Module 1 to 6 Printable Chart-book (1)
INFORMATION SYSTEM AUDIT for ISA 3.0 (New Course), 4th Edition
MODULE 1: INFORMATION SYSTEMS AUDIT PROCESS
1 Concepts of IS Audit 1
2 IS Audit in Phases 3
3 IS Audit Tools & Techniques 9
4 Application Controls Review of Business Applications 11
5 Application Controls Review of Specialised Systems 13
6 IT Enabled Assurance Services 14

MODULE 6: EMERGING TECHNOLOGIES
1 Artificial Intelligence 86
2 Blockchain 89
3 Cloud Computing 91
4 Data Analytics 94
5 Internet of Things 98
6 Robotic Process Automation 101
www.prokhata.com 1
CA Rajat Agrawal
Module 1: Information Systems Audit Process, Chapter 1: Concepts of IS Audit
AUDIT UNIVERSE
Audit universe consists of all risk areas that could be subject to audit, resulting in a list of possible audit engagements that could be performed. It may be organised by: Business Units, Product or service lines, Processes, Programs, Systems or controls.
Benefits of having an Audit Universe: it enables the audit activity to be clear about the extent of coverage of key risks and other risk areas each year.
Illustration: audit areas (Revenue, Stock & Receivable, Credit) → audit types (Risk Based Internal IS Audit, Forensic Audit) → risk tiers:
• High Risk: Tier 1, Low or Full Coverage
• Medium Risk: Tier 2, Medium Coverage
• Low Risk: Tier 3, Low or No Coverage

CONCEPTS OF INTERNAL CONTROLS
Policies, procedures, practices and organizational structures which are implemented to reduce risks in the organisation to an acceptable level. Internal controls are developed to provide reasonable assurance to management that the organization’s business objectives will be achieved and risk will be managed.
Internal Controls are classified into General Controls and IS Controls; IS Controls are further classified into Application Controls and IT General Controls.
Type of IS Controls:
• Preventive Controls: controls that prevent problems before they arise; they monitor both operations and inputs.
• Detective Controls: controls that detect and report the occurrence of a threat.
• Corrective Controls: controls that minimize the impact of a threat; they help in identification of the cause of the problem.

ORGANIZATION OF IS AUDIT FUNCTION
The role of the IS Audit function is defined by the audit charter which defines the authority, scope and responsibility. Based on the overall guidelines defined in the audit charter, the audit function is created with specific roles and responsibilities.
Structure: Audit Charter (Authority, Scope & Responsibility) → Audit Committee (Composition & Constitution) → Department (IS Audit Function) → Organization (skills and competent human resources) and Infrastructure (CAATs).
Infrastructure and Organization:
• IS audit function should be equipped with sufficient resources to discharge its duties efficiently and effectively.
Assurance function perspective:
• Which organizational structures are required to provide assurance?
• Which information items are required to provide assurance (audit universe, audit plan, audit reports, etc.)?
1002 Organisational Independence: The IS audit shall be independent of the area or activity being reviewed to permit objective completion of the audit and assurance engagement.
Internal and External Audit Control Framework:
• Ensures the minimum quality of audits.
• Policies and procedures for risk assessment, planning, implementation and reporting are to be established.
Quality Assessment and Peer Reviews:
• Best auditing practices following the professional standards and pronouncements.
• IS Audit function is subject to both internal and external quality assessments, peer reviews, certification and accreditation.
• In case of external audit, the audit engagement letter defines the scope and objectives of the individual audit assignment.

AUDIT RISK AND MATERIALITY
Audit Risk: Risk of issuing an unqualified report due to the auditor's failure to detect material misstatement. Audit risk is composed of inherent risk (IR), control risk (CR) and detection risk (DR). Audit risk can be high, moderate or low depending on the sample size selected by the Auditor.
Inherent Risk: Susceptibility of an information resource to material theft, destruction or any kind of impairment, assuming that there are no related internal controls. Inherent risk for an audit assignment can be project related, revenue related or resource related. Inherent risk to business can depend on the nature of the business. After the implementation of controls, it is known as residual risk/net risk.
Control Risk: Risk that an error will not be prevented or detected and corrected on a timely basis by the internal control system.
Detection Risk: Risk that the IS Auditor’s substantive procedures will not detect an error which could be material. It is the risk that is influenced by the actions of an auditor.
Materiality in case of:
• Financial Audit: Value & Volume of Transactions
• Regulatory Audit: Impact of Non-Compliance
• IS Audit: Effect or consequence of the risk in terms of potential loss
• Materiality is an important aspect of the professional judgment of the IS Auditor.
• Higher the level of materiality, lower is the risk that an IS auditor is, usually, willing to take.
Measures to assess materiality:
• Criticality of the business processes
• Cost of the system or operation
• Potential cost of errors
• Number of accesses/transactions/inquiries
• Nature, timing and extent of reports and assurance
• Nature and quantities of materials handled
• Service level agreement (SLA)
• Penalties for failure to comply
SA 320 - Audit Materiality is applied when conducting an IS Audit Engagement.
Standards on Materiality as per ITAF (3rd Edition):
• 1204.1 Auditor shall consider potential weaknesses or absences of controls which could result in a significant deficiency or a material weakness.
• 1204.2 Auditor shall consider audit materiality and its relationship to audit risk; nature, timing and extent of audit procedures.
• 1204.3 Auditor shall consider the cumulative effect of minor control deficiencies or weaknesses.
• 1204.4 Auditor shall disclose absence of controls, control deficiency, significant deficiency or material weakness.

Standards on Audit Performance
1004 Reasonable Expectations:
• Engagement can be completed in accordance with the IS audit and assurance standards.
• Scope of the engagement enables a conclusion on the subject matter and addresses any restrictions.
• Management understands its obligations and responsibilities with respect to the provision.
1005 Due Professional Care:
• Observance of applicable professional audit standards.
1006 Proficiency:
• Possess adequate skills and proficiency in conducting IS audit.
• Possess adequate knowledge of the subject matter.
• Maintain professional competence through appropriate continuing professional education and training.
1007 Assertions:
• Assertions against which the subject matter will be assessed; assertions are sufficient, valid and relevant.
1008 Criteria:
• Select criteria, against which the subject matter will be assessed, that are objective, complete, relevant, measurable, understandable, widely recognised, authoritative and understood by, or available to, all readers and users of the report.
• Source of the criteria: relevant authoritative bodies before accepting lesser-known criteria.
Module 1: Information Systems Audit Process, Chapter 2: IS Audit in Phases
CHAPTER 2: IS AUDIT IN PHASES
INTRODUCTION
Information Systems: Integral Part of Business Controls; Most Critical Asset; More vulnerable to the [continuation not on the page] → IS Auditor.
IS Audit Phases:
• Plan: Understanding the environment and setting of objectives; Risk Assessment & Control Identification; Audit Program and Procedures.
• Execute: Analytical procedures, Compliance and Substantive Testing; Sampling; Using CAATs and evaluating Audit Evidence.
• Report: Audit report and recommendations; Presentation to management; Follow up review.

CONDUCTING AN IS AUDIT
IS Audit is necessary in today’s business environment as business processes have been integrated into systems and a lot of decisions are being taken through these integrated systems. Conducting an IS Audit provides reasonable assurance about coverage of material items.
Setting up of audit objectives
• Audit objectives refer to the specific goals that must be met by the audit. One of the basic purposes of any IS audit is to identify control objectives and the related controls that address these objectives.
• In absence of established audit objectives, the auditor will not be able to determine key business risks.
• Control objective refers to how an internal control should function.
• They often focus on substantiating the existence of internal controls & the appropriateness of functioning.
• They are invariably set down at the beginning of the audit process.
• A major purpose of Information Systems audit is to determine whether the internal control system design is robust and is operated effectively.
Request for proposal (RFP)
An RFP is a standard solicitation document to acquire services. A successful RFP supports principles of fair, open, and transparent procurement. The best proposal is awarded the contract though it may, or may not, quote the lowest price. IS Auditor can play an important role in preparation and evaluation of responses to RFP. RFP is most often used to acquire services, although it may be used in some circumstances to acquire goods.

Audit Charter and Terms of Engagement
• IS Audit charter: the scope, authority, and responsibilities of the audit function should be the content of an audit charter.
• Senior management should approve the audit charter of an organization.
• Prime reason for review of an organization chart is to get an understanding of the authority and responsibility of individuals.
• The actions of an IS auditor are primarily influenced by the Audit Charter.
• Audit charter provides the overall authority for an auditor to perform an audit.
• The audit function should directly report to the audit committee because it should be independent of the business function and should have direct access to the audit committee of the board.
• The audit charter should clearly address the four aspects of purpose, responsibility, authority and accountability (Purpose + Responsibility + Authority + Accountability = Audit Charter).
Communication with Auditee
Effective communication with Auditee involves:
• Describing the service, its scope and timeliness of delivery
• Providing cost estimates
• Describing problems and possible resolutions
• Providing accessible facilities for effective communication
• Determining relationship between services offered & needs of the Auditee.
Audit charter forms a sound basis for communication with the Auditee & includes references to service level agreements such as: availability for unplanned work, delivery of reports, costs, response to Auditee complaints etc.
Audit Engagement Letter
(SA) 210 Agreeing the Terms of Audit Engagements requires auditor and client to agree on the terms of engagement and document them in the audit engagement letter. IS Audit is performed internally as per audit charter; it may be outsourced to an external IS Auditor (Internal Auditor → Audit Charter; External Auditor → Audit Engagement Letter).

AUDIT SCOPE
Scope and objectives are determined through discussion with the auditee management and a specific risk assessment. Scope of audit is determined by the management in case of internal audit and is set by statute if it is as per regulatory requirement.
Audit Planning
• Audit Planning ensures that the audit is performed in an effective way and completed in a timely manner.
• Planning also assists in proper assignment of work to assistants and in coordination of work done by other auditors and experts.
• To plan an audit, the IS auditor is required to have a thorough understanding of business processes, business applications, and relevant controls.
• IS audit and assurance professionals shall identify and assess risk relevant to the area under review when planning individual engagements, and consider subject matter risk, audit risk and related exposure to the enterprise.
• The first step in risk-based auditing is to identify areas of high risk.
• Utilization of resources for high-risk areas is the major benefit of risk based audit planning.
• Identifying threats and vulnerabilities is the most important step in a risk assessment.
• The evaluation of vulnerabilities and threats to the data should be the first step to conduct a data center review.
• Once threats and vulnerabilities are identified, identifying and evaluating existing controls should be the next step.

Quality Assurance Process
• This process is established to understand the Auditee’s needs and expectations.
• The IS Audit standards require the IS Auditor to deploy and monitor completion of the assurance assignments with the staff.
• IS auditor should develop a standard approach, documentation and methodology with appropriate templates for various types of assignments.

Before Audit: Documents
RFP → Response to RFP → When Audit begins (communication between auditor & organisation): Audit Charter or Audit Engagement Letter → then 2 new documents/processes develop: Audit Scope and Audit Planning.
OBJECTIVES OF IS CONTROLS
Ensure risk management processes are implemented as per the risk management strategy, which involves risk avoidance, elimination, transfer and acceptance.

Business of the Entity: IS Auditor should obtain a preliminary knowledge of the entity and of the nature of ownership, management, regulatory environment and operations of the entity.
Organization Structure: Organizational structure activities are task allocation, coordination and supervision. Organizational structure allows the allocation of responsibilities for different functions and processes.
IT Infrastructure: IS Auditor has to keep in mind the present IT infrastructure capacities, the age of hardware and software, licensing agreements and third party vendor agreements.

Regulations, Standards, Policy, Procedures, Guidelines & Practices
The IS auditor should ensure that specific regulatory requirements as applicable for the assignment are included as one of the primary criteria for evaluation. Identify regulations applicable to the organisation and identify compliance requirements.
SA 250 “Considerations of laws and regulations in conducting an Audit”: the Auditor has to obtain just a general understanding of the laws and regulations and should alert the management of the material non-compliances and applicable penalties.
Information Technology Act 2000 (Amended in 2008):
• Section 7A: Audit of Documents etc. maintained in Electronic Form.
• Section 43A: It provides that a body corporate possessing sensitive personal data which is negligent, resulting in wrongful loss or wrongful gain, may be held liable to pay damages; there is no upper limit for the compensation.
• Section 66 to 66F and 67: Sending offensive messages using electronic medium, IT for unacceptable purposes, dishonestly stolen computer resources, unauthorized access to computer resources, identity theft/cheating by impersonating using a computer, violation of privacy, cyber terrorism/offences using a computer, publishing or transmitting obscene material.
• Section 72A: Disclosure of information, without the consent of the person concerned and in breach of lawful contract, has also been made punishable with imprisonment for a term extending to three years or fine extending to INR 5,00,000 or with both.
Section 404 of Sarbanes Oxley Act, 2002 (SOX): The independent Auditor is required to opine on the effectiveness of internal controls over financial reporting in addition to the fair presentation of the organization's financial statements.
Public Company Accounting Oversight Board (PCAOB): Standard 5 of the PCAOB establishes requirements and provides direction that applies when an Auditor is engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting.

LODR – Listing Obligations & Disclosure Requirements of SEBI on Corporate Governance
Audit Committee: The role of the audit committee has sharpened with specific responsibilities including recommending appointment of Auditors and monitoring their independence and performance, approval of related party transactions, scrutiny of intercorporate loans and investments, valuation of undertaking/assets etc.
ISO/IEC 27001:
ISO/IEC 27001:2013 formally specifies an Information Security Management System (ISMS), a suite of activities concerning the management of information security risks. ISO/IEC 27001 is basically an Information security management system established by the International Standards Organization in association with the International Electrotechnical Commission. The ISMS ensures that the security arrangements are fine-tuned to keep pace with changes to the security threats, vulnerabilities and business impacts. ISO/IEC 27001:2013 is a formalized specification with two distinct purposes:
• It lays out what an organization can do to implement an ISMS.
• It can be used as a basis for formal compliance assessment.
ISO/IEC 27002:
ISO/IEC 27002:2013 is a code of practice: a generic, advisory document, not a formal specification. It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information.

FRAMEWORK AND BEST PRACTICES OF IS AUDIT
ITAF (3rd edition)
Information Technology Assurance Framework (ITAF) is a comprehensive good-practice-setting reference model that: establishes standards, defines terms and concepts, provides guidance and tools for audit and assurance.
ITAF audit and assurance standards are divided into three categories:
• General standards (1000 series): the guiding principles under which the IS assurance profession operates. They deal with the IS audit and assurance professional’s ethics, independence, objectivity and due care as well as knowledge, competency and skill.
• Performance standards (1200 series): deal with the conduct of the assignment: assignment management, audit and assurance evidence, and the exercising of professional judgment and due care.
• Reporting standards (1400 series): address the types of reports, means of communication and the information communicated.
COBIT 2019 Framework Principles, Components and Core Models
COBIT 2019 is a globally accepted framework and caters for the governance and management of enterprise information and technology. It helps ensure effective enterprise governance and management of Information and Technology.
1: Provide Stakeholder Value: By maintaining a balance between the realization of benefits and the optimization of risk and use of resources. COBIT 2019 provides all of the required processes and other enablers to support business value creation.
2: End to End Governance System: The governance system should focus not only on the IT function but on all technology and information processing.
3: Tailored to Enterprise Needs: The governance system should be customized to the enterprise needs, using a set of design factors to customise and prioritise the governance system components.
4: Holistic Approach: Efficient and effective governance and management of enterprise I&T require a holistic approach, taking into account several integrating components.
5: Governance distinct from Management: Different types of activities require different organizational structures and serve different purposes.
6: Dynamic Governance System: Each time one or more of the design factors changes, the impact of these changes on the Enterprise Governance of Information and Technology (EGIT) system must be considered.
Components/Enablers of the Governance system are:
• Processes
• Organizational structures
• Information flows and items
• People, skills and competence
• Policies and procedures
• Culture, ethics and behaviour
• Services, infrastructure and applications
Using COBIT 2019 for IS Assurance: It is written in a non-technical language and usable not only by IT professionals and consultants but also by senior management. Globally, from the GRC perspective, COBIT has been widely used with COSO by management, IT professionals, regulators and Auditors (internal/external) for evaluating governance and management practices from an end to end perspective.
Evaluating the System of Internal Controls: “MEA 02 Managed System of Internal Control” provides guidance on evaluating and assessing internal controls. The key management practices for evaluating the system of internal controls are:
• Monitor internal controls,
• Review business process controls effectiveness,
• Perform control self-assessment,
• Identify and report control deficiencies.
Core Governance and Management Objectives in COBIT 2019:
1. Align, Plan and Organise (APO)
2. Build, Acquire and Implement (BAI)
3. Deliver, Service and Support (DSS)
4. Monitor, Evaluate and Assess (MEA)

RISK ASSESSMENT
IS Auditor should identify all the risks present in the IT Environment. Based on this, the required audit strategies, materiality levels and resource requirements can then be developed. IS Auditor can focus on the high-risk areas and decide the sampling.
Guidance on Risk Assessment by ISACA:
• Conduct and document, at least annually.
• Quantify and justify the amount of IS audit resources needed.
• Seek approval of the risk assessment from the audit stakeholders.
• Prioritise and schedule IS audit and assurance work based on assessments of risk.
• Develop a plan that acts as a framework, considers non-IS audit and addresses responsibilities set by the audit charter.
• When planning an individual engagement, professionals should assess risks & conduct a preliminary assessment of the risks relevant to the area.
• Objectives for each specific engagement should reflect the results of the preliminary risk assessment.
• Consider prior audits, reviews and findings, including any remedial activities.
• Attempt to reduce audit risk to an acceptable level, and meet the audit objectives.
• Recognise that the lower the materiality threshold, the more precise the audit expectations and the greater the audit risk.
• To reduce risk for higher materiality, compensate by either extending the test of controls or substantive testing procedures.
Risk Assessment Procedures and related Activities: Risk assessment procedures shall include inquiries of management, analytical procedures, observation & inspection.
Use of Risk Assessment in Audit Planning: There are many risk assessment methodologies, computerized and non-computerized, from which the IS Auditor may choose. These range from simple classifications of high, medium and low, based on the IS Auditor’s judgment, to complex scientific calculations that provide a numeric risk rating. A scoring system is useful in prioritizing audits based on an evaluation of risk factors. A combination of techniques may be used as well. IS Auditor should consider the level of complexity and detail appropriate for the organization.
Steps of Risk Assessment:
• Identify Relevant Assets or Critical Assets.
• Identify Vulnerabilities & Threats (Relevant Risks).
• Analyze identified relevant risks.
• Risk Prioritization.
• Risk Treatment.
GOVERNANCE AND MANAGEMENT CONTROLS
IT General Controls areas
A general controls’ review attempts to gain an overall impression of the controls that are present in the environment surrounding the information systems. IT General controls are controls that are not specific to any application, but exist in an IT environment. A general controls’ review would also include the infrastructure and environmental controls, such as a review of the data centre or information processing facility, which should cover the adequacy of air conditioning, power supply and smoke detectors/fire suppression systems, etc. Some of the IT General Controls are discussed below:
1. Operating System Controls: The operating system performs the main tasks of scheduling jobs, managing hardware and software resources, maintaining system security, enabling multiuser resource sharing, handling interrupts and maintaining usage records.
2. Organisational Controls: These controls are concerned with the decision-making processes that lead to management and authorization of transactions.
(i) Responsibilities and objectives: IS functions must be clearly defined and documented, including systems software, application programming and systems development, database administration, and operations. The senior managers are responsible for the effective and efficient utilization of IS resources.
(ii) Policies, standards, procedures and practices: Policies establish the rules or boundaries of authority delegated to individuals. Procedures establish the instructions that must be followed for completing the assigned tasks.
(iii) Job Descriptions: These communicate management’s specific expectations for job performance.
(iv) Segregation of Duties: It refers to the concept of distribution of work responsibilities. The main purpose is to prevent or detect errors or irregularities by applying suitable controls.
3. Management Controls: Controls adopted to ensure that the information systems function correctly and meet the strategic business objectives and needs. The controls flow from the top of an organization downwards; the responsibility still lies with the senior management. The control considerations include:
• Responsibility: Senior management personnel responsible for the IS within the overall organizational structure.
• An IT Organization Structure: There should be a prescribed IT organizational structure with documented roles and responsibilities.
• An IT Steering Committee: These communicate management’s specific expectations for job performance.
4. Financial Controls: Control over transaction processing using reports generated by the computer applications. There are numerous financial control techniques. A few examples are:
• Authorisation, which entails obtaining the authority to perform some act, typically accessing assets.
• Budgets are estimates of the amount of time or money expected to be spent during a particular period, project, or event.
Segregation of Duties: It is the concept of distribution of work responsibilities. The main purpose is to prevent or detect errors or irregularities by applying suitable controls. Separate who can:
• Run live programs / Change programmes
• Access data / Run programs
• Input data / Approve/reconcile data
• Test programmes / Develop programmes
• Enter an error in a log / Correct the error
• Enter data / Access the database
5. Data Management Controls: Access controls are designed to prevent unauthorized individuals from viewing, retrieving, computing or destroying data. Back up controls are designed to ensure the availability of data in the event of its loss.
6. Data Processing Controls: Controls related to hardware and software; these controls are applicable to on-line transaction processing systems, database administration, media library, etc.
The following controls are discussed in further chapters in detail: 7. Physical Access Controls; 8. Logical Access Controls; 9. Business Continuity Planning Controls; 10. System Maintenance Controls.
11. System Development Controls: Ensure that proper documentation and authorizations are available for each phase of the system development process.
12. Computer Centre Security Controls: Physical security attempts to restrict breach of access. Software and data security ensures that there is use of passwords, authorizations, screening and logs of all activity of the entity. Data communication security is implemented by terminal locks, encryption of data, network administration, sign-on user identifiers etc.
Personal Computers Controls: Safeguard mechanisms for personal computers, pen drives and external drives etc. against the risk of theft of hardware, data/information.
Internet and Intranet Controls: These controls include building component level redundancy, avoiding single points of failure, using tested and robust systems, hardening of systems, patch management, use of updated anti-virus solutions, firewalls, IDS, encryption etc.

IT Application Controls
Software could be a payroll system, a retail banking system, an inventory system, a billing system or, possibly, an integrated ERP. The first question to ask in an application software review is, "What does the application software do; what business function or activities does it perform?" The IS auditor's knowledge of the intricacies of the business is just as important. Once this is done, identify the potential risks associated with the business activity/function and see how these risks are handled by the software. IT application controls are, indeed, controls which are built into the software application itself.
Objectives of application controls:
• Input data is accurate, complete and authorized,
• Data is processed in an acceptable time period,
• Data stored is accurate and complete,
• Output is accurate and complete.
A record is maintained to track the data from input to storage and to the eventual output. Categories of application control are:
1. Boundary Controls: Controls to ensure that the application is restricted only to authorized users. Data may be in any stage: in input, processing, transit or output, or at rest. Access controls may be implemented by using any of the logical security techniques embedded in the application software. A separate access control mechanism is required for controlling access to the application.
2. Input Controls: Controls to ensure that only complete, accurate and valid data and instructions form an input to the application.
3. Processing Controls: Controls to ensure that only authorized processing takes place and the integrity of processes and data is ensured. They perform validation checks to identify errors during processing of data. They are required to ensure both the completeness and accuracy of the data being processed.
4. Data File Controls: Controls to ensure that data resident in the files are maintained consistently with the assurance of integrity & confidentiality of stored data.
5. Output Controls: Controls to ensure that output is delivered to the users in a consistent and timely manner in the format prescribed/required by the user.
6. Existence Controls: Ensure the continued availability. Existence controls should include backup and recovery procedures of data & also controls that recover the process from a failure. Existence controls should also be exercised over output to prevent loss of output in any form.
Scope and steps of IS Audit of Application software mainly cover:
• Adherence to business rules,
• Validations of various data inputs,
• Logical access control and authorization,
• Exception handling and logging.
CREATION OF RISK CONTROL MATRIX (RCM)
RCM details the risks that have been identified in the Risk Assessment phase. A typical RCM would consist of the following:
• A series of spreadsheets, each marking a single process, application (Custom Business Application) or area (Information security, Logical Security, Physical security).
• Each spreadsheet would contain: Risk No., risk in depth, control(s) that are ideal to counter the identified risk, control number, and the control that is implemented by the enterprise to counter the risk.
RCM may be used as an Audit Notebook containing details of control owner, process owner, testing plans and results, evidences, risk ranking, recommendations etc.

SUBSTANTIVE TESTING
Evidence is gathered to evaluate the integrity of individual transactions, data or other information. Substantive procedures are tests designed to obtain evidence to ensure the completeness, accuracy and validity of the data. Substantive tests can be reduced if internal controls are strong. Examples: examining the trial balance, cash verification, balance confirmation etc.

COMPLIANCE TESTING
Compliance testing is the process of evidence gathering for the purpose of testing an organization’s compliance with control procedures. Compliance review determines if controls are being applied in accordance with organizational

AUDIT SAMPLING, DATA ANALYSIS AND BUSINESS INTELLIGENCE
Audit Sampling
Application of audit procedures to less than 100 percent of the population. The IS auditor should consider selection techniques that result in a statistically based representative sample for performing compliance or substantive testing. Statistical sampling should be used when the probability of error is objectively quantified. It also helps in mitigating sampling risk. When testing for compliance, attribute sampling is most useful. Discovery sampling is the method which would best assist auditors when there are concerns of fraud.
Methods for Sampling:
• Statistical: Random Sampling, Systematic Sampling
• Non-Statistical: Haphazard Sampling, Judgmental Sampling
SA 530 – Audit Sampling: Applies when the auditor has decided to use audit sampling in performing audit procedures. It deals with the auditor’s use of statistical and non-statistical sampling when designing and selecting the audit sample, performing tests of controls and tests of details, and evaluating the results from the sample.
While designing the sample, consider the objectives of the test and the attributes. Based on the initial assessment, the sample size can be increased or decreased to achieve the objective of assessing the tests of existence and adequacy of control for the IT environment.
Data Analytics: The use of data analytics tools and techniques helps the IS auditor to improve audit approaches. The IS auditor can use data analytics by which insights are extracted from financial, operational and other forms of electronic data, internal or external to the organization. Determining the objective and scope of analytics will be the first step of conducting data analytics.
Business Intelligence: BI can handle enormous amounts of structured as well as unstructured data to help identify, develop and otherwise create new opportunities.
policies. Compliance Procedures help obtain reasonable assurance that those Analytical Review Procedures: CAAT Tools
internal controls on which audit reliance is to be placed are operating effectively. Analytical review procedures may be de ned as substantive tests for a study of comparisons and relationship among data. Underlying attributes of computer
By performing Compliance tests, the IS Auditors can ascertain the existence, based transactional systems make the task of auditing more complex, auditors may be required to rely upon use of CAAT tools.
effectiveness and continuity of the internal control system. Ex: Review of system
access rights, review of rewall settings etc. • Absence of input documents: Data may be entered directly into the computer system without supporting documents.
Difference between Compliance and Substansive testing • Lack of visible transaction trail: e transaction trail may be partly in machine-readable form, or it may exist only for a limited period of time.
Objective of substantive testing is to test individual transactions whereas • High volume of transactions being processed
objective of compliance testing is to test the presence of controls. • Different sources of input and distributed processing.
DESIGN AND OPERATIONAL EFFECTIVENESS
Design Effectiveness Operational Effectiveness System controls:
A walkthrough of a business Testing of Operating Effectiveness refers to actual performance of the Control e evidence of the control will be obtained through obtaining appropriate reports and screen shots.
process and the risks and controls in the IT Environment. Manual controls:
within it can help evaluate its design Sample based self-testing: is Involves the selection of samples, Documented Are subject to human error, auditor should test the quality of the control to gain assurance. Manual controls the
effectiveness for compliance. evidence must be obtained to ascertain that the control has been performed. evidence that the control has been performed should be available through physical records created.
AUDIT EVIDENCE: METHODS
Evidence is any information used by the IS Auditor to determine whether the entity follows the established criteria or objectives, and supports audit conclusions. It is a requirement that the IS Auditor's conclusions be based on sufficient, relevant, competent and appropriate audit evidence. Audit findings should be supported by sufficient and appropriate audit evidence.

1. Evaluating Audit Evidence
• Independence of the provider of the audit evidence: evidence from outside sources is more reliable than evidence from within the organization.
• Qualifications of the individual providing the information/evidence.
• Objectivity of evidence: objective evidence is more reliable than evidence that requires considerable judgment.
• Timing of the evidence.

2. Types of Evidence
• Physical examination: Inventory, Cash, Securities, Tangible FA, Notes receivable
• Confirmation: 3rd party verifying the accuracy
• Documentation: Internal, External; substantiates information included in the FS
• Analytical procedures: Comparisons, Relationships
• Inquiries of the Client: Written, Oral
• Recalculation: Independent tests
• Performance of Procedures: Controls
• Observation

Evidence Preservation
It is also important to preserve the chain of custody. Chain of custody is a term that refers to documenting, in detail, how evidence is handled and maintained, including its ownership, transfer and modification. This is necessary to satisfy legal requirements that mandate a high level of confidence regarding the integrity of evidence.

Sufficiency and Competency of Audit Evidence
The quality and quantity of evidence must be assessed by the IS Auditor. These two characteristics are referred to as competent and sufficient. Evidence is competent when it is both valid and relevant. Audit judgment is used to determine when sufficiency is achieved.

Management Implementation of Recommendations
Auditing is an ongoing process. IS Auditors should have a follow up program to determine if agreed on corrective actions have been implemented, although IS Auditors who work for external audit firms may not necessarily follow this process.

Using Work of Another Auditor and Expert
As per area of specialization such as banking, securities trading, insurance, legal experts etc. Based on the nature of assignment, special considerations: Access to systems, Confidentiality restrictions, Use of CAATs, Non-disclosure agreements. ISACA standard 1206: Using the work of other experts. Even though a part of or the whole of the audit work may be delegated to the related professional, liability is not necessarily delegated. Responsibility of the IS Auditor is to: Clearly communicate the audit objectives, scope and methodology; place a monitoring process; Assess appropriateness of reports.

Evaluation of Strengths and Weaknesses: Judging by Materiality
A control matrix is often utilized in assessing the proper level of controls. Known types of errors that can occur in the area under review are placed on the top axis and known controls to detect or correct errors are placed on the side axis. The IS Auditor should be aware of compensating controls in areas where controls have been identified as weak. A compensating control situation occurs when one stronger control supports a weaker one; overlapping controls may exist where two strong controls exist.
Judging the Materiality of Findings: The IS Auditor must use judgment when deciding which findings to present to various levels of management. Key to determining the materiality of audit findings is the assessment of what would be significant to different levels of management.

Risk Ranking
Risks are typically measured in terms of impact and likelihood of occurrence. Risk rating scales may be defined in quantitative and/or qualitative terms. Quantitative rating scales bring a greater degree of precision and measurability to the risk assessment process. Qualitative terms need to be used when risks do not lend themselves to quantification, when credible data is not available, or when obtaining and analysing data is not cost-effective.
Ordinal scales define a rank order of importance (e.g., low, medium, or high), interval scales have numerically equal distance (e.g., 1 equals lowest and 3 equals highest, but the highest is not 3 times greater than the lowest), and ratio scales have a "true zero" allowing for greater measurability (e.g., a ranking of 10 is 5 times greater than a ranking of 2).
An example of a Risk Rating Model is: Green Areas identified as being low risk, Orange Areas identified as medium risk & Red Areas considered to be inherently high risk.

Audit Report Structure and Contents
ISACA standards require IS audit professionals shall provide a report to communicate the results including: Identification of the enterprise; The scope, nature, timing and extent of the work performed; findings and recommendations; qualifications or limitations. Exit interview, conducted at the end of the audit, provides the IS Auditor a chance to discuss findings and recommendations with management.
Presentation techniques could include: Executive summary, an easy to read concise report that presents findings to management in an understandable manner & Visual presentation, which may include slides or computer graphics.
IS Auditors should be aware that ultimately, they are responsible to senior management and the audit committee of the board of directors. Before communicating the results of an audit to senior management, the IS Auditor should discuss the findings with the management staff of the audited entity. A summary of audit activities will be presented periodically to the Audit Committee.

Audit Deliverables & Communicating Audit Results
There is no specific format for IS audit report. Audit reports will usually have the following structure and content:
1. Introduction to the report, including audit objectives, audit limitations and scope, the period of audit coverage.
2. A good practice is to include audit findings in separate sections.
3. The IS Auditor's overall conclusion and opinion on the adequacy of controls.
4. IS Auditor's reservations or qualifications.
5. Detailed audit findings and recommendations.
6. IS Auditor may choose to present minor findings to management in an alternative format such as by memorandum.
IS Auditor should be concerned with providing a balanced report, describing not only negative findings but also positive constructive comments. IS Auditor should exercise independence in the reporting process.
Chapter 3: IS Audit Tools & Techniques (Module 1 - Information System Audit Process)

CHAPTER 3: COMPUTER ASSISTED AUDIT TOOLS AND TECHNIQUES

Computer Assisted Audit Techniques
CAAT is a significant tool for auditors to gather evidence independently. It provides a means to gain access to and analyse data for predetermined audit objectives, and to report the audit findings with evidence. CAAT is the most effective tool for obtaining audit evidence through digital data. It also provides assurance about data reliability.

Need for CAAT
In computerised environments evidence exists on magnetic media and it may not be possible to analyze data without the help of some software tool(s). ICAI Guidance Note on CAAT: CAATs may be used in performing various auditing procedures including:
(a) Tests of details of transactions and balances,
(b) Analytical procedures,
(c) Tests of general controls,
(d) Sampling programs,
(e) Tests of application controls,
(f) Re-performing calculations.

Purpose of CAATs
It gives auditors the ability to maximize their efficiency and effectiveness during audit. IS auditors can use CAATs to perform tests that would normally be impossible or time consuming to perform manually.

Functional Capabilities of CAATs
• File access: Enables the reading of different record formats and file structures.
• File reorganization: Enables the indexing, sorting, merging and linking with another file.
• Data selection: Enables global filtration conditions and selection criteria.
• Statistical functions: Enables sampling, stratification and frequency analysis.
• Arithmetical functions: Enables arithmetic operators and functions.

How to use CAATs
Approach for using CAATs is given below:
1. Set the objective of the CAAT application
2. Determine the content and accessibility of the entity's files
3. Define the transaction types to be tested
4. Define the procedures to be performed on the data
5. Define the output requirements
6. Identify audit and IT personnel to be involved in design and use of tests for CAATs.

General Uses and Applications of CAATs
1. Exception identification: Identifying exceptional transactions
2. Control analysis: Identify whether controls as set have been working as prescribed.
3. Error identification: Identify data which is inconsistent or erroneous.
4. Statistical sampling: Perform various types of statistical analysis.
5. Fraud detection: Identify potential areas of fraud
6. Verification of calculations: Perform various computations to confirm the data stored.
7. Existence of records: Identify fields which have null values.
8. Completeness of data: Identify whether all fields have valid data.
9. Consistency of data: Identify data which are inconsistent
10. Duplicate payments: Establish relationship between two or more tables as required and identify duplicate transactions.

Strategies for using CAATs
• Identify the goals and objectives of the investigation/audit
• Identify what information will be required
• Determine what the sources of the information are
• Identify who is responsible for the information
• Review documentation
• Understand the system generating the data
• Develop a plan for analyzing the data (What, When, Where, Why, and How): What = Objectives; When = Period; Where = Sources; Why = Reason; How = Types of analysis.

Types of CAATs
While selecting the CAAT, the IS Auditor is faced with certain critical decisions that have to be made while balancing the quality and cost of audit:
A. Audit software developed by the client.
B. Develop his/her own audit software.
C. Use a standard off the shelf Generalised Audit Software.
The first two options require auditors to be technically competent in programming. Computer audit software, also known as Generalised Audit Programs (GAS), is readily available with specific features useful for data interrogation and analysis. Auditors do not require much expertise and knowledge to be able to use these for auditing purposes. Different types of CAAT are:

Generalised Audit Software (GAS)
"The processing of a client's live files by the auditor's computer programs". Computer audit software may be used either in compliance or substantive tests. It performs functions such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditor. GAS has standard packages for auditing data. Typical operations using GAS include: Sampling items, Extraction of items, Totalling the total value, Ageing data, Calculation. Input data is manipulated prior to applying selection criteria.

Specialised Audit Software (SAS)
Written for special audit purposes or targeting specialized IT environments. Specific to the type of business, transaction or IT environment. Such software may be either developed by the auditee or embedded as part of the client's mission critical application software. Such software may also be developed by the auditor independently. The auditor should take care to get an assurance on the integrity and security of the software developed by the client.

Utility Software
Utilities usually come as part of office automation software, operating systems, and database management systems, useful in performing common data analysis functions such as searching, sorting, appending, joining, analysis etc. Utilities are extensively used in design, development, testing and auditing of application software, operating systems parameters, security parameters, security testing, debugging etc.

Typical Steps in using GAS
i. Define the audit objectives.
ii. Identify the tests.
iii. Package input forms.
iv. Compile the package.
v. Programmer's work must be tested.
vi. Obtain copies of application files to be tested.
vii. Execution of the package.
viii. Maintain security of output.
ix. Check test results and draw audit conclusions.
x. Interface test results with subsequent manual audit work to be done.

Selecting, implementing and using CAATs
CAATs provide a means to gain access to and analyse data for a predetermined audit objective and to report audit findings with evidence. They help the auditor to obtain evidence directly on the quality of the records produced and maintained in the system. Some examples of CAATs which can be used to collect evidence:
• ACL, IDEA, Knime etc.
• Utility Software such as Find, Search, Flowcharting utilities
• Spreadsheets such as Excel
• SQL Commands, OS commands
• Third party access control software
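The sampling methods from Chapter 2 (random and systematic selection) and the GAS operations and CAAT uses listed in this chapter (sampling, totalling, ageing, null-value tests, duplicate payments across matched records) can be scripted in a few lines. The block below is an added example, not code from the chart-book or from any of the tools it names (ACL, IDEA, Knime); the payment records, the field names, the 30/90-day ageing buckets and the random seed are all constructed for the example.

```python
"""Added example (not from the chart-book): GAS-style interrogation of a
payments extract, covering sampling, totalling, ageing, duplicate and
null-value tests. All records below are constructed sample data."""
import random
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor-payment extract; field names are assumptions.
PAYMENTS = [
    {"id": 1, "vendor": "V001", "invoice": "INV-10", "amount": 1200.00, "paid_on": date(2024, 1, 5)},
    {"id": 2, "vendor": "V002", "invoice": "INV-11", "amount": 450.00, "paid_on": date(2024, 1, 9)},
    {"id": 3, "vendor": "V001", "invoice": "INV-10", "amount": 1200.00, "paid_on": date(2024, 2, 2)},  # repeat of id 1
    {"id": 4, "vendor": "V003", "invoice": None, "amount": 980.00, "paid_on": date(2024, 2, 20)},      # invoice missing
    {"id": 5, "vendor": "V004", "invoice": "INV-12", "amount": 75.50, "paid_on": date(2023, 10, 1)},
    {"id": 6, "vendor": "V002", "invoice": "INV-13", "amount": 450.00, "paid_on": date(2024, 3, 15)},
]


def duplicate_payments(records, keys=("vendor", "invoice", "amount")):
    """Relate records on vendor/invoice/amount; groups with more than one id are candidate duplicates."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(r[k] for k in keys)].append(r["id"])
    return {k: ids for k, ids in groups.items() if len(ids) > 1}


def null_fields(records, fields):
    """Existence test: ids whose listed fields carry a null value."""
    return {f: [r["id"] for r in records if r.get(f) is None] for f in fields}


def total_value(records):
    """Totalling: a control total to agree with the ledger or the header record."""
    return round(sum(r["amount"] for r in records), 2)


def ageing(records, as_of, buckets=(30, 90)):
    """Age each payment by days since paid_on into <=30, <=90 and >90 buckets (bucket edges assumed)."""
    counts = Counter()
    for r in records:
        days = (as_of - r["paid_on"]).days
        label = next((f"<={b}" for b in buckets if days <= b), f">{buckets[-1]}")
        counts[label] += 1
    return dict(counts)


def random_sample(records, n, seed):
    """Statistical sampling, simple random: a fixed seed lets the selection be reproduced in the working papers."""
    return sorted(r["id"] for r in random.Random(seed).sample(records, n))


def systematic_sample(records, n, start):
    """Statistical sampling, systematic: every k-th record from a chosen start, k = population // n."""
    k = len(records) // n
    return [records[(start + i * k) % len(records)]["id"] for i in range(n)]


def analyse(records=PAYMENTS, as_of=date(2024, 3, 31)):
    """Run the tests an auditor would typically script against the extract."""
    return {
        "duplicates": duplicate_payments(records),
        "nulls": null_fields(records, ["invoice", "vendor"]),
        "total": total_value(records),
        "ageing": ageing(records, as_of),
        "random_sample": random_sample(records, 2, seed=7),
        "systematic_sample": systematic_sample(records, 3, start=1),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

Each function corresponds to one GAS operation, so the working papers can record which test produced which exception; the seeded random sample and the fixed systematic start are what make a selection reproducible on re-performance.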
Module : 1 - Information System Audit Process Chapter 3 IS Audit Tools & Techniques
Continuous Auditing Approach
Continuous auditing is a process through which an auditor evaluates the particular system(s) and thereby generates audit reports on real time basis.
Techniques for Continuous Auditing
Snapshot Integrated Test Facility (ITF) Systems Control Audit Review File
• e snapshot technique uses a series of sequential data captures referred to as snapshots. Integrated Test Facility (ITF) is a system in which a test pack is pushed through (SCARF)
• Digital pictures of procedures are saved and stored in the memory the production system affecting “dummy” entities. is technique involves embedding
• It is useful when an audit trail is required. Advantages of ITF specially written audit soware in the
Employed for: • Useful in identifying errors and problems that occur in the live environment and organisation’s host application systems
• Analysing and tracking down the ow of data that cannot be traced in the test environment so that the application systems are
• Documenting the logic, input/output controls of the application program sequence of processing. • Validate the accuracy of the system processing. monitored on a continuous basis.
Continuous and Intermittent Simulation Audit Audit Hook System Activity File Interrogation Embedded Audit Facilities
• In this technique, a simulator identi es transactions • Embedding audit modules in application system Producing a log of every event occurring in the system, Consist of program audit procedures inserted into the client’s
as per the prede ned criteria. to capture exceptions or suspicious transaction. both user and computer initiated. Report exceptional application programs and executed simultaneously. is technique
• It is most useful when transaction are to be • Helpful to auditor in identifying irregularities, items of possible audit interest such as unauthorised helps review transactions as they are processed and select items
identi ed as per pre-de ned criteria in a complex such as fraud or error before they gets out of access attempts, unsuccessful login attempts, changes according to audit criteria automatically write details of these items
environment. hand. to master records and the like. to an output le for subsequent audit examination.
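The audit hook, snapshot, SCARF and embedded audit facility techniques above share one mechanism: audit code that runs in line with application processing, keeps before/after images of the records it touches, and writes items matching predefined criteria to an output file for later examination. The block below is an added illustration of that mechanism; it is not from the chart-book. The master file, the transactions, the selection criteria (high value, after hours, self-approved) and their thresholds are constructed assumptions for the example.

```python
"""Added example (not from the chart-book): an embedded audit facility with an
audit hook, snapshot images and a SCARF-style exception file. Master file,
transactions, selection criteria and thresholds are constructed assumptions."""
import copy
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List


@dataclass
class AuditFacility:
    """Audit code embedded in the application: criteria are evaluated as each
    transaction is processed and matching items are written to an exception file."""
    criteria: Dict[str, Callable[[dict], bool]]
    exception_file: List[dict] = field(default_factory=list)
    snapshots: List[dict] = field(default_factory=list)

    def hook(self, txn, before, after):
        """Audit hook: called by the application right after a master record is updated."""
        hits = [name for name, test in self.criteria.items() if test(txn)]
        if hits:
            self.exception_file.append({"txn_id": txn["id"], "reasons": hits})
        # Snapshot: before/after image of the master record gives the audit trail.
        self.snapshots.append({"txn_id": txn["id"], "before": before, "after": dict(after)})
        return hits


def make_facility():
    """Selection criteria (assumed for the example): value, timing and segregation of duties."""
    return AuditFacility(criteria={
        "high_value": lambda t: t["amount"] > 10_000,
        "after_hours": lambda t: not (9 <= t["posted"].hour < 18),
        "self_approved": lambda t: t["entered_by"] == t["approved_by"],
    })


def process_transactions(master, transactions, facility):
    """Application processing loop; the audit facility runs simultaneously with it."""
    for t in transactions:
        acct = master[t["account"]]
        before = dict(acct)
        acct["balance"] += t["amount"]
        facility.hook(t, before, acct)
    return master


# Constructed master file and transaction file.
MASTER = {"A1": {"balance": 500.0}, "A2": {"balance": 20_000.0}}
TRANSACTIONS = [
    {"id": 101, "account": "A1", "amount": 250.0, "posted": datetime(2024, 3, 4, 10, 15),
     "entered_by": "u1", "approved_by": "u2"},
    {"id": 102, "account": "A2", "amount": 15_000.0, "posted": datetime(2024, 3, 4, 23, 40),
     "entered_by": "u3", "approved_by": "u3"},
    {"id": 103, "account": "A1", "amount": -100.0, "posted": datetime(2024, 3, 5, 14, 0),
     "entered_by": "u1", "approved_by": "u4"},
]


def run(master=MASTER, transactions=TRANSACTIONS):
    """Process a copy of the master file and return the facility with its exception file and snapshots."""
    facility = make_facility()
    process_transactions(copy.deepcopy(master), transactions, facility)
    return facility


if __name__ == "__main__":
    f = run()
    for item in f.exception_file:
        print("exception:", item)
    for snap in f.snapshots:
        print("snapshot:", snap)
```

The criteria are plain predicates, so the auditor can change what is selected without touching the application's own processing; the exception file and snapshot list are the outputs the auditor reviews afterwards, which is the separation the SCARF and embedded audit facility descriptions above rely on.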
Chapter 4: Application Controls Review of Business Applications (Module 1 - Information System Audit Process)

CHAPTER 4: APPLICATION CONTROLS REVIEW OF BUSINESS APPLICATIONS

Application Control
These applications are the interface between the user and business functions. Application controls help to:
• Safeguard assets
• Maintain data integrity
• Achieve organisational goals effectively and efficiently

Business Application Software: Selection Parameters
Key parameters of selection of business application software:
• Business Goal: E.g. Customer driven, social causes, capitalist mind-set.
• Nature of Business: E.g. Generate daily cash.
• Geographical spread: More spread, more robust software required. Robust means capability to work 24/7.
• Volume of transactions: As transaction volumes increase, the organisation needs business application software that can support the business for the next few years.
• Regulatory structure: Software which is capable of catering to the compliance requirements.

Types of Business Application
Classification of Business Application:
• Processing Type: Batch, Online, Real Time
• Source: In house, Brought-in
• Function: Covered below

Type of Business Application on basis of function
• Accounting Application: Used for accounting of day to day transactions; Generate Financial Information (E.g. Tally, Tally EX, UDYOG).
• Banking Application: Banking system has shifted to core banking business applications (referred to as CBS), E.g. FINACLE, FLEXCUBE, TCS BaNCS.
• ERP Application: Manage resources optimally; maximize Economy, Efficiency & Effectiveness.
• Payroll Application: Software that processes payrolls for employees.

Application Controls
"Application controls" are a subset of internal controls that relate to an application system and the information managed by that application. Timeliness, accuracy & reliability of information are dependent on the application systems used to generate, process, store and report the information. Information conforms to certain criteria, what COBIT refers to as business requirements for information.

Internal Controls
A process, effected by an organisation's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations, Reliability of financial reporting & Compliance with laws and regulations. COSO defines control activities as the policies and procedures that help ensure management directives are carried out.

Objectives of Application Controls
Application controls are intended to provide reasonable assurance that management's objectives relative to a given application will be achieved. Examples include:
(i) Completeness: Processes all transactions and the resulting information is complete.
(ii) Accuracy: Processing is accurate & resulting information is accurate.
(iii) Validity: Only valid transactions are processed.
(iv) Authorisation: Only appropriately authorised transactions are processed.
(v) Segregation of duties: Application provides for appropriate segregation of duties and responsibilities.

Information Criteria
Key business requirements for information, also called information criteria, need to be present in information generated. These are:
1. Effectiveness: Information being relevant and pertinent to the process as well as being delivered in a timely, correct, consistent and usable manner.
2. Efficiency: Provision of information through the optimal (most productive and economical) use of resources.
3. Confidentiality: Protection of sensitive information from unauthorised disclosure.
4. Integrity: Relates to the accuracy and completeness of information & its validity in accordance with business values and expectations.
5. Availability: Availability of information as and when required & also with the safeguarding of necessary resources.
6. Compliance: Complying with the laws, regulations and contractual arrangements to which the process is subject.
7. Reliability: Provision of appropriate information for management to operate the organisation and exercise its fiduciary and governance responsibilities.
Application Control Objectives and Control Practices

1. Source Data Preparation and Authorisation
Prepared by authorised and qualified personnel, taking into account segregation of duties regarding the origination & approval of documents.
• Design source documents to increase the accuracy with which data can be recorded, control the workflow and facilitate subsequent reference checking.
• Document procedures for preparing source data entry; ensure proper communication to appropriate and qualified personnel.
• Maintain a list of authorised personnel, including signatures.
• Source documents include standard components, contain proper documentation & are authorised by management.
• Assign a unique and sequential identifier to every transaction.
• Return documents that are not properly authorised / incomplete to the submitting originators for corrections & log the fact that they have been returned.

2. Source Data Collection and Entry
Correction and resubmission of data that were erroneously input should be performed without compromising original transaction authorisation levels.
• Communicate criteria for timeliness, completeness and accuracy of source documents.
• Use only pre-numbered source documents.
• Communicate who can input, edit, authorise, accept and reject transactions. Implement access controls and establish accountability.
• Procedures to correct errors, override errors and handle out-of-balance conditions.
• Generate error messages as close to the point of origin as possible. Transactions are not to be processed unless errors are corrected.
• Errors and out-of-balance reports are reviewed by appropriate personnel. Automated monitoring tools should be used to identify, monitor and manage errors.
• Source documents are safe-stored.

3. Accuracy, Completeness and Authenticity Checks
Validate data that were input, or send back for correction as close to the point of origination as possible.
• Transaction data are verified as close to the data entry point as possible.
• Controls may include sequence, limit, range, validity, reasonableness, table look-ups, existence, key verification, check digit, completeness, duplicate and logical relationship checks, time edits. Validation criteria and parameters should be subject to periodic reviews and confirmation.
• Establish access control.
• Segregation of duties for entry, modification and authorisation of transaction data.
• Report transactions failing validation and post them to a suspense file.
• Transactions failing edit and validation routines are subject to appropriate follow-up until errors are remediated. Allow for root cause analysis.

4. Processing Integrity and Validity
Detection of erroneous transactions does not disrupt the processing of valid transactions.
• Authorise the initiation of transaction processing. Only appropriate and authorised applications and tools are used.
• Processing is completely and accurately performed with automated controls.
• Transactions failing validation routines are reported and posted to a suspense file. Valid transactions are not delayed. Processing failures are kept to allow for root cause analysis.
• Transactions failing validation routines are followed up until the transaction is cancelled.
• Correct sequence of jobs has been documented and communicated to IT operations.
• Unique and sequential identifier for every transaction.
• Maintain the audit trail of transactions processed. For sensitive data the listing should contain before and after images.
• Maintain the integrity of data during unexpected interruptions in data processing with system and database utilities. Any changes are approved by the business owner.
• Adjustments, overrides and high-value transactions are reviewed by a supervisor.
• Reconcile file totals.

5. Output Review, Reconciliation and Error Handling
Output is handled in an authorised manner, delivered to the appropriate recipient and protected during transmission; verification, detection and correction of the accuracy of output occur.
• Follow defined procedures and consider privacy and security requirements.
• Take a physical inventory of all sensitive output.
• Match control totals in the header and/or trailer records of the output to balance with the control totals produced by the system to ensure completeness.
• Validate completeness and accuracy of processing before operations are performed.
• Business owners review the final output for reasonableness, accuracy and completeness.
• Where the application produces sensitive output, define who can receive it and label the output. Where necessary, send it to special access-controlled output devices.

6. Transaction Authentication and Integrity
Before passing a transaction, check the data for proper addressing, authenticity of origin and integrity of content.
• Establish an agreed-upon standard of communication and the mechanisms necessary for mutual authentication.
• Tag output from transaction processing applications to facilitate counterparty authentication, and allow for content integrity verification.
• Determine authenticity of origin. Maintain integrity during transmission.

Application and Control Objectives and Information Criteria (P = Primary, S = Secondary)
1 Source Data Preparation and Authorisation: S P S P S
2 Source Data Collection and Entry: S S S P S
3 Accuracy, Completeness and Authenticity Checks: S P S P S P P
4 Processing Integrity and Validity: P P P P P
5 Output Review, Reconciliation and Error Handling: P S P P P P P
6 Transaction Authentication and Integrity: S P P P
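The edit checks listed under Accuracy, Completeness and Authenticity Checks (sequence, limit, range, validity via table look-up, check digit, completeness, duplicate and logical relationship checks) and the suspense-file handling under Processing Integrity and Validity can be demonstrated together on one batch of input records. The Python below is an added example and not the chart-book's material: the order records, the reference customer table, the credit limit and the quantity range are constructed, and the check digit uses the mod-10 (Luhn) algorithm as an assumed choice, since the page names the check but not the algorithm.

```python
"""Added example (not from the chart-book): input edit checks applied to a
constructed batch of order records, with failures posted to a suspense file.
Reference data, limits and the mod-10 check-digit algorithm are assumptions."""

VALID_CUSTOMERS = {"C100", "C200", "C300"}   # table look-up / existence check (constructed)
CREDIT_LIMIT = 5000.0                         # limit check threshold (assumed)
QTY_RANGE = (1, 1000)                         # range check bounds (assumed)
REQUIRED = ("id", "customer", "qty", "unit_price", "card")


def luhn_ok(number):
    """Check digit: mod-10 (Luhn) verification, chosen here as the check-digit scheme."""
    if not number or not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(rec, seen_ids, last_id):
    """Return the names of the checks the record fails (empty list means clean)."""
    failed = []
    for f in REQUIRED:                                   # completeness
        if rec.get(f) in (None, ""):
            failed.append(f"completeness:{f}")
    rid = rec.get("id")
    if last_id is not None and rid != last_id + 1:       # sequence
        failed.append("sequence")
    if rid in seen_ids:                                  # duplicate
        failed.append("duplicate")
    if rec.get("customer") not in VALID_CUSTOMERS:       # validity via table look-up
        failed.append("validity:customer")
    qty, price = rec.get("qty"), rec.get("unit_price")
    if not (isinstance(qty, int) and QTY_RANGE[0] <= qty <= QTY_RANGE[1]):   # range
        failed.append("range:qty")
    if isinstance(qty, int) and isinstance(price, (int, float)) and qty * price > CREDIT_LIMIT:  # limit
        failed.append("limit:order_value")
    if rec.get("card") and not luhn_ok(str(rec["card"])):   # check digit
        failed.append("check_digit:card")
    if rec.get("discount", 0) > 0 and not rec.get("discount_code"):   # logical relationship
        failed.append("logical:discount_without_code")
    return failed


def validate_batch(records):
    """Accept clean records; post failing ones to a suspense file for follow-up."""
    accepted, suspense, seen = [], [], set()
    last_id = None
    for rec in records:
        failures = edit_checks(rec, seen, last_id)
        if failures:
            suspense.append({"id": rec.get("id"), "failures": failures})
        else:
            accepted.append(rec["id"])
        if isinstance(rec.get("id"), int):
            seen.add(rec["id"])
            last_id = rec["id"]
    return accepted, suspense


# Constructed batch: record 1 is clean, the others each exercise one or more checks.
ORDERS = [
    {"id": 1, "customer": "C100", "qty": 10, "unit_price": 20.0, "card": "79927398713"},
    {"id": 2, "customer": "C999", "qty": 5, "unit_price": 10.0, "card": "79927398713"},
    {"id": 4, "customer": "C200", "qty": 0, "unit_price": 50.0, "card": "79927398710"},
    {"id": 4, "customer": "C300", "qty": 100, "unit_price": 60.0, "card": "79927398713"},
    {"id": 5, "customer": "C100", "qty": 2, "unit_price": 5.0, "card": None, "discount": 10},
]

if __name__ == "__main__":
    ok, held = validate_batch(ORDERS)
    print("accepted:", ok)
    for item in held:
        print("suspense:", item)
```

Clean records continue into processing while the suspense entries carry the names of the failed checks, which is what lets the follow-up and root cause analysis the table calls for be done per check rather than per batch.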
Chapter 5: Application Controls Review of Specialised Systems (Module 1 - Information System Audit Process)

CHAPTER 5: APPLICATION CONTROLS REVIEW OF SPECIALISED SYSTEMS
As per SA 200, Compliance procedures are tests designed to obtain reasonable assurance that those internal controls on which audit reliance is to be placed are in effect. As per ISACA ITAF 1007 "Assertions", the IS Audit and assurance professional shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.

Review of Application Controls
Implemented for a specific business purpose. Assess whether the business objectives from implementing will be achieved.

Need for Application Controls
To draw conclusion on:
• How much reliance to put on the entity's business application system
• Planning IS audit procedures.

Review of Business Application Controls through use of Audit Procedures
SA 500 "Audit Evidence": The auditor, while designing tests of controls, shall see whether the controls so put in place are effective. Procedures used to obtain evidence include:
1. Inquiry and confirmation
2. Re-performance
3. Recalculation
4. Computation
5. Analytical Procedures
6. Inspection
7. Observation
8. Other Generally Accepted Methods
Inquiry and confirmation: Checklist to enquire and confirm whether controls are in place. Evaluate existence of controls.
Re-performance: Process test data to see how it responds.
Chapter 6: IT Enabled Assurance Services (Module 1 - Information System Audit Process)

CHAPTER 6: IT ENABLED SERVICES

Classification of Audits
• Systems and Applications: Secure input, processing, and output.
• Information Processing Facilities: Ensure timely, accurate, and efficient processing.
• Systems Development: Developed in accordance with generally accepted standards.
• Management of IT and Enterprise Architecture: Ensure a controlled and efficient environment.
• Compliance Audits: Conducted to evaluate whether specific regulatory or industry standards are complied with. Examples: Payment Card Industry Data Security Standard audits, Health Insurance Portability and Accountability Act (HIPAA) audit etc.
• Operational Audit: Evaluates the accuracy of internal controls of an application in operation or of logical security systems.
• Financial Audit: Assesses the accuracy of financial reporting. It often involves detailed, substantive testing.

IT Enabled Services
Inadequate IT management practices, the solution for each, and the opportunity it gives an IS Auditor:
• Policies should be drafted: Create appropriate policies.
• Procedures arise from the policies: Assist in development of the procedures.
• Appropriate application software selected: Assist in implementation. Participate in Project Management. Assist as scope Manager in the SDLC process.
• Business workflows enforced in the applications: Design and develop necessary workflows. Perform a BPR.
• Perform risk assessment and rank the risks: Identify those areas of high risk that need a higher attention.
• Ensure appropriate segregation of duties by ensuring the right access is given to the right employees: Design roles and responsibilities. Review existing roles and responsibilities. Identify conflicts.
• Training to be provided: Regarding new workflows, procedures.

Fraud
Establishment of a strong internal control environment is necessary to deter against fraud perpetration. For internal controls to be effective, they must be constantly evaluated for effectiveness and changed as business processes change.

Fraud Detection
Management is primarily responsible for the design of IT controls. A well-designed internal control system provides a good deterrence against frauds and an opportunity for their timely detection. Internal controls may fail where these are circumvented by exploiting vulnerabilities or through management facilitated weaknesses in controls or collusions. Legislations often cast significant responsibilities on management, IS Auditors and the audit committee regarding detection and disclosure of any fraud. IS Auditors should observe and exercise due professional care. IS Auditors should be aware of the possibility and means of perpetrating fraud; the IS Auditor may communicate the need for a detailed investigation.
Integrated Audits:
Combines nancial ,operational and other types of 1.Information Technology (Amendment) Act 2008: 2. LODR of SEBI: 3. CARO 2003:
audit to assess the overall objectives to safeguard an Casts responsibility on body corporates to protect sensitive Makes the top management accountable Requires verifying the adequacy of internal control procedures and
asset's efficiency and compliance. It can be performed personal information by implementing reasonable security for weaknesses in the internal control determining whether there were any continuing failures to correct
by internal as well as external auditors. practices and procedures. It also recognises and punishes systems. It requires CEOs and CFOs major weaknesses in internal controls. It also requires to report
Administrative Audits: offences committed by companies and individuals through to certify on the effectiveness of the whether any frauds on or by the company had been noticed or reported
Efficiency of operational productivity. the misuse of IT. Internal Controls. during the year.
IS Audits:
National Cyber Security Policy. aims at protecting information and information infrastructure in cyberspace and building capabilities to prevent and respond to cyber threats.
Forensic Audit:
Discovering, disclosing and following up on frauds Standard on Internal Audit (SIA) 11 (SA) 505 “External Con rmations” (SA) 580 “Written SIA 2 SA 240
and crimes. de nes Fraud as: Deals with the Auditors’ use of external Representations” Requires internal auditors Requires an auditor to
Specialized Audit: “An intentional act involving the use con rmation procedures to obtain Deals with the Auditor’s to use their knowledge evaluate whether the
Examine areas such as services performed by third of deception to obtain unjust or illegal audit evidence in accordance with responsibility to obtain and skills to reasonably information obtained
parties. advantage”. A fraud that involves use of the requirements of SA 330 and SA written representations enable them to identify from risk assessment
Control Self-Assessment: Computers and Computer Networks is 500. e reliability of audit evidence from the management and, fraud indicators. procedures and related
Conducted by the business process owners but called a Cyber fraud. ey need to have is in uenced by its source and is where appropriate, those SIA 11 activities indicate
facilitated by the auditors. setting the evaluation appropriate knowledge of relevant standards dependent on the circumstances in charged with governance.
SIA 11 de nes fraud and presence of fraud risk
criteria and executing the evaluation are carried out by and regulations as well as the various data which it was obtained. Audit evidence Written representations do
lays the responsibility factors.
the business owners themselves. analysis tools and techniques available. is more reliable when it is obtained not absolve the IS Auditor
for prevention and SA 315 requires an
Internal Audit/Compliance Reviews: Strengthening the system of internal controls from independent sources outside of from performing his duties
detection of frauds on the auditor to identify risks
Performed by a third party who is not involved in the is the best deterrence to frauds the entity being audited. while conducting the audit.
management and those of material misstatement
functioning of the enabler. More independent than a charged with governance. arising due to fraud.
self-assessment because the auditor is not involved in
SA 315 – Standard on Risk Assessment procedures issued by ICAI is also applicable for risk
the functioning of the enabler.
Functional Audit: assessment pertaining to IS Audit assignment. is requires that the IS Auditor perform Risk
Conducted to evaluate and determine the accuracy of Assessment Activities.
soware functionality.
Cyber Fraud Investigation
Cyber fraud investigation procedures are:
1. Collecting and analysing documentation.
2. Conducting interviews.
3. Data mining & digital forensics.
Assessment essentially involves:
1. Identifying significant risks
2. Assessing their likelihood and impact
3. Determining where, how and by whom they may be committed
4. Assessing whether existing controls would prevent their occurrence.

Cyber Fraud | Likelihood | Impact | Internal Controls
Theft - Unauthorised access to computer hardware (e.g. data centers, server rooms, network devices, etc.) | Low | High | 1. Key cards, 2. Security guards, 3. Visitor logs, 4. Circuit cameras, 5. Back up & recovery plans, 6. Physical access controls through biometrics, etc.
Identity theft - Unauthorised access to personal information of customers and employees (e.g. credit card information of customers, login IDs & passwords of employees, etc.) | Medium | High | 1. Unique user IDs, 2. Strict password policy, 3. IDS & firewalls, 4. Incident response policy, 5. Delete ex-employee access
Information theft - Unauthorised access to confidential information of the company (e.g. strategic plans, unpublished financial reports, etc.) | Medium | High | 1. Segregation of duties, 2. Access logs, 3. Transaction logs, 4. Security violation logs, 5. Encryption
Copyright infringement - Unauthorised access to software and databases (e.g. software piracy, peer-to-peer file sharing, etc.) | Medium | High | 1. Block peer-to-peer sharing, 2. Internet surveillance, 3. Software licensing, 4. Information sharing policy, 5. Protection of software code

Questions for assessments and reviews for each of the seven components adapted from COBIT 2019 are given below:
1. Policies and Procedures: Documented and approved Cyber Fraud Governance and Management Program.
2. Processes: Approved security policy; senior management conducts cyber fraud risk assessment regularly and remedial measures are implemented.
3. Organisation Structures: Clearly defined roles and responsibilities.
4. Culture, Ethics and Behaviour: Employee awareness programs and training.
5. Information Flows and Items: Proper reporting mechanism for notifying fraud concerns.
6. Services, Infrastructure and Applications: Use of technology.
7. People, Skills and Competencies: Expert teams to conduct periodic fraud investigations.
Cyber Forensics
Computer forensics is a process of identifying, preserving, analysing and presenting digital evidence in a manner legally acceptable in legal proceedings.

Digital Forensics
For evidence to be admissible in a court of law, the chain of custody needs to be maintained professionally. Any electronic document can be used as digital evidence, provided the contents of the digital evidence are in their original state and have not been tampered with or modified during the process of evidence collection and analysis. The chain of evidence essentially contains information regarding:
• Who had access to the evidence (in chronological order)?
• The procedures followed in working with the evidence (such as disk duplication, virtual memory dump etc.)
• Providing assurance that the analysis is based on copies that are identical to the original evidence.
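The three chain-of-custody requirements above (who had access, in what order; what procedure was applied; proof that work was done on identical copies) can be made checkable rather than merely documented. The following is an added illustration, not code from the chart-book or from any forensic tool: each custody entry carries the SHA-256 of the artefact the handler worked on plus the digest of the previous entry, so a modified copy, a back-dated entry or a removed entry all make verify() fail. The evidence bytes, examiner names and timestamps are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List


def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint an evidence image or a working copy."""
    return hashlib.sha256(data).hexdigest()


GENESIS = "0" * 64  # link value for the first custody entry (no predecessor)


@dataclass
class CustodyEntry:
    handler: str            # who handled the evidence
    action: str             # what was done (seizure, disk duplication, analysis ...)
    timestamp: str          # when, as an ISO-8601 string supplied by the caller
    artefact_digest: str    # SHA-256 of the image/copy the handler worked on
    prev_entry_digest: str  # SHA-256 of the previous entry: the chain link
    entry_digest: str = ""  # SHA-256 over this entry's own fields

    def compute_digest(self) -> str:
        payload = json.dumps(
            {
                "handler": self.handler,
                "action": self.action,
                "timestamp": self.timestamp,
                "artefact_digest": self.artefact_digest,
                "prev_entry_digest": self.prev_entry_digest,
            },
            sort_keys=True,
        ).encode()
        return sha256_hex(payload)


class ChainOfCustody:
    """Hash-chained custody log for one piece of digital evidence.

    Records who had access (in chronological order) and the procedure applied,
    and proves that each procedure ran on a copy identical to the original by
    comparing digests against the digest taken at seizure.
    """

    def __init__(self, evidence_id: str, original_image: bytes):
        self.evidence_id = evidence_id
        self.original_digest = sha256_hex(original_image)
        self.entries: List[CustodyEntry] = []

    def record(self, handler: str, action: str, artefact: bytes, timestamp: str) -> CustodyEntry:
        prev = self.entries[-1].entry_digest if self.entries else GENESIS
        entry = CustodyEntry(handler, action, timestamp, sha256_hex(artefact), prev)
        entry.entry_digest = entry.compute_digest()
        self.entries.append(entry)
        return entry

    def copy_is_identical(self, working_copy: bytes) -> bool:
        return sha256_hex(working_copy) == self.original_digest

    def verify(self) -> bool:
        """True only if no entry was altered, reordered or removed and every
        recorded artefact is bit-identical to the seized original."""
        prev = GENESIS
        for entry in self.entries:
            if entry.prev_entry_digest != prev:
                return False
            if entry.compute_digest() != entry.entry_digest:
                return False
            if entry.artefact_digest != self.original_digest:
                return False
            prev = entry.entry_digest
        return True


def demo() -> tuple:
    """Constructed walkthrough: a clean chain, then a modified copy, then a
    tampered log entry. Returns the three verify() results."""
    image = b"constructed evidence image: not a real disk"  # sample bytes, constructed
    chain = ChainOfCustody("EV-0001", image)
    chain.record("Examiner A", "seizure and imaging", image, "2024-01-05T09:00:00Z")
    chain.record("Examiner B", "disk duplication", bytes(image), "2024-01-05T11:30:00Z")
    clean = chain.verify()

    # A handler analysed a copy that differs from the original by one byte.
    chain.record("Examiner C", "analysis", image + b"\x00", "2024-01-06T08:15:00Z")
    modified_copy = chain.verify()

    # Back-dating the first entry breaks its digest and every later link.
    fresh = ChainOfCustody("EV-0001", image)
    fresh.record("Examiner A", "seizure and imaging", image, "2024-01-05T09:00:00Z")
    fresh.entries[0].timestamp = "2024-01-04T09:00:00Z"
    tampered_log = fresh.verify()
    return clean, modified_copy, tampered_log
```

The digest taken at seizure is the anchor: a working copy is acceptable for analysis only while copy_is_identical() holds, and verify() re-derives every link so that the log itself cannot be quietly edited after the fact. In practice the seizure digest would be recorded on a signed, write-once medium; that step is outside this example.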
Integrity and reliability of evidence can be maintained through:
• Identification of information that is available and might form the evidence.
• Retrieving identified information and preserving it. Requires being able to document the chain of custody.
• Analysis: involves extracting, processing and interpreting the evidence.
• Presentation to relevant parties for acceptance of evidence.

Fraud Investigation Tools and Techniques
Computer Assisted Audit Techniques (CAAT) are the most effective tools and techniques to detect fraud. Useful functions available in CAAT are:
1. Stratification: identify abnormal strata
2. Classification: identify abnormal patterns
3. Summarisation: compute totals
4. Outliers: outside normal range
5. Benford Law: identify possible fraud areas
6. Trend Analysis
7. Gap Test
8. Duplicate Test
9. Relation
10. Compare

Control Self Assessment
• Allows teams and their managers to directly assess the risk management & control processes.
• Major benefits of CSA are early detection of risks and more effective and improved internal controls.
• The IS Auditor's role in CSA is that of a facilitator.
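Several of the CAAT functions listed above are short enough to show end to end. The block below is an added example written for this page, not code from any CAAT product: it runs summarisation, stratification, the duplicate test, the gap test, a first-digit Benford comparison and a z-score outlier screen over a small constructed invoice ledger (the vendor codes, invoice numbers and amounts are made up; 1006 is deliberately booked twice and two sequence numbers are deliberately missing). The band boundaries and the z-score cut-off are assumptions an auditor would set per engagement.

```python
import math
import statistics
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample of vendor invoices (not real data). Invoice numbers are
# meant to be sequential; 1006 is booked twice and two numbers never appear.
TRANSACTIONS: List[Dict] = [
    {"invoice": 1001, "vendor": "V1", "amount": 1250.00},
    {"invoice": 1002, "vendor": "V2", "amount": 310.50},
    {"invoice": 1003, "vendor": "V1", "amount": 1875.00},
    {"invoice": 1005, "vendor": "V3", "amount": 2200.00},
    {"invoice": 1006, "vendor": "V2", "amount": 499.99},
    {"invoice": 1006, "vendor": "V2", "amount": 499.99},
    {"invoice": 1008, "vendor": "V4", "amount": 9800.00},
    {"invoice": 1009, "vendor": "V1", "amount": 120.00},
]


def summarise_by_vendor(txns: Iterable[Dict]) -> Dict[str, float]:
    """Summarisation: total amount booked per vendor."""
    totals: Dict[str, float] = {}
    for t in txns:
        totals[t["vendor"]] = round(totals.get(t["vendor"], 0.0) + t["amount"], 2)
    return totals


def stratify(amounts: Iterable[float], bounds: List[float]) -> Dict[str, int]:
    """Stratification: count amounts per band. An unusually heavy band
    (e.g. many invoices just under an approval limit) is an abnormal stratum."""
    labels = [f"<{bounds[0]}"] + [f"{lo}-{hi}" for lo, hi in zip(bounds, bounds[1:])] + [f">={bounds[-1]}"]
    counts = {label: 0 for label in labels}
    for a in amounts:
        idx = sum(1 for b in bounds if a >= b)  # number of boundaries at or below a
        counts[labels[idx]] += 1
    return counts


def duplicate_test(txns: Iterable[Dict], keys: Tuple[str, ...] = ("vendor", "amount")) -> List[Tuple[tuple, int]]:
    """Duplicate test: the same vendor and amount booked more than once."""
    counter = Counter(tuple(t[k] for k in keys) for t in txns)
    return [(key, n) for key, n in counter.items() if n > 1]


def gap_test(numbers: Iterable[int]) -> List[int]:
    """Gap test: sequence numbers missing between the lowest and highest seen."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def benford_first_digit(amounts: Iterable[float]) -> Dict[int, Tuple[float, float]]:
    """Benford's law: observed vs expected share of each leading digit.
    A large positive deviation flags an area for follow-up, not proof of fraud."""
    digits = [int(str(abs(a)).lstrip("0.")[0]) for a in amounts if a != 0]
    counts = Counter(digits)
    n = len(digits)
    return {d: (counts.get(d, 0) / n, math.log10(1 + 1 / d)) for d in range(1, 10)}


def outliers(amounts: List[float], z_limit: float = 2.0) -> List[float]:
    """Outliers: amounts more than z_limit population standard deviations from the mean."""
    mean = statistics.fmean(amounts)
    sd = statistics.pstdev(amounts)
    if sd == 0:
        return []
    return [a for a in amounts if abs(a - mean) / sd > z_limit]


def run_all(txns: List[Dict]) -> Dict[str, object]:
    """Run every test over the ledger and return the findings by name."""
    amounts = [t["amount"] for t in txns]
    return {
        "totals": summarise_by_vendor(txns),
        "strata": stratify(amounts, [500, 2000, 5000]),   # assumed bands
        "duplicates": duplicate_test(txns),
        "gaps": gap_test(t["invoice"] for t in txns),
        "benford": benford_first_digit(amounts),
        "outliers": outliers(amounts),                    # assumed z cut-off of 2
    }


if __name__ == "__main__":
    for name, result in run_all(TRANSACTIONS).items():
        print(name, result)
```

On this ledger the gap test reports 1004 and 1007, the duplicate test reports the repeated V2 invoice of 499.99, and the outlier screen isolates the 9800.00 item; the Benford shares are only meaningful on a population of thousands of items, which is why the WorldCom lesson later on this page (analyse the entire population, not a sample) matters for this technique in particular.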
1. THE $54 MILLION FRAUD
What happened?
She opened a secret account in the name of the city in which she was the only signatory, created false state invoices, wrote checks in the name of "Treasurer" from city funds, and transferred the amount to the secret account.
How it happened?
The treasurer of a town, Rita Crundwell, embezzled nearly $54 million over two decades and remained undetected in annual audits by two independent accounting firms and in annual audit reviews by state regulators.
Why it happened?
Due to lack of segregation of duties. In the absence of a city manager, Crundwell had a wide rein over the city's finances, and this set the stage for her massive fraud.
Lesson and tips:
Roles and responsibilities must be clearly defined and proper segregation of duties must be done to ensure that no single person can be maker as well as checker of a particular transaction flow. Auditors must ensure the existence of internal controls with systems designed to prevent or deter these types of frauds.

2. COSMOS BANK FRAUD
Malware sent to ATMs of Cosmos Bank (intended target).
• The malware created a proxy server which helped cloned debit cards to bypass the CBS.
• Fraudsters approved 14,800 transactions to withdraw Rs. 80.5 cr (2.5 cr in India).
• Another amount of 13.5 cr was transferred to a Hong Kong based entity through SWIFT.
Points to be noted:
• This happened because ATMs were running on Microsoft XP or other unsupported software.
• RBI instructed banks to upgrade their software by June 2019.

3. The Satyam Fraud
A case of manipulation of the books of account by inflating revenues through fake invoices. The company's standard billing systems were subverted to generate false invoices to show inflated sales. 7,561 invoices worth Rs. 51 billion (US$1.01 billion) were found hidden in the invoice management system using a Super User ID. The charge framed against the auditors was that they did not bring the internal control deficiencies to the notice of the audit committee.
Lesson to Auditor:
Auditors must remember that anything can be faked in this modern technology-driven world and that they need to continuously update their skills and knowledge in order to keep up with the new challenges.

4. WORLDCOM FRAUD
The assessee recorded expenses as investment and made bogus revenue entries to hide the falling profit.
Auditors of WorldCom:
• Applied data mining techniques to search data using small scripts and MS Access.
• They searched the entire population and found $500 million of debits in the PPE account for which invoices couldn't be found.
• Lesson: sampling is not recommended in fraud detection; rather, analysis of the entire population is required.
5. Bangladesh Central Bank Fraud
What Happened
• A malware attack was waged against Bangladesh Bank, the nation's central bank.
• 35 fraudulent instructions were issued by security hackers via the SWIFT network to illegally transfer close to US $1 billion from the Federal Reserve Bank of New York account belonging to Bangladesh Bank.
• The perpetrators managed to compromise Bangladesh Bank's computer network, observe how transfers are done, and gain access to the bank's credentials for payment transfers.
• They used these credentials to authorise about three dozen requests to the Federal Reserve Bank of New York to transfer funds from the account of Bangladesh Bank.
Lessons & Tips
• The key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems.
• The Governor of Bangladesh Bank stated that he had foreseen cyber security vulnerabilities one year earlier and had hired an American cyber security firm to bolster the firewall, network and overall cyber security of the bank. However, bureaucratic hurdles prevented the security firm from starting its operations.
Module 2: Governance and Management of Enterprise Information Technology, Risk Management, Compliance & BCM
CHAPTER 1: CONCEPTS OF GOVERNANCE AND MANAGEMENT OF IS
KEY CONCEPTS OF GOVERNANCE

Governance: processes and structures to inform, direct, manage and monitor the activities of the organisation towards the achievement of its objectives.

Enterprise Governance
ISO/IEC 38500: "The system by which organisations are directed and controlled." 'The set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the organization's resources are used responsibly.'

Conformance or Corporate Governance Dimension
• The conformance dimension of governance covers corporate governance issues such as: roles of the chairman and CEO, role and composition of the board of directors, board committees, controls assurance and risk management for compliance.
• Established oversight mechanisms for the board to ensure that good corporate governance processes are effective.
• Includes committees composed of independent non-executive directors, particularly the audit committee or its equivalent in countries where the two-tier board system is the norm.

Enterprise Governance Framework
Corporate governance (implemented by the Board), performance management, internal controls and enterprise risk management. The risk management strategy has to be adapted, and should be designed and promoted by the top management. Objectives of Enterprise Governance: benefit realisation, risk optimisation, resource utilisation.

Performance or Business Governance Dimension
• The performance dimension of governance is pro-active in its approach.
• Focuses on strategy and value creation with the objective of helping the board to make strategic decisions, understand its risk appetite and key performance drivers.
• This dimension does not lend itself easily to a regime of standards and assurance as it is specific to enterprise goals and varies based on the mechanism to achieve them.

Corporate Governance and Regulatory Requirements
• Companies Act, 2013 - Mandatory internal audit and reporting on Internal Financial Controls [section 138]. The Act requires the auditor's report to include "whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls".
• The Information Technology Act - Provisions relating to maintaining privacy of information, and compliance requirements imposed on management with penalties for non-compliance.
• The Sarbanes Oxley Act (SOX) - Implementation and review of internal controls as relating to financial audit.
• SEBI introduced a mandatory audit to ensure that this is maintained as per its norms by all listed companies as part of corporate governance.

Need for Corporate Governance
Corporate Governance is defined as the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder value by enhancing economic performance. Some key concepts of corporate governance are:
• It provides strategic direction.
• Clear assignment of responsibilities incorporating a hierarchy of required approvals.
• Mechanism for the interaction among the board of directors, senior management and the auditors.
• Implementing strong internal control systems, including internal and external audit functions and risk management functions.
• Monitoring of risk exposures.
• Financial and managerial incentives to act in an appropriate manner.
• Appropriate information flows internally and to the public.

Corporate Governance
Defined as the system by which a company or enterprise is directed and controlled to achieve the objective of increasing shareholder value by enhancing economic performance. It concerns relationships among the management, Board of Directors, the controlling shareholders and other stakeholders. Good corporate governance requires sound internal control practices such as segregation of incompatible functions, elimination of conflict of interest, establishment of an audit committee, risk management and compliance with the relevant laws and standards including corporate disclosure requirements. Directors of a company are accountable to the shareholders.

Corporate Governance Participants
• Board of Directors & Committees
• Risk & Performance Management
• Business Practices & Ethics
• Communication
• Disclosure & Transparency
• Monitoring
• Legal & Regulatory

Enterprise Governance of Information and Technology (EGIT)
A sub-set of corporate governance that facilitates implementation of a framework of IS controls within an enterprise as relevant and encompassing all key areas. The key benefit of using EGIT is that it provides a consistent approach integrated and aligned with the enterprise governance approach. IT also acts as a strategic partner which helps enterprises in achieving both competitive and strategic advantage.
The Reserve Bank of India issues guidelines covering various aspects of secure technology deployment. The guidelines are prepared based on various global best practices such as COBIT 2019 and ISO 27001. The Information Technology Rules, 2011 outline the need for maintaining secrecy of personal and sensitive information and identify ISO 27001 as "Reasonable Security Practices and Procedures" for implementing best practices.

Implementing EGIT
EGIT in organizations requires understanding the concepts of governance, IT deployment and how IT can be used to implement governance. EGIT is a blend of these concepts. Implementing EGIT requires establishing the right structures with defined roles and responsibilities and implementing relevant processes using best practices. Implementing EGIT from the conformance (corporate) perspective would require viewing the enterprise at macro level and considering not only the business but also the external linkages. In the case of performance (business), the enterprise has to be viewed at internal level with the focus on the processes and activities within the enterprise.

Area | Conformance (Corporate) | Performance (Business)
Scope | Board structure, roles and remuneration | Strategic decision making and value creation
Addressed via | Standards and codes | Best practices, tools and techniques
Auditability | Can be audited for compliance | Not easily auditable
Oversight mechanism | Audit Committee | Balanced scorecards

IT Governance Framework
Structures: roles and responsibilities, IT organisation structure, CIO on Board, IT strategy committee, IT steering committee(s).
Processes: Strategic Information Systems Planning, (IT) BSC, Information Economics, SLA, COBIT and ITIL, IT alignment/governance maturity models.
Relational mechanisms: active participation and collaboration between principal stakeholders, partnership rewards and incentives, business/IT co-location, cross-functional business/IT training and rotation.

Guidelines for Implementing EGIT
The COBIT 2019 implementation guide provides a systematic approach with defined phases and specific roles and responsibilities for implementing EGIT. This approach can be customized and used by any organization.

Governance, Risk and Compliance is a regulatory requirement, and this can be effectively implemented using well-established frameworks. There is a need to adopt a macro-level and architecture perspective for securing information and information systems. Senior management has to be involved in providing direction on how governance, risk and control are implemented using a holistic approach encompassing all levels from strategy to execution. The Board of Directors has to evaluate, direct and monitor effective use of I&T to achieve enterprise objectives. Best practices frameworks can be customized to meet stakeholder requirements. IS Auditors can assist management in implementing these frameworks. Management has to certify whether risk management and internal controls have been implemented as per organisation needs, and auditors have to certify whether this implementation is appropriate and adequate.
[Figure: COBIT 2019 process map; the diagram itself was not preserved in extraction. Objective names recoverable from the residue: APO08 Managed Relationships; APO09 Managed Service Agreements; APO10 Managed Vendors; APO11 Managed Quality; APO12 Managed Risk; APO13 Managed Security; APO14 Managed Data; BAI01 Managed Programs; BAI04 Managed Availability and Capacity; BAI05 Managed Organizational Change; BAI06 Managed IT Changes; BAI07 Managed IT Change Acceptance and Transitioning; BAI08 Managed Knowledge; BAI09 Managed Assets; BAI11 Managed Projects; DSS01 Managed Operations; DSS02 Managed Service Requests and Incidents; DSS03 Managed Problems; DSS04 Managed Continuity; DSS05 Managed Security Services; DSS06 Managed Business Process Controls; MEA02 Managed System of Internal Control; MEA03 Managed Compliance With External Requirements; MEA04 Managed Assurance. Focus areas shown: SME, Security, Risk, DevOps, etc.]
Key Management Practices of IT Compliance
Identify: Identify changes in local and international laws & regulations. Consider industry standards and codes of good practice.
Optimize
Confirm: Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements.
Obtain Assurance

Key Metrics for Assessing the Compliance Process
Compliance with External Laws and Regulations:
• Cost of IT non-compliance
• No. of IT-related non-compliance issues reported to the board or causing public comment
• Non-compliance issues relating to contractual agreements with IT service providers
• Coverage of compliance assessments
• Corrective actions to address compliance gaps are closed in a timely manner
IT Compliance with Internal Policies:
• Number of incidents related to non-compliance with policy;
• Percentage of stakeholders who understand policies;
• Percentage of policies supported by effective standards and working practices; and
• Frequency of policy reviews and updates.
Information Technology Act 2000
The Information Technology Act 2000 (Amended 2008) provides that any organization collecting PII shall be liable in case the absence of reasonable security of such information results in identity theft.

Addition with Section 43A
• Deals with compensation for failure to protect data.
• A body corporate dealing with sensitive personal data and negligent in security will have to pay compensation to the affected person.
Addition with Section 69B
• Deals with cyber security.
• This section gives the government the power to monitor, or authorise the monitoring of, any computer resource from which data/information traffic is occurring.
• The subscriber is to assist the government by providing data, otherwise liable to pay.
Addition with Section 70B
• Power to the central government to appoint the Indian Computer Emergency Response Team; this agency will do data collection, information analysis and forecasts, take emergency measures, ensure coordination and issue guidelines.
Addition with Section 72A
• Punishment for disclosure of information in breach of lawful contract.
General
• Enterprise-appointed designated officer/nodal officer/computer-in-charge to comply with the directions of the competent authority/agency; details of such designated officer/nodal officer to be readily available online.

Section 7A, Audit of documents in electronic form: where in any law there is a provision for audit of documents, that provision shall also be applicable for audit of documents maintained in electronic form.
Section 43A of the (Indian) Information Technology Act: it is important to note that no upper limit is specified for the compensation.
The IT Act 2008 punishes offences; Sections 66 to 66F and 67 deal with the following crimes:
• Sending offensive messages using electronic medium for unacceptable purposes
• Dishonestly receiving stolen computer resource
• Unauthorized access to computer resources
• Identity theft / cheating by personation using computer
• Violation of privacy
• Cyber terrorism / offences using computer
• Publishing or transmitting obscene material
Section 72A: imprisonment for a term extending to three years or a fine extending to INR 5,00,000 or both.
Strategic Alignment of IT with Business
Ensure that IT goals are aligned with the enterprise goals, that process goals are set for the IT goals and that metrics are designed for these. Alignment of the IT strategy with the organizational strategy tells us whether IT adds value to the organization or not.
Objective of IT Strategy: Alignment of the strategic IT plans with the business objectives is done by clearly communicating the objectives and associated accountabilities.

Aligning IT Strategy with Enterprise Strategy
• Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider the external environment.
• Assess the current environment, capabilities and performance: Assess current internal business and IT capabilities and external IT services; develop an understanding of the enterprise architecture.
• Define the target IT capabilities: Assessment of the current business process and IT environment and issues; consideration of best practices and validated emerging technologies.
• Conduct a gap analysis: Identify the gaps between the current and target environments and consider the alignment of assets with business outcomes.
• Define the strategic plan and road map: In cooperation with relevant stakeholders, define how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. IT should define the initiatives that will be required to close the gaps, the sourcing strategy, and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.
• Communicate the IT strategy and direction: To appropriate stakeholders and users throughout the enterprise.

Value Optimization
Achieved by ensuring optimization of the value contribution to the business from the business processes, IT services and IT assets. The benefit of implementing this process is that the enterprise is able to secure optimal value from I&T-enabled initiatives and services. Success of the process of ensuring business value from use of I&T can be measured by evaluating the benefits realized from I&T-enabled investments and how transparency of IT costs, benefits and risk is implemented.
Metrics for value optimization: percentage of I&T-enabled investments where claimed benefits are met or exceeded, etc.

Resource Optimization
The primary objective of implementing this process is to ensure that the resource needs of the enterprise are met in the most optimal manner, I&T costs are optimised, and there is an increased likelihood of benefit realization and readiness for future change.

Sourcing Processes
Sourcing is managed through suppliers and appropriate service agreements.
Manage service agreements: Align IT-enabled services and service levels with enterprise needs and expectations.
Manage suppliers: Ensure that IT-related services provided by all types of suppliers meet enterprise requirements.

Outsourcing
• IT is one of the key areas which is outsourced in part or in totality depending on the criticality of the processes.
• Some of the important tools which are used to manage and monitor IT service providers are performance targets, service level agreements (SLAs), and scorecards.
• It is critical to note that senior management cannot abdicate its ultimate responsibility for IT service delivery just because it has been outsourced, as the responsibility for compliance and ensuring performance vests with the enterprise.

Capacity Management & Growth Planning Processes
Capacity management is the process of planning, sizing and continuously optimising IS capacity in order to meet long- and short-term business goals in a cost-effective and timely manner. The capacity management or configuration management process is used in order to assess the effectiveness and efficiency of the IS operations.
Capacity includes:
• Storage space
• Network throughput
• Human resources
• Electronic messaging
• Customer Relationship Management
• Quantum of data processed
Benefits of good capacity management:
• Enhanced customer satisfaction
• Better justification of spending

Capex and Opex
Use of IT through outside vendors reduces capital expenditure but increases revenue expenditure. Capex stands for Capital Expenditures and is the money spent on generating physical assets. Opex stands for Operating Expenditures and refers to the day-to-day expenses required to maintain physical assets. Capex is what needs to be avoided, while Opex is something to be kept under tight control.
Strategic Scorecard
The Strategic Scorecard is a pragmatic and flexible tool that is designed to help boards to fulfil their responsibilities to contribute to and oversee strategy effectively. The enterprise governance framework helps understand the importance of both conformance and performance to the organization's long-term success. What the scorecard does is to give the board a simple, but effective process that helps it to focus on the key strategic issues.
• Summarizes the key aspects of the environment in which an organization is operating.
• Identifies the (key) strategic options that could have a material impact on the strategic direction of the organization and helps the board to determine which options will be developed further and implemented.

Strategic Position:
• Micro environment
• Threats from changes
• Business position
• Capabilities, e.g. SWOT analysis
• Stakeholders
Strategic Option:
• Scope change, e.g. area, product, market sector
• Direction change, e.g. high or low growth, price and quality offers
Strategic Implementation:
• Project milestones and timelines
• Pursue or abandon the plan, etc.
Strategic Risk:
• Informing the board on risks and how they are being managed
• Measurement of risks
• Internal controls
Approaches for project management
A project is initiated once it is approved. Project management practices, tools and control frameworks make it possible to manage all the relevant aspects of a large project, like planning, scheduling, resource management, risk management, sizing and estimation of efforts, milestone achievements, quality, deliverables and budget monitoring.
Standards: Project Management Body of Knowledge (PMBOK®) version 6, the IEEE standard and the Project Management Institute (PMI); Projects in a Controlled Environment (PRINCE2™) from the Office of Government Commerce (OGC) in the UK.
There are significant differences in scope, content and wording in each of these standards; each approach has its own pros and cons, and several elements are common. Some are focused on software development, others take a general approach; some focus on a holistic and systemic view, others are very detailed workflows including templates for document creation.
Capability Maturity Model Integration (CMMI): Process improvement approach that provides the enterprise with the essential elements of effective processes.
Level 0 Incomplete: Process is not implemented or fails to achieve its process purpose.
Level 1 Performed: Implemented process achieves its process purpose.
Level 2 Managed: Process is now implemented in a managed fashion; processes are appropriately established, controlled and maintained.
Level 3 Established: Previously described managed process is now implemented using a defined process capable of achieving its process outcomes.
Level 4 Predictable: Previously described process now operates within defined limits to achieve its process outcomes.
Level 5 Optimized: Previously described process is continuously improved to meet relevant current and projected business goals.
Portfolio/Program Management
Program: A program is a group of projects and/or time-bound tasks that are linked together through common objectives. Programs have a limited time frame (start and end date), predetermined budget, defined deliverables/outcomes. A program is more complex than a project and many times consists of multiple projects.
Portfolio: Group of all projects/programs (related or unrelated) carried out in an organisation.
Project/program management office (PMO): PMO governs the processes of project management but is not involved in management of project content. Includes management of: program scope, program financials (costs, resources, cash flow, etc.), schedules, objectives, context, communication, organization.
Organization Forms (depending upon the nature of business):
Functional org. influenced by the projects: These are business organizations that are involved in production of goods and services. Projects are undertaken to support the functional activities. For example, a manufacturing organization may want to automate administrative processes (like finance, HR, payroll etc.) using IT. The Project Manager has only a staff function without formal management authority and is only allowed to advise peers and team members as to which activities should be completed.
Projectised organization: They execute projects. For ex, an infrastructure development organization.
Matrix project organization: Most IT companies fall under such categories, where these organizations undertake projects to manage business functions for other organizations and also execute projects for customer organizations.
IS Auditor has to understand these organizational forms and their implications on controls in SDLC project management activities.
Example program/project hierarchy:
Sub-Program 1.1 (IT Asset and Risk Management)
  Project 1.1 (ISO 27001 accreditation)
  Project 1.1.1 (IT Asset Management and classification automation using service manager)
  Project 1.1.1 (IT Risk Management Outsourced FPP)
Sub-Program 2.1 (Web based services development)
  Project 2.1.1 (Supplier web service application development - SDLC)
  Project 2.1.2 (Customer Access and help desk - Web Based application - SDLC)
Sub-Program 2.2 (ERP Implementation)
  Project 2.2.1 (Standard ERP configuration and Pilot implementation at P1)
  Project 2.2.2 (ERP roll out at P2 to P5)
Project Initiation
Whenever stakeholders in the business or senior management decide to undertake computerization, a project will have to be initiated. For ex:
• New business application to address a new or existing business process: HR management system, billing system, order processing
• Adoption of a new technology invented: Internet based advertising for an advertising company.
• Application software: computerization of college admissions
• Migrating from a text-based computerized system to a GUI based system: old COBOL / XBASE based distributed banking to RDBMS based Core Banking system.
A project can be initiated from any part of the organization. A project is time bound, with specific start and end dates. A project sponsor and project manager are appointed to execute the further activities. These are compiled into terms of reference or a project charter that states the objective of the project. Approval of a project initiation or project request is authorization for a project to begin.
Major activities:
Project initiation team: To complete the project initiation activities.
Relationship with customer: To build stronger customer partnerships and also a higher trust level.
Plan for project initiation: Define the scope of the project.
Management procedures: To achieve successful completion of the project.
Project workbook and project management environment: To organize and collect the tools that will be used for managing the project. The project workbook is derived from charts, diagrams and description of the system. It serves as a repository for all project deliverables, inputs, outputs, correspondence, procedures, and standards established by the project.
Standard process for project management: prepare a formal Project Initiation Report that is presented to Senior Management or Board of Directors. Once accepted, this becomes the formal charter for the project and triggers the next phases of SDLC.
Project Management Methodology
• IT projects are divisible into pre-defined phases.
• Begins with the project charter and ends with the closure of the project.
• Organizations may adopt standard processes prescribed by globally accepted standards developed by organizations like PMI.
• Organizations following a standard project management process have a higher possibility of completing projects in time, within budget and with deliverables meeting the expected quality.
Project Context and Environment
• Organization may be running several projects at the same time.
• Relationships between these projects have to be established to identify common objectives for the business.
• This is a function of project portfolio management, to help in consolidating common activities.
Context is based on: • Importance of project deliverables to the organization's objectives • Relationship with other projects • Priority based on the business case • Start and end time of the project.
Project Communication and Culture
Success of a project depends upon timely communication with stakeholders and affected parties through: • One-on-one meetings • Kick-off meetings • Project start workshops • Periodic reporting.
The Project Manager develops and executes a communication plan so as to inform issues and concerns, if any, and to report project progress.
Project Objectives
To deliver the defined outcome/deliverables/product in time, within budget and of desired quality. Measurement of success depends upon clearly defining results that are specific, measurable, attainable, realistic and timely (SMART).
Work breakdown structure (WBS): WBS is a tool used for describing the project in terms of manageable and controllable units of work and forms the baseline for cost and resource planning.
Work packages (WP): Detailed specifications regarding the WBS can be used to develop work packages (WP). Each WP must have a distinct owner and a list of main objectives, and may have a list of additional objectives. The WP specifications should include dependencies on other WPs.
Task list: A list of actions to be carried out to complete each work package; includes assigned responsibilities and deadlines. Task lists, when merged together, form a project schedule.
Project schedules: Work documents containing the start and finish dates, percentage completed, task dependencies, and resource names of individuals planned to work on tasks.
Project Management Practices
• Many organizations prefer to adopt the practices based on global standards/best practices e.g. PMBOK, Prince2 etc.
• Successful project planning is a risk-based management process that is iterative in nature.
• Project management practices for SDLC projects also provide standards for systematic quantitative and qualitative approaches to software size estimating, scheduling, allocating resources and measuring productivity.
• Project management tools like MS Project can be adapted to implement techniques to assist the Project Manager in controlling the time and resources utilized during execution of the project.
Risk (based on impact): Business Benefits: the Project sponsor is responsible to mitigate the risk. Project itself: the Project manager.
Identify Risk: Brainstorming session with your team and create an inventory of possible risks.
Assess and Evaluate Risk: Quantify the likelihood as a percentage and the impact of the risk as an amount. The "insurance policy" (total impact) that needs to be in the project budget is calculated as the likelihood multiplied by the impact.
Manage Risk: The more important the risk, the more budget should be made available for counter-measures. Risk can be mitigated, avoided, transferred or accepted depending on its severity, likelihood and cost of counter-measures and the organization's policy.
Monitor risk: Watch for risk that materializes, and act accordingly.
Evaluate the Risk Management Process: Review and evaluate the effectiveness and costs of the Risk Management Process.
IS Auditor has to focus on the Risk Management Process as it provides detailed insight on the effectiveness of Project Management.
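The risk register below is an added example, not part of the chart-book: it applies the rule stated above (the "insurance policy" amount reserved for a risk is likelihood multiplied by impact) to a small set of constructed risks, ranks them so the largest exposures get attention first, and picks a response. The risks, amounts and the accept/mitigate/transfer thresholds are hypothetical; an organization would substitute its own policy.

```python
"""Project risk register (added example; risks, amounts and policy thresholds
are constructed, not taken from any real project)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    likelihood: float            # probability 0.0 - 1.0 (the page quantifies it as a percentage)
    impact: float                # monetary loss if the risk materialises
    countermeasure_cost: float   # cost of the planned counter-measure

    @property
    def exposure(self) -> float:
        """Expected loss = likelihood x impact: the 'insurance policy' amount."""
        return self.likelihood * self.impact


def response_for(risk: Risk, accept_below: float) -> str:
    """Hypothetical policy: accept small exposures; mitigate when the counter-measure
    costs less than the exposure it removes; otherwise transfer (e.g. insure)."""
    if risk.exposure < accept_below:
        return "accept"
    if risk.countermeasure_cost < risk.exposure:
        return "mitigate"
    return "transfer"


def build_register(risks, accept_below: float = 1000.0):
    """Risks ranked by exposure, highest first, with the chosen response."""
    ranked = sorted(risks, key=lambda r: r.exposure, reverse=True)
    return [(r.name, round(r.exposure, 2), response_for(r, accept_below)) for r in ranked]


def risk_budget(risks) -> float:
    """Total 'insurance policy' to reserve in the project budget."""
    return round(sum(r.exposure for r in risks), 2)


SAMPLE_RISKS = [  # constructed sample data
    Risk("Key developer leaves", likelihood=0.30, impact=50_000, countermeasure_cost=8_000),
    Risk("Vendor delivers late", likelihood=0.50, impact=20_000, countermeasure_cost=15_000),
    Risk("Minor UI defects at go-live", likelihood=0.80, impact=1_000, countermeasure_cost=500),
    Risk("Data centre outage during cut-over", likelihood=0.05, impact=400_000, countermeasure_cost=60_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(row)
    print("budget reserve:", risk_budget(SAMPLE_RISKS))
```

Note that the ranking is by expected loss, so the low-likelihood but catastrophic outage comes first; reviewing that ordering against the sponsor's view of business impact is exactly the evaluation step the page assigns to the IS auditor.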
Project Closing
Projects should be formally closed to provide accurate information on project results, improve future projects and allow an orderly release of project resources. Project closure is to be planned in two situations:
(a) Project deliverables are completed.
(b) Project is suffering from risk materialization and has to be terminated: changes in functional requirements, obsolescence of planned technology, availability of new technology, unforeseen budget constraints, strategy changes etc. Closure is planned depending upon the status of the project.
1. Project Sponsor should be satisfied that the system produced is acceptable.
2. Custody of contracts may need to be assigned.
3. Survey the project team, development team and users to identify any lessons learned that can be applied to future projects.
4. Achievement of objectives; adherence to the schedule, costs, and quality of the project.
5. Post project review in which lessons are learned.
6. Release of project teams.
IS Auditor conducting a review after project closure looks at: objectives achieved, time overrun, cost overrun, quality of deliverables.
Note:-
1. Characteristics of a well coded program
Reliability: Consistency with which a program operates over a period of time. However, poor setting of parameters and hard coding could result in the failure of a program.
Efficiency: Performance per unit cost with respect to relevant parameters; it should not be unduly affected by the increase in input values.
Robustness: Application's strength to perform operations in adverse situations by taking into account all possible inputs and outputs.
Usability: It refers to a user-friendly interface and easy-to-understand internal/external documentation.
Accuracy: Ability to take care of 'what it should not do'. This is of great interest for quality control personnel and auditors.
Readability: It refers to the ease of maintenance of a program even in the absence of the program developer.
2. Role of IS Auditor in development phase:
• Ensure that documentation is complete.
• Review QA report on adoption of coding standards by developers.
• Review the testing and ensure bugs found are reported and sent for rework to developers.
3. Some key aspects of development:
Program Coding Standards:
• The logic of the program outlined in the flowcharts is converted into program statements or instructions.
• For each language, there are specific rules concerning format and syntax.
• Syntax means vocabulary, punctuation and grammatical rules.
• Programmer turnover.
• Standards provide simplicity, interoperability, compatibility, efficient utilization of resources and reduce processing time.
Programming Language: Application programs are coded in the form of statements, then converted by the compiler to object code for the computer to understand and execute.
• High-level general-purpose: COBOL and C
• Object oriented: C++, JAVA
• Scripting language: JavaScript, VBScript
• Decision Support or Logic: LISP and PROLOG
4. Software Escrow
The objective of software escrow is to address the risk of the closure of vendors of customized written software.
Parties: Developer (Licensor), Escrow Agent, End User (Licensee).
Proprietary materials include:
• Two copies of the Source Code on magnetic media
• All manuals not provided to the licensee
• Maintenance tools and necessary third-party system utilities
• Detailed descriptions of necessary non-licensor proprietary software
• Names and addresses of key technical employees that a licensee may hire
• Compilation instructions in written format or recorded on video format.
SDLC MODELS
1. Waterfall Model
The phases include requirements analysis, specifications and design requirements, coding, final testing, and release. The traditional approach is applied: an activity is undertaken only when the prior step is completed.
Key characteristics
• Project is divided into sequential phases, with some overlap and splash back acceptable between phases.
• Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time.
• Tight control is maintained over the life of the project through the use of extensive written documentation, as well as through formal reviews and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase.
Strengths:
• Supporting less experienced project teams.
• Orderly sequence of development to ensure the Quality, Reliability, Adequacy and Maintainability of the developed software.
• System development can be tracked and monitored easily.
• Conserves resources.
Weaknesses:
• Inflexible, slow, costly, and cumbersome due to significant structure and tight controls.
• Project progresses forward, with only slight movement backward.
• Little room to iterate, which is essential in some situations.
• Early identification and specification of requirements; users may not be able to clearly define 'what they need early in the project'.
• Requirement inconsistencies, missing system components and unexpected development needs discovered during design and coding are most difficult to handle.
• Problems are often not discovered until system testing.
• System performance cannot be tested until the system is almost fully coded, and under capacity may be difficult to correct.
• It is difficult to respond to changes which may occur later in the life cycle, and if undertaken they prove costly and are thus discouraged.
• Written specifications are often difficult for users to read and thoroughly appreciate.
• It promotes the gap between users and developers with clear vision of responsibility.
2. Incremental Model
The model is designed, implemented and tested incrementally. This model combines the elements of the waterfall model with the iterative philosophy of prototyping. The product is decomposed into a number of components, each of which is designed and built separately (termed as Builds). Each component is delivered to the client when it is complete. This allows partial utilization of the product and avoids a long development time. It also creates a large initial capital outlay, and the subsequent long wait is avoided.
Key Features
• A series of mini-Waterfalls are performed, where all phases of the Waterfall development model are completed for a small part of the system, before proceeding to the next increment.
• Mini-Waterfall development of individual increments of the system.
• The initial software concept, requirement analysis, and design of architecture and system core are defined using the Waterfall approach, followed by Iterative Prototyping, which culminates in installation of the final prototype.
Strengths:
• Potential exists for exploiting knowledge gained in an early increment as later increments are developed.
• Moderate control is maintained over the life of the project through the use of written documentation and the formal review and approval/signoff.
• Concrete evidence of project status throughout the life cycle.
• Flexible and less costly to change scope and requirements.
• Gradual implementation provides the ability to monitor the effect of incremental changes, isolate issues and make adjustments.
Weaknesses:
• When utilizing a series of mini-Waterfalls for a small part of the system before moving on to the next increment, there is usually a lack of overall consideration of the business problem and technical requirements for the overall system.
• Each phase of an iteration is rigid and does not overlap the others.
• Since some modules will be completed much earlier than others, well-defined interfaces are required.
Application Programming Interface (API): Historically, software written in one language on a particular platform has used a dedicated Application Programming Interface (API). The use of specialized APIs has caused difficulties in integrating software modules across platforms.
Remote Procedure Calls (RPCs): Component Based Technologies such as CORBA and COM that use Remote Procedure Calls (RPCs) have been developed to allow real-time integration of code across platforms.
Simple Object Access Protocol (SOAP): An XML language used to define APIs. SOAP will work with any operating system and programming language that understands XML. SOAP is simpler than using the more complex RPC-based approach.
Web Services Description Language (WSDL): It is also based on XML. Used to identify the SOAP specification that is to be used for the code module API. Used to identify the particular web service accessible via a corporate intranet or across the Internet by being published to a relevant intranet or Internet web server.
Prototyping Methodology
In order to avoid such bottlenecks and overcome the issues, organizations are increasingly using prototyping techniques to develop smaller systems such as DSS, MIS and Expert systems. The goal of the prototyping approach is a prototype that may be a usable system or system component that is built quickly and at a lesser cost. As users work with the prototype, they learn about the system criticalities and make suggestions about the ways to manage it. These suggestions are then incorporated to improve the prototype, which is again used and evaluated. Finally, when a prototype is developed that satisfies all user requirements, either it is refined and turned into the final system or it is scrapped.
Generic Phases of Model
Identify Information System Requirements: In the traditional approach, all the system requirements are to be identified first; the design team needs only fundamental system requirements to build the initial prototype.
Develop the Initial Prototype: The designers create an initial base model and give little or no consideration to internal controls, but instead emphasize system characteristics such as simplicity, flexibility, and ease of use. This allows users to interact with tentative versions of data entry display screens, menus, input prompts, and source documents. The users also need to be able to respond to system prompts, make inquiries, judge response times of the system, and issue commands.
Test and Revise: After finishing the initial prototype, the designers first demonstrate the model to users and then give it to them to experiment, and ask users to record their likes and dislikes about the system and recommend changes. Using this feedback, the design team modifies the prototype as necessary and then re-submits the revised model to system users for re-evaluation. Thus, the iterative process of modification and re-evaluation continues until the users are satisfied.
Obtain User Signoff of the Approved Prototype: Users formally approve the final version of the prototype; this confirms the current design and establishes a contractual obligation about what the system will, and will not, do or provide. Prototyping is not commonly used for developing traditional MIS and batch processing type of applications such as accounts receivable, accounts payable, payroll, or inventory management, where the inputs, processing, and outputs are well known and clearly defined.
Strengths:
• It improves user participation in system development.
• It is especially useful for resolving unclear objectives and requirements.
• Potential exists for exploiting knowledge gained in an early iteration as later iterations are developed.
• It helps to easily identify confusing or difficult functions and missing functionality.
• It enables the generation of specifications for a production application.
• It encourages innovation and flexible designs.
• It provides for quick implementation of an incomplete, but functional, application.
• It typically results in a better definition of users' needs and requirements than does the traditional systems development approach.
• A very short time period is normally required to develop and start experimenting with a prototype. This short time period allows system users to immediately evaluate proposed system changes.
• As a result, the information system ultimately implemented should be more reliable and less costly to develop than when the traditional systems development approach is employed.
Weaknesses:
• Approval process and control are not formal.
• Prototyping makes use of the expertise of both the user and the analyst, thus ensuring better analysis and design, and prototyping is a crucial tool in that process.
• Prototype has one major drawback. Many a time users do not realize that the prototype is not the actual system or code but is just a model.
• Users may think that the system is ready, whereas actual development starts only after the prototype is approved. Hence, the actual system may require time before it is ready for implementation and use.
• In the meantime, users may get restless and wonder why there is so much delay.
Desk Check: In this, the programmer himself checks for logical/syntax errors & deviation from coding standards.
Structured Walk-through: In this, the application developer leads other programmers through the text of the program & explanation.
Code Inspection: Program is reviewed by a formal committee with formal checklists.
A. Bottom-up integration: This approach starts with individual modules and then covers the full system. For ex: in the above example of Internet Banking it will test communication between different modules using the smallest level of module like saving bank account, fund transfer and then statement of accounts to ensure the previous transaction reflects in the statement, and so on. The disadvantage is that testing of major decisions/control points is deferred to a later period.
B. Top-down Integration:
• Testing starts with the main routine and stubs are substituted for subordinate modules.
• An incomplete portion of code put under a function is a stub, allowing the function and program to be compiled and tested.
• Once the main module is complete, stubs are replaced with real modules one by one for testing.
• This process continues until atomic modules are reached.
• Stub testing is suitable for prototype-based development.
Load Testing
• Load testing tests software by applying maximum load and manipulating large input data.
• It is done during normal and peak conditions to evaluate system performance.
• Load testing identifies the software's maximum capacity and behavior at peak time.
• Automated tools like Load Runner, Apache JMeter, Silk Performer, Visual Studio Load Test etc. are commonly used for load testing.
• Virtual Users (V Users) are defined in the automated testing tool to verify the load testing.
• The number of users can be increased or decreased based on requirements.
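The following is an added example, not code from the chart-book, that walks through both integration orders on a constructed toy version of the Internet Banking modules named above (savings account, fund transfer, statement of accounts). In the top-down run the main routine (statement of accounts) is exercised first against stubs that return canned answers, then the stubs are replaced by the real modules; in the bottom-up run the atomic savings-account module is tested alone, then the pair, then the full chain. All module names and balances are assumptions for the illustration.

```python
"""Top-down (stub) and bottom-up integration testing (added example; the
banking modules and balances are constructed for illustration)."""


# ---- real modules (constructed) -------------------------------------------
class SavingsAccount:
    """Atomic module: holds balances keyed by account id."""

    def __init__(self, balances):
        self.balances = dict(balances)

    def debit(self, acct, amount):
        if self.balances.get(acct, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[acct] -= amount

    def credit(self, acct, amount):
        self.balances[acct] = self.balances.get(acct, 0) + amount

    def balance(self, acct):
        return self.balances[acct]


class FundTransfer:
    """Subordinate module: moves money and records the transaction."""

    def __init__(self, accounts):
        self.accounts = accounts
        self.log = []

    def transfer(self, src, dst, amount):
        self.accounts.debit(src, amount)   # debit first: a failed debit leaves no partial state
        self.accounts.credit(dst, amount)
        self.log.append((src, dst, amount))
        return len(self.log)


class StatementOfAccounts:
    """Main routine: the previous transaction must reflect in the statement."""

    def __init__(self, transfers, accounts):
        self.transfers = transfers
        self.accounts = accounts

    def statement(self, acct):
        lines = [f"{s}->{d}:{a}" for s, d, a in self.transfers.log if acct in (s, d)]
        return {"account": acct, "balance": self.accounts.balance(acct), "transactions": lines}


# ---- stubs: incomplete subordinate modules that still let the program run ---
class StubAccounts:
    def balance(self, acct):
        return 100                       # canned answer, no real ledger behind it


class StubTransfer:
    log = [("A", "B", 25)]               # fixed transaction history


def run_top_down():
    """Stage 1: main routine with stubs. Stage 2: stubs replaced by real modules."""
    stage1 = StatementOfAccounts(StubTransfer(), StubAccounts()).statement("A")
    accounts = SavingsAccount({"A": 100, "B": 0})
    transfer = FundTransfer(accounts)
    transfer.transfer("A", "B", 25)
    stage2 = StatementOfAccounts(transfer, accounts).statement("A")
    return stage1, stage2


def run_bottom_up():
    """Atomic module alone, then transfer + account, then the full chain."""
    accounts = SavingsAccount({"A": 100, "B": 0})
    accounts.debit("A", 25)
    accounts.credit("B", 25)
    assert accounts.balance("A") == 75 and accounts.balance("B") == 25   # level 1
    transfer = FundTransfer(SavingsAccount({"A": 100, "B": 0}))
    assert transfer.transfer("A", "B", 25) == 1                          # level 2
    return StatementOfAccounts(transfer, transfer.accounts).statement("B")  # level 3
```

The stub stage shows the top-down trade-off the page notes for bottom-up in reverse: the main routine's control logic is exercised early, but the stub balance of 100 is not a real result, so the statement only becomes meaningful once the real modules are substituted in stage 2.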
Regression Testing
Each time a new module is added or any modification is made in software, it changes. New data flow paths are established; new input, output & control logic are invoked. These changes may cause problems with functions that previously worked flawlessly. Regression testing ensures that changes or corrections have not introduced new faults. It uses the same data as used in the original test.
System Testing
A process in which the system is tested. It begins either when the software as a whole is operational or when well-defined subsets of the software's functionality have been implemented. Its purpose is to ensure that the new or modified system functions properly. This test is conducted in a non-production test environment. The types of system testing are as follows:
A. Recovery Testing: It tests how well the application is able to recover from crashes, hardware failure & other similar problems. It is the forced failure of the software in a variety of ways to verify that recovery is properly performed.
B. Security Testing: It is the process to determine that the information system protects data & maintains intended functionality. It covers basic security concepts like Confidentiality, Integrity, Authentication, Authorization & Availability. It ensures existence & execution of access control in the new system.
C. Stress Testing: It is used to determine the stability of a given system. It involves testing beyond normal operational capacity, often to a breaking point, to observe the result. It is performed by inputting a large quantity of data during peak hours to test its performance.
D. Performance Testing: Performed on various parameters like response time, speed of processing, effectiveness of use of resources (RAM, CPU etc.), network, etc. It compares the new system's performance with that of a similar system using well-defined benchmarks.
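As an added example (not from the chart-book), here is what a security test of the kind described in B looks like when written as code: a constructed toy account service enforces authentication (a session token), confidentiality (a customer reads only their own record) and integrity/authorization (only an officer may change a balance), and `security_test()` checks that each control both exists and actually executes, returning a pass/fail map. The service, users, roles and passwords are all assumptions for the illustration.

```python
"""Security testing of access control in a new system (added example; the
service, users, roles and credentials below are constructed)."""
import hashlib
import hmac
import secrets


class PermissionDenied(Exception):
    pass


def make_credentials(plain):
    """Constructed credential store: username -> (salt, sha256(salt + password))."""
    store = {}
    for user, pw in plain.items():
        salt = secrets.token_bytes(8)
        store[user] = (salt, hashlib.sha256(salt + pw.encode()).hexdigest())
    return store


class AccountService:
    """System under test: every call needs a valid token; customers may read only
    their own record; only the 'officer' role may change a record."""

    def __init__(self, credentials):
        self._creds = credentials
        self._records = {"alice": {"balance": 100}, "bob": {"balance": 50}}
        self._roles = {"alice": "customer", "bob": "customer", "carol": "officer"}
        self._sessions = {}                      # token -> username

    def login(self, username, password):
        salt, digest = self._creds[username]
        candidate = hashlib.sha256(salt + password.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):   # constant-time comparison
            raise PermissionDenied("bad credentials")
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def _who(self, token):
        if token not in self._sessions:
            raise PermissionDenied("not authenticated")  # authentication check
        return self._sessions[token]

    def read(self, token, owner):
        user = self._who(token)
        if user != owner and self._roles[user] != "officer":
            raise PermissionDenied("not authorised")     # confidentiality: no cross-user reads
        return dict(self._records[owner])

    def update(self, token, owner, balance):
        user = self._who(token)
        if self._roles[user] != "officer":
            raise PermissionDenied("not authorised")     # integrity: only officers change data
        self._records[owner]["balance"] = balance


def security_test():
    """Exercise each control; returns {check name: passed}. Every value should be True."""
    svc = AccountService(make_credentials({"alice": "pw-a", "bob": "pw-b", "carol": "pw-c"}))

    def denied(action):
        try:
            action()
            return False
        except PermissionDenied:
            return True

    results = {}
    results["authentication: wrong password rejected"] = denied(lambda: svc.login("alice", "wrong"))
    results["authentication: forged token rejected"] = denied(lambda: svc.read("deadbeef", "alice"))
    alice = svc.login("alice", "pw-a")
    results["confidentiality: cross-user read denied"] = denied(lambda: svc.read(alice, "bob"))
    results["authorisation: own record readable"] = svc.read(alice, "alice") == {"balance": 100}
    results["integrity: customer cannot update"] = denied(lambda: svc.update(alice, "alice", 999))
    carol = svc.login("carol", "pw-c")
    svc.update(carol, "alice", 120)
    results["authorisation: officer update applied"] = svc.read(carol, "alice") == {"balance": 120}
    return results
```

The negative checks are the important ones for an auditor: a test suite that only shows the officer succeeding proves the control exists, while the denied cases prove it executes.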
A Configuration Management Tool supports change and release management by supporting the following activities:
1. Identification of items affected by a proposed change
2. Help in impact assessment by providing information
3. Recording configuration items affected by changes
4. Implementation of changes as per authorization
5. Registering of configuration item changes when authorized changes and releases are implemented
6. Recording of original configuration to enable rollback if an implemented change fails
7. Preparing a release to avoid human errors and resource costs
Software Configuration Management requires the following tasks to be performed:
1. Develop Configuration Management Plan.
2. Baseline Application and Associated Assets.
3. Analyze results of Configuration Control.
4. Develop Monitoring of Configuration Status.
5. Develop Release Procedures.
6. Define and implement Configuration Control activities (such as identification and recording of Change Requests).
7. Update the Configuration Status Accounting Database.
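The following added example (not the chart-book's, and not any real tool's API) shows the tool activities listed above in miniature: a baseline of configuration items is recorded, a change request's impact is identified through declared dependencies, only an authorised change is applied, the result is verified, and a failed change is rolled back to the recorded original while every outcome is written to a status-accounting log. The items, change requests and health check are constructed.

```python
"""Configuration items with baseline, authorised change, verification and
rollback (added example; items, change requests and checks are constructed)."""
import copy
import hashlib
import json


class ConfigurationManagement:
    def __init__(self, items):
        self.items = copy.deepcopy(items)        # current configuration items
        self.baseline = copy.deepcopy(items)     # recorded original, used for rollback
        self.status_accounting = []              # (change id, outcome) records

    @staticmethod
    def fingerprint(items):
        """Short stable hash so a release can be identified in the status log."""
        return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()[:12]

    def impact(self, change):
        """Items a change touches plus every item that declares a dependency on them."""
        touched = set(change["updates"])
        dependants = {n for n, ci in self.items.items()
                      if touched & set(ci.get("depends_on", []))}
        return sorted(touched | dependants)

    def apply(self, change, verify, authorised):
        """Apply only an authorised change; verify afterwards; roll back on failure."""
        if not authorised:
            self.status_accounting.append((change["id"], "rejected: not authorised"))
            return False
        before = self.fingerprint(self.items)
        for name, new_values in change["updates"].items():
            self.items[name].update(new_values)
        if verify(self.items):
            after = self.fingerprint(self.items)
            self.status_accounting.append((change["id"], f"implemented {before}->{after}"))
            self.baseline = copy.deepcopy(self.items)   # successful release becomes the new baseline
            return True
        self.items = copy.deepcopy(self.baseline)       # rollback to the recorded original
        self.status_accounting.append((change["id"], "rolled back: verification failed"))
        return False


SAMPLE_ITEMS = {  # constructed
    "web": {"version": "1.0", "depends_on": ["db"]},
    "db": {"version": "12", "port": 5432},
}


def demo():
    cm = ConfigurationManagement(SAMPLE_ITEMS)
    ok_change = {"id": "CR-1", "updates": {"db": {"version": "13"}}}
    bad_change = {"id": "CR-2", "updates": {"db": {"port": 0}}}      # would break the service
    healthy = lambda items: items["db"]["port"] > 0                   # constructed post-change check
    return {
        "impact_cr1": cm.impact(ok_change),
        "cr1": cm.apply(ok_change, healthy, authorised=True),
        "cr2": cm.apply(bad_change, healthy, authorised=True),
        "db_after": cm.items["db"],
        "log": [outcome for _, outcome in cm.status_accounting],
    }
```

The point of keeping `baseline` separate from `items` is activity 6 above: without a recorded original there is nothing to roll back to, and the status log is what later lets an auditor reconcile what was authorised against what is actually deployed.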
Post-implementation review
Process of determining and evaluating whether the system is working as per the requirements and objectives of the business. The objective of these reviews is to see how far the project meets its requirements and is aligned with business needs. Also used to find out the outcomes and faults, which can be used in future to improve performance. IS auditors should focus on adequacy and effectiveness of the security controls during these reviews.
Designs and Implementation of Application Controls
Management should identify control requirements based on business risks and include them in functional requirements.
Management can optimize control design through a balance of various control activities, such as:
• Choosing whether a control should be manual, automated, or a hybrid
• Deciding whether to design a control to prevent errors or detect them
• Determining the frequency, proximity, and role of individuals in control activities
• Assessing the cost-benefit of adding control activities to reduce risks.
Testing of control activities is essential to ensure they operate as intended, and should be included in system accreditation activities. A clearly documented trail of testing automated application controls and manual controls associated with hybrid controls can provide necessary evidence to demonstrate their effective operation and reinforce their viability and user understanding.
Business management and IT management share responsibility for designing and implementing Application Controls, with business management accountable for ensuring control requirements are met and IT management responsible for developing controls in line with requirements.
APPLICATION CONTROLS AND THE SYSTEM DEVELOPMENT LIFE CYCLE
• Various SDLC models exist for application development or acquisition, including the popular Waterfall and Agile approaches.
• Waterfall is based on sequential phases of development, while Agile includes multiple iterations of small pieces of functionality.
• Regardless of the SDLC approach, integrating design, development, and implementation of Application Controls is crucial.
• Defining Application Controls should be a discrete step in each SDLC process, along with steps associated with defining other business functionality requirements.
BUSINESS PROCESSES AND APPLICATION CONTROLS
Business Process controls are activities designed to achieve the broad range of management objectives for the process as a whole. Application Controls, on the other hand, are the sub-set of Business Process controls that relate specifically to the applications and related information used to enable those business processes.
Business Risks and Information Processing
Automated solutions can be much more reliable than manual procedures, but this will be the case only if the key risks within the automated solutions have been identified and appropriate controls have been implemented. Examples of some key information-related risks and information processing-related risks include:
Incomplete and/or inaccurate information processing: This risk relates to errors that may be made during the collection, input or processing of information.
Invalid or unauthorized transactions being processed: While the previous risk relates to errors that may be made relative to processing legitimate business transactions, this risk relates to the risk of erroneous or illegitimate transactions being processed.
Unauthorized changes to standing data: This is the risk of unauthorized changes to information subsequent to processing by the system.
Bypasses, overrides, manual entries that circumvent controls: This is the risk of misuse of bypasses, overrides or manual entries to avoid automated Application Controls (these functions are inherent in most, if not all, application systems).
Inefficiencies: Risk relates to incurring unnecessary cost or delays during collection, input, processing, output or transfer of information.
Loss of confidentiality: This risk relates to the inadvertent or intentional disclosure of information that has been identified by management to be sensitive or confidential (such as for business or regulatory compliance reasons).
Unavailability of information: Information is not available when required, causing unnecessary processing delays and inability to make appropriate decisions.
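To make the prevent-versus-detect choice and the risk list above concrete, here is an added example (not from the chart-book) that runs a constructed batch of payment transactions through a preventive control (validation before posting: valid accounts, positive amounts, independent approval above a limit) and then two detective controls (batch totals for completeness, and a report of transactions posted with an override flag, which the page names as a bypass risk). The account numbers, approval limit and transactions are assumptions.

```python
"""Preventive and detective application controls over a transaction batch
(added example; accounts, limits and transactions are constructed)."""

APPROVAL_LIMIT = 10_000                      # hypothetical: above this a second person must approve
VALID_ACCOUNTS = {"1001", "1002", "2001"}    # constructed chart of accounts


def validate(txn):
    """Preventive control: reasons to reject a transaction before it is processed.
    An empty list means the transaction is accepted."""
    reasons = []
    if txn.get("debit") not in VALID_ACCOUNTS or txn.get("credit") not in VALID_ACCOUNTS:
        reasons.append("invalid account")                        # validity of input
    amount = txn.get("amount")
    if not isinstance(amount, (int, float)) or amount <= 0:
        reasons.append("amount must be positive")                # accuracy of input
    elif amount > APPROVAL_LIMIT and txn.get("approver") in (None, txn.get("entered_by")):
        reasons.append("needs independent approval")             # authorization / segregation of duties
    return reasons


def process_batch(batch, control_total, control_count):
    """Apply the preventive control, then the detective ones: agreement of posted
    totals with the batch control totals, and a list of overrides for review."""
    accepted, rejected = [], []
    for txn in batch:
        (rejected if validate(txn) else accepted).append(txn)
    posted_total = sum(t["amount"] for t in accepted)
    return {
        "posted": [t["id"] for t in accepted],
        "rejected": {t["id"]: validate(t) for t in rejected},
        "totals_agree": posted_total == control_total and len(accepted) == control_count,
        "overrides_to_review": [t["id"] for t in accepted if t.get("override")],
    }


SAMPLE_BATCH = [  # constructed
    {"id": "T1", "debit": "1001", "credit": "2001", "amount": 500, "entered_by": "u1"},
    {"id": "T2", "debit": "1001", "credit": "9999", "amount": 20, "entered_by": "u1"},
    {"id": "T3", "debit": "1002", "credit": "2001", "amount": 25_000, "entered_by": "u2", "approver": "u2"},
    {"id": "T4", "debit": "1002", "credit": "2001", "amount": 25_000, "entered_by": "u2", "approver": "u3"},
    {"id": "T5", "debit": "2001", "credit": "1001", "amount": 75, "entered_by": "u1", "override": True},
]

if __name__ == "__main__":
    # The control totals would normally come from the batch header prepared by the business user.
    print(process_batch(SAMPLE_BATCH, control_total=25_575, control_count=3))
```

T3 illustrates the authorization risk (the enterer approved their own large payment) and is stopped by the preventive control; T5 is allowed through but surfaces in the override report, which is the detective control for the bypass risk described above.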
Control criteria:
Management assertion on internal controls: assertion by management to shareholders and capital markets that internal controls over financial reporting are appropriately designed and are operating effectively, based on an internal control framework such as COSO.
CIO "sub-certification" to the Chief Financial Officer (CFO)/CEO: "certification" by the CIO that controls relevant to financial reporting are appropriately designed, in accordance with COBIT.
Detection Risk
The risk of incorrect conclusions being drawn by an assurance provider regarding material misstatements in the subject matter is known as detection risk. It is affected by the risk of material error or control failure and the risk that the assurance provider will not detect these errors or control failures. The risk of material error has two components:
Module - 4 Information Systems Operations and Management Chapter 1 Information Systems Management
Roles & Responsibilities:
Every task in an organisation is divided into processes & each process owner has a specific job to perform.
User Data: The term user data explains the position of the data in the data hierarchy of the organisation.
Data/Information Owner: Responsible for the protection, classification, backup strategies and for use of this information. They ensure that security controls have been implemented in accordance with the information classification.
Data Custodian: Responsible for storing, maintaining, backup, provisioning and protecting the data on behalf of the Data Owner.
System Owner: The person responsible for design, development, integration, operation and maintenance of this equipment is called the System Owner. It also ensures that adequate security is built in once the applications and systems have been acquired and are ready for use in the production department.
System Administrator: Responsible for creating new system user accounts and changing permissions of existing user accounts.
Database Administrator: A technical expert who maintains the database and provides all due care to ensure data security and data integrity.
Network Administrator: Responsible for installing, supporting, maintaining and upgrading computer networks to keep the computer networks up and running.
Process Owner: Responsible for effective and efficient working of one or more processes, each of which may process and store data owned by different information owners.
User Manager: User managers have ultimate responsibility for all user IDs and information assets owned by company employees.
Steering Committee: Ensures that all stakeholders impacted by security considerations are involved in the Information Security Management process.
Security Manager: Responsible for implementing Information and Cyber Security & defining the security strategy and policies for an organisation.
CISO: Responsible for Information and Cyber Security and data privacy of the organisation.
CIO: Responsible for digital initiatives of the organisation.
CTO: Responsible for Information and Communication Technologies (infrastructure) of an organisation.
Human Resource Management
Human Resource Management (HRM) is the management of personnel in an organisation. The role of HRM in Information and Cyber Security is three-fold, as per ISO 27001, and is given below –
Prior to employment: Background checking of personnel before employment and defining functional and Information and Cyber Security related terms of employment.
During employment: Information Security awareness, education and training apart from functional training. Rewarding or penalising for security breach.
Termination or change of employment: Information Security related checks during exit of employees; terms & conditions in respect of Information Security shall continue after employee exit as well.
Training & Education
Instruction Led Training: Traditional type of employee training which takes place in a classroom with a trainer in the role of a teacher.
E-Learning: On-demand Computer Based Training (CBT) given through videos, presentations, tests and various courses.
Simulation Based Training: Training provided through computer software on a virtual reality device. This type of training is available for highly skilled sectors such as aviation, energy and power.
Hands on Training: A student is given actual equipment or a system, which can be used to become familiar with it.
Coaching or Mentoring: A trainer gives personal attention to students and guides them to enhance their skills.
Group Discussions: A trainer gives a case study to a group of students and asks them to discuss the case in the group, and observes the performance of the groups.
Role Playing: A trainer assigns roles to students by providing a real-life situation, asks them to perform these roles, observes the roles played and then the group discusses, deliberates and learns the subject.
Management Specific Activities: Training for finding managerial and leadership qualities, behavioural skills and project management skills in students.
Supply Chain Management (SCM)
Management of the entire chain of producing finished goods from raw materials. Information Systems brought dramatic changes in the way in which SCM was managed prior to Information Systems. These are listed below –
E-Commerce, Electronic Data Interchange (EDI), Barcode Scanning, Data Warehouse, Enterprise Resource Planning (ERP), Internet Technologies, Mobile Communications, Payment Gateways, Fin-Techs, Software & Applications.
Customer Relationship Management (CRM)
Helps in delivering value by meeting exact customer needs regarding quality, price, pre- and post-sales support etc. Information Systems have made substantial progress in satisfying customer needs, through –
E-Commerce, Data Warehouse, Enterprise Resource Planning, Internet Technologies, Payment Gateways, Software & Applications, Data Mining, Artificial Intelligence, Business Analytics.
Issues and Challenges of Information Systems Management
1. New Technology: Technology is changing double fold.
2. Personal Devices: Due to portable and hand-held devices, organisations find it difficult to control the use of such devices.
3. Interoperability: Challenges of managing interoperability with existing or legacy systems.
4. User Systems: Security hazards such as data leakage through alternative connectivity.
5. Cyber Security Threats: Weak security policies & procedures, lack of standardisation, lack of proper control & user training about security are the reasons for cyber security threats.
6. Data Control: To overcome challenges like data corruption, data unavailability, data leakage, data theft and data privacy, proper cyber security measures such as Data Leakage Protection (DLP) solutions need to be implemented.
7. Trained Manpower: Providing training on the latest technology for the work-force involves heavy costs, and difficulties are also faced in retaining a trained work-force.
8. Management Support: Providing senior management support for monitoring and supervisory responsibilities.
9. Service Level Agreements: Clear scope of service, metrics measurement, responsibilities etc.
10. Fourth Party Risk: Risks of data leakage, data privacy, non-compliance to the regulatory guidelines etc. (Diagram: Outsourced Vendors → IT Department (Vendors) → Manufacturing Department (Customer), within the organisation.)
Chapter 2 Information Systems Operations Module - 4 Information Systems Operations and Management
CHAPTER 2:
INFORMATION SYSTEMS OPERATIONS
Information Systems Operations
An operation is a procedure to set forth or produce a desired result. Operations totally depend on the business and its objectives. Information systems operations, in this regard, are –
1. Procurement of IT Systems
2. Service to the Information Systems users
3. Data Operations Management
4. Server Administration
5. Configuration Management
6. Security Operations
7. Log Management
8. Application and Operating System Support
It is worth mentioning here that the IT function should be capable of handling the IT operations and be able to assess the users' requirements. Seven areas of interest, centred on the users' requirements, need to be met –
1. Availability of IT manpower
2. Approved policies, standards, procedures and guidelines
3. Mix of domain and technical experts
4. Sustained training programs
5. Cyber Security
6. Data Privacy
7. Management support
Asset Management
• Control and protection of the hardware & software IT assets, like installation of operating system, applications, network infrastructure like cabling, Ethernet switches, routers and cyber security equipment such as antivirus, firewall, IPS/IDS (Intrusion Protection System, Intrusion Detection System) and SIEM (Security Incident and Event Management System) tools etc.
• For better monitoring and tracking of IT assets, it is very important for the IT head and respective administrators to continuously scrutinise and supervise various process requirements in the organisation.
The IT head needs to continuously scrutinise and supervise the following processes:
• Upgrading existing infrastructure
• Procurement of new devices and software
• Phasing out legacy hardware or software
• Licensing of software
• Declaring and disposing of e-waste
• Development of software (either in-house or outsourced)
IT asset management methodology
IT assets can be managed through the process of IT asset management as follows –
• With the concept of stores (physical or virtual).
• Tracing system for assets using RFID.
• Policy for life of the equipment.
• Concept of check-in and check-out of an asset from the asset inventory.
• Accountability for asset acquisition.
Benefits of IT asset management
• Proper risk assessment & management of assets is possible.
• Proper decision making is possible.
• Asset tracking, monitoring and control.
• Proper audit is possible.
• Dealing with the asset lifecycle.
Change Management
• Procure new hardware and/or software or make necessary changes to existing infrastructure.
• Manage changes with minimum cost, minimum business disruption and good quality.
Change management process:
Change Management results in efficient changes, with proper documentation and continued stability of operations.
Configuration Management
Configuration management is planning, identifying, and managing the configuration with proper procedure and controlled changes, so as to maintain authenticity, accountability and integrity throughout the life cycle of the hardware, firmware (in-built into hardware) or software.
To make configuration management successful, it is important for the organisation to implement the following practices -
Practices for Configuration Management
i. Policy, standards, procedures and guidelines.
ii. Formation of a change control board.
iii. Documentation.
iv. Pre-launch testing.
v. Proper training and skills upgradation of personnel.
vi. Timeliness.
vii. Clear scope of work.
viii. Optimisation.
Configuration Management Constraints
• Lack of IT manpower.
• Absence of a change control board.
• Absence of policy, procedures and guidelines.
• Poor quality of the configuration.
• Incomplete, poor or absent scope of work.
• Delayed responses.
• No pre-launch testing.
• No fund availability from the organisation.
Configuration Management Process
The configuration management process in an organisation is generally based on industry best practice. Adherence to policies, standards, guidelines and procedures aligns the configuration management process with the objectives of the IT department, which in turn are aligned to the objectives of the organisation. The configuration management process is explained as follows -
1. Configuration Items (CI)
The IT department identifies the Configuration Items required to be configured as per the Configuration Management Policy of the organisation.
• Devices and software that need to be configured
• Present versions
• Test bed for testing configuration changes
• Tools & techniques
2. Configuration Control
Configuration control is the term used throughout the lifecycle of any hardware or software configuration change management. Configuration control refers to the following -
i. Description of change/s
ii. Approver authority
iii. Resources, funds and prescribed downtime
iv. Change in scope of work
v. Quality assurance
vi. Time frame
3. Configuration Status Accounting (CSA)
CSA is more about documentation and communication of information in the form of status reports, needed to control and monitor configuration. It may be used for the following -
i. Operations & Maintenance team
ii. Security Operations Centre team
iii. Information about the latest version or configuration
iv. Project or Program Management team
v. Audit team
vi. Software developer and software testing team
4. Configuration Auditing
Configuration auditing is used to provide quality assurance for the configuration changes done.
5. Locking the Configuration
Once the configuration is finalised, to avoid unauthorised changes, the configuration can be locked.
Version Control
Due to changes in hardware or software, a different release or version of the system comes into existence. If changes are frequent, such as 10-15 changes a week, then it is necessary to keep track of new releases or versions. This is done through Version Control. Characteristics of a version are version number, date, included and excluded features.
VCS provides assistance to the IT team with the following -
• Repository of the contents
• Record of previous versions
• Provide access to older versions
• Maintaining logs for accounting and details of changes
Benefits of a good VCS are -
• Remote team coordination in development
• Improvement in scalability (growth of system)
• Fast, efficient and reliable
• Integrity in version is maintained
• Improved accountability
• Immutability (locking of version)
• Atomic transactions (atomic – lowest possible unit)
Log Management
A log is a record of the events generated from computers, peripherals, communication networks, firewalls, IPS/IDS, UTMs etc.
Logs provide the following details –
• Date of event
• Time of event
• Details of the user responsible for the event
• Action details of the user
Log management involves –
• Identification of log events to be recorded
• Log collection – collecting events in a log file
• Log aggregation
• Storage of aggregated logs
• Analysis & reporting
User Management
User management requires creating a user profile, user account setup, user account modification, account termination (suspension) and deleting a user profile on the Information System (IS) of the organisation.
1. Creation of User Profile
The HR department creates an employee's user profile upon joining the company. After induction training, the head of the department assigns a role and provides a computer to perform the job responsibilities. The employee logs into the system using their assigned role.
A user profile contains information such as name of the user, department, email address, intercom number or mobile number, Active Directory & computer name as per Active Directory.
2. User Account Types
a. User account
b. Guest account
c. Super user account
d. Database account
e. Network user account
f. Network directory account
g. Internet access account
h. Email account
i. Biometric access account
j. ERP or other application account
2.1 A user account has the following information
a. User name
b. Password
c. Mobile number
d. Department code
e. Network/cloud drive associated
2.2 Benefits
• Improved user management, access controls, integration of systems, performance, accountability, authenticity, authorisation & security.
• Helpdesk setup is easier - either online or offline.
3. Account Modification
Account modification may be requested by a user to the IT department through user management. Depending upon the change of role of a user, transfer of an employee or promotion of an employee, changes are required in the account profile. Two types of account modification are described as follows –
3.1 By the Administrator
The user department administrator modifies the account for the following -
a. Department code
b. Authorisation
c. Drive mapping
d. Transfer of account from one office location to another
3.2 By the User
A user may change certain information related to his/her account as detailed below –
a. Password
b. Other demographic details such as contact address, mobile phone etc.
4. Account Termination
A user account is terminated by the IT department only when the request is approved and sent by the Human Resource department, and not by the employee's parent department. The account termination request sent by the Human Resource department for the employee is based on the following –
a. Termination of the employee
b. Resignation of the employee
c. Employee on deputation
d. Employee seriously ill and on long medical leave
e. Death of the employee
5. Deleting User Profile
A user profile is deleted by the IT department on the request sent by the Human Resource department. The request may be based on the following –
a. Termination of the employee
b. Resignation of the employee
c. Death of the employee
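The log management steps listed above (identification, collection, aggregation, storage, analysis & reporting) as an added example; this is not the chart-book's own material. All log lines, hosts, users and formats are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources in different native formats
# (assumed formats; not real device output).
FIREWALL_LOG = """\
2024-03-05 09:00:01 fw01 DENY src=10.0.0.7 dst=10.0.1.5 user=bob action=login_failed
2024-03-05 09:00:09 fw01 DENY src=10.0.0.7 dst=10.0.1.5 user=bob action=login_failed
2024-03-05 09:00:15 fw01 ALLOW src=10.0.0.8 dst=10.0.1.5 user=alice action=login_ok
"""
SERVER_LOG = """\
Mar 05 09:00:20 app01 auth[412]: FAILED login for bob from 10.0.0.7
Mar 05 09:00:31 app01 auth[412]: FAILED login for bob from 10.0.0.7
Mar 05 09:30:00 app01 auth[412]: FAILED login for carol from 10.0.0.9
"""

# Identification: only lines that carry date, time, user and action are recorded.
FW_RE = re.compile(r"^(\S+ \S+) (\S+) \w+ .*user=(\w+) action=(\w+)")
SRV_RE = re.compile(
    r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) auth\[\d+\]: (FAILED|OK) login for (\w+)")


def parse_firewall(text):
    """Collection step for the firewall format: one normalised event per line."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, host, user, action = m.groups()
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "host": host, "user": user, "action": action})
    return events


def parse_server(text, year=2024):
    """Collection step for the syslog-style server format (year is assumed)."""
    events = []
    for line in text.splitlines():
        m = SRV_RE.match(line)
        if m:
            ts, host, result, user = m.groups()
            events.append({"ts": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
                           "host": host, "user": user,
                           "action": "login_failed" if result == "FAILED" else "login_ok"})
    return events


def aggregate(*sources):
    """Aggregation: merge events from all sources into one time-ordered store."""
    merged = [e for src in sources for e in src]
    merged.sort(key=lambda e: e["ts"])
    return merged


def failed_logins_per_user(events):
    """Reporting: count of failed logins per user across all sources."""
    return Counter(e["user"] for e in events if e["action"] == "login_failed")


def report_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Analysis: users with at least `threshold` failures inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:  # events are already time-ordered by aggregate()
        if e["action"] == "login_failed":
            by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged


if __name__ == "__main__":
    store = aggregate(parse_firewall(FIREWALL_LOG), parse_server(SERVER_LOG))
    print(failed_logins_per_user(store))   # Counter({'bob': 4, 'carol': 1})
    print(report_brute_force(store))       # {'bob': 3}
```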
Operation Helpdesk & User Assistance
Help desk is a resource intensive function implemented by the IT department to support users in using Information Systems.
IT department caters to users with various services such as –
a. Email
b. Internet
c. ERP
d. Database Management System
e. Active Directory
f. PC Desktop and Peripherals
g. Software
h. Network
Help desk personnel can be contacted by the user in the following manners –
a. Intercom
b. Call Centre
c. Email
d. Chatting
e. Video Conferencing
f. Messenger Chatting
g. Physically attending the user
Helpdesk personnel help the user with various hurdles related to the Information Systems and try to resolve them, as given below –
a. Password reset
b. Software related issues
c. Drive related issues
d. Network related issues
e. Database related issues
f. Email related issues
g. Internet related issues
Levels of Help desk support -
The following types of help desk support categories are available, either through a call centre or an in-house help desk facility -
Level 0 Helpdesk -
Mostly, Level 0 support is automated and self-service type of support, wherein a user can solve the problem him/herself. Self-services such as password resetting fall in this category of help desk.
Level 1 Helpdesk -
Level 1 support is given for other basic services such as configuration changes and troubleshooting. Users can talk to helpdesk personnel about issues such as password reset support and email support. If helpdesk personnel are unable to resolve the issue, then the issue is escalated to the next level, i.e. Level 2. Level 1 support is considered as "first aid" support.
Level 2 Helpdesk -
Level 2 support is provided by supervisory staff of Level 1 personnel, for escalated issues such as advanced troubleshooting and installation of computing devices or software.
Level 3 Helpdesk -
Level 3 support is the next level of advanced troubleshooting. If an incident is not solved and gets elevated to this level, it is considered as a "Problem" and resolution may require substantial changes to the system. The change management process may be invoked for this level of support.
Level 4 Helpdesk -
Level 4 support is generally given by the device manufacturer or system developer. If an issue has come to this level, it may be required to be resolved by launching a new release or version of the device or product.
Operations Performance Measurement
Some important operations performance metrics are as follows –
Availability
Availability is the measurement of continued operation of an Information System for a user. Mean Time Between Failure (MTBF) over a period of time is the metric of IS system availability. It measures the system performance and serviceability to the users of an organisation.
Incident
An incident is a deviation from the normal operations of an IS system. Any incident that occurs needs remedial action to restore the operations of the IS system. The restoration time of the system, including the incident period, is the measure of downtime of the system.
Quality
Quality of an IS system is a measure of the intended performance in the intended time at the intended place.
Productivity
IS system productivity is a measure of the rate of doing work of a resource such as a system or a human resource. This needs to be measured in combination with quality.
Return on Investment (ROI)
Return on Investment (ROI) measures the gain or loss generated on an investment relative to the amount of money invested. ROI is usually expressed as a percentage.
Value Creation
If a system provides the desired functioning and is cost effective with the desired productivity and quality, then the system is said to be creating "value" for its users.
Module - 4 Information Systems Operations and Management Chapter 3 Soware Operations & Management
CHAPTER 3:
SOFTWARE OPERATIONS & MANAGEMENT
Introduction to Software Infrastructure
Manual Testing: Tester performs these tests on a test site by preparing test cases and test data. Results of the test are documented and undesired functioning is reported to developers (e.g. defects, bugs, invalid cases etc).
Automation Testing: Automation tools such as Selenium, HP-UFT and Ranorex etc. are available to test software, generally for modern web-based systems.
Hybrid Testing: Human perspective is tested during manual testing, whereas automated testing is used for cumbersome tests, e.g. performance testing with large data.
White Box Testing: The tester, who is knowledgeable about the internal working of the software, performs the testing.
Black Box Testing: Functional testing; the tester does not know the internal structure of the software. The tester submits input to the software and expects the specified output.
Grey Box Testing: Performs both Black Box and, to some extent (not fully), White Box testing.
Unit Testing: Each program (unit) is tested, performed by the developer him/herself.
Integration/Interface Testing: Top Down Approach, Bottom Up Approach, Sandwich Approach: start at the top or bottom level and depending on the situation move downward or upward.
System Testing: Technical performance, volume of data etc.
User Acceptance Testing (UAT): The user department, for which the software is developed, is given the software on a test site for user-level testing.
Software Maintenance
Software maintenance is any change done to a software after it is in operation: error corrections, alteration, deletion, performance optimisation, security patch updates.
System Architecture
User → Presentation tier / public facing tier (Web Server) → Business tier or logic tier (Application Server) → Data tier (Database Server), connected over a network.
DBMS - Database Management System
Data: Facts and figures about a situation. Data needs to be processed with a program (processing instructions) to get meaningful information.
Entity
Person entity: Employee, student, patient
Place entity: State, region, branch etc
Object entity: Machine, Building, Automobile etc
Event entity: Sale, Registration, Renewal etc.
Concept entity: Account, Course, Work Centre, Desk
Type of Database: Object oriented, Relational, Network, Hierarchical. RDBMS is the most widely used.
Sequential Query Language (SQL) Components
Data Definition Language: DDL – Create table, Drop table, Alter table
Data Manipulation Language: DML – 4 commands: Insert, Update, Delete, Select records in a table
Data Control Language: DCL – Grant access or Revoke access
Schema
Physical Schema: Design of data stored in the database on a secondary storage.
Conceptual Schema: Logical design of the database into rows and columns, mapped to the physical schema; used by database designers, DBAs and programmers in software development.
External Schema: The user views the database at user level; used to interact with the users.
Security
Multiple views, key reference, ACID test, data integrity.
Other related security controls:
i. Strong and multifactor authentication
ii. Segregation of web server and RDBMS server
iii. Encrypted data in database
iv. Use of Web Application Firewall
v. Patching
vi. Audit logging
RDBMS Table: Rows (tuples) and columns.
Relation: A relation is shown through one or more tables.
Metadata: Data about data, similar to the index of a book.
DBMS views: Developers ensure name dependent, content dependent and context dependent controls through views.
Keys
Primary Key: Column/s which can uniquely identify a record (tuple) in a database table. No two rows have the same primary key. A primary key cannot be null.
Foreign Key: A column in a table which is the primary key of another table. This is the basis for "Referential Integrity" between the two tables. If a link (referential link) is established, the primary key cannot be deleted or modified.
Multiuser and Concurrent Access
Concurrency controls (such as ACID transactions) need to be ensured so that transactions are properly updated in database tables.
ACID Properties: A is Atomicity, C is Consistency, I is Isolation and D is Durability.
Atomicity: "Either a transaction is completed or not done at all". A business transaction has one or more debits and one or more credits. The transaction should be defined in such a way that both the debit/s and credit/s are completed or none takes place.
Consistency: The transaction should be defined in such a way that it leaves the database in a consistent state.
Isolation: RDBMS supports transactions of many users at the same time. A transaction should be defined in such a way that another transaction does not have an effect on any other transaction.
Durability: Longevity of the transaction; once it is committed, i.e. completed and saved, it is written to persistent storage, i.e. secondary storage or hard disk.
Data Integrity: Maintained by programming various constraints applied to data, e.g. a "check" constraint on an age column can be set to 18 to 60 years.
Isolation of data and application: Data isolation is possible in an RDBMS because the conceptual (logical) schema cannot be seen by the database designer, DBA or programmer. It is internally mapped to the physical schema by the RDBMS software.
Normalization: Record-design technique developed by Dr Codd to avoid certain design anomalies. Process of breaking down a table into more tables until the other columns in the table are dependent only on the key column/s of the table.
Transaction: A transaction is a unit of work done on a database. Inserting a record in a table is an "Insert" transaction.
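The atomicity, check-constraint and referential-integrity points above, shown as an added example using Python's built-in sqlite3 module (this is not code from the chart-book). The ledger tables, customer names, account numbers and balances are constructed for illustration.

```python
import sqlite3


def open_ledger():
    """Constructed schema: primary keys, a CHECK constraint on age (18 to 60,
    as in the text), a non-negative balance check, and a foreign key from
    account to customer that gives referential integrity."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FKs only when asked
    conn.executescript("""
        CREATE TABLE customer (
            cust_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            age     INTEGER CHECK (age BETWEEN 18 AND 60)
        );
        CREATE TABLE account (
            acct_no INTEGER PRIMARY KEY,
            cust_id INTEGER NOT NULL REFERENCES customer(cust_id),
            balance INTEGER NOT NULL CHECK (balance >= 0)
        );
        INSERT INTO customer VALUES (1, 'Asha', 34), (2, 'Ravi', 45);
        INSERT INTO account VALUES (101, 1, 500), (102, 2, 200);
    """)
    conn.commit()
    return conn


def transfer(conn, src, dst, amount):
    """Atomicity: the credit and the debit succeed together or not at all.
    The credit is applied first so that a failing debit visibly undoes it."""
    try:
        with conn:  # commits on success, rolls back on any exception
            conn.execute("UPDATE account SET balance = balance + ? WHERE acct_no = ?",
                         (amount, dst))
            conn.execute("UPDATE account SET balance = balance - ? WHERE acct_no = ?",
                         (amount, src))  # CHECK (balance >= 0) may reject this
        return True
    except sqlite3.IntegrityError:
        return False


def balance(conn, acct_no):
    return conn.execute("SELECT balance FROM account WHERE acct_no = ?",
                        (acct_no,)).fetchone()[0]


def add_customer(conn, cust_id, name, age):
    """Data integrity: the CHECK constraint rejects out-of-range ages."""
    try:
        with conn:
            conn.execute("INSERT INTO customer VALUES (?, ?, ?)", (cust_id, name, age))
        return True
    except sqlite3.IntegrityError:
        return False


def delete_customer(conn, cust_id):
    """Referential integrity: a primary key that a foreign key still
    references cannot be deleted."""
    try:
        with conn:
            conn.execute("DELETE FROM customer WHERE cust_id = ?", (cust_id,))
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = open_ledger()
    print(transfer(db, 101, 102, 300), balance(db, 101), balance(db, 102))  # True 200 500
    print(transfer(db, 101, 102, 300), balance(db, 101), balance(db, 102))  # False 200 500
    print(add_customer(db, 3, "Meena", 17), delete_customer(db, 1))          # False False
```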
Network Services
Interconnected Computers
Local Area Network (LAN): A room or a building.
Wide Area Network (WAN): Different geographic areas; requires the services of a network service provider.
Metropolitan Area Network (MAN): A metropolitan area such as a city; requires the services of a network service provider.
Personal Area Network (PAN): Personal workspace.
Storage Area Network (SAN): Storing large amounts of data.
Virtual Private Network (VPN).
TCP/IP (DARPA) Network Services (compared with the ISO OSI layers)
The TCP/IP protocol is given in the following –
A user submits his/her data to be sent to another connected computer.
Application Layer: The data is taken and broken down into packets by the Application Layer of TCP/IP.
Transport Layer: The TCP layer assures data delivery to the final receiver by taking acknowledgement of each data packet.
Internet Layer: The Internet Layer (IP and other routing protocols) provides a correct path to the packets by routing them through a network of devices such as switches, routers, servers etc.
Link Layer: The Link Layer converts the packets into bits and puts them on wire (copper wire or fibre optic etc) or through air, by using the Ethernet protocol.
When the packets finally reach the destination, they are assembled back into data and are given to the application software of the final receiver. The packets go through the reverse journey from Link Layer to IP to TCP and then to the Application Layer.
Backup Strategies
Backup Considerations
1. Backup Policy: Organisations should establish a backup policy for guiding the IT department and users, and define the retention period of the backup data. To implement the policy, management needs to develop backup procedures as well.
2. What to Backup: Decide which data should be backed up. E.g. e-commerce data, financial data, employees' data, email data, data of various applications, system logs and system configuration files etc. are critical in nature and need to be backed up on a priority basis.
3. Backup Frequency: Critical data may be backed up every day, every hour or immediately (known as mirroring of data).
4. Backup Storage Location: Stored safely and securely, preferably at a separate geographic location. Another copy of the backup can be kept near the primary site, so that if needed it can be easily procured.
5. Backup Retention Period: The backup policy decides how long backup/s should be retained.
6. Testing: Backups should be tested regularly so that when needed they can be correctly restored. Organisations set up separate systems for restoring backup data and testing it for correctness of restoration.
7. Training: Not all data will be backed up by the IT Department. Users may have their important data stored on their laptops or desktops. It is the user's responsibility to back up this data. Therefore, adequate training must be provided to the users about the backup policy and backup system. IT personnel also need training on the backup policy and backup procedures.
8. Tape Control: Many organisations use magnetic tapes for backing up data and may require a tape library management system. This system allows automated tape backup, management and restoration of data on tapes.
Backup Methods
1. Full Backup: A full database backup is taken every time irrespective of earlier backups. It requires more time and storage than other backup types.
2. Incremental Backup: Backup of the changes only made to the data since the previous backup. Every incremental backup is stored on the media as separate data. Incremental backup is the fastest & requires the least storage amongst all of the backup methods.
3. Differential Backup: Backup is taken of all the changes that happened after the last full backup. It requires more time & storage than an incremental backup but less than a full backup.
4. Virtual Full Backups: A synchronised backup, wherein the first time a full backup is taken and subsequently, whenever a change takes place, the backup is synchronised for the changes.
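The three backup methods above as an added simulation (not the chart-book's material): it shows why incremental uses the least storage but needs the longest restore chain, while differential sits in between. File names, sizes and the four-day change scenario are constructed; deletions are not modelled.

```python
def take_backup(method, files, history):
    """Append one backup to `history`. `files` maps name -> (version, size)
    and is the live state; each backup records the state it saw and the
    files it actually copied. Constructed model; not a real backup tool."""
    if method == "full" or not history:
        kind, copied = "full", dict(files)
    elif method == "incremental":
        base = history[-1]["state"]          # changes since the previous backup
        kind = "incremental"
        copied = {n: v for n, v in files.items() if base.get(n) != v}
    elif method == "differential":
        base = last_full(history)["state"]   # changes since the last full backup
        kind = "differential"
        copied = {n: v for n, v in files.items() if base.get(n) != v}
    else:
        raise ValueError(f"unknown method {method!r}")
    history.append({"kind": kind, "state": dict(files), "files": copied})
    return copied


def last_full(history):
    return next(b for b in reversed(history) if b["kind"] == "full")


def restore_chain(history):
    """Backups needed to rebuild the latest state: the last full backup plus,
    for incrementals, every later one; for differentials, only the latest."""
    i = len(history) - 1
    while history[i]["kind"] != "full":
        i -= 1
    chain = [history[i]]
    later = history[i + 1:]
    if later:
        if later[-1]["kind"] == "differential":
            chain.append(later[-1])
        else:
            chain.extend(later)
    return chain


def restore(history):
    """Apply the chain in order; later copies overwrite earlier ones."""
    state = {}
    for b in restore_chain(history):
        state.update(b["files"])
    return state


def storage_used(history):
    """Total bytes written to backup media across all backups taken."""
    return sum(size for b in history for (_, size) in b["files"].values())


def simulate(method):
    """Constructed four-day scenario: three files, one changed per day."""
    files = {"A": (1, 100), "B": (1, 50), "C": (1, 80)}   # name -> (version, size)
    daily_changes = [{}, {"A": (2, 100)}, {"B": (3, 60)}, {"A": (4, 120)}]
    history = []
    for changes in daily_changes:
        files.update(changes)
        take_backup(method, files, history)
    return {"storage": storage_used(history),
            "chain": len(restore_chain(history)),
            "restored": restore(history)}


if __name__ == "__main__":
    for m in ("full", "incremental", "differential"):
        r = simulate(m)
        print(m, r["storage"], r["chain"])   # full 960 1 / incremental 510 4 / differential 670 2
```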
Patch Management
Part of software maintenance:
1. Acquiring the patch from the vendor or a vendor approved agency, 2. Testing the patch on a test site, 3. Installing the patch, 4. Reporting about the update, 5. Audit of the patch
Characteristics
Sound Policy and Procedure.
Patch Scanner: Finds out missing patches and generates a report for review by the IT team.
Efficient Patch Deployment: Patches are tested in a test environment before they can be applied on production site/s. Patching desktops and laptops can be done efficiently through Active Directory.
Review & Report: Comparison between the patch scanner report and the patch testing report. Review of these reports indicates the benefits of the patches installed.
Benefits
Risk Mitigation: A patch mitigates security risks related to viruses, Trojans and other security flaws which were inadvertently present in the software. Software developers are continuously improving their software for functionality, security and bug removal.
Compliance to Standards: Updating the software of a system with the latest patches is now becoming a compliance requirement.
Software Integrity: Software may incorporate new technology features.
System Productivity with Latest Features: Improves the productivity of a system, since it improves usage of new features which are provided by software developers.
CHAPTER 4:
INCIDENT RESPONSE AND MANAGEMENT
Incident Handling & Response
An incident is defined as a deviation from the normal operation of a process. There are many incidents such as – cyber attack by hackers, breach in cyber security, attack on National Critical Infrastructure, virus or malware induction, hacking & Advanced Persistent Threat, misconfiguration of system, software malfunction & human error in the IT department.
Organisations need to prepare themselves for handling and responding to these incidents. Organisations need resources, planning and systematic preparation in this regard.
Organisations usually face a lot of challenges such as – identification of IT assets, identification of an incident, analysis of incidents, scanning through bulk information and logs, criteria for zeroing in on an incident, IT assets actually damaged due to the incident, loss of data, source of the incident, modus operandi, impact analysis, forensic investigation of the incident and collecting evidence, fixing the responsibility.
Incident Response Process
Security Operation Centre (SOC)
A SOC detects, alerts and responds to all the activities of the IS infrastructure.

[Diagram: SOC architecture. Monitoring agents on servers, databases and network equipment send logs and events to a collector; the SIEM tool (SEM and SIM components) correlates them with external intelligence (CERT-In, IB-CART) and a security database; alerts go to Level-1 (24x7 monitoring) and Level-2 (analysis), which turn alerts into incident reports for the incident team.]

SOC Characteristics
Policy, Standards and Guidelines: The organisation must have a sound policy related to the SOC and its activities.
Top management support: Top management should provide continuous support in terms of investment, resources and people to the SOC, and should meet the CISO at least once a quarter.
Investment: The SOC requires adequate investment for 24x7 operations. Investment may be for purchasing equipment, devices, software, etc. (Capex) and for day-to-day operational expenditure (Opex).
People: Two levels of employees. Level 1 monitors 24x7. Level 2 does deep analysis of alerts and incidents.
Process & Procedures: Documented procedures and guidelines for speedy identification and resolution of cyber security incidents.
Technology: Technology plays an important role in the operations of a SOC: log analysis, network analysis, monitoring, malware analysis, forensic analysis, cryptosystems, signature database updates, packet filtering, packet inspection, data analytics and reverse engineering systems. The following steps are taken to acquire the correct technology:
1. Preparing specifications for the technology by the SOC team.
2. Discussions with various vendors.
3. Getting POCs (Proof of Concept) from vendors.
4. Preparation of a feasibility study report by the SOC team.
5. Getting quotations/tenders from vendors based on an RFP.
6. Initiating the procurement process.
7. Finalising the vendor.
8. Purchase order (PO) to the vendor and getting confirmation.
9. Signing the contract with the vendor.
10. Implementation of the technology by the SOC team along with vendor experts.
11. Training provided by the vendor to the SOC.
Environment: The objectives of the SOC should align with business objectives.
Analytics & Reporting: Use data analytics to create insightful metrics and performance measures.
Physical Controls: The SOC should have general physical controls as well as SOC-specific physical controls. SOCs are usually housed in a separate physical space with no sign boards of the organisation.
Investigation.
Continuous Improvement: The SOC is always under continuous monitoring by the organisation for necessary improvements. The following actions should be taken for continuous improvement of the SOC:
1. Periodic assessment and upgrading of skills.
2. 360-degree feedback on the SOC from various stakeholders.
3. Lessons learned by the SOC team after every incident.
4. Augmentation of new technology as per need.
5. Budget provisions as needed.
6. Top management support.
SIEM Tool and its Utility
Deployment of a SIEM Tool: Scope of Work (SOW)
Operation:
• Continuous monitoring, detecting, alerting and responding to cyber-security incidents.
• The SIEM tool should enable the SOC to operate continuously, 24x7 throughout the year.
• Number of correlated files to be stored and kinds of reports to be provided.
• Use case details.
Security: The SIEM collects logs, arranges them in a common format, assesses them, correlates them and then develops the security posture of the IS infrastructure. The security posture is provided to the organisation's cyber security team as feedback.
Compliance: Auto-generated SIEM reports on the security posture of the organisation can be taken up for audits. For compliance purposes the auditee must ensure the following:
a. Asset list maintained in the company vis-a-vis the assets the SIEM is monitoring
b. Scope of work
c. Logs and events
d. SOC detailed processes
e. Security posture database
f. Reporting
g. Latency in conversion of an alert into an incident
SIEM Core: The SIEM core is the logic of the SIEM, composed of multiple software components. It handles the following areas:
1. Risk assessment for the IS infrastructure
2. Correlation of events collected by the collector with external intelligence
3. Any deviation in the normal operations of the IS infrastructure
4. Data mining and data analysis
5. Real-time monitoring and alerts
6. Cyber security posture
7. Correlated data for forensics and investigation
8. Reports
SIEM Tool Utility: A SIEM tool provides the following advantages:
a. Discover vulnerabilities
b. Uncover threats
c. Monitoring
d. Compliance
e. Security profile
f. Internal intelligence
g. Alerts
h. Reporting
i. Incident management
j. Forensic investigation
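The collect, normalise and correlate steps of the SIEM core, as an added example in Python (not code from the chart-book or from any SIEM product). The two log formats (an OpenSSH-style auth log and a key=value firewall log), the host names, the addresses and the log lines themselves are constructed for the example; the correlation rules (failed logins followed by a successful login from the same source, and one source dropped against several destinations on the same port) are assumed.

```python
"""Toy SIEM pipeline: collect raw logs from two sources, normalise them into a
common event schema, correlate related events and raise alerts.

Added example for this section. It is not code from the chart-book or from
any SIEM product; the log formats, host names and addresses are assumed and
the log lines are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw logs. Source 1: OpenSSH-style auth log; source 2: a
# firewall log in an assumed key=value format.
SSH_LOG = """\
Mar 10 09:00:01 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar 10 09:00:03 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar 10 09:00:05 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:00:06 web01 sshd[4412]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:00:09 web01 sshd[4412]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Mar 10 09:15:00 web01 sshd[4500]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
"""
FW_LOG = """\
2024-03-10T09:00:00Z fw01 DROP src=198.51.100.9 dst=10.0.0.20 dpt=3389
2024-03-10T09:00:01Z fw01 DROP src=198.51.100.9 dst=10.0.0.21 dpt=3389
2024-03-10T09:00:02Z fw01 DROP src=198.51.100.9 dst=10.0.0.22 dpt=3389
2024-03-10T09:00:02Z fw01 ACCEPT src=10.0.0.5 dst=10.0.0.20 dpt=443
"""

SSH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) \w+ for (\S+) from (\S+) port \d+")
FW_RE = re.compile(
    r"^(\S+) (\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dpt=(\d+)$")


def normalise(line, year=2024):
    """Collector step: map one raw line onto the common event schema
    {ts, host, src, type, ...}. Returns None for lines no parser understands."""
    m = SSH_RE.match(line)
    if m:
        # syslog timestamps carry no year; it is assumed here.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "src": m.group(5), "user": m.group(4),
                "type": "auth_ok" if m.group(3) == "Accepted" else "auth_fail",
                "source": "sshd"}
    m = FW_RE.match(line)
    if m:
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "host": m.group(2), "src": m.group(4), "dst": m.group(5),
                "dport": int(m.group(6)),
                "type": "fw_drop" if m.group(3) == "DROP" else "fw_accept",
                "source": "firewall"}
    return None


def correlate(events, window=timedelta(seconds=60), threshold=3):
    """SIEM core step: two correlation rules over the normalised events.
    Rule 1: >= threshold failed logins from one source followed by a
            successful login from the same source inside the window.
    Rule 2: one source dropped against >= threshold distinct destinations on
            the same port inside the window (a sweep)."""
    alerts = []
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    for src, evs in by_src.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        for ok in (e for e in evs if e["type"] == "auth_ok"):
            recent = [f for f in fails if ok["ts"] - window <= f["ts"] <= ok["ts"]]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_success", "src": src,
                               "host": ok["host"], "user": ok["user"],
                               "failures": len(recent), "ts": ok["ts"]})
                break  # one alert per source
        drops = [e for e in evs if e["type"] == "fw_drop"]
        for i, first in enumerate(drops):
            targets = {d["dst"] for d in drops[i:]
                       if d["dport"] == first["dport"] and d["ts"] - first["ts"] <= window}
            if len(targets) >= threshold:
                alerts.append({"rule": "port_sweep", "src": src, "dport": first["dport"],
                               "targets": sorted(targets), "ts": first["ts"]})
                break
    return alerts


def run_pipeline(raw_logs=(SSH_LOG, FW_LOG)):
    """Collect -> normalise -> correlate; returns (events, alerts, unparsed)."""
    events, unparsed = [], []
    for blob in raw_logs:
        for line in blob.splitlines():
            ev = normalise(line)
            if ev is None:
                unparsed.append(line)   # kept for review: a silent drop hides evidence
            else:
                events.append(ev)
    return events, correlate(events), unparsed


if __name__ == "__main__":
    evs, alerts, bad = run_pipeline()
    print(f"{len(evs)} events normalised, {len(bad)} unparsed")
    for a in alerts:
        print(a["ts"].isoformat(), a["rule"], a["src"], a.get("user") or a.get("dport"))
```

The point to take from the sample data is that neither source on its own is alarming: four failed logins is noise, and one accepted login is normal. Only after both are in one schema keyed on the source address does the sequence "four failures, then success, from 203.0.113.7 within 60 seconds" become an alert, and the audit questions listed above (are all assets feeding the collector, how long between alert and incident) decide whether that correlation can happen at all.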
Computer Emergency Response Team (CERT)
The first CERT was set up by the US government in 1988. The Government of India's CERT-In became operational in January 2004.
Section 70B of the IT Act (inserted by the 2008 amendment) establishes the Indian Computer Emergency Response Team to serve as the national agency for incident response:
• The Central Government appoints an agency called the Indian Computer Emergency Response Team.
• The Central Government shall provide the agency with a Director General and other officers and employees.
• The salary, allowances and terms and conditions of the Director General may be prescribed.
• CERT-In performs the following functions:
a. Collection, analysis and dissemination of information on cyber incidents
b. Forecasts and alerts of cyber security incidents
c. Emergency measures for handling cyber security incidents
d. Coordination of cyber incident response activities
e. Issue of guidelines and advisories relating to cyber incidents
• Any service provider or other person who fails to provide the information called for, or to comply with CERT-In's directions, is punishable with imprisonment of up to one year or a fine of up to one lakh rupees, or both.
Indian Banks – Centre for Analysis of Risks and Threats (IB-CART)
IB-CART was established in 2014 to address cybersecurity in the banking sector. It has a total of 90 users from over 60 public, private and foreign banks in India. The IB-CART advisory council has 9 members, with representation from public and private sector banks and CERT-In.
MODULE 5: PROTECTION OF INFORMATION ASSETS
CHAPTER 1:
INTRODUCTION TO PROTECTION OF INFORMATION ASSETS
Risk Response
Avoid: Respond by deciding not to use technology for the selected business operation.
Transfer: The organisation passes the responsibility of implementing controls to another entity; for example, insuring against financial losses by paying a suitable premium to an insurance company.
Accept: If the assessed risk is within the risk appetite, management may decide not to implement a control and to accept the risk.
Mitigate: Implement controls, incurring additional cost, to reduce the assessed impact and bring it within acceptable limits.

Information Security Objectives
Confidentiality: Preserves authorised restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity: Guards against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability: Ensures timely and reliable access to and use of information.

Threat Modeling Tools
Threat modeling is the process by which potential threats can be identified and enumerated, and mitigations prioritised. An attack vector is a path or means by which an attacker can gain unauthorised access to a computer or network to deliver a payload or malicious outcome.

OWASP
OWASP works to improve the security of software. The OWASP Top 10 is a standard awareness document for developers and web application security, globally recognised by developers as the first step towards more secure coding.

DREAD Model
Category | Description
D Damage potential | How much damage would the attack cause; how many assets can be affected?
R Reproducibility | How easily can the attack be reproduced?
E Exploitability | How easily can the attack be launched?
A Affected users | How many users would be affected?
D Discoverability | How easily can the vulnerability be found?

STRIDE Model
Threat | Desired property
S Spoofing (false identity) | Authenticity
T Tampering | Integrity
R Repudiation | Non-repudiation
I Information disclosure (leak of data) | Confidentiality
D Denial of service | Availability
E Elevation of privilege | Authorisation

Cyber/Computer Attacks
Backdoor: A bypass of normal authorised access. Backdoors are malicious programs that listen for commands on a certain TCP or UDP port and allow an attacker to perform a set of actions on a host, such as acquiring passwords or executing arbitrary commands. Controls: use of licensed software, patch updates, disabling default users and debugging functions, and use of anti-malware software.
Blue Jacking: Sending unsolicited messages over Bluetooth to Bluetooth-enabled devices. Turning off Bluetooth, selecting hidden (non-discoverable) mode, and ignoring and/or deleting the messages can prevent bluejacking.
Buffer Overflow: An anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory locations. Run-time protection features (such as stack canaries, non-executable memory and address space layout randomisation) are controls against buffer overflow.
Cyber Stalking: Use of the Internet or other electronic means to stalk or harass an individual, group or organisation. Maintaining cyber hygiene and avoiding disclosure of sensitive information are preventive controls.
Cyber Terrorism: Use of the Internet to conduct violent acts that result in, or threaten, loss of life or significant bodily harm. Passive defence against this attack is essentially target hardening.
Cyber Warfare: Use of technology to attack a nation, causing harm comparable to actual warfare. Limiting employee access to classified information and installing software updates may help to prevent this attack.
Data Diddling: Changing data before or during entry into the computer system. File encryption, checksums or message digests may detect such attacks.
Denial of Service: An attempt to make a machine or network unavailable to its intended users. A web application firewall may help to prevent application-layer DoS attacks.
DNS Spoofing: Data is introduced into a DNS resolver's cache, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer. Keeping the resolver private and protected is one of the controls against DNS spoofing.
Email Spoofing: Creation of email messages with a forged sender address. The core email protocols have no mechanism for authentication, which makes forged senders common in spam and phishing. A mail gateway or reverse proxy that checks sender authentication records (SPF, DKIM, DMARC) may detect email spoofing.
Identity Theft: Deliberate use of someone else's identity. Use of strong passwords, multi-factor authentication and monitoring of transactions on the account are some preventive controls.
Injection: Occurs when untrusted data is sent to an interpreter as part of a command or query. Input validation and parameterised queries, together with security audits and vulnerability, threat and risk (VTR) assessments, are preventive controls.
Keystroke Logger: Monitors and records keyboard use in order to retrieve data from the host. Use of keystroke encryption software and installing anti-malware are controls.
Logic Bomb: Legitimate programs to which malicious code has been added; the destructive action is programmed to "blow up" on the occurrence of a logical event. Anti-malware and use of applications from trusted sources may be preventive controls.
Piggybacking: Unauthorised access using a terminal that is already logged on with an authorised ID and left unattended. Control: idle session timeout.
Salami Theft: Minor attacks that together result in a larger attack. It may be prevented by proper segregation of duties and proper control over code.
Sensitive Data Exposure: Data may be compromised if it is not given extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser. Data leakage prevention tools may help.
Trojan: A self-contained, non-replicating program that, while appearing to be benign, actually has a hidden malicious purpose. Sound policies and procedures should be in place and anti-malware software installed.
Virus: A virus self-replicates, triggered through user interaction such as opening a file or running a program. Controls: sound policies and procedures, anti-malware software.
• Compiled viruses are executed by the operating system and include file infector viruses, which attach themselves to executable programs, and boot sector viruses, which infect the master boot record of hard drives.
• Interpreted viruses are executed by an application: macro viruses take advantage of a macro programming language to infect application documents and templates, while scripting viruses infect scripts understood by scripting languages processed by services on the OS.
Worm: A self-replicating, self-contained program. Controls: sound policies and procedures, anti-malware.
• Network service worms take advantage of a vulnerability in a network service to propagate.
• Mass mailing worms are similar to an email-borne virus but are self-contained.
Web Defacement: An attack on a website that changes the visual appearance of the website or a web page. Controls: security audits and vulnerability, threat and risk (VTR) assessments.
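The injection entry above describes the attack in one sentence; the following added Python example (not code from the chart-book) shows the same login check written two ways: with untrusted input pasted into the SQL text, and with input validation plus a parameterised query. The users table, the account names and passwords, and the allow-listed username format are constructed for the example; sqlite3 is used only because it runs in memory.

```python
"""Injection: the same login check written with string-built SQL (vulnerable)
and with a parameterised query plus input validation (hardened).

Added example for this section; not code from the chart-book. The user table,
user names and passwords below are constructed for the example.
"""
import hashlib
import hmac
import re
import sqlite3

USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")   # assumed allow-list format


def _pw_hash(password):
    # Demonstration only: real systems use a slow, salted KDF (argon2/scrypt).
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory users table with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT UNIQUE, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("admin", _pw_hash("correct horse battery")),
                      ("alice", _pw_hash("alice-pass-1"))])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Untrusted input is pasted into the query text, so the interpreter
    (SQLite) reads it as SQL. A username of  admin' --  turns the rest of the
    statement, including the password check, into a comment."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{_pw_hash(password)}'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def validate_username(username):
    """Input validation: accept only the allow-listed username format."""
    return bool(USERNAME_RE.match(username))


def login_safe(conn, username, password):
    """Validate first, then bind the value as a parameter so it can never be
    parsed as SQL; compare the hash in constant time."""
    if not validate_username(username):
        return None
    row = conn.execute("SELECT username, password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row and hmac.compare_digest(row[1], _pw_hash(password)):
        return row[0]
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "admin' --"   # comments out the password check in the vulnerable query
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("safe:      ", login_safe(db, payload, "anything"))
```

Parameter binding is what actually removes the vulnerability; the allow-list regex is defence in depth and also rejects the payload here, but validation alone is fragile because legitimate data (an O'Brien) contains the same characters an attacker uses.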
Information Systems Controls
A control is defined as a mechanism that provides reasonable assurance that business objectives will be achieved and undesired events are prevented, detected or corrected. Information systems auditing includes reviewing the implemented system, or providing consultation, and evaluating the reliability and operational effectiveness of controls. It ensures that the desired outcome of a business process is not affected.

1. Need for Control
• Organisational costs of data loss
• Incorrect decision making
• Costs of computer abuse
• High costs of computer error
• Maintenance of privacy
• Controlled evolution of computer use
• Information systems auditing: asset safeguarding, data integrity, system effectiveness, system efficiency

2. Objectives of Control
A control objective is defined as a "statement of the desired result or purpose to be achieved by implementing control procedures in a particular IT process or activity". Control objectives serve two main purposes:
• Outline the policies of the organisation
• Provide a benchmark for evaluating whether control objectives are met
The objective of controls is to reduce or, if possible, eradicate the causes of exposure to probable loss. Some categories of exposure are:
• Errors or omissions in data, procedure, processing, judgment and comparison
• Improper authorisations and improper accountability with regard to procedures, processing, judgment and comparison
• Inefficient activity in procedures, processing and comparison
Control considerations include:
• Lack of understanding of IS risks amongst management and users
• Absence of, or inadequate, IS control framework
• Complexity of implementation of controls

3. Internal Controls
Internal control framework: comprises the policies, procedures, practices and organisational structure that give reasonable assurance of achieving business objectives. Controls are broken into discrete activities and supporting processes, which can be either manual or automated.

4. Types of Internal Controls
Preventive controls: Designed to create a desired level of resistance; their goal is to predict potential problems before they occur. Examples: employing qualified personnel, segregation of duties, access control, documentation, etc.
Detective controls: Designed to build historical evidence of the events or activities directly related to reliability. Examples: hash totals, check points, etc.
Corrective controls: Designed to reduce the impact of, or correct, an error once it has been detected; directly related to bringing business operations back to normal. Examples: backup and restoration procedures, etc.

Control Rating by an Auditor
Very High: Controls are implemented and are extremely effective.
High: Controls are implemented and are highly effective.
Moderate: Controls are implemented and are moderately effective.
Low: Low effectiveness.
Negligible: Controls are not implemented.
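Hash totals are listed above as an example of a detective control, and the data diddling entry in Chapter 1 names checksums and message digests as a control against alteration during entry. The following added Python example (not code from the chart-book) serves both passages: it computes batch control totals (record count, amount total and a hash total over account numbers) together with a keyed seal (HMAC) when a batch is entered, and re-checks them before processing. The transaction records, field names and key are constructed for the example.

```python
"""Detective control over a batch of transactions: control totals (record
count, amount total, hash total of account numbers) plus a keyed seal (HMAC)
computed when the batch is entered and re-checked before it is processed.

Added example for this section; not code from the chart-book. The batch
records, the field names and the key are constructed for the example.
"""
import hashlib
import hmac
import json

# Constructed input batch as captured at data entry.
BATCH = [
    {"txn": 1001, "account": "10020030", "amount": 1250.00},
    {"txn": 1002, "account": "10020045", "amount": 80.50},
    {"txn": 1003, "account": "10020071", "amount": 9999.99},
]
# In practice the key lives with the processing/control function, not with the
# data-entry operators; otherwise a diddler can simply re-seal the batch.
SEAL_KEY = b"assumed-batch-control-key"


def control_totals(records):
    """Batch totals an operator or program can recompute and compare."""
    return {
        "record_count": len(records),
        "amount_total": round(sum(r["amount"] for r in records), 2),
        # Hash total: a meaningless sum over a non-financial field, used to
        # detect a record being swapped, dropped or duplicated.
        "account_hash_total": sum(int(r["account"]) for r in records),
    }


def canonical(records):
    """Stable serialisation so the same data always produces the same bytes."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def seal_batch(records, key=SEAL_KEY):
    """Seal = control totals + HMAC over the canonical records."""
    totals = control_totals(records)
    mac = hmac.new(key, canonical(records), hashlib.sha256).hexdigest()
    return {"totals": totals, "hmac": mac}


def verify_batch(records, seal, key=SEAL_KEY):
    """Returns (ok, findings). An unkeyed digest only detects a change the
    attacker forgot to recompute; the HMAC needs the key, which data entry
    does not hold."""
    findings = []
    now = control_totals(records)
    for name, expected in seal["totals"].items():
        if now[name] != expected:
            findings.append(f"{name}: expected {expected}, got {now[name]}")
    expected_mac = hmac.new(key, canonical(records), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, seal["hmac"]):
        findings.append("hmac mismatch: records altered after sealing")
    return (not findings, findings)


if __name__ == "__main__":
    seal = seal_batch(BATCH)
    print("untouched batch:", verify_batch(BATCH, seal))
    diddled = [dict(r) for r in BATCH]
    diddled[1]["amount"] = 8050.00           # amount changed during entry
    print("diddled batch:  ", verify_batch(diddled, seal))
```

Each total catches a different kind of tampering: the amount total flags a changed amount, the hash total flags a substituted account number even when the amount total is unchanged, and the HMAC flags any change at all, including one made by someone who knows how to recompute the plain totals.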
Risk and Control Ownership
Each risk should have an owner: a person or position that has a close interest in the processes affected by the risk. The owner of a risk also owns any controls associated with that risk and is accountable for monitoring their effectiveness. This ensures that all risks have been addressed through appropriate controls and that all controls are justified by the risks that mandate them.

Periodic Review and Monitoring of Risk and Controls
After implementation of the risk responses, management needs to monitor actual activities to ensure that the identified risks stay within an acceptable threshold. To ensure that risks are reviewed and updated, the organisation must have a process that ensures the review of risks. The best processes are:
• The risk assessment exercise may be conducted after a predefined period, at least annually.
• All incidents and lessons learned must be used to review the identified risks.
• Change management processes should proactively review possible risks and ensure that they are part of the organisation's risk register.
• New initiatives and projects must be considered only after risk assessment.

Controls Assessment
The first step is to review the risk register and control catalogue and ensure that the associated risk is responded to appropriately. The next step is to review procedure documents.

Control Self-Assessment
The actual testing of the controls is performed by staff whose day-to-day role is within the area of the organisation being examined, as they have the greatest knowledge of how the processes operate. The two common techniques for performing control evaluations are: 1. Workshops 2. Surveys or questionnaires.

Role of the IS Auditor in Information Risk Management
The IS auditor acts as facilitator for conducting risk assessment workshops, provides objective assurance to the board on the effectiveness of the organisation's risk management framework, and plans the audit cycle according to the perceived risk, i.e. plans a higher frequency for high-risk business process areas.
Key roles that an auditor can perform are:
1. Give assurance on the risk management process
2. Give assurance that the risks are being evaluated correctly
3. Evaluate the risk management process
4. Review the management of key risks
Activities an auditor should not perform, in order to maintain independence:
1. Setting the risk appetite
2. Imposing the risk management process
3. Taking decisions on risk responses
4. Implementing risk responses on management's behalf
CHAPTER 2:
ADMINISTRATIVE CONTROLS OF INFORMATION ASSETS
Information Security Management
Information security management ensures the confidentiality, integrity and availability (CIA) of information assets. The primary control for implementing the protection strategy is defining and implementing an information security policy.
Key elements of information security management include:
• Senior management commitment and support
• Policies and procedures
• Organisation structure and roles and responsibilities
• Security awareness and education
• Monitoring
• Compliance
• Incident handling and response
• Continual improvement

Senior Management Commitment and Support
Commitment and support of senior management are imperative for the successful establishment and continuance of an information security management programme. Executive management endorsement of essential security requirements provides the basis for ensuring that security expectations are met at all levels of the enterprise.

Critical Success Factors for Information Security Management
• Alignment with business objectives: Management needs to establish the security policy in line with business objectives, to ensure that all information security elements are strategically aligned.
• Organisational culture: Ensure that the framework followed to implement, maintain, monitor and improve information security is consistent with the organisational culture.
• Establish and enforce an information security programme: Its focus is protecting the information assets of the organisation.
• Adoption of standards: Enables the organisation to have consistent implementation across the enterprise and helps in providing assurance that all required aspects of information security have been covered.
• Spend resources wisely and transparently: Expenditure on controls should be prioritised, and unnecessary resource utilisation may be avoided.

Information Security Organisation
• Information security is the responsibility of the entire organisation and the accountability of senior management.
• The information security position must be strategically placed within the organisation and visibly supported by top management while carrying out its duties in an effective and independent manner.
• Security responsibilities are defined for every person and position as part of his/her role within the organisation and documented in the job description.

Segregation of Duties: Having more than one person required to complete a task. No individual should have the ability to carry out every step of a sensitive business transaction. SoD implements an appropriate level of checks and balances on the activities of individuals.
The 'Four Eyes' (Two-Person) Principle: For each transaction, at least two individuals must be necessary for its completion. While one individual may create a transaction, another of higher designation should be involved in confirmation/authorisation. In this way, strict control is kept over system software and data.
Rotation of Duties: Rotation of employees' assigned jobs throughout their employment. Designed to promote flexibility of employees and to keep employees interested in staying with the organisation.
'Key Man' Policy: Where a single individual is critical to the business, insurance policies may be taken out to cover losses resulting from his or her death or incapacity.

Information Security Policies, Procedures, Standards and Guidelines
The information security policy defines management's intent on how the security objectives should be achieved; it is an overview or generalisation of an organisation's security needs. After policies are outlined, standards are adopted/defined to set the mandatory rules that will be used to implement the policies. A guideline is typically a collection of system-specific or procedure-specific "suggestions" for best practice. Information security management, administrators and engineers create procedures from the standards and guidelines that follow the policies.
1. Components of Information Security Policies
Statement, scope, objective, ownership, roles and responsibilities, business requirement for information security, policy exceptions, compliance and periodic review.

2. Other Common Security Policies
Data Classification and Privacy Policies:
• The organisation shall hold non-public personal information in strict confidence, except as required or authorised by law, and disclose it only to persons who are authorised to receive it.
• Adopt procedures for the administrative, technical and physical safeguarding of all non-public personal information.
• Any entity that utilises information provided by the organisation to carry out its responsibilities shall have signed and agreed to abide by the terms of the data privacy and security policy.
Acceptable Use of Information Assets Policy: A set of rules that restrict the ways in which information resources (data, application systems, technology, facilities and people) may be used. An AUP often reduces the potential for legal action that may be taken by a user, and often with little prospect of enforcement.
Physical Access and Security Policy: Security measures designed to restrict unauthorised access to facilities, equipment and resources, and to protect personnel and assets from damage or harm. It involves the use of multiple layers of interdependent systems, which include CCTV surveillance, security guards, biometric access, RFID cards, etc.
Asset Management Policy: Defines the business requirements for the protection of information assets. It covers assets such as servers, desktops, handhelds, software and network devices.
Network Security Policy: The overall rules for the organisation's network access; determines how policies are enforced and lays down some of the basic architecture of the company's security/network security environment.
Password Policy: The policy defines the high-level configuration of passwords used within the organisation to access information assets. For example:
• Password length must be more than 8 characters
• Password must meet complexity requirements, such as upper case, lower case, numeric and special characters
• Password must have a defined maximum age
• Password must have a defined minimum age
• Password must have history control (recently used passwords cannot be reused)

3. Controls over Policy
Information security policies need to be maintained, reviewed and updated regularly. It is necessary to review the security policies to ensure that they are in line with senior management's intent. Security policies are to be reviewed:
• Periodically, generally annually, OR
• After an incident, OR
• As a part of the change management process

4. Exceptions to the Policy
Policies are generic and sometimes cannot be enforced in specific situations. In such situations, it is necessary to ensure that there are suitable compensating controls so that the risks mitigated by enforcement of the policy are within acceptable levels.
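The five password rules listed above as an added Python example (not code from the chart-book): a checker that reports every rule a proposed password change breaks, with the history kept as salted hashes so old passwords are never stored in clear. The concrete limits (9 characters to satisfy "more than 8", all four character classes, a 1-day minimum age, a 90-day maximum age, a 5-entry history) and the sample account data are assumed.

```python
"""Password policy checker for the rules listed above: minimum length,
complexity, minimum and maximum age, and history (no reuse).

Added example for this section; not code from the chart-book. The concrete
limits (9 characters, 4 character classes, 1-day minimum age, 90-day maximum
age, 5-entry history) and the sample account data are assumed.
"""
import hashlib
import os
import re
from datetime import datetime, timedelta

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; history entries are stored in this form, never in
    clear, so old passwords cannot be read back out of the history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def matches(password, stored):
    """Re-hash with the stored salt (first 16 bytes) and compare."""
    return hash_password(password, stored[:16]) == stored


class PasswordPolicy:
    def __init__(self, min_length=9, min_classes=4, min_age=timedelta(days=1),
                 max_age=timedelta(days=90), history_size=5):
        self.min_length = min_length        # "more than 8 characters"
        self.min_classes = min_classes
        self.min_age = min_age
        self.max_age = max_age
        self.history_size = history_size

    def is_expired(self, last_changed, now):
        """Maximum age: the user must change the password after this."""
        return now - last_changed > self.max_age

    def violations(self, new_password, history, last_changed, now):
        """Return the rules the proposed change breaks (empty list = allowed).
        `history` holds the most recent hashes first."""
        problems = []
        if len(new_password) < self.min_length:
            problems.append(f"length: need at least {self.min_length} characters")
        present = [name for name, rx in CLASSES.items() if rx.search(new_password)]
        if len(present) < self.min_classes:
            problems.append("complexity: missing " +
                            ", ".join(c for c in CLASSES if c not in present))
        if now - last_changed < self.min_age:
            problems.append("min age: password was changed too recently")
        if any(matches(new_password, h) for h in history[:self.history_size]):
            problems.append("history: password was used recently")
        return problems


def demo():
    """Constructed account: two previous passwords, last change 30 days ago."""
    policy = PasswordPolicy()
    now = datetime(2024, 3, 10, 9, 0)
    history = [hash_password("Spring2024!"), hash_password("Winter2023!")]
    last_changed = now - timedelta(days=30)
    return {
        "reuse": policy.violations("Winter2023!", history, last_changed, now),
        "weak": policy.violations("summer24", history, last_changed, now),
        "too_soon": policy.violations("Summer-2024!", history, now - timedelta(hours=2), now),
        "good": policy.violations("Summer-2024!", history, last_changed, now),
        "expired": policy.is_expired(now - timedelta(days=120), now),
        "not_expired": policy.is_expired(last_changed, now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

The minimum-age rule is the one most often left out, yet it is what gives the history rule teeth: without it a user can cycle through five throwaway passwords in a minute and land back on the old one.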
Information Classification
Information classification provides organisations with a systematic approach to protecting information consistently across the organisation. Information assets include: databases, data files, back-up media, on-line magnetic media, off-line magnetic media, paper, system documentation, user manuals, training material, operational or support procedures, continuity plans and fall-back arrangements.
Information follows a life cycle consisting of stages such as origination, draft, approved/signed, received, stored, processed, transmitted, archived, discarded and destroyed.

Benefits of Information Classification
• It provides a systematic approach to protecting information consistently.
• It helps in determining the risk associated with loss and thus prevents 'over-protecting' and/or 'under-protecting'.
• It is used to demonstrate that the organisation is meeting compliance requirements.
• It ensures that security controls are only applied to information that requires such protection, which reduces the operational cost of protecting information.
• It enforces access control policies by using the classification label to determine whether an individual can gain access to a piece of information.

Information Classification Policy
• Structure of the classification schema.
• Information owners and custodians.
• Protection levels for each class of information defined by the schema.
Owners are responsible for assigning classifications to information assets. The information classification shall be embedded in the information itself.

Classification Schema
Information Category | Description | When unauthorised disclosure, alteration or destruction could: | Examples
Unclassified/Public | Information is not confidential and can be made public without any implications for the Company. | Cause low or no risk | Product brochures widely distributed; information widely available in the public domain, including publicly available Company web site areas; sample downloads of Company software that is for sale; financial reports required by regulatory authorities; newsletters for external transmission
Sensitive | Requires special precautions to ensure the integrity and confidentiality of the data by protecting it from unauthorised modification or deletion. Requires higher than normal assurance of accuracy and completeness. | Cause a moderate level of risk | Passwords and information on corporate security procedures; know-how used to process client information; Standard Operating Procedures used in all parts of the Company's business; all Company-developed software code, whether used internally or sold to clients
Client Confidential Data | Information received from clients in any form for processing in production by the Company. The original copy of such information must not be changed in any way without written permission from the client. The highest possible levels of integrity, confidentiality and restricted availability are vital. | Cause a significant level of risk | Client media; electronic transmissions from clients; product information generated for the client by the Company
Company Confidential Data | Information collected and used by the Company in the conduct of its business to employ people, to log and fulfil client orders, and to manage all aspects of corporate finance. Access to this information is very restricted within the company. The highest possible levels of integrity, confidentiality and restricted availability are vital. | Cause the highest level of risk | Salaries and other personnel data; accounting data and internal financial reports; confidential customer business data and confidential contracts; Company business plans

The Concept of Responsibility in Information Security
Ownership: For security and control, ownership is delegated to an employee or group of employees who need to use these assets. Users not only have the right to use the asset but are also responsible for ensuring that the asset is well maintained, accurate and up to date.
Custodianship: The owner may delegate responsibility to a custodian. The owner should clearly state the responsibilities and associated levels of authority of the custodian over the assets, but final management responsibility always resides with the owner.
Controlling: In all information security areas there are key tasks, which can be called control points. It is at these control points that the actual information security mechanism has its application.

Human Resources Security
The management of human resources security and privacy risks is necessary during all phases of an employee's association with the organisation. Some of the recommended safeguards are: job descriptions and screening, user awareness and training, a disciplinary process, and an exit process.
Pre-employment: Defining the roles and responsibilities of the job, defining appropriate access to sensitive information for the job, and determining the candidate's screening level.
During employment: Employees receive periodic reminders of their responsibilities and receive ongoing, updated security awareness training.
Termination or change of employment: Access must be revoked immediately upon termination of an employee's or third party's association with the organisation.

Training & Education
A broad programme that includes training, education, awareness and outreach must be developed to deliver a multitude of security messages through various means to all employees. Formal instructor-led training, computer- or Internet-based training, videos, conferences, forums, and other technology-based and traditional delivery methods are all examples of what must be part of the integrated security training, education and awareness programme.
Important considerations for a security awareness training programme are:
• Mandatory security awareness: Ensure that security awareness training is mandatory for all staff.
• Training for third parties: Ensure that all third parties who have access to the organisation's information assets receive training.
• Training is required before access is granted: Security awareness training commences with a formal induction process designed to introduce the organisation's information security policies and expectations before access is granted to information or services.
• Acknowledge policy: Ensure that all have acknowledged that they have read and understood the organisation's information security / acceptable use policy.
• Training at least annually: Ensure that the whole target audience, including third parties, is given security awareness training at least once a year.
Module - 5 Protection of Information Assets Chapter 2 Administrative Controls of Information Assets
Implementation of Information Security Policies
Appropriate implementation of information security policy helps in minimizing internal security breaches that are accidental and unintentional. The following may help in smooth and successful implementation of information security policies.
Increasing Awareness
The information security department should understand the level of employee awareness in order to determine the effectiveness of the information security policy.
Communicating Effectively
Ensuring that employees understand the reason to comply with information security policies. Communications guidelines include:
• Target communications for various user communities.
• Provide a list of policy updates in the annual training.
• Supplement primary communications vehicles with website and newsletter articles.
Simplify Enforcement
• Creating a manageable number of policies & convincing employees to comply with every policy.
• Making policies understandable for target audiences by using language that is suited for target users.
• Making it easy to comply.
• Integrating security with business processes so employees will not need to bypass security procedures while doing business operations.
• Aligning policies with job requirements.
• Generating a higher level of compliance by creating realistic, workable policies shall help.
Integrating Security with the Corporate Culture
Making employees a partner in the security challenge: The security team is there to help them instead of to police them.
Making security policy part of a larger compliance initiative: Work with human resources, legal, and other compliance teams.
Tying security policies to the company's code of business conduct: Educate employees on vital compliance - information security for overall success.
Issues and Challenges of Information Security Management
Organization's strategic drivers: Strategic drivers and needs of the organization may conflict with the actions required to ensure that assets and processes remain productive.
Regulatory requirements: Just as the organization must expose itself to its environment to operate, so must it be willing to accept the limitations imposed by regulators.
Information security as an afterthought: It is a norm to follow a checklist to understand whether any of the security 'holes' remained unplugged.
Lack of integration in system design and security design: Development duality is a phenomenon where systems design and security design are undertaken in parallel rather than in an integrated manner.
CHAPTER 3:
PHYSICAL AND ENVIRONMENTAL CONTROLS
Objectives of Physical Access Controls
An access control system determines who is allowed, where they are allowed, and when they are allowed to enter or exit. Physical access controls restrict physical access to resources and protect them from intentional and unintentional loss or impairment. Assets to be protected could include: primary computer facilities, cooling system facilities, microcomputers, telecommunications equipment and lines (including wiring closets), and sensitive areas such as buildings, individual rooms or equipment.
Physical Security Control Techniques
Choosing and Designing a Secure Site
Local considerations: What is the local rate of crime?
External services: The relative proximity of local emergency services.
Visibility: Facilities such as data centres should not be visible or identifiable from the outside, i.e. no windows or directional signs.
Windows: Windows are normally not acceptable in a data centre (if they exist they must be translucent and shatterproof) to avoid data leakage through electromagnetic radiation emitted by monitors.
Doors: Doors in the computer centre must resist forcible entry and have a fire rating equal to the walls. Emergency exits must be clearly marked and monitored or alarmed.
Security Management
Controlled user registration procedure: Rights of physical access are given only to persons entitled thereto, based on the principle of least privilege.
Audit trails: Audit trails and access control logs are vital because management needs to know when access attempts occurred and who attempted them. This must record:
• The date and time of the access attempt
• Whether the attempt was successful or not
• Where the access was granted
• Who attempted the access
• Who modified the access privileges
Reporting and incident handling procedure: Once an unauthorized event is detected, appropriate procedures should be in place to enable reporting. The security administrator should be kept notified.
Emergency Procedures: The implementation of emergency procedures and employee training and knowledge of these procedures is an important part of administrative physical controls. These procedures should be clearly documented, readily accessible (including copies stored off-site in the event of a disaster), and updated periodically.
Human Resource Controls: These include providing identity cards, providing training in physical security, monitoring behaviour etc. One of the most important controls is the process of providing access cards to employees, vendor personnel working onsite and visitors.
Perimeter Security
Guards: Guards are commonly deployed in perimeter control, depending on cost and sensitivity of the resource to be secured. While guards are capable of applying subjective intelligence, they are also subject to the risks of social engineering.
Dogs: They are reliable, and have a keen sense of smell and hearing, but can't make judgement calls.
Compound Walls and Perimeter Fencing: Securing against unauthorized boundary access helps in deterring casual intruders. Ineffective against a determined intruder.
Lighting: Extensive outside lighting of entrances or parking areas can discourage casual intruders.
Dead Man Doors: Pair of doors. The first entry door must close and lock so that only one person is permitted. Used to reduce the risk of piggybacking.
Bolting Door Locks: Require a traditional metal key to gain entry.
Combination or Cipher Locks: Also known as cipher locks, use a numeric keypad or dial to gain entry.
Electronic Door Locks: Use electronic card readers, smart card readers or optical scanners to gain entry. They have the following advantages:
• Provide a higher level of security than others.
• Distinguish between various categories of users.
• Restricted through special internal code.
• Duplication is difficult.
• Can be deactivated from a central electronic control mechanism.
• Include card swallow, which after a number of failed attempts activates an audible alarm.
Biometric Door Locks: Enable access based on physiological features such as voice, fingerprint, hand geometry, retina scan etc. and are known as the more sophisticated method. They have a high cost of acquisition, implementation and maintenance. They are time consuming.
Smart Cards
Perimeter Intrusion Detectors
Photoelectric Sensors: Photoelectric sensors receive a beam of light from a light-emitting device, creating a grid of white light, or invisible infrared light. An alarm is activated when the beams are broken.
Dry Contact Switches: Metallic foil tape on windows or metal contact switches on doorframes to detect when a door or window has been opened.
Video Cameras: Provide preventive and detective control. They have to be supplemented by security monitoring and guards for taking corrective action.
Identification Badge: Special identification badges such as employee cards, privileged access passes, and visitor passes etc. enable tracking movement of personnel.
Manual Logging: All visitors to the premises are prompted to sign a visitor's register/log.
Electronic Logging: Records the date and time of entry and exit of the cardholder by requiring the person to swipe the card, or can be made with electronic or biometric devices.
Controlled Single Point Access: Identifying and eliminating or disabling entry from all entry points except one.
Controlled Visitor Access: A pre-designated responsible employee or security staff escorts all visitors.
Bonded Personnel: Contractors or employees being required to execute a financial bond. Such a bond does not improve security but reduces the financial impact due to improper access/misuse of information resources.
Wireless Proximity Readers: The card reader senses the card in possession of a user in the general area (proximity) and enables faster access.
Alarm Systems/Motion Detectors: Provide detective controls and highlight security breaches to prohibited areas.
Secured Distribution Carts: One of the concerns in batch output control is to get the printed hardcopy reports (which may include confidential materials) securely to the intended recipients. Distribution trolleys with fixed containers secured by locks; the respective user team holds the keys of the relevant container.
Cable Locks: Plastic-covered steel cable that chains a PC, laptop or peripherals to the desk or other immovable objects.
Port Controls: Devices that secure data ports (such as a floppy drive or a serial or parallel port) and prevent their use.
Switch Controls: Cover for the on/off switch.
Peripheral Switch Controls: Lockable switches that prevent a device such as a keyboard from being used.
Biometric Mouse: Specially designed mouse usable only by a pre-determined/pre-registered person based on physiological features.
Laptop Security: Cable locks, biometric mice/fingerprint/iris recognition and encryption of the data are available to protect laptops and the data therein.
Auditing Physical Access Controls
Auditing physical access requires that the auditor review the physical access risks and controls to form an opinion on the effectiveness of these controls. This involves risk assessment, review of documentation and testing of controls.
Risk Assessment: The auditor should satisfy himself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and exposures.
Controls Assessment: The auditor, based on the risk profile, evaluates whether physical access controls are in place and adequate to protect the IS assets against the risks.
Review of Documentation: Planning for review of physical access controls requires examination of relevant documentation such as security policy and procedures, premises plans, building plans, etc.
Testing of Controls: This involves:
• Tour of organizational facilities: computer storage rooms, communication closets, backup and off-site facilities, printer rooms, disposal yards and bins, all points of entry/exit, glass windows and walls.
• Interviewing personnel to get information on procedures.
• Observation of safeguards and physical access procedures.
• Review of physical access procedures including user registration and authorization, special access authorization, logging, periodic review, supervision etc.
• Employee termination procedures should provide withdrawal of rights such as retrieval of physical devices such as smart cards and access tokens, deactivation of access rights and its appropriate communication to relevant constituents in the organization.
• Examination of physical access logs and reports, including examination of incident reporting logs and problem resolution reports.
Environmental Controls
Environmental threats to information assets include threats primarily relating to facilities and supporting infrastructure, which house and support the computing equipment, media and people. The IS auditor should review all factors that adversely affect confidentiality, integrity and availability of the information, due to undesired changes in the environment or ineffective environmental controls.
Walls: Walls must have an acceptable fire rating.
Ceilings: Issues of concern regarding ceilings are the weight-bearing rating and the fire rating.
Floors: If the floor is a concrete slab, the concerns are the physical weight it can bear and its fire rating. Electrical cables must be enclosed in metal conduit, and data cables must be enclosed in raceways. Ideally, an IPF should be located between floors and not at or near the ground floor, nor should it be located at or near the top floor.
Fire-resistant walls, floors and ceilings: The construction of the IPF should use fire resistant materials for walls, floors and ceilings.
Concealed protective wiring: Power and communication cables should be laid in separate fire-resistant panels and ducts.
Media protection: Location of media libraries, fireproof cabinets, kind of media used (fungi resistant, heat resistant).
Emergency Plan
Disasters can cause environmental threats & to mitigate these risks, organizations should have evacuation plans, prominently display evacuation paths, and establish reporting procedures. Regular inspections, testing, and supervision of environmental controls should be carried out, with results escalated as needed. Emergency evacuation plans should account for the layout of premises, shut down of equipment, & activation of fire suppression systems. Incident handling procedures and protocols should also be included in administrative procedures.
Maintenance Plans
MTBF and MTTR: A comprehensive maintenance and inspection plan is critical to the success of environmental security and controls. Failure modes of each utility and risks of utility failure should be identified, parameterized and documented. This includes estimating the MTBF (Mean Time Between Failures) and MTTR (Mean Time To Repair). Planning for environmental controls would need to evaluate alternatives with low MTBF or installing redundant units. Stocking spare parts on site and training maintenance personnel can reduce MTTR. It is better that MTBF should be high and MTTR should be low.
Ventilation and Air Conditioning
Controlled temperature in the IPF is crucial for the maintenance of internal components of equipment and processing. Dedicated power circuits for air conditioning units should be installed, and intake vents should be protected to prevent toxins from entering the facility.
Power Supplies
Many aspects may threaten the power system, the most common being noise and voltage fluctuations. Noise in power systems refers to the presence of electrical radiation in the system. There are several types of noise, the most common being electromagnetic interference (EMI) and radio frequency interference (RFI). Voltage fluctuations are classified as Sag (momentary low voltage), Brownout (prolonged low voltage), Spike (momentary high voltage), Surge (prolonged high voltage) and Blackout (complete loss of power).
Uninterruptible power supply (UPS)/generator: A UPS consists of a battery backup that interfaces with the external power. On interruption in the external power supply, the power continues to be supplied from the battery. A UPS can be on-line or off-line, but for a computerized environment an on-line UPS is mandated.
Electrical surge protectors/line conditioners: Cleanse the incoming power supply of such quality problems and deliver clean power for the equipment. These are the most effective control to protect against short-term reduction in electrical power as well as against a high-voltage power burst.
Power leads from two sub-stations: Electric power lines may be exposed to many environmental and physical threats. To protect against such exposures, redundant power lines from a different grid supply should be provided for. Interruption of one power supply should result in the system immediately switching over to the stand-by line.
Fire Detection and Suppression System
Improper maintenance of temperature leads to damage of internal components.
Smoke and Fire Detectors: Smoke and fire detectors activate audible alarms or fire suppression systems on sensing a particular degree of smoke or fire. Such detectors should be placed at appropriate places, above and below the false ceiling, in ventilation and cabling ducts. In the case of critical facilities, such devices must be linked to a monitoring station (such as a fire station). Smoke detectors should supplement and not replace fire suppression systems.
Fire Alarms: Manually activated fire alarm switches should be located at appropriate locations, prominently visible and easily accessible in case of fire (but should not be easily capable of misuse during other times).
Emergency Power Off: When the necessity of immediate power shutdown arises, emergency power-off switches should be provided. There should be one within the computer facility and another just outside the computer facility. Such switches should be easily accessible.
Water Detectors: Risks to IPF equipment from flooding and water logging can be controlled by use of water detectors placed under false flooring or near drain holes.
Fire Suppression Systems: Rated as either Class A, B, or C based upon their material composition. Fires caused by common combustibles (like wood, cloth, paper, rubber, most plastics) are classed as Class A and are suppressed by water or soda acid (or sodium bicarbonate). Fires caused by flammable liquids and gases are classed as Class B and are suppressed by carbon dioxide (CO2), soda acid, or FM200. Electrical fires are classified as Class C fires and are suppressed by carbon dioxide (CO2) or FM200. Fires caused by flammable chemicals and metals (such as magnesium and sodium) are classed as Class D and are suppressed by dry powder (a special smothering and coating agent). Class D fires usually occur only at places like chemical laboratories and rarely occur in office environments.
(a) Water Based Systems (b) Gas Based Systems
CHAPTER 4:
LOGICAL ACCESS CONTROLS
Objectives of Logical Access Controls
To ensure that authorized users can access the information resources as per their role and responsibilities by providing access on a "need to know and need to do" basis. It is all about protection of information assets in all three states, namely: at rest, in transit and in process.
Paths of Logical Access
The auditor has to identify and document the possible logical access paths permitting access to information resources, which may involve testing security at various systems.
Logical Access Attacks and Exposures
Masquerading: It means disguising or impersonation. It may be attempted through stolen logon IDs and passwords, through finding security gaps in programs, or by bypassing the authentication mechanism.
Piggybacking: Unauthorized access to information by using a terminal that is already logged on with an authorized ID (identification) and left unattended.
Wiretapping: Tapping a communication cable to collect information being transmitted.
Denial of Service: The perpetrator attempts to send multiple session requests, resulting in non-availability of sessions for legitimate users.
Social Engineering: This is an attack on the weakest link, i.e. the human. Different means including spoofing and masquerading result in a person revealing confidential information.
Phishing: The user receives a mail requesting to provide information. The mail and link appear to be from the actual originator. Ignorant users click on the link and provide confidential information.
Vishing: Uses a similar technique as phishing, over the telephone.
Key Logger: The perpetrator installs software that captures the key sequence used by the user, including login information. There are hardware key loggers available that are connected to the system where the keyboard is attached.
Malware: Captures and transmits information from the compromised system. Intentionally causes disruption and harm, or circumvents or subverts the existing system's function.
Access Control Mechanism
The primary function of logical access control is to allow authorized access and prevent unauthorized access. The access control mechanism is actually a three-step process as depicted in the figure below:
Identification: Identification is a process by which a user provides a claimed identity to the authentication system, such as an account number.
Authentication: Authentication is a mechanism through which the user's claim is verified by the system.
Authorization: The authenticated user is allowed to perform a pre-determined set of actions on eligible resources.
It is necessary to apply access control at each layer of an organization's information system architecture to control and monitor access in and around the controlled area.
Identification Techniques
Identification is a process by which a user provides a claimed identity to the system, such as an account number. Authentication is the process of verifying whether the identity claimed by the user is actually true or false. The three categories of authentication factors are: something the user knows (e.g., a password), something the user has (e.g., a token or smart card), and something the user is (a physical / biometric comparison).
Individual authentication strength increases when multiple authentication technologies and techniques are combined and used. Single-factor authentication uses any one of these authentication factors. Two-factor or dual-factor authentication uses two factors, and three-factor authentication uses all three factors. Once the user is authenticated, the system must be configured to validate that the user is authorized (has a valid need-to-know) for the resource and can be held accountable for any actions taken. A default denial policy, where access to the information resource is denied unless explicitly permitted, should be mandated.
Authentication Techniques
Weaknesses of Logon Mechanism
• Passwords are easily shared.
• Users often advertently or inadvertently reveal passwords.
• Repeated use of the same password.
• If a password is too short or too easy, it can be guessed.
• If a password is too long or too complex, it may be forgotten.
• Common words found in a dictionary.
Recommended Practices for Strong Passwords
• The system should be configured to force a password change on first login.
• The system should be configured to force password change periodically, e.g. once in 60 days.
• The system should be configured for a minimum age of the password.
• Concurrent logins should not be permitted.
• Passwords should not be too short and should not use the name of the user, pet names, or such other attributes.
Attacks on Logon/Password Systems
Brute Force: The attacker tries out every possible technique to hit on the successful match. The attacker may also use various password cracking software tools that assist in this effort.
Dictionary Attack: Based on the assumption that users tend to use common words as passwords, which can be found in a dictionary.
Trojan: Malicious software, which can be used to steal access control lists, passwords and the control mechanism.
Spoofing Attacks: The attacker plants a Trojan program, which masquerades as the system's logon screen, gets the logon and password information and returns control to the genuine access control mechanism.
Piggybacking: An unauthorized user may wait for an authorized user to log in and leave a terminal unattended. This can be controlled by automatically logging out access from the session after a pre-determined period of inactivity.
5. Token Based Authentication
Memory tokens: The cards contain visible information such as name, identification number, photograph and such other information about the user, and a magnetic strip or memory chip. To gain access to a system, the user in possession of a memory token may be required to swipe his card through a card reader, which reads the information on the magnetic strip/memory token and passes it on to the computer for verification to enable access.
Smart tokens: A small processor chip, which enables storing dynamic information on the card.
6. Biometric Authentication
Biometrics offers authentication based on "what the user is". Biometrics are automated mechanisms which use physiological and behavioural characteristics to determine or verify identity. Fingerprint, facial scan, hand geometry, signature etc. are examples.
Due to the complexity of the data, biometrics suffer from two types of error, viz. False Rejection Rate (FRR), which is wrongfully rejecting a rightful user, and False Acceptance Rate (FAR), which involves an unauthorized user being wrongfully authenticated as a rightful user. Thus, FRR and FAR tend to be inversely related. An overall metric used is the Crossover/Equal Error Rate, which is the point at which FRR equals FAR.
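The FRR/FAR trade-off and the crossover point can be measured from a matcher's scores. The Python below is an added example, not from the chart-book; the genuine and impostor score lists are constructed sample data, and the threshold sweep is a generic way of computing the curve.

```python
from typing import List, Tuple

# Constructed sample matcher scores in [0, 1]. Genuine: a rightful user compared
# with their own enrolled template. Impostor: an unauthorized user compared with
# someone else's template. Real evaluations use thousands of such comparisons.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.74, 0.70, 0.66, 0.61, 0.55, 0.48]
IMPOSTOR_SCORES = [0.10, 0.18, 0.25, 0.31, 0.38, 0.44, 0.52, 0.58, 0.63, 0.71]


def frr(threshold: float, genuine: List[float] = GENUINE_SCORES) -> float:
    """False Rejection Rate: share of rightful users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold: float, impostor: List[float] = IMPOSTOR_SCORES) -> float:
    """False Acceptance Rate: share of impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES,
                steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(i / steps, frr(i / steps, genuine), far(i / steps, impostor))
            for i in range(steps + 1)]


def frr_far_tradeoff(genuine: List[float] = GENUINE_SCORES,
                     impostor: List[float] = IMPOSTOR_SCORES) -> bool:
    """Check the inverse relation: raising the threshold never lowers FRR and never raises FAR."""
    curve = error_curve(genuine, impostor)
    return all(a[1] <= b[1] and a[2] >= b[2] for a, b in zip(curve, curve[1:]))


def crossover_error_rate(genuine: List[float] = GENUINE_SCORES,
                         impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Lowest threshold at which FRR and FAR are closest, and the error rate there (CER/EER)."""
    curve = error_curve(genuine, impostor)
    t, fr, fa = min(curve, key=lambda row: abs(row[1] - row[2]))  # first minimum wins
    return t, (fr + fa) / 2
```

A tighter (higher) threshold lowers FAR at the cost of FRR; the operating point chosen in practice depends on whether false acceptance or false rejection is the costlier error for the facility.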
Authorization Techniques: Operating Systems
Operating systems are fundamental to providing security to computing systems. The operating system supports the execution of applications, and any security constraints defined at that level must be enforced by the operating system. The operating system must also protect itself, because its compromise would give access to all the user accounts and all the data in their files. Most operating systems use the access matrix as their security model. An access matrix defines which processes have what types of access to specific resources. General operating system access control functions include:
• Authentication of the user & user management
• Restrict logon IDs to specific workstations and / or specific times
• Manage password policy and account lockout policy
• Manage audit policy
• Log events and report capabilities
User Registration: This is generally done based on the job responsibilities and confirmed by the user's manager. This must be approved by the information owner. The user registration process must answer:
• Why is the user granted the access?
• Has the data owner approved the access?
• Has the user accepted the responsibility?
Privilege User Management: Access privileges are to be aligned with job requirements and responsibilities. These are defined and approved by the information asset owner. In these cases manual monitoring and periodic reviews are compensating controls to correct the situation.
Default Users Management: Applications, operating systems and databases purchased from vendors have provision for default users with administrative privileges required for implementation and/or maintenance of the application, OS or database. It is expected that these passwords must be changed immediately as soon as the system is implemented. While reviewing these access controls the IS auditor must ensure that these user IDs are either disabled, or their passwords have been changed and suitably controlled by the organization.
Password Management:
• Allocation of passwords, which is generally done by system administrators.
• Secure communication of the password to the appropriate user.
• Force change on first login by the user so as to prevent possible misuse by system administrators.
• Storage of passwords should generally not be done in plain text. Most systems store the password as a hash of the actual password.
• Password expiry must be managed as per policy. Users must change passwords periodically and the system should be configured to expire the password after a predefined period.
User Access Rights Management: Periodic review of users' access rights is an essential process to detect possible excess rights due to changes in responsibilities, emergencies, and other changes. These reviews must be conducted by the information owner, and administrators facilitate them by providing the available accesses recorded in the system.
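The password practices listed above and in the Recommended Practices for Strong Passwords (60-day expiry, forced change on first login, minimum age, no user or pet names, no dictionary words, no concurrent logins, hashed storage) can be enforced together in one logon routine. This Python is an added example, not the chart-book's or any product's code; the 60-day expiry comes from the page, while the minimum age, minimum length and the tiny dictionary are constructed assumptions, and dates are passed as ISO strings.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set

# Policy constants. The 60-day expiry is the page's own example; the minimum
# age, minimum length and the dictionary are constructed assumptions.
MAX_AGE_DAYS = 60
MIN_AGE_DAYS = 1
MIN_LENGTH = 12
DICTIONARY = {"password", "welcome", "letmein", "qwerty"}


@dataclass
class Account:
    user_name: str
    personal_words: Set[str]            # pet names etc. collected at registration
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""                # only a one-way hash is stored, never clear text
    last_changed: Optional[str] = None  # ISO date; None = administrator-allocated, never changed
    must_change: bool = True            # forces a change on first login
    active_sessions: int = 0


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way storage of the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def check_candidate(acct: Account, candidate: str, today: str) -> List[str]:
    """Return the policy rules a proposed password breaks (empty list = accepted)."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if acct.user_name.lower() in low:
        problems.append("contains user name")
    problems += [f"contains personal attribute '{w}'" for w in acct.personal_words if w.lower() in low]
    # Strip digits and punctuation so "Password123!" is still caught as a dictionary word
    if re.sub(r"[^a-z]", "", low) in DICTIONARY:
        problems.append("dictionary word")
    if acct.pw_hash and hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash):
        problems.append("same as current password")
    if acct.last_changed is not None and _days_between(acct.last_changed, today) < MIN_AGE_DAYS:
        problems.append("minimum password age not reached")
    return problems


def allocate_initial_password(acct: Account, temp_password: str) -> None:
    """Administrator allocation: stored hashed and flagged for change on first login."""
    acct.pw_hash = hash_password(temp_password, acct.salt)
    acct.last_changed = None
    acct.must_change = True


def set_password(acct: Account, candidate: str, today: str) -> List[str]:
    """User-chosen password; applied only if no rule is broken. Returns the violations."""
    problems = check_candidate(acct, candidate, today)
    if not problems:
        acct.pw_hash = hash_password(candidate, acct.salt)
        acct.last_changed = today
        acct.must_change = False
    return problems


def login(acct: Account, password: str, today: str) -> str:
    """Logon decision: 'denied', 'change_required', 'concurrent_login' or 'ok'."""
    if not acct.pw_hash or not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "denied"
    expired = acct.last_changed is not None and _days_between(acct.last_changed, today) > MAX_AGE_DAYS
    if acct.must_change or expired:
        return "change_required"       # a new password must be set before proceeding
    if acct.active_sessions >= 1:
        return "concurrent_login"      # concurrent logins are not permitted
    acct.active_sessions += 1
    return "ok"


def logout(acct: Account) -> None:
    acct.active_sessions = max(0, acct.active_sessions - 1)
```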
Network Access Control
The process of managing access for use of network-based services.
Policy on use of network services: An enterprise-wide applicable internet service requirements policy, aligned with the business need and based on business needs for using the Internet services, is the first step.
Segregation of networks: Based on the sensitive information handling function; say a VPN connection between a branch office and the head office. This network is to be isolated from the internet usage service available to employees.
Network connection and routing control: The traffic between networks should be restricted, based on identification of source and authentication access policies.
Enforced path: Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; say for example internet access by employees will be routed through a firewall. This also maintains hierarchical access levels for both internal and external user logging.
Clock synchronization: Clock synchronization is a useful control to ensure that event and audit logs maintained across an enterprise are in sync and can be correlated. In modern networks this function is centralized and automated.
Application Access Controls
Applications are the most common assets that access information. Hence it is necessary to control access to applications. Most modern applications provide an independent user and access privilege management mechanism, for example ERP and Core Banking applications. Ideally, database administrators and system administrators are the only roles that need to have access to the database and operating system respectively. IS auditors may have to review accesses at all layers, i.e. application, database and/or operating systems. Access to information is prevented by application-specific menu interfaces, which limit access to system functions. A user is allowed to access only those items he is authorized to access.
Database Access Controls
The DBA can build profiles with settings defined by security policies. These profiles are then assigned to roles defined to perform functions on the database like view, update, delete, commit. These roles are then assigned to users created on the database. Generally these are stored in a user table. Databases also provide storage of a password hash for each user; thus the DBA can access it but may not find out the passwords of users.
Sensitive system isolation: Based on the critical constitution of a system in an enterprise it may even be necessary to run the system in an isolated environment. Monitoring system access and use is a detective control, to check if the preventive controls discussed so far are working. If not, this control will detect and report any unauthorized activities.
Event logging: Maintain extensive logs for all types of events. It is necessary to review if logging is enabled and the logs are archived properly.
Monitor system use: Based on the risk assessment, constant monitoring of some critical systems is essential. The frequency of the review would be based on the criticality of the operation.
Operating System Access Control
Automated terminal identification: Ensures a particular session could only be initiated from a particular location or computer terminal.
Terminal log-on procedures: The log-on procedure does not provide unnecessary help or information, which could be misused by an intruder.
User identification and authentication: The users must be identified and authenticated in a fool-proof manner. Depending on risk assessment, more stringent methods like biometric authentication or cryptographic means like digital certificates should be employed.
Password management system: An operating system could enforce selection of good passwords. Internal storage of passwords should use one-way encryption algorithms.
Use of system utilities: Programs that help to manage critical functions of the operating system—for example, addition or deletion of users. Obviously, such a utility should not be accessible to a general user. Use of and access to these utilities should be strictly controlled and logged.
Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system should provide a means to alert the authorities. An example could be forcing a person to withdraw money from an ATM.
Terminal/Session time out: Log out the user if the terminal is inactive for a defined period. This will prevent misuse in the absence of the legitimate user.
Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m.—or on a Saturday or Sunday.
Identity Management and Access Controls
Identity Management, also called IDAM, is the task of controlling the User Access Provisioning Lifecycle on Information Systems. It includes the task of maintaining the identity of a user and the actions they are authorized to perform. It also includes the management of descriptive information about the user and how and by whom that information can be accessed and modified. The core objective of an IdM system in a corporate setting is: one identity per individual. And once that digital ID has been established, it has to be maintained, modified and monitored throughout what is called the "User access lifecycle." So IdM systems provide administrators with the tools and technologies to change a user's role, to track user activities and to enforce policies.
Privileged Logons
A privileged user is a user who has been allocated powers within the computer system which are significantly greater than those available to the majority of users. Such persons will include, for example, the system administrator(s) and network administrator(s) who are responsible for keeping the system available and may need powers to create new user profiles as well as add to or amend the powers and access rights of existing users. Privileged access should be assigned based upon function and job necessity and is subject to approval by the information owner.
Single Sign-On (SSO)
Single Sign-On addresses the practical challenge of logging on multiple times to access different resources. In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications. For SSO security, the passwords should not be stored or transmitted in the clear. SSO can be implemented by using scripts that replay the users' multiple logins or by using authentication servers to verify a user's identity. The most popular are LDAP (Open Source) and Active Directory (AD) (Microsoft directory service based on LDAP), where user groups and roles are defined for every user and accesses are granted based on an access control matrix. Other implementations, like Kerberos, are also available.
Access Controls in Operating Systems
This topic covers how the authorization mechanism is applied to subjects and objects. Subjects of operating systems are (active) entities that communicate with the system and use its resources. Objects, on the other hand, are entities of the operating system that are accessed (requested) by the subject. The access control mechanism should ensure that subjects gain access to objects only if they are authorized to. Depending on areas of usage, there are three types of access control used:
Mandatory access control: It is a multi-level secure access control mechanism. It defines a hierarchy of levels of security. A security policy defines rules by which the access is controlled.
Discretionary access control: In this type of access control, every object has an owner. The owner (subject) grants access to his resources (objects) for other users and/or groups. There are two ways to implement the matrix. Either the system assigns the rights to the objects or to the subjects. On the other hand, capability matrixes are used to store rights together with subjects. In the case of capability matrixes we would have to deal with biometrics, so in common operating systems access control lists are used to implement discretionary access control.
Role based access control: In some environments, it is problematical to determine who the owner of resources is. In role based systems, users get assigned roles based on their functions in that system. These systems are centrally administered; they are nondiscretionary. An example is a hospital.
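To make the three models concrete, here is an added Python example (not from the chartbook) that takes one access decision under each: a MAC check against a hierarchy of levels, a DAC object whose owner grants rights through an access control list, and an RBAC check with hospital roles. The levels, users, rights and roles are all constructed for illustration.

```python
"""Added example (not from the chartbook): one decision under each of the
three access control models. Every level, user, right and role is made up."""
from __future__ import annotations

# --- Mandatory access control: a hierarchy of levels fixed by policy ---
# Subjects hold a clearance, objects carry a classification. The policy rule
# applied here is "no read up": a subject may read an object only if its
# clearance is at least the object's classification.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_can_read(subject_clearance: str, object_label: str) -> bool:
    return LEVELS[subject_clearance] >= LEVELS[object_label]

# --- Discretionary access control: the owner grants rights via an ACL ---
# Rights are stored with the object (an access control list), the form that
# common operating systems use. Only the owner may change the list.
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl: dict[str, set[str]] = {owner: {"read", "write", "grant"}}

    def grant(self, grantor: str, user: str, right: str) -> bool:
        # Discretionary: granting is at the owner's discretion, nobody else's.
        if grantor != self.owner:
            return False
        self.acl.setdefault(user, set()).add(right)
        return True

    def allows(self, user: str, right: str) -> bool:
        return right in self.acl.get(user, set())

# --- Role based access control: rights attach to roles, roles to users ---
# Centrally administered (nondiscretionary): a user cannot hand out rights;
# an administrator changes the role table instead.
ROLE_PERMISSIONS = {
    "doctor": {"read_record", "write_record", "prescribe"},
    "nurse": {"read_record", "record_vitals"},
    "billing": {"read_invoice", "write_invoice"},
}

def rbac_allows(user_roles: dict[str, set[str]], user: str, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in user_roles.get(user, set()))

def demo() -> dict[str, bool]:
    """Run one decision under each model and return the outcomes."""
    results = {}
    results["mac_conf_reads_secret"] = mac_can_read("confidential", "secret")      # False
    results["mac_conf_reads_internal"] = mac_can_read("confidential", "internal")  # True

    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    results["dac_bob_reads"] = report.allows("bob", "read")            # True
    results["dac_bob_writes"] = report.allows("bob", "write")          # False
    results["dac_bob_grants"] = report.grant("bob", "carol", "read")   # False: not the owner

    staff = {"dr_smith": {"doctor"}, "nurse_joy": {"nurse"}, "ann": {"billing", "nurse"}}
    results["rbac_nurse_prescribes"] = rbac_allows(staff, "nurse_joy", "prescribe")  # False
    results["rbac_ann_reads_record"] = rbac_allows(staff, "ann", "read_record")      # True
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```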
Audit Trail
The primary objective of access controls is to fix the accountability of individual users for the activities performed by them. This can be done only by generating and reviewing activity logs. Logs are also called an 'audit trail'. It is a record of system activities that enables the reconstruction and examination of the sequence of events of a transaction, from its inception to output of final results. Because of their importance, audit logs should be protected at the highest level of security in the information system. The audit trail should reveal:
• Internal and external attempts to gain unauthorized access to a system
• Patterns and history of accesses
• Unauthorized privileges granted to users
• Occurrences of intrusions and their resulting consequences
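The following added Python example (not from the chartbook) reviews a constructed audit trail for three of the things listed above and in the operating system access control table: logons outside the permitted connection time (8.00 a.m. to 8.00 p.m. on weekdays), repeated failed attempts to gain access, and privileges granted by an account outside an assumed approved list. The log format and every line of the sample log are made up.

```python
"""Added example (not from the chartbook): an audit trail review against
the connection-time limit, repeated failed logons and unapproved privilege
grants. Log format, sample lines and the approved-granter list are assumed."""
from collections import Counter
from datetime import datetime

# Constructed sample audit trail: "<date> <time> <EVENT> key=value ..."
# 2024-03-08 is a Friday; 2024-03-09 is a Saturday.
SAMPLE_LOG = """\
2024-03-08 09:12:01 LOGIN_OK user=alice term=T1
2024-03-08 21:30:44 LOGIN_OK user=alice term=T1
2024-03-08 10:00:05 LOGIN_FAIL user=bob term=T7
2024-03-08 10:00:09 LOGIN_FAIL user=bob term=T7
2024-03-08 10:00:13 LOGIN_FAIL user=bob term=T7
2024-03-08 10:00:17 LOGIN_FAIL user=bob term=T7
2024-03-08 11:15:00 GRANT_PRIV by=sysadmin user=carol priv=dba
2024-03-08 11:20:00 GRANT_PRIV by=bob user=bob priv=dba
2024-03-09 10:05:00 LOGIN_OK user=dave term=T3
"""

WINDOW_START, WINDOW_END = 8, 20     # 8.00 a.m. to 8.00 p.m., weekdays only
FAIL_THRESHOLD = 3                   # failed logons per account before flagging
APPROVED_GRANTERS = {"sysadmin"}     # assumed: accounts allowed to grant privileges

def parse_line(line):
    """Split one log line into (timestamp, event, {key: value})."""
    date, time, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(f"{date} {time}"), event, fields

def within_connection_window(ts):
    # weekday(): Monday == 0 ... Sunday == 6
    return ts.weekday() < 5 and WINDOW_START <= ts.hour < WINDOW_END

def review_audit_trail(log_text, approved_granters=APPROVED_GRANTERS):
    """Return a list of (finding, user, detail) tuples for the reviewer."""
    findings = []
    failures = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, f = parse_line(line)
        if event == "LOGIN_OK" and not within_connection_window(ts):
            findings.append(("outside_window", f["user"], ts.isoformat(" ")))
        elif event == "LOGIN_FAIL":
            failures[f["user"]] += 1
        elif event == "GRANT_PRIV" and f["by"] not in approved_granters:
            findings.append(("unapproved_grant", f["user"], f"{f['priv']} by {f['by']}"))
    # Repeated failures are reported once per account, after the whole trail is read.
    for user, n in failures.items():
        if n >= FAIL_THRESHOLD:
            findings.append(("repeated_failures", user, f"{n} failed logons"))
    return findings

if __name__ == "__main__":
    for finding in review_audit_trail(SAMPLE_LOG):
        print(finding)
```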
Auditing Logical Access Controls
Following are some of the factors critical while evaluating logical access controls:
• Understanding of an organization's information security framework
• Selection and implementation of appropriate access controls
• Top management's commitment
• Management controls
• Explicit access permission to information or systems
• Periodic review / audit of access permission
Audit steps:
1. Evaluate whether logical access policies and standards exist and are effectively communicated and implemented.
2. Interview information owners, users and custodians to evaluate their knowledge and skills on implementation of logical access controls.
3. Evaluate the existence and implementation of procedures and mechanisms for logical access to ensure protection of organizational information assets.
4. Evaluate the various logical security techniques and mechanisms for their effective implementation, operation and administration.
5. Test the effectiveness and efficiency of logical access controls.
6. Test the appropriateness of the system configuration and parameter settings.
7. Evaluate and review the documentation of controls over privileged and special purpose logons.
8. Evaluate mechanisms for vulnerability analysis in access control features and software.
CHAPTER 5:
NETWORK SECURITY CONTROLS
Network related controls are important since the network is the first layer of the architecture and is generally the focus of an attacker. Therefore networks are also far more vulnerable to external and internal threats than standalone systems. Organization level general controls like physical security (cables, intruders trying to connect to the network), environmental security (ensuring segregation between electrical and data cables, protecting cables from rodents), access controls and security policies (acceptable usage of the internet) are applicable to network security. In addition one needs to look at network specific controls.
Network Threats and Vulnerabilities
Objective of Network Security Controls: There are three main objectives of network security controls.
Confidentiality: Maintaining the confidentiality and privacy of information and information assets.
Integrity: Maintaining the integrity (accuracy and completeness) of information and information assets.
Availability: Keeping the information and network resources available to the authorised stakeholders.
1. Information Gathering
A serious attacker will spend a lot of time obtaining as much information as s/he can about the target before launching an attack. The techniques to gather information about the networks are examined below:
Port scan: An easy way to gather information is to use a port scanner. For a particular IP address, it reports which ports respond to messages and which of several known vulnerabilities seem to be present.
Social engineering: Involves using social skills and personal interaction to get someone to reveal security-relevant information.
Reconnaissance: Gathering discrete bits of information from various sources and then putting them together to make a coherent picture. Ex: Dumpster Diving, which means looking through items that have been discarded in garbage bins or waste paper baskets. One might find network diagrams, printouts of security device configurations, system designs and source code, telephone and employee lists, and more. Reconnaissance may also involve eavesdropping.
Operating system and application fingerprinting: Here the attacker wants to know which commercial server application is running, what version, and what the underlying operating system and version are. While the network protocols are standard and vendor independent, each vendor has implemented the standard independently, so there may be minor variations in interpretation and behaviour.
Bulletin boards and chats: Support exchange of information among the hackers.
Documentation: Vendors themselves sometimes distribute information that is useful to an attacker.
Malware: Attackers use malware like viruses or worms to scavenge the system and receive information over the network.
2. Exploiting communication subsystem vulnerabilities
Eavesdropping and wiretapping: An attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. (The administrator might have a legitimate purpose, such as watching for inappropriate use of resources.) A more hostile term is wiretap, which means intercepting communications through some effort. Passive wiretapping is just "listening," just like eavesdropping. But active wiretapping means injecting something into the communication stream.
Microwave signal tapping: An attacker can intercept a microwave transmission by interfering with the line of sight between sender and receiver. It is also possible to pick up the signal from an antenna located close to the legitimate antenna.
Satellite signal interception: The potential for interception in satellite communication is high, but due to multiplexed communication the cost of extracting is high.
Wireless: Threats arise in the ability of intruders to intercept and spoof a connection. Wireless signals are strong up to 60 meters.
Optical fiber: It is not possible to tap an optical system without detection because optical fiber carries light energy which does not emanate a magnetic field.
Zombies and BOTnet: BOTnet is a term (robotic network) used for a virtual network of zombies. The BOTnet operator launches malware/virus on a system that, once activated, remains on the system and can be activated remotely. Zombies have been used extensively to send e-mail spam. This allows spammers to avoid detection and presumably reduces their bandwidth costs, since the owners of zombies pay for their own bandwidth.
3. Protocol Flaws
Internet protocols are publicly posted for scrutiny. Many problems with protocols have been identified by reviewers and corrected before the protocol was established as a standard. These flaws can be exploited by an attacker. For example, FTP is known to transmit the user id and password in plain text.
4. Impersonation
To impersonate another person or process. An impersonator may foil authentication by any of the following means:
Authentication foiled by guessing: Guess the identity and authentication details of the target, by using common passwords, the words in a dictionary, variations of the user name, default passwords, etc.
Authentication foiled by eavesdropping or wiretapping: Account and authentication details are passed on the network without encryption; they are exposed to anyone observing the communication.
Authentication foiled by avoidance: A flawed operating system may be such that the buffer for typed characters in a password is of fixed size, counting all characters typed, including backspaces for correction. If a user types more characters than the buffer would hold, the overflow causes the operating system to by-pass password comparison.
Non-existent authentication: Some systems have "guest" or "anonymous" accounts to allow outsiders to access things the systems want to release to the public. These accounts allow access to unauthenticated users.
Well-known authentication: One system administration account is installed, having a default password. Administrators fail to change the passwords or delete these accounts, creating a vulnerability.
Spoofing and masquerading: Both of them are impersonation.
Session hijacking: Session hijacking is intercepting and carrying on a session begun by another entity. In this case the attacker intercepts the session of one of the two entities. In an e-commerce transaction, just before a user places his order and gives his address, credit card number etc., the session could be hijacked by an attacker.
Man-in-the-middle attack: A man-in-the-middle usually participates from the start of the session, whereas session hijacking occurs after a session has been established.
5. Message Confidentiality Threats
Mis-delivery: Message mis-delivery happens mainly due to congestion at network elements which causes communication buffers to overflow and packets to be dropped. Sometimes messages are mis-delivered because of some flaw in the network hardware or software. Occasionally, however, a destination address will be modified or some router or protocol will malfunction, causing a message to be delivered to someone other than the intended recipient. All of these "random" events are quite uncommon.
Exposure: The content of a message may be exposed in temporary buffers, at switches, routers, gateways, and intermediate hosts throughout the network.
Traffic analysis (or traffic flow analysis): Sometimes not only is the message itself sensitive but the fact that a message exists is also sensitive.
6. Message Integrity Threats
• Changing some or all of the content of a message
• Replacing a message entirely, including the date, time, and sender/receiver identification
• Reusing (replaying) an old message
• Combining pieces of different messages into one false message
• Changing the apparent source of a message
• Redirecting or destroying or deleting a message
Attacks: Active wiretap; Trojan horse impersonation; Compromised host.
7. Web Site Defacement
Web sites are designed so that their code is downloaded and executed in the client (browser). This enables an attacker to obtain the full hypertext document and all programs and referenced programs embedded in the browser. Most websites have quite a few common and well known vulnerabilities that an attacker can exploit.
8. Denial of Service
Connection flooding: This is the oldest type of attack, where an attacker sends more data than what a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication will be seriously degraded.
Ping of death: Ping is an ICMP protocol which requests a destination to return a reply, intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to the ping request, all the attacker needs to do is send a flood of pings to the intended victim. It is possible to crash, reboot or otherwise kill a large number of systems by sending a ping of a certain size from a remote machine.
Traffic redirection: A router is a device that forwards traffic on its way through intermediate networks between a source host's network and a destination's. So if an attacker can corrupt the routing, traffic can disappear.
DNS attacks: By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination.
Distributed Denial of Service: In a distributed denial of service (DDoS) attack more than one machine is used by the attacker to attack the target. These multiple machines are called zombies; they act on the direction of the attacker and they don't belong to the attacker.
Threats from Cookies, Scripts and Active or Mobile Code
Cookies: Cookies are NOT executable. They are data files created by the server that can be stored on the client machine and fetched by a remote server, usually containing information about the user on the client machine. Anyone intercepting or retrieving a cookie can impersonate the cookie's legitimate owner.
Scripts: Clients can invoke services by executing scripts on servers. A malicious user can monitor the communication between a browser and a server to see how changing a web page entry affects what the browser sends and then how the server reacts. The common scripting languages for web servers, CGI (Common Gateway Interface) and Microsoft's active server pages (ASP), have vulnerabilities that can be exploited by an attacker.
Active code: Active code or mobile code is a general name for code that is downloaded from the server by the client and executed on the client machine. The popular types of active code languages are Java, JavaScript, VBScript and ActiveX controls. Such executable code is also called an applet. A hostile applet is downloadable code that can cause harm on the client's system. Because an applet is not screened for safety when it is downloaded and because it typically runs with the privileges of its invoking user, a hostile applet can cause serious damage.
Common web application vulnerabilities
Injection: Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.
Broken authentication: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens.
Cross-site scripting (XSS): The application takes untrusted data and sends it to a web browser without proper validation or escaping. XSS allows attackers to execute scripts in the victim's browser, which can hijack user sessions, deface web sites, or redirect the user to malicious sites.
Insecure deserialization: A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, or database key. Without an access control check or other protection, attackers can manipulate these references to access unauthorized data.
Security misconfiguration: Secure settings should be defined, implemented, and maintained, as defaults are often insecure. Additionally, software should be kept up to date.
Sensitive data exposure: Many web applications do not properly protect sensitive data, such as credit cards, tax IDs, and authentication credentials. Sensitive data deserves extra protection such as encryption at rest or in transit, as well as special precautions when exchanged with the browser.
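As an added illustration of the injection flaw described above (example code, not from the chartbook), the Python snippet below runs the same lookup against an in-memory SQLite table twice: once with untrusted input spliced into the query text, once with the value bound as a parameter so the interpreter only ever sees it as data. The table, its rows and the hostile input are constructed.

```python
"""Added example (not from the chartbook): a SQL injection flaw beside its
parameterized fix, run against a constructed in-memory SQLite table."""
import sqlite3

def make_db():
    # Constructed sample data; the .invalid domain is reserved for examples.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.invalid", "admin"),
        ("bob", "bob@example.invalid", "user"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    # Untrusted input is spliced into the command text, so the interpreter
    # cannot tell data from SQL: hostile data changes the query's meaning.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The statement is fixed; the value is bound separately and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def demo():
    """Return the three lookups so a caller can compare their results."""
    conn = make_db()
    hostile = "x' OR '1'='1"   # the textbook tautology: makes the WHERE always true
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),        # one row
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),       # every row leaks
        "parameterized_hostile": lookup_parameterized(conn, hostile), # no such user
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```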
Network Security Control Mechanism - Network Architecture
Cryptography:
A method of protecting information and communications through the use of codes so that only those for whom the information is intended can read and process it. The two essential elements of cryptography are the algorithm and the key.
Malicious Code
Malicious code is the name used for any program that adds to, deletes or modifies legitimate software for the purpose of intentionally causing disruption. Examples of malicious code include viruses, worms, Trojan Horses, and logic bombs. Newer malicious code is based on mobile ActiveX and Java applets.
Viruses
A computer virus is a type of malware (program) that attaches itself to a file and gets transmitted. When executed, it damages the infected system and also replicates by inserting copies of itself. Viruses often perform some type of harmful activity on infected hosts, such as stealing hard disk space or CPU time, accessing private information, corrupting data, displaying political or humorous messages on the user's screen, spamming their contacts, or logging their keystrokes. Motives for creating viruses can include seeking profit, desire to send a political message, or personal amusement.
Master boot record (MBR) viruses: Affect the boot sector of a storage device and further infect when the storage is accessed.
Stealth viruses: Hide themselves by tampering with the operating system to fool antivirus software.
Polymorphic viruses: Can modify themselves and change their identity into two billion different identities, thus able to hide themselves from antivirus software.
Macro viruses: The most prevalent computer viruses; they can easily infect many types of applications, such as Microsoft Excel and Word.
Logic bomb/Time bomb: Logic bombs are malicious code added to an existing application to be executed at a later date. These can be intentional or unintentional.
Worms
Worms are stand-alone viruses, that is, they are transmitted independently and execute themselves.
Trojan Horse
Malicious code hidden under a legitimate program, such as a game or simple utility. Trojans are primarily used by attackers to infect the system and then get control remotely to make that system work for them.
Malware Protection Mechanisms
Antivirus
Most antivirus software utilizes a method known as signature detection to identify potential virus infections on a system. Essentially, they maintain an extremely large database that contains the known characteristics (signatures) of all viruses. Antivirus tools have three types of controls:
1. Active monitor: Monitors traffic and activity to check for viruses.
2. Repair or quarantine: Removes the virus from the file/mail or quarantines it and reports.
3. Scheduled scan: Users are prompted to scan the storage to detect viruses already present that were not detected by active monitors.
Incident handling
Incident Handling is an action plan for dealing with virus attacks, intrusions, cyber-theft, denial of service, fire, floods, and other security-related events. It is comprised of a six step process: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. In case of virus incidents it is most essential to find out the root cause to ensure that the incident does not recur.
Training and awareness programs:
This covers: Enforcing policy on use of removable devices, Handling of mail attachments, Accessing the Internet, Ensuring antivirus is updated.
Firewalls
Intranet
An intranet is a network that employs the same types of services, applications, and protocols present in an Internet implementation, without involving external connectivity. For example, an enterprise network employing the TCP/IP protocol suite, along with HTTP for information. The resultant protected network may be referred to as the personnel intranet. Intranets are typically implemented behind firewall environments.
Extranets
An extranet is usually a business-to-business intranet; that is, two intranets are joined via the Internet. They exist outside a firewall environment. Extranets employ TCP/IP protocols, along with the same standard applications and services. Within an extranet, options are available to enforce varying degrees of authentication, logging, and encryption.
Securing a Firewall
Firewall platforms should be implemented on systems containing operating system builds that have been stripped down and hardened for security applications. Firewalls should never be placed on systems built with all possible installation options.
• Any unused networking protocols should be removed from the firewall operating system build.
• Any unused network services or applications should be removed or disabled.
• Any unused user or system accounts should be removed or disabled.
• Applying all relevant operating system patches is also critical.
• Unused physical network interfaces should be disabled or removed.
Intrusion Detection Systems
Perimeter controls, firewalls, and authentication and access controls block certain actions; some users are admitted to use a computing system. Most of these controls are preventive. Many studies, however, have shown that most computer security incidents are caused by insiders. Intrusion detection systems complement these preventive controls as the next line of defence. An intrusion detection system (IDS) is a device, usually another separate computer, which monitors activity to identify malicious or suspicious events. An IDS is a sensor that raises an alarm if specific things occur. The alarm can range from writing an entry in an audit log upwards. The functions performed by an IDS are:
• Monitoring users and system activity
• Auditing system configuration for vulnerabilities and mis-configurations
• Managing audit trails
Many intrusion detection systems are also capable of interacting with firewalls. For example, if an intrusion detection system detects a denial of service attack in progress, it can instruct certain firewalls to automatically block the source of the attack. The two general types of intrusion detection systems are signature based and heuristic. Signature-based intrusion detection systems perform simple pattern-matching and report situations that match a pattern corresponding to a known attack type. Heuristic intrusion detection systems, also known as anomaly based, build a model of acceptable behaviour and flag exceptions to that model; for the future, the administrator can mark a flagged behaviour as acceptable. Intrusion detection devices can be network based or host based. A network-based IDS is a stand-alone device attached to the network to monitor traffic throughout that network; a host-based IDS runs on a single workstation, client or host, to protect that one host.
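The added Python example below (not from the chartbook) shows both IDS types described above over one constructed request stream: a signature-based detector that pattern-matches known attack strings, and a heuristic detector that learns a per-source baseline from a normal window, flags sources that exceed it, and lets the administrator mark a flagged source as acceptable; respond() stands in for telling the firewall what to block. Signatures, thresholds, addresses and events are all made up.

```python
"""Added example (not from the chartbook): signature-based and heuristic
(anomaly-based) detection over constructed events. Nothing is really blocked;
respond() only returns the list an IDS would hand to a firewall."""
from collections import Counter
import re

# Constructed signatures for known attack patterns in request paths.
SIGNATURES = {
    "path_traversal": re.compile(r"\.\./"),
    "sql_tautology": re.compile(r"'\s*or\s*'1'\s*=\s*'1", re.IGNORECASE),
}

# Constructed events: (source address, request path).
NORMAL_WINDOW = ([("10.0.0.5", "/a")] * 3 + [("10.0.0.6", "/b")] * 2
                 + [("10.0.0.8", "/c")] * 4)           # used to learn the baseline
EVENTS = [
    ("10.0.0.5", "/index.html"), ("10.0.0.5", "/about.html"),
    ("10.0.0.9", "/download?file=../../config"),
    ("10.0.0.7", "/login?user=x' OR '1'='1"),
] + [("10.0.0.23", f"/item/{i}") for i in range(40)]   # 40 hits from one source

def signature_detect(events):
    """Signature IDS: return (source, signature name, path) for each match."""
    hits = []
    for src, path in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((src, name, path))
    return hits

class AnomalyDetector:
    """Heuristic IDS: flags sources whose request count exceeds baseline * factor.
    The baseline is the median per-source count seen in a normal window."""
    def __init__(self, factor=5):
        self.factor = factor
        self.baseline = None
        self.acceptable = set()   # sources the administrator has marked acceptable

    def learn(self, events):
        counts = sorted(Counter(src for src, _ in events).values())
        self.baseline = counts[len(counts) // 2]   # median is robust to one outlier
        return self.baseline

    def detect(self, events):
        counts = Counter(src for src, _ in events)
        return sorted(src for src, n in counts.items()
                      if n > self.baseline * self.factor and src not in self.acceptable)

    def mark_acceptable(self, src):
        # "for the future, the administrator can mark a flagged behaviour as acceptable"
        self.acceptable.add(src)

def respond(alerts):
    """Stand-in for instructing the firewall: returns the sources to block."""
    return sorted({src for src, *_ in alerts})

if __name__ == "__main__":
    hits = signature_detect(EVENTS)
    det = AnomalyDetector()
    det.learn(NORMAL_WINDOW)
    print("signature hits:", hits)
    print("anomalies:", det.detect(EVENTS))
    print("block list:", respond(hits))
```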
Wireless Security Threats and Risk Mitigation
Wireless networking presents many advantages: network configuration and reconfiguration is easier, faster, and less expensive. However, wireless technology also creates new threats and alters the existing information security risk profile. For example, because communication takes place "through the air" using radio frequencies, the risk of interception is greater than with wired networks. If the message is not encrypted, or encrypted with a weak algorithm, the attacker can intercept and read it. Wireless networks have numerous vulnerabilities such as:
Ad-hoc networks: Ad-hoc networks are defined as peer-to-peer networks between wireless computers that do not have an access point in between them.
Non-traditional networks: Non-traditional networks such as personal network Bluetooth devices are not safe from cracking and should be regarded as a security risk. Even barcode readers, handheld PDAs, and wireless printers and copiers should be secured.
MAC spoofing: The MAC address is hard-coded on a network interface card (NIC) and cannot be changed. However, there are tools which can make an operating system believe that the NIC has a MAC address different from its real MAC address.
Man-in-the-middle attacks: The attacker secretly intercepts the electronic messages going between the sender and the receiver and then captures, inserts and modifies messages during message transmission.
Accidental association: When a user turns on a computer and it latches on to a wireless access point from a neighbouring organisation's overlapping network, the user may not even know that this has occurred. However, it is a security breach in that proprietary organisation information is exposed and now there could exist a link from one organisation to the other.
Denial of service: It is an attempt to make a machine not available to its intended user. Wireless networks provide numerous opportunities to increase productivity and manage costs.
Risk mitigation:
Encryption: The best method for protecting the confidentiality of information transmitted over wireless networks is to encrypt all wireless traffic.
Signal-hiding techniques: The easiest options include turning off the service set identifier (SSID) broadcasting by wireless access points and reducing signal strength to the lowest level that still provides requisite coverage. More effective, but also more costly, methods for reducing or hiding signals include using directional antennas to constrain signal emanations within desired areas of coverage or using signal emanation-shielding techniques, also referred to as TEMPEST, to block emanation of wireless signals.
Anti-virus and anti-spyware software: Computers on a wireless network need the same protections as any computer connected to the Internet. Install anti-virus and anti-spyware software, and keep them up-to-date. If your firewall was shipped in the "off" mode, turn it on.
Default passwords: Wireless routers generally come with a standard default password that allows you to set up and operate the router. These default passwords are also available on the web. Default passwords should be changed immediately after installation.
MAC address: Wireless routers usually have a mechanism to allow only devices with particular MAC addresses access to the network.
Endpoint Security
A methodology for protecting the corporate network when accessed via remote devices such as laptops or other wireless and mobile devices. Usually, endpoint security is a security system that consists of security software located on a centrally managed and accessible server or gateway within the network, in addition to client software being installed on each of the endpoints (or devices). While endpoint security software differs by vendor, you can expect most software offerings to provide antivirus, antispyware, a personal firewall and also a host intrusion prevention system.
Voice-over IP Security Controls
Voice-over IP: A methodology for delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. Other terms commonly associated with VoIP are IP telephony, Internet telephony, voice over broadband (VoBB) and broadband telephony. The term Internet telephony specifically refers to the provisioning of communications services (voice, fax, SMS, voice-messaging) over the public Internet, rather than via the public switched telephone network (PSTN). The digital information is packetized and transmission occurs as Internet Protocol (IP)
VoIP Security: Following are the VoIP security controls:
Encryption: A means of preserving the confidentiality of transmitted signals.
Physical security: Even if encryption is used, physical access to VoIP servers and gateways
Vulnerability Assessment and Penetration Testing
Used by organizations to evaluate the effectiveness of their information security implementation. As its name implies, penetration testing is a series of activities undertaken to identify and exploit security vulnerabilities. A penetration test is performed by a team of experts. This team simulates an attack using tools and techniques similar to those used by hackers.
Penetration Testing Scope
The scope of a penetration test is to determine whether an organization's security vulnerabilities can be exploited and its systems compromised. Penetration testing can have a number of secondary objectives, including testing the security incident identification and response capability of the organization.
Penetration Testing Strategies
External testing: Refers to attacks on the organization's network perimeter using procedures performed from outside the organization's systems as they are visible to a hacker. This can be a Blind test, where the testing expert has been provided with limited information.
Internal testing: Internal testing is performed from within the organization's technology environment.
Targeted testing: Often referred to as the "lights-turned-on" approach, involves both the organization's IT team and the
Types of Penetration Testing
Application security testing: Many organizations offer access to core business functionality through web-based applications. This type of access introduces new security vulnerabilities. The objective of application security testing is to evaluate the controls over the application and its process flow. Areas of evaluation may include the application's usage of encryption to protect the confidentiality and integrity of information, how users are authenticated, integrity of the Internet user's session with the host application, and use of cookies.
Denial of service (DoS) testing: The goal of DoS testing is to evaluate the system's susceptibility to attacks that will render it inoperable so that it will "deny service," that is, drop or deny legitimate access attempts.
War dialing: Systematically calling a range of telephone numbers in an attempt to identify modems, remote access devices and maintenance connections of computers. Once a modem or other access device has been identified, analysis and exploitation techniques are performed to assess whether this connection can be used to penetrate the organization's information systems network.
[Figure: war dialing. Hacker dials telephone numbers to identify modems, remote access devices and maintenance connections of computers in the organisation network, then applies analysis and exploitation techniques to penetrate.]
Wireless network penetration testing: Sometimes referred to as "war-driving," hackers have become proficient in identifying wireless networks simply by "driving"
Risks Associated with Penetration Testing
• The penetration test team may fail to identify significant vulnerabilities.
• Misunderstandings and mis-communications may inadvertently trigger events or responses that may not have been anticipated or planned for.
• When external experts perform penetration testing, it is necessary to enforce a non-disclosure agreement.
penetration testing team being aware of the testing or walking around office buildings with their wireless network equipment. e goal of wireless network testing is to identify
activities. Test is focused more on the technical setting. security gaps or aws in the design, implementation or operation of the organization’s wireless network.
A targeted test typically takes less time and effort to Social engineering:
complete than blind testing, but may not provide as •Oen used in conjunction with blind and double blind testing, this refers to techniques using social interaction
complete a picture security vulnerabilities and response •Posing
Posing as a representative of the IT department’s help desk
capabilities of the organization. •Posing
Posing as an employee and gaining physical access to restricted areas.
•Intercepting mail, courier packages.
Monitoring Controls
Most controls implemented on a network generate a large number of logs of activity, as defined by their rule sets. Various tools available in the market help organizations collect these logs, correlate them against defined use cases and generate alerts for the events that matter. These tools are known as Security Information and Event Management (SIEM) tools. Organizations use these tools and establish a security operations center (SOC) to monitor the logs, analyse alerts and record the incidents and events to be responded to. Broad objectives of a SOC are:
• Detect attacks and malware
• Enhance incident response capability
• Detect advanced persistent threats
• Meet compliance requirements

Auditing Network Security Controls
• Locating logical access paths by reviewing network diagrams
• Recognizing logical access threats, risks and exposures
• Evaluating logical network security policies and practices
• Evaluating network event logging and monitoring
• Evaluating the effectiveness of logical access security with respect to network security components such as:
  • Firewalls and filtering routers: architecture, configuration settings as per the firewall security policy, port services, anti-virus configuration, reporting and management controls
  • Intrusion detection systems: architecture, configuration, interface with other security applications, reporting and management controls
  • Virtual private networks: architecture, devices, protocol, encryption process, integration with firewall security, change management
  • Security protocols: selection of appropriate protocol, seamless security integration of protocols between devices running different protocols
  • Encryption: selection of appropriate encryption methods for the various application processes
  • Middleware controls: identification, authentication and authorization, management of components, and middleware change management
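The SIEM paragraph above describes the mechanism in the abstract: collect logs, correlate them against a use case, raise an alert. The following is an added example (it is not code from the chart-book or from any SIEM product) of one such use case written out in Python: a burst of failed logins from one source inside a short window, followed by a successful login from the same source. The log lines, their format, the threshold of five failures and the two-minute window are all assumptions made for the example.

```python
"""Minimal SIEM-style correlation over constructed log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Assumed format:
# "<ISO timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOGS = """\
2024-03-01T10:00:01 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:03 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:04 srv1 sshd: Failed password for root from 203.0.113.5
2024-03-01T10:00:06 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:07 srv1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T10:00:09 srv1 sshd: Accepted password for admin from 203.0.113.5
2024-03-01T10:05:00 srv1 sshd: Failed password for bob from 198.51.100.7
2024-03-01T10:30:00 srv1 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(text):
    """Turn raw lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events, threshold=5, window=timedelta(minutes=2)):
    """Use case: at least `threshold` failures from one source inside `window`,
    then a success from the same source. Returns one alert per match."""
    failures = defaultdict(list)  # ip -> timestamps of recent failed logins
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip, ts = ev["ip"], ev["ts"]
        # drop failures that have aged out of the sliding window
        failures[ip] = [t for t in failures[ip] if ts - t <= window]
        if ev["result"] == "Failed":
            failures[ip].append(ts)
        elif len(failures[ip]) >= threshold:
            alerts.append({
                "ip": ip, "user": ev["user"], "failures": len(failures[ip]),
                "success_at": ts.isoformat(), "severity": "high",
            })
            failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(SAMPLE_LOGS)):
        print(alert)
```

Run as-is it raises exactly one alert, for 203.0.113.5 (five failures, then success as admin); the single failure from 198.51.100.7 is 25 minutes before its success and so falls outside the window. A real SIEM rule adds the same two ingredients shown here, a parser for the log source and a stateful window, and then sends the alert to the SOC queue.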
CHAPTER 1:
ARTIFICIAL INTELLIGENCE
Artificial Intelligence
Simulates human capabilities, based on a predetermined set of rules.
Machine Learning
Use of computing resources that have the ability to learn, acquire and apply knowledge and skills. Systems that can modify their behaviour on the basis of experience are also known as cognitive systems.
[Figure: Traditional programming vs. Artificial Intelligence. Traditional: Data and Rules go into the computer program, which produces Output. Artificial Intelligence: Data and Output go into the computer program, which produces Rules.]

A Neural Network: Machine learning made up of interconnected units that process information by responding to inputs, relaying information between each unit.
Deep learning: Uses huge neural networks with many layers of processing units, taking advantage of advances in computing power and improved training techniques to learn complex patterns in large amounts of data.
Cognitive computing: The ultimate goal is for a machine to simulate human processes through the ability to interpret images and speech, and then speak coherently in response.
Computer vision: Relies on pattern recognition and deep learning. When machines can process, analyze and understand images, they can capture images or videos in real time and interpret their surroundings.
Natural language processing (NLP): Ability of computers to analyze, understand and generate human language, including speech. It allows humans to communicate with computers.

Types of AI
[Figure: map of AI fields. Machine Learning (Deep Learning, Predictive Analytics); Natural Language Processing (Translation, Classification & Clustering, Information Extraction, Speech: Speech to Text and Text to Speech); Expert Systems; Planning, Scheduling & Optimization; Robotics; Vision (Image Recognition, Machine Vision).]

Why AI is important?
• AI automates repetitive learning
• Adds intelligence to existing products
• Analyzes more and deeper data using neural networks
• Achieves incredible accuracy through deep neural networks
• Gets the most out of data: when algorithms are self-learning, the data itself can become intellectual property
Problem Types & Analytic Techniques used in AI
Classification
  Description: Categorize new inputs as belonging to one of a set of categories.
  Example: Identifying whether an image contains a specific type of object (dog or cat?).
  Technique: Convolutional Neural Network, Logistic Regression
Continuous Estimation
  Description: Estimate the next numeric value in a sequence; prediction, particularly when applied to time series data.
  Example: Forecasting the sales for a product, based on a set of input data such as previous sales figures, consumer sentiment, and weather.
  Technique: Feed-forward Neural Networks, Linear Regression
Clustering
  Description: Individual data instances have a set of common or similar characteristics.
  Example: Creating a set of consumer segments based on data about individual consumers, including demographics, preferences, and buyer behavior.
  Technique: K-means, Affinity propagation
Anomaly Detection
  Description: Determine whether specific inputs are out of the ordinary.
  Example: Fraud detection, money laundering.
  Technique: Support Vector Machines, K-Nearest Neighbors, Neural Networks
Recommendations
  Description: Systems that provide recommendations, based on a set of training data.
  Example: Suggest the product to buy for a customer, based on the buying patterns of similar individuals and the observed behavior of the specific person (e.g. Netflix, Amazon).
  Technique: Collaborative filtering
Advantages of AI Disadvantages of AI
Examples in Finance
Pattern Recognition in Banking (e.g. a customer's salary account in a bank)
• Multiple credits in the account other than the salary credit
• Sizeable increase in the cash to non-cash transaction ratio (large cash deposits and cash withdrawals)
• Many transactions with a few related accounts
• Burst in deposits: number of transactions
• Burst in deposits: amount
• Burst in withdrawals: number of transactions
• Burst in withdrawals: amount
• Unusual applications for demand drafts against cash
• Transactions that are too high or low in value in relation to the customer's profile
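The indicators above are stated as rules of thumb. The following added example (not from the chart-book, and not any bank's actual model) turns most of them into code: it builds a baseline profile for a salary account from three months of history, then flags the month under review where a feature exceeds the baseline by more than k standard deviations, or where an absolute indicator (non-salary credits, concentration on a few counterparties) fires. The transactions, the counterparty names, the k = 3 band and the 30% concentration threshold are all constructed assumptions.

```python
"""Rule-based pattern recognition over a salary account (added example, constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history, not real data: (type, channel, counterparty, amount)
# type is "credit" or "debit"; channel is "cash" or "noncash".
HISTORY = {
    "2024-01": [("credit", "noncash", "EMPLOYER", 50000), ("debit", "cash", "ATM", 5000),
                ("debit", "noncash", "GROCER", 3000), ("debit", "noncash", "RENT", 15000)],
    "2024-02": [("credit", "noncash", "EMPLOYER", 50000), ("debit", "cash", "ATM", 6000),
                ("debit", "noncash", "GROCER", 2500), ("debit", "noncash", "RENT", 15000)],
    "2024-03": [("credit", "noncash", "EMPLOYER", 50000), ("debit", "cash", "ATM", 4000),
                ("debit", "noncash", "GROCER", 3200), ("debit", "noncash", "RENT", 15000)],
}
# Month under review: several non-salary credits, large cash movements and
# repeated dealings with a small set of related accounts (all constructed).
REVIEW = ("2024-04", [
    ("credit", "noncash", "EMPLOYER", 50000),
    ("credit", "cash", "UNKNOWN", 200000), ("credit", "noncash", "ACME-1", 90000),
    ("credit", "noncash", "ACME-2", 90000), ("credit", "noncash", "ACME-1", 85000),
    ("debit", "cash", "ATM", 120000), ("debit", "cash", "ATM", 110000),
    ("debit", "noncash", "ACME-2", 95000), ("debit", "noncash", "ACME-1", 95000),
    ("debit", "noncash", "RENT", 15000),
])

SALARY_SOURCE = "EMPLOYER"  # assumed identifier of the salary credit


def features(txns):
    """Summarise one month: counts and amounts per direction, cash ratio, counterparty spread."""
    f = defaultdict(float)
    parties = defaultdict(int)
    for kind, channel, party, amount in txns:
        f[f"{kind}_count"] += 1
        f[f"{kind}_amount"] += amount
        f[f"{channel}_amount"] += amount
        parties[party] += 1
        if kind == "credit" and party != SALARY_SOURCE:
            f["nonsalary_credits"] += 1
    f["cash_ratio"] = f["cash_amount"] / max(f["noncash_amount"], 1)
    f["max_party_share"] = max(parties.values()) / len(txns)
    return f


def detect(history, review, k=3.0):
    """Flag review-month features above baseline mean + k * stdev, plus two absolute
    indicators: any non-salary credit, and concentration on one counterparty."""
    base = [features(t) for t in history.values()]
    month, txns = review
    cur = features(txns)
    flags = []
    for key in ("credit_count", "credit_amount", "debit_count", "debit_amount", "cash_ratio"):
        vals = [b[key] for b in base]
        mu, sd = mean(vals), pstdev(vals)
        limit = mu + k * max(sd, 0.1 * mu)  # floor so a flat baseline still has a band
        if cur[key] > limit:
            flags.append((key, round(cur[key], 2), round(limit, 2)))
    if cur["nonsalary_credits"] > 0:
        flags.append(("nonsalary_credits", cur["nonsalary_credits"], 0))
    if cur["max_party_share"] >= 0.3 and len(txns) >= 5:
        flags.append(("related_account_concentration", round(cur["max_party_share"], 2), 0.3))
    return month, flags


if __name__ == "__main__":
    month, flags = detect(HISTORY, REVIEW)
    print(month)
    for name, value, limit in flags:
        print(f"  {name}: {value} (limit {limit})")
```

On the constructed data every one of the seven rules fires for April, while re-running March's own transactions as the review month produces no flags, which is the sanity check a practitioner should always run on a baseline model before trusting its alerts. The band floor (10% of the mean) matters: with an identical salary credit each month the standard deviation is zero, and without the floor any change at all would be an "anomaly".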
Use Cases
AI in finance: AI is disrupting the financial industry through personal finance apps like Mint and TurboTax, which collect personal data and provide financial advice. IBM Watson is being used for home buying, and software now handles a significant portion of trading on Wall Street.
JPMorgan Chase: A Contract Intelligence (COiN) platform utilizing Natural Language Processing has been launched. The platform processes legal documents and extracts essential data from them. By using machine learning, the platform could review 12,000 commercial credit agreements in just a few hours instead of the typical 360,000 man-hours required for manual review.
Wells Fargo: Uses an AI-driven chatbot through the Facebook Messenger platform to communicate with users and provide assistance with passwords and accounts.
Plantation: Recently AI was used for accurate drone-based planting at mass scale using seedpods, at a much lower cost, for the purpose of re-greening the planet.
Impact on Audit
• For all organizations, audit should include AI in its risk assessment and also consider using AI in its risk-based audit plan.
• To avoid impairment of both independence and objectivity, the auditor should not be responsible for implementation of AI policies and procedures.
• The auditor should provide assurance on the management of risks related to the reliability of the underlying algorithms and the data on which the algorithms are based.
• AI must be dealt with using disciplined methods to evaluate and improve the effectiveness of risk management, control and governance processes.
• A fraud investigator can use artificial intelligence in detecting fraud. While statistical and data analysis is used to detect fraud passively, artificial intelligence detects fraud actively and directly, besides improving speed of processing.
Scenarios wherein artificial intelligence techniques can be used for fraud management:
Data mining: To classify, cluster and segment the data and also automatically find associations and rules in the data, which may point towards interesting patterns of fraud.
Expert system: Store all the human expertise and then use the stored human intelligence to detect fraud.
Machine learning and pattern recognition: Machine learning can also be unsupervised and be used to learn and establish baseline behavioural profiles for various entities, and further used to find meaningful anomalies related to fraud or any other transactions.
Neural network: A fraud detection system modelled on the working of the human brain; the inherent nature of neural networks includes the ability to learn and the ability to capture and represent complex input/output relationships.
Risks and Challenges
Risks of AI
AI is Unsustainable: Computer chips use scarce materials such as selenium and rare earth elements; increased mining of these materials is irreversibly damaging our environment.
Lesser Jobs: Businesses prefer machines instead of humans to increase their profitability, thus reducing the jobs that are available for the human workforce.
A threat to Humanity: The biggest risk associated with AI is that machines would gain sentience and turn against humans in case they go rogue.
Challenges for AI
Computing is not that Advanced: Machine learning and deep learning techniques require a long series of calculations to be made very quickly.
Fewer people support: AI does not have enough use cases; few organizations are interested in putting money into the development of AI-based products.
Creating Trust: People don't feel comfortable when they don't understand how a decision was made. AI has not been able to create trust among people.
One Track Minds: AI implementations are highly specialized. Each is built just to perform a single task, and AIs need to keep being trained just to make sure that their solutions do not cause other issues.
Probability: Probability, that is the mathematical uncertainty behind AI predictions, still remains an unclear region for organizations.
Data Privacy and security: Machine learning systems depend on data, which is often sensitive and personal in nature. Due to this systematic learning, ML systems can become prone to data breach and identity theft.
Algorithm bias: Bad data is often associated with ethnic, communal, gender or racial biases. If the bias hidden in the algorithms which take crucial decisions goes unrecognized, it could lead to unethical and unfair results.
Data Scarcity: Datasets that are suitable for AI applications to learn from are really rare.
Governance and Controls
AI governance establishes accountability and oversight, helps to ensure that those responsible have the necessary skills and expertise to effectively monitor, and helps to ensure the organization's values are reflected in its AI activities.
Professional Opportunities
• Provides CAs with the opportunity to automate and de-skill time-consuming and repetitive work and focus on higher value work, so that they can consolidate their role as advisers on finance and business.
• CAs possess the domain knowledge and experience to create the relevant learning algorithms for identifying patterns in finance and audit.
• CAs should work closely with AI programmers to convert their functional ideas into reality.
• The profession can exploit technology and potentially change the scope of what it means to be a CA. The CFO of the future will need to know as much about technology as they do about financial management.
CHAPTER 2:
BLOCKCHAIN
Block chain refers to the transparent, trustless, and publicly accessible ledger that allows us to securely transfer the ownership of units of value using public key cryptography and proof of work methods.
The technology uses decentralized consensus to maintain the network, which means it is not centrally controlled by a bank, corporation, or government. In fact, the larger the network grows and the more decentralized it becomes, the more secure it becomes.
At its most basic level, blockchain is literally just a chain of blocks, but not in the traditional sense of those words. When we say the words "block" and "chain" in this context, we are actually talking about digital information (the "block") stored in a public database (the "chain").
[Figure: three linked blocks. Block 1: Hash 1Z8F, Previous Hash 0000. Block 2: Hash 6BQ1, Previous Hash 1Z8F. Block 3: Hash 3H4Q, Previous Hash 6BQ1. Each block's hash is computed over its data together with the hash of the previous block (Data -> Hash -> Hash of the previous block).]

Evolution of Blockchain
In 2008, Satoshi Nakamoto published a paper describing a peer-to-peer electronic cash system, which became the basis for Bitcoin. Cryptocurrencies use cryptography to secure transactions and eliminate the need for a centralized entity. An open-source program implementing the Bitcoin protocol was released shortly after, and anyone can join the network by installing it. The cryptocurrency has since gained popularity.

Technologies That Make Blockchain Possible
Peer-to-peer network (distributed ledger): Each node is connected to all other nodes and is not reliant on any central authority. The ledger is "synced" to all nodes and becomes public. Nodes trust adjacent nodes, but verify transactions before recording them (trust, but verify). P2P networks are easy to manage, but slow and susceptible to attack (such as a denial-of-service [DoS] attack).
Public key infrastructure (blockchain addresses): The technology uses both asymmetric and symmetric encryption to ensure secure transactions. Public key infrastructure (PKI) generates a pair of keys (public and private) for identifying parties and maintaining the integrity of transactions. The public key is distributed freely, while the private key is kept by the key owner and used to decrypt messages and sign them. Parties create private keys to secure their wallet and public keys to submit transaction requests. Wallets can be online, software-based, in a secured drive, or paper-based.
Hash function (miner): Used to guarantee records are not changed, ensuring the integrity of the entire system. Takes an input of variable length and creates a fixed-length output known as a message digest. This is a one-way process, meaning that the original input cannot be recreated from the message digest.
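The figure (each block's hash covers its data and the previous block's hash) and the hash-function paragraph above describe the integrity mechanism in words. The following added example (not code from the chart-book, Bitcoin or any blockchain project) builds the same three-block chain in Python with SHA-256, mines each block against a toy proof-of-work target, and then shows what a read-only node's verification catches when one block is edited after the fact. The block layout, the JSON encoding, the 12-bit difficulty and the ledger entries are assumptions made for this example.

```python
"""Hash-chained blocks with a toy proof of work (added example, constructed data)."""
import hashlib
import json

DIFFICULTY_BITS = 12  # assumption: a valid hash must start with 12 zero bits (3 hex zeros)


def block_hash(index, prev_hash, data, nonce):
    """Fixed-length, one-way digest over everything the block commits to."""
    payload = json.dumps({"i": index, "p": prev_hash, "d": data, "n": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(hex_digest):
    """True when the top DIFFICULTY_BITS of the 256-bit digest are zero."""
    return int(hex_digest, 16) >> (256 - DIFFICULTY_BITS) == 0


def mine(index, prev_hash, data):
    """Proof of work: try nonces until the digest meets the difficulty target."""
    nonce = 0
    while True:
        h = block_hash(index, prev_hash, data, nonce)
        if meets_target(h):
            return {"index": index, "prev_hash": prev_hash, "data": data,
                    "nonce": nonce, "hash": h}
        nonce += 1


def build_chain(records):
    """The genesis block points at an all-zero previous hash, like the figure's 0000."""
    chain, prev = [], "0" * 64
    for i, rec in enumerate(records):
        blk = mine(i, prev, rec)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def verify(chain):
    """What a read-only node checks: each stored hash recomputes from the block's
    contents, meets the target, and links to the previous block.
    Returns the index of the first bad block, or None if the chain is intact."""
    prev = "0" * 64
    for i, blk in enumerate(chain):
        h = block_hash(blk["index"], blk["prev_hash"], blk["data"], blk["nonce"])
        if (blk["index"] != i or blk["prev_hash"] != prev
                or h != blk["hash"] or not meets_target(h)):
            return i
        prev = h
    return None


def tamper(chain, index, new_data):
    """Edit one block's data in a copy without re-mining it or any later block."""
    altered = [dict(b) for b in chain]
    altered[index]["data"] = new_data
    return altered


if __name__ == "__main__":
    # constructed ledger entries, not real transactions
    chain = build_chain(["alice->bob 10", "bob->carol 4", "carol->dave 1"])
    for b in chain:
        print(b["index"], b["hash"][:8], "prev", b["prev_hash"][:8], "nonce", b["nonce"])
    print("intact:", verify(chain))                                   # None
    print("after edit:", verify(tamper(chain, 1, "bob->carol 400")))  # 1
```

Editing block 1 breaks its own hash, and even if an attacker re-mined block 1 the stored prev_hash in block 2 would no longer match, so every later block would have to be re-mined too; that chain of dependent work is what "irreversibility of records" rests on, and the difficulty target is what makes redoing it expensive. Note that nothing here authenticates who wrote a block: that is the job of the private-key signature described under Public key infrastructure, which this example does not implement.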
Principles of Block Chain
Distributed Database: Each party on a block chain has access to the entire database and its complete history.
Peer-to-Peer Transmission: Communication occurs directly between peers instead of through a central node. Each node stores and forwards information to other nodes.
Transparency: Every transaction and its associated value are visible to anyone with access to the system.
Irreversibility of Records: Records cannot be altered, because they are linked to every transaction record that came before them.
Computational Logic: Block chain transactions can be tied to computational logic and in essence programmed. So, users can set up algorithms and rules that automatically trigger transactions between nodes.

Advantages and Disadvantages of Block Chain
Pros
• Cost reductions by eliminating third-party verification
• Decentralization makes it harder to tamper with
• Transactions are secure and efficient
• Transparent technology
Cons
• Significant technology cost associated with mining bitcoin
• Low transactions per second
• History of use in illicit activities
• Susceptibility to being hacked

Examples in Finance
Payments and reconciliations: Transactions can occur directly between two parties on a frictionless P2P basis. The application of blockchain technology has the potential to reduce risk and transaction costs and to improve speed, efficiency and transparency.
Issuance, ownership and transfer of financial information: A blockchain-based securities market allows traders to buy or sell stocks directly on exchanges or directly to other market participants in a P2P manner, without the intermediary services provided by a broker or clearing house.
Clearing and settlement latency: On the blockchain, the entire lifecycle of a trade, including its execution, clearing and settlement, can occur at the trade level, lowering post-trade latency and reducing counterparty risk.

Use Cases
Barclays adopted blockchain technology for enhanced security and transparency in their transaction processes. They encrypted and managed the first trade documentation on a blockchain network, saving significant time and money.
Blockchain technology helps manufacturers track goods, deliveries, and production activities in supply chain management, providing transparency to consumers. Projects like Ambrosus and Vechain focus on food safety and product authenticity, allowing consumers to confirm the source and quality of the goods they purchase.
DHL, a global logistics leader, is working with Accenture to integrate blockchain technology with the pharmaceutical industry. Transparency, accurate data, security and trust are absolute musts for the pharmaceutical sector.
Impact on Audit
Blockchain technology could be used to streamline financial reporting and audit processes. Each audit begins with different information and schedules that require an auditor to invest significant time when planning an audit. In a blockchain, the auditor could have near real-time data access via read-only nodes on blockchains. By giving auditors access to unalterable audit evidence, the pace of financial reporting and auditing could be improved.
While the audit process may become more continuous, auditors will still have to apply professional judgment when analysing accounting estimates and other judgments made by management in the preparation of financial statements. Auditors will also need to evaluate and test internal controls over the data integrity of all sources of relevant financial information.
Smart contracts and oracles, which are embedded into the blockchain, are new roles to take up. Checks such as interface testing, and the events which trigger transactions into the blockchain, are areas where the auditors may have to focus.
Another area for audit could be the "service audit", where an auditor can give assurance on the conformity of the controls in place.

Risks and Challenges
Vendor Risks: Most organizations lack the required technical skills and expertise to design and deploy a blockchain-based system and implement smart contracts completely in-house.
Credential Security: In a public blockchain-based system, any individual who has access to the private key of a given user, which enables him/her to "sign" transactions on the public ledger, will effectively become that user, because most current systems do not provide multi-factor authentication.
Legal and Compliance: It is new territory in all aspects, without any legal or compliance precedents to follow, which poses a serious problem for manufacturers and service providers.
Data security and confidentiality: It is feasible that hackers may be able to obtain the keys to access the data on the distributed ledger, considering that users have multiple points of access.
Scalability issues: Relating to the size of the blockchain ledger, which might lead to centralization as it grows over time and requires some record management; this is casting a shadow over the future of the blockchain technology.
Interoperability between block chains: There are new blockchain networks showing up, which lead to new chains that offer different speeds, network processing and use cases. Blockchain interoperability aims to improve information sharing across diverse blockchain networks. These cross-chain services improve blockchain interoperability and also make the chains more practical for daily usage.
Processing power and time: The processing required to perform encryption algorithms for all the objects involved in a blockchain-based ecosystem is very diverse; the ecosystem is comprised of devices that have very different computing capabilities, and not all of them will be capable of running the same encryption algorithms at the desired speed.
Storage will be a hurdle: The ledger has to be stored on the nodes themselves, and the ledger will increase in size as time passes. That is beyond the capabilities of a wide range of smart devices such as sensors, which have very low storage capacity.

Governance and Controls
Governance Framework: The enterprise has an adequate governance framework to provide oversight for blockchain technology.
Management Oversight: Provides assurance that the enterprise's strategic objectives are not adversely affected by risk related to blockchain technology.
Regulatory Risk: To ensure that the enterprise's strategic objectives are not adversely affected.
Business Continuity: The enterprise business continuity plan incorporates elements that address the effective operation of blockchain technology.
Vendor Management: Ensure ongoing alignment between the enterprise's strategic objectives and blockchain solutions.
Secure key distribution and management policies: Help to manage cryptography functions, key access control, key rotation methods and validation of the crypto algorithms' implementation.
Secure APIs and Integrations: Third-party remittances, e-KYC and smart contracting applications are integrated with the blockchain platform. APIs exposed to third parties should not reveal any sensitive data to adversaries. APIs and their integrations should handle authentication, payload security, and session management.

Professional Opportunities
Assist in evaluating the functional design: As Chartered Accountants we could assist in analysing the business requirement and deciding if the case is fit for a blockchain platform.
Evaluation of Proof of Concept: Before the solution is deployed, a prototype, often known as a Proof of Concept, is prepared. Chartered Accountants could assist in designing and evaluating the Proof of Concept.
Assessment of Risks in Implementation: Chartered Accountants may assist in the assessment of risk before implementation of a blockchain platform.
Impact on Audit: Understanding the impact of blockchain on the accounting and audit profession is of paramount importance for Chartered Accountants.
Audit of Smart Contracts and Oracles: Contracting parties may want to engage an assurance provider to verify that smart contracts are implemented with the correct business logic.
CHAPTER 3:
CLOUD COMPUTING
A cloud is a set of resources, such as processors and memory, which are put in a big pool. Cloud computing is the use of remote servers hosted on the Internet to store, manage and process data, rather than a local server or a personal computer. As per the requirement, the cloud assigns resources to the client, who then connects to them over the network.
Cloud Computing Deployment Models

Private Cloud
• Resides within the boundaries of an organization and is used exclusively for the organization's benefit
• Built primarily by IT departments within enterprises
• Optimizes utilization of infrastructure resources
• Can either be private to the organization and managed by the single organization (On-Premise Private Cloud), or managed by a third party (Outsourced Private Cloud)
Private Cloud Characteristics
Secure: Deployed and managed by the organization itself; least probability of data being leaked out of the cloud.
Central Control: Managed by the organization itself; no need for the organization to rely on anybody other than operations.
Weak Service Level Agreements (SLAs): SLAs are agreements between the user and the service provider. Formal SLAs do not exist or are weak, as the agreement is between the organization and a user of the same organization. High availability and good service may or may not be available and depend upon the SLAs.
Advantages: Improves average server utilization; reduces costs; higher security and privacy of the user; higher automation possible.
Limitation: The organization must invest in buying, building and managing the cloud independently.

Public Cloud
• Can be used by the general public
• Administered by third parties or vendors over the Internet
• The services are offered on a pay-per-use basis
• Business models like SaaS (Software-as-a-Service) and other service models are also provided
Public Cloud Characteristics
Highly Scalable: The resources in the public cloud are large in number and the service providers make sure that all requests are granted.
Affordable: Offered to the public on a pay-as-you-go basis; the user has to pay only for what he or she is using.
Less Secure: Offered by a third party, who may have full control over the cloud, depending upon the service model.
Highly Available: Anybody from any part of the world can access the public cloud with proper
Stringent SLAs: SLAs are strictly followed and violations are not avoided.
Advantages: Widely used at affordable costs; delivers highly scalable and reliable applications; no need for establishing infrastructure for setting up and maintaining the cloud; strict SLAs are followed; there is no limit on the number of users.
Limitations: Security; organizational autonomy is not possible.

Hybrid Cloud
• Combination of public, private and community cloud
• Normally a vendor has a private cloud and forms a partnership with a public cloud provider, or vice versa
Hybrid Cloud Characteristics
Scalable: The hybrid cloud has the properties of a public cloud together with a private cloud environment, and the public cloud part is scalable.
Partially Secure: The private cloud is considered secure, while the public cloud has a high risk of security breach.
Stringent SLAs: Overall, the SLAs are more stringent than for the private cloud and might be as per the public cloud service providers.
Complex Cloud Management: Cloud management is complex as it involves more than one type of deployment model and the number of users is high.
Advantages: Highly scalable and gives the power of both private and public clouds; provides better security than the public cloud.
Limitation: Security features are not as good as the private cloud, and it is complex to manage.

Community Cloud
• Exclusive use by a specific community of consumers from organizations that have shared concerns
• Owned, managed, and operated by one or more of the organizations in the community, a third party or some combination of them
• May exist on or off premises
• Suitable for organizations that cannot afford a private cloud and cannot rely on the public cloud either
Community Cloud Characteristics
Collaborative and Distributive Maintenance: No single company has full control over the whole cloud; maintenance is usually distributed and hence better cooperation provides better results.
Partially Secure: There is a possibility that data may be leaked from one organization to another, though it is safe from the external world.
Cost Effective: As the complete cloud is shared by several organizations or a community, not only is the responsibility shared; the community cloud becomes cost effective too.
Advantages: Establishing a low-cost private cloud; collaborative work on the cloud; sharing of responsibilities among the organizations; better security than the public cloud.
Limitation: Autonomy of the organization is lost; some of the security features are not as good as the private cloud; not suitable in cases where there is no collaboration.
1. Governance of Cloud Computing Services: Governance functions are established to ensure effective and sustainable management processes that result in transparency of business decisions, clear lines of responsibility, information security in alignment with regulatory and customer organization standards, and accountability.
2. Enterprise Risk Management: Risk management practices are implemented to evaluate inherent risk within the cloud computing model, identify appropriate control mechanisms and ensure that residual risk is within acceptable levels.
3. IT Risk Management: A process to manage IT risk exists and is integrated into the organization's overall ERM framework. IT risk management metrics are available for the information security function to manage risk within the risk appetite of the data owner.
4. Third-party Management: The customer recognizes the outsourced relationship with the service provider. The customer understands its responsibilities for controls, and the service provider has provided assurances of the sustainability of those controls.
5. Legal Compliance: The service provider and customer establish bilateral agreements and procedures to ensure contractual obligations are satisfied, and these obligations address the compliance requirements of both the customer and the service provider. Legal issues relating to functional, jurisdictional and contractual requirements are addressed to protect both parties, and these issues are documented, approved and monitored. The use of cloud computing should not invalidate or violate any customer compliance requirements.
6. Right to Audit: The right to audit is clearly defined and satisfies the assurance requirements of the customer's board of directors, audit charter, external auditors and any regulators having jurisdiction over the customer.
7. Certifications: Service provider security assurance is provided through ISO 27001 certification.
8. Service Transition Planning: Planning for the migration of data, such as metadata and access, is essential to reducing operational and financial risk at the end of the contract. The transition of services should be considered at the beginning of contract negotiations.
Professional Opportunities
Cloud computing provides a host of opportunities. A few of them are detailed below:
(a) Assessment with respect to costs and benefits on migration to cloud versus in-house tools.
(b) Cloud based solution implementation for clients.
(c) Assessment on the model of cloud to be deployed and the variants for the same.
(d) Consulting with respect to the migration from traditional facilities to cloud based infrastructure.
(e) Training to the user staff as regards the operating of these facilities.
(f) IT audit of these facilities.
Module - 6 Emerging Technologies
CHAPTER 4: DATA ANALYTICS
• Data Analytics is defined as the science of examining raw and unprocessed data with the intention of drawing conclusions from the information thus derived.
• It involves a series of processes and techniques designed to take the initial data, sanitize it by removing any irregular or distorting elements, and transform it into a form appropriate for analysis so as to facilitate decision-making.
• In simple terms, data analytics refers to the science of examining raw data with the purpose of drawing conclusions about that information.
• From an accountant's perspective Data Analytics is a generic term for Computer Assisted Audit Tools and Techniques (CAATTs) and covers the collection of tools, techniques and best practices to access and analyse digital data.
• Data Analytics empowers auditors to use technology to audit digital data, thereby giving access to 100% of the data and enabling analysis of that data to infer insights from information.
• Data Analytics enables auditors to optimise audit time and add value.
There are two types of professionals in the field of Data Analytics.
1. Descriptive Analytics: Provides insight based on past information. It is used in report generation, providing basic editor functions along with the horizontal and vertical analysis of financial statements.
2. Diagnostic Analytics: Examines the cause of past results and is used in variance analysis and interactive dashboards to examine the causes of past outcomes.
3. Predictive Analytics: Assists in understanding the future and provides foresight by identifying patterns in historical data. It can be used to predict an accounts receivable balance and collection period for each customer and to develop models with indicators that prevent control failures.
4. Prescriptive Analytics: Assists in identifying the best option to choose to achieve the desired outcome through optimization techniques and machine learning. Prescriptive Analytics is used in identifying actions to reduce the collection period of accounts receivable and to optimize the use of payable discounts.
5. Cognitive Analytics: Proactive action and recognizing patterns using Big Data and AI.
Descriptive: What happened? Why did it happen? Historical data helps understand past performance and supports root cause analysis. Tools used: Standard Reports, Adhoc Queries, Statistical Analysis, Graphics etc.
Prescriptive: How to make it happen? Analysis that suggests a prescribed action. Tools used: Business Intelligence, Heuristic methods, Optimization etc.
Predictive: What could happen? Forecasts future performance, events and results. Tools used: Forecasting, Predictive Modeling.
Cognitive: What to do, why and how? Proactive action and recognising patterns using big data. Tools used: AI, Machine Learning, Neural Networks, Deep Learning, Pattern Recognition.
Data Analytics Functions
1. Column Statistic: Displays column-wise statistics of all numeric data and of numeric, date and character columns. Use: To profile and analyse data at a macro level.
2. Identify Duplicates & Gaps: Identifies duplicates in a series of data or displays all successive numeric numbers with defined intervals. Use: Identify duplicate POs, duplicate vendor payments, duplicate vendors, payments without descriptions.
3. Same-Same Different: Identifies duplicates in a series of data which have certain fields in common and certain fields which differ. Use: Identify duplicates based on same GSTN but different location, name etc.
4. Pareto: Displays items in two separate tabs of 80:20.
5. ABC Analysis: Displays items in three separate categories as per the percentage given for each category. Use: Profiling payments into High, Medium & Low.
6. Quadrant/Pattern Analysis: Displays items in four quadrants as per the specific percentage given for each category.
7. Relative Size Factor (RSF): Displays the variation between the highest value and the 2nd highest value (in terms of difference and proportion). Use: Deriving the vendor ratio of highest and 2nd highest bill and checking ratios beyond a given "x%".
8. Max Variance Factor (MVF): Displays the variation between the highest and lowest value (in terms of difference and proportion). Use: Deriving the vendor ratio of highest and least bill and checking ratios beyond a given "x%".
9. Benford Law: Displays variance in patterns of numeric data based on Benford's Law for the first digit from 1 to 9. It states that lists of numbers from many real-life sources of data are distributed in a specific and non-uniform way. Number 1 appears about 30% of the time. Subsequently the number 2 occurs less frequently, then number 3, number 4, all the way down to 9 which occurs less than once in twenty. Use: Identify payments which fall as an exception to Benford's Law.
10. Authentication Check: Compares and verifies whether the amounts processed are within the limits and approval hierarchy. Use: Verify segregation of duties, instances of exceeding limits.
11. Pivot Table / MIS: Summarizes data by sorting, averaging, or summing and grouping the raw data. MIS can summarise by criteria such as day, day of the week, month etc. Use: Summarise and report payments based on defined rules.
12. Outliers: Displays instances of transactions beyond "x" times the average, mean, standard deviation etc. Use: Identify payments beyond "x" times the average, standard deviation etc.
13. Sounds Like / Soundex / Fuzzy Match: Identifies vendors with similar names which sound the same based on phonetics. Use: Identify duplicate / fake vendors created.
14. Aging Analysis: Computes the difference of two selected date columns and stratifies on specified intervals for the computed date difference. Use: Identify cases of payments made beyond a specified date.
15. Trendlines: Displays a trendline as per different rules configured, using sparklines or a chart.
16. 3-Way Matching: Displays records after joining data from up to three worksheets based on common/uncommon column values. Use: Identify cases of mismatch between PO, RR and Payment.
17. Analytical Review: Displays the difference between values of two numeric columns in number and in percentage. Use: Analyse the quantitative and other related information.
18. Back-Dated Entries: Identifies back-dated entries and duplicates/gaps based on a selected numeric/alphanumeric field related to a date field. Use: Identify instances of prior period payments and other related checks.
19. Beneish M-Score: The Beneish model is a statistical model that uses financial ratios calculated with accounting data of a specific company in order to check whether it is likely that the reported earnings of the company have been manipulated. Use: Identify exceptions to the Beneish score and analyse further.
20. Identify Outliers by Masks: Displays records that do not match a defined mask where 'C' represents characters and 'N' represents numbers. Use: Identify transactions which do not follow a specific pattern.
21. Sampling: Performs sampling by outliers, characters, numeric, risk weightage, statistics, quadrants, clusters, interval. Use: Sample based on exceptions to test the controls and perform substantive procedures.
22. Splitting Vouchers: Multiple vouchers raised on the same date or similar dates which cumulatively are higher than the approval limit.
23. Rounding off: Identify high value and round sum vouchers.
24. Weekend Payments: Identify entries / payments made on weekends. Use: Identify policy exceptions.
25. Vouchers with Blank Reference and Narrations: Identifying vouchers in which different fields are blank.
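As an added illustration (not part of the chart-book or of any CAAT product it names), the following Python script applies three of the functions listed above, the Benford first-digit test, the Relative Size Factor and duplicate detection, to a small constructed set of vendor payments; the function names, thresholds and sample vouchers are this example's own assumptions.

```python
"""Added example, not from the chart-book: Benford's Law first-digit test,
Relative Size Factor (RSF) and duplicate detection over constructed vendor
payments. Function names and sample data are this example's own."""
import math
from collections import Counter, defaultdict

# Constructed sample vouchers (voucher no, vendor, amount); not real data.
PAYMENTS = [
    ("V001", "Acme Supplies", 1250.00),
    ("V002", "Acme Supplies", 1310.50),
    ("V003", "Acme Supplies", 1190.00),
    ("V004", "Acme Supplies", 9800.00),   # far above Acme's next-highest bill
    ("V005", "Bright Tools", 2400.00),
    ("V006", "Bright Tools", 2400.00),    # same vendor and amount as V005
    ("V007", "Bright Tools", 3120.75),
    ("V008", "Cobalt Ltd", 410.00),
    ("V009", "Cobalt Ltd", 515.20),
    ("V010", "Delta Freight", 1875.00),
    ("V011", "Delta Freight", 170.00),
    ("V012", "Delta Freight", 6200.00),
]


def benford_expected(digit):
    """Benford's Law: P(first digit = d) = log10(1 + 1/d); about 30% for 1."""
    return math.log10(1 + 1 / digit)


def first_digit(amount):
    """First non-zero digit of |amount|, or None for a zero amount."""
    for ch in f"{abs(amount):.10f}":
        if ch.isdigit() and ch != "0":
            return int(ch)
    return None


def benford_first_digit(amounts):
    """Observed vs expected share of each leading digit 1..9.

    Returns {digit: (observed, expected)}. The test is only meaningful on
    large populations; the 12 rows here just illustrate the mechanics."""
    counts = Counter(d for d in map(first_digit, amounts) if d is not None)
    n = sum(counts.values())
    return {d: (counts[d] / n, benford_expected(d)) for d in range(1, 10)}


def benford_exceptions(amounts, tolerance=0.05):
    """Digits whose observed share departs from Benford's by more than tolerance."""
    return {d for d, (obs, exp) in benford_first_digit(amounts).items()
            if abs(obs - exp) > tolerance}


def relative_size_factor(payments):
    """RSF per vendor: highest bill divided by the second-highest bill."""
    by_vendor = defaultdict(list)
    for _, vendor, amount in payments:
        by_vendor[vendor].append(amount)
    rsf = {}
    for vendor, amounts in by_vendor.items():
        if len(amounts) < 2:
            continue  # RSF needs at least two bills for the vendor
        top, second = sorted(amounts, reverse=True)[:2]
        if second > 0:
            rsf[vendor] = top / second
    return rsf


def rsf_flags(payments, threshold=3.0):
    """Vendors whose RSF is at or beyond the chosen 'x' threshold."""
    return {v: r for v, r in relative_size_factor(payments).items() if r >= threshold}


def duplicate_payments(payments):
    """Same vendor and same amount more than once: {(vendor, amount): [vouchers]}."""
    seen = defaultdict(list)
    for voucher, vendor, amount in payments:
        seen[(vendor, round(amount, 2))].append(voucher)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    amounts = [amt for _, _, amt in PAYMENTS]
    for d, (obs, exp) in benford_first_digit(amounts).items():
        print(f"digit {d}: observed {obs:.3f} expected {exp:.3f}")
    print("Benford exceptions:", sorted(benford_exceptions(amounts)))
    print("RSF flags:", rsf_flags(PAYMENTS))
    print("Duplicate payments:", duplicate_payments(PAYMENTS))
```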
Steps involved in applying Analytics on Data
Curate / Cleansing the Data: It refers to transforming data into a standard structure to be usable for data analytics as required. This includes specific functions for cleaning data by removing specific characters, transforming data, deleting specific data and transposing data.
Profile the Data: It refers to the act of analyzing the data contents to get an overall perspective of the data. This helps in validating data at a macro level and assessing whether data is correct and complete.
Analyze the Data: It refers to examining the data in detail to discover essential features by breaking data into specific components by grouping, identifying and reviewing specific features. This includes functions for identifying gaps/duplicates, unique values, outliers, format, and changes between two sets of data, sampling, filtering, splitting data and fuzzy match.
Investigate: It refers to observing or querying the data in detail. This involves systematic examination of data by making a detailed inquiry or search to discover facts and insights to arrive at a conclusion. This includes functions for advanced analysis such as Pareto, ABC, Quadrant, Cluster, MIS, Statistical, querying data; consolidating/collating data, Relative Size Factor, Benford Law and relating, comparing and joining files based on specific criteria.
Document: It refers to automatically documenting functions performed using data analytics software. This includes functions such as rerun, refresh, audit log, indexing, etc.
Examples of Data Analytics software and Testing tools
The value of Data Analytics is in what it brings through its effective implementation. Data Analytics can be performed using various types of software such as:
MS Excel: Spreadsheet software of Microsoft has various features useful for auditors.
General Audit Software: Add-in for MS Excel with specific CAAT functions. Examples include eCAAT, Power BI (limited features).
General Audit Software: Data Analysis Software with specific CAAT functions. Examples include eCAAT, Tableau, Knime, IDEA, ACL etc.
Application Software: Standard and Ad-hoc Reporting and Query features available or specific functionalities designed for auditors. Example: Audit modules in certain applications / ERP have a few Data Analytics features.
Specialized Audit Software: Audit software designed to work in specific software.
Advance tools for Analytics
Hadoop: Open source cloud computing platform that allows storage and processing of massive amounts of data.
R programming: Open source programming language software that provides data scientists with a variety of features for analyzing data.
Python programming: Very powerful, open source and flexible programming language that is easy to learn and use and has powerful libraries for data manipulation, management and analysis.
Matlab: Its simple syntax is easy to learn and resembles C or C++.
Julia: New programming language that can fill the gaps with respect to improving visualization and libraries for data analytics.
Examples in Finance
Impact on Audit
Audit firms, both big and small, use data analytics to improve audit quality and add value to their clients. They may either create their own data analytics platforms or acquire off-the-shelf packages. These tools use visual methods to present data, allowing auditors to identify trends and correlations. By extracting and manipulating client data, auditors can better understand the client's information and identify risks. Data analytics tools can turn all the data into pre-structured presentations and generate audit programs tailored to client-specific risks, or provide data directly into computerized audit procedures. Using data analytics for assurance requires an understanding of business processes and of the techniques relevant to specific areas of control, in order to identify conformances, deviations, exceptions, and variances in the digital data being audited.
Financial Statement Assertions can be evaluated by auditors by using data analytics on the relevant digital data. For example, financial data can be evaluated for:
Risks and Challenges
1. The introduction of data analytics for audit firms isn't without challenges to overcome. At present there is no specific regulation or guidance which covers all the uses of data analytics within an audit and this results in difficulty establishing quality guidelines. Other issues which can arise with the introduction of data analytics as an audit tool include:
2. Data privacy and confidentiality: The copying and storage of client data risks breach. This data could be misused by the firms or illegal access obtained if the firm's data security is weak or hacked, which may result in serious legal and reputational consequences.
3. Completeness and integrity: The extracted client data may not be guaranteed; specialists are often required to perform the extraction and there may be limitations to the data extraction where the firm does not have either the appropriate tools or the understanding of the client data to ensure that all data is collected. This may especially be the case where multiple data systems are used by a client.
4. Compatibility issues with client systems may render standard tests ineffective if data is not available in the expected formats.
5. Training the audit staff: Staff may not be competent to understand the exact nature of the data and output to draw appropriate conclusions; training will need to be provided, which can be expensive.
6. Insufficient or inappropriate evidence retained on file due to failure to understand or document the procedures and inputs fully. For example, a screen shot on file of the results of an audit procedure performed by the data analytic tool may not record the input conditions and detail of the testing.
7. The data obtained must be held for several years in a form which can be retested. As large volumes will be required, firms may need to invest in hardware to support such storage or outsource data storage, which compounds the risk of lost data or privacy issues.
8. An expectation gap among stakeholders who think that because the auditor is testing 100% of transactions in a specific area, the client's data must be 100% correct.
Professional Opportunities
Organizations in industries across the world are shifting their strategies because of data: Google, Netflix or Amazon, for example. With a data driven approach in mind, companies are looking to hire people to manage their data and uncover the value and meaning behind the information they are collecting. As such, data-driven career opportunities and careers in data analytics abound for people with data analysis skills.
Chartered Accountants having domain expertise in the fields of finance, audit, taxes and compliance should now equip themselves with these tools and skill sets. This will enable them to audit digital data with ease, save time and provide value added services to clients. Since Analytics is utilized in varied fields, there are numerous job titles which are coming into the picture:
• Analytics Business Consultant
• Analytics Architect / Engineer
• Business Intelligence and Analytics Consultant
• Metrics and Analytics Specialist
• Preparation of MIS and Dashboards including Visualization Solutions
• Monitor tracking of Key Performance Indicators (KPIs) and Key Result Areas (KRAs).
Module - 6 Emerging Technologies
CHAPTER 5: INTERNET OF THINGS
The Internet of Things, or IoT, is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
How it works
An IoT ecosystem consists of web-enabled smart devices that use embedded processors, sensors and communication hardware to collect, send and act on data they acquire from their environments. IoT devices share the data collected through sensors by connecting to an IoT gateway or other edge device. From these devices the data is either sent to the cloud to be analysed or analysed locally. Sometimes, these devices communicate with other related devices and act on the information they get from one another. The devices do most of the work without human intervention, although people can interact with the devices, for instance to set them up, give them instructions or access the data. The connectivity, networking and communication protocols used with these web-enabled devices largely depend on the specific IoT applications deployed.
1. Improved business insight and customer experience: Companies use IoT to gain insights into their business operations and improve the customer experience. This helps them fulfill customer needs better. For example, IoT in a shopping environment reduces friction in the buying experience and improves inventory control and supply chain management. This is done by gathering data about popular products and cross-selling opportunities.
2. Efficiency and productivity gains: Ford is using body-tracking technology in a special suit for its workers at a plant in Spain to make data-driven changes to its vehicle production processes, making them safer and more efficient. The technology tracks workers' movements to design less physically stressful workstations.
3. Asset tracking and waste reduction: Closely linked to efficiency and productivity is the drive to reduce waste, to which IoT tracking is integral. The more IoT components in a business operation, the more it stands to benefit from IoT implementation.
4. Cost and downtime reductions: One of the benefits of these new insights is often a reduction in operational expenditure and downtime. For example, the rapid emergence of digital twin technology (digital models of physical assets built from real-time data, either in pure data form or as exportable 3D representations) is a key competitive differentiator in industrial IoT applications.
5. Newer business models: The IoT offers companies the opportunity to gain insights into their customers and their product usage, leading to more efficient and productive processes. It also allows companies to move towards new revenue streams by offering subscription-based services that utilize the connected nature of their products.
Examples in Finance
Use Cases
DeTect: DeTect Technologies is an IoT start-up that offers asset integrity management solutions, including pipeline condition monitoring and structural health monitoring for hard-to-reach assets. Their technology helps reduce productivity losses due to breaches and is used by several Fortune 500 companies.
TagBox: TagBox uses IoT to create sustainable and reliable cold chains, offering comprehensive solutions for real-time visibility of the entire chain, helping reduce product spoilage, meet compliance requirements, cut energy costs, prevent theft and pilferage, and optimize transportation costs.
Impact on Audit
IoT based automation and intelligent systems can ensure that the presence of personnel is detected and their physical appearance checked to ensure that the safety measures have been taken care of by the worker; every check conducted leaves an audit trail, and if exceptions are found, alarms are raised with evidence. Also, once the situation is corrected, the issue or alarm raised can be closed. There may no longer be a need for any such evidence of compliance, as the compliance is ensured automatically.
Yes, IoT assisted accounting has the potential to provide CAs with real-time access to transactional data and increase the effectiveness of continuous auditing processes. It can also help with risk evaluation and quick issue assessment and remediation, leading to real-time management for businesses and CAs. This can ultimately lead to more efficient and effective accounting practices. IoT also helps in reducing the time lapse between an event and its recording, for more timely decision making and facilitating assessment of process-driven activities.
Quality will hardly need any sample checks as all the items will go through a compulsory test. Every item would have its own set of quality requirements embedded and would reach out to instruments which can verify a specific parameter; thus, each end product would have its size verified by a machine, based on the specifications embedded.
The documentation is one thing that may be solved on its own, since the workflow or process maps which would be used for automation are themselves good enough documentation. Also, the need for documentation for instructional purposes now gets reduced, since it is the IoT data which drives the processes.
IoT makes it easier for organizations to keep tabs on their resources, in relation to inventory and assets, and that has direct implications for the accountants who are responsible for overseeing the budget and its relation to assets.
With IoT in place, there would be more data, more action, more observation, and a reduction of immediate direct human impact.
Technologies such as drones can help in gathering evidence to support assertions and perform audits much faster, in fact in real time. This could be used for physical verification of inventory, assessing mines and quarries, etc.
Risk and Challenges
Software update and patches: The time for a patch to be released may be longer than the typical cycle for non-IoT devices (if a patch is released at all). Enterprises as well as individual consumers can review an IoT vendor's website to determine the frequency of patches and compare the schedule against vulnerability dates using a Common Vulnerabilities and Exposures database. This comparison can provide a level of assurance that third-party software developers have adequate policies regarding vulnerability assessment and patching.
Hardware Lifespan: IoT devices have their own life cycle, often with built-in obsolescence. Components like non-replaceable batteries in IoT devices require life cycle planning and asset-management processes specific to IoT.
Security and privacy issues: IoT promises to provide unprecedented and ubiquitous access to the devices that make up everything from assembly lines, health and wellness devices, and transportation systems to weather sensors. Unfettered access to that much data poses major security and privacy challenges, including:
• Insufficient authentication/authorization: a huge number of devices rely on weak and simple passwords and authorizations. Many devices accept passwords such as "1234."
• Lack of transport level encryption: most devices fail to encrypt data that are being transferred, even when the devices are using the Internet.
• Insecure web/mobile interface: most IoT-based solutions have a web/mobile interface for device management or for consumption of aggregated data. This web interface is found to be prone to the Open Web Application Security Project (OWASP) Top 10 vulnerabilities, such as poor session management, weak credentials and cross-site scripting vulnerabilities.
• Default credentials: most devices and sensors are configured to use the default username/passwords.
• Lack of secure code practices: services and business logic would be developed without adhering to secure coding practices.
• Privacy concerns: Many devices used in healthcare collect personal information, creating privacy risks as they collect and aggregate data. The regular purchase of different foods, for example, could reveal a buyer's religion or health information. This is one of the privacy challenges associated with IoT in healthcare.
Challenges
There are many challenges facing the implementation of IoT. The scale of IoT application services is large, covers different domains and involves multiple ownership entities. There is a need for a trust framework to enable users of the system to have confidence that the information and services are being exchanged in a secure environment.
• Insecure web interface
• Insufficient authentication/authorization
• Insecure network services
• Lack of transport encryption
• Privacy concerns
• Insecure cloud interface
• Insecure mobile interface
• Insufficient security configurability
• Insecure software/firmware
• Poor physical security
Governance and Controls
IoT solutions are complex. The integration of connected devices and IT services poses major challenges in networking, communication, data volume, real-time data analysis, and security. IoT solutions involve many different technologies and require complex development cycles, including significant testing and ongoing monitoring. To overcome these challenges, IT organizations must:
• Develop a comprehensive technical strategy to address the complexity
• Develop a reference architecture for their IoT solution
• Develop required skills to design, develop, and deploy the solution
• Define your IoT governance processes and policies
IoT solution governance can be viewed as the application of business governance, IT governance, and enterprise architecture (EA) governance. In effect, IoT governance is an extension to IT governance, where IoT governance is specifically focused on the lifecycle of IoT devices, data managed by the IoT solution, and IoT applications in an organization's IT landscape. IoT governance defines the changes to IT governance to ensure the concepts and principles for its distributed architecture are managed appropriately and are able to deliver on the stated business goals.
Professional Opportunities
IoT will bring CAs new opportunities for client service in the areas of business process design and data analysis. Clients will need CAs to help set up accounting and recording systems, such as dashboards that aggregate data received from the IoT. CAs may also be hired to provide opinions on the security of the IoT. Consumers and industry want assurance that information and systems will be private. When the IoT takes off, CAs will be asked to give their professional opinions on the systems that third parties rely on, unlike today where we are only asked for assurance in special circumstances.
Module - 6 Emerging Technologies
CHAPTER 6: ROBOTIC PROCESS AUTOMATION
Robotic process automation is the term used for software tools that automate human activities that are manual, rule-based and repetitive. They work by replicating the actions of a human interacting with software applications to perform tasks such as data entry and processing standard transactions. It is computer coded software: programs that perform repeated tasks based on defined rules, and can work across functions and applications. Example: A process of reviewing the approved time sheet, raising the invoice in the ERP to the appropriate client, sending an email to the client and following up as a part of receivable management could be automated, as the process is standardised and reasonably repetitive.
RPA is Computer-Coded Software ✔ / ✘ RPA is Not Walking, Talking Auto-bots
RPA is Programs that replace humans performing repetitive rules-based tasks ✔ / ✘ RPA is Not Physically existing machines processing paper
RPA is Program ✔ / ✘ RPA is Not Artificial intelligence or voice recognition and reply software
A few of the key objectives of implementing RPA are as follows:
• Improve accuracy
• Skill upgradation of personnel
• Reduction of monotonous work
• Cost saving
• Higher efficiency
• Improve customer experience
Examples in Finance
Banks are using RPA software robots to handle the entire credit card application process, including gathering required documents, credit and background checks, decision making, and card issuance. The process is highly systematic and can be easily managed by the robots.
RPA software robots can provide significant benefits to e-commerce websites and logistics companies by automating activities such as fetching data from provider databases and tracking shipments for delivery through GPS, without the need for human intervention.
RPA is being utilized for KYC authentication and updating customer, vendor, and employee documentation. This results in faster processing, error-free results, and increased efficiency.
Use Cases, ICICI Bank
Using robotic process automation (RPA), the bank's operations department deployed 200 robotics software programs. The development helped ICICI Bank to process around 10 lakh transactions per day. Today, the RPA is helping to process more than 2 million transactions daily.
Impact on Audit
The following are the areas where auditors should concentrate:
• Free up capacity to focus on higher priorities
• Enhance ability to add valuable insight
• Need to develop new testing approaches
• Consider changes to the internal audit staffing model
• Need to understand technology
• Opportunity to influence control design
• Potential to increase audit efficiency
Risks and Challenges: Robotic Process Automation, like all technology and innovation initiatives, comes with disruption and associated risks.
RPA strategy risks: RPA can drive innovation and competitiveness, but businesses may fail to fully realize its potential due to wrong goals, expectations, or under-resourcing.
Tool selection risks: There is a risk of RPA-washing in the market due to hype, where vendors overstate their automation capabilities. Some may only offer screen-scraping, which can lead to high maintenance and errors. Companies need to carefully choose the right tools for their needs.
Launch/project risks: To mitigate the risks of a failed RPA project launch, organizations need to prevent technical and financial failures. Adopting RPA in departments with high headcounts just to generate more savings can fail due to the large load of changing processes and exception handling.
Operational/execution risks: Operational risks can arise if organizations do not establish a clear operating model when deploying RPA, which can lead to confusion over roles and responsibilities between humans and bots.
RPA Challenges
Shortage of skilled resources:
• The demand for RPA is increasing, but there is a shortage of skilled resources in the market.
• Experienced RPA professionals expect high salaries, which may not be financially viable for some companies.
Lack of proper team structure: Lack of knowledge about processes and sharing of resources between multiple projects can pose risks in achieving set milestones.
Unable to automate end-to-end cases: Some processes require integration with machine learning and OCR engines, but these technologies can be costly and may not always meet business expectations.
Vaguely defined business continuity plans: Organizations may have unrealistic expectations about RPA projects requiring little to no maintenance, but in reality they do require maintenance for identifying new scenarios and issues in production environments, defining execution schedules, and mitigation plans during failures.
Governance and Controls
A governance structure that defines roles and responsibilities for automation activities will help deliver successful RPA initiatives. Key elements include:
Ownership: Involve legal, risk, IT and other teams that are involved in the process due to be automated. It includes process-specific subject matter experts (SMEs) for insight into the process nuances.
Deployment framework: Calibrate production and development environments to ensure smooth RPA deployment. Ensure IT is aware of RPA enabled processes. Ensure a change management process is in place.
Operational risk / data security: Create a cross-functional team to clear temporary backlogs in case of bot failure and maintain people in critical processes for error free delivery.
Enterprise management: Communicate the benefits: RPA helps to eliminate repetitive, non-value-adding tasks so employees can make a greater impact in their roles. Involve HR to support employees' up-skilling, which increases employee morale and improves productivity. Employees should be prepared to work along with the software robots.
RPA Vision / roadmap: Create a center of excellence (COE) early in the journey to accelerate adoption of RPA across the enterprise. Set deadlines for achieving intelligent automation to leverage the full value of automation.
Professional Opportunities
Many exciting new jobs will be created by RPA, as automation will require a new type of skill set. The creation of new types of job opportunities will outweigh the displaced jobs. This research validates the confidence in the creation of new types of industries requiring new kinds of functions and skills.
The McKinsey Global Institute estimated in its December 2017 reports that by 2030, automation will drive between 75 and 375 million people to reskill themselves and switch occupations. Robotic Process Automation (RPA) is not replacing accountants but evolving their role and augmenting their effectiveness through automation. It is a progressive, positive, and necessary shift that is creating the digital workspace for accounting and finance professionals to focus on the greatest value they can provide to their organisation.