sharepoint
b. Packaged Software – Commerce – This type is generally used for routine office work
of typing, calculations, etc.
 MS Office, Open Office – for word processing, spreadsheet, presentations etc
 Office collaboration software e.g. workflow etc
c. Communication Software – Communication software is used by a user to
communicate with others. Examples are Internet browser, Email software, chat software
etc.
d. Engineering Software – Engineering software such as Computer Aided Design (CAD),
Computer Aided Manufacturing (CAM) etc which are used in Engineering.
Email Internet
OS
MS OFFICE
ERP
Tally
Figure 4.3.2: Application Software
39
e. Knowledge Software – Knowledge Management software to provide information

processing such as Knowledge Management System (KMS), Expert System and
Simulation Software etc.
3.4 Software Testing

To check the functionality of the software after the development, organisations conduct
software testing. A team of software testers in an organisation, who perform software testing
rigorously within a stipulated time-frame and generate defaults report for software
development team. Software developers do not test their own programs (apart from Unit
Testing). Other than the functionality, a Software Tester may also check the following –
a. Whether Software meets Scope of work as per specifications
b. Security related testing
c. Check design of the software
d. Check the performance of the software under specified conditions
e. To identify errors or defects for early correction
h. Check any deviations from specifications
Software testing types

Software testing types are as follows –
1. Manual Testing: In this type, a Software Tester, tests the software by manually
entering data, processing and checking the output generated. The tester performs these tests
on a test site by preparing test cases and test data. Results of the test are documented and
undesired functioning is informed to developers (e.g. defects, bugs, invalid cases etc)
2. Automation Testing: In this type, a Software Tester uses a Test Software and submits
test cases and test data to the software to be tested. Automation tools such as Selenium, HP-
UFT and Ranorex etc. are available, to test a software. Automated testing is generally used
for modern web-based systems and where manual testing is cumbersome.
3. Hybrid Testing: In this type of testing, both manual and automated testing is carried
out. Human perspective is tested during manual testing whereas automated testing tests
manually cumbersome tests e.g. performance testing with large data.
Software testing approaches

Software testing approaches are as follows –
1. White Box Testing: In this approach, a tester, who is knowledgeable about internal
working of the software, performs the testing. The tester may perform Black Box testing to
40
start with, but since s/he is knowledgeable about internal working of the software, proceeds to
White Box testing.
2. Black Box Testing: Black box testing is a functional testing. It means that, tester does
not know the internal structure of the software. Tester submits input to the software and
expects specified output. S/he does not look “through” the software.
3. Grey Box Testing: In Grey box testing, tester is partially knowledgeable about the
internal structure of the software. S/he, therefore, performs both Black Box and to some extent
White Box (not fully) testing.
Software testing Levels

Software testing levels, depending upon the development and subsequently testing (depicted
in figure 4.3.3) are as follows –
1. Unit Testing: Each program(unit) is tested in this type of testing. This is generally
performed by the developer him/herself.
2. Integration/Interface Testing: Individual program does not work in a stand-alone
manner. It gets integrated or interfaced with other program/s. Interface or integration testing is
testing programs which have been combined. Integration testing has three approaches
described as follows –
a. Top Down Approach - Top level programs are tested first drilling to down-level
programs
b. Bottom Up Approach – Down level programs are tested first, drilling up to top level
programs
c. Sandwich Approach – Tester may start at top or bottom level and depending on
situation move downward or upward
3. System Testing: System testing, as the name suggests, is testing of a completed
system or module. System testing is generally for technical performance, volume of data etc.
Unit Integration System UAT

Testing Testing Testing
Figure 4.3.3: Levels of Testing

4. User Acceptance Testing (UAT): The user department, for which the software is
developed, is given the software on a test site for user-level testing. User is the best person
who knows various situations in business and day-to-day working.
41
3.5 Software Maintenance

Software maintenance is any changes done to a software after it is in operation. Software
maintenance is very important for an organisation. Business is not static and therefore
software support it is also not static. Business changes with time to cater to new challenges,
new laws, regulations, technology, personnel etc. Therefore, software also needs to be
changed or maintained so as to suit new business needs.
Software maintenance is required due to following reasons -
1. Error corrections surfaced during day-to-day operations
2. Alteration of Features and Functionalities
3. Deletion of Features and Functionalities
4. Software performance Optimization
5. Security patches updation
Categories of maintenance
Software has various category of maintenance. Following are the categories of software
maintenance –
1. Preventive Maintenance: Preventive maintenance is a proactive approach. Software
developer may do preventive maintenance since they know design and/or programming level
shortcomings.
2. Corrective Maintenance: Corrective maintenance is reactive approach. When a defect
or error arises in working of a software, corrective measure is taken by making changes to
program/s. User department may face a down time in some situations.
3. Adaptive Maintenance: Adaptability I making software suitable for new environment,
especially, upgraded hardware and operating system. Software adapts to new environment
due to this type of maintenance activity.
4. Perfective Maintenance: Here again, it may be a proactive approach. Software
developers on their own may keep on changing the software and releasing new versions for
betterment of functionality and security. The following changes may be done as a perfective
maintenance –
a. Making alteration for betterment
b. Fast processing
c. Addition of features,
42
d. Portability
e. Scalability
f. Agile
g. Well documentation
i. Security enhancement
Software Maintenance Process

Software Maintenance process, with detail step are as follows –
1. Scope of Maintenance: It is better to collect and understand software maintenance
requirements. The purpose of software maintenance may be preventive, corrective, adaptive
and perfective.
2. Plan of the Maintenance: User department along with IT department(in-house or
outsourced) make a proposal for the maintenance activity. In this step, business impact of
change, cost, time and resources needed are discussed and planned. Testing requirements
are also specified in the plan.
3. Software Maintenance: Before the activity of software maintenance, all respective
stakeholders are informed about the maintenance schedule and expected window of
downtime. As per the plan and proposal, software maintenance must be done within the
specified time, cost and resources. Any delay or scope creep (additional scope) makes
software maintenance activity unproductive to the organisation.
4. Software testing: After maintenance is done software testing is performed.
5. Go-Live: After successful maintenance and subsequently testing, the software is made
“Go live” and available for user department and various stakeholders for day-to-day use.
Challenges of Maintenance
Organisations usually face the following challenges of software maintenance –
1. Job Change: Due to high manpower turnover in software industry, software
maintenance may become difficult, since the set of programmers who originally developed the
software may not be available and new developers may take time to understand work done by
original developers.
2. Structure of the software: Software development is not a yet stable and structured
similar to other industry (e.g. engineering, chemicals etc). This poses hurdles in maintenance
because developed programs may be person(programmer)-dependent.
3. Understanding of Scope of Work: If requirements gathering (of software) is not done
43
correctly and in an atomic (lowest possible level) manner with users, then software may not
work as desired. Users start adding even some basic missing functionality features during
maintenance phase. This poses problems in software maintenance. Software baselining
should be done along with user department to avoid such situations.
4. Scalability issue: Scalability of a software is it’s adaptability to growing requirements
of business. It may be expected that, the software should be capable to expanding business
and technical situations. E.g. faster or enhanced hardware
3.6 DBMS - Database Management System

Before DBMS, developers were required to deal with individual file in which data is stored. It
was necessary to programmatically process data in these files. This was cumbersome, time
consuming and error-prone. Program-data independence was not achieved. Technological
progress in the area of software development led to Database Management System. Database
Management System is discussed below.
Data – Data is facts and figures about a situation. E.g. customer depositing money in a bank
account. Here, customer details (account number, name etc), amount of money are the data
items. This data needs to be processed with a program (processing instructions) to get
meaningful information.
Database - Database is a collection of data organised in such a way that, processing on the
data is much easier. interrelated database stores users’ data, developers’ programs such as
queries, reporting programs etc. There are different types of database management systems
such as hierarchical, network, relational and object oriented. Out of these, currently, relational
database management system RDBMS is most widely used.
Relational Database Management System – RDBMS stores users’ data in tables of rows
and columns. The tables can be related to each other with the help of common column/s.
Therefore, it is called as “relational”. Different components of a RDBMS are: system data
tables, user data tables, data input forms or web pages, queries, reports etc. Database
Management System or DBMS can be depicted in simple diagram as shown in Figure - 4.3.4
Some famous relational database management systems are Microsoft’s Structured Query
Language or MS-SQL, MySQL, Oracle DB Management, and PostgreSQL etc.
Characteristics of RDBMS – A modern RDBMS has the following characteristics –
1. Entity – An Entity may be a place, person, object, event or a concept. Entity has
attribute/s. e.g. Person entity – employee, student, patient etc. Place entity – State, region,
branch etc. Object entity - Machine, Building, Automobile etc. Event entity - Sale, Registration,
Renewal etc. Concept entity - Account, Course, Work Centre, Desk etc.
44
User Application User Application User Application
DBMS
Database
Data Data Data
Figure – 4.3.4
2. Schema – Schema is the organisation of data in a database. Schema is also the design
of a database. Schema is of 3 types as follows –
i. Physical Schema – The design of data stored in the database on a secondary storage
is called as Physical Schema.
ii. Conceptual Schema – Conceptual schema is the logical design of the database into
rows and columns. This conceptual schema is is mapped to the physical schema. This
schema is used by database designers, DBAs and programmers in software
development.
iii. External Schema – External schema is how a user views the database at user level.
This schema is used to interact with the users.
3. Tables − Database Management System uses table (Refer figure – 4.3.5) to arrange
data of the database. Tables are also called relations. Table has rows and column. Each row
represents a record, while each column represents field or attribute. Each record in the table
has a definitive attribute and that is called tuple.
45
4. Relation – In RDBMS, relation is shown through one or more tables.

5. Metadata – Metadata in RDBMS is data about data. It is similar to index of a book. e.g.
In Fig 4.3.5, Student is a metadata and “Ajinkya” is data. Student column may have column
length of 40 characters. Thus, metadata specifies how data is organised.
Roleno Student Semester_1 Semester_2 Columns
1 Ajinkya 49 50 Rows
2 Aadu 47 50
Tuple
3 Cherry 42 45
Figure -4.3.5
6. Keys – In an RDBMS, a Primary Key is column/s which can uniquely identify a
record(tuple) in a database table. In figure - 4.3.5, attribute student cannot have uniqueness –
there may be more than one Ajinkya. Therefore, we need an additional column as Roleno,
which can be unique and becomes a Primary Key. help a DBMS user to uniquely identify
Ajinkya with his marks. Similarly, refer Fig 4.3.6. Can you identify the Primary Key?
.Employee No Employee Name Designation
7322 Aadu GM
5899 Shini GM
7254 Ajinkya ED
8944 Ajinkya ED
Employee No Salary Age

7322 15000 45
5899 17500 52
7254 20000 42
8944 18750 49
Figure -4.3.6
46
Important rules about a primary key are –

i. No two rows have the same primary key. Primary key should be unique
ii. Primary key cannot be null
iii. If a link (referential link) is established referring to a primary key, in that case, primary
key cannot be deleted or modified.
b. Foreign Key – Foreign key is a column in a table which is the primary key of another
table. This is for a “Referential Integrity” between the two tables. See Fig 4.3.6-a wherein,
Employee Table and Department Table have referential integrity. Dept_Code column in
Employee Table is the “foreign key” because it is the “primary key” of Department Table. Note
that, employee number 7322 – Aadu and employee number 8944 – Ajinkya have the same
department code 01 and therefore both are in HR dept.
Employee_No Employee_Name Dept_Code

7322 Aadu 01
5899 Shini 02
7254 Ajinkya 03
8944 Ajinkya 01
Dept_Code Dept_Name
01 Human Resources
02 Accounts
03 Marketing
04 Purchase
Figure -4.3.6-a
7. Isolation of data and application – Data isolation is possible in an RDBMS because
the conceptual(logical) schema cannot be seen by database designer or DBA or programmer.
It is internally mapped to physical schema by RDBMS software.
8. Normalization – Normalisation Normalisation is a record-design technique developed
by Dr Codd to avoid certain design anomalies. It is a process of breaking down a table into
more tables until the other columns in the table are dependent only on the key/s columns of
the table.
47
9. Transaction - A transaction is a unit of work done on a database. E.g. selecting a

record from a database table is a “Select” transaction. Inserting a record in a table is an
“Insert” transaction.
10. ACID Properties − A transaction in a database should be designed in such a way that,
it satisfies ACID property. A is Atomicity, C is Consistency, I is Isolation and D is Durability.
This means that, when a programmer or DBA defines a transaction (such as Insert or Update),
it should be defined in such a way that it will satisfy ACID. i.e. the transaction will be atomic
(not divisible further), when completed it will keep the database in consistent state, it will be
isolated while it is executing and it will be written on a persistent(permanent) storage such as
secondary storage. ACID property is explained in detail below -
i. Atomicity – as Atomicity means “Either a transaction is completed or not done at all”.
e.g. each business transaction has one or more debit and one or more credit
Transaction should be defined in such a way that both the debit/s and credit/s are
completed or none takes place.
ii. Consistency – A database must be always in consistent state. If a transaction is done
on a database, this consistent state should not be changed after the transaction is over.
Therefore, transaction should be defined in such a way that it leaves the database in
consistent state.
iii. Isolation – RDBMS supports transactions of many users at the same time. Therefore, a
transaction should be defined in such a way that, another transaction does not have
effect on any other transaction.
iv. Durability – Durability in RDBMS is about the longevity of the transactions. It means
that, when a transaction is committed i.e. completed and saved, it is written to the
persistent storage, which is secordary storage or hard disk.
11. Data Integrity – Data Integrity in RDBMS can be maintained by programming various
constraints applied to data which is entered or processed in RDBMS. e.g. a “check” constraint
on age column can be set to 18 to 60 years, thereby allowing a user to enter data within this
range only.
12. Multiuser and Concurrent Access – Many users are working simultaneously on an
RDBMS via application software. Therefore, many transactions are hitting RDBMS
simultaneously or concurrently. Concurrency controls (such as ACID transactions) need to be
ensured so that, transactions are properly updated in database tables.
13. DBMS views – RDBMS allows developers to create views of the database tables.
Developers ensure name dependent, content dependent and context dependent controls
through views. E.g. a payroll clerk will be shown only employee details about salary but
appraisal details will be hidden, whereas appraisal clerk will not be able to see salary but will
be able to see appraisal details. This is done by using views.
48
14. Security − RDBMS provides various ways, through which security can be ensured.
These are –
i. Multiple views – for access controls or restricting access of user only to specific
columns
ii. Key Reference – uniqueness and referential integrity
iii. ACID Test – for ensuring using transactions in correct manner
iv. Data Integrity
Other related security controls which are important are given below –
i. Strong and Multifactor authentication
ii. Segregation of web server and RDBMS server
iii. Encrypted data in database
iv. Use of Web application Firewall to restrict some attacks which are targeted at RDBMS
v. Patching of RDBMS application regularly
vi Audit logging of RDBMS
Structured Query Language (SQL) – Structured Query Language or SQL is a programming
language of RDBM.S.
Programmers use SQL and embed them in application programs. SQL commands work on
RDBMS and can insert, update or delete record/s in RDBMS tables. Data can be fetched with
the help of “Select” command. There are 3 components of SQL or RDBMS programming
language. They are – Data Definition Language - DDL, Data Control Language DCL, Data
Manipulation (i.e. changing data in official manner) Language – DML. E.g.
DDL – Create table, Drop table, Alter table
DCL – Grant access or Revoke access
DML – 4 commands Insert, Update, Delete, Select records in a table
Sequential Query Language (SQL)

Front End | Back end Database
Figure 4.3.7
49
SQL is widely accepted and the most popular due to the following advantages −
System Architecture – So far, we have discussed various components of a system. Let us
see how they are linked to each other in today’s Information Technology.
User is connected to web site which runs on a web server. This is known as front-end of the
system. It is also known as Presentation Tier or Public facing tier.
Web server is connected to an Application Server. This is known as Business Tier or Logic
Tier. Application server processes users’ requests by taking input/s and data from database.
Application Server is connected to a Database Server (generally, RDBMS), which stores all
the data of users and even temporary data.
Thus, today’s systems are 3-tier architecture system, unlike past trend of single tier or 2 tier
architecture, as shown in the following Fig. Some bigger organisations may use additional
tiers such as Transaction servers, message queuing servers etc, which are in between tiers.
Therefore, sometimes, it is referred to as n-tier architecture.
Presentation Tier
Application Tier
Database Tier
Figure – 4.3.8
3.7 Network Services

A computer network is defined as interconnected computers. Interconnected computers can
communicate to each other, can share resources such as printers, files etc. There are
following types of Computer networks –
i. Local Area Network (LAN) – connected computers in a room or a building
ii. Wide Area Network (WAN) – connected computers in different geographic areas.
Requires services of a network service provider.
50
iii. Metropolitan Area Network (MAN) – Network of computers in a metropolitan area such
as a city
iv. Personal Area Network (PAN) – network of computers of a personal workspace
v. Storage area Network (SAN) – For storing large amount of data
vi. Virtual Private Network (VPN)
Network Services - The Defence Advanced Research Projects Agency (DARPA) of USA
designed and proposed Transmission Control Protocol/Internet Protocol. Open Standard
Interconnect OSI of International Standards Organisation (ISO) is also another conceptual
protocol which was proposed. TCP/IP protocol is given in the following. (Figure – 4.3.9)
Application Layer
Transport Layer
Internet Layer
Link Layer
Figure – 4.3.9
A user who is using an Application Software, submits his/her data to be sent to another
connected computer. This data is taken and broken down into packets by the Application
Layer of TCP/IP and moved downward through other layers, packet by packet.
Application layer packets are taken by Transport Layer (TCP) and are sent to the next layer
which is IP. TCP layer assures data delivery to the final receiver by taking acknowledgement
of each data packet.
Internet Layer (IP and other routing protocol) provides a correct path to the packets by routing
them through network of devices such as switches, routers, servers etc. This is done by
51
sending data packets to next device’s IP address. However, before it packets can be sent to
next device, IP gives the data packets to the Link Layer.
Finally, the Link layer comes into picture when packets are sent on the wire. Link layer
converts the packets into bits and puts them on wire (copper wire or fibre optic etc) or through
air, by using Ethernet protocol.
When packets finally reach the destination, they are assembled back into data and are given
to the application software of the final receiver. The packets go through reverse journey from
Link Layer to IP to TCP and then to Application Layer.
Some known network services in an organisation are –
1. Internet Services – Most of the organisations provide Internet services to their users
through their web sites. The Internet setup in an organisation can be depicted as in the figure
4.3.10.
Internet Server ISP
Network Address
User Translation (NAT)
on Private Public
LAN Address Address Router
Figure 4.3.10
Internet service in homes is usually through a broadband network. Service provider provides a
broadband router and we can connect our devices (such as PCs, laptops, mobile phones) to
Internet. In organisations, however, service provider provides leased telephone lines or MPLS
(Multi Protocol Label Switching) lines through organisation users connect to Internet or
application servers.
2. DNS service – When Internet was new, users were connecting t a web site by typing
web site’s IP address in the browser. E.g. http://9.9.9.9. However, as Internet grew, it was
difficult for users to remember IP addresses. Therefore, a DNS (Domain System Service)
server was introduced, which stores in a database, name of all web sites and their respective
IP addresses. When a user types a URL (Uniform Resource Locator) – e.g.
http://anywebsite.com, then DNS server provides the IP address of the website and then
browser connects to that IP address.
52
3. An E-mail service – Organisations reserve a domain name/s to launch a web site. This
reservation of domain name and actually hosting a web site is generally done through a
service provider. The Internet service provider also provides a domain for e-mail service.
Organisations can take multiple e-mail domains and reserve specific domains for specific
purpose. Employee are given a common domain, as per e-mail policy of the organisation.
Email server is needs to be setup with smtp (Simple Mail Transfer Protocol) service for
outgoing mails. IMAP (Internet Message Access Protocol) or POP3(Post Office Protocol
version 3) can be used for incoming emails. Refer Figure - 4.3.11.
POP3
Internet
IMAP
SMTP
Server
Webmail
Figure - 4.3.11
Users connect to email server and access their email through a client software such as
Outlook.
i. POP3 Client – POP3 client is Post Office Protocol used to receive incoming emails. In
the POP3, when a user connects through a client software (such as Outlook) to mail
server, the incoming mails are downloaded from the server. In this protocol, all the
emails, once downloaded are deleted from the server.
ii. IMAP – IMAP client is based on Internet Message Access protocol. It is also used for
incoming mails. Similar to POP3, a user connects through a client software to email
server and downloads incoming mails. However, in this protocol, mails are retained on
the server, even after they are downloaded.
iii. Webmail – Webmail is for the email access over the internet browser.
4. Web service – Organisations can establish integration of web application with another
organisation. This is done through launching a web service with the help of API (Application
Programming Interface). E.g. an aggregator for booking airline or railway reservation,
establishes connectivity to all airlines and railway’s web sites through web services and API.
Customers can connect to aggregator’s web site and book tickets rather than going to
individual web site of airlines.
5. Directory Services – When organisations need to control all the desktops, laptops or
other computing devices, resources and provide proper authentication and security, they
53
implement directory services. Microsoft Active Directory, Sun Microsystem’s iPlanet Directory
services and Novell’s eDirectory, are some popular solutions available for such controlled
access.
6. Print services – Print server runs print service to make a pool of network printers
installed in the organisation. Print server allows authenticated users to connect, either by the
print server itself or get authenticated by directory services.
Print server installation enables an organisation to enforce printing policy for controlling
printing to be done on various printers. Print server also provides monitoring of print jobs and
provides statistics related to it.
7. DBMS Service – DBMS or database management services is already discussed in
section 3.6 of this chapter in detail. DBMS provides efficient and smooth process of data
storage and retrieval.
8. Video Conferencing – Many organisations have established video conferencing
facilities to connect and have video meetings for branches, regional offices with head office or
corporate office, with senior management people. Travelling time and cost can be reduced
substantially with the help of well organised video conferencing facility. With increasing
bandwidth facilities, at reducing costs, provided by service providers and improved
telecommunication technologies, video conferencing can be wide spread and can also be
used by small and medium enterprises.
3.8 Backup Strategies

Backup system involves taking backup of data on to different media and storing the media at
other safe separate geographic location/s. In case of need, when the primary data is not
available, the backup data can be restored and used for regular operations in lieu of the
primary data.
Important Backup Considerations

Following important backup considerations should be taken into account before establishing a
backup (& restore) system –
1. Backup Policy – Organisations should establish backup policy for guiding IT
department and users. Backup policy will also enable IT department to manage the entire
backup-restoration system with adequate resources. Policy should also define retention period
of the backup data. After completion of the retention period, data should be destroyed safely
and securely. To implement the policy, management needs to develop backup procedures as
well.
2. What to Backup – It is necessary to decide which data should be backed up. E.g. E-
commerce data, financial data, employee’s data, email data, data of various applications,
54
system logs and system configuration files etc. are critical in nature and need to be backed up
on priority basis.
3. Backup Frequency – How frequently a backup should be taken, also needs to be
defined. E.g. critical data may be backed up every day, every hour or immediately (known as
mirroring of data).
4. Backup Storage Location – Backup should be stored safely and securely preferably at
a separate geographic location. Another copy of the backup can be kept near the primary site,
so that if needed, it can be easily procured.
5. Backup Retention Period – Backup policy decides how long backup/s should be
retained. After the retention period, the backup is either destroyed securely or it is archived
and then destroyed securely.
6. Testing – Backup needs to be tested regularly so that when needed it can be correctly
restored. Organisations setup separate systems for restoring backup data and test it for
correctness of restoration.
7. Training – Not all data will be backed by IT Department. Users may have their
important data stored in their laptops or desktops. It is the user’s responsibility to backup this
data. Therefore, adequate training must be provided to the users about backup policy and
backup system. IT personnel also needs training on backup policy and backup procedures.
8. Tape Control – Many organisations use magnetic tapes for backing up of data. Some
large organisations have very high number of tapes and may require a tape library
management system. This system allows automated tape backup, management and
restoration of data on tapes.
Backup methods
Organisations use special backup software for taking and restoring backup of data. This
software generally provides 4 types of backup methods, which are explained below –
1. A full backup – Any backup strategy should start with a full or normal backup for the
first backup. Full backup backs up all the data selected for backup. Many system
administrators always take full backup of data as it is safer. However, taking full backup all the
time has following drawbacks –
i. Full back up consumes lot of storage on media.
ii. Reduced disk life (due repeated overwriting)
iii. Increased back up cost since many tapes are required
iv. Longer time is required for full back up
v. Inefficient method if there is a very small change in data
55
2. Incremental Backup – Incremental backup is backup of changes only done to the data.
Every incremental backup is stored on the media as a separate data. Following figure
illustrates incremental backup –
To start with, full backup is taken on Monday. On subsequent days, only incremental backup is
taken. Thus, we have, on backup media, 5 copies for each day plus full backup of Monday. If
on next Monday, it is required to restore the backup, we will have to restore all these backups
i.e. full backup plus incremental backup of Tuesday through Saturday. If any of the
incremental backup or full backup is unavailable, we will not be able to restore the backup
Mon Tue Wed Thurs Fri Sat Sun

Full Back Incremental Incremental Incremental Incremental Incremental Full +
up Incremental
(M+Tu+W+Th+F+S)
Figure - 4.3.12
Incremental backup is the fastest of all the backup methods.
3. Differential Backup – In Differential backup, backup is taken of all the changes
happened after the last full backup. It requires more time than incremental backup but less
time than full backup. Differential backup example is given in figure – 4.3.13.
Mon Tue Wed Thurs Fri Sat Sun

Full Back Differential Differential Differential Differential Differential Full +
up Differential
(M+S)
Figure 4.3.13
Notice that, to start with, on Monday full backup is taken. On each subsequent day, a
differential backup is taken. Unlike incremental backup, differential backup adds all previous
backups while taking current backup. Thus, on Saturday, Tuesday to Saturday’s backup is
taken on the media. If backup needs to be restored, first full backup and last differential
backup will be required.
56
4. Virtual Full Backups – This type of backup is a synchronised backup, wherein first
time a full backup is taken and subsequently whenever change takes place, the backup is
synchronised for the changes.
3.9 Patch Management

A software patch is changes to existing application software, operating system or any other
computer software to improve it for functionality, security, usability etc.
Patch management is part of software maintenance involving the following –
i. Acquiring the patch from vendor or vendor approved agency
ii. Testing the patch on a test site
iii. Installing the patch
iv. Reporting about the updation
v. Audit of patch
We shall se the detail of each in patch management process.
Patch management characteristics

Patch management should have the following characteristics –
1. Sound Policy and Procedure – Organisations should have a Patch Management
Policy for all types of software used in the organisation.
2. Patch Scanner: Patch scanning software help to find out missing patches and generate
a report for review, by IT team. Based on this report, IT team can decide about installing the
patches.
3. Efficient Patch Deployment: Patches need to be tested in a test environment before
they can be applied on production site/s. Patching desktops and laptops can be done
efficiently through Active Directory.
4. Review & Report: Reports provide a comparison between patch scanner report and
patch testing report. Review of these reports indicate benefits of patches installed.
Benefit of Patching
Patching helps achieving following benefits -
1. Risk Mitigation – Patching mitigates security risks related to viruses, Trojans, and
other security flaws which were inadvertently present in the software. Software developers are
continuously improving their software for functionality, security, bugs removal etc.
57
2. Compliances to Standards - Updating software latest patches with is now becoming a

compliance requirement, since more and more organisations are vulnerable to modern
security hazards.
3. Software Integrity – Patch management ensures integrity of the installed software or
operating systems.
4. System Productivity: Patch management improves productivity of a system, since it
may incorporate new technology features.
5. With Latest Features: Patch management improves usage of new features which are
provided by software developers.
3.10 Summary
In this chapter, we discussed various types of software such as system software, application
software and operating systems and their interfaces.
We also discussed importance of software testing and different types of testing which are
used in organisations.
We discussed about Database Management System (DBMS), especially most commonly used
RDBMS RDBMS is an important backbone of every computer system and we looked into a few
details about RDBMS such as schemas, SQL commands etc.
We then discussed today’s networking and linkage between users and software systems.
In the end, we discussed about backup and patch management systems and their importance
to organisations.
References
ISC2 - The International Information System Security Certification Consortium
ISO 22301:2012 - Business Continuity Standard
NIST – National Institute of Standards and Technology - USA
ISACA – Information System Audit and Control Association - USA
DISA Manual 2.0
3.11 Questions
1. The main focus of acceptance testing is
A. Ensuring that the system is acceptable to management
B. Accepting errors & bugs in the system
58
C. Ensuring that the system is acceptable to users

D. Ensuring that the system is acceptable to auditors
2. Which of the following test would be carried out when, individual software
modules are combined together as a group?
A. Integration testing
B. Unit testing
C. System testing
D. White box testing
3. Which of the following should be reviewed to provide assurance of the database
referential integrity
A. Field definition
B. Master table definition
C. Composite keys
D. Foreign key structure
4. When evaluating the effectiveness and adequacy of a preventive computer
maintenance program, which of the following would be considered to be MOST
helpful to an IS Auditor?
A. A system downtime log
B. Vendors' reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule
5. In a relational DBMS a record refers to which of the following
A. Tuple
B. Rows
C. Column
D. Transaction
6. Which of the following will ensure that a column in one table will have a valid
value or shall be “null” in another table’s column?
A. Primary key
B. Secondary key
59
C. SQL
D. Foreign key
7. Database normalization is
A. Data redundancy optimization
B. Data logging and accountability
C. Streamlining data process
D. Deleting temporary files
8. Which of the following is NOT a property of database transactions?
A. Consistency
B. Atomicity
C. Insulation
D. Durability
9. After discovering a security vulnerability in a third-party application that
interfaces with several external systems, a patch is applied to a significant
number of modules. Which of the following tests should an IS auditor
recommend?
A. Stress
B. Black box
C. Interface
D. System
10. An organization has recently installed a security patch, which crashed the
production server. To minimize the probability of this occurring again, an IS
auditor should:
A. Apply the patch according to the patch's release notes.
B. Ensure that a good change management process is in place.
C. Thoroughly test the patch before sending it to production.
D. Approve the patch after doing a risk assessment.

60
Acceptance testing is a testing technique performed to determine whether or not the

software system has met the requirement specifications. The main purpose of this test
is to evaluate the system's compliance with the business requirements and verify if it is
has met the required criteria for delivery to end users. Choices A, B and D are not the
focus of acceptance testing.
Integration testing is a level of software testing where individual units are combined and
tested as a group. The purpose of this level of testing is to expose faults in the
interaction between integrated units. Option B is module testing, while C is complete
system testing and Option D is testing of internal logic as well.
Referential integrity in a relational database refers to consistency between linked tables.
Referential integrity is usually enforced by the combination of a primary key and a
foreign key. For referential integrity to hold, any field in a table that is declared a foreign
key should contain only values from a parent table’s primary key. Option A Field
definitions describe the layout of the table, but are not directly related to referential
integrity. Option B Master table definition describes the structure of the database, but is
not directly related to referential integrity. Option C Composite keys describe how the
keys are created, but are not directly related to referential integrity.
A system downtime log provides information regarding the effectiveness and adequacy
of computer preventive maintenance programs. The log is a detective control, but
because it is validating the effectiveness of the maintenance program, it is validating a
preventive control. Option B Vendor’s reliability figures are not an effective measure of
a preventive maintenance program. Option C Reviewing the log is a good detective
control to ensure that maintenance is being done; however, only the system downtime
will indicate whether the preventive maintenance is actually working well. Option D A
schedule is a good control to ensure that maintenance is scheduled and that no items
are missed in the maintenance schedule; however, it is not a guarantee that the work is
actually being done.
Tuple. Record is called tuple. Choice B, C and D does not represent a record. Choice B
is many rows and not a single row.
Foreign key. Primary key does not represent relation, it is the same key in another table
and represents relation with table where it is the primary key.
61

Normalization is a database design technique that organizes tables in a manner that
reduces redundancy and dependency of data. Normalization divides larger tables into
smaller tables and links them using relationships. The purpose of Normalization is to
eliminate redundant (useless) data and ensure data is stored logically. The main idea
with this is that a table should be about a specific topic and only supporting topics
included. By limiting a table to one purpose you reduce the number of duplicate data
contained within your database. This eliminates some issues stemming from database
modifications.
It is isolation not insulation. A transaction in a database should be designed in such a
way that, it satisfies ACID property. A is Atomicity, C is Consistency, I is Isolation and
D is Durability. This means that, when a programmer or DA defines a transaction (such
as Insert or Update), it should be defined in such a way that it will satisfy the ACID test
i.e. the transaction will be atomic (not divisible further), when completed it will keep the
database in consistent state, it will be isolated while it is executing and it will be written
on a persistent (permanent) storage such as secondary storage.
Given the extensiveness of the patch and its interfaces to external systems, system
testing is most appropriate. System testing will test all the functionality and interfaces
between modules. Option A Stress testing relates to capacity and availability and does
not apply in these circumstances. Option B Black box testing would be performed on the
individual modules, but the entire system should be tested because more than one
module was changed. Option C Interface testing would test the interaction with external
systems, but would not validate the performance of the changed system.
10. The correct answer is B.
An IS auditor must review the change management process, including patch
management procedures, and verify that the process has adequate controls and make
suggestions accordingly. The other choices are part of a good change management
process but are not an IS auditor's responsibility.
62
Chapter 4
Incident Response and Management
Learning Objectives
Students will learn about what is a normal working and what is an incident. Incidents may
occur due to natural causes such as earthquake or man-made such as virus, cyber attack etc.
Incident response and management is important so that they can be reduced in future. This
chapter deals only with man-made incidences.
We will learn what is Incident handling & response, how to build an effective Incident response
capability, different phases of building Incident response capability, steps to build each phase
of Incident response capability. Benefits of Incident response capability, Security Operations
Centre, what are SIEM (Security Incident & Event Management) tools, deployment of SIEM
tools and utility of SIEM tools.
4.1 Incident Handling & Response

An Incident is defined as a deviation from normal operation of a process. Normal operations
may be hampered due to a natural cause or a man-made cause. We shall discuss only the
man-made causes in this chapter. There are many incidents such as –
i. Cyber attack by hackers
ii. Breach in cyber security
iii. Attack on National Critical Infrastructure (IT enabled)
iv. Virus or Malware induction
v. Hacking & Advance Persistent threat
vi Misconfiguration of System
vii. Software malfunction
viii. Human error in IT department
The intensity of an incident can be judged by motive and timing of the incident. Human error,
misconfiguration of a system, software malfunction etc are can be considered as the incidents
due to manual errors and omissions during IS operations of the organisation.
However, incidents such as virus, malware, hacking, cyber attacks etc are man-made
purposeful incidents. These are done with a mala fide intention.
Organisations need to prepare themselves for handling and responding to these types of
incidents in an efficient and consistence manner. Organisations need resources, planning and
systematic preparation in this regard. Organisations usually face lot of challenges such as -
1. Identification of IT assets are susceptible to cyber incident.
2. Identification of an incident.
3. Objective Analysis of incidents
4. Need to scan through bulk of Information and logs
5. Criteria for zeroing on an incident
6. Identification of IT assets actually damaged due to incident/s
7. Identification of loss of data
8. Tracing out the Source of incident
9. Brainstorming for Modus Operandi
10. Impact Analysis
11. Forensic Investigation of incident and collecting evidence
12. Fixing the responsibility
Incident Response Process

Incident Response requires proper planning and procedure. The process of Incident response
is shown in Figure – 4.4.1 and is discussed as follows –
1. Prepare – Preparation helps an organisation to recover in a decided time, lowering the
impact of an incident and saving reputation of the organisation. Reputation risk can be
considered one of the highest risks since it may lead to closure of the business.
Preparation can be of the following types –
1A. Administrative Preparation
i. Incident policy, procedures, standards and guidelines should be established
ii. Identification of the IT Assets which are critical to an organisation
iii. Training for incident response team
iv. Awareness for employees
vi. Impact Analysis
vii Knowledge of business
viii. Brand value
64
ix. Political system of the country

x. Laws & Regulations
Preparatio
Documentation Identification
Follow up
Containment
Recovery
Eradication
Figure -4.4.1
1B. Technical Preparation
i. Risk assessment and Risk Management
ii. Data Classification
iii. Assessment of Confidentiality, Integrity and availability of Data
iv. Technology Infrastructure
v. Dependency on certain technology providers, developers etc
vi. Controls
vii. Possible vulnerabilities
viii. Cyber Threats
ix. Cyber security posture
x. Possible source/s of threat/s
65
2. Identification - The organisation should identify an incident and then take action
accordingly. Most organisations usually fail to properly identify incident/s and unnecessarily
engage manpower and other resources.
Challenges in incident identification are –
i. Knowing that incident is happened or happening
ii. Analysis of data (which may be large) associated with the incident
iii. Declaring an incident
iv. Correctly describing details about the incident
With skills, experience, tools and technology, this difficult task of identifying an incident can be
handled by Incident Response Team.
With Technology and other tools (which sometimes are in-built into the cyber security
equipment and software), an Incident Response Team can do the following -
a. Notice any suspicious events. Sometimes, with the help of outsourced support.
b. Alerts are generated by SIEM (Security Incidents & Event Management System), DLP
(Data Leakage Prevention), IPS/IDS (Intrusion Prevention System/ Intrusion Detection
System) and firewall.
c. Generate cyber-security Audit reports
d. Resolve anomalies reported by SOC (Security Operations Centre)
Incidents can be analysed as given below –
i. Time of occurrence of an incident
ii. How was it detected i.e. either by alert or by IT team or observing anomalies etc.
iii. What impact it is going to have on IT asset
iv. Source of this incident
3. Containment – After the identification of an incident and analysing the same, , the next
job of incident response team shall be containment of the impact of the incident. This involves
isolation of the victimised system and not allowing the incident to spread across many
systems. This should be done promptly. Performance of incident response team can be
judged by how quickly an incident is identified and contained by the team.
Containment can be done in one or more of the following ways –
i. Terminating all sessions of users logged in as well as other sessions
ii. Blocking the source of incident
66
iii. Block the Socket (Socket is entry point i.e. Ip address + porttcp) component of incident
iv. Changing of Administrator or root password
4. Eradication – After the containment of incident, another process which is important is
eradication. Even after the containment, the infected system may still be active with malware
and may spread to other systems.
After containment and isolation of the infected system, eradication activities will start,
consisting of –
i. Marking of infected system
ii. Disconnection from the network
iii. Copying logs manually to a USB drive
iv. Malware/Trojan/Bot etc need to be analysed
v. Disable the infected accounts of Users
vi. Disable carrier ports
vii. Collect the evidence
viii. Clean the system
ix. Re-Scan the system
5. Recovery – After eradication process, the next step in incident response is recovery of
systems, data, software and connectivity. In the recovery process incident response team has
to assure that, the system performance shall be normal i.e. no deviation, all the risks are
mitigated with necessary controls such as patching, antivirus updating, optimisation of ports
and services. The following activities are done for the recovery process –
i. Reconnection of the network of the isolated system
ii. All controls restored
iii. Re-Loading Operating system, applications, antivirus
iv. Re-configuring the part of the infected system
v. Infected files/folders need to be replaced
vi. All disabled accounts of users need to be restored
vii. All logs are directed to SOC again
viii. Check the integrity of the system
ix. Scan the system
67
6. Follow up – Follow up after recovery is an important process for necessary due

diligence. Incident response team of the organisation preserves the evidence (with proper
integrity) for the follow up activities such as -
i. Conducting the root cause analysis
ii. Search for the culprit person/s or organisation/s or country/s
iii. Investigation
iv. Legal action, if required
v. Damage control for reputation restoration
vi. Trend analysis of the incident
7. Lessons learnt – Documenting the lessons learnt about the incident is a post-facto
activity. Learnings can be incorporated in the system and security policies, procedures and
guidelines.
8. Documentation – Incidents should be documented with the inputs received, evidences
collected, facts, figures, lessons learnt etc. Documentation also mentions the reports prepared
of the incident response.
Benefits of Incident Management

The following benefits can be highlighted, for Incident Management –
i. Immediate response ensures quick resolution of the incident
ii. Minimising impact of incident/s
iii. Keeping intact the Reputation of the organisation
iv. Avoiding damage to Brand Image
v. Confidence of the investors / stakeholders
vi. Business continuity
4.2 Cyber-Security Framework

Increasing dependence on cyber space, has also increased security hazards for the
businesses using cyber space for initiating all business transactions, including payments via
banks and financial institutions. However, cyber space is not controlled, like physical world
and therefore, cyber hazards have much more ramifications than earlier physical world or
even non-cyber usage of computers (i.e. using computers without Internet).
Therefore, it is becoming necessary for organisations to have a better cyber security and the
starting point is Cyber Security Framework. Frameworks help in common understanding of all
68
concerned. Therefore, many regulators in India, especially banking sector regulator like
Reserve Bank of India (RBI) and Govt of India have initiated providing guidelines for
developing Cyber Security Framework for various organisations.
India’s National Security Policy 2013 - The National Cyber-Security Policy 2013 was
released on July 2, 2013 by the Government of India. Some of the important parts of the policy
are mentioned here from the policy itself.
Policy Objectives
1. To create a secure cyber ecosystem in the country, generate adequate trust &
confidence in IT systems and transactions in cyberspace and thereby enhance adoption
of IT in all sectors of the economy.
2. To create an assurance framework for design of security policies and for promotion and
enabling actions for compliance to global security standards and best practices by way
of conformity assessment (product, process, technology & people).
3. To strengthen the Regulatory framework for ensuring a Secure Cyberspace ecosystem.
4. To enhance and create at National and Sectoral level, a 24 x 7 mechanism for obtaining
strategic information regarding threats to ICT (Information and Communication
Technology) infrastructure, creating scenarios for response, resolution and crisis
management through effective predictive, preventive, protective, response and recovery
actions.
5. To enhance the protection and resilience of Nation's critical information infrastructure by
operating a 24x7 National Critical information Infrastructure Protection Centre (NCIIPC)
and mandating security practices related to the design, acquisition, development, use
and operation of information resources.
6. To develop suitable indigenous security technologies through frontier technology
research, solution-oriented research, proof of concept, pilot development, transition,
diffusion and commercialisation leading to widespread deployment of secure ICT
products / processes in general and specifically for addressing National Security
requirements.
7. To improve visibility of the integrity of ICT products and services by establishing
infrastructure for testing & validation of security of such products.
8. To create a workforce of 500,000 professionals skilled in cyber security in the next 5
years through capacity building, skill development and training.
9. To provide fiscal benefits to businesses for adoption of standard security practices and
processes.
69
10. To enable protection of information while in process, handling, storage & transit so as to
safeguard privacy of citizen's data and for reducing economic losses due to cyber-crime
or data theft.
11. To enable effective prevention, investigation and prosecution of cyber-crime and
enhancement of law enforcement capabilities through appropriate legislative
intervention.
12. To create a culture of cyber security and privacy enabling responsible user behaviour &
actions through an effective communication and promotion strategy.
13. To develop effective public private partnerships and collaborative engagements through
technical and operational cooperation and contribution for enhancing the security of
cyberspace.
14. To enhance global cooperation by promoting shared understanding and leveraging
relationships for furthering the cause of security of cyberspace.
Strategies
1. To designate a National nodal agency to coordinate all matters related to cyber security
in the country, with clearly defined roles & responsibilities.
2. To encourage all organizations, private and public to designate a member of senior
management, as Chief Information Security Officer (CISO), responsible for cyber
security efforts and initiatives.
3. To encourage all organizations to develop information security policies duly integrated
with their business plans and implement such policies as per international best
practices. Such policies should include establishing standards and mechanisms for
secure information flow (while in process, handling, storage & transit), crisis
management plan, proactive security posture assessment and forensically enabled
information infrastructure.
4. To ensure that all organizations earmark a specific budget for implementing cyber
security initiatives and for meeting emergency response arising out of cyber incidents.
5. To provide fiscal schemes and incentives to encourage entities to install, strengthen
and upgrade information infrastructure with respect to cyber security.
6. To prevent occurrence and recurrence of cyber incidents by way of incentives for
technology development, cyber security compliance and proactive actions.
7. To establish a mechanism for sharing information and for identifying and responding to
cyber security incidents and for cooperation in restoration efforts.
8. To encourage entities to adopt guidelines for procurement of trustworthy ICT products
70
and provide for procurement of indigenously manufactured ICT products that have
security implications.
9. To promote adoption of global best practices in information security and compliance
and thereby enhance cyber security posture.
10. To create infrastructure for conformity assessment and certification of compliance to
cyber security best practices, standards and guidelines (Eg. ISO 27001 ISMS
certification, IS system audits, Penetration testing / Vulnerability assessment,
application security testing, web security testing).
11. To enable implementation of global security best practices in formal risk assessment
and risk management processes, business continuity management and cyber crisis
management plan by all entities within Government and in critical sectors, to reduce the
risk of disruption and improve the security posture.
12. To create National level systems, processes, structures and mechanisms to generate
necessary situational scenario of existing and potential cyber security threats and
enable timely information sharing for proactive, preventive and protective actions by
individual entities.
13. To operate a 24x7 National Level Computer Emergency Response Team (CERT-In) to
function as a Nodal Agency for coordination of all efforts for cyber security emergency
response and crisis management. CERT-In will function as an umbrella organization in
enabling creation and operationalization of sectorial CERTs as well as facilitating
communication and coordination actions in dealing with cyber crisis situations.
14. To operationalize 24x7 sectorial CERTs for all coordination and communication actions
within the respective sectors for effective incidence response & resolution and cyber
crisis management.
15. To implement Cyber Crisis Management Plan for dealing with cyber related incidents
impacting critical national processes or endangering public safety and security of the
Nation, by way of well-coordinated, multi-disciplinary approach at the National, Sectoral
as well as entity levels.
16. To conduct and facilitate regular cyber security drills & exercises at National, sectoral
and entity levels to enable assessment of the security posture and level of emergency
preparedness in resisting and dealing with cyber security incidents.
17. To mandate implementation of global security best practices, business continuity
management and cyber crisis management plan for all e-Governance initiatives in the
country, to reduce the risk of disruption and improve the security posture.
18. To encourage wider usage of Public Key Infrastructure (PKI) within Government for
trusted communication and transactions.
71
19. To engage information security professionals / organisations to assist e-Governance

initiatives and ensure conformance to security best practices.
4.2.1 Security Operation Centre (SOC)

A Security Operations Centre (SOC) is developed by an organisation to continuously monitor,
detect, alert and respond to a cyber-security incident using a team of cyber security experts,
deploy cyber security tools and sophisticated countermeasures. A typical SOC is shown in
Figure - 4.4.2
Security Operation Centre (SOC) is a continuous operation and it functions 24x7 to monitor,
detect, alert and respond to all the activities of IS Infrastructure like Servers, Computers,
Databases, applications and network equipment like router, switches, controllers etc.
Security Operations Centre (SOC) operations and performance is based on logs collected,
which are generated by an organisation’s IS Infrastructure such as Servers, Computers,
Databases, applications and network equipment such as routers, switches, controllers etc.
Help of external agencies can also be sought by SOC.
Logs and external cyber intelligence knowledge (e.g.
Cert-in – Cyber Emergency Response Team – India, which is affiliated to worldwide Cert) are
collected and after processing are sent to tools such as Log Analysers, Network Analysers,
Malware Analysers, Forensic Analysers, Cryptosystems and reverse engineering systems for
further analysis.
In the Figure - 4.4.2, IS infrastructure includes PCs/Desktop, Servers, Databases, Applications
and network equipment like router, switches, controllers etc. All these equipments have ability
of generating logs of activities taking place on these equipments.
All the logs (which may be in different details and different formats) are correlated in an SIEM
tool. We shall describe SIEM system in section 4.3 of this chapter.
72
Figure – 4.4.2
A 24x7 monitoring team gets alerts generated by SIEM tool. The monitoring team checks
these alerts, with pre-set criteria for any deviation. If the monitoring team finds alerts qualify as
an incident, then, it declares the alert as an incident. The declared incident is sent to the
incident response team for further action, as mentioned in earlier.
A copy of incidents is also sent to team of investigators, who are “deep diving” in these
incidents. After completion of the investigation, investigators provide inputs to the cyber-
security team of the organisation for further action.
73
SOC Characteristics
A professionally managed SOC must provide real time alerts and data for investigation, to
make organisation’s security posture current and relevant. A good SOC may have the
following the following characteristics -
i. Policy, Standards and Guidelines – Organisation must have a sound policy related to
the SOC and its activities. A good policy provides various suggestive steps for monitoring
teams and investigators.
ii. Top management support – SOC requires top management support and leadership
accountability by the top management. Top management should provide continuous support in
terms of investment, resources and people to the SOC. Top management should have SOC in
board meeting’s agenda. Top management should have a meeting at least once in a Quarter
with CISO (Chief Information Security Officer).
iii. Investment – SOC requires adequate investment, for 24x7 operations and performs
sophisticated security related operations. Investment may be for purchasing equipment,
devices, software etc (Capex) and day-to-day operational expenditure (Opex). Monthly or
yearly subscriptions to external intelligence knowledge-base and AMC cost of the equipment
needs to be considered for budgetary provisions.
iv. People – SOC requires two levels of employees. Level1 may be required in large
numbers working in shifts. They will be monitoring 24x7 with pre-set criteria of deviation to
identify and declare an alert as an incident.
Level 2 is of investigators, who will be doing deep analysis of alerts and incidents to find the
root cause of incidents and provide inputs to the cyber security team. This team should have
specialised skills in analysis and must be kept abreast about current security hazards and
resolution.
v. Process & Procedures – It is very important to have documented proper procedures
and guidelines for speedy identification and resolution of cyber security incidents. Processes
and procedures will be for start to end for Cyber Security Incident Management.
vi. Technology – With reference to figure-4.4.2, technology plays important role in
operations of SOC for Log Analysis, Network Analysis, Malware Analysis, Forensic Analysis,
Cryptosystems, signature database updates, packet filtering, packet inspection, data analytics
and reverse engineering systems.
Augmentation of technology is not a straight forward process and it takes the following steps
to acquire correct technology –
1. Preparing specifications for technology by SOC team
2. Discussions with various Vendors
74
3. Getting POCs (Proof of Concept) from vendors

4. Preparation of Feasibility study report) by SOC team
5. Getting quotations/tenders from Vendors based on RFP
6. Initiating procurement process
8. Finalising vendor
9. PO (Purchase order) to vendor and getting confirmation
10. Signing Contract with vendor
11. Implementation of Technology by SOC team along with vendor experts
12. Training provided by vendor to SOC
Usually it takes about 3 months to acquire a technology for the SOC after floating of RFP.
vii. Environment – Objectives of the SOC must be understood by SOC team, IT team and
cyber security team. Similarly, objectives of the SOC should align with business objectives.
Refer figure 4.4.3
Log
IS SOC
Result
Figure 4.4.3
IS infrastructure, processes, people etc provide inputs to SOC operations, while reporting and
deep analysis by SOC provides valuable inputs to IS infrastructure.
viii. Analytics & Reporting - Today’s SOCs have to handle enormous data and establish
correlations in data so that a security incident can be identified and treated.
SOC can also use data analytics to create insightful metrics and performance measures. It
can use some metrics to facilitate operational improvements internally, while management can
75
use others, to make more informed decisions for balancing the trade-offs between cost and
risks. Thus, a thoughtful metrics and reporting framework can add value beyond mere security
matters, helping business to achieve business objectives with the help of IT and cyber space.
ix. Physical Controls – SOC should also have general physical controls as well as some
specific physical controls. SOC, usually does not share the space with IT department or Data
Centre. SOCs are augmented with a different physical space with no sign boards of the
organisation. All necessary devices, equipment, hardware, software and team members are
not shared with IT department and Data Centre teams for low latency in response and working
in a closed environment.
x. Continuous Improvement – SOC is always under continuous monitoring of the
organisation for the necessary improvements in the following areas
a. Performance – in terms of identification of incidents and their speedy resolution
b. Efficiency – maximum benefits with optimum cost
c. People
d. Tools
e. Technology
f. Budget
Following actions should be taken for continuous improvement of SOC –
1. Periodic assessment of upgrading skills
2. 360-degree feedback of SOC from various stakeholders
3. Lessons learned by SOC team after every incident
4. Augmentation of new technology as per need
5. Budget provisions as needed
6. Top management support
4.2.2 Computer Emergency Response Team (CERT)

A Computer Emergency Response Team (CERT) is a team of experts in an organisation,
industry, state or country, that is used to monitor alerts and declare incidents. CERT is also
termed as Computer Emergency Readiness Team and Computer Security Incident Response
Team (CSIRT).
After a worm hit the USA industry in 1988, the Carnegie Mellon University (CMU), in
association with US government, started a centre in the university premises for management
of cyber incidents. The centre was named as Computer Emergency Response Team –
76
Coordination Centre (CERT-CC). All countries in world should take copyright permission from
CERT-CC to open CERT in their country. For India it is CERT-In
Government of India, also emphasises the importance of cyber-security in the country and has
started CERT-In, which was operational in January 2004. CERT-in handles incidents within
India and reports for further action to main Cert. Every government, non-government, private
establishment should report incidents to CERT-in, so that, country develops a security posture
database and these incidents can be shared with all organisations, not only within India, but to
the entire world through CERT-CC. CERT-In, has been empowered through IT act 2008, for
the incident management in India. The section 70B of the IT Act 2008, is detailed as follows -
70 B Indian Computer Emergency Response Team to serve as national agency for
incident response
(1) The Central Government shall, by notification in the Official Gazette, appoint an agency
of the government to be called the Indian Computer Emergency Response Team.
(2) The Central Government shall provide the agency referred to in sub-section (1) with a
Director General and such other officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the Director General and other
officers and employees shall be such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall serve as the national agency
for performing the following functions in the area of Cyber Security, -
(a) collection, analysis and dissemination of information on cyber incidents (b) forecast
and alerts of cyber security incidents (c) emergency measures for handling cyber
security incidents (d) Coordination of cyber incidents response activities (e) issue
guidelines, advisories, vulnerability notes and white papers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents (f)
such other functions relating to cyber security as may be prescribed
(5) The manner of performing functions and duties of the agency referred to in sub-section
(1) shall be such as may be prescribed.
(6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section
(1) may call for information and give direction to the service providers, intermediaries,
data centres, body corporate and any other person
(7) Any service provider, intermediaries, data centres, body corporate or person who fails
to provide the information called for or comply with the direction under sub-section (6),
shall be punishable with imprisonment for a term which may extend to one year or with
fine which may extend to one lakh rupees or with both.
(8) No Court shall take cognizance of any offence under this section, except on a complaint
made by an officer authorized in this behalf by the agency referred to in sub-section (1)
77
4.2.3 Indian Banks – Centre for Analysis of Risks and Threat (IB-CART)
As discussed above, after CERT-In most of the organisations and financial sector also started
their CERT and started to report incidents to CERT-in. Banking sector CERT is started with
same functioning of USA ISAC (Information Sharing and Analysis Center). Some important
points from IB-CART are given below -
The Reserve Bank of India's Working Group on Information Security, Electronic Banking,
Technology Risk Management and Cyber Frauds states that "there is a need for a system of
information sharing akin to the functions performed by the Financial Services Information
Sharing Agency (FS-ISAC) in the US" and recommended that IDRBT set up a body like the
FS-ISAC that can enable the sharing of security events amongst banks.
Simultaneously, the National Security Council Secretariat also wanted such centres to be set
up in various critical sectors. As banks were well ahead in implementing information security
and IDRBT had already set up a CISO Forum for banks, the task of setting up this body for
information sharing was entrusted to IDRBT.
Accordingly, IDRBT has established the Indian Banks – Centre for Analysis of Risks and
Threats (IB-CART) in March 2014. This is the first such centre for the country and has become
a model for other critical sectors. The key objectives of the IB-CART are:
— To disseminate and foster the sharing of relevant and actionable threat information
among members to ensure the continued public confidence in the banking sector. IB-
CART will share and disseminate information associated with physical and cyber events
(incidents / threats / vulnerabilities) and resolution or solutions associated with the
bank's critical infrastructures and technologies.
— Utilise the sectors' resources (people, process, and technology) to aid the entire sector
with situational awareness and advance warning of new physical and cyber security
events and challenges.
— Enable infrastructure that enables anonymity and security while capturing and
disseminating information.
— Conduct research and intelligence gathering to alert the members of evolving or existing
events
— Support the development of content that is posted to the IB-CART database, advice on
mitigation steps or best practices to members
— Facilitate cross sector information exchange.
Since its establishment, the IB-CART has played a pivotal role in creating a platform to
develop safety nets to contain(limit) cyber-attacks. It has been constantly engaging with the IT
executives of banks to resolve security concerns of the banking sector. The IB-CART team
78
also performs cyber drills regularly to help banks strengthen their incident management
process.
The IB-CART now has more than 90 users from over 60 public, private and foreign banks in
India. The IB-CART advisory council has 9 members with representation from public and
private sector banks and CERT-IN.
4.3 SIEM Tool and their Utility

SIEM is a most important tool and is the core of SOC. SIEM is termed as Security Information
& Event management and performs two major functions Security Information Management
(SIM) and Security Event Management (SEM) in SOC. Refer to figure-4.2.2, where both the
parts are shown separately without mentioning their technical names to make understand. So
as per functionality of the SIEM,
SIEM = SEM + SIM
The Security Event Management (SEM) is used to provide real time monitoring and
notifications to Level 1 manpower in SOC, while the Security Information Management (SIM)
is used to perform correlation, in-depth analysis, storing the analysis files and reporting (Level
2 manpower of SOC), those files based on requirement by the user organisations.
4.3.1 Deployment of SIEM Tool

SIEM tool, as discussed, is an important part of the SOC, and its deployment in the SOC
needs to be planed as per policy, budget and skillsets of the SOC team. Some SOCs have 2
levels of manpower while some other SOCs have more than 2 levels of manpower. Let us go
through some important decision points for the deployment of SIEM in SOC.
i. Scope of Work (SOW) – As we discussed earlier, SIEM is the core of SOC. Thus
scope of the SIEM will be the scope of the SOC also. The scope of work an SOC team would
define in operations, security and compliance. These are explained as -
a. Operation: The SIEM tool is deployed by an organisation to do continuous monitoring,
detecting, alerting and responding to cyber-security incidents, using a team of cyber
security experts, cyber security tools and sophisticated processes. SIEM tool should
enable SOC for continuous operations for 24x7 throughout year.
SIEM should be able to collect logs of all connected devices, equipment of IS
Infrastructure such as Servers, Computers, Database, application and network
equipment like router, switches, controllers, firewalls etc.
Another scope is about number of correlated files to be stored and kind of reports need
to be provided. SIEM tool always carries two sides of its operations viz one side of
79
sizing of devices which it can cater and the other side of providing output such as alerts,
reports and correlated files.
b. Security: Logs provide the information related to all events of the activities performed
by the devices and equipment. The events usually indicate the vulnerability in the
system and possible development of threats. It is very difficult for SOC team to read
logs of thousands, of devices installed in an organisation.
SIEM tool collects logs from all these thousands of devices, arranges them in a
common format, assesses them, correlates them and then develops the security
posture of the IS infrastructure of the organisation. The security posture is provided to
cyber security team of the organisation as a feedback. The cyber security team takes
necessary action by taking corrective and preventive actions.
c. Compliance –SIEM provided auto generated reports related to security posture of an
organisation can be taken up for audits. Auditors should be able use the reports of
SIEM tool. For the compliance purpose auditee must ensure the following, as per SIEM
deployment in the SOC –
a. Asset list maintained in a company vis-a-vis asset that SIEM is monitoring
b. Scope of work
c. Logs and events
d. SOC detail processes
e. Security posture database
f. Reporting
g. Latency in conversion of alert into incident
ii. Use case details – A use case provides details about laid down procedure/s to
interface a device. As discussed, SIEM tool has two interfaces as shown in figure - 4.4.4
SIEM
IS Infrastructure Report
Figure - 4.4.4
The use case for IS infrastructure related to logs and correlation at one side while reports and
investigation etc on the other.
iii. Installation of SIEM – The IS Infrastructure of the organisation is consisting of various
devices, equipment such as Servers, Computers, Databases, applications and network
equipment like routers, switches, controllers etc. These equipment and devices generate logs
80
of their activity. Logs are very important for security. Logs provides the information related to
all events of the activities performed by the devices and equipment.
SIEM has various components which are used to perform various activities like collection of
logs, arrangement of logs in a common format and correlation. Please refer to figure - 4.4.5.
The components of SIEM are as follows -
a. Agents – All the devices in the IS Infrastructure need to be installed with an agent of
SIEM tool. An agent is a software to collect logs from the device and send them to
collector of the SIEM tool. These agents can be configured remotely from centrl SIEM
tool.
Agents only collect those logs for which they are configured. They can also be used to
filter out some events based on pre-set criteria. An agent is supposed to normalise the
logs, so that no redundant information reaches to central SIEM tool. Agents, after
filtering and normalisation send the logs to the collector of SIEM over a secure
encrypted connection.
b. Collectors – Collector application collects logs from the agents and does further
normalisation and any pre-set filtering criteria. SIEM may be a standalone application
separated from the SIEM or an inbuilt feature of the same.
Servers Firewall PCs IPS/IDS
Agents Agent Agent Agent

s s s
Collector
External Intelligence
SIEM Application
Figure-4.4.5
c. SIEM Core – The SIEM core is the logic of the SIEM, which is composed of multiple
software. It collects all the events and logs from the collector and also collects input
81
from the external intelligence from the outside world continuously. SIEM Core does
processing which are under the scope of the SOC for operations, security and
compliance. SIEM core handles the following areas -
1. Risk Assessment for IS infrastructure
2. Correlation of events collected by the collector and external intelligence
3. Any Deviation in normal operations of IS Infrastructure
4. Data Mining & Data Analysis
5. Real-Time Monitoring and alerts
6. Cyber Security posture
7. Correlated data for Forensic & Investigation
8. Reports
4.3.2 SIEM Tools Utility

SIEM tool provides the following advantages to an organisation –
a. Discover vulnerabilities
b. Uncover threats
c. Monitoring
d. Compliance
e. Security profile
f. Internal Intelligence
g. Alerts
h. Reporting
i. Incident Management
j. Forensic Investigation
4.4 Summary
In this chapter, we discussed about cyber security incidents and how to deal with them.
Incident Management needs to be established by organisations to correctly handle cyber
security incidents and reap benefits of cyber space. Senior management should support
security and incidents handling by setting up policies, procedures and giving adequate
resources and training to employees.
We also discussed about how SOC and SIEM can help in handling incidents and taking
82
preventive and corrective actions on them. Whole Cyber world is under threat from various
security hazards, and CERT is taking efforts in successfully tackling these threats and India is
also contributing.
We learned, in brief, operations of SOC and about SIEM tool and how they help in fighiting
security hazards.
References
ISO 27035:2013
CSIRT- CMU
CERT-In
www.rbi.org.in
IT Act 2008
4.5 Questions
1. Basic operation of the SIEM tools, on the logs collected from the devices is
A. Correlating the log
B. Collecting the log
C. Analysing the log
D. Live Correlating the log
2. Which of the following is not a part of SIEM tools?
A. Sensor
B. Collector
C. Agent
D. Log
3. Which one is not the part of SIEM application?
A. Risk assessment
B. Vulnerability Scanning
C. Real time monitoring
D. Normalization
4. How does a SIEM tool handle the issue of Completeness of log?
83
A. Encryption
B. Hashing
C. Digital Signing
D. Time stamping
5. The computer security incident response team (CSIRT) of an organization
publishes detailed descriptions of recent threats. An IS auditor's GREATEST
concern should be that the users may:
A. Use this information to launch attacks
B. Forward the security alert
C. Implement individual solutions
D. Fail to understand the threat
6. The main goal of Security Operation Centre (SOC) is
A. Detect, analyse and report
B. Detect, analyse and respond
C. Collect, analyse and report
D. Collect, analyse and respond
7. What is the primary purpose of an incident management program?
A. Identify and assess incidents
B. Conduct lessons learned sessions
C. Alert key individuals
D. Assign responsibility
8. SOC shall be ineffective without the support of –
A. Risk
B. Budget
C. Top management
D. Quality
9. Phases of an incident management program
A. Prepare, Respond, and follow up
B. Plan, prepare, and respond
84
C. Plan, prepare and follow up

D. Prepare, plan and respond
10. Within an Incident Response Management program, the Containment phase aims
to
A. Block the event
B. Reduce the impact
C. Remove the event
D. Rise the event

Log correlation is about constructing rules that look for sequences and patterns in log
events that are not visible in the individual log sources. The basic function of an SIEM is
to correlate logs online and perform analysis that would otherwise be done by repetitive
human analysis.
SIEM is defined as a complex set of technologies to provide real-time event collection,
monitoring, correlating, and analyzing events across disparate sources, making it easier
to monitor and troubleshoot IT infrastructure in real time. An Agent is third party tool for
supporting devices. Options A, B and D are part of SIEM tools.
Normalization is a database design technique that organizes tables in a manner that
reduces redundancy and dependency of data. Normalization divides larger tables into
smaller tables and links them using relationships. Option D is not part of SIEM
applications.
A privileged user with some knowledge on the internal structure of the SIEM data can
easily delete logs, backdate logs, or modify existing logs. Hashing log files or log entries
and storing the hash on disk for future verification ensuring integrity and completeness
of the logs. For encryption, signing and time stamping you need a well-managed public
key infrastructure (PKI) with secure hardware storage for keys.
An organization's computer security incident response team (CSIRT) should
85
disseminate recent threats, security guidelines and security updates to the users to
assist them in understanding the security risk of errors and omissions. However, this
introduces the risk that the users may use this information to launch attacks, directly or
indirectly. An IS auditor should ensure that the CSIRT is actively involved with users to
assist them in mitigation of risk arising from security failures and to prevent additional
security incidents resulting from the same threat. Option B Forwarding the security alert
is not harmful to the organization. Option C Implementing individual solutions is unlikely
and inefficient, but not a serious risk. Option D Users failing to understand the threat
would not be a serious concern.
A Security Operation Centre (SOC) is a centralized function within an organization
employing people, processes, and technology to continuously monitor and improve an
organization's security posture while preventing, detecting, analyzing, and responding
to security incidents. Reporting is not the part of SOC.
Incident Response Management Program aims to manage the lifecycle of all Incidents
(unplanned interruptions or reductions in quality of IT services). The primary objective of
this program is to identify, assess, analyze, and correct the incidents to prevent a future
re-occurrence and to make available the IT service to users as quickly as possible.
Without clear executive support, a SOC may be ineffective, and its value will not be
realized. Creating an effective SOC requires support to establish a clear mandate for
the SOC and a long-term strategy, and also a strong SOC leader to drive organizational
change and develop a culture of security. The SOC leader shall take care of Risks and
Quality.
Incident response program can be broken down into four broad phases: (1) Preparation;
(2) Detection and Analysis; (3) Containment, Eradication, and Recovery; and (4) Post-
Event Activity. Hence Option A Prepare, Respond, and follow up, are in correct order.
Options B, C and D are incomplete.
When a breach is first discovered, in the containment phase, the Incident Response
team after having gathered the information and gained an understanding of the incident,
will begin to combat the threat by taking actions to prevent further damage, such as
closing ports or blocking IPs. Hence Option B is the correct answer.
86
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
ISA

(Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 5
Protection of Information Assets
Module - 5
Tel (Direct): +91 120 3045992/961
New Delhi
Background Material
on
Module-5 :
Protection of Information Assets

New Delhi
DISCLAIMER
ISBN : 978-81-8441-995-5


Foreword

President, ICAI
Place: New Delhi
iv
Preface
systems deployment.
modules.
3.0.
assurance services.

vi
Contents
Chapter 1: Introduction to Protection of Information Assets ........................................ 1-15
1.1. Introduction ................................................................................................................... 1
1.2. Risk Response .............................................................................................................. 1
1.2.1. Information Security Objectives ........................................................................... 1
1.3. Threat Modelling Tools .................................................................................................. 2
1.3.1. OWASP Model .................................................................................................... 2
1.3.2. DREAD Model ..................................................................................................... 3
1.3.3. STRIDE Model .................................................................................................... 3
1.4. Cyber/ Computer Attacks .............................................................................................. 3
1.5. Information Systems Controls ........................................................................................ 7
1.5.1. Need for IS Controls ............................................................................................ 7
1.5.2. Objectives of Controls ......................................................................................... 8
1.5.3. Internal Controls .................................................................................................. 8
1.5.4. Types of Controls ............................................................................................... 9
1.6. Risk and Control Ownership ........................................................................................ 10
1.7. Periodic Review and Monitoring of Risk and Controls .................................................. 10
1.7.1. Control Assessment .......................................................................................... 10
1.7.2. Control Self-Assessment ................................................................................... 10
1.7.3. Role of IS Auditor in Information Risk Management ........................................... 11
1.8. Summary ..................................................................................................................... 12
1.9. Questions .................................................................................................................... 12
1.10. Answers and Explanations .......................................................................................... 14
Chapter 2: Administrative Controls of Information Assets .......................................... 16-33
2.1 Information Security Management ............................................................................... 16
2.2 Senior Management Commitment & Support ............................................................... 16
2.3 Critical Success Factors to Information Security Management .................................... 17
2.4 Information Security Organization ............................................................................... 17
2.4.1 Segregation of Duties ........................................................................................ 18
2.4.2 Four Eyes (Two Person) Principle ..................................................................... 18
2.4.3 Rotation of Duties ............................................................................................. 19
2.4.4 Key Man Policy ................................................................................................ 19
2.5 Information Security Policies, Procedures, Standards and Guidelines ........................ 19
2.5.1 Components of Information Security Policies ..................................................... 20
2.5.2 Other Common Security Policies ....................................................................... 20
2.5.3 Control Over Policies ......................................................................................... 22
2.5.4 Exceptions to the Policies.................................................................................. 22
2.6 Information Classification ............................................................................................ 22
2.6.1 Benefits from Classifications ............................................................................. 23
2.6.2 Classification Policy .......................................................................................... 23
2.6.3 Classification Schema ....................................................................................... 24
2.7 The Concept of Responsibility in Information Security ................................................ 24
2.7.1 Ownership ......................................................................................................... 24
2.7.2 Custodianship ................................................................................................... 25
2.7.3 Controlling ......................................................................................................... 25
2.7.4 Human Resource Security ................................................................................. 25
2.8 Training and Education................................................................................................ 26
2.9 Implementation of Information Security Policies .......................................................... 27
2.9.1 Increasing Awareness ...................................................................................... 27
2.9.2 Communicating Effectively ................................................................................ 28
2.9.3 Simplify Enforcement ........................................................................................ 28
viii
2.9.4 Integration with Corporate Culture ..................................................................... 29
2.10 Issues and Challenges of Information Security Management ...................................... 29
2.11 Summary ..................................................................................................................... 30
2.12 Questions .................................................................................................................... 30
2.13 Answers and Explanations .......................................................................................... 32
Chapter 3: Physical and Environmental Controls ........................................................ 34-51

3.1 Introduction ................................................................................................................ 34
3.2 Objectives of Physical Security Controls ..................................................................... 34
3.3 Physical Security Threats and Exposures .................................................................... 34
3.3.1 Sources of Physical Security Threats ................................................................ 34
3.3.2 Physical Security Exposures to Assets .............................................................. 35
3.4 Physical Security Control Techniques.......................................................................... 35
3.4.1 Choosing and Designing a Secure Site ............................................................ 35
3.4.2 Security Management ........................................................................................ 36
3.4.3 Emergency Procedures ..................................................................................... 37
3.4.4 Human Resource Controls ................................................................................ 37
3.4.5 Perimeter Security ............................................................................................. 37
3.4.6 Smart Cards ...................................................................................................... 40
3.5 Auditing Physical Security Controls ............................................................................. 40
3.6 Environmental Controls ............................................................................................... 41
3.7 Objectives of Environmental Controls .......................................................................... 42
3.8 Environmental Threats and Exposures ........................................................................ 42
3.8.1 Natural Threads ................................................................................................ 42
3.8.2 Man Made Threats ............................................................................................ 42
3.9 Environmental Control Techniques .............................................................................. 43
3.9.1 Choosing and Designing a Safe Site ................................................................. 43
3.9.2 Facilities Planning ............................................................................................. 43
3.9.3 Emergency Plan ................................................................................................ 44
ix
3.9.4 Maintenance Plan .............................................................................................. 45
3.9.5 Ventilation and Air Conditioning......................................................................... 45
3.9.6 Power Supplies ................................................................................................. 45
3.9.7 Fire Detection and Suppression ........................................................................ 46
3.10 Auditing Environmental Controls ................................................................................. 48
3.11 Summary ..................................................................................................................... 48
3.12 Questions .................................................................................................................... 49
3.13 Answers and Explanation ............................................................................................ 51
Chapter 4: Logical Access Controls.............................................................................. 52-75

4.1 Introduction ................................................................................................................. 52
4.2 Objective of Logical Access Controls ........................................................................... 52
4.3 Paths of Logical Access Controls ................................................................................ 52
4.4 Logical Access Attacks and Exposures ....................................................................... 53
4.5 Access Control Mechanisms........................................................................................ 54
4.5.1 Identification Techniques ................................................................................... 55
4.5.2 Authentication Techniques ................................................................................ 56
4.5.3 Authorization Techniques – Operating System .................................................. 60
4.6 Logical Access Control Techniques ............................................................................. 62
4.6.1 Logical Access Policy & Procedures .................................................................. 62
4.6.2 Network Access Controls .................................................................................. 64
4.6.3 Application Access Controls .............................................................................. 65
4.6.4 Database Access Controls ................................................................................ 65
4.6.5 Operating System Access Controls ................................................................... 66
4.7 Identity and Access Management ................................................................................ 67
4.8 Single Sign-on ............................................................................................................. 68
4.9 Access Controls in Operating Systems ....................................................................... 69
4.10 Audit Trails .................................................................................................................. 69
4.11 Auditing Logical Access Controls ................................................................................ 70
x
4.12 Summary ..................................................................................................................... 72
4.13 Questions .................................................................................................................... 72
4.14 Answers and Explanation ............................................................................................ 74
Chapter 5: Network Security Controls ........................................................................ 76-109

5.1 Introduction ................................................................................................................. 76
5.2 Objective of Network Security Controls........................................................................ 76
5.3 Network Threats and Attacks ....................................................................................... 76
5.4 Current Trends in Attacks ............................................................................................ 83
5.5 Network Security Control Mechanisms ........................................................................ 85
5.5.1 Network Architecture ......................................................................................... 85
5.5.2 Cryptography ..................................................................................................... 86
5.5.3 Remote Access Controls ................................................................................... 93
5.5.4 Malicious Codes ................................................................................................ 94
5.5.5 Firewall ............................................................................................................ 96
5.5.6 Intrusion Detection System ................................................................................ 97
5.6 Wireless Security Control Mechanisms ........................................................................ 98
5.7 Endpoint Security Controls ........................................................................................ 100
5.8 VOIP Security Controls.............................................................................................. 101
5.9 Vulnerability Assessment and Penetration Testing .................................................... 102
5.10 Monitoring Controls ................................................................................................... 104
5.11 Auditing Network Security Controls ........................................................................... 104
5.12 Summary ................................................................................................................... 106
5.13 Questions .................................................................................................................. 106
5.14 Answers and Explanations ........................................................................................ 108
xi
Learning Objectives
This module focuses on different methods for protecting information assets. This primarily
covers following:
 Risk response and definition of controls for protection of information assets
 Essentials of information security management like objectives, processes, policies,
procedures, and compliance.
 Information asset protection based on information classification
 Essentials of Physical and environmental security
 Logical access controls
 Network and related security processes.
 Audit guidelines for information protection controls
Chapter 1
Introduction to Protection of Information
Assets
1.1 Introduction
It has become imperative for today’s organizations to use technology for their business
process. Technology has inherent risks and hence it has to be adequately responded with the
right level of controls. In order to take benefits of technology, organizations must establish
processes for address the associated with technology.
1.2 Risk Response

There are typically four types of risk responses:
1. Avoid: Organization may consider this response by deciding not to use technology for
select business operation.
2. Transfer: Where organizations pass on the responsibility of implementing controls to
another entity. For example, insuring against financial losses with insurance company
by paying suitable premium. Another example could be using outsourcing option,
however in this, organization transfers technological risk but in turn introduces
managerial risks, hence it may be considered as risk sharing.
3. Accept: If the risk assessed is within the risk appetite, management may decide not to
implement control and accept the risk.
4. Mitigate: Where organizations decide to implement controls, sometimes by incurring
additional cost (like delay in process, acquiring tool, adding manpower etc.) so as to
reduce the assessed impact to bring it within acceptable limits. Organizations may
choose to accept remaining risks.
It is possible that organization may select more than one response to manage a risk, for
example, organization may choose to implement control (Mitigate) and insure against
losses/damage (Transfer). Risk mitigation primarily focuses on designing and implementing
controls to prevent incidents due to risk materialization and/or detect when incident happens
of likely to happen and define process to recover from incidence.
1.2.1 Information Security Objectives

The overall objective of information security is to protect the information assets and process
that supports operations of an organization. This requires maintaining confidentiality, integrity
and availability of information system. This is also known as information security triad.
 Confidentiality preserves authorized restrictions on information access and disclosure,

including means for protecting personal privacy and proprietary information.
 Integrity guards against improper information modification or destruction, and includes
ensuring information non-repudiation and authenticity.
 Availability ensures timely and reliable access to and use of information.
1.3 Threat Modeling Tools

Threat modelling is a process by which potential threats, such as structural vulnerabilities or
the absence of appropriate safeguards, can be identified, enumerated, and mitigations can be
prioritized. The purpose of threat modelling is to provide information professionals with a
systematic analysis of what controls or defences need to be included, given the nature of the
system, the probable attacker's profile, the most likely attack vectors, and the assets most
desired by an attacker. Attack vector is a path or means by which an attacker can gain
unauthorized access to a computer or network to deliver a payload or malicious outcome.
Attack vectors enable hackers to exploit system vulnerabilities, including the human element.
1.3.1 OWASP
The Open Web Application Security Project (OWASP) is a non profit foundation that works to
improve the security of software. Through community-led open source software projects,
hundreds of local chapters worldwide, tens of thousands of members, and leading educational
and training conferences, the OWASP Foundation is the source for developers and
technologists to secure the web.
 Tools and Resources
 Community and Networking
 Education & Training
The OWASP Top 10 is a standard awareness document for developers and web application
security. It represents a broad consensus about the most critical security risks to web
applications.
Globally recognized by developers as the first step towards more secure coding.
Companies should adopt this document and start the process of ensuring that their web
applications minimize these risks. Using the OWASP Top 10 is perhaps the most effective first
step towards changing the software development culture within your organization into one that
produces more secure code.
2
Introduction to Protection of Information Assets
1.3.2 DREAD Model

DREAD is part of a system for risk-assessing computer security threats previously used at
Microsoft and currently used by OpenStack and other corporations.
It takes into account the following items:
Categories Description
D Damage potential How many assets can be affected?
R Reproducibility How easily the attack can be reproduced?
E Exploitability How easily the attack can be launched?
A Affected users What is the number of affected users?
D Discoverability How easily the vulnerability can be found?
The DREAD name comes from the initials of the five categories listed above. It was initially
proposed for threat modeling, but it was discovered that the ratings are not very consistent
and are subject to debate. It was out of use at Microsoft by 2008.
When a given threat is assessed using DREAD, each category is given a rating from 1 to 10.
The sum of all ratings for a given issue can be used to prioritize among different issues.
1.3.3 STRIDE Model

The STRIDE model was initially created as part of the process of threat modelling. STRIDE is
a model of threats, used to help reason and find threats to a system. It is used in conjunction
with a model of the target system that can be constructed in parallel. This includes a full
breakdown of processes, data stores, data flows and trust boundaries.
Each following threat is a violation of a desirable property for a system:
Threat Desired Property

S Spoofing Authenticity
T Tampering Integrity
R Repudiation Non-repudiation
I Information disclosure Confidentiality
D Denial of service Availability
E Elevation of privilege Authorization
1.4 Cyber/ Computer Attacks

Following are some of the crime and attacks in information system environment:
3
 Backdoor: A backdoor is a malicious program that listens for commands on a certain

TCP or UDP port. Most backdoors allow an attacker to perform a certain set of actions
on a host, such as acquiring passwords or executing arbitrary commands. Types of
backdoors include zombies (better known as bots), who are installed on a host to cause
it to attack other hosts, and remote administration tools, which are installed on a host to
enable a remote attacker to gain access to the host’s functions and data as needed.
Use of licensed software, patch updates, disabling default users & debugging function
and using anti-malware software are the controls against backdoor.
 Blue Jacking: It is the sending of unsolicited messages over Bluetooth to Bluetooth-
enabled devices such as mobile phones, PDAs or laptop computers, sending a vCard,
which typically contains a message in the name to another Bluetooth-enabled device.
Turning off Bluetooth, selecting hidden mode, and ignoring and/or deleting messages,
can prevent blue jacking.
 Buffer Overflow: A buffer overflow, or buffer overrun, is an anomaly where a program,
while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent
memory locations. This is a special case of the violation of memory safety. Developing
security measures in the code and run-time protection features of most of the operating
systems are controls for buffer overflow.
 Cyber Stalking: It is the use of the Internet or other electronic means to stalk or harass
an individual, group, or organization. It may include false accusations, defamation,
slander and libel. It may also include monitoring, identity theft, threats, vandalism, or
gathering information that may be used to threaten, embarrass or harass. Maintaining
cyber hygiene and avoid disclosing sensitive information are preventive controls.
 Cyber Terrorism: is the use of the Internet to conduct violent acts that result in, or
threaten, loss of life or significant bodily harm, in order to achieve political or ideological
gains through threat or intimidation. Passive defense for this attack is essentially target
hardening.
 Cyber Warfare: It is the use of technology to attack a nation, causing comparable harm
to actual warfare. Limiting employee access to classified information and installing
software updates may help to prevent this attack.
 Data Diddling: Data diddling is the changing of data before or during entry into the
computer system. Examples include forging or counterfeiting documents used for data
entry and exchanging valid disks and tapes with modified replacements. File encryption
or some type of integrity checks such as checksum or message digest may prevent
such attacks.
 Denial of Service: A Denial-of-Service attack (DoS) is an attempt to make a machine
or network unavailable to its intended users. This causes legitimate users not able to
4
get on the network and may even cause the network to crash. Web application firewall
software may help to prevent DOS attack.
 DNS Spoofing: It is a computer hacking attack, whereby data is introduced into a
Domain Name System (DNS) resolver's cache, causing the name server to return an
incorrect IP address, diverting traffic to the attacker's computer (or any other computer).
Keeping resolver private and protected is one of the controls against DNS spoofing.
 Email Spoofing: It is the creation of email messages with a forged sender address.
The core email protocols do not have any mechanism for authentication, making it
common for spam and phishing emails to use such spoofing to mislead or even prank
the recipient about the origin of the message. Configuring reverse proxy may detect e-
mail spoofing in most of the cases.
 Identity Theft: It is the deliberate use of someone else's identity, usually as a method
to gain a financial advantage or obtain credit and other benefits in the other person's
name, and perhaps to the other person's disadvantage or loss. The person whose
identity has been assumed may suffer adverse consequences, especially if they are
held responsible for the perpetrator's actions. Use of strong password, multi factor
authentication, monitoring transactions of the account are some of the preventive
controls.
 Keystroke Logger: A keystroke logger monitors and records keyboard use. Some
require the attacker to retrieve the data from the host, whereas other loggers actively
transfer the data to another host through email, file transfer, or other means. Use of key
encryption software and installing anti malware may prevent this attack.
 Logic Bomb: These are legitimate programs, to which malicious code has been added.
Their destructive action is programmed to “blow up” on occurrence of a logical event
such as time or a logical event as number of users, memory/disk space usage, etc.
Every time the infected program is run, the logic bomb checks external environment to
see whether the condition to trigger the bomb has been met. Anti-malware and use of
application from trusted source may be preventive controls.
 Piggybacking: Unauthorized access to information by using a terminal that is already
logged on with an authorized ID (identification) and left unattended. In this case, idle
session timeout (i.e. disabling session after specific time period) may be a preventive
control.
 Salami Theft: It is a series of minor attacks those together results in a larger attack.
Computers are ideally suited to automating this type of attack. By having proper
segregation of duties and proper control over code, organization may prevent this.
 Sensitive Data Exposure: Many web applications and APIs (Application Program
5
Interface) do not properly protect sensitive data, such as financial, healthcare, and PII
(Personally Identifiable Information). Attackers may steal or modify such weakly
protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data
may be compromised without extra protection, such as encryption at rest or in transit,
and requires special precautions when exchanged with the browser. Data leakage
prevention tools may prevent sensitive data exposure.
 Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The attacker’s
hostile data can trick the interpreter into executing unintended commands or accessing
data without proper authorization. Input validation, security audits and vulnerability,
threat and risk (VTR) assessment may help to prevent injection attacks.
 Trojan: A Trojan horse is a self-contained, no replicating program that, while appearing
to be benign, actually has a hidden malicious purpose. Trojan horses either replace
existing files with malicious versions or add new malicious files to hosts. They often
deliver other attacker tools to hosts. Sound policies and procedures should be in place
and anti-malware software should be installed.
 Virus: A virus self-replicates by inserting copies of itself into host programs or data
files. Viruses are often triggered through user interaction, such as opening a file or
running a program. Sound policies and procedure should be in place and anti-malware
software should be installed. Viruses can be divided into the following two
subcategories:
 Compiled Viruses: A compiled virus is executed by an operating system. Types
of compiled viruses include file infector viruses, which attach themselves to
executable programs; boot sector viruses, which infect the master boot records of
hard drives or the boot sectors of removable media; and multipartite viruses,
which combine the characteristics of file infector and boot sector viruses.
 Interpreted Viruses: Interpreted viruses are executed by an application. Within
this subcategory, macro viruses take advantage of the capabilities of
applications’ macro programming language to infect application documents and
document templates, while scripting viruses infect scripts that are understood by
scripting languages processed by services on the OS.
 Worm: A worm is a self-replicating, self-contained program that usually executes itself
without user intervention. Sound policies and procedure should be in place and anti-
malware software should be installed. Worms are divided into two categories:
 Network Service Worms: A network service worm takes advantage of
vulnerability in a network service to propagate itself and infect other hosts.
6
 Mass Mailing Worms: A mass-mailing worm is similar to an email-borne virus

but is self- contained, rather than infecting an existing file.
 Web Defacement: It is an attack on a website that changes the visual appearance of a
website or a web page. These are typically the work of defacers, who break into a web
server and replace the hosted website with one of their own. Security audits and
vulnerability, threat and risk (VTR) assessment are controls for this attack.
1.5 Information Systems Controls

Control is defined as a mechanism that provides reasonable assurance that business
objective will be achieved and undesired events are prevented, detected or corrected. Control
includes policies, procedures, practices and enterprise structure and activities that ensure the
desired outcome from business process is not affected. Thus, an information system auditing
includes reviewing the implemented system or providing consultation and evaluating the
reliability of operational effectiveness of controls.
1.5.1 Need for Control

Use of information system has become imperative for businesses. Information system has
increased the ability to capture, store, analyse and process tremendous amounts of data and
information by empowering the business decision maker. With the advent of affordable
hardware, technology has become a critical component of business. Today’s dynamic global
enterprises need information integrity, reliability and validity for timely flow of accurate
information throughout the organization. Safeguarding information assets to maintain
confidentiality, integrity and availability to achieve system effectiveness and efficiency is a
significant control process.
The factors influencing an organization for control and audit of the information systems are as
under:
 Organizational Costs of Data Loss.
 Incorrect Decision Making
 Costs of Computer Abuse
 High Costs of Computer Error
 Maintenance of Privacy
 Controlled evolution of computer Use
 Information Systems auditing
 Asset Safeguarding
7
 Data Integrity
 System Effectiveness
 System Efficiency
1.5.2 Objectives of Control

Control objective is defined as “A statement of the desired result or purpose to be achieved by
implementing control procedures in a particular IT process or activity”. Control objectives
serves two main purposes:
 Outline the policies of the organization as laid down by the management.
 A benchmark for evaluating whether control objectives are met.
The objective of controls is to reduce or if possible, eradicate the causes of the exposure to
probable loss. All exposures have causes and are potential losses due to threats exploiting
vulnerability. Some categories of exposures are:
 Errors or omissions in data, procedure, processing, judgment and comparison.
 Improper authorizations and improper accountability with regards to procedures,
processing, judgment and comparison.
 Inefficient activity in procedures, processing and comparison.
Some of the critical control considerations in a computerized environment are:
 Lack of management understanding of IS risks and lack of necessary IS and related
controls.
 Absence or inadequate IS control framework.
 Absence of or weak IS controls.
 Lack of awareness and knowledge of IS risks and controls amongst the business users
and even IT staff.
 Complexity of implementation of controls in distributed computing environments and
extended enterprises.
 Lack of control features or their implementation in a highly technology driven
environments.
 Inappropriate information system implementations or inadequate security functionality in
information system.

The basic purpose of an internal control in an organization is to ensure that the business
8
objectives are achieved and undesired risk events are prevented or detected and corrected.
This is achieved by designing an effective internal control framework, which comprises
policies, procedures, practices, and organizational structure that gives reasonable assurance
to achieve the business objectives. Ultimately, all these policies, procedures etc. are broken
into discrete activities and supporting processes, which can be either manual or automated.
Control is not solely a policy or a procedure, which is performed at a certain point of time;
rather it is an ongoing activity, based on the risk assessment of the organization.
1.5.4 Types of Internal Controls

There are three types of internal controls viz. preventive, detective, or corrective (reactive):
1.5.4.1 Preventive Controls
These controls are designed to create a desired level of resistance and its goal is to prevent
the attack actively. These controls are directly related to the resiliency aspect of the
information systems. Input validation, patching, intrusion prevention system (IPS) are some of
the example of preventive controls.
1.5.4.2 Detective Controls
These controls are designed to build a historical evidence of the events or activities in the
information system environment. These controls are directly related to the reliability aspect of
the information systems and in general passive in nature. Recording audit logs, Hash value,
intrusion detection system (IDS) are some of the example of detective controls.
1.5.4.3 Corrective Controls
These controls are designed to reduce the impact or correct an error once it has been
detected. These controls are directly related to bringing back business operations to normal
and reactive in nature. Load balancing, clustering, failover of data and system, contingency
planning are some of the examples of corrective controls.
The controls rating by an auditor can be:
 Very High- Controls are implemented over a cause of exposure/error type and are
extremely effective.
 High- Controls are implemented over a cause of exposure/error type and are highly
effective.
 Moderate- Controls are implemented over a cause of exposure/error type and are
moderately effective.
 Low-Controls are implemented over a cause of exposure/error type but have low
effectiveness.
 Negligible- Controls are not implemented or do not exist to that cause or exposure or
error type.
9
1.6 Risk and Control Ownership

Each risk should have an owner, and the owner should determine the controls that are
necessary to mitigate the risks. Generally, owner is a person or position within the
organization that has close interests in the processes affected due to risks. The concept of a
direct link between risk and control is important to ensure that all risks have been addressed
through appropriate controls and that all controls are justified by the risks that mandate the
requirements for those controls.
The owner/s of the risk/s also own any control/s associated with those risks and is
accountable for monitoring their effectiveness. In some areas, where there are regulations or
laws that apply to risks, the risk owner may have to prepare standard reports on the status of
risks, any incidents that may have occurred and the level of risks currently faced by the
organization.
1.7 Periodic Review and Monitoring of Risk and Controls

After implementation of the risk responses, management needs to monitor the actual activities
to ensure that the identified risk stays within an acceptable threshold. To ensure that risks are
reviewed and updated organizations must have a process that will ensure the review of risks.
The best processes are:
 The risk assessment exercise may be conducted after predefined period say at least
annually.
 All incidents and lesson learned must be used to review the identified risk
 Change management processes should proactively review the possible risks and
ensure that they are part of organization’s risk register.
 New initiatives and projects must be considered only after risk assessment.
1.7.1 Controls Assessment

The first step in controls assessment is to review the risk register and ensure that associated
risk is responded appropriately. Based on this the auditor shall be able to prioritize the
controls to be tested. The next step is to review control procedure documents with an aim of
identifying suitable ways of measuring the effectiveness of controls.
1.7.2 Control Self-Assessment

Control self-assessment (CSA) is a technique that allows business managers and employees
directly involved in business units, functions or processes to participate in assessing the
organization's risk management and control processes. In case organization has implemented
control self-assessment, the actual testing of the controls is performed by staff whose day-to-
10
day role is within the area of the organization that is being examined as they have the greatest
knowledge of how the processes operate. The two common techniques for performing the
evaluations are:
 Workshops, that may be but do not have to be independently facilitated, involving some
or all staff from the business unit being tested;
 Surveys or questionnaires completed independently by the staff.
On completion of the assessment, each control may be rated based on the responses
received to determine the probability of its failure and the impact if a failure occurred. It is
critical to note that both methods can be used for risk assessment and control design.
1.7.3 Role of IS Auditor in Information Risk Management

The role of auditor with regard to Information Risk Management can be:
1. Facilitator for conducting risk assessment workshops as risk professional and also
guide the process owner of designing of controls.
2. As an Auditor, to provide objective assurance to the board on the effectiveness of an
organization’s Risk Management framework to help ensure that key business risks are
being managed appropriately and the system of internal controls is operating
effectively.
3. As IS auditor, plan the audit cycle according to the perceived risk, i.e. plan for higher
frequency for high-risk business processes areas.
Key roles that an auditor can perform are:
1. To give assurance on risk management process
2. To give assurance that the risks are being evaluated correctly
3. Evaluate Risk Management process
4. Review the management of key risks.
There are activities, which an auditor should not perform, to maintain his
independence:
1. Setting the risk appetite
2. Imposing risk management process
3. Taking decision on risk responses
4. To implement risk response on management’s behalf.
11
1.8 Summary
Information Security is a paramount risk management concern. Information Risk Management
follows information as it is created, distributed, stored, copied, transformed and interacted
throughout its lifecycle. It includes understanding which information is critical to key business
initiatives, such as growth through acquisitions or expanding partnerships, where it exists
across the organization, where the points of vulnerability are, and what events could put the
business at risk. Investments are prioritized based on the amount of risk a given activity
entails relative to the potential business reward, and in keeping with the organization’s
appetite for risk. Once enterprise information has been located and a risk assessment
performed, next step is to implement controls — including policies, technologies, and tools —
to mitigate that risk.
1.9 Questions
1. Which of the following shall BEST help in deciding upon the protection level for
information asset?
A. Location of asset.
B. Impact of risk.
C. Vulnerabilities in asset.
D. Inventory of threats
2. Which of the following is a risk response option?
A. Determine likelihood of threat
B. Determine probability of risk
C. Deciding amount of insurance cover
D. Prepare risk profile report
3. After a Tsunami, a business decides to shift the location of data centre from
coastal area to mid land. Which type of risk response option it has exercised?
A. Accept
B. Avoid
C. Mitigate
D. Transfer
12
4. Organizations capacity to sustain loss due to uncertainty and expressed in

monetary terms is best known as:
A. Risk appetite
B. Risk tolerance
C. Risk acceptance
D. Risk mitigation
5. Main use of maintaining and updating risk register is to:
A. Define controls
B. Identify risk owner
C. Built risk profile
D. Maintain evidence
6. Of the following, who is accountable for deciding and implementing controls
based on risk mitigation plan?
A. Chief risk officer
B. Risk owner
C. IT operations manager
D. Board of directors
7. Which of the following is a risk factor that may have impact on organization?
A. Management decides to acquire new application software.
B. A new application required by organization is released.
C. Vendor decides to stop supporting existing application.
D. Organization retires old application that is not in use.
8. While auditing risk monitoring process which of the following IS auditor should
review FIRST?
A. Risk assessment process
B. Risk management framework
C. Alignment with business risks
D. Annual review of risk register
13
9. The quantum of risk after enterprise has implemented controls based on risk
mitigation plan is:
A. Accepted risk
B. Residual risk
C. Inherent risk
D. Current risk
10. Which of the following shall best help in aligning IT risk with enterprise risk?
A. Presenting IT risk results in business terms.
B. Conducting business impact analysis.
C. Making Chief risk officer accountable.
D. Align IT strategy with business strategy.

1. B is the correct answer. Other options i.e. location of asset, existing vulnerabilities in
asset shall be covered during risk assessments. Inventory of threats only will not help;
impact due to threat must be assessed.
2. C is the correct answer. Of the four main risk response options accept, avoid, mitigate
and transfer, Insurance cover is a risk response option of risk transfer
3. B is the correct answer. BY shifting location, the business has avoided the risk
associated with Tsunami.
4. A is the correct answer. It is the definition of risk appetite. Risk tolerance is capacity to
tolerate down time due to risk materialization. Risk acceptance and risk mitigation are
risk response decision based on risk appetite.
5. C is the correct answer. Main use of risk register is to develop risk profile of the
organization for management’s review and enable risk informed decisions.
6. B is the correct answer. Risk owner is primarily accountable for deciding and
implementing on nature of controls. Generally, risk owner is process owner. Chief risk
office guides risk owner, IT head is responsible for responding to risk owned by IT
head. Although board of directors is ultimately accountable, for specific risk, risk owners
are responsible.
7. C is the correct answer. Vendor decides to stop supporting existing software changes
the market situation that will affect organization, since it has to take decision on
replacing application. Release of new application though changes market; it may not
14
affect the organization immediately as the organization may not need to take action.
Options A and D are internal decisions and will be done after risk assessment and
hence these are not risk factors.
8. D is the correct answer. Risk monitoring refers to review of identified and assed risks
based on changes, incidents, and periodically. Other options are part of risk
management framework.
9. B is the correct answer. Accepted risk is where controls are not implemented is part of
residual risk; Inherent risk is total risk before implementing controls. Current risk is
residual risk at a point in time during control implementation.
10. A is the correct answer. Expressing IT risk in business terms i.e. as impact on business
will help business in understating relevance of IT risks. Business impact analysis may
be useful however, it may or may not help depending upon scope of project. Making
chief risk officer accountable may help but best is A. Aligning IT strategy with business
strategy shall help in defining better IT plan, but it is at higher level.
15
Chapter 2
Administrative Controls of Information Assets
2.1 Information Security Management
Protection of information assets includes the key components that ensure confidentiality,
integrity and availability (CIA) of information assets. Controls to protect the assets are
designed, developed, selected and implemented based on risk evaluation and cost-benefit
analysis. The primary control for implementing protection strategy is defining and
implementing information security policy. Organization needs to focus on ensuring that
information security procedures are followed to meet the security objectives of the
organization derived from the stakeholder’s expectations. This requires implementation of
processes for information security management. The key elements of information security
management include:
 Senior management commitment and support,
 Policies and procedures,
 Organization structure and roles and responsibilities,
 Security awareness and education,
 Monitoring,
 Compliance,
 Incident handling and response.
 Continual improvement
2.2 Senior Management Commitment and Support

Commitment and support of senior management are imperative for successful establishment
and continuance of an information security management program. The tone at the top must be
conducive for effective information protection and its management. It is unreasonable to
expect shop-floor personnel to abide by information security policies, if senior management
does not exercise them. Executive management endorsement of essential security
requirements provides the basis for ensuring that security expectations are met at all levels of
the enterprise. Disciplinary actions for non-compliance must be defined, communicated and
enforced from the senior management level. The senior management’s support for security
initiatives is evident from their actions and decisions. Some of the key indicators are:
 Providing support for defining organization structure that supports implementation of
information security initiatives. Establishing Information Security Organization (ISO) and

steering committee and assigning responsibility for information security operations.
 Regularly reviewing information security projects, reports and activities as part of an
agenda item on board meetings.
 Approving risk response decisions and information security policies.
 Observing security practices, as per security policies and procedures
 Ensuring adequate budget
 Review of audit reports
 Continual improvement
2.3 Critical Success Factors to Information Security

Management
Following are critical to the successful implementation of information security program in the
organization:
 Alignment with business objectives: The Management needs to establish security
policy in line with business objectives, to ensure that all Information Security elements
are strategically aligned.
 Organizational culture: Ensure that the framework followed to implement, maintain,
monitor and improve Information Security is consistent with the organizational culture.
 Establish and enforce an information security program: The focus of information
security program is protecting information assets of the organization. Management
should establish and enforce information security program enterprise-wide.
 Adoption of standard: Adoption of standard or framework may enable organization to
have consistent implementation across the enterprise. This also helps in providing
assurance that all required aspects of information security have been covered. Many a
time regulators issue guideline for adoption and certification of standards/ framework
available in public domain.
 Spend resources wisely and transparently: Expenditures on controls to mitigate risks
should be prioritized and unnecessary resource utilization may be avoided.
2.4 Information Security Organization

Information security is responsibility of entire organization and accountability of senior
management and board of director. Chief Information Security Officer (CISO) is facilitator in
implementing security across organization. The CISO plays a critical role in ensuring
17
protection of an Organization’s information and information assets, privacy of information,

managing vulnerabilities, responding to incidents, and compliance of policies, training and
awareness of policies.
The position must be strategically placed within the Organization and visibly supported by top
management while carrying out the duties in an effective and independent manner.
Possessing both a broad range of business management and technical security skills, and a
clear understanding of the Organization’s business is critical to a CISO’s success.
To ensure that information security is implemented across organization CISO requires
creation of the information security organization. This can be best done by defining security
responsibilities for every person and position as part of his/her role within organization and
documented in their job description. While defining roles and responsibilities following aspects
must be considered.
2.4.1 Segregation of Duties

Segregation of duties is the concept of having more than one person required to complete a
task. In business, the separation by sharing of more than one individual in one single task is
an internal control intended to prevent fraud and error. In essence, SoD implements an
appropriate level of checks and balances upon the activities of individuals. A programmer
should not be allowed to operate a computer system, or to gain access to production systems
or data. Similarly, operators should not act as programmers although, in practice, this rule is
becoming undermined by the use of personal computers and small office systems and in
tiny/small companies.
2.4.2 The ‘Four Eyes’ (Two-Person) Principle

This is one of the central principles of authorization in the information systems of financial
organizations. The principle of maker and checker means that for each transaction, there must
be at least two individuals necessary for its completion. While one individual may create a
transaction, the other higher designation should be involved in confirmation/ authorization of
the same. Here the segregation of duties plays an important role. In this way, strict control is
kept over system software and data, keeping in mind functional division of labour between all
classes of employees. In some business systems (e.g. SWIFT), it is necessary to have “six
eyes” principle i.e. maker-checker-approver.
Examples of this include: two signatories required for a cheque, and two people always being
present in a critical computer room. It must be noticed that there is a possibility of collusion
between the maker and checker. Vital functions should be well dispersed amongst staff
members. Although this can be seen, as mistrust to staff but may provide protection too.
18
2.4.3 Rotation of Duties

Some employers to rotate their employees’ assigned jobs throughout their employment use
this technique. Employers practice this technique for a number of reasons. It was designed to
promote flexibility of employees and to keep employees interested into staying with the
company/ organization, which employs them. There is also research that shows how job
rotations help relieve the stress of employees who work in a job that requires manual labour.
Rotation of duties may also place a limit on any fraudulent activities. The replacement of an
individual may well reveal any dishonesty or inefficiency, which has been continuing over a
period of time. A similar rule should insist that staff should take at least two consecutive
weeks holiday in every year as industry experience has shown that many frauds need
continual masking by the perpetrator and may surface when the individual is away.
2.4.4 ‘Key Man’ Policy

Key employee or key man is a term used specifically for an important employee or executive
who is core to the operation of the business and his death, disability or absence could prove
to be disastrous for the company or organization. In cases where a single individual is critical
to the business, insurance policies may be taken out to cover losses resulting from his or her
death or incapacity. Key man policies also cover issues such as the protection of groups of
key staff such as senior managers and lays down rules under which they will not travel in the
same vehicle (aircraft and cars) to limit the impact on the organization, should there be an
accident.
2.5 Information Security Policies, Procedures, Standards and

Guidelines
Information Security policy will define management’s intent on how the security objectives
should be achieved. It will also encompass the view on risk and will define security
initiatives/controls to meet business objectives. Information security policies, guidelines and
procedures affect the entire organization and, as such, should have the support and
suggestions of end users, executive management, auditors, security administration, IS
personnel and legal counsel. After policies are outlined, standards are adopted/defined to set
the mandatory rules that will be used to implement the policies. A standard is typically a
collection of system-specific or procedural-specific requirements that must be met by
everyone. Procedures are the detailed activities for implementation of policies.
Every policy should have corresponding procedures. Some policies may have multiple
guidelines, which are recommendations as to how the policies can be implemented smoothly.
A guideline is typically a collection of system specific or procedural specific "suggestions" for
best practice. They are not requirements to be met, but are strongly recommended. Effective
security policies make frequent references to standards and guidelines that exist within an
19
organization. Finally, information security management, administrators, and engineers create

procedures from the standards and guidelines that follow the policies.
A security policy is a document that defines the scope of security needed by the organization
and discusses the information assets that need protection and the extent to which protection
is required. The Information Security Policy is an overview or generalization of an
organization’s security needs. It should clearly define why security is important and what
assets are valuable. The formulations of policies are based on outcome of risk assessment
process. Organizations may have polices depending upon culture of organization, nature of
business, compliance requirements, geographical and regional environment within which
organization is operating.
2.5.1 Components of Information Security Policies

 Statement
 Scope
 Objective
 Ownership
 Roles and Responsibility
 Business requirement of Information security
 Policy Exceptions
 Compliance
 Periodic review
2.5.2 Other Common Security Policies

Every organization may have different polices depending upon nature and focus of business
and the result of risk assessment process; however, some of the common policies are
discussed here.
Data Classification and Privacy Policies
It is the policy of the Organization to protect against the unauthorized access, use, corruption,
disclosure, and distribution of non-public personal information in its possession, and to comply
with all applicable laws and regulations regarding such information. It generally covers:
 The organization shall hold non-public personal information in strict confidence and
shall not release or disclose such information to any person except as required or
authorized by law and only to such persons who are authorized to receive it.
 The organization shall adopt procedures for the administrative, technical and physical
safeguarding of all non-public personal information.
20
 The organization shall ensure that an entity controlled by it, or any other entity that
utilizes information provided by the organization to carry out its responsibilities, shall
have signed and agreed to abide by the terms of the data privacy and security policy or
shall have adopted a data privacy and security policy that is substantially similar to the
organization policy.
Acceptable Use of Information Assets Policy
An Acceptable Use Policy (AUP), also known as an Acceptable Usage policy or Fair Use
policy, is a set of rules that restrict the ways in which the information resources (Data,
Application Systems, Technology, Facilities and People) may be used. AUP often reduces the
potential for legal action that may be taken by a user, and often with little prospect of
enforcement.
Acceptable use policies are an integral part of the framework of information security policies; it
is often common practice to ask new members of an organization to sign an AUP before they
are given access to its information systems. For e.g. it may state that no user of company’s
Internet facility will use for personal purpose.
Physical Access and Security Policy
Physical security describes security measures that are designed to restrict unauthorized
access to facilities, equipment and resources, and to protect personnel and assets from
damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the
use of multiple layers of interdependent systems, which include CCTV surveillance, security
guards, Biometric access, RFID cards, access cards protective barriers, locks, access control
protocols, and many other techniques.
Asset Management Policy
This policy defines the business requirements for Information assets protection. It includes
assets like servers, desktops, handhelds, software, network devices etc. Besides, it covers all
assets used by an organization- owned or leased. E.g., asset management involves asset
acquisition, identification, storage, movement, accounting, disposal etc.
Network Security Policy
A network security policy defines the overall rules for organization’s network access,
determines how policies are enforced and lays down some of the basic architecture of the
company security/ network security environment.
Password Policy
This policy defines high-level configuration of password to be used within organization to
access the information assets. For example:
 Password length must be more than 8 characters
21
 Password must meet complexity requirements, such as upper case, lower case,
numeric and special characters
 Password must have defined maximum age
 Password must have defined minimum age
 Password must have history control
2.5.3 Controls over Policy

Information security policies need to be maintained, reviewed and updated regularly. This is
required due to changes in environment, information technology, threat scenarios, business
processes, business strategy, and organizational structures. It is necessary to review the
security policies periodically to ensure that they are in line with the senior management’s
intent. Typically, security policies are reviewed:
 Periodically, generally annually OR
 After incident OR
 As a part of change management process
2.5.4 Exceptions to the Policy

Policies are generic and sometimes cannot be enforced in specific situations; a process for
defining and approving exceptions must be defined. In such situations, it is necessary to
ensure there are suitable compensating controls so that the risks mitigated by enforcement of
policy are within acceptable level. Such exceptions should be for a predefined period, must be
removed when stipulated period and reviewed periodically. For example: legacy application
does not provide for implementing password policy. An exception may be approved with
additional strong compensating control over access granting process or application accesses.
This exception may be approved for a specific period of time, during which application should
be modified to comply with password policy.
2.6 Information Classification

Data is a representation of facts, concepts, or instructions in a formalized manner suitable for
communication, interpretation, or processing by humans or by automatic means. It is held by
the company on its own behalf and/or is entrusted to it by others. It is also information (original
or derived) organized for analysis or used to make decisions.
Information classification can provide organizations with a systematic approach to protect
information consistently across the organization and for all versions of information (original,
copies, discarded, outdated etc.). Information follows a life cycle consisting of one or more of
stages such as origination, draft, approved/signed, received, stored, processed, transmission,
22
archived, discarded, destruction etc. The organization is expected to protect information,

during its lifecycle in a consistent manner. The state in which information exists can also
influence how a piece of information should be protected.
2.6.1 Benefits from Information Classification

 Information classification can help in determining the risk associated in case of loss and
thus prevent ‘over-protecting’ and/or ‘under-protecting’, ensuring that information is
adequately protected (e.g. against unauthorized disclosure, theft and information
leakage)
 Information classification can be used to demonstrate that the organization is meeting
particular compliance requirements (e.g. Personal Data Protection Bill) and regulation
(e.g. RBI)
 Information classification helps to ensure that security controls are only applied to
information that requires such protection. This may reduce the cost of protecting
information.
 Information classification can help enforce access control policies by using the
classification label to determine if an individual can gain access to a piece of
information (e.g. information labelled as secret can only be accessed by individuals that
have been granted a security clearance of secret)
2.6.2 Information Classification Policy

An information classification policy is one of the critical components of Information Security.
An information security classification policy addresses the following:
 Objective of classification of information assets
 Structure of classification schema (categories of classes)
 Information owners and custodians
 Protection levels for each class of information defined by schema
 Classification method using impact on business if information is breached or not
available and possibility (Likelihood) of breach.
 Policy also determines the responsibility and accountability of Information owners,
custodians and users.
 Generally, owners are responsible for assigning classifications to information assets
according to the standard information classification system (schema and method)
adopted by the organization.
 Where practicable, the information classification shall be embedded in the information
itself.
23
2.6.3 Classification Schema

Most organization may follow following classes: Top secret, confidential, sensitive, internal
and public. Following table describes the general description of classification schema,
however organization may adopt different schema depending upon requirement, nature of
business, compliance requirements etc.
Information Description Example

Category
Unclassified/ When the unauthorized disclosure, Information widely available in the
Public alteration or destruction of that public domain, including publicly
data could cause low or no risk available Company web site areas
Sensitive When the unauthorized disclosure, All Company-developed software
alteration or destruction of that code, whether used internally or sold
data could cause a moderate level to clients
of risk
Client When the unauthorized disclosure, Product information generated for the
Confidential alteration or destruction of that client by company
Data data could cause a significant Client’s data such as name, age, sex
level of risk etc., Feedback given by the client
Company When the unauthorized disclosure, Confidential customer business data
Confidential alteration or destruction of that and confidential contracts
Data data could cause a highest level of
risk
2.7 The Concept of Responsibility in Information Security

Responsibilities are defined duties of individual within an organization; once a responsibility is
assigned, it is usual for an individual to be held responsible for satisfactory performance. The
main types of role within an information security structure are given below:
2.7.1 Ownership
Organization has acquired (instead of “has acquired” “acquires”) a number of assets required
for business operations. The organization is legal owner of these assets. However, for security
and control the ownership is delegated to an employee or group of employees who need to
use these assets. In other words, users not only have right to use the assets but also are
responsible for the safekeeping of assets.
Every asset of the organization including the information assets should have a clearly defined
24
‘owner’. The owner should then have a defined set of responsibilities. Authorization is the
essential statement where an owner gives their assent to an activity happening.
2.7.2 Custodianship
In some instances, an owner is not able to manage a particular asset on a day-to-day basis,
perhaps for logical or technical reasons. In this scenario, the owner may delegate
responsibility to a custodian. The owner should clearly state the requirements; the
responsibilities and associated levels of authority of the custodian on the assets but finally
management responsibility will always reside with the owner. Example of custodian is a
database administrator.
2.7.3 Controlling
In all information, security areas there are key tasks, which can be called control points. It is at
these control points that the actual information security mechanism has its application. For
example, a system administrator acts as a control on who has access to information
resources. They carry out the task of adding and deleting user identifiers from the system or
modifying the task of adding available to them, and therefore effectively control the activities
of the owner, or other designated authority.
2.7.4 Human Resources Security

Employees handling personnel data in an organization need to receive appropriate awareness
training and regular updates in an effort to safeguard the information entrusted to them.
Appropriate roles and responsibilities assigned for each job function needs to be defined and
documented in alignment with the organization's security policy.
The management of human resources security and privacy risks is necessary during all
phases of employees’ association with the organization. Training and education are intended
to individuals with focus to prevent data disclosure, recognize information security problems
and incidents, and respond according to the needs of their job role(s). Following are the some
of the recommended safeguards:
 Job descriptions and screening,
 User awareness and training,
 A disciplinary process, and
 An exit process must exist to equip employees to operate securely and use information
appropriately, and ensure the revocation of access privileges when a user's relationship
with the organization ends.
The objectives of human resources security is to ensure that all employees and third parties
(having access to organizations’ information assets) are qualified and understand their roles
25
and responsibilities of their job duties and that access is removed once employment is
terminated. The three areas of Human Resources Security are:
 Pre-employment: It includes defining roles and responsibilities of the job, defining
appropriate access to sensitive information for the job, and determining candidate's
screening levels - all in accordance with the company's information security policy.
 During employment: Employees and third parties those who have access to sensitive
information in the organization should receive periodic reminders of their responsibilities
and receive ongoing, updated security awareness training to ensure their understanding
of current threats and corresponding information security practices to mitigate
corresponding risks.
 Termination or change of employment: To prevent unauthorized access to sensitive
information, access must be revoked immediately upon termination/separation of an
employee and third parties from the organization. This also includes the return of the
assets of the organization.
2.8 Training and Education

Various computer crime studies show that the threat from insider’s ranges from 60% to 90%.
This does not mean that more than 60% of the employees in an organization are trying to hack
into the system. It does also mean that employees, whether intentionally or accidentally, may
allow some form of harm to the system. This includes having weak passwords, sharing their
passwords with others, installing illegal copy of screensaver or downloading shareware from
the Internet. Thus, employees need to be made aware about the information security policies
of the company and how to practice good computer security skills.
An integrated security training, awareness, and education program must be based on a
validated training strategy and include a formal course curriculum in addition to other learning
interventions designed to deliver the appropriate security information and messages to all
levels of employees. To do this, a broad program that includes training, education, awareness,
and outreach must be developed to deliver a multitude of security messages through various
means to all employees. Formal, instructor led training, computer or Internet-based training,
videos, conferences, forums, and other technology based and traditional delivery methods are
all examples of what must be part of the integrated security training, education, and
awareness program. Some of the important considerations for security awareness training
program are:
 Mandatory security awareness: Ensure that security awareness training is mandatory
for all staff (including senior management).
 Training for third parties: Ensure that all third parties who are having access to an
organization's information assets should also receive information security awareness
training.
26
 Training is required before access is granted: Security awareness training

commences with a formal induction process designed to introduce the organization's
information security policies and expectations before access granted to information or
services. (I think it should be “first time access” granted, otherwise giving training every
time, the access is taken is impossible)
 Acknowledge policy: Ensure that all target audience including the third party have
acknowledged that they have read and understood the organization's information
security / acceptable use policy.
 Training at least annually: Ensure that all target audience including the third party
(having access to company information and information systems) are given security
awareness training at least once in a year.
 Cyber security training: Use of Information Technology by banks and their
constituents has grown rapidly and is now an integral part of the operational strategies
of banks, subsequently; cyber security risk has become part of the business risk.
Government and regulators are also directing enterprises to implement controls for
cyber security risk and generate awareness at all levels. In the present scenario, in
banks, it has become board level agenda. There is need for greater awareness of cyber
security risk and issues by the senior management of banks, so as to strengthen cyber
resilience. With a view to enhance the management's awareness in banks, of the IT and
cyber security issues in a systematic and structured manner, the RBI has designed
awareness/certification program customized for senior management. The expectation is
that, such a programme will enable senior management to contribute more effectively in
the matters relating to implementation, review and monitoring of the cyber security
strategy of their bank, by imparting a better appreciation of the ever-evolving cyber risk-
threat universe.
2.9 Implementation of Information Security Policies

Appropriate implementation of information security policy helps in minimizing internal security
breaches that are accidental and unintentional. Educating employees about the importance of
complying information security policies is most important process. In addition, following may
help in smooth and successful implementation of information security policies.
2.9.1 Increasing Awareness

The success of information security policy depends upon employee’s understanding and
compliance in routine operations. Information security department should understand the level
of employee awareness in order to determine the effectiveness of information security policy.
In this context, a survey may help to determine the level of employees’ awareness. Some of
the aspect regarding which questions may be included in the survey:
27
 Do employees know that there are security policies?

 Do they know the distribution point?
 Are the policies easily accessible?
 Have all the employees read the policies?
 Do the employees understand the policies?
2.9.2 Communicating Effectively

While explaining security policies to new hires or sharing updates with employees, clear
communication through established channels is critical. Ensuring that employees understand
the reason to comply with information security policies is also an important aspect of
communication. Additional communications guidelines include:
 Target communications for various user communities.
 Provide a list of policy updates in the annual training.
 Supplement primary communications vehicles with website and newsletter articles.
2.9.3 Simplify Enforcement

The compliance of information security policies should be enforced through the senior
management communications. Following dimensions may help in compliance of information
security policies in day-to-day operations.
 Creating a manageable number of policies: Keeping the number of policies
manageable so users can more easily find the policy that they need in their routine
activity.
 Making policies understandable for target audiences: Using language that is suited
for target users with examples that how a user shall adhere to the information security
policy.
 Making it easy to comply: Including employee’s feedback during policy review to get
better sense and ease of compliance.
 Integrating security with business processes: Integrating information security policy
compliance into business processes, so employees will not need to bypass security
procedures while doing business operations.
 Aligning policies with job requirements: Information security policy should be in line
with job requirements.
28
2.9.4 Integrating Security with the Corporate Culture

Integrating security into the corporate culture helps to convince employees that information
security is central to the success of business. This approach can foster a feeling of community
and encourage everyone to feel that their support to comply with information security policies
is important.
 Making employees a partner in the security challenge: Establish good relationships
and use the awareness program to encourage business leaders to drive security within
their organizations. Employees will be more likely to support security initiatives if they
feel that the security team is there to help them instead of to police them.
 Making security policy part of a larger compliance initiative: Work with human
resources, legal, and other compliance teams so that there is importance, credibility,
and urgency attached to any policy related training or communication.
 Tying security policies to company's code of business conduct: Educate
employees to understand that their compliance with information security initiatives is
integral to overall appropriate behaviour and critical to success of business.
2.10 Issues and Challenges of Information Security

Management
An organization may face various challenges in Information Security Management. Some
common challenges are:
 Organization’s strategic drivers: The strategic drivers and needs of the organization
may conflict with the actions required to ensure that assets and processes remain
productive. Finding the right balance between protecting the organization’s core assets
and processes and enabling them to do their job becomes a challenge for security
management—and a significant barrier to effectiveness.
 Regulatory requirements: Another consideration for information security management
is the organization’s regulatory environment. Just as the organization must expose itself
to its environment to operate, so must it be willing to accept the limitations imposed by
regulators. This brings another level of challenges that affects the organization’s ability
to be effective at security management.
 Information security as an afterthought: The problem of information security is to
consider it as an afterthought. Once an information system has been implemented, it is
a norm to follow a checklist to understand whether any of the security ‘holes’ remained
unplugged. While the information security community has recognized the inadequacy of
checklists as a means to address security concerns, the checklist culture has, however,
prevailed. Therein resides the problem of information security being considered as an
29
afterthought. Checklists are important as a starting point or as a tool to ensure that you
are not missing out anything but should not be totally relied upon.
 Lack of integration in system design and security design: Development duality is a
phenomenon where systems and security design are undertaken in parallel rather than
in an integrated manner. This largely occurs when systems developers fail to recognize
the security requirements at the onset of the development process.
2.11 Summary
Information security management has become more important over the years due to increased
use of information system for conducting business. Information security management is a
business issue and it needs to be properly integrated into the organization’s overall business
goals and objectives because security issues may negatively affect the resources, which
is(remove “which is”) having dependency on the organization. The objectives of information
security are to provide confidentiality, integrity and availability to data and resources. The
need for complex networks is due to complexity of business operations and delivering
products and services to the customers. These networks have evolved from centralized
environments to distributed environments.
2.12 Questions
1. The Primary objective of implementing Information security management is to:
A. Ensure reasonable security practices
B. Comply with internal audit requirements
C. Adopt globally recognized standards
D. Protect information assets
2. Which of the following is primary function of information security policies?
A. Align information security practices with strategy
B. Communicate intent of management to stakeholders
C. Perform risk assessment of IT operations and assets
D. Ensure compliance with requirements of standards
3. Information security policies are set of various policies addressing different
information systems areas based on the IT infrastructure of organization. Which
of the following policy is most common in all organizations?
A. Acceptable use policy
30
B. BYOD (Bring Your Own Device) policy

C. Data encryption policy
D. Biometric security policy
4. Protecting integrity of data primarily focuses on:
A. Intentional leakage of data
B. Accidental loss of data
C. Accuracy and completeness
D. Data backup procedures
5. Which of the following is primary reason for periodic review of security policy?
A. Compliance requirements
B. Changes on board of directors’
C. Changes in environment
D. Joining of new employees
6. Which of the following is best evidence indicting support and commitment of
senior management for information security initiatives?
A. Directive for adopting global security standard
B. Higher percentage of budget for security projects
C. Assigning responsibilities for security to IT head
D. Information security is on monthly meeting agenda
7. Which of the following is a concern for compliance with information security
policy?
A. Decrease in low risk findings in audit report
B. High number of approved and open policy exceptions
C. Security policy is reviewed once in two years
D. Security policy is signed by Chief Information Officer
8. Which of the following is Primary purpose of Information classification?
A. Comply with regulatory requirement
B. Assign owner to information asset
C. Provide appropriate level of protection
D. Reduce costs of data protection
31
9. Classification of information is primarily based on:

A. Where the information is stored?
B. Who has access to information?
C. What will happen if information is not available?
D. Why attachments to mail are encrypted?
10. Which of the following best helps in classifying the information within
organizations?
A. Using minimum classes in classification schema
B. Conducting training on classification schema
C. Labelling all information based on classification schema
D. Determining storage based on classification schema

1. A is the correct answer. The primary objective of information security management is to
provide adequate level of protection to information security assets.
2. B is the correct answer. Policies are vehicle to communicate management’s intent to all
stakeholders. Information security practices are aligned with business objectives and
not with the strategy. Information security policies are defined as outcome of risk
assessment. Compliance with standard is not primary function of policies.
3. C is the correct answer. Acceptable use policy that address the use of information
assets by users is most common in all organizations that depends upon IT. Policies in
other option depend upon organization’s use of BYOD or Encryption or Biometric.
4. C is the correct answer. Integrity primarily refers to reliability that is achieved by
implementing controls to ensure accuracy and completeness of data.
5. C is the correct answer. Changes in environment introduce new risks. In order to
address them it is necessary to review the information security policy based on
assessment of new risks. Other options are secondary reasons.
6. D is the correct answer. Without senior management’s support, information security
cannot have a success. Senior management is involved many activities in effective
information security initiative. Reviewing progress of information security in monthly
meeting is one of them. Other options may or may not indicate unless there is more
evidence to conclude.
7. B is the correct answer. Policy exceptions are temporary and must be reviewed and
closed as per defined plan. Increased number of exceptions indicates that the policy
32
provisions may not be appropriate and hence need to be reviewed. Other options are
not concerning.
8. C is the correct answer. Primary purpose of information classification is to provide
appropriate level of protection to information assets. Options A, B and D are the
secondary with respect to information classification.
9. C is the correct answer. It helps in assessing the risks associated and determine the
protection level i.e. class of information. A, B and C are determined based on
classification.
10. B is the correct answer. Training users on how to classify information as per definition
provided in classification schema shall best help users in classifying the information. A.
Number of classes shall depend upon organization’s objectives. C and D are performed
after classification of information.
33
Chapter 3
Physical and Environmental Controls
3.1 Introduction
Prior to use of computers and communications technology, most business assets were in
physical form and securing them was primarily controlled manually. However, technology has
also enabled attackers to launch successful attack without being physically near the victim
organization. Today, there is a computer on almost every desk, and access to devices and
resources is spread throughout the environment, besides, organizations have several remote
and mobile users.
Use of technology has also added a requirement to ensure that the environmental controls are
in place so that the technology deployed can perform as expected. For example, computer
uses electrical energy to process, store and transmit data. In the process, they generate heat.
This heat can affect the small electronic circuits within computers resulting in non-availability
of technology. This means the environment must be able to provide and sustain climatic
conditions like appropriate level of temperature and humidity, dust free environment.
3.2 Objectives of Physical Access Controls

An access control system determines who is allowed, where they are allowed, and when they
are allowed to enter or exit. Physical Access controls seek to safeguard the information
resources from physical access exposures. Physical access controls restrict physical access
to resources and protect them from intentional and unintentional loss or impairment. Assets to
be protected could include:
 Primary computer facilities
 Cooling system facilities
 Microcomputers
 Telecommunications equipment and lines, including wiring closets Sensitive areas such
as buildings, individual rooms or equipment.
3.3 Physical Security Threats and Exposures

3.3.1 Sources of Physical Security Threats
The sources of physical access threats can be broadly divided into the following based on the
nature of access. The perpetrators or source of physical threats can be as follows:
 Physical access to IS resources by unauthorized personnel

 Authorized personnel having pre-determined rights of access, misusing their rights in a
manner prejudicial to the interests of the organization
 Authorized personnel gaining access to information systems resources for which they
are not authorized. (i.e. gaining access to resources beyond their rights of “need to
know; need to do”)
 Interested or Informed outsiders such as competitors, thieves, organized criminals and
hackers
 Former Employees/ outsourced agencies former employees
 Accidental/Ignorant who unknowingly perpetrates a violation
 Discontented or disgruntled employees. Outsourced agencies employees
 Employees on strike or issues at outsourced agency
 Employees under termination or suspended and pending termination
 Addicted to substances or gamblers
 Experiencing financial or emotional problems
3.3.2 Physical Access Exposures to Assets

 Unintentional or Accidental: Authorized personnel or unauthorized personnel
unintentionally gaining physical access to IS resources.
 Deliberate: Unauthorized personnel may deliberately gain access or authorized
personnel may deliberately gain access to information resources, for which they are not
permitted or do not possess rights of access.
 Losses: Improper physical access to IS resources may result in losses to organization,
which can result in compromising confidentiality, Integrity and availability of information
system resources.
3.4 Physical Security Control Techniques

Define physical security controls and protection levels at each layer (viz. Deterrence, Access
Control, Detection and Identification):
3.4.1 Choosing and Designing a Secure Site

Organizations may have following consideration during initial planning for information
processing facility (IPF) or data centre site:
35
 Local considerations: What is the local rate of crime (such as forced entry and
burglary)?
 External services: The relative proximity of local emergency services, such as police,
fire, and hospitals or medical facilities.
 Visibility: Facilities such as data centres should not be visible or identifiable from the
outside, that is, no windows or directional signs.
 Windows: Windows are normally not acceptable in a data centre to avoid data leakage
through electromagnetic radiation emitted by monitors. If they do exist, however, they
must be translucent (semi-transparent, i.e. allowing light without being able to view
things clearly) and shatterproof.
 Doors: Doors in the computer centre must resist forcible entry and have a fire-rating
equal to the walls. Emergency exits must be clearly marked and monitored or alarmed.
Electric door locks on emergency exits should revert to a disabled state if power
outages occur to enable safe evacuation. While this may be considered a security
issue, personnel safety always takes precedence, and these doors should be manned
in an emergency.
3.4.2 Security Management

 Controlled user registration procedure: It should be ensured that rights of physical
access are given only to persons entitled thereto and to the extent necessary, based on
the principles of least privileges.
 Audit trails. With respect to physical security, audit trails and access control logs are
vital because management needs to know when access attempts occurred and who
attempted them. The audit trails or access logs must record the following:
o The date and time of the access attempt
o Whether the attempt was successful or not
o Where the access was granted (which door, for example)
o Who attempted the access?
o Who modified the access privileges at the supervisor level?
 Reporting and incident handling procedure: Once an unauthorized event is detected,
appropriate procedures should be in place to enable reporting of such incidents and
effectively handling to mitigate losses. The security administrator should be kept
notified of such incidents. He may use such history to effect modifications to the
security policy.
36
3.4.3 Emergency Procedures

The implementation of emergency procedures and employee training and knowledge of these
procedures is an important part of administrative physical controls. These procedures should
be clearly documented, readily accessible (including copies stored of-site in the event of a
disaster), and updated periodically.
3.4.4. Human Resource Controls

These includes identification of employees and visitors, providing identity cards, assigning
responsibilities, provided training in physical security, monitoring behaviour, escorting
terminated or resigned / retired employees. One of most important control is process of
providing access cards to employees, vendor personnel working onsite and visitors. The
process should aim in preventing generation of false cards, modifying contents of cards,
accounting for lost cards and reconciliation of cards to detect missing/lost cards. In addition, a
process to grant, change and revoke access must be in place.
3.4.5 Perimeter Security

 Guards: Guards are commonly deployed in perimeter control, depending on cost and
sensitivity of resource to be secured. While guards are capable of applying subjective
intelligence, they are also subject to the risks of social engineering. They are useful
whenever immediate, discriminating judgment is required.
 Dogs: Dogs are used in perimeter security, they are reliable, and have a keen sense of
smell and hearing. However, they cannot make judgment calls the way humans can.
 Compound Walls and Perimeter Fencing: A common method of securing against
unauthorized boundary access to the facility. It helps in deterring casual intruders but is
ineffective against a determined intruder.
 Lighting: Lighting is also one of the most common forms of perimeter or boundary
protection. Extensive outside lighting of entrances or parking areas can discourage
casual intruders.
 Dead Man Doors: Dead man doors use a pair of doors. For the second door to
operate, the first entry door must close and lock so that only one person is permitted in
the holding area. This effectively reduces the risk of piggybacking.
 Bolting Door Locks: This is the most commonly used means to secure against
unauthorized access to rooms, cabins, and closets. It requires traditional metal key to
gain entry. Unauthorized individuals could still gain access to the processing center
along with an authorized individual. This is cheap yet a reasonably effective technique,
however control over physical custody and inventory of keys is required.
37
 Combination or Cipher Locks: Combination door locks, also known as cipher locks,
use a numeric keypad or dial to gain entry. They do not prevent or reduce the risk of
piggybacking since unauthorized individuals may still gain access to the restricted area.
 Electronic Door Locks: Such locks may use electronic card readers, smart card
readers or optical scanners to gain entry. They do not prevent or reduce the risk of
piggybacking, since unauthorized individuals may still gain access to the restricted
area.
 Biometric Door Locks: These are some of the most secure locks since they enable
access based on physiological features such as voice, fingerprint, hand geometry,
retina or iris. However, they do not prevent or reduce the risk of piggybacking.
 Perimeter Intrusion Detectors - The two most common types of physical perimeter
detectors are based on either photoelectric sensors or dry contact switches.
o Photoelectric Sensors - Photoelectric sensors receive a beam of light from a
light-emitting device, creating a grid of either visible white light, or invisible
infrared light. An alarm is activated when the beams are broken. The beams can
be physically avoided if seen; therefore, invisible infrared light is often used.
o Dry Contact Switches - Dry contact switches and tape is probably the most
common type of perimeter detection. This can consist of metallic foil tape on
windows or metal contact switches on doorframes to detect when a door or
window has been opened.
 Video Cameras: Cameras provide preventive and detective control. Closed-Circuit
Television (CCTV) cameras have to be supplemented by security monitoring and
guards for taking corrective action. The location of such cameras and recording,
retention of tapes, images for future playback should be decided based on information
security strategy.
 Identification Badge: Special identification badge such as employee cards, privileged
access pass, and visitor passes etc. enable tracking movement of personnel. This may
also be a card with signature and or photo identity. Security staff to permit or deny
access and to detect unauthorized access physically examines identification badges.
 Manual Logging: All visitors to the premises are prompted to sign a visitor’s register
recording the date and time of entry and exit, name of entrant, organization, purpose
etc. The visitor may also be required to authenticate his identity by means of a business
card, photo identification card, driver’s license etc.
 Electronic Logging: Electronic card users may be used to record the date and time of
entry and exit of the cardholder by requiring the person to swipe the card both time of
entry and exit. This is a faster and more reliable method for restricting access to
38
employees and pre- authorized personnel. This security mechanism can be made with
electronic or biometric devices.
 Controlled Single Point Access: Physical access to the facility is granted through a
single guarded entry point. This involves identifying and eliminating or disabling entry
from all entry points except one. Multiple entry points may dilute administration of
effective security.
 Controlled Visitor Access: A pre-designated responsible employee or security staff
escorts all visitors such as maintenance personnel, contract workers, vendors, and
consultants for a specified time period (unless they are for long-term, in that case guest
access may be provided).
 Bonded Personnel: This is useful in situation where physical access to sensitive
facilities is given to employees or the contract employees. Bonding (contractors or
employees being required to execute a financial bond), such bond does not improve
security but reduces financial impact due to improper access/misuse of information
resources.
 Wireless Proximity Readers. A proximity reader does not require physical contact
between the access card and the reader. The card reader senses the card in
possession of a user in the general area (proximity) and enables access.
 Alarm Systems/Motion Detectors. Alarm systems provide detective controls and
highlight security breaches to prohibited areas such as access to areas beyond
restricted hours, violation of direction of movement. For example, in specific areas,
entry only or exit only doors are used. Motion detectors are used to sense unusual
movement within a predefined interior security area and thus detect physical breaches
of perimeter security, and may sound an alarm.
 Secured Distribution Carts: One of the concerns in batch output control is to get the
printed hardcopy reports (which may include confidential materials) securely by the
intended recipients. In such cases, distribution trolleys with fixed containers secured by
locks are used. The respective user team holds the keys of the relevant container.
 Cable Locks: A cable lock consists of a plastic-covered steel cable that chain a PC,
laptop or peripherals to the desk or other immovable objects.
 Port Controls: Port controls are devices that secure data ports (such as a floppy drive
or a serial or parallel port) and prevent their use.
 Switch Controls: A switch control is a cover for the on/off switch, which prevents a
user from switching on or off the power.
 Peripheral Switch Controls: These types of controls are lockable switches that
prevent a device such as a keyboard from being used.
39
 Biometric Mouse: The input to the system uses a specially designed mouse, which is
usable only by pre-determined/pre-registered person based on the physiological
features of the user.
 Laptops Security: Securing laptops and portables represent a significant challenge,
especially since; loss of laptops creates loss of confidentiality, integrity and availability.
Cable locks, biometric mice/fingerprint/iris recognition and encryption of the data is
some of the means available to protect laptops and data therein.
3.4.6 Smart Cards

A smart card used for access control is of the following types:
 Photo-Image Cards: Photo-image cards are simple identification cards with the photo
of the bearer for identification.
 Digital-Coded Cards: Digitally encoded cards contain chips or magnetically encoded
strips (possibly in addition to a photo of the bearer). The card reader may be
programmed to accept or deny entry based on an online access control computer and
can also provide information about the date and time of entry.
 Wireless Proximity Readers: A proximity reader does not require the user to
physically insert the access card. The card reader senses the card in possession of a
user in the general area (proximity) and enables access.
3.5 Auditing Physical Access Controls

Auditing physical access requires that the auditor to review the physical access risks and
controls to form an opinion on the effectiveness of these controls. This involves risk
assessment, review of documentation and testing of controls.
 Risk Assessment: The auditor should satisfy himself that the risk assessment
procedure adequately covers periodic and timely assessment of all assets, physical
access threats, vulnerabilities of safeguards and exposures.
 Controls Assessment: The auditor based on the risk profile evaluates whether
physical access controls are in place and adequate to protect the IS assets against the
risks.
 Review of Documentation: Planning for review of physical access controls requires
examination of relevant documentation such as the security policy and procedures,
premises plans, building plans, inventory list, cabling diagrams etc.
 Testing of Controls: IS auditor should review physical access controls for their
effectiveness. This involves:
40
 Tour of organizational facilities including outsourced and offsite facilities.

 Physical inventory of computing equipment and supporting infrastructure.
 Interviewing personnel can also provide information on the awareness and
knowledge of procedures.
 Observation of safeguards and physical access procedures. This would also
involve inspection of:
 Core computing facilities.
 Computer storage rooms.
 Communication closets.
 Backup and Off-site facilities.
 Printer rooms.
 Disposal yards and bins.
 Inventory of supplies and consumables. Some special considerations also
involve the following:
 All points of entry/exit
 Glass windows and walls
 Moveable and modular cubicles
 Ventilation/Air-conditioning ducts
 False Ceiling and flooring panels.
 Review of Physical access procedures including user registration and
authorization, special access authorization, logging, periodic review, supervision
etc.
 Employee termination procedures should provide withdrawal of rights such as
retrieval of physical devices such as smart cards, access tokens, deactivation of
access rights and its appropriate communication to relevant constituents in the
organization.
 Examination of physical access logs and reports includes examination of incident
reporting logs and problem resolution reports.
3.6 Environmental Controls

This section examines the risks to IS resources arising from undesired changes in the
environment. Environmental threats to information assets include threats primarily relating to
41
facilities and supporting infrastructure, which house and support the computing equipment,
media and people. IS Auditor should review all factors that adversely affect confidentiality,
integrity and availability of the information, due to undesired changes in the environment or
ineffective environmental controls.
3.7 Objectives of Environmental Controls

The objects of environment controls are the same as discussed in the section on physical
controls. However, from the perspective of environmental exposures and controls, information
systems resources may be categorized as follows:
 Hardware and Media
 Information Systems Supporting Infrastructure or Facilities
 Documentation
 Supplies
 People
3.8 Environmental Threats and Exposures

Exposures from environmental threats may lead to total or partial loss of computing facilities,
equipment, documentation and supplies causing loss or damage to organizational data and
information and more importantly people. It may significantly and adversely impact the
availability, integrity and confidentiality of information. The threats can be broadly classified as
Natural and Man-made.
3.8.1 Natural Threats and Exposure

 Natural disasters such as earthquakes, floods, volcanoes, hurricanes and tornadoes
 Extreme variations in temperature such as heat or cold, snow, sunlight, etc.
 Static electricity
 Humidity, vapours, smoke and suspended particles
 Insects and organisms such as rodents, termites and fungi
 Structural damages due to disasters
 Pandemic due to virus etc.
3.8.2 Man-made Threats Exposure

 Fire due to negligence and human action
 Threats from terrorist activities
42
 Power – uncontrolled/unconditioned power, blackout, transient, spikes, surges, low

voltage
 Equipment failure
 Failure of Air-conditioning, Humidifiers, Heaters
 Food particles and residues, undesired activities in computer facilities such as smoking.
 Structural damages due to human action/inaction and negligence
 Electrical and Electromagnetic Interference (EMI) from Generators, motors.
 Radiation
 Chemical/liquid spills or gas leaks due to human carelessness or negligence
3.9 Techniques of Environmental Controls

The IS supporting infrastructure and facilities should provide the conducive environment for
the effective and efficient functioning of the information processing facility (IPF). Based on the
risk assessment, computing equipment, supporting equipment, supplies, documentation and
facilities should be appropriately protected to reduce level of risks from environmental threats
and hazards or exposures. Following are list of controls, which are to be implemented.
3.9.1 Choosing and Designing a Safe Site

 Natural disasters. Natural disasters can include weather-related problems (wind,
snow, flooding, and so forth) and earthquake may adversely impact the IPF. While
establishing IPF, organization should consider issues related to probability of natural
disaster.
 Windows: Windows are normally not acceptable in the data centre. If they do exist,
however, they must be translucent and shatterproof.
 Doors: Doors in the computer centre must resist forcible entry and have a fire-rating
equal to the walls. Emergency exits must be clearly marked and monitored or alarmed.
Electric door locks on emergency exits should revert to a disabled state if power
outages occur to enable safe evacuation. While this may be considered a security
issue, personnel safety always takes precedence, and these doors should be manned
in an emergency.
3.9.2 Facilities Planning

As part of facilities planning, the security policy should provide for specific procedures for
analysis and approval of facilities building and refurbishment plan. Depending on the size and
nature of computing facilities, a separate function should exist for facilities planning and
management. The following aspects need to be considered in this context:
43
The documentation of physical and geographical location and arrangement of computing

facilities and environmental security procedures should be modified promptly for any changes
thereto. Access to such documentation should be strictly controlled.
 Walls: Entire walls, from the floor to the ceiling, must have an acceptable fire rating.
Closets or rooms that store media must have a high fire rating.
 Ceilings: Issues of concern regarding ceilings are the weight-bearing rating and the fire
rating.
 Floors: If the floor is a concrete slab, the concerns are the physical weight it can bear
and its fire rating. If it is a raised flooring the fire rating, its electrical conductivity
(grounding against static build-up), and that it employs a non-conducting surface
material are major concerns. Electrical cables must be enclosed in metal conduit, and
data cables must be enclosed in raceways, with all abandoned cable removed.
Openings in the raised floor must be smooth and nonabrasive, and they should be
protected to minimize the entrance of debris or other combustibles. Ideally, an IPF
should be located between floors and not at or near the ground floor, nor should it be
located at or near the top floor.
 Fire-resistant walls, floors and ceilings: The construction of IPF should use fire-
resistant materials for walls, floors and ceilings. Depending on application and
investment, manufacturers offer materials with varied fire ratings. Fire rating resistance
of at least 2 hours is generally recommended.
 Concealed protective wiring: Power and Communication cables should be laid in
separate fire-resistant panels and ducts. The quality rating of power cables should
match the load and manufacturers specifications.
 Media protection: Location of media libraries, fireproof cabinets, kind of media used
(fungi resistant, heat resistant).
3.9.3 Emergency Plan

Disasters result in increased environmental threats e.g. smoke from a fire in the
neighbourhood or in some other facility of the organization would require appropriate control
action, evacuation plan should be in place and evacuation paths should be prominently
displayed at strategic places in the organization.
Reporting procedures should be in place to enable and support reporting of any environmental
threats to a specified controlling authority. Periodic inspection, testing and supervision of
environmental controls should form a part of the administrative procedures. The tests of such
inspection, tests and drills should be escalated to appropriate levels in the organization.
Documented and tested emergency evacuation plans should consider the physical outlay of
the premises and orderly evacuation of people, shut down of power and computer equipment,
44
activation of fire suppression systems. Administrative procedures should also provide for
Incident Handling procedures and protocols due to environmental exposures.
3.9.4 Maintenance Plans

A comprehensive maintenance and inspection plan is critical to the success of environmental
security and controls. Preventive maintenance plan and management procedures should be in
place. This is a critical aspect of environmental control procedures, negligence in respect of
which can lead to exposing the IPF to risks. Environmental controls should be documented
and a suitable preventive maintenance should be put in place administered through schedules
and logs.
 MTBF and MTTR: Failure modes of each utility, risks of utility failure, should be
identified, parameterized and documented. This includes estimating the MTBF (Mean
Time between Failures) and MTTR (Mean Time to Repair). Planning for Environmental
controls would need to evaluate alternatives with low MTBF or installing redundant
units. Stocking spare parts on site and training maintenance personnel can reduce
MTTR. It is better that MTBF should be high and MTTR should be low.
3.9.5 Ventilation and Air Conditioning

The temperature in the IPF should be controlled depending on the type of equipment and
processing. Improper maintenance of temperature leads to damage of internal components.
Air conditioning units should have dedicated power circuits. Similar to water drains, the AC
system should provide outward, positive air pressure and have protected intake vents to
prevent air carried toxins from entering the facility.
3.9.6 Power Supplies

Power supply should conform to computing equipment manufacturer specifications. Many
aspects may threaten power system, the most common being noise and voltage fluctuations.
Noise in power systems refers to the presence of electrical radiation in the system. There are
several types of noise, the most common being electromagnetic interference (EMI) and radio
frequency interference (RFI). Voltage fluctuations are classified as Sag (momentary low
voltage), Brownout (prolonged low voltage), and Spike (momentary high voltage), Surge
(prolonged high voltage) and Blackouts (complete loss of power). Some of the controls to
ensure uninterrupted delivery of clean power are:
 Uninterruptible power supply (UPS)/generator: UPS usually consist of battery
backup or diesel generator that interfaces with the external power supplied to the
equipment. On interruption in external power supply, the power continues to supply
from the battery. Depending on the application, UPS are available with battery backup
45
of a few minutes to a number of days. UPS can be on-line or off-line, but for
computerized environment, on-line UPS is mandated.
 Electrical surge protectors/line conditioners: Power supply from external sources
such a grid and generators are subject to many quality problems such as spikes,
surges, sag and brown outs, noise, etc. Surge protectors, spike busters and line
conditioners are equipment, which cleanses the incoming power supply of such quality
problems and delivery clean power for the equipment.
 Power leads from two sub-stations: Failure of continued power supply to some high
consumption continuous processing could even result in concerns regarding public
safety such as refineries, nuclear reactors and hospitals. Electric power lines may be
exposed to many environmental and physical threats such as foods, fire, lightning,
careless digging, etc. To protect against such exposures, redundant power lines from a
different grid supply should be provided for. Interruption of one power supply should
result in the system immediately switching over to the stand-by line.
3.9.7 Fire Detection and Suppression System

Smoke and Fire Detectors
Smoke and fire detectors activate audible alarms or fire suppression systems on sensing a
particular degree of smoke or fire. Such detectors should be placed at appropriate places,
above and below the false ceiling, in ventilation and cabling ducts. In case of critical facilities,
such devices must be linked to a monitoring station (such as fire station). Smoke detector
should supplement and not replace fire suppression systems.
Fire Alarms
Manually activated fire alarms switches should be located at appropriate locations prominently
visible and easily accessible in case of fire (but should not be easily capable of misuse during
other times). By manual operation of switch or levers, these devices activate an audible alarm
and may be linked to monitoring stations both within and/or outside the organization.
Emergency Power Off
When necessity of immediate power shutdown arises during situations such as computer
facility fire or emergency evacuation, emergency power-off switches should be provided.
There should be one within the computer facility and another just outside the computer facility.
Such switches should be easily accessible should be shielded to prevent accidental use.
Water Detectors
Risks to IPF equipment from flooding and water logging can be controlled by use of water
detectors placed under false flooring or near drain hole. Water detectors should be placed on
all unattended or unmanned facilities. Water detectors on detecting water activate an audible
alarm.
46
Fire Suppression Systems

Combustibles are rated as either Class A, B, or C based upon their material composition, thus
determining which type of extinguishing system or agent is used. Fires caused by common
combustibles (like wood, cloth, paper, rubber, most plastics) are classed as Class A and are
suppressed by water or soda acid (or sodium bicarbonate). Fires caused by flammable liquids
and gases are classed as Class B and are suppressed by Carbon Dioxide (CO), soda acid, or
FM200. Electrical fires are classified as Class C fires and are suppressed by Carbon Dioxide
(CO), or FM200. Fire caused by flammable chemicals and metals (such as magnesium and
sodium) are classed as Class D and are suppressed by Dry Powder (a special smothering and
coating agent). Class D fires usually occur only at places like chemical laboratories and rarely
occur in office environments. Note that using the wrong type of extinguisher while suppressing
a fire can be life threatening. Broadly, Fire Suppression systems for facilities are classed into
Water based systems and Gas based systems.
(a) Water Based Systems
Wet pipe sprinklers: In this case, sprinklers are provided at various places in the ceiling or
on the walls and water is charged in the pipes. As generally implemented, a fusible link in the
nozzle melts in the event of a heat rise, causing a valve to open and allowing water to flow.
These are considered the most reliable but they suffer from the disadvantage of leakage,
breakage of pipes exposing the IPF to the risks of dampness and equipment suffering water
damage.
Dry-pipe sprinklers: These are similar to the wet pipe sprinklers except that in these, the
water is not kept charged in pipes but pipes remain dry and upon detection of heat rise by a
sensor, water is pumped into the pipes. This overcomes the disadvantage with wet pipe
systems of water leakages etc.
Pre-action: At the present, this is the most recommended water-based fire suppression
system for a computer room. It combines both the dry and wet pipe systems by first releasing
the water into the pipes when heat is detected (dry pipe) and then releasing the water flow
when the link in the nozzle melts (wet pipe). This feature enables manual intervention before a
full discharge of water on the equipment occurs.
(b) Gas Based Systems
Carbon dioxide: Such systems discharge CO2 thus effectively cutting of oxygen supply from
the air, which is a critical component for combustion. However, CO 2 being potentially lethal for
human life, such systems are recommended only in unmanned computer facilities or in
portable or hand-held fire extinguishers.
FM200: FM200 is an inert gas, does not damage equipment as water systems do and does
not leave any liquid or solid residues, however it is not safe for humans as it reduces the
levels of oxygen.
47
3.10 Auditing Environmental Controls

As part of audit procedures, the audit of environmental controls requires the IS auditor to
conduct physical inspections and observe practices, which may include the following activities:
 Inspect the IPF and examine the construction with regard to the type of materials used
for construction by referring to the appropriate documentation.
 Visually examine the presence of water and smoke detectors, examine power supply
arrangements to such devices, testing logs, etc.
 Examine location of fire extinguishers, fire-fighting equipment and refilling date of fire
extinguishers and ensure they are adequate and appropriate.
 Examine emergency procedures, evacuation plan and marking of fire exits. If
considered necessary, the IS Auditor can also require a mock drill to test the
preparedness with respect to disaster.
 Examine documents for compliance with legal and regulatory requirements as regards
fire safety equipment, external inspection certificate, shortcomings pointed out by other
inspectors/auditors.
 Examine power sources and conduct tests to assure quality of power, effectiveness of
power conditioning equipment, generators, simulate power supply interruptions to test
effectiveness of back-up power.
 Examine environmental control equipment such as air-conditioning, dehumidifiers,
heaters, ionizers etc.
 Examine complaint logs and maintenance logs to assess if MTBF and MTTR are within
acceptable levels.
 Observe activities in the IPF for any undesired activities such as smoking, consumption
of eatables etc.
 As part of the audit procedures, the IS auditor should document all findings as part of
working papers. The working papers could include audit assessment, audit plan, audit
procedure, questionnaires, and interview sheets, inspection charts, etc.
3.11 Summary
This chapter deals with the physical and environmental threats and their control and audit
procedures on information system assets. The first step in providing a secured physical
environment for the information system assets is listing the various assets in the computing
environment. These assets could range from hardware, software, facilities and people that
form the computing environment. The next step is to identify the various threats and
48
vulnerabilities the assets are exposed to. These threats could include unauthorized access to
the resources, vandalism, and public disclosure of confidential information. The main source
of threats is from outside people and the employees of the organization. However, the
information assets are exposed to various other sources of threats like natural damage due to
environmental factors like food, earthquake, fire and rain etc.
3.12 Questions
1. Which of the following is first action when a fire detection system raises the
alarm?
A. Turn off the air conditioner
B. Determine type of fire
C. Evacuate the facility
D. Turn off power supply
2. Which of the following are most important controls for unmanned data center?
A. Access control for entry and exit for all doors
B. The humidity levels need not be maintained
C. The temperature must be at sub-zero level
D. Halon gas-based fire suppression system
3. Primary purpose of access controlled dead man door, turnstile, mantrap is to:
A. Prevent unauthorized entry
B. Detect perpetrators
C. Meet compliance requirement
D. Reduce cost of guard
4. Which of the following is the main reason for appointing human guards at main
entrance of facilities?
A. Address visitors’ requirements to visit
B. Issue the access cards to visitors
C. Cost of automation exceeds security budget
D. Deter the unauthorized persons
5. Which of the following is a major concern associated with biometric physical
access control?
49
A. High acceptability
B. High false positives
C. High false negatives
D. High cost
6. Which of the following evidence is best to provide assurance on automated
environmental controls?
A. Annual maintenance contract with vendor
B. Simulation testing of devices during audit
C. Device implementation report by vendor
D. Documented results of periodic testing
7. What are the problems that may be caused by humidity in an area with electrical
devices?
A. High humidity causes excess electricity, and low humidity causes corrosion
B. High humidity causes power fluctuations, and low humidity causes static
electricity
C. High humidity causes corrosion, and low humidity causes static electricity
D. High humidity causes corrosion, and low humidity causes power fluctuations.
8. Automated access controls open doors based on access cards, pins, and/or
biometric devices and are powered by electricity. Which of the following is the
best policy in case of power failure?
A. Keep the door in locked state
B. Open door and appoint guard
C. Find root cause of power failure
D. Arrange for battery backup
9. While selecting site for a data center which of the site is best to be selected?
A. On topmost floor to delay the unauthorized visitor to reach
B. In the basement not easily accessible to perpetrator
C. On ground floor so that users can access it easily
D. On middle floor to strike the balance for above concerns
50
10. Which of the following is main reason for not allowing mobile devices into data
center?
A. Unauthorized changes and access in configuration
B. Prevent photography of data center layout
C. User can provide information to attacker on phone
D. Mobile devices generate wireless communication

1. C is the correct answer. Life safety takes precedence. Although other answers are
important steps human life always is a priority.
2. A is the correct answer. Unmanned data center requires strong physical access
controls and environmental access controls too. However most essential are strong
access controls. B, C and D are inappropriate controls. Halon is environmentally
hazardous gas.
3. A is the correct answer. Primary purpose of all types of physical access control is to
prevent unauthorized entry. Other objectives are secondary.
4. A is the correct answer. Human guard makes decisions and can address visitor’s
requirement and direct them appropriately. Others are supplementary functions.
5. B is the correct answer. False positive is a concern in biometric access security as it
results in unauthorized access. Other option does not result in unauthorized access.
6. D is the correct answer. Automated environmental controls must be tested periodically
by expert and provide report on effective performance of equipment. Simulated tests
may not be possible for all controls. AMC is a contract; periodic testing is performance
of contract.
7. C is the correct answer. High humidity can cause corrosion, and low humidity can cause
excessive static electricity. Static electricity can short out devices or cause loss of
information.
8. B is the correct answer. Best policy is to keep door open and appoint guard temporarily
for monitoring accesses. Keeping doors locked shall be a problem in evacuation in case
of emergency. Finding root cause can be done independently. Arranging Battery
backup after power failure is not right policy.
9. D is the correct answer. Top floor and basement have risk of seepage and flooding.
Ground floor has risk of easy attack.
10. A is the correct answer. Mobile devices can be connected to servers, resulting in
unauthorized changes. Other concerns are secondary.
51
Chapter 4
4.1 Introduction
Today information systems store and process a wide variety of data in centrally hosted system
and provide access to the same to a large number of users. Keeping data stored centrally on
a system contributes to cost effective and efficient information sharing and processing.
Information that is residing on a system and accessed by many users has an associated risk
of unauthorized access. Logical access controls are a means of addressing concerns
associated with unauthorized accesses. Logical access controls are protection mechanisms
that limit users' access to data and restrict their access on the system.
4.2 Objectives of Logical Access Controls

The objective of logical access controls is to ensure that authorized users can access the
information resources as per their role and responsibilities. This is achieved by providing
access on “need to know and need to do” basis using principle of least privileges. It means
that it should be just sufficient for one to perform one’s duty without any problem or restraint.
Logical access controls are all about protection of information assets in all three states,
namely: rest, in transit and at process.
4.3 Paths of Logical Access

An IS auditor has to identify and document the possible logical access paths permitting access
to information resources, which may involve testing security at various systems viz. hardware,
system software, database management system, application software, access control
software. Each of these routes has to be subjected to appropriate controls in order to secure it
from the possible logical access exposures.
Fig. 4.1: Paths of Logical Access
4.4 Logical Access Attacks and Exposures

Improper logical access can result in loss or damage to information and resources leading to
undesirable consequences for an organization. It can also result in violation of the
confidentiality or integrity or availability of information. There are various types of exposures
related to logical access controls; some of the technical attacks are discussed below:
 Masquerading: It is a means of disguising or impersonation. The attacker pretends to
be an authorized user of a system in order to gain access to or to gain greater
privileges than they are authorized for. A masquerade may be attempted using stolen
logon IDs and passwords, through finding security gaps in programs, or bypassing the
authentication mechanism. The attempt may come from within the organization such as,
from an employee or from an outside user through some connection from the public
network. Weak authentication provides one of the easiest ways for a masquerade. Once
the attacker has logged in, they may have full access to the organization's critical data,
and (depending on the privilege level they pretend to have) may be able to modify and
delete software and data or make changes.
 Piggybacking: Unauthorized access to information by using a terminal that is already
logged on with an authorized ID (identification) and left unattended.
 Wiretapping: Tapping a communication cable to collect information being
transmitted.
53
 Denial of Service: One way of denial of service is to choke the bandwidth by

connection flooding. The perpetrator attempts to send multiple sessions requests,
resulting in non-availability of sessions for legitimate users.
 Social Engineering: This is an attack on the weakest link i.e. human. The perpetrators
uses different means including spoofing and masquerading resulting in person revealing
confidential information like user ID, Password, PIN and any such information required
for login as authorized user. Social engineering attack may result into physical or logical
attacks.
 Phishing: User receives a mail requesting to provide authentication information by
clicking on embedded link. The mail and link appear to be actual originator e.g. Bank.
Ignorant users click on the link and provide confidential information. The most popular
attacks on banking systems in the recent times, they target innocent users, using a
combination of social engineering, e-mail and fake websites to con the user to click on a
link embedded in an apparently authentic mail from a reputed bank. The link takes the
users (generally a customer of the bank) to a look-alike Bank website that gets the
personal details of the user including details such as PIN and Internet banking
password, which is then exploited by the hacker.
 Vishing: Uses the similar technique over telephone.
 Key Logger: Perpetrator installs software that captures the key sequence used by the
user including login information. Key logger can be sent thru mail or infected pen drive.
There are hardware key loggers available that are connected to system where keyboard
is attached.
 Malware: Specially designed programs that captures and transmits the information from
compromised system. Malicious software (also called “Malware”) intentionally causes
disruption and harm or circumvent or subvert the existing system’s function. Examples
of malware include viruses, worms, trojan Horses, and logic bombs. Newer malicious
code is based on Active X and Java applets.
4.5 Access Control Mechanism

The primary function of logical access control is to allow authorized access and prevent
unauthorized access. Access control mechanism is actually a three-step process as depicted
in the figure below:
 Identification: Identification is a process by which a user provides a claimed identity to
the system such as an account number.
 Authentication: Authentication is a mechanism through which the user’s claim is
verified by the system.
54
 Authorization: The authenticated user is allowed to perform a pre-determined set of

actions on eligible resources.
The primary function of access control is to allow authorized access and prevent unauthorized
access to information resources in an organization. Therefore, it may become necessary to
apply access control at each layer of an organization’s information system architecture to
control and monitor access in and around the controlled area. This includes operating system,
network, database and application systems. In each of these layers, attributes may include
some form of identification; authentication and authorization and logging and reporting of user
activities. Interfaces exist between operating system access control software and other system
software access control programs such as those of routers, firewalls etc. that manage and
control access from outside or within organization networks. On the other side, operating
system access control software may interface with databases and / or application system
access controls to application data.
4.5.1 Identification Techniques

Implementing the right process of confirming the identity is a challenge. Authentication is the
process of verifying that the identity claimed by the user is actually true or false. Users are
authenticated using one of three authentication factors or techniques. The three categories of
authentication factors are:
 Something the user knows (e.g., a password),
 Something the user has (e.g., a token or smart card), and
 Something the user is (a physical / biometric comparison)
Fig. 4.2: Multi-factor Authentication
55
A – Password
B – Identified Badge
C – Fingerprint
D – Bank Card and PIN
E – Smart Card with Biometric template
F – Fingerprint Detectors with PIN entry
G – Identifying Badge with Photograph and associated Password
Single-factor authentication uses any one of these authentication factors. Two-factor or dual
factor authentication uses two factors and the three-factor authentication uses all the three
factors. Individual authentication strength increases when multiple authentication technologies
and techniques are combined and used. Authorized access to an information resource
requires identification and authentication of the person requesting access.
Once the user is authenticated, the system must be configured to validate that the user is
authorized (has a valid need-to-know) for the resource and can be held accountable for any
actions taken. A default denial policy, where access to the information resource is denied
unless explicitly permitted should be mandated. The decision to grant or deny access to an
information resource is the responsibility of the information owner.
4.5.2 Authentication Techniques

As stated above, authentication may be through remembered information, possessed tokens,
or physiological features. We shall examine each class of authentication techniques.
Fig. 4.3: What you have (Token), what you know (password/PIN) and
who you are (Physiological features)
4.5.2.1 Passwords and PINs
 Password: This is the most common authentication technique that depends on
remembered information. The user, initially, identifies him using his login-id to the
56
system and then provides the password information. Once the system is able to match
and is successful for both fields, the system authenticates the user and enables access
to resources based on the access control matrix. However, if a match is not successful,
the system returns a message (such as “Invalid User-id or password”), preventing
access to resources.
 Personal Identification Numbers (PINs): Is a type of password, usually a 4-digit
numeric value that is used in certain systems to gain access, and authenticate. The PIN
should be randomly generated such that a person or a computer cannot guess it in
sufficient time and attempt by using a guess and check method. PINs are commonly
used for gaining access to Automated Teller Machines (ATMs).
4.5.2.2 One-Time Passwords
One-time passwords solve the problems of user-derived passwords. With one-time
passwords, each time the user tries to log on he is given a new password. Even if an attacker
intercepts the password, he will not be able to use it to gain access because it is good for only
one session and predetermined limited time period. For example, one-time password for
online card transaction is provided by bank to user on registered mobile is valid for 100
seconds only. One-time passwords typically use a small hardware device or software that
generates a new password every time. The server also has the same software running, so
when a user types in his password, the server can confirm whether it is the correct password.
Each time the user logs on, he has a new password, and so it is more secure.
4.5.2.3 Challenge Response System
An alternative to one-time passwords is challenge response system. Instead of having the
device just blindly generating a password, a user identifies himself to the server, usually by
presenting his user ID. The server then responds with a challenge, which is usually a short
phrase of letters and numbers. The user types the challenge into the device and, based on the
challenge, the device responds with an output. The user sends that output to the server. This
scheme is slightly more complicated, but it allows the password to be based on changing input
rather than just time.
4.5.2.4 Passphrase
A passphrase is a sequence of words or other text used to control access to a computer
system, program or data. A passphrase is similar to a password in usage, but is generally
longer for added security. Passphrases are often used to control both access to, and
operation of, cryptographic programs and systems, especially those that derive an encryption
key from a passphrase. Passphrases are stronger than passwords because of:
 They usually are (and always should be) much longer—20 to 30 characters or more is
typical—making some kinds of brute force attacks entirely impractical.
57
 If well chosen, they will not be found in any phrase or quote dictionary, so such
dictionary attacks will be almost impossible.
 They can be structured to be more easily memorable than passwords without being
written down, reducing the risk of hardcopy theft.
Weaknesses of Logon Mechanism
Logon/password access security is based on information to be remembered by the user (what
the user knows). This results in the following weaknesses:
 Passwords are easily shared.
 Users often advertently or inadvertently reveal passwords
 Repeated use of the same password could lead to being easily guessed by others.
 If a password is too short or too easy, the chances of it being guessed are quite high.
 If a password is too long or too complex, the user may forget or may write it down.
 If many applications are to be accessed by one user, many passwords have to be
remembered.
Recommended Practices for Strong Passwords
 The user should not share the authentication information viz. password.
 The password should be easy for the user to remember but hard for the perpetrator to
guess.
 System should be configured to must change password on first login.
 System should be configured to force password change periodically e.g. once in 60
days.
 System should be configured for minimum age of the password.
 Concurrent logins should not be permitted.
 Passwords should not be too short and should not use name of user, pet names,
common words found in dictionary or such other attributes.
 Password combination should be random and use alphabetic, numeric and special
characters (such as “$”, “#”, “^”, etc.).
 Passwords should be stored in an encrypted form using one-way encryption.
 System should be configured for password history control; e.g. System will not accept
last five passwords
58
Attacks on Logon/Password Systems

Due to their inherent weaknesses, logon-id/password is vulnerable to various kinds of
malicious attacks. Some of the common attacks on such systems are discussed below:
 Brute Force: It is a form of attack, wherein attacker tries out every possible technique
to hit on the successful match. The attacker may also use various password cracking
software tools that assist in this effort.
 Dictionary Attack: It is based on the assumption that users tend to use common words
as passwords, which can be found in a dictionary.
 Trojan: it is malicious software, which the attacker can use to steal access control lists,
passwords or other information.
 Spoofing Attacks: In this technique, the attacker plants a Trojan program, which
masquerades as the system’s logon screen, gets the logon and password information
and returns control to the genuine access control mechanism. Once the information is
obtained, the attacker uses the information to gain access to the system resources.
 Piggybacking: As stated earlier, an unauthorized user may wait for an authorized user
to log in and leave a terminal unattended. This can be controlled by automatically
logging out from the session after a pre-determined period of inactivity or by using
password-protected screen savers.
4.5.2.5 Token Based Authentication
Objects that a user is required to possess for identification and authentication are known as
tokens. In general, tokens are of two type:
 Memory tokens: It is most common form of tokens; the cards contain visible
information such as name, identification number, photograph and such other
information about the user and a magnetic strip or memory chip. This magnetic strip or
memory chip stores static information about the user. In order to gain access to a
system, the user in possession of a memory token may be required to swipe his card
through a card reader, which reads the information on the magnetic strip/memory token
and passes onto the computer for verification of the stored information to enable
access. E.g., Employee badges with encoded magnetic strips. Where two-factor
authentication is adopted, the user is not only required to have his card read by a card-
reading device but also required to key in remembered information (passwords, PIN) to
gain access to the system resources. E.g. Bank ATM Card.
 Smart tokens: In this case, the card or device contains a small processor chip, which
enables storing dynamic information on the card. Besides static information about the
user, the smart tokens can store dynamic information such as bank balance, credit
limits etc. In general, smart tokens are processor based and contain a processor chip.
Smart tokens are capable of processing data within their chip.
59
4.5.2.6 Biometric Authentication

Biometrics offers authentication based on “what the user is”. Biometrics are automated
mechanism, which uses physiological and behavioural characteristics to determine or verify
identity. Physiological biometrics are based on measurements and data derived from direct
measurement of a part of the human body. Behavioural biometrics are based on
measurements and data derived from an action and indirectly measure characteristics of the
human body. Some of the biometric characteristics, which are used, are:
 Fingerprint
 Facial Scan
 Hand Geometry
 Signature
 Voice
 Keystroke Dynamics
 Iris Scanners
 Retina Scanners
Registration or enrolment of the individuals’ physical or behavioural characteristics involves
capture of information, digitizing and storage of the biometric data. Based on the data read by
the sensor, the image or digitized data is compared to the stored data to obtain a match. If the
match succeeds, authentication is successful. However due to the complexity of data,
biometrics suffer from two types of error viz. False Rejection Rate (FRR) which is wrongfully
rejecting a rightful user and False Acceptance Rate (FAR) which involves an unauthorized
user being wrongfully authenticated as a right user. Ideally a system should have a low false
rejection and low false acceptance rate. Most biometric systems have sensitivity levels, which
can be tuned. The more sensitive a system becomes, FAR drops while FRR increases. Thus,
FRR and FAR tend to inversely related. An overall metric used is the Equal Error Rate (EER),
which is the point at which FRR equals FAR. Finger print-based biometric controls are quite
popular and widely deployed in data centres.
4.5.3 Authorization Techniques: Operating Systems

Operating systems are fundamental to provide security to computing systems. The operating
system supports the execution of applications and any security constraints defined at that
level must be enforced by the operating system. The operating system must also protect itself
because compromise would give access to all the user accounts and all the data in their files.
The operating system isolates processes from each other, protects the permanent data stored
in its files, and provides controlled access to shared resources. Most operating systems use
the access matrix as security model. An access matrix defines which processes have what
60
types of access to specific resources. General operating systems access control functions
include:
 Authentication of the user
 User Management
 Restrict Logon IDs to specific workstations and / or specific times
 Manage account policies
o Password Policy
o Account Lockout Policy
 Manage audit policy
 Log events and report capabilities
Pluggable Authentication Modules
 The pluggable authentication module (PAM) framework provides system administrators
with the ability to incorporate multiple authentication mechanisms into an existing
system using pluggable modules. Applications enabled to make use of PAM can be
plugged-in to new technologies without modifying the existing applications. This
flexibility allows administrators to do the following:
 Select any authentication service on the system for an application
 Use multiple authentication mechanisms for a given service
 Add new authentication service modules without modifying existing applications
 Use a previously entered password for authentication with multiple modules
 A general authentication scheme independent of the authentication mechanism may be
used
File Permissions
In most operating systems, every file is owned by a user and can be accessed by its owner,
group or public, depending upon access permissions. When a user creates a file or directory,
that user becomes the default owner of that file or directory. A user may be member of one
group or many groups. Further, a user owner of a file may not be part of the group at also may
have access to the file. Again, most operating systems have at least three types of file
permissions; read, write and execute (execute permission is only for executable programs and
not every file). The users have to be given at least read access to many of the system files.
Access Control Lists (ACL)
An access control list is a table that tells, which access rights each user has to a particular
61
system object, such as a directory/folder or an individual file. Each object has a security
attribute that identifies its access control list. The list has an entry for each system user with
his access privileges. The most common privileges include the ability to read a file (or all the
files in a directory), to write to the file or files, and to execute the file (if it is an executable file,
or program). Following table is an example of access control list:
User Resource Database X Database Y
User A Read & Write Write

User B Read Read & Write
4.6 Logical Access Control Techniques

4.6.1 Logical Access Controls Policy and Procedures
Logical access control policy is part of overall information Security policy. It states a set of
rules, principles, and practices that determine how access controls are to be implemented.
Logical access control policy typically covers the following:
 User management
 User responsibilities
 Network access controls
 Application access controls
 Database access controls
 Operating system access controls
4.6.1.1 User Management
It is a process to manage access privileges for identified and authorized users. The steps
involved are:
 User registration
 Privilege user management
 Password management
 Review and monitoring accesses
 Revocation of access privilege
User Registration
It refers to identifying a user who needs to access information asset. This is generally done
62
based on the job responsibilities confirmed by User manager. Information owner must approve
this. User registration process should answer:
 Why the user is granted the access?
 Has the data owner approved the access?
 Has the user accepted the responsibility?
4.6.1.2 Privilege User Management
Access privileges are to be aligned with job requirements and responsibilities. The job
requirements are defined and approved by the information asset owner. For example, an
operator at the order counter shall have direct access to order processing activity of the
application system or an assistant in Bank may have access to enter transaction and a
manager can only approve but cannot enter/modify the transaction. Changes in privileges are
common activity based, on changes in roles of users. Sometimes some users are provided
additional privileges for temporary period or during emergencies. Revoking them should be
part of process. Many times, application or database privilege management does not provide
for automatic revocation of such accesses. In such cases, manual monitoring and periodic
reviews are compensating controls to correct the situation.
4.6.1.3 Default Users Management
Applications, operating systems and databases purchased from vendor have provision for
default users with administrative privileges required for implementation and/or maintenance of
application, OS or database. Many-a-times there are multiple default users in the products.
The user ID and Passwords for these default users are published by the vendor in their
user/system manuals. It is expected that these default users’ names and passwords must be
changed as soon as system is implemented. While reviewing logical access controls, IS
auditor must ensure that default user-ids are either disabled, or their passwords have been
changed and suitably controlled by the organization.
4.6.1.4 Password Management
Password management should be taken care of, based on the password policy. Following are
some of the Password management functions:
 Allocations of password which is generally done by system administrators
 Secure communication of password to the user
 Force change on first login by the user so as to prevent possible misuse by system
administrators
 Storage of password should not be done in clear text. Most of the systems store
passwords as hash value of the password.
63
 During authentication process, passwords should be transmitted by generating hash

and should be compared with stored hash.
 Password expiry must be managed as per policy. Users must change passwords
periodically and system should be configured to expire the password after predefined
period. Users’ account should be locked after predefined number of unsuccessful login
attempts.
 Reissue password after confirming the identity of users, in case of expired passwords
or if users have forgotten the passwords. This process is typically same as allocation of
password.
 Educating users is a critical component about passwords, and making them responsible
for their password.
4.6.1.5 User Access Rights Management
Following are some of the aspects with respect to user access rights management:
 Periodic review of user’s access rights is essential process to detect possible excess
rights due to change in responsibilities, emergencies, and other changes.
 Information owner must conduct periodic review of the access rights.
 There should be predefined period of account lifetime, after which user re-registration
process should be started.
 Multiple login sessions should not be permitted.
 Wherever, there is possibility of conflict of interest, access controls should be
automated.
4.6.2 Network Access Control

Network access controls refers to the process of managing access for use of network-based
services like shared resources, access to cloud based services, remote login, intranet and
Internet access. There are various tools and techniques used to manage these accesses.
Network based tools and techniques like protocol control, service monitoring is discussed in
network security chapter.
 Policy on use of network services: An enterprise should have a policy that specifies
the use on Internet and Internet based services while using organization’s devices.
 Segregation of networks: An enterprise should have segregation of networks,
depending upon the sensitivity of business function applications.
 Network connection and routing control: The traffic between networks should be
controlled, based on identification of source and authentication across the enterprise
network.
64
 Enforced path: Based on risk assessment, it is necessary to specify the exact path or
route connecting the networks; say, for example Internet access by employees will be
routed through a firewall.
 Clock synchronization: Clock synchronization is useful control to ensure that event
and audit logs maintained across an enterprise are in synch and can be correlated. This
helps in auditing and tracking of transactions along with date and time that is uniform
across organization. In modern networks, this function is centralized and automated.
This may also be useful in case of legal dispute.
4.6.3 Application Access Controls

Applications are most common assets that accesses information. Users invoke the
programs/modules of application to access, process and communicate information. Hence, it
is necessary to control the accesses to application. Most modern applications provide
independent user and access privilege management mechanism for example ERP, Core
Banking applications.
The access to information is prevented by application specific menu interfaces, which limit
access to application function. A user is allowed to access only to those items he/she is
authorized to access. Controls are implemented on the access rights of users, for example,
read, write, delete, and execute. In addition, ensure that sensitive output is sent only to
authorized terminals and locations.
 Sensitive system isolation: Based on the criticality of an application system in an
enterprise, it may even be necessary to run the system in an isolated environment. This
may be implemented through creating multiple DMZs. For example, Internet Banking
application is kept in separate DMZ. (DMZ – Demilitarised Zone)
 Event logging: In application systems, it is easy and viable to maintain extensive logs
for all types of events. It is necessary to review if logging is enabled and the logs are
archived properly.
 Monitor system use: Based on the risk assessment a constant monitoring of some
critical applications is essential. Define the details of types of accesses, operations,
events and alerts that will be monitored. The extent of detail and the frequency of the
review would be based on criticality of operation and risk factors. The log files are to be
reviewed periodically and attention should be given to any gaps.
4.6.4 Database Access Controls

Database access control is a method of allowing access to company's sensitive data only to
those people (database users) who are allowed to access such data and to restrict access to
unauthorized persons. In DBMS environment, DBA has typically access to the entire database
65
he/she administers. To address this problem, solutions have been proposed including the
segregation of DBAs from user data, as in the case of the Oracle Database Vault product, and
techniques for joint administration of critical database objects.
Oracle Database Vault restricts access to specific areas in an Oracle database from any user,
including users who have administrative access. For example, company can restrict
administrative access to employee salaries, customer medical records, or other sensitive
information. This enables company to apply fine-grained access control to its’ sensitive data in
a variety of ways. It hardens company’s Oracle Database instance and enforces industry
standard best practices in terms of separating duties from traditionally powerful users. Most
importantly, it protects the data from super-privileged users but still allows them to maintain
the Oracle databases. Oracle Database Vault is an integral component of the enterprise.
4.6.5 Operating System Access Control

Operating system provides the platform for an application to use various information system
resources and performs the specific business function. Hence, protecting operating system
access is extremely crucial. Some of the key controls of operating system are outlined here:
 Automated terminal identification: This will help to ensure that a particular session
could only be initiated from a particular location or computer terminal.
 Terminal log-on procedures: The log-on procedure should provide appropriate
controls, which could prevent misuse by an intruder.
 User identification and authentication: The users must be identified and
authenticated in a defined manner. Depending on risk assessment, more stringent
methods like Biometric Authentication or Cryptographic means such as Digital
Certificates should be employed.
 Password management system: An operating system could enforce selection of good
passwords. Internal storage of passwords should use one-way hashing algorithms and
the password file should not be accessible to users.
 Use of system utilities: System utilities are the programs that help to manage critical
functions of the operating system—for example, addition or deletion of users.
Obviously, this utility should not be accessible to a general user. Use and access to
these utilities should be strictly controlled and logged.
 Duress alarm to safeguard users: If users are forced to execute some instruction
under threat, the system should provide a means to alert the administrator.
 Terminal/Session time out: Log out the user if the terminal is inactive for a defined
period. This will prevent piggybacking.
 Limitation of connection time: Define the available time slot. Do not allow any
66
transaction beyond this time period. For example, no computer access after 8.00 pm
and before 8.00 am or on a Saturday or Sunday.
4.7 Identity Management and Access Controls

Identity and access management (also called IDAM) is a framework of policies and
technologies for ensuring that proper people in an enterprise have the appropriate access to
technology resources.
The task of IDAM is controlling the user access provisioning lifecycle on Information Systems.
It maintains the identity of a use and actions they are authorized to perform. It also includes
the management of descriptive information about the user and how and by whom that
information can be accessed and modified.
Fig. 4.4: Components of identity management
The core objective of an IDAM system is setting one identity per individual. Therefore, IDAM
system provides administrators the tools and technologies to enforce logical access control
policies on an ongoing basis across an entire enterprise and to ensure compliance with
corporate policies, legal and regulatory requirements.
Privileged Logons
Privileged user is a user who has been allocated powers within the computer system, which
are significantly greater than those available to the majority of users. Such persons will
include, for example, the system administrator(s) and Network administrator(s) who are
responsible for keeping the system available and may need powers to create new user profiles
as well as add to or amend the access rights of existing users.
Privileged access should be assigned based upon function and job necessity and are subject
to approval by the information owner. All Users that have access to privileged accounts should
67
be assigned their own user ID for normal business use. Privileged Users must use their
personal user IDs for conducting non-privileged activities. Wherever possible the User must
login to a system using their personal user ID prior to invoking a privileged account.
4.8 Single Sign-On (SSO)

Single Sign-On addresses the practical challenge of logging on multiple times to access
different resource. In SSO, a user provides one ID and password per work session and is
automatically logged on to all the required applications.
The advantages of SSO include having the ability to use stronger passwords, easier
administration of changing or deleting the passwords, and requiring less time to access
resources. Some of the common implementation of SSO is as under:
1. Active Directory (AD)
AD is a directory service implemented by Microsoft for Windows domain networks. An AD
domain controller authenticates and authorizes all users and computers in a Windows domain
type network—assigning and enforcing security policies for all computers and installing or
updating software. For example, when a user logs into a computer that is part of a Windows
domain, Active Directory checks the submitted credential to determine whether the user is a
system administrator or normal user. Active Directory makes use of Lightweight Directory
Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry
standard application protocol for accessing and maintaining distributed directory information
services over an Internet Protocol (IP) network. Directory services play an important role in
developing intranet and Internet applications by allowing the sharing of information about
users, systems, networks, services, and applications throughout the network. A common
usage of LDAP is to provide a "single sign on" where one password for a user is shared
between many services, such as applying a company login code to web pages (so that staff
log in only once to company computers, and then are automatically logged into the company
intranet)
2. Kerberos
Kerberos is effective in open, distributed environments where network connections to other
heterogeneous machines are supported and the user must prove identity for each application
and service. Kerberos assumes a distributed architecture and employs one or more Kerberos
servers to provide an authentication service. This redundancy can avoid a potential single
point of failure issue. The primary use of Kerberos is to verify that users are who they claim to
be and the network components they use are contained within their permission profile. To
accomplish this, a trusted Kerberos server issues “tickets” to users. These tickets have a
limited life span and are stored in the user’s credential cache.
68
3. Weakness of Single Sign-on

SSO has a number of weaknesses that can make it vulnerable to attack. Some of these are:
 It is a single point of failure. If one password is compromised, the attacker can have
access to all privileges of users whose password is compromised.
 It is difficult to implement when organization has legacy applications or applications that
cannot be plugged in with SSO.
 Maintaining SSO is tedious and prone to human errors.
4.9 Access Controls in Operating Systems

This topic covers how authorization mechanism is applied to subjects and objects. Subject of
operating systems are (active) entities that communicate with the system and use its
resources. The best example for a subject is the user or a process. Objects (passive) on the
other hand are entities of the operating system that are accessed (requested) by the subject.
The access control mechanism should ensure that subjects gain access to objects only if they
are authorized to. Depending on areas of usage, there are three types of access controls:
 Mandatory access control: It is a multi-level secure access control mechanism. It
defines a hierarchy of levels of security. A security policy defines mandatory access
control.
 Discretionary access control: In this type of access control, every object has an
owner. The owner (subject) grants access to his resources (objects) for other users
and/or groups. The matrix defines the whole state of the system concerning the rights of
individual users. Access control lists are used to store the rights with object.
 Role based access control: In some environments, it is problematical to determine the
ownership of resources. In role-based systems, users are assigned roles based on their
job functions in the information system environment. These systems are centrally
administered and are nondiscretionary in nature.
4.10 Audit Trail

Primary objective of audit trail is to fix accountability to individual user for the activities
performed by them. Generating and reviewing activity logs can do this. However, many times,
IT persons are reluctant to enable logs since logs are resource consuming. It requires
additional storage, separate access controls, and in some cases programming efforts. The
issue can be resolved by defining priorities based on risk assessment results and logs for
required activities like system administration, changes in configuration, access to sensitive
information, business transactions, may be enabled. Logs are also called ‘audit trail’. It is a
record of activities generated by the system that enables the reconstruction and examination
69
of the sequence of events of a transaction, from its inception to output of results. Violation
reports present significant, security-oriented events that may indicate either actual or
attempted policy transgressions reflected in the audit trail. Information owner to identify any
unauthorized change or access should regularly review violation reports. Audit information
comprises a history of transactions, including who processed the transaction, the date and
time of the transition, where the transaction occurred, and related information. An audit of
information system security searches for the following:
 Internal and external attempts to gain unauthorized access to a system
 Patterns and history of accesses
 Unauthorized privileges granted to users
 Occurrences of intrusions and their resulting consequences
Depending upon requirements, logs are generated at various levels. At application level, logs
of business transaction with time stamp are generated. Administrator activity logs at
application level, data base level, network device level and operating system level are critical
to ensure security. Because of their importance, the integrity of the audit logs should be
maintained.
4.11 Auditing Logical Access Controls

Following are some of factors critical while evaluating logical access controls:
 Understanding of an organization’s information security framework
 Selection and implementation of appropriate access controls
 Top management’s commitment
 Management controls
 Explicit access permission to information or systems
 Periodic review / audit of access permission
Audit Test Procedures
IS Auditor should:
 Evaluate whether logical access policies and standards exist and are effectively
communicated and implemented.
 Interview information owners, users and custodians to evaluate their knowledge and
skills on implementation of logical access controls.
 Evaluate the existence and implementation of procedures and mechanisms for logical
access to ensure protection of organizational information assets.
70
 Evaluate the various logical security techniques and mechanisms for their effective
implementation, operation and administration.
 Test the effectiveness and efficiency of logical access controls
 Test the appropriateness of system configuration and parameter settings.
 Test the compliance of system configuration with the organizational information security
policy, standards and manufacturer baseline security requirements.
 Test the existence and implementation of process of authorization for configuration of
access security settings and parameters and changes thereto.
 Evaluate and review the documentation of controls over privileged and special purpose
logons
 Evaluate the existence of procedure for control over purchase, custody and
management of system utilities. Many systems utilities are powerful and can break
through the various levels of access security.
 Verify the control of authorization, operation and termination over use of tokens such as
memory and smart cards.
 Verify the control over special terminals and devices. For instance, a hub may be
exposed physically but with proper levels of encryption, logical security of information
can be ensured.
 Verify the security practices relating to unattended terminals, security of data in transit
and control over production resources.
 Verify the logging of transactions and events.
 Evaluate mechanisms for vulnerability analysis in s access control features and
software
 Evaluate the effectiveness of user management procedures
 Test user profiles and group profiles to determine the access privileges and controls
thereon.
 Review audit trails, access violation reports in respect of all privileged logons and
special user accounts
 Review the adequacy of process for monitoring and incident handling procedures
 Review the control over systems files and directories containing critical hardware and
systems software configuration and parameter files such as driver information, etc.
 Review the control over application files and directories containing application
programs, support files, program libraries, parameter files, initialization files, etc.
71
 Evaluate the control over production data and directories containing production files and
production resources.
 Verify whether bypassing of security procedures is being done, if any.
4.12 Summary
When deciding on a logical access control strategy, it is important to review compliance and
internal security requirements necessary to protect access to information assets. This can
best be achieved by conducting a risk analysis that identifies the typical threats and
vulnerabilities. Most important consideration is identifying users, type of access, and the
asset. It is best to adopt a least privilege policy on the basis of “need to know, need to do”.
Auditor should know that access control defines how users should be identified, authenticated,
and authorized. This is generally addressed in information security policies and procedures,
hence the starting point of audit of logical access controls should be to understand the policies
and procedures and ensure that these are implemented uniformly across the organization.
4.13 Questions
1. Which of the following pair of authentications can be considered as two factors?
A. Password and passphrase
B. Passphrase and PIN
C. Token and access card
D. Access card and PIN
2. Which of the following is primary requirement of granting user access to
information asset?
A. Identification
B. Authorization
C. Authentication
D. Need to know
3. Mandatory access controls are those controls that are:
A. Based on global standards
B. Defined by security policy
C. Part of compliance requirements
D. Granted by asset owner
72
4. Which of the following is a major concern associated with Single-Sign-on?

A. Multiple passwords are noted
B. User may select easy password
C. It is a single point of failure
D. High maintenance cost
5. Which of the following non-compliance with information security policy is most
difficult to detect or get evidence for?
A. Use of removable media
B. Password sharing by user
C. Access to banned web sites
D. Passing information over phone
6. Which of following processes in user access management is most essential to
detect errors and omissions resulting in unauthorized or excess accesses to
users?
A. Identification
B. Authentication
C. Authorization
D. Review
7. While auditing compliance with password policy, IS auditor observed that
configuration of password parameters in system is as per information security
policy. Which of the following the auditor should verify?
A. Review enforcement for sample users
B. Verify all assets have same configuration
C. Review log for password configuration
D. Interview users on policy enforcement
8. One-time password is considered strong because they are:
A. Active for short period
B. Communicated on mobile
C. Unique for each user
D. Unique for session
73
9. Which of the following attack to break the user password is difficult to control?
A. Brute Force
B. Dictionary attack
C. Spoofing
D. Social engineering
10. Which of the following is a primary objective of implementing logical access
controls?
A. Identify users on the system
B. Fixing accountability of actions
C. Authorize users based on role
D. Compliance with policy

1. D is correct answer. The three factors are what a user knows (PIN, Password, and
Passphrase), what user possesses (Access card, Token) and what unique
characteristics of user (Biometric). Use of any two factors for authentication is called
two factors. Option A, B and C use only one factor.
2. A is correct answer. Identification of user is first and primary requirement of granting
access. Next will be authentication method to be established and finally finding
authorization levels based on role that also addresses need to know.
3. B is correct answer. Mandatory accesses are those controls that are to be applied
uniformly across organization and are defined by information security policy. D is
discretionary access controls. B and C generally do not specify such requirements.
4. C is correct answer. Single point of failure is a major concern. One password if
compromised, all accesses for that user are available to perpetrator.
5. B is correct answer. Password sharing by user is most difficult to get evidence for or
detect. Others can be monitored or enforced using technology.
6. D is correct answer. Periodic user access review helps in ensuring that all users have
appropriate level of accesses. This happens due to changes in internal environment like
role, emergency, resignation and retiring of employees. In such situations sometimes
revocation of accesses is missed out, which can be corrected during review.
7. C is correct answer. Review of log for password configuration may disclose the
compliance of policy because policy is configured in the system through password
74
configuration. This may also detect unwarranted changes made by a malicious user
(who obtains administrative access) in the password configuration. However, option A
and D may provide assurance for compliance of password policy configurations in the
system, not the policy itself. Option D is not relevant.
8. A is correct answer. Strength of one-time password is that it is active for short time, if
user does not login during that time the one-time password expires. One-time password
is unique for each session and user; however, it is not a strength. It can be
communicated by suitable means.
9. D is correct answer. In Social engineering attacks, the weakest link is unsuspecting
human user. Attacker uses techniques to compel users to reveal passwords and other
confidential information. For example, in Phishing. Other options are technology-based
attacks and can be detected or controlled.
10. C is correct answer. Primary objective of implementing access controls is to restrict
access to authorized people. Fixing accountability of actions is the primary objective of
audit trail. Others are means to implement access controls not objectives.
75
Chapter 5
Network Security Controls
5.1 Introduction
We have seen the use of networks for business communication and application hosting in e-
learning, in this section, we will review the risks and controls that are specific to networked
environment. Now-a-days, real life organizations are using large and complex network
infrastructure. Hence, it is necessary to focus on enterprise architecture as a whole for
designing and implementing controls. Network related controls are important since it is the
first layer of architecture that is generally having focus of attacker. Therefore networks are
also far more vulnerable to external and internal threats.
Organization level general controls like physical security (cables, intruders trying to connect to
network), environmental security (ensuring segregation between electrical and data cables,
protecting cables from rodents), access controls, security policies (acceptable usage of
information assets) are applicable to network security. In addition one needs to look at
network specific controls to ensure that organization’s information security objectives are
achieved.
5.2 Objective of Network Security Controls

There is threat of interception of information when it travels on intranet or Internet. Malicious
users, hackers, adversaries may try to gain unauthorized access to organization’s data or
information. Non-availability of information assets to interested parties may also adversely
impact the organization. There are three main objectives of network security controls.
 Confidentiality: Maintaining the confidentiality and privacy of information and
information assets when it travels on the network. Interception may be a concern to this.
 Integrity: Ensuring the correctness and completeness of data or information traversing
the network. There may be attempt to tamper data in-transit or data stored on
information systems by exploiting the vulnerabilities of network devices or channels.
Unauthorized manipulation of data during transit may question the integrity of the data.
 Availability: Keeping the information and network resources available to the authorised
stakeholders. Denial of service or distributed denial of service is a major threat to the
availability of information.
5.3 Network Threats and Vulnerabilities

This section describes the various kinds of vulnerabilities and threats associated with
networks, that aim to compromise the confidentiality, integrity, or availability of data. However
it needs to be understood that most of these threats operate in tandem and it is difficult to
associate them with network security alone. The threats and vulnerabilities are listed under
the following heads:
 Information Gathering
 Communication Subsystem Vulnerabilities
 Protocol Flaws
 Impersonation
 Message Confidentiality Threats
 Message Integrity Threats
 Web Site Defacement
 Denial of Service
Information Gathering
A serious attacker will spend a lot of time obtaining as much information as s/he may have
about the target before launching an attack. The techniques to gather information about the
networks are examined below:
 Port scan: An easy way to gather network information is to use a port scanner, a
program that, for a particular IP address, reports which ports respond to messages and
which of several known vulnerabilities seem to be present.
 Social engineering: Social engineering involves using social skills and personal
interaction to get someone to reveal security-relevant information and perhaps even to
do something that permits an attack. The point of social engineering is to persuade the
victim to be helpful. The attacker often impersonates someone occupying a senior
position inside the organization and is in some difficulty. The victim provides the
necessary assistance without verifying the identity of the caller, thus compromising
security.
 Reconnaissance: Reconnaissance is the general term for collecting information. In
security, it often refers to gathering discrete bits of information from various sources
and then putting them together to make a coherent picture. One commonly used
reconnaissance technique is “dumpster diving.” It involves looking through items that
have been discarded in garbage bins or waste paper baskets. One might find network
diagrams, printouts of security device configurations, system designs and source code,
telephone and employee lists, and more. Even outdated printouts may be useful.
 Operating system and application fingerprinting: Here the attacker wants to know
77
which commercial server application is running, what version, and what the underlying
operating system and version are. How a system responds to a prompt (for instance, by
acknowledging it, requesting retransmission, or ignoring it) can also reveal the system
and version. New features also offer a clue, for example a new version will implement a
new feature but an old version will reject the request. All these peculiarities, sometimes
called the operating system or application fingerprint, can mark the manufacturer and
version.
 Bulletin boards and chats: Bulletin boards and chat rooms support exchange of
information among the hackers. Attackers can post their latest exploits and techniques,
read what others have done, and search for additional information on systems,
applications, or sites.
 Documentation: The vendors themselves sometimes distribute information that is
useful to an attacker. For example, resource kits distributed by application vendors to
other developers can also give attackers tools to use in investigating a product that can
subsequently be the target of an attack.
 Malware: Attacker may use malware like virus or worms to scavenge the system and
keep sending information to attacker over network without the knowledge of system
user.
Exploiting communication subsystem vulnerabilities
 Eavesdropping and wiretapping: An attacker can pick off the content of a
communication passing in unencrypted form. The term eavesdrop implies overhearing
without expending any extra effort. For example, an attacker (or a system administrator)
is eavesdropping by monitoring all traffic passing through a node. (The administrator
might have a legitimate purpose, such as watching for inappropriate use of resources.)
A more hostile term is wiretap, which means intercepting communications through some
effort. Passive wiretapping is just “listening,” just like eavesdropping. But active
wiretapping means injecting something into the communication stream. A wiretap can
be done in such a manner that neither the sender nor the receiver of a communication
will know that the contents have been intercepted.
 Microwave signal tapping: Microwave signals are broadcast through the air, making
them more accessible to outsiders. An attacker can intercept a microwave transmission
by interfering with the line of sight between sender and receiver. It is also possible to
pick up the signal from an antenna located close to the legitimate antenna.
 Satellite signal interception: In satellite communication, the potential for interception
is even greater than with microwave signals. However, because satellite
communications are heavily multiplexed, the cost of extracting a single communication
is rather high.
78
 Wireless: Wireless networking is becoming very popular, but threats arise in the ability
of intruders to intercept and spoof a connection. A wireless signal is strong for
approximately 30 to 60 meters. A strong signal can be picked up easily. Wireless also
has a second problem, the possibility of unauthorized use of a network connection, or a
theft of service.
 Optical fiber: It is not possible to tap an optical system without detection. Further
optical fiber carries light energy, not electricity, which does not emanate a magnetic
field as electricity does. Therefore, an inductive tap is impossible on an optical fiber
cable. However, the repeaters, splices, and taps along a cable are places at which data
may be intercepted more easily than in the fiber cable itself.
 Zombies and BOTnet: BOTnets is a term (robotic network) used for virtual network of
zombies. BOTnet operator launches malware/virus on system that once activated
remains on system and can be activated remotely. This malware helps the BOTnet
operator use the compromised system (Zombie) remotely with to launch attack or
collect information. For example Zombies have been used extensively to send e-mail
spam. This allows spammers to avoid detection and presumably reduces their
bandwidth costs, since the owners of zombies pay for their own bandwidth.
Protocol Flaws
Internet protocols are publicly posted for scrutiny. Many problems with protocols have been
identified by reviewers and corrected before the protocol was established as a standard.
Despite this process of peer review, flaws exist in many of the commonly used protocols.
These flaws can be exploited by an attacker. For example FTP is known to transmit
communication including user id and password in plain text.
Impersonation
In many instances, an easy way to obtain information about a network is to impersonate
another person or process. An impersonator may foil authentication by any of the following
means:
 Authentication foiled by guessing: Guess the identity and authentication details of
the target, by using common passwords, the words in a dictionary, variations of the user
name, default passwords, etc.
 Authentication foiled by eavesdropping or wiretapping: When the account and
authentication details are passed on the network without encryption, they are exposed
to anyone observing the communication on the network. These authentication details
can be reused by an impersonator until they are changed.
 Authentication foiled by avoidance: A flawed operating system may be such that the
buffer for typed characters in a password is of fixed size, counting all characters typed,
79
including backspaces for correction. If a user types more characters than the buffer
would hold, the overflow causes the operating system to by-pass password comparison
and act as if a correct authentication has been supplied. Such flaws or weaknesses can
be exploited by anyone seeking unauthorized access.
 Non-existent authentication: Here the attacker circumvents or disables the
authentication mechanism at the target computer. If two computers trusts each other’s
authentication an attacker may obtain access to one system through an authentication
weakness (such as a guest password) and then transfer to another system that accepts
the authenticity of a user who comes from a system on its trusted list. The attacker may
also use a system that has some identities requiring no authentication. For example,
some systems have “guest” or “anonymous” accounts to allow outsiders to access
things the systems want to release to the public. These accounts allow access to
unauthenticated users.
 Well-Known authentication: Most vendors often sell computers with one system
administration account installed, having a default password. Or the systems come with
a demonstration or test account, with no required password. Some administrators fail to
change the passwords or delete these accounts, creating vulnerability.
 Spoofing and masquerading: Both of them are impersonation. Refer to chapter on
logical access controls for details.
 Session hijacking: Session hijacking is intercepting and carrying on a session begun
by another entity. In this case the attacker intercepts the session of one of the two
entities that have entered into a session and carry it over in the name of that entity. For
example, in an e- commerce transaction, just before a user places his order and gives
his address, credit number etc. the session could be hijacked by an attacker.
 Man-in-the-middle attack: A man-in-the-middle attack is a similar to session hijacking,
in which one entity intrudes between two others. The difference between man-in-the-
middle and hijacking is that a man-in-the-middle usually participates from the start of
the session, whereas a session hijacking occurs after a session has been established.
The difference is largely semantic and not particularly significant.
Message Confidentiality Threats
An attacker can easily violate message confidentiality (and perhaps integrity) because of the
public nature of networks. Eavesdropping and impersonation attacks can lead to a
confidentiality or integrity failure. Here we consider several other vulnerabilities that can affect
confidentiality.
 Mis-delivery: Message mis-delivery happens mainly due to congestion at network
elements which causes buffers to overflow and packets dropped. Sometimes messages
80
are mis- delivered because of some flaw in the network hardware or software. Most
frequently, messages are lost entirely, which is an integrity or availability issue.
Occasionally, however, a destination address will be modified or some router or
protocol will malfunction, causing a message to be delivered to someone other than the
intended recipient. All of these “random” events are quite uncommon. More frequent
than network flaws are human errors, caused by mistyping an address.
 Exposure: The content of a message may be exposed in temporary buffers, at
switches, routers, gateways, and intermediate hosts throughout the network; and in the
workspaces of processes that build, format, and present the message. A malicious
attacker can use any of these exposures as part of a general or focused attack on
message confidentiality.
 Traffic analysis (or traffic flow analysis): Sometimes not only is the message itself
sensitive but the fact that a message exists is also sensitive. For example, if a wartime
enemy sees a large amount of network traffic between headquarters and a particular
unit, the enemy may be able to infer that significant action is being planned involving
that unit. In a commercial setting, messages sent from the president of one company to
the president of a competitor could lead to speculation about a takeover or conspiracy
to fix prices.
Message Integrity Threats
In most cases, the integrity or correctness of a communication is more important than its
confidentiality. Some of the threats which could compromise integrity are by:
 Changing some or all of the content of a message
 Replacing a message entirely, including the date, time, and sender/ receiver
identification
 Reusing (replaying) an old message
 Combining pieces of different messages into one false message
 Changing the apparent source of a message
 Redirecting a message
 Destroying or deleting a message These attacks can be perpetrated in the ways already
stated, including:
 Active wiretap
 Trojan horse Impersonation
 Compromised host or workstation
81
Web Site Defacement

Web site defacement is common not only because of its visibility but also because of the ease
with which one can be done. Web sites are designed so that their code is downloaded and
executed in the client (browser). This enables an attacker to obtain the full hypertext
document and all programs and references programs embedded in the browser. This
essentially gives the attacker the information necessary to attack the web site. Most websites
have quite a few common and well known vulnerabilities that an attacker can exploit.
Denial of Service
Denial of Service (DoS) attacks lead to loss of network availability. The electronic threats are
more serious and less obvious. Some of them are described below:
 Connection flooding: This is the oldest type of attack where an attacker sends more
data than what a communication system can handle, thereby preventing the system
from receiving any other legitimate data. Even if an occasional legitimate packet
reaches the system, communication will be seriously degraded.
 Ping of death: It is possible to crash, reboot or otherwise kill a large number of
systems by sending a ping of a certain size from a remote machine. This is a serious
problem, mainly because this can be reproduced very easily, and from a remote
machine. Ping is an ICMP protocol which requests a destination to return a reply,
intended to show that the destination system is reachable and functioning. Since ping
requires the recipient to respond to the ping request, all the attacker needs to do is
send a flood of pings to the intended victim.
 Traffic redirection: A router is a device that forwards traffic on its way through
intermediate networks between a source host’s network and a destination’s. So if an
attacker can corrupt the routing, traffic can disappear.
 DNS attacks: DNS attacks are actually a class of attacks based on the concept of
domain name server. A domain name server (DNS) is a table that converts domain
names like www.icai.org into network addresses like 202.54.74.130, a process called
resolving the domain name or name resolution. By corrupting a name server or causing
it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure
that packets intended for a particular host never reach their destination.
Distributed Denial of Service
In distributed denial of service (DDoS) attack more than one machine are used by the attacker
to attack the target. These multiple machines are called zombies that act on the direction of
the attacker and they don’t belong to the attacker. These machines have some vulnerability
that can be exploited to use it to attack another machine. The attacker exploits vulnerabilities
in multiple machines and uses them to attack the target simultaneously. In addition to their
82
tremendous multiplying effect, distributed denial-of-service attacks are a serious problem

because they are easily launched by using scripts.
Threats from Cookies, Scripts and Active or Mobile Code
Some of the vulnerabilities relating to data or programs that are downloaded from the server
and used by the client are as follows:
 Cookies: Cookies are NOT executable. They are data files created by the server that
can be stored on the client machine and fetched by a remote server usually containing
information about the user on the client machine. Anyone intercepting or retrieving a
cookie can impersonate the cookie’s legitimate owner.
 Scripts: Clients can invoke services by executing scripts on servers. A malicious user
can monitor the communication between a browser and a server to see how changing a
web page entry affects what the browser sends and then how the server reacts. With
this knowledge, the malicious user can manipulate the server’s actions. The common
scripting languages for web servers, CGI (Common Gateway Interface), and Microsoft’s
active server pages (ASP) have vulnerabilities that can be exploited by an attacker.
 Active code: Active code or mobile code is a general name for code that is downloaded
from the server by the client and executed on the client machine. The popular types of
active code languages are Java, JavaScript, VBScript and ActiveX controls. Such
executable code is also called applet. A hostile applet is downloadable code that can
cause harm on the client’s system. Because an applet is not screened for safety when it
is downloaded and because it typically runs with the privileges of its invoking user, a
hostile applet can cause serious damage.
5.4 Current Trends in Attacks

Most attacks and threats discussed above are being in use for a considerable time.
Organizations being aware of their existence mostly ensure that controls are in place to
prevent, detect and/or recover from these attacks. However attackers are always a step
ahead. Attackers are now using other means to attack systems. Some of these are discussed
below.
Exploiting Application Vulnerabilities
With use of internet based technologies and clouds, organizations have hosted applications
that can be accessed from internet and/or intranet. These applications might contain
vulnerabilities and if exploited can compromise security of information. Attackers try to exploit
these vulnerabilities to launch the attacks, like SQL Injection, Cross site scripting etc. OWASP
(Open Web Application Security Project) identifies top ten security threats every year. Threats
identified in 2017(This is latest at the time of writing this material) are listed below. (Source:
www.owasp.org)
83
 Injection: Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when
untrusted data is sent to an interpreter as part of a command or query. The attacker’s
hostile data can trick the interpreter into executing unintended commands or accessing
data without proper authorization.
 Broken authentication: Application functions related to authentication and session
management is often implemented incorrectly, allowing attackers to compromise
passwords, keys, or session tokens, or to exploit other implementation flaws to assume
other users’ identities temporarily or permanently.
 Sensitive data exposure: Many web applications and APIs do not properly protect
sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify
such weakly protected data to conduct credit card fraud, identity theft, or other crimes.
Sensitive data may be compromised without extra protection, such as encryption at rest
or in transit, and requires special precautions when exchanged with the browser.
 XML external entities (XXE): Many older or poorly configured XML processors
evaluate external entity references within XML documents. External entities can be
used to disclose internal files using the file URI handler, internal file shares, internal
port scanning, remote code execution, and denial of service attacks.
 Broken access control: Restrictions on what authenticated users are allowed to do are
often not properly enforced. Attackers can exploit these flaws to access unauthorized
functionality and/or data, such as access other users’ accounts, view sensitive files,
modify other users’ data, change access rights, etc.
 Security misconfiguration: Security misconfiguration is the most commonly seen
issue. This is commonly a result of insecure default configurations, incomplete or ad
hoc configurations, open cloud storage, misconfigured HTTP headers, and verbose
error messages containing sensitive information. Not only must all operating systems,
frameworks, libraries, and applications be securely configured, but also, they must be
patched/upgraded in a timely fashion.
 Cross-site XSS: XSS flaws occur whenever an application includes untrusted data in a
new web page without proper validation or escaping, or updates an existing web page
with user-supplied data using a browser API that can create HTML or JavaScript. XSS
allows attackers to execute scripts in the victim’s browser, which can hijack user
sessions, deface web sites, or redirect the user to malicious sites.
 Insecure deserialization: Insecure deserialization often leads to remote code
execution. Even if deserialization flaws do not result in remote code execution, they can
be used to perform attacks, including replay attacks, injection attacks, and privilege
escalation attacks.
84
 Using components with known vulnerabilities: Components, such as libraries,

frameworks, and other software modules, run with the same privileges as the
application. If a vulnerable component is exploited, such an attack can facilitate serious
data loss or server takeover. Applications and APIs using components with known
vulnerabilities may undermine application defenses and enable various attacks and
impacts.
 Insufficient logging & monitoring: Insufficient logging and monitoring, coupled with
missing or ineffective integration with incident response, allows attackers to further
attack systems, maintain persistence, pivot to more systems, and tamper, extract, or
destroy data. Most breach studies show time to detect a breach is over 200 days,
typically detected by external parties rather than internal processes or monitoring.
Advanced Persistent Threat (APT)
A sustained targeted attack on identified subject, which remains undetected for a prolonged
time period. Attacker tries to introduce malware to compromise the system. For this, attacker
uses possible social engineering methods. Once the system is compromised the malware
resides in the system. Since malware is specifically written, antivirus may not be able to detect
it. This malware is designed to send small bits of information from the attacked system to the
attacker, without getting detected by network based controls, like anomaly detection, traffic
analysis etc. The attack continues for a longer duration, till all required confidential information
about organization is received by the attacker or as long as the attack is undetected.
5.5 Network Security Controls Mechanism

This section examines controls available to ensure network security from the various identified
threats and vulnerabilities.
5.5.1 Network Architecture

The architecture or design of a network may have a significant effect on its security. Some of
the major considerations are:
 Segmentation/zoning: Segmentation/zoning can limit the potential for harm in a
network in two important ways. Segmentation reduces the number of threats, and
isolates network, thereby, giving better control. A more secure design will use multiple
segments. Since the web server has to be exposed to the public, that server should not
have other more sensitive, functions on it or residing on the same segment such as
user authentication or access to the database. (Figure 5.1).
 Redundancy: Another key architectural control is redundancy, allowing a function to be
performed on more than one node. Instead of having a single web server; a better
design would be to have two servers, using a “failover mode”. In failover mode, the
85
servers communicate with each other periodically, determining if the other is still active.
If one fails, the other takes over processing.
 Eliminate single points of failure: Good network architecture provides for its
availability by eliminating single points of failure. This is true for all critical components
including servers, network devices and communication channels in a network.
Fig. 5.1: Segmented Architecture
5.5.2 Cryptography
Cryptography is a branch of cryptology. It is a method of protecting information and
communications through the use of codes so that only those for whom the information is
intended can read and process it. The pre-fix "crypt" means "hidden" or "vault" and the suffix
"graphy" stands for "writing." There are two essential elements of cryptography, one is
algorithm and the other is key.
Cryptanalysis: The goal of cryptanalysis is to find some weakness or insecurity in a
cryptographic scheme, thus permitting its subversion or evasion.
86
Cryptology
Cryptography Cryptanalysis
5.5.2.1 Types of Cryptography

Mainly, the types of cryptography depend upon the algorithm used for encrypting and
decrypting a message. There are three types of cryptographies.
 Secret-key cryptography or symmetric-key cryptography
 Public key Cryptography or Asymmetric key cryptography
 Hash Function or message digest
 Symmetric key cryptography (or symmetric encryption) uses same key to encrypt
and decrypt the messages. Such a method of encrypting information has been largely
used in the past decades and it is still in use to facilitate secret communication between
governments and defence establishments. Symmetric-key cryptography refers to
encryption methods in which both the sender and receiver share the same key.
Symmetric key ciphers or algorithms are implemented as either block ciphers or stream
ciphers. A block cipher encrypts input in blocks of plaintext as opposed to individual
characters that is used by a stream cipher. A significant disadvantage of symmetric
ciphers is the key management necessary to distribute them securely.
 Asymmetric or public key cryptography: Asymmetric cryptography, also known as
public key cryptography, uses private key and public key pair to encrypt and decrypt
messages. The keys are simply large prime numbers that have been paired together
mathematically but are not identical (asymmetric). One key of the pair can be shared
with everyone; it is called the public key and the other should be ket secret, which is
private key. Under this system a pair of keys is used to encrypt and decrypt messages.
A public key is used for encryption and a private key is used for decryption. A private
key is used to establish non-repudiation. Public key and Private Key are unique key pair
but different.
 Hash function: A hash function is a one way and used to map data of arbitrary size to
fixed-size values. The values returned by a hash function are called hash values, hash
codes, message digests, cryptographic checksum or simply hashes. Hash function has
three characteristics:
87
o It is one-way encryption.
o It gives message digest or hash value of fixed length. Length of massage digest
or hash value depends upon hashing algorithm.
o It is always unique to the text. Any change in the text, results in changing the
message digest or hash value dynamically.
Examples of hashing algorithms are MD5, SHA1, SHA2, SHA3 (Secured Hashing Algorithm)
etc.
A cryptographic hash function must ensure that the following is computationally infeasible:
 Determining the content of a message from its Cryptographic Checksums
 Finding “collisions”, wherein two different messages have the same Cryptographic
Checksums.
Cryptographic checksums are also known as message digests, message authentication
codes, integrity check-values, modification detection codes, or message integrity codes.
5.5.2.2. Public Key Infrastructure (PKI)
 A public key infrastructure (PKI) is a set of roles, policies, hardware, software and
procedures needed to create, manage, distribute, use, store and revoke digital
certificates and manage public-key encryption.
 Public-key cryptography uses a key pair to encrypt and decrypt content. The key pair
consists of one public and one private key that are mathematically related. Public keys
, which may be disseminated widely, and private keys which are known only to the
owner of the digital certificate.
Components of PKI
Digital Certificates: A Digital Certificate is a digitally signed document that associates a
public key with a individual or web site. The certificate can be used to verify that a public key
belongs to an individual or web site. In a typical public key infrastructure (PKI) scheme, the
signature will be of a certifying/ certification authority (CA). The signatures on a certificate are
attestations by the certificate signer that the identity information and the public key belong
together.
In general it is issued by certifying authorities. However, private digital certificates may also be
generated. Private digital certificates are not acceptable by the legal systems.
Types of digital certificates:
 Digital Signing Certificate: Issued to the Individuals
 Digital Encryption Certificate: Issued to individuals or servers
 Code Signer (Software code)
88
Contents of a Typical Digital Certificate

 Serial number: Used to uniquely identify the certificate.
 Subject: The person or entity identified.
 Signature: The algorithm used to create the signature.
 Issuer: The entity that verified the information and issued the certificate.
 Valid-from: The date from which the certificate is valid.
 Valid-to: The expiration date.
 Public key: The public key to encrypt a message to the named subject.
 Thumbprint algorithm: The algorithm used to hash the certificate.
 Thumbprint: The hash itself to ensure that the certificate has not been tampered with.
Digital Signatures
 It is signed message digest or hash value of the document. With digital certificate,
message digest or hash value of the digital documents are signed and digital signature
is affixed to the documents. Private key is used for generating the digital signature.
 Digital Signature is a process that guarantees that the contents of a message have not
been altered in transit. When you, the server, digitally sign a document, you add a one-
way hash (encryption) of the message content using your private key.
Controller of Certifying Authority
 The Controller of Certifying Authorities (CCA) has been appointed by the Central
Government under section 17 of the Act for purposes of the IT Act. The Office of the
CCA came into existence on November 1, 2000. It aims at promoting the growth of E-
Commerce and E- Governance through the wide use of digital signatures.
 The Controller of Certifying Authorities (CCA) has established the Root Certifying
Authority (RCAI) of India under section 18(b) of the IT Act to digitally sign the public
keys of Certifying Authorities (CA) in the country. The RCAI is operated as per the
standards laid down under the Act.
 The CCA certifies the public keys of CAs using its own private key, which enables users
in the cyberspace to verify that a licensed CA issues a given certificate. For this
purpose it operates, the Root Certifying Authority of India(RCAI). The CCA also
maintains the Repository of Digital Certificates, which contains all the certificates issued
to the CAs in the country.
89
Certifying Authority (CA)

Certifying Authorities are Trusted Third Parties (TTP) to verify and vouch for the identities of
entities in the electronic environment. The trust in the CA is the foundation of trust in the
certificate as a valid credential. In India, the IT Act (Information Technology Act) provides for
the Controller of Certifying Authorities (CCA), the body under Ministry of Electronics and
Information Technology to license and regulate the working of Certifying Authorities and also
to ensure that none of the provisions of the IT Act are violated.
Certificate Revocation List (CRL)
Certificate Revocation List (CRL) is a list of certificates (or more specifically, a list of serial
numbers for certificates) that have been revoked, and therefore entities presenting those
certificates should no longer be trusted. The list enumerates revoked certificates along with
the reason(s) for revocation. The dates of certificate issue, and the entities that issued them,
are also included. The CRL file is itself signed by the CA to prevent tampering. The CA that
issues the corresponding certificates always issues the CRL. When a potential user attempts
to access a server, the server allows or denies access based on the CRL entry for that
particular user.
5.5.2.3 Quantum Cryptography
Quantum cryptography is the science of exploiting quantum mechanical properties to perform
cryptographic tasks. The best-known example of quantum cryptography is quantum key
distribution, which offers an information-theoretically secure solution to the key exchange
problem. The advantage of quantum cryptography lies in the fact that it allows the completion
of various cryptographic tasks that are proven or assumed to be impossible using only
classical (i.e. non-quantum) communication. For example, it is impossible to copy data
encoded in a quantum state. If one attempts to read the encoded data, the quantum state will
be changed. This could be used to detect eavesdropping in quantum key distribution.
5.5.2.4 Application of Cryptographic Systems
In electronic transmissions it is essential to protect from threats relating to confidentiality,
integrity, authentication and non-repudiation. A system is needed that protects against these
security concerns. To address these security concerns, we have cryptographic systems like:
 Transport Layer Security
 IPsec
 SSH
 Secure Multipurpose Internet Mail Extension (SMIME)
90
Secure Socket Layer (SSL) / Transport Layer Security (TLS)

 The Secure Socket Layer (SSL) and Transport Layer Security (TLS) is the most widely
deployed security protocol used today. SSL was first developed by Netscape and
subsequently became Internet standard known as TLS (Transport Layer Security).The
main differences between SSL and TLS are technical in terms of the generation of key
material.
 SSL/TLS are essentially protocols that provide a secure channel between two machines
operating over the Internet or an internal network. In today’s Internet focused world, the
SSL protocol is typically used when a web browser has to securely connect to a web
server over the inherently insecure Internet. SSL allows sensitive information such as
credit card numbers, social security numbers, and login credentials to be transmitted
securely.
Transport Layer Security (TLS)
1. Browser connects to a web server (website) secured with SSL. Browser requests that
the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server’s public key.
3. Browser checks the certificate root against a list of trusted CAs and to verify that the
certificate is not expired, not revoked, and that its common name is valid for the website
that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and
sends back a symmetric session key, encrypted with the server’s public key.
4. Server decrypts the symmetric session key using its private key and sends back an
acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
Almost any service on the Internet can be protected with TLS. TLS is being used for
 Secure online credit card transactions.
 Secure system logins and any sensitive information exchanged online e.g. secure
Internet Banking session
 Secure cloud-based computing platforms.
 Secure connection between E-mail Client and E-mail Server.
91
 Secure transfer of files over https and FTP(s) services.

Secure intranet based traffic such as internal networks, file sharing, extranets, and database
connections.
Internet Protocol Security (IPSEC)
Virtual Private Network (VPN)
VPNs connect private networks through untrusted networks like the Internet; they establish a
tunnel and use strong encryption to provide privacy and strong authentication to guarantee
identity, so they are more secure than traditional networks. VPN provides confidentiality and
integrity over insecure or untrusted intermediate networks. IPsec enables VPN and ensures
secure communication.
A virtual private network (VPN) is created by building a secure communications link between
two nodes by emulating the properties of a point-to-point private link. A VPN can be used to
facilitate secure remote access into a network, securely connect two networks together, or
create a secure data tunnel within a network. Encryption coupled with access controls
(including firewalls) can provide users with the same level of privacy that can be provided on a
private network, even when the communication traverses a part of the public network.
IPsec
IPsec is encryption at IP (network layer); it protects any application data across IP Network.
That is the reason applications need not be specifically designed for use of IPsec. IPsec is a
framework for a set of protocols used for security. IPsec is useful for implementing virtual
private networks and for remote user access through dial-up connection to private networks. A
big advantage of IPsec is that security arrangements can be handled without requiring
changes to individual user computers. IPsec is implemented at end routers/firewalls or clients.
IPsec operates in two modes:
 Transport mode (for end-to-end) provides secure connection between two end points.
In this mode data is encrypted but the header of the packet is not encrypted
 Tunnel mode (for VPN): With tunnel mode, the entire IP packet is encrypted and a new
header is added to the packet for transmission through the VPN tunnel.
92
Secure Shell (SSH)

 SSH is usually used for UNIX systems and encrypts the commands getting transmitted.
It works in a client-server mode and both ends of the client/server connections are
authenticated using digital certificates.
Secure Multipurpose Internet Mail Extension (SMIME)

 S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key
encryption and signing of MIME data. Multipurpose Internet Mail Extensions (MIME) is
an Internet standard that extends the format of email messages to support text in
character sets other than ASCII, as well as attachments of audio, video, images, and
application programs. Message bodies may consist of multiple parts, and header
information may be specified in non-ASCII character sets.
5.5.3 Remote Access Security

Remote access technologies can be defined as those data networking technologies that are
focused on providing the remote user with access into a network, while maintaining the
principal tenets of Confidentiality, Availability, and Integrity. There are many obvious
advantages to employing secure remote network access, such as the following:
 Reducing networking costs by using the Internet to replace expensive dedicated
network lines
 Providing employees with flexible work styles such as mobile computing
 Building more efficient ties with customers, suppliers, and employees
Dial Back Procedures
In a networked computing environment, user may often require access to the systems
resources from remote locations. Dial-back systems are a control to ensure that access is
made only from authorized lines or locations. When a user dials into the server and identifies
itself, the server records the request and disconnects the call. Then server calls the user at a
93
pre-determined number and then enables the user to access the resources based on
authentication. A weakness in this procedure is call forwarding. An unauthorized person could
enable calls to a pre-determined number to be forwarded to the number designated by him,
thus enabling him to gain unauthorized access to the resources.
Other Controls
To minimize the risk of unauthorized dial-in access, remote users should never store their
passwords in plain text login scripts on notebooks and laptops.
Authentication Servers
In widely dispersed networked environment, it is crucial to accomplish user management and
enabling authorized access to users including to mobile users. In such circumstances all
access control is transferred to a centralized or decentralized access authentication
mechanism. Two of the popular applications of remote authentication mechanisms depending
on centralized/decentralized access authentication implementations are TACACS (Terminal
Access Controller Access Control System) and RADIUS (Remote Authentication Dial in User
Service). Some of the features of such systems are:
 Enable secure remote access
 Facilitates centralized user management
 Facilitates centralized access monitoring and control
 Enables modification of users access permission centrally
 Provides event logging and extended audit trails
5.5.4 Malicious Code

Malicious code is the name used for any program that adds to, deletes or modifies legitimate
software for the purpose of intentionally causing disruption and harm or to circumvent or
subvert the existing system’s function. Examples of malicious code include viruses, worms,
Trojan Horses, and logic bombs. Newer malicious code is based on mobile Active X and Java
applets.
Viruses
A computer virus is a type of malware (program) that attaches itself to a file and gets
transmitted. When executed, it damages the infected system and also replicates by inserting
copies of itself (possibly modified) into other computer programs, data files, or the boot sector
of the hard drive. When this replication succeeds, then affected areas are known as "infected".
Viruses often perform some type of harmful activity on infected hosts, such as consuming hard
disk space or CPU time, accessing private information, corrupting data, displaying political or
humorous messages on the user's screen, spamming their contacts, or logging their
94
keystrokes. However, not all viruses carry a destructive payload or attempt to hide
themselves—the defining characteristic of viruses is that they are self-replicating computer
programs which install themselves without the user's consent.
Viruses are classified based on the type of damage they do when infected. The major types
are:
 Master boot record (MBR) viruses: Affects the boot sector of storage device and
further infects when the storage is accessed.
 Stealth viruses: Stealth viruses hide themselves by tampering the operating system to
fool antivirus software into thinking that everything is functioning normally.
 Polymorphic viruses: Polymorphic viruses are difficult to detect because they can
modify themselves and change their identity thus able to hide themselves from antivirus
software
 Macro viruses: Macro viruses are the most prevalent computer viruses and can easily
infect many types of applications, such as Microsoft Excel and Word.
 Logic bomb/Time bomb: Logic bombs are malicious code added to an existing
application to be executed at a later date. These can be intentional or unintentional. For
example Year 2000 problem was an unintentional logic bomb. Every time the infected
application is run, the logic bomb checks the date to see whether it is time to run the
code. If not, control is passed back to the main application and the logic bomb waits. If
the date condition is correct, the rest of the logic bomb’s code is executed and the
result can be anything from a harmless message to a system crash.
Worms
Worms are stand-alone viruses in that, they are transmitted independently and execute
themselves.
Trojan Horse
It is a malicious code hidden under legitimate program, such as a game or simple utility.
Attackers, to infect the system and then get control remotely, to make that system work for
them, primarily use Trojans.
Malware Protection Mechanisms
Various countermeasures that can be deployed to protect against virus are:
Anti-virus: Antivirus is most common protection from virus. Most of the antivirus software
utilizes a method known as signature detection to identify potential virus attack on a system.
Antivirus tools have three types of controls:
 Active monitor: Monitors traffic and activity to check the viruses. Although most tools
95
use signatures, few have developed heuristic scan abilities to look for possible
malicious codes.
 Repair or quarantine: These tools try to remove the virus from file/mail or quarantines
and reports.
 Scheduled scan: Users are prompted for scanning the storages to detect virus already
present that were not detected by active monitors.
Incident handling: Incident Handling is an action plan for dealing with malware attack. In
case of malware incidents it is most essential to find out root cause to stop the reoccurrence.
Training and awareness programs: Human resources are the weakest link in information
security. Periodic training and awareness programs need to be organized to ensure that
employees and other third party users are made aware of the risks arising out of malware
attack. This covers:
 Enforcing policy on use of removable devices
 Handling of mail attachments particularly from unknown senders
 Accessing Internet
 Ensuring antivirus is updated and scheduled scan are performed
5.5.5. Firewalls
The technical details of firewalls, their types and configurations have been dealt with in the e-
learning. Only certain specialized applications of firewalls for network security are dealt with
here.
Intranet
An intranet is a network that employs the same types of services, applications, and protocols
present in an Internet implementation, without involving external connectivity. For example, an
enterprise network employing the TCP/IP protocol suite, along with HTTP for information
dissemination would be considered an Intranet. Most organizations currently employ some
type of intranet, although they may not refer to the network as such. Within the internal
network (intranet), many smaller intranets can be created by the use of internal firewalls. As
an example, an organization may protect its personnel network with an internal firewall, and
the resultant protected network may be referred to as the personnel intranet. Since intranets
utilize the same protocols and application services present on the Internet, many of the
security issues inherent in Internet implementations are also present in intranet
implementations. Therefore, intranets are typically implemented behind firewall environments.
Extranets
An extranet is usually a business-to-business intranet; that is, two intranets are joined via the
96
Internet. The extranet allows limited, controlled access to remote users via some form of
authentication and encryption such as provided by a VPN. Extranets share nearly all of the
characteristics of intranets, except that extranets are designed to exist outside a firewall
environment. By definition, the purpose of an extranet is to provide access to potentially
sensitive information to specific remote users or organizations, but at the same time denying
access to general external users and systems. Extranets employ TCP/IP protocols, along with
the same standard applications and services. Many organizations and agencies currently
employ extranets to communicate with clients and customers. Within an extranet, options are
available to enforce varying degrees of authentication, logging, and encryption.
Securing a Firewall
Firewall platforms should be implemented on systems containing operating system builds that
have been stripped down and hardened for security applications. The hardening procedure
used during installation should be tailored to the specific operating system undergoing
hardening. Some often-overlooked issues include the following:
 Any unused networking protocols should be removed from the firewall operating system
build. Unused networking protocols can potentially be used to bypass or damage the
firewall environment.
 Any unused network services or applications should be removed or disabled. Unused
applications are often used to attack firewalls because many administrators neglect to
implement default-restrictive firewall access controls. In addition, unused network
services and applications are likely to run using default configurations, which are
usually much less secure than production-ready application or service configurations.
 Any unused user or system accounts should be removed or disabled. This particular
issue is operating system specific, since all operating systems vary in terms of which
accounts are present by default as well as how accounts can be removed or disabled.
 Applying all relevant operating system patches is also critical. Since patches and hot
fixes are normally released to address security-related issues, they should be
integrated into the firewall build process. Patches should always be tested on a non-
production system prior to rollout to any production systems.
 Unused physical network interfaces should be disabled or removed from the server
chassis.
5.5.6 Intrusion Detection Systems

An intrusion detection system (IDS) is a device, usually another separate device, which
monitors activity to identify malicious or suspicious events. An IDS is a sensor that raises an
alarm if specific event occurs. The alarm can range from writing an entry in an audit log, to
something significant, such as alerting the system security administrator. An IDS receives
inputs from sensors. It saves those inputs, analyses them, and takes some controlling action.
97
The functions performed by IDS are:

 Monitoring users and system activity
 Auditing system configuration for vulnerabilities and mis-configurations
 Assessing the integrity of critical system and data files
 Recognizing known attack patterns in system activity
 Identifying abnormal activity through statistical analysis
 Managing audit trails and highlighting user violation of policy or normal activity
 Correcting system configuration errors
 Installing and operating traps to record information about intruders
 Special considerations in audit of remote access and network security.
Many intrusion detection systems are also capable of interacting with firewalls in order to bring
a reactive element to the provision of network security services. Firewalls that interact with
intrusion detection systems are capable of responding to perceived remote threats
automatically, without the delays associated with a human response. For example, if an
intrusion detection system detects a denial of service attack in progress, it can instruct certain
firewalls to automatically block the source of the attack (although, false positives responses
can occur).
The two general types of intrusion detection systems are signature based and heuristic.
 Signature-based intrusion detection systems perform simple pattern-matching and
report situations that match a pattern corresponding to a known attack type.
 Heuristic intrusion detection systems, also known as anomaly based, build a model
of acceptable behaviour and flag exceptions to that model; for the future, the
administrator can mark a flagged behaviour as acceptable so that the heuristic IDS will
now treat that previously unclassified behaviour as acceptable.
Intrusion detection devices can be network based or host based. A network-based IDS is a
standalone device attached to the network to monitor traffic throughout that network; a host-
based IDS runs on a single workstation or client or host, to protect that one host.
5.6 Wireless Security Threats and Risk Mitigation

A wireless network is a type of computer network that uses wireless data connections for
connecting network nodes. It is a method by which enterprise (office), homes, etc. avoids the
costly process of introducing cables into a building, or as a connection between various
equipment locations.
98
Wireless networking presents many advantages like network configuration and reconfiguration
is easier, faster, and less expensive. However, wireless technology also creates new threats
and alters the existing information security risk profile. For example, because communication
takes place "through the air" using radio frequencies, the risk of interception is greater than
with wired networks. If the message is not encrypted, or encrypted with a weak algorithm, the
attacker can intercept and read it, thereby compromising confidentiality.
Wireless network has numerous vulnerabilities such as:
 Ad-hoc networks: Ad-hoc networks can pose a security threat. Ad-hoc networks are
defined as peer-to peer networks between wireless computers that do not have an
access point in between them.
 Non-traditional networks: Non-traditional networks such as personal network
Bluetooth devices are not safe and should be regarded as a security risk. Even barcode
readers, handheld PDAs, and wireless printers and copiers should be secured. IT
personnel who have narrowly focused on laptops and access points commonly overlook
these non- traditional networks.
 MAC spoofing: MAC spoofing is a technique for changing a factory-assigned Media
Access Control (MAC) address of a network interface on a networked device. The MAC
address is hard-coded on a network interface card (NIC) and cannot be changed.
However, there are tools, which can make an operating system believe that the NIC has
a MAC address different from it’s real MAC address.
 Man-in-the-middle attacks: A man-in-the-middle attack is an attack which is active
eavesdropping. The attacker makes independent connections with the victims and
relays messages between them to make them believe they are talking directly to each
other over a private connection, when in fact the entire conversation is controlled by the
attacker. The attacker becomes capable enough to capture, insert and modify
messages during message transmission.
 Accidental association: Unauthorized access to organization’s wireless and wired
networks can come from a number of different methods and intents. One of these
methods is referred to as “accidental association”. When a user turns on a computer
and it latches on to a wireless access point from a neighboring organization’s
overlapping network, the user may not even know that this has occurred. However, it is
a security breach in that, proprietary organization information is exposed and now there
could exist a link from one organization to the other. This is especially true if the laptop
is also hooked to a wired network.
 Denial of service: It is an attempt to make a machine not available to its intended user.
Wireless network provides numerous opportunities to increase productivity and manage costs.
Most common controls, which are implemented in wireless environment, are:
99
 Encryption: The best method for protecting the confidentiality of information

transmitted over wireless networks is to encrypt all wireless traffic. WPA3 (Wi-Fi
Protected Access version 3) is the latest application for encrypting Wi-Fi
communication.
 Signal-hiding techniques: In order to intercept wireless transmissions, attackers first
need to identify and locate wireless networks. Turning off the service set identifier
(SSID) broadcast by wireless access points and reducing signal strength to the lowest
level that still provides requisite coverage are the options available. More effective, but
also more costly methods for reducing or hiding signals include: using directional
antennas to constrain signal emanations within desired areas of coverage or using
signal emanation-shielding techniques, also referred to as TEMPEST
(Telecommunications Electronics Materials Protected from Emanating Spurious
Transmissions) to block emanation of wireless signals.
 Anti-virus and anti-spyware software: Computers on a wireless network need the
same protections as any computer connected to the Internet. Install anti-virus and anti-
spyware software, and keep them up-to-date.
 Default passwords: Wireless routers generally come with standard default password
that allows you to set up and operate the router. These default passwords are also
available on the web. Default passwords should be changed immediately after its
installation.
 MAC address: Every computer that is able to communicate with a network is assigned
its own unique Media Access Control (MAC) address. Wireless routers usually have a
mechanism to allow only devices with particular MAC addresses access to the network.
5.7 Endpoint Security

 In network security, endpoint security refers to a methodology of protecting the
corporate network when accessed via remote devices such as laptops or other wireless
and mobile devices. Each device with a remote connection to the network creates a
potential entry point for security threats. Endpoint security is designed to secure each
such access from the end point (device) to the network resources.
 Usually, endpoint security is a security system that consists of security software,
located on a centrally managed and accessible server or gateway within the network, in
addition to client software being installed on each of the endpoints (or devices). The
server authenticates logins from the endpoints and also updates the device software
when needed. As an end-point wants to make an access to the network, the server
software authenticates the device and checks whether it conforms to the security policy
of the organization before allowing the access.
100
 Endpoint security is becoming a more common information security function and greater
concern as more employees bring consumer mobile devices to work and companies
allow its mobile workforce to use these devices on the corporate network.
5.8 Voice-over IP Security Controls

Voice-over IP
Voice over Internet Protocol (VoIP) is a methodology for delivery of voice communications and
multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms
commonly associated with VoIP are IP telephony, Internet telephony, and voice over
broadband (VoBB). The term Internet telephony specifically refers to the provisioning of
communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather
than via the public switched telephone network (PSTN). In VoIP the digital information is
packetized and transmitted as Internet Protocol (IP) packets over a packet-switched network.
VoIP is available on many smartphones, personal computers, and on Internet access devices.
Calls and SMS text messages may be sent over 3G, 4G or Wi-Fi.
VOIP Security
VoIP systems rely on a data network, which means security weaknesses and the types of
attacks associated with any data network are possible. VoIP, voice is converted into IP
packets that may travel through many network access points. Therefore the data is exposed to
many more possible points of attack that could be used for interception by intruders. Following
are the VoIP security:
 Encryption: Encryption is a means of preserving the confidentiality of transmitted
signals.
 Physical security: Even if encryption is used, physical access to VoIP servers and
gateways may allow an attacker to perform traffic analysis and derive call information
from encrypted messages.
 Anti-virus and firewalls: Computers, which use software for VoIP connections should
be protected with a personal firewall, along with anti malware. This provides basic
protection against attacks on the data segment that could be traversed to the voice
segment.
 Segregation of voice and data segments: IP-based telephony provides a platform for
telephone calls over an existing IP data network. However, in order to maintain quality
of service (QoS), scalability, manageability, and security, voice and data should be
separated using different logical networks as far as possible. Segmenting IP voice from
a traditional IP data network greatly enhances the mitigation of VoIP attacks.
101
5.9 Vulnerability Assessment and Penetration Testing

Vulnerability Assessment and Penetration Testing (VAPT) is used by organizations to evaluate
the effectiveness of information security implementation. As its name implies, penetration
testing is a series of activities undertaken to identify and exploit security vulnerabilities. The
idea is to find out how easy or difficult it might be for someone to “penetrate” an organization’s
security controls or to gain unauthorized access to its information and information systems.
Team of experts performs a VAPT. This team simulates attack using similar tools and
techniques used by hackers. Penetration test cannot be expected to identify all possible
security vulnerabilities because Penetration testing is conducted at a point in time. New
technology, new hacker tools and changes to an organization’s information system
infrastructure may create exposures not anticipated during the penetration testing. Hence
organizations perform these tests periodically.
Penetration Testing Scope
The scope of a penetration testing is to determine whether an organization’s information
security vulnerabilities can be exploited and its systems may be compromised. Penetration
testing can have a number of secondary objectives, including testing the security incident
identification and response capability of the organization, exploiting vulnerabilities, testing
employee security awareness or testing users’ compliance with information security policies.
Penetration Testing Strategies
Various strategies for penetration testing, based on specific objectives to be achieved,
include:
External testing: External testing refers to attacks on the organization’s network perimeter
using procedures performed from outside the organization’s systems, as they are visible to
hacker. This can be a Blind test where testing expert has been provided with limited
information.
Internal testing: It is performed from within the organization’s information systems
environment. The focus is to understand what could happen if the network perimeter were
successfully penetrated or what an authorized user could do to penetrate specific information
resources within the organization’s network.
Targeted testing: (often referred to as the “lights-turned-on” approach) involves both the
organization’s IT team and the penetration testing team being aware of the testing activities
and being provided information concerning the target and the network design. A targeted
testing approach may be more efficient and cost-effective when the objective of the test is
focused more on the technical setting, or on the design of the network, than on the
organization’s incident response and other operational procedures. A targeted test typically
takes less time and effort to complete than blind testing, but may not provide a complete a
picture of security vulnerabilities and response capabilities of the organization.
102
Types of Penetration Testing

In addition to the penetration testing strategies to be used, consideration should be given to
the types of testing the testing team is to carry out. These could include:
Application security testing: Many organizations offer access to core business functionality
through web-based applications. The objective of application security testing is to evaluate the
controls over the application and its process flow. Areas of evaluation may include the
application’s usage of encryption to protect the confidentiality and integrity of information, how
users are authenticated, integrity of the Internet user’s session with the host application, and
use of cookies (a block of data stored on a customer’s computer that is used by the web
server application).
Denial of service (DoS) testing: The goal of DoS testing is to evaluate the system’s
susceptibility to such attack that will render it inoperable. Decisions regarding the extent of
Denial of Service testing to be incorporated into a penetration testing exercise will depend on
the relative importance of ongoing, continued availability of the information systems and
related processing activities.
War dialing: War dialing is a technique for systematically calling a range of telephone
numbers in an attempt to identify modems, remote access devices and maintenance
connections of computers that may exist on an organization’s network. Once a modem or
other access device has been identified, analysis and exploitation techniques are performed to
assess whether this connection can be used to penetrate the organization’s information
systems network.
Wireless network penetration testing: The introduction of wireless networks, whether
through formal, approved network configuration management or the inadvertent actions of
users, introduces additional security exposures. Sometimes referred to as “war driving,”
hackers have become proficient in identifying wireless networks simply by “driving” or walking
around office buildings with their wireless network equipment. The goal of wireless network
testing is to identify security gaps or flaws in the design, implementation or operation of the
organization’s wireless network.
Social engineering: Often used in conjunction with blind and double blind testing, this refers
to techniques using social interaction, typically with the organization’s employees, suppliers
and contractors, to gather information and penetrate the organization’s systems. Such
techniques could include:
 Posing as a representative of the IT department’s help desk and asking users to divulge
their user account and password information;
 Posing as an employee and gaining physical access to restricted areas that may house
sensitive information;
103
 Intercepting mail, courier packages or even trash to search for sensitive information on
printed materials. Social-engineering activities can test a less technical, but equally
important, security component; the ability of the organization’s people to contribute to,
or prevent, unauthorized access to information and information systems.
Risks Associated with Penetration Testing
While management sponsors the penetration testing activities, however, such testing
represents some level of risk. Some of the key risks include the following:
 The penetration test team may fail to identify significant vulnerabilities;
 Misunderstandings and miscommunications may result in the test objectives not being
achieved;
 Testing activities may inadvertently trigger events or responses that may not have been
anticipated or planned for (such as notifying law enforcement authorities);
 Sensitive security information may be disclosed, increasing the risk of the organization
being vulnerable to external attacks.
 Generally, external experts perform penetration testing, hence it is necessary to enforce
non- disclosure agreement and also classify content of report as confidential, since it
will contain the vulnerabilities within the system.
5.10 Monitoring Controls

 Most controls implemented for network, generates lot of logs related to activities as per
rule set. Monitoring and reviewing these logs is a mammoth task and needs lot of
efforts and resources. There are various tools available in market that helps
organizations in collecting these logs, co-relating them based on possible use cases
and generate alerts for important logs. This way the efforts can be minimized. These
tools are known as Security Incident and event management (SIEM) tools.
Organizations use these tools and establish a security operations center (SOC) to
monitor these logs, analyse alerts and record incidents and events to be responded.
Also resources required to manage these tools are specially trained and skilled.
5.11 Auditing Network Security Controls

Auditing networked computing environments presents significant complexities. Networking
enables several virtual machines to operate together using a limited set of systems resources,
irrespective of the barriers of geographic location of the user and systems infrastructure. For
example, a customer can now access his bank account from anywhere in the world. This
means that logical paths open up enabling access through insecure networks and diverse
computing infrastructures. Audit of network security requires the auditor to take special
104
considerations and plan accordingly to achieve his audit objectives. The considerations while
auditing network security are:
 Locating logical access paths by reviewing network diagrams
 Identifying network topologies, virtual paths spanning across LANs, WANs and the open
networks such as shared networks and the Internet
 Recognizing logical access threats, risks and exposures in the networked environment
 Identifying and controlling over access paths used for distributed processing and
distributed databases
 Evaluating network management and change control with respect to technical
components such as modems, switches, routers, firewalls, VPNs, network management
and access control software, encryption, protocols, middleware controls and Internet
security
 Identifying information resource owners can be quite complex since in a distributed
computing environment, an application process can span several systems and
networks, including that outside the organization’s control
 Evaluating logical network security policies and practices
 Evaluate network event logging and monitoring
 Evaluating effectiveness of logical access security with respect to network security
components such as:
 Firewalls and filtering routers - architecture, configuration setting as per firewall security
policy, port services, anti-virus configuration, reporting and management controls
 Intrusion detection systems - architecture, configuration, interface with other security
applications, reporting and management controls
 Virtual private networks - architecture, devices, protocol, encryption process integration
with firewall security, change management
 Security protocols - selection of appropriate protocol, seamless security integration of
protocols between devices running different protocols
 Encryption - selection of appropriate encryption methods to various application
processes
 Middleware controls - middleware design and access control with respect to
identification, authentication and authorization, management of components and
middleware change management.
105
5.12 Summary
Networks are veins of market place. Organizations cannot imagine implementing information
system without networks. Networks have added most important attribute to business
performance, that is efficiency. However it is not without risks. This has helped organizations
in expanding their business empire and also attackers, in remaining anonymous. Most security
breaches today are due to availability of networks. And therefore it is most essential for
organizations to protect their networks, in order to ensure that reasonable security has been
implemented. IS auditors, also must focus on the network security. Although sometimes, it
may not be in scope, but considering the architecture, auditors cannot perform any IS audit
without evaluating network controls
Cryptography is the science and art of coding messages, provide us a method to transmit
messages over open networks, like Internet and still achieve the objectives of confidentiality,
integrity, authenticity and non-repudiation. Digital certificates provide a means to digitally sign
the message. PKI offers us the infrastructure to manage the Asymmetric keys, and a means of
certifying the authenticity of holder of key. Cryptographic systems provide ability of secure
communication over networks. Many Secure protocols and frameworks have application of
cryptographic techniques like SSL, HTTPS, IPsec, SSH, SET and S-MIME to name a few.
5.13 Questions
1. Which of the following is a method used to gather information about the
communication network?
A. Reconnaissance
B. Brute force
C. Eavesdropping
D. Wiretapping
2. Message digest helps organization in getting assurance on:
A. Communication delivery
B. Data availability
C. Data integrity
D. Data confidentiality
3. While auditing organization’s network which of the following control IS auditor
must verify first?
A. Encrypted communication
106
B. Network zoning
C. Firewall configuration
D. Penetration test report
4. Cryptographic checksum is a network control that:
A. Adds a parity bit after adding the data bits.
B. Translates data in a file into a hash value.
C. Transmits the data after encryption.
D. Translates the data into a parity checksum combination.
5. Primary function of Security operations center (SOC) is to:
A. Define baseline
B. Configure firewall
C. Monitor logs
D. Implement Antivirus
6. The intrusion detection monitoring on a host for data integrity attack by malicious
software is a:
A. Technical control
B. Corrective control
C. Detective Control
D. Preventive Control
7. Which of the following is most important while performing penetration testing?
A. Maintain secrecy about testing
B. Get consent from affected stakeholders
C. Report to be provided to all users
D. Perform test after office hours
8. Most web based application attacks can be prevented by:
A. Input validation
B. Encryption
C. Penetration test
D. Access controls
107
9. Social engineering attacks can best be prevented by:

A. Intrusion detection system
B. Strong access controls
C. Two factor authentication
D. Awareness training
10. Which of the following is a type of malware that does not use system resources
for execution of malicious codes?
A. Virus
B. Logic bomb
C. Trojan
D. Worm

1. A is correct answer. Other methods are active attacks on network after getting
information about networks.
2. C is correct answer. Message digest is a hash function that helps in confirming integrity
of data communicated over network.
3. B is correct answer. Network segmentation or zoning is first control to implement
network security. Other controls depend upon segmentation.
4. B is correct answer. Checksum is a type of hash that is used to check integrity of data
after communication. It is different that parity bit that adds an extra bit for each byte and
word.
5. C is correct answer. Primary function of SOC is to collect and monitor logs based on
identified rules. It also defines correlation between various logs and identifies possible
incidents, which are communicated to respective asset owners. A is role of security
manager; B and D are roles of network team.
6. C is correct answer. Intrusion detection detects the possible intrusion attempt. It does
not prevent or corrects it. It is a control implemented using technology.
7. B is correct answer. It is most essential to get consent from affected asset owners
before performing test, so that they can ensure that operations are not affected.
Maintaining secrecy shall depend upon type of test. Report must be kept confidential
and accessed only by select few. Test generally is performed when it will have least
impact, but is not most important.
108
8. A is correct answer. Most web application attacks like SQL injection can be prevented
by validating input, which can reject the attackers input that can exploit vulnerability.
Encryption may or may not prevent an attack. Penetration test shall provide input on
vulnerability that must be closed. Access controls may prevent some attacks.
9. D is correct answer. Social engineering attack is attack on human and hence no
technology can prevent it. Awareness training best prevents it.
10. D is correct answer. Worms are self-executable. Rest of the options use system
resources for execution of malicious codes.
References
 Security in Computing, 3rd Edition, By Charles P. Pfleeger, Shari Lawrence Pfleeger
Published Dec 2, 2002 by Prentice Hall.
 ISA 2.0 Background Study Material
 http://compnetworking.about.com/
 http://theirm.org/
 http://www.cert.org/
 http://www.isaca.org/
 http://www.iso.org/iso/home/standards/iso31000.htm
 http://www.webopedia.com
 https://na.theiia.org/Pages/IIAHome.aspx
 https://www.dataprotection.ie/
 www.ehow.com
 www.en.wikipedia.org
 www.firesafetyinstitute.org
 www.resources.infosecinstitute.com/access-control-models-and- methods
 www.technet.microsoft.com/en-us
 https://owasp.org/www-project-top-ten/
 https://en.wikipedia.org/wiki/Threat_model#Threat_modeling_tools
 https://en.wikipedia.org/wiki/DREAD_(risk_assessment_model)
 https://en.wikipedia.org/wiki/STRIDE_(security)
 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-83r1.pdf
 https://en.wikipedia.org/wiki/Separation_of_duties
109
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
ISA

(Modules 1 to 6)
Background Material
ISBN - 978-81-8441-995-5
INFORMATION SYSTEMS
AUDIT 3.0 COURSE
Module - 6
Emerging Technologies
Module - 6
Tel (Direct): +91 120 3045992/961
New Delhi
Background Material
on
Module-6 :

New Delhi
DISCLAIMER
ISBN : 978-81-8441-995-5


Foreword

President, ICAI
Place: New Delhi
iv
Preface

systems deployment.
modules.
3.0.
assurance services.

vi
Contents
Learning Objectives....................................................................................................................... ix
6.1. Artificial Intelligence ....................................................................................................... 1
6.1.1 Meaning ................................................................................................................ 1
6.1.2 Examples in Finance ............................................................................................. 8
6.1.3 Use Cases ............................................................................................................. 9
6.1.4 Impact on Audit ..................................................................................................... 9
6.1.5 Risks and Challenges.......................................................................................... 11
6.1.6 Governance and Controls ................................................................................... 12
6.1.7 Professional Opportunities .................................................................................. 12
6.2. Blockchain ..................................................................................................................... 14
6.2.1. Meaning .............................................................................................................. 14
6.2.2. Examples in Finance ........................................................................................... 16
6.2.3. Use Cases ........................................................................................................... 17
6.2.4. Impact on Audit ................................................................................................... 17
6.2.5. Risks and Challenges.......................................................................................... 18
6.2.6. Governance and Controls ................................................................................... 19
6.2.7. Professional Opportunities .................................................................................. 20
6.3. Cloud Computing .......................................................................................................... 22
6.3.1. Meaning .............................................................................................................. 22
6.3.2. Cloud Computing Architecture, Environment and Service Model ........................ 24
6.3.3. Security Frameworks in Cloud ............................................................................ 31
6.3.4. Impact on Audit and auditors............................................................................... 32
6.4. Data Analytics ............................................................................................................... 37
6.4.1. Meaning .............................................................................................................. 37

6.4.3. Use Cases ........................................................................................................... 44
6.4.4. Impact on Audit ................................................................................................... 44
6.5. Internet of Things .......................................................................................................... 47
6.5.1. Meaning .............................................................................................................. 47
6.5.3. Use Cases ........................................................................................................... 50
6.5.4. IoT and Smart Cities............................................................................................ 50
6.5.5. Impact on Audit ................................................................................................... 51
6.6. Robotic Process Automation ....................................................................................... 56
6.6.1. Meaning .............................................................................................................. 56
6.6.3. Use Cases ........................................................................................................... 57
6.6.4. Impact on Audit ................................................................................................... 57
viii
Learning Objectives:
● Understand concepts of the following Emerging Technologies and the evolving
landscape
○ Artificial Intelligence, Blockchain, Cloud Computing, Data Analytics, Internet of
Things and Robotic Process Automation
● Understand the Impact on the Profession
● Understand the Risks in Emerging Technologies
● Evaluate the approach of Governance and Controls in these Technologies
● Understand the inter-relationship with these emerging technologies.
● Understand Role of Professionals
6.1 Artificial Intelligence
6.1.1 Meaning
Artificial intelligence (AI) is an advanced computer system that can simulate human
capabilities, based on predetermined set of rules. Some of the activities computers with
artificial intelligence are designed for include:
• Speech recognition
• Learning
• Planning
• Problem solving
Machine Learning
It refers to the use of computing resources that have the ability to learn, acquire and apply
knowledge and skills. These cognitive systems have the potential to learn from business
related interactions and deliver evidence-based responses to transform how organizations
think, act and operate.
TRADITIONAL
DATA COMPUTER
OUTPUT
PROGRAM
ARTIFICIAL INTELLIGENCE
DATA COMPUTER
PROGRAM
OUTPUT
Fig. 6.1.1 Comparison between Traditional Systems and AI based systems

Common Terminologies used in AI

AI works by combining large amounts of data with fast, iterative processing and intelligent
algorithms, allowing the software to learn automatically from patterns or features in the data.
AI is a broad field of study that includes many theories, methods and technologies, as well as
the following major subfields:
• Machine learning automates analytical model building. It uses methods from neural
networks, statistics, operations research and physics to find hidden insights in data
without explicitly being programmed for where to look or what to conclude.
• A neural network is a type of machine learning that is made up of interconnected units
(like neurons) that processes information by responding to inputs, relaying information
between each unit. The process requires multiple passes at the data to find connections
and derive meaning from the raw data.
• Deep learning uses huge neural networks with many layers of processing units, taking
advantage of advances in computing power and improved training techniques to learn
complex patterns in large amounts of data. Common applications include image and
speech recognition.
• Cognitive computing is a subfield of AI that strives for a natural, human-like
interaction with machines. Using AI and cognitive computing, the ultimate goal is for a
machine to simulate human processes through the ability to interpret images and
speech – and then speak coherently in response.
• Computer vision relies on pattern recognition and deep learning to recognize what’s in
a picture or video. When machines can process, analyze and understand images, they
can capture images or videos in real time and interpret their surroundings.
• Natural language processing (NLP) is the ability of computers to analyze, understand
and generate human language, including speech. The next stage of NLP is natural
language interaction, which allows humans to communicate with computers using
normal, everyday language to perform tasks.
2
Fig: 6.1.2 AI Streams

Why AI is important?
• AI automates repetitive learning and discovery through data. AI performs frequent, high-
volume, computerized tasks reliably and without fatigue. For this type of automation,
human inquiry is still essential to set up the system and ask the right questions.
• AI adds intelligence to existing products. In most cases, AI will not be sold as an
individual application. Rather, products you already use will be improved with AI
capabilities, much like Siri, which was added as a feature to a new generation of Apple
products.
• AI adapts through progressive learning algorithms to let the data do the programming.
AI finds structure and regularities in data so that the algorithm acquires a skill. The
algorithm becomes a classifier or a predictor. Back propagation is an AI technique that
allows the model to adjust, through training and added data.
• AI analyzes more and deeper data using neural networks that have many hidden layers.
AI has changed with incredible computer power and big data. You need lots of data to
train deep learning models because they learn directly from the data. The more data
you can feed them, the more accurate they become.
• AI achieves incredible accuracy through deep neural networks - which was previously
impossible. For example, your interactions with Alexa, Google Search and Google
Photos are all based on deep learning and they keep getting more accurate, the more
we use them.
• AI gets the most out of data. When algorithms are self-learning, the data itself can
become intellectual property. Since the role of the data is now more important than ever
before, it can create a competitive advantage.
3
Types of AI
Artificial Intelligence can be divided in various types which are based on capabilities and
based on functionally of AI.
AI: Based on Capabilities
1. Weak AI or Narrow AI:
• Narrow AI is a type of AI, which is able to perform a dedicated task with
intelligence. The most common and currently available AI is Narrow AI in the
world of Artificial Intelligence.
• Narrow AI cannot perform beyond its field or limitations, as it is only trained for
one specific task. Hence it is also termed as weak AI. Narrow AI can fail in
unpredictable ways if it goes beyond its limits.
• Some Examples of Narrow AI are playing chess, purchasing suggestions on e-
commerce site, self-driving cars, speech recognition, and image recognition.
2. General AI:
• General AI is a type of intelligence, which could perform any intellectual task with
efficiency like a human.
• The idea behind the general AI to make such a system that could be smarter and
think like a human.
• Currently, there is no such system exist which could come under general AI and
can perform any task as perfect as a human.
3. Super AI:
• Super AI is a level of Intelligence of Systems at which machines could surpass
human intelligence and can perform any task better than human with cognitive
properties. It is an outcome of general AI.
• Some key characteristics of strong AI include capability include the ability to
think, to reason, solve the puzzle, make judgments, plan, learn, and
communicate by its own.
• Super AI is still a hypothetical concept of Artificial Intelligence.
AI: Based on functionality
1. Reactive Machines
• Purely reactive machines are the most basic types of Artificial Intelligence
systems.
4
• Such AI systems do not store information or past experiences for future actions.
• These machines only focus on current scenarios and react as per possible best
action.
2. Limited Memory
• Limited memory machines can store past experiences or some data for a short
period of time.
• These machines can use stored data for a limited time period only.
• Self-driving cars are one of the best examples of Limited Memory systems.
These cars can store recent speed of nearby cars, the distance of other cars,
speed limit, and other information to navigate the road.
3. Theory of Mind
• Theory of Mind AI should understand the human emotions, people, beliefs, and
be able to interact socially like humans.
• This type of AI machines is still not developed, but researchers are making lots of
efforts and improvement for developing such AI machines.
4. Self-Awareness
• Self-awareness AI is the future of Artificial Intelligence. These machines will be
super intelligent, and will have their own consciousness, sentiments, and self-
awareness.
• These machines will be smarter than human mind.
• Self-Awareness AI does not exist in reality still and it is a hypothetical concept.
AI Platforms
The following are a few of the AI Platforms
• IBM – Watson Analytics
• Google – Deep Mind – Tensor Flow
• Microsoft – Cognitive Services
• Amazon – AWS AI Services
• Facebook – FB Learner Flow
AI and Speech Recognition
Speech recognition is technology that can recognize spoken words, which can then be
converted to text. A subset of speech recognition is voice recognition, which is the technology
5
for identifying a person based on their voice. Speech recognition has become increasingly
embedded in our everyday lives with voice-driven applications like Amazon’s Alexa, Apple’s
Siri, Microsoft’s Cortana, or the many voice-responsive features of Google.
The technology to support voice-powered interfaces is growing powerful by the day. With the
advancements in artificial intelligence and ample amount of speech data that can be easily
mined for machine learning purposes, it would not be surprising if it becomes the next
dominant user interface.
Problem Types & Analytic Techniques used in AI
TYPE DESCRIPTION EXAMPLE TECHNIQUE
Classification Categorize new inputs Identifying whether an CNNs, Logistic

as belonging to one of a image contains a Regression
set of categories specific type of object
Dog or Cat?
Continuous Estimate the next Prediction particularly Feed forward

Estimation numeric value in a when it is applied to Neural Networks,
sequence time series data E.g. Linear Regression
forecasting the sales
for a product, based
on a set of input data
such as previous sales
figures, consumer
sentiment, and
weather
Clustering Individual data instances Creating a set of K-means,

have a set of common or consumer segments
Affinity propagation
similar characteristics based on data about
individual consumers,
including
demographics,
preferences, and buyer
behavior
Anomaly Determine whether Fraud detection Support Vector

Detection specific inputs are out of Machines, K-
6
TYPE DESCRIPTION EXAMPLE TECHNIQUE

the ordinary Money Laundering Nearest Neighbors,
Neural Networks
Recommendations Systems that provide Suggest the product to Collaborative

recommendations, buy for a customer, filtering
based on a set of based on the buying
training data patterns of similar
individuals, and the
observed behavior of
the specific person
E.g. Netflix, Amazon
Advantages of AI
1. Error Reduction: Artificial intelligence helps us in reducing the error and the chance of
reaching accuracy with a greater degree of precision. It is applied in various studies such as
exploration of space.
2. Difficult Exploration: Artificial intelligence and the science of robotics can be put to
use in mining and other fuel exploration processes. These complex machines can also be
used for exploring the ocean floor and hence overcome the human limitations.
3. Daily Application: Computed methods for automated reasoning, learning and
perception have become a common phenomenon in our everyday lives. We are also hitting
the road for long drives and trips with the help of GPS. The smartphone is an apt and
everyday example of how we use artificial intelligence. When we take a picture, the artificial
intelligence algorithm identifies and detects the person’s face and tags the individuals when
we are posting our photographs on social media sites.
4. Digital Assistants: Highly advanced organizations use avatars that are replicas or
digital assistants that can actually interact with the users, thus saving the need for human
resources. Emotions are associated with moods that can cloud judgment and affect human
efficiency. This is completely ruled out for machine intelligence.
5. Repetitive Jobs: Repetitive jobs, which are monotonous in nature, can be carried out
with the help of machine intelligence. Machines think faster than humans and can be put to
multi-tasking. Machine intelligence can be employed to carry out dangerous tasks. Their
parameters, unlike humans, can be adjusted. Their speed and time are calculation-based
parameters only.
7
6. No Breaks: Machines, unlike humans, do not require frequent breaks and

refreshments. They are programmed for long hours and can continuously perform without
getting bored or distracted or even tired.
Disadvantages of AI
1. High Cost: Creation of artificial intelligence requires huge costs, as they are very
complex machines. Their repair and maintenance also require huge costs. They have software
programs, which need frequent up gradation to cater to the needs of the changing
environment and the need for the machines to be smarter by the day.
2. No Replicating Humans: Intelligence is believed to be a gift of nature. Machines do
not have any emotions and moral values. They perform what is programmed and cannot make
the judgment of right or wrong. Even cannot take decisions if they encounter a situation
unfamiliar to them. They either perform incorrectly or breakdown in such situations.
3. No Improvement with Experience: Unlike humans, artificial intelligence cannot be
improved with experience. With time, it can lead to wear and tear. It stores a lot of data but the
way it can be accessed and used is very different from human intelligence. Machines are
unable to alter their responses to changing environments. We are constantly bombarded by
the question of whether it is really exciting to replace humans with machines.
4. No Original Creativity: These are not the forte of artificial intelligence. While they can
help you design and create, they are no match to the power of thinking that the human brain
has or even the originality of a creative mind. Human beings are highly sensitive and
emotional intellectuals. Their thoughts are guided by the feelings that completely lacks in
machines. The inherent intuitive abilities of the human brain cannot be replicated.
5. Unemployment: Replacement of humans with machines can lead to large-scale
unemployment. Humans can unnecessarily be highly dependent on the machines if the use of
artificial intelligence becomes rampant. They will lose their creative power and will become
lazy. Also, if humans start thinking in a destructive way, they can create havoc with these
machines.
6.1.2 Examples in Finance

1. Pattern Recognition in Banking: A number of variables have to be considered in
order to establish whether a transaction or set of transactions is suspicious
 E.g. customer’s salary account in a bank
 Multiple credits in account other than salary credit
 Sizeable increase in Cash to Non-Cash Transaction Ratio - large cash deposits and
cash withdrawals
8
 Many transactions with a few related accounts

 Burst in Deposits - Number of Transactions
 Burst in Withdrawals - Number of Transactions
 Burst in Deposits - Amount
 Burst in Withdrawals - Amount
 Unusual applications for Demand Drafts against cash.
 Transactions that are too high or low in value in relation to customer’s profile
 Computers will learn the past behavioural pattern of the customer based on historical
transactions and may identify unusual activities
2. Artificial Intelligence is widely used in banking apps as it provides a faster, more
accurate assessment of a potential borrower, at less cost, and accounts for a wider variety of
factors, which leads to a better-informed, data-backed decision. Credit scoring provided by AI
is based on more complex and sophisticated rules compared to those used in traditional credit
scoring systems. It helps lenders distinguish between high default risks applicants and those
who are credit-worthy but lack an extensive credit history.
6.1.3 Use Cases

1. AI in finance: AI in personal finance applications, such as Mint or Turbo Tax, is
disrupting financial institutions. These applications collect personal data and provide financial
advice. Other programs, such as IBM Watson, have been applied to the process of buying a
home. Today, software performs much of the trading on Wall Street.
2. JPMorgan Chase: Launched a Contract Intelligence (COiN) platform that leverages
Natural Language Processing, one of the machine learning techniques. The solution
processes legal documents and extracts essential data from them. Manual review of 12,000
annual commercial credit agreements would typically take up around 360,000 man-hours.
However, machine learning may allow reviewing the same number of contracts in a just a few
hours.
3. Wells Fargo: Uses an AI-driven chatbot through the Facebook Messenger platform to
communicate with users and provide assistance with passwords and accounts.
4. Plantation: Recently AI was used in accurate drone-based planting in mass-scale using
seedpods at a much lower cost for the purpose of re-greening the planet.
6.1.4 Impact on Audit

Auditor can be engaged through critical and distinct activities related to artificial intelligence:
9
 For all organizations, audit should include AI in its risk assessment and also consider
using AI in its risk-based audit plan.
 For organizations exploring AI, audit should be actively involved in AI projects from the
beginning, providing advice and insight, contributing to successful implementation. To
avoid impairment to both independence and objectivity, auditor should not be
responsible for implementation of AI processes, policies and procedures.
 Auditor should provide assurance on management of risks related to the reliability of the
underlying algorithms and the data on which the algorithms are based.
 AI must be dealt with, disciplined methods to evaluate and improve the effectiveness of
risk management, control and governance process.
 Fraud Investigator can use Artificial Intelligence in detecting the fraud. While statistical
& data analysis is used to detect fraud passively, artificial intelligence detects fraud
actively and directly besides improving speed of processing.
It is to be noted that Operational managers should own and manage AI risks on a day-to-day
basis and the auditors should assess operational-level AI policies and procedures, verifying
that control objectives are adequate and working as designed. Further, Compliance, ethics,
risk management, and information privacy and security are some other requirements that
likely to draw attention towards some aspect of AI risks.
Scenarios wherein Artificial intelligence techniques can be used for fraud management:
1. Data mining - is the process of discovering the patterns in large data sets involving
methods at the intersection of machine learning, statistics and database systems. So, data
mining is to classify, cluster and segment the data and also automatically find associations
and rules in the data, which may point towards interesting patterns of fraud.
2. Expert system – knowledge based expert system is used to develop software that
store all the human expertise and then using stored human intelligence to detect fraud.
3. Machine learning and pattern recognition – machine learning is closely related to
computational statistics, which also focuses on prediction making through the use of
information technologies. Machine learning can also be unsupervised and be used to learn
and establish baseline behavioural profiles for various entities and further used to find
meaningful anomalies related to fraud or any other transactions.
4. Neural network – fraud detection system is totally based on the human brain working
principal. Neural network technology has made a computer system capable of reasoning. The
inherent nature of neural networks includes the ability to learn and ability to capture and
represent complex input/output relationship.
10
6.1.5 Risks and Challenges

Risks of AI
1. AI is Unsustainable: Intelligent machines have characteristically high computing
powers contributed by an array of several processers. These computer chips have rare earth
materials like Selenium as a major constituent. The increased mining of these materials is
irreversibly damaging our environment at a rapid pace.
2. Lesser Jobs: There is no doubt that machines do routine and repeatable tasks much
better than humans. Many businesses would prefer machines instead of humans to increase
their profitability, thus reducing the jobs that are available for the human workforce.
3. A threat to Humanity: He has also stated publicly that AI is the biggest threat to
human civilization in the future. This means that the dystopian future that sci-fi movies show is
not impossible. The biggest risk associated with AI is that machines would gain sentience and
turn against humans in case they go rogue.
Challenges for AI
1. Computing is not that Advanced: Machine Learning and deep learning techniques
that seem most beneficial require a series of calculations to make very quickly (in
microseconds or nanoseconds or faster than that).
2. Fewer people support: AI implementation does not have enough use cases in the
market. And without it, no organization would be interested to invest money in AI-based
projects. It clearly means that there have been comparatively few organizations interested in
putting money into the development of AI-based products.
3. Creating Trust: People don’t feel comfortable when they don’t understand how the
decision was made. For instance, banks use simple algorithms that are based on linear math
and it is easy to explain the algorithm and how they arrived from input to output. Hence,
somewhere AI has not been able to create trust among people. And the only solution that
seems to this problem is to let people understand that this technology really works.
4. One Track Minds: A big problem that should be taken into account is that most of the
AI implementations are highly specialized. And it is built just to perform a single task and keep
learning to become better and better at it. This means that AIs need to be trained just to make
sure that their solutions do not cause other issues. Specifically, all those areas that are
beyond those that designed to consider.
5. Probability: Organizations working on AI-based products cannot demonstrate clearly
about their vision and what they have achieved with the help of AI techniques. Moreover, such
kind of confusion has surrounded the minds of people. And ultimately, a probability that is the
11
mathematical uncertainty behind AI predictions still remains as an unclear region for

organizations.
6. Data Privacy and security: Most of the AI applications are based on massive volumes
of data to learn and make intelligent decisions. Machine learning systems depend on the data,
which is often sensitive and personal in nature. Due to this systematic learning, these ML
systems can become prone to data breach and identity theft. European Union has
implemented the General Data Protection Regulation (GDPR) that makes sure the complete
protection of personal data. Likewise, the India has introduced “The Personal Data Protection
Bill”
7. Algorithm bias: A big problem with AI systems is that their level of goodness or
badness depends on the much data they are trained on. Bad data is often associated with,
ethnic, communal, gender or racial biases. Proprietary algorithms are used to find out
information like who granted bail, whose loan is sanctioned etc. If the bias hidden in the
algorithms, which take crucial decisions, goes unrecognized, could lead to unethical and
unfair results.
8. Data Scarcity: It is the fact that organizations have access to more data in the present
time than ever before. However, datasets that are applicable to AI applications to learn are
really rare. However, the most powerful AI machines are those that are trained on supervised
learning.
6.1.6 Governance and Controls

AI governance refers to the structure, process and procedures implemented to direct, manage
and monitor the AI activities of the organization in pursuit of achieving the organization’s
objectives. The level of formality and structure for an organization’s AI governance should be
vary based on the specific characteristics of the organization. Regardless of the specific
approach, however, AI governance establishes accountability and oversight, helps to ensure
that those responsible have the necessary skills and expertise to effectively monitor and helps
to ensure the organizations values are reflected in its AI activities. AI activities must result in
decisions and actions that are in line with the ethical, social, legal responsibilities of the
organization.
6.1.7 Professional Opportunities

 At the same time, emerging technologies are changing the ways of business. This
provides CAs with the opportunity to automate and de-skill time-consuming and
repetitive work and focus on higher value work, so that they can consolidate their role
as advisers on finance and business. By being informed about new technologies as
they evolve and assessing their implications CAs can minimize the burdens and
maximize the benefits to organizations.
12
 CAs possess the domain knowledge and experience to create the relevant learning
algorithms for identifying patterns in Finance and Audit
 CAs should work closely with AI programmers to convert their functional ideas into
reality. These concepts and thought process can be extended to various other business
sectors beyond Finance Audit.
 The future may see most of the business transactions flowing through neural networks,
which will learn patterns of behaviour and send out real time alerts of any suspicious
transactions for investigation.
 The profession can exploit technology and potentially change the scope of what it
means to be a CA. The CFO of the future will need to know as much about technology
as they do about financial management. CAs must embrace technology to be relevant
in the profession and to ensure sustainability and growth in this digital era.
13
6.2 Blockchain
6.2.1 Meaning
Block chain refers to the transparent, thrustless, and publicly accessible ledger that allows us
to securely transfer the ownership of units of value using public key encryption and proof of
work methods.
The technology uses decentralized consensus to maintain the network, which means it is not
centrally controlled by a bank, corporation, or government. In fact, the larger the network
grows and becomes increasingly decentralized, the more secure it becomes.
At its most basic level, blockchain is literally just a chain of blocks, but not in the traditional
sense of those words. When we say the words “block” and “chain” in this context, we are
actually talking about digital information (the “block”) stored in a public database (the “chain”).
Fig. 6.2.1 Blockchain

Evolution of Blockchain
In the year 2008, an individual or group writing under the name of Satoshi Nakamoto
published a paper entitled “Bitcoin: A Peer-To-Peer Electronic Cash System”. This paper
described a peer-to-peer version of the electronic cash that would allow online payments to be
sent directly from one party to another without going through a financial institution. Bitcoin was
the first realization of this concept. Now word cryptocurrencies are the label that is used to
describe all networks and mediums of exchange that uses cryptography to secure
transactions-as against those systems where the transactions are channelled through a
centralized trusted entity. A few months later, an open source program implementing the new
protocol was released that began with the Genesis block of 50 coins. Anyone can install this
open source program and become part of the bitcoin peer-to-peer network. It has grown in
popularity since then.
14
Technologies That Make Blockchain Possible

1. Peer-to-peer network (distributed ledger)—Today, creating and maintaining ledgers
requires the use of some third party (i.e., title office, bank, court, voting records, debit cards,
checks, contracts). The ledger’s rules can be somewhat vague and require interpretation.
Interpretation can cause inconsistency. It is important to trust the third party because the
ledger cannot be seen by the enterprise. Such ledgers are centralized and have an authority
of their own. In a decentralized ledger, each node is connected to all other nodes and is not
reliant on any central authority. The ledger is “synced” to all nodes and becomes public.
Nodes trust adjacent nodes, but verify transactions before recording them (trust, but verify).
This is distributed ledger architecture and is a key component of a blockchain. In distributed
ledger architecture, transactions are read (validated) and written (appended). Peer-to-peer
(P2P) networks are easy to manage, but slow and susceptible to attack (such as a denial-of-
service [DoS] attack). The use of a P2P network is a critical component of blockchain. A P2P
network has no central hierarchy with all nodes maintaining a copy of the entire ledger at all
times.
2. Public key infrastructure (blockchain addresses)—How does one trust “unknown”
parties? Cryptography (an algorithm) is used to create trust in the transaction between
untrusted participants. Specifically, public key infrastructure (PKI) is a component of the
blockchain. The technology uses asymmetric encryption (compared to symmetric
cryptography, which uses the same secret key to encrypt and decrypt data) to identify parties
(via digital signature) along with the integrity of the transactions (message digest). With PKI, a
pair of keys (public and private) is generated. The public key is freely distributed. The owner
of the pair keeps the private key. Anything can be encrypted with the public key but can only
be decrypted with the private key. The private key of the sender can also be used to digitally
sign the message. It is critical that the owner of the private key protect it so the corresponding
public key can be used to verify the identity of the sender. If the private keys are
compromised, the entire system is compromised. Users in the network (all the nodes) must
acquire public keys. Parties create a private key to maintain their wallet and a public key to
submit a transaction request to the network. Users can have an infinite number of wallets.
Wallets can be online exchange, software based, in a secured drive or paper based. Public
keys are hashed in multiple iterations to create user addresses called blockchain addresses,
guaranteeing the anonymity of the parties. A different address is used for each transaction.
3. Hash function (miner)—Hash functions are used throughout the entire blockchain
process to guarantee records are not changed, ensuring the integrity of the entire system. A
hash function takes an input of variable length and creates a fixed-length output known as a
message digest. This is a one-way process, meaning that original input cannot be recreated
from the message digest. This process allows one to check if the input was changed. If so, the
process will produce a different output.
15
Advantages and Disadvantages of Block chain

Pros
• Improved accuracy by removing human involvement in verification
• Cost reductions by eliminating third-party verification
• Decentralization makes it harder to tamper with
• Transactions are secure and efficient
• Transparent technology
Cons
• Significant technology cost associated with mining bitcoin
• Low transactions per second
• History of use in illicit activities
• Susceptibility to being hacked.
Principles of block chain
1. Distributed Database: Each party on a block chain has access to the entire database
and its complete history. No single party controls the data or the information. Every party can
verify the records of its transaction partners directly, without an intermediary.
2. Peer-to-Peer Transmission: Communication occurs directly between peers instead of
through a central node. Each node stores and forwards information to all other nodes.
3. Transparency: Every transaction and its associated value are visible to anyone with
access to the system. Each node, or user, on a block chain has a unique 30-plus-character
alphanumeric address that identifies it. Users can choose to remain anonymous or provide
proof of their identity to others. Transactions occur between block chain addresses.
4. Irreversibility of Records: Once a transaction is entered into the database and the
accounts are updated, the records cannot be altered, because they are linked to every
transaction record that came before them (hence the term “chain”). Various computational
algorithms and approaches are deployed to ensure that the recording on the database is
permanent, chronologically ordered, and available to all others on the network.
5. Computational Logic: The digital nature of the ledger means that block chain
transactions can be tied to computational logic and in essence programmed. So, users can set
up algorithms and rules that automatically trigger transactions between nodes.

(a) Payments and reconciliations: Transactions can occur directly between two parties
16
on frictionless P2P basis. The blockchain technology’s application has the potential to reduce
risk, transaction costs and to improve speed, efficiency and transparency.
(b) Issuance, ownership and transfer of financial information: A blockchain-based
securities market allows traders to buy or sell stocks directly on exchanges or directly to other
market participants in a P2P manner without the intermediary’s services provided by a broker
or clearing house.
(c) Clearing and settlement latency: On the blockchain, the entire lifecycle of a trade,
including its execution, clearing and settlement can occur at a trade level, lowering post-trade
latency and reducing counterparty.
6.2.3 Use Cases

(a) Barclays placed themselves at the forefront of adoption by implementing the security
and transparency aspects of blockchain technology into their transaction processes.
It included the first trade documentation to be encrypted and managed on a blockchain
network. The use of a decentralized ledger to store and send the documents saved the bank’s
significant time and money on the transaction.
(b) Through the use of blockchain technology, manufacturers can identify the original
sources of goods, deliveries, and production activities all through a supply chain management
process. This can give average consumers the ability to confirm the source of goods and
items that they buy, which can go a long way toward pushing back on counterfeit items or
misrepresented foodstuffs. There are a few notable projects that use blockchain technology
for supply chain management transparency, such as Ambrosus, which targets the safety and
origins of food products, and Vechain, a blockchain-based platform that allows both
consumers and retailers to confirm the authenticity and quality of purchased products.
(c) Another industry in which integrity and transparency provided by blockchain is important
in the pharmaceutical industry. When dealing with medical prescriptions, drug records, patient
treatment data, and the transportation of expensive medical equipment and other medicinal
items that can spell life or death for a patient, transparency, accurate data, security, and trust
are absolute musts. A blockchain provides all of this. DHL, a global logistics leader, is
working together with Accenture, a global management and professional services company, to
integrate blockchain technology with the pharmaceutical industry to improve serialization
accuracy

 Blockchain technology offers an opportunity to streamline financial reporting and audit
processes. Today, account reconciliations, trial balances, journal entries, sub-ledger
extracts, and supporting spreadsheet files are provided to an auditor in a variety of
17
electronic and manual formats. Each audit begins with different information and
schedules that require an auditor to invest significant time when planning an audit.
 In a blockchain, the auditor could have near real-time data access via read-only nodes
on blockchains. This may allow an auditor to obtain information required for the audit in
a consistent, recurring format. With blockchain-enabled digitization, auditors could
deploy more automation, analytics and machine-learning capabilities such as
automatically alerting relevant parties about unusual transactions on a near real-time
basis. Supporting documentation, such as contracts, agreements, purchase orders, and
invoices could be encrypted and securely stored or linked to a blockchain. By giving
auditors access to unalterable audit evidence, the pace of financial reporting and
auditing could be improved.
 While the audit process may become more continuous, auditors will still have to apply
professional judgment when analysing accounting estimates and other judgments made
by management in the preparation of financial statements. In addition, for areas that
become automated, they will also need to evaluate and test internal controls over the
data integrity of all sources of relevant financial information.
 At the same time, an auditor would also have newer roles in this ecosystem. Auditing
Smart Contracts and Oracles, which are embedded into the blockchain, are new roles to
take up. Checks such as interface testing, events, which trigger transactions into the
blockchain, are areas where the auditors may have to focus.
 Another area could be audit of consortium blockchains, where as a “Service Auditor” the
auditor can validate the system and set up, and give assurance to the participants on
the conformity of controls in place.

An organization’s risk management team should analyse, assess and design mitigation plans
for risks expected to emerge from implementation of blockchain-based frameworks. The
following are the most common risks noted:
(a) Vendor Risks: Most organizations, looking to deploy blockchain-based applications,
lack the required technical skills and expertise to design and deploy a blockchain-based
system and implement smart contracts completely in-house, i.e. without reaching out for
vendors of blockchain applications. The value of these applications is only as strong as
the credibility of the vendors providing them. Given the fact that the Blockchain-as-a-
Service (BaaS) market is still a developing market, a business should meticulously
select a vendor that can perfectly sculpture applications that appropriately address the
risks that are associated with the blockchain.
18
(b) Credential Security: Even though the blockchain is known for its high-security levels, a
blockchain-based system is only as secure as the system’s access point. When
considering a public Blockchain-based system, any individual who has access to
the private key of a given user, which enables him/her to “sign” transactions on
the public ledger, will effectively become that user, because most current systems do
not provide multi-factor authentication. Also, loss of an account’s private keys can lead
to complete loss of funds, or data, controlled by this account; this risk should be
thoroughly assessed.
(c) Legal and Compliance: It is a new territory in all aspects without any legal or
compliance precedents to follow, which poses a serious problem for manufacturers and
services providers. This challenge alone will scare off many businesses from using
blockchain technology.
(d) Data security and confidentiality: Not all data on a distributed ledger should be
accessible and available to others. It is feasible that hackers may be able to obtain the
keys to access the data on the disturbed ledger, considering the users having multiple
point of access.
(e) Scalability issues: Relating to the size of blockchain ledger that might lead to
centralization as it's grown over time and required some record management which is
casting a shadow over the future of the blockchain technology.
(f) Interoperability between block chains: There are new blockchain networks showing
up, which lead to new chains that offer different speeds, network processing, use-
cases. Blockchain interoperability aims to improve information sharing across diverse
blockchain networks. These cross-chain services improve blockchain interoperability
and also make them more practical for daily usage
(g) Processing power and time: Required to perform encryption algorithms for all the
objects involved in Blockchain -based ecosystem given the fact that ecosystems are
very diverse and comprised of devices that have very different computing capabilities,
and not all of them will be capable of running the same encryption algorithms at the
desired speed.
(h) Storage will be a hurdle: Blockchain eliminates the need for a central server to store
transactions and device IDs, but the ledger has to be stored on the nodes themselves,
and the ledger will increase in size as time passes. That is beyond the capabilities of a
wide range of smart devices such as sensors, which have very low storage capacity.

The following are critical points to be kept in mind while implementing / assessing a
blockchain based solution:
19
1. Governance Framework: The enterprise has an adequate governance framework to

provide oversight for blockchain technology.
2. Management Oversight: Management oversight provides assurance that the
enterprise’s strategic objectives are not adversely affected by risk related to blockchain
technology (internal or external).
3. Regulatory Risk: Regulatory risk has been identified and is appropriately mitigated (or
accepted and monitored), to ensure that the enterprise’s strategic objectives are not
adversely affected.
4. Business Continuity: The enterprise’s business continuity plan incorporates elements
that address the effective operation of blockchain technology.
5. Vendor Management: Vendor contract administration and operational processes
ensure ongoing alignment between the enterprise’s strategic objectives and blockchain
solutions.
6. Secure key distribution and management policies: Policies and processes around
crypto keys and their distribution during block chain implementation helps to manage
cryptography functions, key access control, key rotation methods and validations of
crypto algorithms’ implementation.
7. Secure APIs and Integrations: Third-party remittances, E-KYC and smart contracting
applications are integrated with blockchain platform. APIs exposed to third parties
should not reveal any sensitive data to adversaries. APIs and its integrations should
handle authentications, payload security, and session management and design security
risks.

Even though the technology of Blockchain is evolving constantly, as Chartered Accountants,
we can use our domain expertise in the following ways:
1. Assist in evaluating the functional design: Blockchain is not a problem for every
solution. It requires an eco-system and set of players to assist. As Chartered
Accountants we could assist in analysing the business requirement and decide if the
case is fit for blockchain platform.
2. Evaluation of Proof of Concept: Before the solution is deployed a Prototype often
known as Proof of Concept is prepared. Chartered Accountants could assist in
evaluating / designing the Proof of Concept.
3. Assessment of Risks in Implementation: Every new technology comes with some
inherent risk. An assessment of the risks involved in implementation is critical.
20
Chartered Accountants may assist in assessment of risk before implementation of

blockchain platform.
4. Impact on Audit: Understanding the impact of blockchain on the accounting and audit
profession is of paramount importance for Chartered Accountants. This also requires
change in approach of audit and accounting.
5. Audit of Smart Contracts and Oracle: Smart contracts and Oracles can be embedded
in a blockchain to automate business processes. Contracting parties may want to
engage an assurance provider to verify that smart contracts are implemented with the
correct business logic.
21
6.3 Cloud Computing

6.3.1 Meaning
National Institute of Standards and Technology (NIST) defines cloud computing as:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand, network access
to a shared pool of configurable computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly provisioned and released with minimal
management efforts or service provider interaction.”
Cloud Computing means the use of computing resources as a service through networks, like
internet. It is the use of various services, such as software development platforms, servers,
storage, and software, over the different networks, often referred to as the "cloud." Ex: Google
apps.
It is a combination of hardware and software computing resources delivered as a network
service. The location of physical server and devices is not known to end user. Service
customers of cloud computing use “what they need on internet” and “pay only for what they
use”.
In simpler terms, cloud is a set of resources, such as, processors and memory, which are put
in a big pool. As per the requirement, cloud assigns resources to the client, who then connects
them over the network. Further, clouds are multi-tenant by nature, i.e., multiple different
consumers share the same pool of resources but are isolated and segregated from each other
Cloud computing has become a great solution for providing a flexible, on-demand, and
dynamically scalable computing infrastructure for many applications. Cloud computing also
presents a significant technology trend, and it is already obvious that it is reshaping
information technology processes and the IT marketplace. For cloud computing to reach the
full potential promised by the technology, it must offer solid information security.
Features / Characteristics
Following are essential characteristics of Cloud Computing as defined by NIST –
(i) Resource Pooling is the most fundamental characteristic of cloud computing. The
provider abstracts resources and collects them into a pool, portions of which can be
allocated to different consumers.
(ii) Cloud provides usage on-demand self-service, i.e., consumers manage their resources
themselves, without having to talk to a human administrator.
(iii) All resources on cloud are available over a network and there is no direct physical
access.
22
(iv) Rapid elasticity allows consumers to expand or contract the resources they use from
the pool thereby enabling them to match resource consumption with demand.
(v) Measured service meters what is provided to ensure that consumers only use what they
are allotted, and, if necessary, to charge them for it.
Further, ISO/IEC 17788 lists six key characteristics, the rest of which are identical to the NIST
characteristics. The only addition is multitenancy, which is distinct from resource pooling.
Advantages of Cloud Computing
 Cost Efficiency
o Most cost-efficient method to maintain and upgrade. More productivity is
achieved with fewer systems and hence cost per unit of project
 Reduce spending on technology infrastructure
o Minimal upfront spending and pay as you go
 Unlimited Storage
o Storing information in the cloud gives us almost unlimited storage capacity with
an option to scale
 Backup & Recovery
o Backing it up and restoring the same is relatively much easier than storing the
same on a physical device
 Automatic Software Integration
o Software integration is usually something that occurs automatically and be
customized with great ease.
 Easy Access to Information and Globalize the workforce
o Access the information from anywhere
 Reduce Capital costs
o No need to spend huge money on hardware, software etc.
 Quick Deployment
o The entire system can be fully functional in a matter of a few minute depending
upon technology
 Less Personnel training and minimize maintenance and licensing software
o Fewer people to do more work
 Improved Flexibility and effective monitoring of projects
o Quick changes possible
23
Dis-advantages of Cloud computing

 Internet Connectivity: Cloud Platforms require Internet Connectivity almost all the
times and is difficult to operate under certain regions. If the Internet is lost, then access
to data and applications are also lost.
 Technical Issues: This technology is always prone to outages and other technical
issues. Even the best cloud service providers run into this kind of trouble, in spite of
keeping up high standards of maintenance.
 Security in the Cloud: Surrendering all the company’s sensitive information to a third-
party cloud service provider could potentially put the company to great risk.
 Prone to Attack: Storing information in the cloud could make the company vulnerable
to external hack attacks and threats. Nothing on the Internet is completely secure and
hence, there is always the lurking possibility of stealth of sensitive data.
 Availability: Depending on vendor, customers may face restrictions on availability of
applications, OS etc.
 Interoperability: Ability of two or more applications to support a business need to work
together is an issue as all applications may not reside with single cloud vendor or two
vendors having different application may not co-operate.
6.3.2 Cloud Computing Architecture, Environment and Service Model

(a) Cloud Computing Deployment Models
Fig. 6.3.1 Cloud Deployment models
24
Private Cloud
 resides within the boundaries of an organization and is used exclusively for the
organization’s benefits
 built primarily by IT departments within enterprises
 Optimize utilization of infrastructure resources
 can either be
– private to the organization and managed by the single organization (On-Premise
Private Cloud) or
– can be managed by third party (Outsourced Private Cloud)
Private Cloud – Characteristics
 Secure:
– Deployed and managed by the organization itself
– least probability of data being leaked out of the cloud.
 Central Control:
– managed by the organization itself,
– no need for the organization to rely on anybody other than operations.
 Weak Service Level Agreements (SLAs):
– SLAs are agreements between the user and the service provider
– Formal SLAs do not exist or are weak as it is between the organization and user
of the same organization.
– High availability and good service may or may not be available and is dependent
upon SLAs.
 Advantages
– Improve average server utilization
– Reduces costs
– Higher Security & Privacy of User
– Higher automations possible
 Limitation
– Invest in buying, building and managing the clouds independently
25
Fig. 6.3.2 Private Cloud

Public Cloud
 can be used by the general public
 administrated by third parties or vendors over the Internet
 the services are offered on pay-per-use basis
 Business models like SaaS (Software-as-a-Service) and other service models are also
provided
Characteristics of Public Cloud
 Highly Scalable:
o The resources in the public cloud are large in number and the service providers
make sure that all requests are granted.
 Affordable:
o Offered to the public on a pay-as-you-go basis;
o User has to pay only for what he or she is using
 Less Secure:
o Offered by a third party and they may have full control over the cloud, depending
upon the service model.
 Highly Available:
o Anybody from any part of the world can access the public cloud with proper
permission.
26
 Stringent SLAs:
o SLAs strictly and violations are not avoided
 Advantages
o widely used at affordable costs
o deliver highly scalable and reliable applications
o no need for establishing infrastructure for setting up and maintaining the cloud.
o Strict SLAs are followed.
o There is no limit for the number of users
 Limitations
o Security
o Organizational autonomy are not possible.
Hybrid Cloud
 Combination of public, private and community cloud.
 Normally a vendor has a private cloud and forms a partnership with public cloud
provider or vice versa
Fig. 6.3.3 Hybrid Cloud

Characteristics of Hybrid Cloud
 Scalable:
– The hybrid cloud has the property of public cloud with a private cloud
environment and as the public cloud is scalable.
 Partially Secure:
– The private cloud is considered as secured and public cloud has high risk of
security breach.
27
 Stringent SLAs:
– Overall, the SLAs are more stringent than the private cloud and might be as per
the public cloud service providers.
 Complex Cloud Management:
– Cloud management is complex as it involves more than one type of deployment
models and also the number of users is high.
 Advantages
– highly scalable and gives the power of both private and public clouds.
– Provides better security than the public cloud.
 The limitation
– security features are not as good as the private cloud and complex to manage
Community Cloud
 exclusive use by a specific community of consumers from organizations that have
shared concerns
 owned, managed, and operated by one or more of the organizations in the community,
a third party or some combination of them
 may exist on or off premises
 suitable for organizations that cannot afford a private cloud and cannot rely on the
public cloud either
Characteristics of Community Cloud
Fig. 6.3.4 Community Cloud

 Collaborative and Distributive Maintenance:
– no single company has full control over the whole cloud.
28
– Usually distributive and hence better cooperation provides better results.

 Partially Secure:
– possibility that the data may be leaked from one organization to another, though
it is safe from the external world.
 Cost Effective:
– As the complete cloud is being shared by several organizations or community,
not only the responsibility gets shared; the community cloud becomes cost
effective too.
 Advantages of Community Clouds are as follows:
– Establishing a low-cost private cloud.
– Collaborative work on the cloud.
– Sharing of responsibilities among the organizations.
– better security than the public cloud.
 Limitation
– Autonomy of the organization is lost
– some of the security features are not as good as the private cloud
– Not suitable in the cases where there is no collaboration.
(b) Service Models of Cloud Computing
 Cloud computing is a model that enables the end users to access the shared pool of
resources such as computer, network, storage, database and application as an on-
demand service without the need to buy or own it.
 The services are provided and managed by the service provider, reducing the
management effort from the end user side.
Fig. 6.3.5 Cloud service Models
29
Fig. 6.3.6 Customer control in Cloud Service Models

Infrastructure as a Service (IaaS)
 A hardware-level service, provides computing resources such as processing power,
memory, storage, and networks for cloud users
 Changes the computing from a physical infrastructure to a virtual infrastructure through
virtual computing; storage;
 The IT architects need not maintain the physical servers
 Examples of IaaS Amazon Web Services (AWS), Google Compute Engine, OpenStack
and Eucalyptus.
Platform as a Service (PaaS)
 Deliver a computing platform including operating system, programming language
execution environment, database, and web server
 App developers can develop and run their software solutions on a cloud platform
without the cost and complexity of acquiring hardware /software
 For example- Google AppEngine, Windows Azure Compute etc
 Following are provided:
– Programming Language
– Application Frameworks:
– Database:
– Other Tools:
30
Software as a Service (SaaS)

 Provides ability to the end users to access an application over the Internet that is
hosted and managed by the cloud service provider.
 End users are exempted from managing or controlling an application the development
platform, and the underlying infrastructure.
 Delivered as an on-demand service over the Internet, there is no need to install the
software to the end-user’s devices.
 Provides users to access large variety of applications over Internet that are hosted on
service provider’s infrastructure
 E.g. Google Drive / Docs, online photo editing software
6.3.3 Security Frameworks in Cloud

A security framework is a coordinated system of tools and behaviours in order to monitor data
and transactions that are extended to where data utilization occurs, thereby providing end-to-
end security. The benefits of security frameworks are to protect vital processes and the
systems that provide those operations.
The leading frameworks and guidelines to meet regulatory requirements are as follows:
 Cyber Security Framework (NIST, 2013, 2014; SANS, 2016).
 Control Objectives for Information and Related Technology (COBIT 2019).
 Statement on Standards for Attestation Engagements 18 (SSAE 18) reports include
SOC 1,
 financial reporting; SOC 2, IT controls; and SOC 3, attestation.
 Cloud Security Alliance (CSA) provides comprehensive guidance on how to establish a
secure baseline for cloud operations. CSA maintains the Security, Trust and Assurance
Registry (STAR) cloud provider registry (CSA, 2015).
 General Data Protection Regulation (GDPR) lays down rules relating to the protection of
natural persons with regard to the processing of personal data and rules relating to the
free
 movement of personal data.
 ISO/IEC 17788:2014 provides an overview of cloud computing along with a set of terms
and definitions and is applicable to all types of organizations.
 ISO/IEC 27017:2015: Information technology — Security techniques — Code of
practice for information security controls based on ISO/IEC 27002 for cloud services. It
provides guidelines for information security controls applicable to the provision and use
31
of cloud services by providing additional implementation guidance for relevant controls

specified in ISO/IEC 27002 and additional controls with implementation guidance that
specifically relate to cloud services.
6.3.4 Impact on Audit and auditors

Cloud computing is transforming business IT services, but it also poses significant risks that
need to be planned for. The following are few of the additional areas of review for auditors:
 Does the organization’s strategy for the cloud link to the overall business strategy?
 Are the audit teams knowledgeable about the differences in cloud computing services
and do they apply the right approach to deliver effective audit coverage?
 Is there a clear understanding of the difference between the organization and the cloud,
and where the technology boundary starts and stops?
 What is the IT General Controls on the Cloud enforced by the organization?
 Have there been any independent audits / review of the Cloud environment?
 Are there periodical audits performed by the Cloud Service Provider and how are the
high-risk issues dealt with?
 Is the existing audit risk assessment process flexible enough to differentiate between
the ranges of cloud services that might be used?
 How does the audit work complement the wider supplier assessments that are
considering both third- and fourth-party risks?
 Has sufficient explanation been provided to key internal parties, including directors and
the audit committee, to highlight the business reasoning or impact of cloud provision?
 How will samples be selected and are there opportunities to employ data analytics,
either via the service provider or in-house, to enable complex analysis that caters for
peaks and troughs in provision?

Applications processed in the cloud have similar implications for the business as traditional
outsourcing. These include:
 Loss of business focus
 Solution failing to meet business and/or user requirements; not performing as expected;
or not integrating with strategic IT plan, information architecture and technology
direction
 Incorrect solution selected or significant missing requirements
32
 Contractual discrepancies and gaps between business expectations and service

provider capabilities
 Control gaps between processes performed by the service provider and the
organization
 Compromised system security
 Invalid transactions or transactions processed incorrectly
 Reduced system availability and questionable integrity of information
 Poor software quality, inadequate testing and high number of failures
 Failure to respond to relationship issues with optimal and approved decisions
 Unclear responsibilities and accountabilities
 Inaccurate billings
 Litigation, mediation or termination of the agreement, resulting in added costs and/or
business disruption and/or total loss of the organization
 Inability to satisfy audit/assurance charter and requirements of regulators or external
auditors
 Reputation
 Fraud
In addition to above, Cloud computing has certain specific risks:
 Greater dependency on third parties:
– Increased vulnerabilities in external interfaces
– Increased risks in aggregated data centres
– Immaturity of the service providers with the potential for service provider going
concern issues
– Increased reliance on independent assurance processes
 Increased complexity of compliance with laws and regulations:
– Greater magnitude of privacy risks
– Transborder flow of personally identifiable information
– Affecting contractual compliance
 Reliance on the Internet as the primary conduit to the organization’s data introduces:
33
– Security issues with a public environment

– Availability issues of Internet connectivity
 Due to the dynamic nature of cloud computing:
– The location of the processing facility may change according to load balancing
– The processing facility may be located across international boundaries
– Operating facilities may be shared with competitors
– Legal issues (liability, ownership, etc.) relating to differing laws in hosting
countries may put data at risk
Fig. 6.3.7 Risk and Challenges in Cloud Computing

Governance, generically, may be defined as an agreed-upon set of policies and standards,
which is:
 Based on a risk assessment and an-agreed upon framework,
 Inclusive of audit, measurement, and reporting procedures, as well as enforcement of
policies and standards.
In a multi-enterprise or multi-deployment cloud environment, participants agree to promote
and establish joint expectations for security and service levels. Governance will also define
34
the process for any response to a breach of protocol, and the set of decision makers who are
responsible for mitigation and communication.
The following are critical for having a Governance in place:
(a) Governance of Cloud Computing Services: Governance functions are established to
ensure effective and sustainable management processes that result in transparency of
business decisions, clear lines of responsibility, information security in alignment with
regulatory and customer organization standards, and accountability.
(b) Enterprise Risk Management: Risk management practices are implemented to
evaluate inherent risk within the cloud computing model, identify appropriate control
mechanisms and ensure that residual risk is within acceptable levels.
(c) IT Risk Management: A process to manage IT risk exists and is integrated into the
organization’s overall ERM framework. IT risk management metrics are available for
the information security function to manage risk within the risk appetite of the data
owner.
(d) Third-party Management: The customer recognizes the outsourced relationship with
the service provider. The customer understands its responsibilities for controls, and the
service provider has provided assurances of sustainability of those controls.
(e) Legal Compliance: The service provider and customer establish bilateral agreements
and procedures to ensure contractual obligations are satisfied, and these obligations
address the compliance requirements of both the customer and service provider. Legal
issues relating to functional, jurisdictional and contractual requirements are addressed
to protect both parties, and these issues are documented, approved and monitored. The
use of cloud computing should not invalidate or violate any customer compliance
requirements.
(f) Right to Audit: The right to audit is clearly defined and satisfies the assurance
requirements of the customer’s board of directors, audit charter, external auditors and
any regulators having jurisdiction over the customer.
(g) Certifications: Service provider security assurance is provided through ISO 27001
Certification.
(h) Service Transition Planning: Planning for the migration of data, such as meta data
and access, is essential to reducing operational and financial risk at the end of the
contract. The transition of services should be considered at the beginning of contract
negotiations.

Cloud computing provides a host of opportunities. A few of them are detailed below:
35
(a) Assessment with respect to costs and benefits on migration to cloud versus in-house
tools
(b) Cloud based solution Implementation for clients
(c) Assessment on the model of cloud to be deployed and the variants for the same.
(d) Consulting with respect to the migration from traditional facilities to cloud based
infrastructure.
(e) Training to the user staff as regards the operating of these facilities;
(f) IT audit of these facilities
36
6.4 Data Analytics

6.4.1 Meaning
Data Analytics is defined as the science of examining raw and unprocessed data with the
intention of drawing conclusions from the information thus derived. It involves a series of
processes and techniques designed to take the initial data sanitizing the data, removing any
irregular or distorting elements and transforming it into a form appropriate for analysis so as to
facilitate decision-making.
In simple terms, data analytics refers to the science of examining raw data with the purpose of
drawing conclusions about that information.
From an accountant’s perspective Data Analytics is a generic term for Computer Assisted
Audit Tools and Techniques (CAATTs) and covers the collection of tools, techniques and best
practices to access and analyse digital data. Data Analytics empowers auditors to use
technology to audit digital data thereby giving access to 100% of the data and to analyse data
to infer insights from information. Data Analytics enables auditors to optimise audit time and
add value.
There are two types of professionals in the field of Data Analytics.
1. The Data Scientist whose focus is on use of various statistical techniques to data. He/
she is involved in developing intelligent applications, which help users to draw inference from
data.
2. The Data Analyst whose focus is on drawing insights from data from a business
perspective. He/she is a business domain expert who uses simple/easily available features of
MS Excel, application software, querying tools, utilities or data analytics to access, analyze
and interrogate data.
Developing functionality using memory power and speed of technology, to access and analyse
massive amounts of data is the job of data scientist. However, what query is to be run on what
data and how to draw inference as applicable to real life situations is the job of CAs/Data
Analysts.
Common Terminologies Used in Data Analytics
 Data Warehouse
It is electronic storage of large amount of data collected from varied sources to provide
meaningful business insights. It is separate from Transactional databases. It is also known as
Decision Support Database or Executive Information System. It has three components:
- Data sources from operational systems such as ERP, CRM, SCM, Excel
- Data Staging Area when data is cleaned and ordered
- Data Access Area where data is warehoused & presented
37
Example – Airlines use it to analyse route profitability, Retail chains use it for tracking
customer buying patterns, Banking uses it to analyse the performance of its product.
Data Warehouse is an architecture and Big Data is a technology to handle huge data. If an
organization wants to know what is going on in its operations or next year planning based on
current year performance data etc – it is preferable to choose data warehousing as it needs
reliable data.
If organization needs to compare with a lot of big data, which contain valuable information and
help them to take a better decision like how to lead more revenue or more profitability or more
customers etc, they obviously preferred Big Data approach.
 DATA MARTS
These are the subsets of Data Warehouse used by specific business groups like HR, Finance,
Sales, Inventory, Procurement & Resourcing. They are much smaller than Data Warehouses
and usually controlled by a specific department.
 BUSINESS INTELLIGENCE (BI)
It encompasses a variety of data analysis tools & applications that access the data within Data
Warehouse and creates reports & dashboards used in decision making
 DATABASE
It is generally used to capture and store data from a single source, such as an invoice
transactional system. Databases aren’t designed to run across very large data sets.
 DATA LAKE
It is a central storage for all kinds of structured, semi structured or unstructured raw data
collected from multiple sources even outside of company’s operational systems.
Therefore, it is not a good fit for average business analytics but used as a playground by Data
Scientists & other data experts as it allows more types of data analytics. It can be used for text
searches, machine learning & real-time analytics.
 DATA SCIENCE
It is a combination of three skills: Statistical/Mathematical, Coding & Domain/Business
knowledge.
Types of data analytics
1. Descriptive Analytics: provides insight based on past information. It is used in the
report generation, providing basic editor function along with the horizontal and vertical
analysis of financial statement.
2. Diagnostic Analytics: examines the cause of past result and is used in variance
analysis and interactive dashboards to examine the causes of past outcome.
38
3. Predictive Analytics: assist in understanding the future and provide foresight by

identifying pattern in historical data. It can be used to predict an accounts receivable balance
and collection period for each customer and to develop models with indicators that prevent
control failures.
4. Prescriptive analytics: analytics assist in identifying the best option to choose to
achieve the desired outcome through optimization techniques and machine learning.
Prescriptive Analytics is used in identify actions to reduce the collection period of accounts
receivable and to optimize the use of payable discounts.
5. Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI.
Fig 6.4.1 : Evolution of Analytics and linkage with AI

Data Analytics Functions
The below are a few of the Data Analytics Functions along with a few illustrations on where
these could be applied in the field of audit:
# Type of Description Where to Apply
Function
1 Column Displays column-wise statistics of all To Profile and analyse data
Statistics numeric, date and numeric, date and at a Macro Level
character columns
2 Identify Identify Duplicates in a series of data Identify Duplicate POs,
Duplicates & or displays all successive numeric Duplicate Vendor Payments,
Gaps numbers with defined intervals Duplicate Vendors, Payments
without descriptions
3 Same-Same Identify Duplicates in a series of data Identify Duplicates based on
which have certain fields which are same GSTN, different
39
Different common and certain fields which are location, name etc
different
4 Pareto Displays items in two separate tabs of Profiling Payments into High,
80:20 Medium & Low
5 ABC Analysis Displays items in three separate
categories as per the same
percentage given for each category.
6 Quadrant / Displays items in four quadrants as
Pattern per the specific same percentage
Analysis given for each category.
7 Relative Size Displays the variation between highest Deriving vendor ratio of
Factor (RSF) value and 2nd highest value (in terms highest and 2nd highest bill
of difference and proportion). and check ratios beyond a
"x%"
8 Max Variance Displays the variation between highest Deriving vendor ratio of
Factor (MVF) and lowest value (in terms of highest and least bill and
difference and proportion). check ratios beyond a "x%"
9 Benford Law Displays variance in patterns of Identify Payments which fall
numeric data based on Benford Law as an exception to Benford's
for first digit beginning with 1 to 9. Law
It states that lists of numbers from

many real-life sources of data are
distributed
in a specific and non-uniform way.
Number 1 appears about 30% of the
time. Subsequently the number 2
occurs
less frequently, number 3, number 4,
all the way down to 9 which occurs
less than once in twenty
10 Authentication Compare & Verify if the amounts Verify Segregation of Duties,
Check processed are within the limits and instances of exceeding limits
approval hierarchy.
11 Pivot Table / Summarizes data by sorting, Summarise and reporting
averaging, or summing and grouping payments based on defined
40
MIS the raw data rules

MIS can summarise by criteria such as
day, day of the week, month etc.
12 Outliers Displays instances of transactions Identify Payments beyond "x"
beyond "x" times the average, mean, times the average, standard
standard deviation etc deviation etc.
13 Sounds Like / Identify vendors with similar names, Identify duplicate / fake
Soundex / which sound same based on the Vendors created
Fuzzy Match phonetics
14 Aging Analysis Computes difference of selected two Identify cases of payments
date columns & stratifies on specified made beyond a specified
intervals for computed date difference. date
15 Trendlines Displays trendline as per different
rules configured using sparklines or
chart.
16 3-Way Displays records after joining data Identify cases of mismatch
Matching from up to three worksheets based on between PO, RR and
common/ uncommon column values. Payment
17 Analytical Displays the difference between Analyse the quantitative and
Review values of two numeric columns in other related information
number and in percentage.
18 Back-Dated Identify back-dated entries, Identify instances of prior
Entries duplicates/gaps based on selected period payments and other
numeric/alphanumeric field related to related checks
date field based
19 Beneish M- The Beneish model is a statistical Identify exceptions to the
Score model that uses financial ratios Benish Score and analyse
calculated with accounting data of a further
specific company in order to check if it
is likely that the reported earnings of
the company have been manipulated
20 Identify Displays records that do not match a Identify transactions which do
Outliers by defined mask where 'C' represents not follow a specific pattern.
Masks characters and 'N' represents
numbers.
41
21 Sampling Perform Sampling by Outliers, Sample based on exceptions

Characters, Numeric, Risk weightage, to test the controls and
statistics, quadrants, clusters, interval perform substantive
procedures
22 Splitting Multiple vouchers raised on same date Identify policy exceptions
Vouchers or similar dates having cumulatively
are higher than the approval limit
23 Rounding off Identify high value and round sum
vouchers
24 Weekend Identify entries / payments made on
Payments weekends
25 Vouchers with Identifying vouchers of different fields
Blank which are blank
Reference and
Narrations
Steps involved in applying Analytics on Data

1. Curate / Cleansing the Data – refers to transforming data in standard structure to be
usable for data analytics as required. This includes specific functions for cleaning data by
removing specific characters, transforming data, deleting specific data and transposing data.
2. Profile the Data– refers to the act of analyzing the data contents to get an overall
perspective data. This helps in validating data at a macro level and assessing whether data is
correct and complete.
3. Analyze the Data– refers to examining the data in detail to discover essential features
by breaking data into specific components by grouping, identifying and reviewing specific
features. This includes functions for identifying gaps/duplicates, unique, outliers, format, and
changes between two sets of data, sampling, filtering, split data and fuzzy match.
4. Investigate - refers to observing or querying the data in detail. This involves systematic
examination of data by making a detailed inquiry or search to discover facts and insights to be
arrive at a conclusion. This includes functions for advanced analysis such as Pareto, ABC,
Quadrant, Cluster, MIS, Statistical, querying data; consolidate/ collate data, Relative Size
Factor, Benford Law and relating, comparing and joining files based on specific criteria.
5. Document – refers to automatically documenting functions performed using data
analytics software. This includes functions such as rerun, refresh, audit log, indexing, etc.
42
Examples of Data Analytics software and Testing tools

The value of Data Analytics is in what it brings through its effective implementation. Data
Analytics can be performed using various types of software such as:
 MS Excel: Spreadsheet software of Microsoft has various features useful for auditors.
 General Audit Software: Add-in for MS Excel with specific CAAT functions. Examples
include eCAAT, Power BI (limited features)
 General Audit Software: Data Analysis Software with specific CAAT functions.
Examples include eCAAT, Tableau, Knime, IDEA, ACL etc.
 Application Software: Standard and Ad-hoc Reporting and Query features available or
specific functionalities designed for auditors. Example Audit modules in certain
applications / ERP have a few Data Analytics features.
 Specialized Audit Software: Audit software designed to work in specific software.
Advance tools for Analytics
1. Hadoop - open source cloud computing platform allows storage & processing of
massive amount of data
2. R programming – open source programming language software that provides data
scientists with a variety of features of analyzing data.
3. Python programming – very powerful, open source and flexible programming language
that is easy to learn, use and has powerful libraries for data manipulation, management
and analysis.
4. Matlab – its simplest syntax is easy to learn and resembles C or C++
5. Julia – is a new programming language that can fill the gaps with respect to improving
visualization and libraries for data analytics.

1. BFSI - Banks and financial services firms use analytics to differentiate fraudulent
transactions from legitimate business transactions. By applying analytics and machine
learning, they can define normal activity based on a customer’s history and distinguish it from
unusual behaviour indicating fraud. The analysis systems suggest immediate actions, such as
blocking irregular transactions, which stops fraud before it occurs and improves profitability.
2. Compliance and Regulation - Financial services firms operate under a
heavy regulatory framework, which requires significant levels of monitoring and reporting and
requires deal monitoring and documentation of the details of every trade. This data is used for
trade surveillance that recognizes abnormal trading patterns.
43
6.4.3 Use Cases

Uber is a popular smartphone application that allows you to book a cab. Uber makes
extensive use of big data. Uber has to maintain a large database of drivers, customers, and
several other records. It is therefore, rooted in Big Data and makes use of it to derive insights
and provide the best services to its users. Uber shares the big data principle with
crowdsourcing. That is, registered drivers in the area can help anyone who wants to go
somewhere.
Uber contains a database of drivers. Therefore, whenever you hail for a cab, Uber matches
your profile with the most suitable driver. It calculates the time taken through various
algorithms that also make use of data related to traffic density and weather conditions.
Uber makes the best use of data science to calculate its surge pricing. When there are less
drivers available to more riders, the price of the ride goes up and if the demand for Uber rides
is less, then Uber charges a lower rate. This dynamic pricing is rooted in Big Data and makes
excellent usage of data science to calculate the fares based on the parameters.

The larger audit firms and increasingly smaller firms utilize data analytics as part of their audit
offering to reduce risk and to add value to the client. Bigger firms often have the resources to
create their own data analytics platforms whereas smaller firms may opt to acquire an off the
shelf package. There is no one universal audit data analytics tool but there are many forms
developed in house by firms. These tools are generally developed by specialist staff and use
visual methods such as graphs to present data to help identify trends and correlations.
For auditors, the main driver of using data analytics is to improve audit quality. It allows
auditors to more effectively audit the large amounts of data held and processed in IT systems
in larger clients. Auditors can extract and manipulate client data and analyses it. By doing so
they can better understand the client’s information and better identify the risks. Data analytics
tools have the power to turn all the data into pre-structured forms/presentations that are
understandable to both auditors and clients and even to generate audit programs tailored to
client-specific risks or to provide data directly into computerized audit procedures thus
allowing the auditor to more efficiently arrive at the result.
Using Data Analytics for assurance requires understanding of business processes and
application of relevant techniques to specific areas of control to identify conformances,
deviations, exceptions and variances in the digital data being audited. For example, when data
analytics is used to obtain audit evidence in a financial statement audit, it is used for:
 Discovering and analyzing patterns, deviations and inconsistencies, and
 Extracting other useful information in the underlying or related data through analysis,
44
 Modelling and Visualization for the purpose of planning or performing the audit.
Financial Statement Assertions can be evaluated by auditors by using data analytics on the
relevant digital data. For example, financial data can be evaluated for:
 Completeness: Whether all transactions and the resulting information are complete.
 Accuracy: Whether all transactions are processed accurately and as intended and the
resulting information is accurate.
 Validity: Whether only valid transactions are processed, and the resulting information is
valid.
 Authorization: Whether only appropriately authorized transactions have been
processed.
 Segregation of duties: Whether controls regarding appropriate segregation of duties and
responsibilities as defined by management are working as envisaged.
 Compliance: Whether all applicable compliances are complied with, within the required
timeframe.
 Cut off: Whether only the transactions for the period which they belong are accounted.

The introduction of data analytics for audit firms isn’t without challenges to overcome. At
present there is no specific regulation or guidance which covers all the uses of data analytics
within an audit and this results in difficulty establishing quality guidelines. Other issues which
can arise with the introduction of data analytics as an audit tool include:
• Data privacy and confidentiality -the copying and storage of client data risks breach of
confidentiality and data protection laws as the audit firm now stores a copy of large
amounts of detailed client data. This data could be misused by the firms or illegal
access obtained if the firm’s data security is weak or hacked which may result in serious
legal and reputational consequences
• Completeness and integrity of the extracted client data may not be guaranteed-
specialists are often required to perform the extraction and there may be limitations to
the data extraction where either the firm does not have the appropriate tools or
understanding of the client data to ensure that all data is collected. This may especially
be the case where multiple data systems are used by a client.
• Compatibility issues with client systems may render standard tests ineffective if data is
not available in the expected formats
• Audit staff may not be competent to understand the exact nature of the data and output
to draw appropriate conclusions, training will need to be provided which can be
expensive
45
• Insufficient or inappropriate evidence retained on file due to failure to understand or

document the procedures and inputs fully. For example, a screen shot on file of the
results of an audit procedure performed by the data analytic tool may not record the
input conditions and detail of the testing.
• The data obtained must be held for several years in a form which can be retested. As
large volumes will be required firms may need to invest in hardware to support such
storage or outsource data storage which compounds the risk of lost data or privacy
issues
• An expectation gap among stakeholders who think that because the auditor is testing
100% of transactions in a specific area, the client’s data must be 100% correct.

Organizations in industries across the world are shifting their strategies because of data.
Google, Netflix or Amazon, for example. With a data driven approach in mind, companies are
looking to hire people to manage their data and uncover the value and meaning behind the
information they are collecting. As such, data-driven career opportunities and careers in data
analytics abound for people with data analysis skills.
Chartered Accountants having a domain expertise in the field of finance, audit, taxes and
compliance should now equip themselves with these tools and skill sets. This will enable them
to audit digital data with ease, save time and provide value added services to clients. Since
Analytics is utilized in varied fields, there are numerous job titles which are coming into
picture:
• Analytics Business Consultant
• Analytics Architect / Engineer
• Business Intelligence and Analytics Consultant
• Metrics and Analytics Specialist
• Preparation of MIS and Dashboards including Visualization Solutions
• Monitor tracking of Key Performance Indicators (KPIs) and Key Result Areas (KRAs).
Chartered Accountants should be aware that Data Analytics can be used, not just in
Assurance or for assisting in Compliance, it could open a huge world of opportunities beyond
that.
46
6.5 Internet of Things

6.5.1 Meaning
The internet of things, or IoT, is a system of interrelated computing devices, mechanical and
digital machines, objects, animals or people that are provided with unique identifiers (UIDs)
and the ability to transfer data over a network without requiring human-to-human or human-to-
computer interaction.
How it works?
An IoT ecosystem consists of web-enabled smart devices that use embedded processors,
sensors and communication hardware to collect, send and act on data they acquire from their
environments. IoT devices, share the data collected through sensors by connecting to an IoT
gateway or other edge device. From these devices the data is either sent to the cloud to be
analysed or analysed locally. Sometimes, these devices communicate with other related
devices and act on the information they get from one another. The devices do most of the
work without human intervention, although people can interact with the devices for instance, to
set them up, give them instructions or access the data.
The connectivity, networking and communication protocols used with these web-enabled
devices largely depend on the specific IoT applications deployed.
Fig. 6.5.1 IoT Systems
47
Benefits of IoT
The internet of things offers a number of benefits to organizations, enabling them to:
• Monitor their overall business processes;
• Improve the customer experience;
• Save time and money;
• Enhance employee productivity;
• Integrate and adapt business models;
• Make better business decisions; and
• Generate more revenue.
IoT encourages companies to rethink the ways they approach their businesses, industries and
markets and gives them the tools to improve their business strategies.
Advantages of IoT
1. Improved business insight and customer experience – companies are gaining much
greater insights into their business operations and how their customers use their products or
services. When a company understands how its customers use its products, they can better
fulfill their needs and improve the customer experience.
Example: In a shopping environment, IoT is all about reducing friction in the buying
experience and helping customers to interact with products, often in a virtual or augmented
reality environment, pre-purchase. And as with many customer-facing types of IoT
implementation, there are other benefits too: improved stock/inventory control and supply
chain management, for example, as reams of data is gathered about popular products and up-
or cross-selling opportunities.
2. Efficiency and productivity gains - Employees at Ford’s Valencia Engine Assembly
Plant in Spain are using a special suit equipped with body-tracking technology.
The technology is similar to the motion-tracking systems that record how athletes sprint or
turn, or actors move and speak. Ford has been using the same type of technology to design
less physically stressful workstations to enhance its manufacturing processes. By accurately
tracking its workers’ movements, Ford is enabling data-driven changes to its vehicle
production processes, making them safer and more efficient.
3. Asset tracking and waste reduction - Closely linked to efficiency and productivity is
the drive to reduce waste, to which IoT tracking is integral. The more IoT components in a
business operation, the more it stands to benefit from IoT implementation.
48
4. Cost and downtime reductions - One of the benefits of these new insights is often a
reduction in operational expenditure and downtime. For example, the rapid emergence of
digital twin technology - digital models of physical assets built from real-time data, either in
pure data form or as exportable 3D representations - is a key competitive differentiator in
industrial IoT applications.
5. Newer business models - IoT revolve around efficiency, productivity, and process
monitoring and companies recognize the scope for it to provide them with information about
their customers and how they use their products. The IoT also allows organizations to move
away from conventional business models to new revenue streams. The data acquired often
holds value in itself, but, more significantly, customers can be offered subscription-based
services that draw on the connected nature of the company’s products, often offsetting the
initial cost of entry.

 Inventory Tracking and Management
IoT inventions can help you in tracking and managing inventory by giving you automatically
controlled options. IoT software and devices can be installed in your storage units and
warehouses, which can help in managing inventory changes while your personnel can invest
their time in more cognitively demanding tasks.
 Fraud prevention
Fraud prevention is a primary concern for financial institutions, which constantly invest in and
seek new ways of curbing misuse of their offerings. Major financial corporations have already
successfully implemented AI based anti-fraud systems. With fraud prevention having such a
high priority, IoT will be a definite game changer in this area.
Misuse of debit/credit cards can be prevented by having IoT enabled security systems at
points of use, such as ATMs, which have more personal and secure methods of authorization.
 Optimized capacity management
Banks constantly aim to expand their network of offices and ATMs, while managing the
existing units with maximum efficiency. Using IoT enabled monitoring to track the number of
customer units per day, the average queue time can be measured to determine the optimal
number of personnel and counters at each branch. Decisions regarding new branches can
also be made easier by using the distribution data of customers with respect to location. The
same can be done to optimize the number and location of cash dispensing machines based on
usage.
49
6.5.3 Use Cases

1. DeTect Technologies an IoT start-up, focuses on asset integrity management,
especially in the conventional oil and gas industry, and has built a unique, patented
technology for pipeline condition monitoring in real-time using a long-range ultrasonic sensor
for temperatures of up to 350 degrees Celsius. The solution helps reduce productivity losses
due to a breach. The company also offers Noctuan intelligent solution for structural health
monitoring on hard-to-reach assets such as stacks, columns, pipe racks, vessels, tanks,
boilers, chimneys etc, and has several Fortune 500 companies as its clients.
2. TagBox uses IoT automation and analytics as the foundation of its cold chain supply
business. It helps clients create reliable and sustainable cold chains through comprehensive
solutions that use IoT, advanced analytics, as well as automation and control, which gives
real-time visibility of the entire cold chain (cold storage, cold transit and retail refrigeration).
This helps reduce product spoilage, helps meet compliance requirements, cuts energy costs,
prevents theft and pilferage, decreases cargo insurance premiums, and optimizes
transportation costs.
Source: yourstory.com
6.5.4 IoT and Smart Cities

Ever since the concept of a smart city was introduced, IoT (Internet of Things) has been
considered the key infrastructure in a smart city. While the perspective of “smart city” differs
from region to region and country to country, it is generally understood as using information
and communication technologies (ICT) to solve the various urbanisation challenges starting
from lighting, parking, traffic management, housing and urban development, waste
management, sewage treatment etc. It can be described in a wide sense as the convergence
of ICT, the ecological environment, energy technologies, and support facilities within urban
and residential environments.
50
Fig. 6.5.2 Few of the applications of IoT in Smart Cities. Source: Internet
Few Benefits of IoT in creating Smart Cities

 Better Management of traffic and reduced congestion on roads
 Improved crime detection and surveillance
 Reduction in pollution
 Savings in Power and electricity
 Improvised safety for citizens
 Increased efficiency in parking
 Better waste and sewage management

 With IoT assisted accounting, CAs would be able to automatically receive all associated
data through a digital system, which could help CAs gain access to real-time
transactional data, along with many controls and exposures in the existing operations,
increasing the need for continuous auditing processes. This will also allow a wider and
more comprehensible risk evaluation, which will help to quicken issue assessment and
51
remediation. It will also offer real-time management which will enable businesses and
CAs alike to respond to issues immediately.
 IoT makes it easier for organizations to keep tabs on their resources, in relation to
Inventory and Assets, and that has direct implications for the accountants who are
responsible for overseeing the budget and its relation to assets.
 IoT also helps in reducing time lapse between an event and its recording for more
timely decision making and facilitating assessment of process-driven activities.
 With IoT in place, there would be more data, more action, more observation, and
reduction of immediate direct human impact.
 Technologies such as Drone can help gathering evidences to support assertions and
perform audit much faster and in fact in real time. This could be used for physical
verification of inventory, assessing the mines and quarries etc.
 IoT based automation and intelligent systems can ensure that the presence of
personnel is detected and their physical appearance checked for ensuring the safety
measures have been taken care by the worker, every check conducted leaves an audit
trail and if there are exceptions found and alarms raised with evidences. Also, if the
situation got corrected the issue or alarm raised could get closed. No longer there may
be a need for any such evidences of compliance as the compliance is ensured
automatically.
 IoT cloud-based workplace and process enhancements will lead to ground-breaking
transformations. The workplace is now touted to be commonplace for humans as well
as robots to work together. The raw materials needed get demanded or pulled from the
repositories or warehouses based on the jobs at hand and planned for the day. The raw
materials automatically routed to the place of work. Every step moved ahead in the
workflow gets detected or communicated to get additional inputs and take the outputs to
the next step in the process. This kind of a self-managed factory setup will have the all
the statistics and logs around the process already created and available.
 Quality will hardly need any sample checks as all the items will go through a
compulsory test. Every item would have its own set of quality requirements embedded
and would reach out to instruments which can verify a specific parameter; thus, each
end product would have its size verified by a machine, based on the specifications
embedded.
 The documentation is one thing that may be solved on its own since the workflow or
process maps which would be used for automation themselves are good enough
documentation. Also, the need for documentation now gets reduced from instructional
purposes since it is the IoT data, which drives the processes.
52

 Software updates and patches – the time for a patch to be released may be longer
than the typical cycle for non-IoT devices (if a patch is released at all). Enterprises as
well as individual consumers can review an IoT vendor’s website to determine
frequency of patches and compare the schedule against vulnerability dates using a
Common Vulnerabilities and Exposures database. This comparison can provide a level
of assurance that third-party software developers have adequate policies regarding
vulnerability assessment and patching.
 Hardware lifespan – IoT devices have their own life cycle, often with built-in
obsolescence. Components like non-replaceable batteries in IoT devices require life
cycle planning and asset-management processes specific to IoT.
 Security and privacy issues – IoT promises to provide unprecedented and ubiquitous
access to the devices that make up everything from assembly lines, health and
wellness devices, and transportation systems to weather sensors. Unfettered access to
that much data poses major security and privacy challenges, including:
• Insufficient authentication/authorization—a huge number of users and devices rely on
weak and simple passwords and authorizations. Many devices accept passwords such
as “1234.”
• Lack of transport level encryption—most devices fail to encrypt data that are being
transferred, even when the devices are using the Internet.
• Insecure web/mobile interface—most IoT-based solutions have a web/mobile interface
for device management or for consumption of aggregated data. This web interface is
found to be prone to the Open Web Application Security Project (OWASP) Top 10
vulnerabilities, such as poor session management, weak credentials and cross-site
scripting vulnerabilities.
• Default credentials—most devices and sensors are configured to use the default
username/passwords.
• Lack of secure code practices—services and business logic would be developed
without adhering to secure coding practices.
• Privacy concerns—devices used in the health care domain collect at least one piece of
personal information; the majority of devices collect details such as username and date
of birth. Privacy risk arises as the objects within the IoT collect and aggregate
fragments of data that relate to their service. For example, the regular purchase of
different food types may divulge the religion or health information of the buyer. This is
one of the aspects of privacy challenges with respect to IoT.
53
Challenges
There are many challenges facing the implementation of IoT. The scale of IoT application
services is large, covers different domains and involves multiple ownership entities. There is a
need for a trust framework to enable users of the system to have confidence that the
information and services are being exchanged in a secure environment.
 Insecure web interface
 Insufficient authentication/authorization
 Insecure network services
 Lack of transport encryption
 Privacy concerns
 Insecure cloud interface
 Insecure mobile interface
 Insufficient security configurability
 Insecure software/firmware
 Poor physical security

IoT solutions are complex. The integration of connected devices and IT services poses major
challenges in networking, communication, data volume, real-time data analysis, and security.
IoT solutions involve many different technologies and require complex development cycles,
including significant testing and ongoing monitoring.
To overcome these challenges, IT organizations must:
 Develop a comprehensive technical strategy to address the complexity
 Develop a reference architecture for their IoT solution
 Develop required skills to design, develop, and deploy the solution
 Define your IoT governance processes and policies
IoT solution governance can be viewed as the application of business governance, IT
governance, and enterprise architecture (EA) governance. In effect, IoT governance is an
extension to IT governance, where IoT governance is specifically focused on the lifecycle of
IoT devices, data managed by the IoT solution, and IoT applications in an organization’s IT
landscape. IoT governance defines the changes to IT governance to ensure the concepts and
principles for its distributed architecture are managed appropriately and are able to deliver on
the stated business goals.
54

IoT will bring CAs new opportunities for client service in the areas of business process design
and data analysis. Clients will need CAs to help set up accounting and recording systems,
such as dashboards that aggregate data received from the IoT.
CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry
want assurance that information and systems will be private. When the IoT takes off, CAs will
be asked to give their professional opinions on the systems that third parties rely on, unlike
today where we are only asked for assurance in special circumstances
55
6.6 Robotic Process Automation

6.6.1 Meaning
Robotic process automation is the term used for software tool that automates human activities
that are manual, rule-based and repetitive. They work by replicating the actions of a human
interacting with software applications to perform tasks such as data entry, process standard
transactions.
It is a computer coded software, programs that perform repeated tasks based on rules
defined, and can work across functions and applications.
Example: A process of reviewing the approved time sheet and raising the invoice in the ERP
to the appropriate client and sending an email to the client and following up as a part of
receivable management could be automated as the process is standardised and reasonably
repetitive.
Fig. 6.6.1 Robotic Process Automation

A few of the key objective of implementing RPA are as follows:
 Improve accuracy
 Reduction of monotonous work
 Higher efficiency
 Manage controls
 Skill upgradation of personnel
 Cost saving
 Improve customer experience
56

These are few instances / examples in Finance
1. Banks have “appointed” RPA software robots to take up the complete responsibility of
the initiating a credit card application, to gather all the required documents from the
individuals, make the necessary credit checks, background checks on itself, decision making
whether or not an individual is eligible for a credit card based on the details that are provided
in the step earlier, issue a new card if they are eligible and on successful delivery of the card
the case can be closed. The whole process is so systematic that this can be easily handed to
the RPA software robots comfortably.
2. E-Commerce websites and Logistics companies can reap loads of benefits from the
RPA software robots as these kinds of activities can be fully automated without the
intervention of any human being at all. Since these details can be fetched from the provider
databases and the shipments can be tracked for delivery over GPS, this can comfortably be
automated.
3. RPA is being used to manage the KYC authentication and to update the regular
processing of the customers / vendors / employee’s documentation. This will ensure faster
processing of the transactions, quick and error-free results and at the same time improve
efficiency of the process.
6.6.3 Use Cases

ICICI Bank, one of India’s major financial institutions, started its automation journey in 2016. It
was one of the first private lenders to adopt software robotics on such a large scale. Using
robotic process automation (RPA), the bank’s operations department deployed 200 robotics
software programs. The development helped the ICICI Bank to process around 10 lakh
transactions per day. Today, the RPA is helping to process more than 2 million transactions
daily.

While there is a need to understand the impact of any technology from an audit perspective,
the following are the areas where auditors should concentrate:
 Need to understand technology
 Opportunity to influence control design
 Potential to increase audit efficiency
 Free up capacity to focus on higher priorities
 Enhance ability to add valuable insight
 Need to develop new testing approaches
57
 Consider for changes to internal audit staffing model

Robotic Process Automation like all technology and innovation initiatives come with disruption
and risks associated.
1. RPA strategy risks: RPA is a powerful technology that can drive innovation, improve
customer service and maximize competitiveness for its organizational adopters, but often
businesses fail to deliver its full value by setting up the wrong goals and expectations, or
misusing it for one-off, isolated areas. These can lead to under-resourcing the RPA initiative,
inhibiting it from reaching its full potential.
2. Tool selection risks: Just like cloud washing, RPA-washing can be a real risk due to
the market hype. Many vendors claim automation capabilities that lack basics. For example,
some vendors just offer screen-scraping which can lead to high maintenance for error
correction or changes if it lacks full screen automation features. Due to its nuance, companies
can end up often times choosing the wrong tool/s for their needs.
3. Launch/project risks: To mitigate risks of a project launch fail, organizations would
need to prevent technical failures and financial failures. For example, companies that choose
to adopt RPA in departments with the most headcount in order to generate more savings fail
due to large load of changing processes and exception handling.
4. Operational/execution risks: Operational risks occur when robots get deployed into
operations without a proper operating model. If enterprises don't define roles, and rush into
training, responsibilities can be blurred when bots go into production, humans can find
themselves confused on their roles.
RPA Challenges
1. Shortage of skilled resources – RPA is booming with the increase in the requirements
of today’s market, but, however, there is a shortage of skilled resources in the RPA market.
Procuring resources while starting a new project and back filling a key resource in case of
attrition poses a great threat to the success of any project. Also, RPA professionals with
extensive experience expect lucrative packages, which might not be financially viable for
some of the companies.
2. Lack of proper team structure - Dedicated teams with clearly defined roles for each
and every individual to ensure the hand-offs happen on time with the expected standards.
Lack of adequate knowledge about the processes to be followed and sharing of resources
between multiple projects poses a risk in achieving the set milestones for RPA projects.
3. Unable to automate end-to-end cases - In some of the processes, not all the steps
can be automated directly by using rule-based RPA tools. Instead it would require integration
with Machine learning algorithms, and OCR engines. However, these additional technology
58
components will cost extra money and skill set which might not produce the expected results
to the business leaders.
4. Vaguely defined business continuity plans - The expectation about RPA projects is
set in such a way that once the bots are deployed in production, there should be minimum to
no maintenance required to ensure smooth delivery. However, the reality is that it does
require maintenance in terms of identification of new unhandled scenarios during bot
execution. Issues are faced in production environments, defining bot execution schedules
based on requirements from multiple business units operating from different time zones and
mitigation plans during major failures.

A governance structure that defines roles and responsibilities for automation activities will help
deliver successful RPA initiatives.
Key elements include:
1. Ownership – involve legal, risk, IT and other teams that are involved in the process
due to automated. It includes process-specific subject matter expert (SMEs) for insight in the
process nuances.
2. Deployment framework – calibrate production and development environments to
ensure smooth RPA deployment. Ensure IT is aware of RPA, enabled processes. Ensure
change management process is in place.
3. Operational risk/ data security – create a cross-functional team to clear temporary
backlogs in case of bot failure and maintain people in critical processes for error free delivery.
4. Enterprise management – communicate the benefits: RPA helps to eliminate
repetitive, non-value- adding tasks so employees can make greater impact in their roles.
Involve HR to support employee’s up-skilling, which increases employee morale and improve
productivity. Employees should be prepared to work along with the software robots.
5. RPA Vision/roadmap – create a center of excellence (COE) early in the journey to
accelerate adoption of RPA across the enterprise. Set deadlines for achieving intelligent
automation to leverage the full value of automation.

Many exciting new jobs will be created by RPA as automation will require a new type of skill
set. The creation of new types of job opportunities will outweigh the displaced jobs. This
research validates the confidence in the creation of new types of industries requiring new
kinds of functions and skills.
The McKinsey Global Institute estimated in its December 2017 reports that by 2030,
59
automation will drive between 75 and 375 million people to reskill themselves and switch
occupations.
Robotic Process Automation (RPA) is not replacing accountants but evolving their role and
augmenting their effectiveness through automation. It is a progressive, positive, and
necessary shift that is creating the digital workspace for accounting and finance professionals
to focus on the greatest value they can provide to their organisation.
Source / References
 https://www.isaca.org/pages/default.aspx
 https://www.aicpa.org/
 https://www.cimaglobal.com/
 https://www.accaglobal.com/in/en.html
 https://www.nist.gov/
 Various Blogs on the Internet
Recommended Reading
 ICAI Publication on "Guide to Cloud Computing for Accountants"
 ICAI "E- learning on Robotics Process Automation"
 ICAI Concept Paper on "Blockchain Technology - Adoption Trends and Implications for
Accountancy Profession"
 ICAI Concept Paper on "Embracing Robotic Process Automation - Opportunities and
Challenges for Accountancy Profession"
 Webinars organized by Digital Accounting and Assurance Board of ICAI
 ICAI Journals
 ISACA Publications / Tech Briefs on Emerging Technologies
 ISACA Audit Programs on Emerging Technologies
MCQs
1. What does P2P technology stand for?
a. Password to Password
b. Peer to Peer
60
c. Product to Product
d. Private Key to Public Key
2. What is Blockchain?
a. A distributed ledger on a peer to peer network
b. A type of cryptocurrency
c. An exchange
d. A centralized ledger
3. Which of the following is not a step involved in RPA?
a. Preparation of project
b. Development of business cases
c. Implementation of RPA
d. Data Cleaning
4. Which of the following statements about RPA is false?
a. It is walking talking robot
b. It is a computer coded software
c. These are programs that replace human repetitive tasks
d. These perform in cross functional platforms
5. Which of the following is a system of inter-connected and inter-related computing
devices which have ability to transfer the data over network:
a. Blockchain
b. Internet of Things
c. Robotic Process Automation
d. Artificial Intelligence
6. Which one is simplest form of analytics?
a. Predictive
b. Descriptive
c. All of the mentioned
d. Prescriptive
61
7. The method by which companies analyze customer data or other types of

information in an effort to identify patterns and discover relationships between
different data elements is often referred to as:
a. Customer data management
b. Data mining
c. Data digging
d. None of the above
8. Which of the following is a central storage for all kinds of structured, semi
structured or unstructured raw data collected from multiple sources even outside
of company’s operational systems?
a. Data Warehouse
b. Data Lake
c. Database
d. Data marts
9. Which of the following tools best describe Predictive Analytics?
a. Simulation
b. Statistical Analysis
c. Machine Learning
d. Graphical reports
10. Which of the following is not a cloud deployment model?
a. Private
b. Public
c. IaaS
d. Hybrid
11. Which of the following is not a stream of AI?
a. Machine Learning
b. Big Data
c. Speech Recognition
d. Natural language processing (NLP)
62
12. Which of the following is not an example for AI Platform?

a. Watson
b. Tensor Flow
c. AWS AI
d. Microsoft Power BI
Answers
1. Option b – Peer to Peer
P2P stands for Peer to Peer Technology where every participant acts as an individual
peer in the network
2. Option a - A distributed ledger on a peer to peer network
Blockchain is a distributed ledger on a peer to peer network
3. Option d – Data Cleaning
Data Cleaning is not an activity within RPA. Preparation of project, Development of
business cases and Implementation of RPA are steps within the RPA project.
4. Option a - It is walking talking robot
RPA is not a walking talking robot. It is instead a computer coded software, that replace
human repetitive tasks which can perform in cross functional platforms
5. Option b - Internet of things
The internet of things, or IoT, is a system of interrelated computing devices, mechanical
and digital machines, objects, animals or people that are provided with unique
identifiers (UIDs) and the ability to transfer data over a network without requiring
human-to-human or human-to-computer interaction.
6. Option b – Descriptive Analytics
Descriptive analytics is a preliminary stage of data processing that creates a summary
of historical data to yield useful information and possibly prepare the data for further
analysis
7. Option b – Data Mining
Data mining refers to a method where companies analyze customer data or other types
of information in an effort to identify patterns and discover relationships between
different data elements.
8. Option b – Data Lake
63
Data Lake is a central storage for all kinds of structured, semi structured or
unstructured raw data collected from multiple sources even outside of company’s
operational systems.
9. Option a – Simulation
Predictive Analytics analyses the past behaviour and makes predictions about the
future to identify the new trends. Simulation is one such technique used in predictive
analytics. Graphical reports and statistical analysis are more commonly associated with
historical / descriptive analytics. Machine Leaning is used in Cognitive analytics.
10. Option c – IaaS
Private, Public and Hybrid are cloud deployment models. IaaS is a Cloud Service Model
as per NIST categorisation.
11. Option b – Big Data
Big Data refers to huge and voluminous data characterised by volume, variety and
velocity. Machine Leaning, Speech recognition and NLP are streams in AI.
12. Option d – Microsoft Power BI
Microsoft Power BI is a predominantly a Data Analytics Platform. Watson, Tensor Flow
and AWS AI are AI Platforms.
64
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................
Notes
………………………...................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
..........……………………………………………….........
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................................……………………
…………………………...............................................
...................................................................................
........................................………………......................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
...................................................................................
......................................……………………………..…
.……………................................................................
...................................................................................
...................................................................................

Disa Book

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Disa Book

Uploaded by

Copyright:

Available Formats

ISA Background Material

INFORMATION SYSTEMS AUDIT 3.0 COURSE

Digital Accounting and Assurance Board

Revised Edition : August, 2020

Committee/Department : Digital Accounting and Assurance Board

Website : www.icai.org/ https://pqc.icai.org

Price : ` 750/- (For Complete Set)

Published by : The Publication Directorate on behalf of

Printed by : Sahitya Bhawan Publications,

CA. Atul Kumar Gupta

CA. Manu Agrawal CA. Dayaniwas Sharma

Chapter 2: IS Audit in phases 23–91

Chapter 3: Computer Assisted Audit Tools and Techniques 92–104

Chapter 4: Application Controls Review 105–118

Chapter 5: Application controls review- Specialised systems 119–129

Chapter 6: IT Enabled services 130–147

Appendix 1: RFP from Bank for IS Audit of application software 148

1.4 Concepts of Audit

competence. This can be acquired through a combination of general education, technical

1.5 Concept of IS Audit and Auditing in a Computerized

1.5.2 IS Audit and Audit of Computerised Environment

1.6 Concept of IT Risk

 considers a full life-cycle of IT related business activities, including transformation

1.6.2 Risk Management

1.7 Risk Based Auditing

1.8 Audit Universe

1.8.1 Benefits of having an Audit Universe

1.9 Audit Risk and Materiality

1.9.1 Audit Risk

1.10 Concepts of Internal Controls

1.10.1 Types of Internal Controls

1.10.2 Types of IS Controls

1.11 Organization of IS Audit Function

1.11.1 Infrastructure and Organization

1.11.2 Internal and External Audit Control Framework

1.11.3 Quality Assessment and Peer Reviews

1.11.4 Standards on Audit Performance

1.13 Case Study

Turn Around Time Penalty

51-60 days 30% of total fees payable

(a) Resources may not be allocated to the areas of highest concern.

(b) Budgets are more likely to be met by the IS audit staff.

1.15 Answers and Explanations

Plan Execute Report

Risk assessment & Presentation to

Audit program and Using CAATs and

2.3 Conducting an IS Audit

2.3.2. Request for proposal (RFP)

some audit assignments. An RFP is a standard solicitation document used by various

2.4 Audit Charter and Terms of Engagement

2.4.2 Audit Engagement Letter

of client personnel. Hence, on-going communication with the auditee is critical.

2.4.3 Communication with Auditee

2.4.4 Quality Assurance Process

2.5 Audit Scope

2.6 Audit Planning

2.7 Objectives of IS Controls

2.7.1 Principles of Fiduciary

2.7.2 Principles of Quality

2.7.3 Principles of Security (CIA)

2.8 Understanding the IT Environment of Auditee

2.8.1 Business of the Entity

2.8.2 Organization Structure

2.8.4 Regulations, Standards, Policy, Procedures, Guidelines &