BUSINESS PROCESSES MODULE 2
○ Responsibility of the audit is to add value
MODULE 2 - PART 1
BUSINESS PROCESSES
● interrelated set of cross-functional activities
or events that result in the delivery of a
specific product or service to a customer.
● controlled by policies, procedures, practices
and organizational structures designed to
provide reasonable assurance that a business
process will achieve its objectives
○ Policies vs. procedures
■ Policies - what the company wants to
achieve
■ Procedures - step-by-step process
BUSINESS PROCESS OWNERS
The individual responsible for identifying process
requirements, approving process design and
managing process performance, and should be at
an appropriately high level in an organization to
have authority to commit resources to
process-specific risk management activities.
IS AUDITOR
Understand and be able to evaluate the business
processes of the organization they are auditing.
● This includes a test and evaluation of the design
and implementation of the operation of controls
and the monitoring and testing of evidence to
ensure that the internal controls within the
business processes operate effectively.
The
INTERNAL AUDIT FUNCTION
PURPOSE
● Evaluate and test the design and execution of
controls implemented by management.
AUTHORITY
● Provides the right of access to records, the
limitations and processes to be audited.
RESPONSIBILITY
● To add value to the enterprise, ensuring that
organizational perspectives such as strategy,
mission and regulatory/compliance
expectations are integrated in its work, and to
abide by professional expectations.
○ Auditors - watchdogs
■ How? Provide recommendations
■ Corrective action para maayos yung
findings
ACCOUNTABILITY
● Includes distribution of written
communications, monitoring and reporting of
management's processes, reporting of the
audit and assurance function's performance
metrics, quality assurance process, reporting
to those charged with governance and
oversight (BOD) and staffing rules for audit
engagements.
○ We need to monitor if na-address na
yung mga issue
IS AUDIT CAN BE A PART OF INTERNAL AUDIT
● function as an independent group
● integrated within a financial and operational
audit to provide IT-related control assurance
to the financial or management auditors
MANAGEMENT OF THE IS AUDIT FUNCTION
ORGANIZATIONAL INDEPENDENCE
● Free from conflicts of interest and undue
influence in all matters related to audit and
assurance engagement.
● Any impairment of independence (in fact or
appearance) is identified and disclosed to the
appropriate parties.
Board should approve the:
● charter
● risk-based plan
● IS budget and resource plan
● decision regarding the appointment and
removal of the Chief Audit Executive
● Remuneration of the Chief Audit Executive
AUDIT CHARTER
● An audit charter is an overarching
document that covers the entire scope of
audit activities in an entity
● engagement letter – more focused on a
particular audit exercise that is sought to be
initiated in an organization with a specific
objective in mind
INDEPENDENCE IN FACT
1
 Module 2: Business Processes
● The state of mind that permits the expression
of a conclusion without being affected by
influences that compromise professional
judgment, allowing an individual to act with
integrity, and exercise objectivity and
professional skepticism.
INDEPENDENCE IN APPEARANCE
● The avoidance of facts and circumstances
that are so significant that a reasonable and
informed third party, having knowledge of all
relevant information, including safeguards
applied, would reasonably conclude a firm's
or a member of the assurance team's
integrity, objectivity or professional
skepticism has been compromised.
IT audit and assurance practitioners shall be
objective in all matters related to audit and
assurance engagements.
OBJECTIVITY
● unbiased mental attitude that allows IS
auditors to perform engagements in such a
manner that they believe in their work
product and that no quality compromises are
made.
● objectivity requires that IS auditors do not
subordinate their judgment on audit matters
to others.
REASONABLE EXPECTATION
● The engagement can be completed in
accordance with applicable IT audit and
assurance standards and. where required,
other industry standards or applicable laws
and regulations that will result in a
professional opinion or conclusion.
● The scope of the engagement enables a
conclusion on the subject matter and that any
scope limitations are addressed
● management understands its obligations and
responsibilities with respect to providing
appropriate, relevant and timely information
required to perform the engagement
DUE PROFESSIONAL CARE
● Exercise due diligence and professional care.
● maintain high standards of conduct and
character, and they will refrain from engaging
in acts that may discredit themselves or the
profession.
● privacy and confidentiality of information
obtained during the course of the auditor's
duties should be maintained.
● information should not be used for personal
benefit, nor should the information be
disclosed unless required by legal authority.
PROFICIENCY
● a collective term that refers to the knowledge,
skills, and other competencies required of
internal auditors to effectively carry out their
professional responsibilities.
● encompasses consideration of current
activities, trends, and emerging issues. to
enable relevant advice and recommendations
THE IS AUDIT
● collectively with others assisting with the
audit and assurance engagement, shall
possess the professional competence to
perform the work required.
● possess adequate knowledge of the subject
matter to perform their roles in IT audit and
assurance engagements.
● shall maintain professional competence
through appropriate continuing professional
education and training.
AUDIT PLANNING
● Conducted at the beginning of the audit
process to establish the overall audit strategy
and detail the specific procedures to be
carried out to implement the strategy and
complete the audit.
● Short-term planning considers audit issues
that will be covered during the year.
● Long-term planning relates to audit plans
that will consider risk-related issues regarding
changes in the organization's IT strategic
direction that will affect the organization's IT
environment.
AUDIT UNIVERSE
● collective grouping of auditable 'components'
● sometimes also called auditable areas, units
or entities – that support the development of
the audit plan and help to identify
appropriate audit coverage that the chief
audit executive can then prioritize
LIST OF ALL PROCESSES
2
 Module 2: Business Processes

6. Perform a risk and ls to help in designing the

audit plan
Qualitative/Quantitative Risk Assessment
7. set the audit scope and objectives
8. Develop the audit approach or strategy
High 9. Assign personnel resources to audit
● A process issue may result in damage to the 10. Address audit logistics
reputation of the organization that will take
more than six months to recover. EFFECTS OF LAW AND REGULATIONS ON IS
● You need to calibrate your risk assessment AUDITING
● Di pwede na high risk lahat kasi baka may mali
● Establishment of regulatory requirements
sa risk assessment
● Responsibilities assigned to corresponding
entities
Medium
● Financial, operational and IS audit functions
● A process issue may result in damage to the
reputation of the organization that will take
THINGS TO CONSIDER
less than six months to recover.
● Legal requirements placed on audit or IS
Low Audit
● Legal requirements placed on the auditee and
● A process issue may result in damage to the
its systems, data m management, reporting,
reputation of the organization that will take
etc.
less than three months to recover.
● Audit Priorities
● Can you use risk assessment in the audit plan? STEPS TO DETERMINE COMPLIANCE WITH
● Pwede kahit isa or dalawa yung piliin depende EXTERNAL REQUIREMENTS
sa company.
● Identify those government or other relevant
external requirements dealing with
THINGS TO CONSIDER ● Document applicable laws and regulations
● Assess whether the management of the
● Analysis of short-term and long-term issues
organization and the IT function have
should occur at least annually
considered the relevant external requirements
● Results of analysis should be reviewed by
in making plans and in setting policies.
audit senior management/audit committee or
standards and procedures, as well as business
board of directors
application features
● Annual planning should be updated if any key
● Review internal IT
aspects of risk environment have changed
department/function/activity documents that
address adherence to laws
INDIVIDUAL AUDIT PLAN
● Determine adherence to established
1. Gain an understanding of the organization's procedures that address these requirements
mission, objectives, purpose and processes, ● Determine if there are procedures in place to
which include information and processing ensure contracts or agreements with external
requirements such as availability. integrity. IT services providers reflect any legal
security, and business technology and requirements related to responsibilities
information confidentiality
2. Gain or understanding of the organization's
MODULE 2 - PART 2
governance structure and practices related to
the audit objectives
3. Understand business environment of the
BUSINESS PROCESS APPLICATIONS AND
auditee
CONTROLS
4. Review prior working papers - support audit
findings
5. Identify stated contents such as policies, E-COMMERCE
standards and required guidelines,
procedures, and organization structure

3
 Module 2: Business Processes
● buying and selling of goods online as well as
customer support or relationships between
businesses
● technology used can include the internet,
multimedia, web browsers, proprietary
networks, automated teller machines and
home banking, and the traditional approach
to electronic data interchange.
TYPES OF E-COMMERCE
BUSINESS TO CONSUMER (B to C)
● Business conducted between organizations
BUSINESS TO BUSINESS (B to B)
● Business conducted between organizations
and its customers (personalization.
membership, ordering. invoicing. shipping.
inventory replacement, etc.)
CONSUMER TO BUSINESS (C to B)
● Business conducted between a consumer and
o business. This is when customers sell their
products or services to a business
BUSINESS TO GOVERNMENT (B to G)
● Business conducted between an organization
and a public administration where the
governmental organization promotes
awareness and growth of e-commerce
CONSUMER TO CONSUMER (C to C)
● Business conducted between customers
primarily using a third-party platform
CONSUMER TO GOVERNMENT (C to G)
● Business conducted between a consumer and
a public administration
TYPICAL E-COMMERCE ARCHITECTURES
SINGLE-TIER ARCHITECTURE
● client-based application running on a single
computer
TWO-TIER ARCHITECTURE
● composed of client and server
THREE-TIER ARCHITECTURE
● presentation tier displays information that
users can access directly such as a web page
or an operating system's graphical user
interface
● The application tier controls an application's
functionality by performing detailed
processing
○ data for analyzing website usage
● To provide full functionality and achieve back
-end efficiencies, an ecommerce system may
involve connections to inhouse legacy systems
accounting. inventory management or an
enterprise resource planning system or
business partner systems
● For security reasons, persistent customer data
should not be stored on web servers that are
exposed directly to the Internet data tier is
usually comprised of the database servers,
file shares, etc. and the data access layer that
encapsulates the persistence mechanisms and
exposes the data
THINGS TO CONSIDER
● Databases play a key role in most
e-commerce systems maintaining data for
website pages analyzing webs usage
● To provide full functionality and achieve back
-end efficiencies, an e-commerce system may
involve connections to in-house legacy
systems accounting. inventory management
or an enterprise resource planning system—or
business partner systems
● For security reasons, persistent customer data
should not be stored on web servers that are
exposed directly to the Internet
E-COMMERCE RISKS
CONFIDENTIALITY
● Potential consumers are concerned about
providing unknown vendors with personal
(sometimes sensitive) information for a
number of reasons including the possible theft
of credit card information from the vendor
following a purchase
INTEGRITY
● Data, both in transit and in storage, could be
susceptible to unauthorized alteration or
deletion
AVAILABILITY
4
 Module 2: Business Processes
● The Internet allows customers to do business
on a 24/7 weekly basis. Hence, high
availability is important, with any system’s
failure becoming immediately apparent to
customers or business partner
AUTHENTICATION AND NONREPUDIATION
● The parties to an electronic transaction should
be in a known and trusted business
relationship, which requires that they prove
their respective identities before executing
the transaction to prevent man-in-the-middle
attacks
● there must be some manner of ensuring that
the transacting parties cannot deny that the
transaction was completed and the terms on
which it was completed
POWER SHIFT TO CUSTOMERS
● The Internet gives consumers unparalleled
access to market
● Organizations participating in e-business
need to make their offerings attractive and
seamless in terms of service delivery
● To avoid losing their competitive advantage
of doing business online, organizations need
to enhance their services, differentiate from
the competition and build additional value
E-COMMERCE REQUIREMENTS
● Building a business case (IT as an enabler)
● Developing a clear business purpose
● Using technology to first improve costs
● Building a business case around the four C’s:
customers, costs, competitors and capabilities
Top-Level Commitment
● E-commerce cannot succeed without a clear
vision and strong commitment from the top of
an organization
Business Process Reconfiguration
● Technology is not the key innovation needed to
make E-commerce work, but it is the ingenuity
needed to envision how that technology can
enable the company to fundamentally
reconfigure some of its basic business
processes
Links to Legacy System
● Organizations must take seriously the
requirement to accelerate response times,
provide real interaction to customers and
customize responses to individual customers.
WHAT SHOULD IS AUDITOR REVIEW IN
E-COMMERCE
● Interconnection agreements prepared prior to
engaging in an e-commerce agreement.
These agreements can be as simple as
accepting terms of use to detailed terms and
conditions to be in place before the
e-commerce interconnections are established
● Security mechanisms and procedures that,
taken together, constitute a security
architecture for e-commerce (e.g., Internet
firewalls, public key infrastructure [PKI],
encryption, certificates, and password
management)
● Firewall mechanisms that are in place to
mediate between the public network (the
Internet) and an organization’s private
network
● A process whereby participants in an
e-commerce transaction can be identified
uniquely and positively (e.g., a process of
using some combination of public and private
key encryption and certifying key pairs)
● Procedures in place to control changes to an
e-commerce presence
● E-commerce application logs, which are
monitored by responsible personnel. This
includes OS logs and console messages,
network management messages, firewall logs
and alerts, router management messages,
intrusion detection alarms, application and
server statistics, and system integrity checks
● Methods and procedures to recognize security
breaches when they occur
● Features in e-commerce applications to
reconstruct the activity performed by the
application
● Protections in place to ensure that data
collected about individuals are not disclosed
without the individuals’ consent nor used for
purposes other than that for which they are
collected
● Means to ensure confidentiality of data
communicated between customers and
vendors
● Mechanisms to protect the presence of
e-commerce and supporting private networks
from computer viruses and to prevent them
from propagating viruses to customers and
vendors
5
 Module 2: Business Processes

● Features within the e-commerce architecture ● necessary in mapping the transaction, writing
to keep all components from failing and allow the partner's profile and tells the system
them to repair themselves, if they should fail where to send each transaction and how to
● Plans and procedures to continue handle errors and exceptions
e-commerce activities in the event of an ○ Para siyang blueprint ng buyer and seller
extended outage of required resources for
normal processing
EDI SYSTEM SOFTWARE
● Commonly understood practices and
procedures to define management’s ● includes transmission, translation and storage
intentions for the security of e-commerce of transactions initiated by or destined for
● Shared responsibilities within an organization application processing
for ecommerce security ○ Mas dominant ang web-based EDI
● Communications from vendors to customers ● EDI is also an application system in that the
about the level of security in an ecommerce functions it performs are based on business
architecture needs and activities. The applications,
● Regular programs of audit and assessment of transactions and trading partners supported
the security of e-commerce environments and will change over time, and the intermixing of
applications to provide assurance that transactions, purchase orders, shipping notices,
controls are present and effective invoices and payments in the EDI process
makes it necessary to include application
processing procedures and controls in the EDI
MODULE 2 - PART 3
process.
● In reviewing EDI, an IS auditor should be
aware of the two approaches related to EDI:
ELECTRONIC DATA INTERCHANGE
the traditional proprietary version of EDI used
● the electronic transmission of transactions by large companies and government parties,
(information) between two organizations and the development of EDI through the
● promotes a more efficient paperless publicly available commercial infrastructure
environment can replace the use of standard offered through the Internet.
documents, including invoices or purchase ● The difference between the approaches relates
orders to cost, where use of a public commercial
infrastructure such as the Internet provides
EDI SYSTEM REQUIRES significantly reduced costs versus development
of a customized proprietary approach. From a
security standpoint, risk associated with not
COMMUNICATION SOFTWARE having a completely trustworthy relationship
● moves data from one point to another, flags arise in addressing Internet security and risk.
the start and end of an EDI transmission, and
determines how acknowledgments are FUNCTIONS OF TRADITIONAL EDI
transmitted and reconciled (more in-depth
discussion of communications software can
be found in Domain 4 of CISA Review Manual) COMMUNICATION HANDLER
○ Moves data from one point ● Process for transmitting and receiving
○ Software na nag communicate between electronic documents between trading
two system partners via dial-up lines, public-switched
network, multiple dedicated lines or a
TRANSLATION SOFTWARE value-added network (VAN)
● helps build a map and shows how the data ● VAN receives all the outbound transactions
fields from the application correspond to from an organization, sorts them by
elements of an EDI standard. Later, it uses destination and passes them to recipients
this map to convert data back and forth when they log on to check their mailbox and
between the application and EDI formats receive transmissions
- Di dumadaan sa internet. May sariling line
yung parties - facilitated by a value added
EDI STANDARD
network

6
 Module 2: Business Processes
EDI INTERFACE
● Interface function that manipulates and
routes data between the application system
and the communications handler
● EDI translator translates the data between
the standard format and trading partner's
proprietary format
● Application interface moves electronic
transactions to or from the application
systems and performs data mapping. It may
generate and send functional
acknowledgments, verify the identity of
partners and check the validity of
transactions by checking transmission
information against a trading partner master
file
- Interface = border; siya yung pagitan ng
nakikita ng user and computer itself, since
EDI dalawa ang nag uusap.
APPLICATION SYSTEM
● The programs that process the data sent to,
or received from, the trading partner
● Application-initiated transactions (such as
purchase orders from the purchasing system)
are passed to a common application interface
for storage and interpretation
- The programs that process the data sent to
or received from the trading partner.
WEB-BASED EDI BECOME POPULAR
● Access through internet services providers
offers generic network access for all
connected computers, whereas VAN services
have typically used a proprietary network or a
network gateway linked with a specific set of
proprietary networks. The result is a
substantially reduced cost to EDI applications
● Attract new partners via web-based sites to
exchange information, take orders, and link
the website to back-end order processing and
financial systems via EDI
● New security products are available to
address issues of confidentiality,
authentication, data integrity, and
nonrepudiation of origin and return
- Traditional = VAN
- Safe ba yung web based na EDI? Mas safe
yung traditional.
ELECTRONIC DATA INTERCHANGE RISKS
● Transaction authorization.
● Loss of business continuity/corruption of EDI
applications.
● Unauthorized access to electronic
transactions.
● Deletion or manipulation of transactions prior
to the prior establishment of application
controls.
● Loss or duplication of EDI transmissions.
● Loss of confidentiality and improper
distribution of EDI transactions while in the
possession of third-party.
ELECTRONIC DATA INTERCHANGE PROCESS
CONTROLS
● Standards should be set to indicate that the
message format and content are valid to
avoid transmission errors
● Controls should be in place to ensure that
standard transmissions are properly
converted for the application software by the
translation application
● The receiving organization must have controls
in place to test the reasonableness of
messages received. This should be based on a
trading partner’s transaction history or
documentation received that substantiates
special situations
● Controls should be established to guard
against manipulation of data in active
transactions, files and archives. Attempts to
change records should be recorded by the
system for management review and attention.
● Procedures should be established to
determine messages are only form authorized
parties and transmissions are properly
authorized
● Direct or dedicated transmission channels
among the parties exist to reduce the risks of
tapping into the transmission lines
● Data should be encrypted using algorithms
agreed on by the parties involved
● Electronic signature should be in the
transmissions to identify the source and
destination
● Message authentication codes should exist to
ensure that what is sent is received
CONTROL ON RECEIPT OF INBOUND
TRANSACTIONS
CONTROL OBJECTIVE
● All inbound EDI transactions are accurately
and completely received (communication
7
 Module 2: Business Processes
phase), translated (translation phase), passed
to an application (application interface
phase), and processed only once
● Use appropriate encryption techniques when
using public internet infrastructures for
communication in assuring confidentiality,
authenticity and integrity of transactions
● Perform edit checks to identify errors. Unusual
or invalid transactions prior to updating an
application
● Perform additional computerized checking to
assess transaction reasonableness, validity,
etc.
● Log each inbound transaction on receipt (log
conserve as an audit trail, so dapat lahat ng
inbound transaction nasa audit log and
vice-versa)
● Use control totals on receipt of transactions to
verify the number and value of transactions
to be passed to each application, reconcile
totals between applications and trading
[partners
● Segment count totals are built into the
transaction set trailer by the sender
● Use control techniques in the processing of
individual transaction such as check digits on
control fields, loop or repeat counts
● Ensure the exchange of control totals of
transactions send and received between
trading partners at predefined intervals
● Maintain a record if the number of messages
receive/sent and validate these with the
trading partners periodically
● Arrange for security over temporary files and
data transfer to ensure that inbound
transactions are not altered or erased
between time of transaction receipt and
application updates
○ Dapat di nagbabago yung files upon
transmission
● Hash totals - sum of meaningless information
● Pagdating ng invoice kay seller - inbound
CONTROLS ON OUTBOUND TRANSACTIONS
CONTROL OBJECTIVE
Only properly authorized outbound transactions are
processed. This includes the objectives that
outbound EDI messages are initiated on
authorization, that they contain only preapproved
transaction types and that they are sent only to
valid trading partners
● Control the setup and change of trading
partner details
○ Dapat may segregation of duties
● Compare transactions with trading partner
transaction profiles
● Match the trading partner number to the
trading master file
○ Dapat yung system kaya talagang gawin
yun. May defined list ng trading partners)
● Limit the authority of users within the
organization to initiate specific EDI
transactions.
● Segregate initiation and transmission
responsibilities for high-risk transactions.
● Document management sign-off on
programmed procedures and subsequent
changes
○ Pag pinirmahan they assume na part ng
responsibilities nila yun, dapat din may
date para alam ng users kung ano una nila
kailangan gawin
● Log all payment transactions to a separator
● Report large (value) or unusual transactions
for review prior to or after transmission
● Log outbound transactions in a secure
temporary file until authorized and due for
transmission
● Require paperless authorization that would
establish special access to authorization fields
(probably two levels, requiring the
intervention of different users) within the
computer system.
IT AUDITOR’S ROLE IN THE EDI BUSINESS
PROCESS
● Internet encryption processes put in place to
ensure authenticity, integrity, confidentiality
and nonrepudiation of transactions
○ Ensure that the encryption key is only
known to trading partners
● Edit check to identify erroneous ..
● Additional computerized checking to assess
transaction reasonableness and validity
● Each inbound transaction to ensure that it is
logged on receipt
○ All should be recorded in the log
8
 Module 2: Business Processes
● The use of control totals on receipt of
transactions to verify the number and value
of transactions to be passed to each
application and reconcile totals between
applications and with trading partners
○ Kung ano yung nilipat mo sa kabila yun
din dapat marereceive niya (echo checks)
● Segment count totals built into transaction set
trailers by the sender
● Transaction set count totals built into the
functional group headers by the sender
● Batch control totals built into the functional
group headers by the sender
The validity of the sender against trading
partner details by:
● The use of control fields within an EDI
message at either the transaction, function,
group or interchange level (often within the
EDI header, trailer or control record)
● The use of VAN sequential control numbers or
reports (if applicable)
● The sending of an acknowledgment
transaction to inform the sender of message
receipt. The sender should then match this
against a file/log of EDI messages sent.
○ Echo checks
EDI AUDITORS ALSO INVOLVE
AUDIT MONITORS
● Devices can be installed at EDI workstations
to capture transactions as they are received.
● Such transactions can be stored in a
protected file for use by the auditor.
● Consideration should be given to storage
requirements for voluminous amounts of data.
EXPERT SYSTEMS
● Most advanced
● Within the context of using the computer
system for internal control checks,
consideration should be given to having audit
monitors evaluate the transactions received.
● Based upon judgmental rules, the system can
determine the audit significance of such
transactions and provide a report for the
auditor’s use.
- May depend on decision tree
- Costly
MODULE 2 - PART 4
ELECTRONIC MAIL
Email may be the most heavily used feature of the
Internet or local area networks in an organization.
At the most basic level, the email process can be
divided into two principal components:
● Mail servers — Hosts that deliver, forward
and store mail
● Clients — Interface with users, allowing users
to read, compose, send and store email
messages
When a user sends an email message, it is first
broken up by the Transmission Control Protocol
(TCP) into Internet Protocol (IP) packets. Those
packets are then sent to an internal router, which
examines the address and decides whether the
mail is to be delivered inside or outside the
network. If the mail is meant for an internal client,
the mail is delivered to them. If the mail is to be
delivered outside the network, it may pass through
a firewall, which will determine if it can be sent or
received.
POINT-OF-SALE SYSTEMS
● enable the capture of data at the time and
place that sales transactions occur. The most
common payment instruments to operate
with POS are credit and debit cards.
● POS terminals may have attached peripheral
equipment—such as optical scanners to read
bar codes, magnetic card readers for credit or
debit cards, or electronic readers for smart
cards—to improve the efficiency and accuracy
of the transaction recording process.
○ Ex. payment to GCash
● IS must determine whether any cardholder
data, such as primary account numbers
(PANs) or personal identification numbers
(PINs), are stored on the local POS system.
● Any such information, if stored on the POS
system, should be encrypted using strong
encryption methods. Certain data, such as
card verification value (CVV) numbers, can
never be stored on these devices.
9
 Module 2: Business Processes

1. Effective management oversight of ebanking

activities
ELECTRONIC BANKING (EBANKING)
2. Establishment of a comprehensive security
● Operational control process
● Reputational 3. Comprehensive due diligence and
● Credit management oversight process for
● Liquidity outsourcing relationships and other
● Legal third-party dependencies
○ Terms and conditions - Since it is a collaboration between
● Strategic different internet providers, siyempre may
● Market (FX, Interest, etc.) relationship sa third party
- Due diligence - titignan nila yung
ELECTRONIC BANKING RISK MANAGEMENT character ng counterparty nila kung
CHALLENGES trustworthy ba

● The speed of change relating to technological

SECURITY CONTROLS
and service innovation in e-banking increases
the challenge to ensure that adequate 1. Authentication of ebanking customers
strategic assessment, risk analysis and - Biometrics - password, pin
security reviews are conducted prior to 2. Nonrepudiation and accountability for
implementing new e-banking applications. ebanking transactions
● Transactional e-banking websites and - Magrerequire ng OTP
associated retail and wholesale business - Additional layer of control
applications are typically integrated as much 3. Appropriate measures to ensure SoD
as possible with legacy computer systems to - Side mismo ng bank
allow more straight-through processing of 4. Proper authorization controls within
electronic transactions. ebanking systems, databases and
● Ebanking increases a bank’s dependence on applications
information technology thereby increasing the 5. Data integrity of ebanking transactions,
technical complexity of many operational and records and information
security issues and furthering a trend toward 6. Establishment of clear audit trails for
more partnerships, alliances and outsourcing ebanking transaction.
arrangements with third parties such as 7. Confidentiality of key bank information
Internet service providers, telecommunication
companies and other technology firms. LEGAL AND REPUTATIONAL RISK
○ One of the risk is the availability of MANAGEMENT
information, dahil nag-rerely ka sa 1. Appropriate disclosures for ebanking services
internet, pwedeng di mo ma-access yung - May inaccept kang terms and condition
information 2. Privacy of customer information
● The Internet significantly magnifies the - Deposit - bank secrecy law, di pwede
importance of security controls, customer silipin yung deposit mo
authentication techniques, data protection, 3. Capacity, business continuity and
audit trail procedures and customer privacy contingency planning to ensure availability of
standards. ebanking systems and services
○ Protect the confidentiality of your clients, 4. Incident response planning
di mo dapat dinidisclose, mataas na level - May nangyayaring events sa organization
of protection dapat ang ginagawa mo – virus, malware, phishing email
- Di naman lahat ng incident kailangan
RISK MANAGEMENT CONTROLS FOR aksyunan ng organization
EBANKING 5. Compliance to banking sector directives (e.g.,
Basel Accords)
Effective risk management controls for ebanking - Banks is one of the heavy regulated
include the following controls: industries

BOARD AND MANAGEMENT OVERSIGHT

ELECTRONIC FUNDS TRANSFER

10
 Module 2: Business Processes
● EFT is the electronic transfer of funds between
a buyer, a seller and their respective financial
institutions.
○ Kahit sino kahit di buyer seller (ex. Parents
mo binigyan ka ng allowance)
● EFT allows parties to move money from one
account to another account, replacing
traditional check writing and cash collection
procedures.
○ Ex. InstaPay, PesoNet
● EFT transactions usually function via an
internal bank transfer from one party’s
account to another or via a clearinghouse
network.
WHAT SHOULD IS AUDITOR REVIEW IN EFT
● physical security of unissued plastic cards
● the procedures used to generate PINs,
procedures used to issue cards and PINs
● conditions under which the consumer uses the
access devices
● contract with the switch and the third-party
audit of the switch operations
● interface between the EFT system and the
application systems that process the accounts
from which funds are transferred
● availability of funds or adequacy of credit
limits should be verified before funds are
transferred
● backup arrangements or other methods used
to ensure continuity of operations
● alternative audit trails available
SECURITY IN AN EFT ENVIRONMENT
ENSURES THAT:
● All the equipment and communication
linkages are tested to effectively and reliably
transmit and receive data.
○ During SDLC → user acceptance testing
○ May mga di gumaganang equipment
● Each party uses security procedures that are
reasonably sufficient for affecting the
authorized transmission of data and for
protecting business records and data from
improper access.
○ For the confidentiality of information
● There are guidelines set for the receipt of
data and to ensure that the receipt date and
time for data transmitted are the date and
time the data have been received.
○ Kung kailan mo siya tinransmit sa isa
ganon din sa kabila
● On receipt of data, the receiving party will
immediately transmit an acknowledgment or
notification to communicate to the sender
that a successful transmission occurred.
● Data encryption standards are set.
● Standards for unintelligible transmissions are
set.
○ Unintelligible transmission - may maling
data tapos di mo nabasa
● Regulatory requirements for enforceability of
electronic data transmitted and received are
explicitly stated.
AUTOMATED TELLER MACHINE (ATM)
● An ATM is a specialized form of the POS
terminal that is designed for the unattended
use by a customer of a financial institution.
● These machines customarily allow a range of
banking and debit operations—especially
financial deposits and cash withdrawals.
RECOMMENDED INTERNAL CONTROL
GUIDELINES FOR ATM
● Written policies and procedures covering
personnel, security controls, operations,
disaster recovery credit and check
authorization, floor limits, override,
settlement, and balancing
● Reconciliation of all general ledger accounts
related to retail EFTs and review of exception
items and suspense accounts
○ Since possible na ibang ATM ang
ginagamit sa general ledger
● Procedures for PIN issuance and protection
during storage
● Procedures for the security of PINs during
delivery and the restriction of access to a
customer’s account after a small number of
unsuccessful attempts
● Systems designed, tested and controlled to
preclude retrieval of stored PINs in any non
encrypted form. Application programs and
other software containing formulas,
algorithms and data used to calculate PINs
must be subject to the highest level of access
for security purposes.
○ Top secret: how to generate pins
● Controls over plastic card procurement, which
should be adequate and include a written
agreement between the card manufacturer
and the bank that details control procedures
and methods of resolution to be followed if
problems occur
● Controls and audit trails of the transactions
that have been made in the ATM. This should
include internal registration in the ATM, either
11
 Module 2: Business Processes
in internal paper or digital media, depending
on regulation or laws in each country and on
the hosts that are involved in the transaction.
IS AUDITOR’S ROLE IN USE OF ATM
To perform an audit of ATMs, an IS auditor should
undertake the following actions:
● Review controls (physical security) to prevent
introduction of malware.
● Review measures to establish proper customer
identification and maintenance of their
confidentiality.
● Review file maintenance and retention system
to trace transactions.
○ Retention system - policy of organization
regarding safe keeping of documents.
Dinedestroy agad yung documents
depending sa law or policy
● Review exception reports to provide an audit
trail.
○ Exception reports - iba-iba yung tawag
per banks
○ Ex. suspicious activity, maraming
unsuccessful attempts - pwedeng lumabas
sa report
● Review daily reconciliation of ATM
transactions including:
○ Review SoD in the opening of the ATM
and recount of deposit.
■ Dapat dalawa sila doon
○ Review the procedures made for the
retained cards.
■ Hiwalay dapat ang custody ng pin
and cards
■ Destroy unclaimed cards (dapat)
● Review encryption key change management
procedures.
○ Review physical security measures to
ensure security of the ATM and the
money contained in the ATM.
■ Common: installation of CCTVs
○ Review the ATM card slot, keypad and
enclosure to prevent skimming of card
data and capture of PIN during entry.
■ Skimming of ATM - doon sa slot
mismo ng ATM, ireread na niya yung
card, yung keypad fake din siya
nakaconnect, once na nakaconnect
pwede makuha info mo
■ As a precautionary measure, tignan
mo yung atm mo
INTERACTIVE VOICE RESPONSE (IVR)
● Phone technology that allows a computer to
detect voice and touch tones using a normal
phone call.
○ Ex. “Press 1” chuchuchu
● The caller uses the telephone keypad to select
from preset menu choices provided by the
IVR.
● The IVR system then responds with
prerecorded or dynamically generated audio
to further direct callers or route the caller to a
customer service representative.
An IS auditor should ensure that there are controls
over such systems in place to prevent unauthorized
individuals from entering system-level commands
that may permit them to change or rerecord menu
options.
PURCHASE ACCOUNTING SYSTEM
Most purchase accounting systems perform three
basic accounting functions:
ACCOUNTS PAYABLE PROCESSING
● Recording transactions in the accounts
payable records
- Minsan yung mga businesses uses A/P
para mamaximize yung use of funds
GOODS RECEIVED PROCESSING
● Recording details of goods received but not
yet invoiced
ORDER PROCESSING
● Recording goods ordered but not yet received
- Kabaliktaran ng goods received
processing
IMAGE PROCESSING
● Method of manipulating or altering an image
to achieve a desired result, typically for
improving its visual quality or extracting
useful information from it. It involves a
variety of techniques and algorithms to
modify or analyze images, and it is a
fundamental component of computer vision,
artificial intelligence, and many other fields.
○ Example: filter
BENEFITS FROM USING IMAGING SYSTEM
Most businesses that perform image processing
obtain benefits from using the imaging system.
12
 Module 2: Business Processes

Examples of potential benefits are: 5. SOFTWARE SECURITY

● Item processing (e.g., signature storage and
● Security controls over image system
retrieval)
documents are critical to protect institutions
● Immediate retrieval via a secure optical
and customer information from unauthorized
storage medium
access and modifications.
● Increased productivity
● The integrity and reliability of the imaging
● Improved control over paper files
system database are related directly to the
● Reduced deterioration due to handling
quality of controls over access to the system.
● Enhanced disaster recovery procedures
6. TRAINING
IS AUDITOR SHOULD BE AWARE ON:
● Inadequate training of personnel scanning the
documents can result in poor-quality
1. PLANNING document images and indexes, and the early
destruction of original documents. The
● The lack of careful planning in selecting and
installation and use of imaging systems can be
converting paper systems to document
a major change for department personnel.
imaging systems can result in excessive
They must be trained adequately to ensure
installation costs, the destruction of original
quality control over the scanning and storage
documents and the failure to achieve expected
of imaging documents as well as the use of the
benefits.
system to maximize the benefits of converting
● Critical issues include converting existing
to imaging systems.
paper storage files and integration of the
imaging system into the organization workflow
and electronic media storage to meet audit MODULE 2 - PART 5
and document retention legal requirements.

2. AUDIT INDUSTRIAL CONTROL SYSTEMS (ICS)

● Imaging systems may change or eliminate the
traditional controls as well as the checks and SUPERVISORY CONTROL AND DATA
balances inherent in paper-based systems. ACQUISITION
Audit procedures may have to be redesigned for controlling, monitoring, and analyzing industrial
and new controls designed into the automated devices and processes
process.
DISTRIBUTED CONTROL SYSTEMS
3. REDESIGN OF WORKFLOW
platform for automated control and operation of a
● Institutions generally redesign or reengineer plant or industrial process
workflow processes to benefit from imaging
technology. PROGRAMMABLE LOGIC CONTROLLERS
type of tiny computer that can receive data
4. SCANNING DEVICES
through its inputs and send operating instructions
● Scanning devices are the entry point for image through its outputs
documents and a significant risk area in
imaging systems. They can disrupt workflow if
the scanning equipment is not adequate to
handle the volume of documents or the
equipment breaks down. The absence of
controls over the scanning process can result in
poor quality images, improper indexing, and
incomplete or forged documents being entered
into the system. Procedures should be in place
to ensure that original documents are not
destroyed before determining that a good
image has been captured.

13
 Module 2: Business Processes
ICS RISK FACTORS
● Blocked or delayed flow of information
through ICS networks, which could disrupt
ICS operation.
● Unauthorized changes to instructions,
commands or alarm thresholds, which could
damage, disable or shut down equipment,
create environmental impacts, and/or
endanger human life.
○ It is important to take note that no matter
how expensive the IT assets of an
organization have, the safety of human life
remains the top priority.
● Inaccurate information sent to system
operators, either to disguise unauthorized
changes or to cause the operators to initiate
inappropriate actions, which could have
various negative effects.
○ Thus it is imperative to verify the
authorization and propriety of the
transmitted information
● ICS software or configuration settings
modified, or ICS software infected with
malware, which could have various negative
effects. A compromised system would render
it ineffective.
○ It is important to add layers of control,
such as antivirus software to prevent the
infection of malware on the other hand
any modification of the system should be
scrutinized, and tested prior to its release
to the live production.
● Interference with the operation of safety
systems, which could endanger human life.
○ Hence, safety protocols should always be
in place.
ICS CONTROLS
● Restricting logical access to the ICS network
and network activity. This includes using a
demilitarized zone (DMZ) network
architecture with firewalls to prevent network
traffic from passing directly between the
corporate and ICS networks and having
separate authentication mechanisms and
credentials for users of the corporate and ICS
networks.
○ This can be achieved by installing access
control software.
● The ICS should also use a network topology
that has multiple layers, with the most
critical communications occurring in the
most secure and reliable layer.
● Restricting physical access to the ICS
network and devices. Unauthorized physical
access to components could cause serious
disruption of the ICS’s functionality. A
combination of physical access controls
should be used, such as locks, card readers
and/or guards.
● Protecting individual ICS components from
exploitation. This includes deploying security
patches in as expeditious a manner as
possible, after testing them under field
conditions; disabling all unused ports and
services; restricting ICS user privileges to only
those that are required for each person’s role;
tracking and monitoring audit trails; and
using security controls such as antivirus
software and file integrity checking software,
where technically feasible, to prevent, deter,
detect and mitigate malware.
● Maintaining functionality during adverse
conditions. This involves designing the ICS so
that each critical component has a redundant
counterpart. Additionally, if a component
fails, it should fail in a manner that does not
generate unnecessary traffic on the ICS or
other networks, or does not cause another
problem elsewhere, such as a cascading
event.
● Restoring the system after an incident.
Incidents are inevitable, and an incident
response plan is essential. A major
characteristic of a good security program is
how quickly a system can be recovered after
an incident has occurred.
ARTIFICIAL INTELLIGENCE
● Knowledge is acquired and used.
● Goals are generated and achieved.
14
 Module 2: Business Processes
● Information is communicated.
● Collaboration is achieved.
● Concepts are formed.
● Languages are developed.
AI fields include, among others:
● Expert systems
● Natural and artificial (such as programming)
languages
● Neural networks
● Intelligent text management
● Theorem proving
● Abstract reasoning
● Pattern recognition
● Voice recognition
● Problem solving
● Machine translation of foreign languages
- Nonetheless AI should never be the sole basis
for forming our conclusion, it can aid us in
decision making but never a substitute of our
professional judgment.
EXPERT SYSTEMS
are an area of AI and perform a specific function or
are prevalent in certain industries. An expert
system allows the user to specify certain basic
assumptions or formulas and then uses these
assumptions or formulas to analyze arbitrary
events. Based on the information used as input to
the system, a conclusion is produced.
Advantages:
● Capturing the knowledge and experience of
individuals
● Sharing knowledge and experience
● Enhancing personnel productivity and
performance
● Automating highly (statistically) repetitive
tasks (help desk, score credits, etc.)
● Operating in environments where a human
expert is not available (e.g., medical
assistance on board of a ship, satellites)
KNOWLEDGE BASE (KB) contains specific
information or fact patterns associated with
particular subject matter and the rules for
interpreting these facts. The KB interfaces with a
database in obtaining data to analyze a particular
problem in deriving an expert conclusion.
The information in the KB can be expressed in
several ways:
● Decision trees - used questionnaires to lead
the user to a series of choices until the
conclusion is reached.
● Rules - an expression of declarative
knowledge through the use of if and
relationships.
● Semantic nets - use a graph in which the
nodes represent physical or conceptual
objects, and the arcs describe the relationship
between the nodes. resemble a data flow
diagram, and make use of inheritance
mechanisms to prevent duplication of data.
additionally, the inference engine shown is a
program that uses the knowledge base and
determines the most appropriate outcome
based on the information supplied by the user.
● Knowledge interface - inclusion of knowledge
from an expert into the system without the
traditional mediation of a software engineer.
● Data interface - is the collection of data from
nonhuman sources through an expert system.
IS AUDITOR’S ROLES IN EXPERT SYSTEMS
● Understand the purpose and functionality of
the system
● Assess the system’s significance to the
organization and related businesses
processes as well as the associated potential
risk
● Review the adherence of the system to
corporate policies and procedures
● Review the decision logic built into the system
to ensure that the expert knowledge or
intelligence in the system is sound and
accurate
● Review procedures for updating information
in the KB
● Review security access over the system,
specifically the KB
● Review procedures to ensure that qualified
resources are available for maintenance and
upgrading
SUPPLY CHAIN MANAGEMENT
● is linking the business processes between the
related entities such as the buyer and the
seller. The link is provided to all the connected
areas such as managing logistics and the
exchange of information, services and goods
among supplier, consumer, warehouse,
wholesale/retail distributors and the
manufacturer of goods.
○ Technology serves as the catalyst for its
expansion. The Internet creates the bridge
for communicating among different
business partners. Proper implementation
of supply chain management could lead to
15
 Module 2: Business Processes
efficiency, reduced cost and significant
savings.
CUSTOMER RELATIONSHIP MANAGEMENT
● is the combination of practices, strategies and
technologies that companies use to manage
and analyze customer interactions and data
throughout the customer lifecycle. The goal is
to improve customer service relationships and
assist with customer retention and drive sales
growth.
○ Customers are the life blood of every
business. Hence we need to understand
their needs and wants to satisfy them. This
emphasizes the importance of focusing on
information relating to transaction, data
preferences, purchase patterns, status
contact history, demographic information
and service trends of customers, rather
than on products.
OPERATIONAL CRM
● Concerned with maximizing the utility of the
customer’s service experience while also
capturing useful data about the customer
interaction.
● Ex. Feedback report, live chat system
ANALYTICAL CRM
● Seeks to analyze information captured by the
organization about its customers and their
interactions with the organization into
information that allows greater value to be
obtained from the customer base.
● CRM analytics makes storing, organizing,
analyzing your customer information easy which
makes it easier to make smart decisions. Well
analyze data is a vital tool for building
successful strategies which can be made
possible by an analytical CRM a typical
analytical CRM is composed of:
○ Online Analytical Processing (OLAP) -
organizes large sets of data simultaneously.
○ Data Mining - analyze data to solve
business problems by identifying patterns
and relationships.
○ Data Warehousing - collects and archives
data from multiple systems.
MODULE 2 - PART 6
USING THE SERVICES OF OTHER AUDITORS
AND EXPERTS
As mentioned in the previous module, the audit
function should have collective knowledge from
different individuals. However, there is still a chance
that there are highly technical fields beyond the
current skills and expertise of the audit function.
Services of other experts for the engagement might
be needed to fill in the gap.
USING THE SERVICES OF OTHER EXPERTS
● Assess and approve the adequacy of the
other experts’ professional qualifications,
competencies, relevant experience, resources,
independence and quality-control processes
prior to the engagement.
○ The expert should have the necessary skill
set in training, which the audit team is
lacking. In addition, the experts should be
likewise independent both in fact and in
appearance.
● Assess, review and evaluate the work of other
experts as part of the engagement and
document the conclusion on the extent of use
and reliance on their work.
○ The usefulness and appropriateness of the
report as well as the impact of significant
findings on the overall audit objectives
should likewise be assessed.
● Determine whether the work of other experts,
who are not part of the engagement team, is
adequate and complete to conclude on the
current engagement objectives.
○ We can exercise our professional judgment
and review of their working papers to
achieve this objective.
● Determine whether the work of other experts
will be relied upon and incorporated directly
or referred to separately in the report.
○ If other experts' access to records or
systems is prohibited by enterprise internal
policies, practitioners should determine
the appropriate extent of use and reliance
on the other experts' work.
● Apply additional test procedures to gain
sufficient and appropriate evidence in
circumstances where the work of other
experts does not provide sufficient and
appropriate evidence.
○ This can be done through test of controls
and substantial extent of testing.
● Provide an audit opinion or conclusion, and
include any scope limitation where required
16
 Module 2: Business Processes
evidence is not obtained through additional
test procedures.
FACTORS TO BE CONSIDERED
● Restrictions on outsourcing of audit/security
services provided by laws and regulations
○ There are some jurisdictions that might not
allow the outsourcing of the audit function.
Hence the chief audit executive should be
aware of the laws and regulations
governing the organization.
● Audit charter or contractual stipulations
○ Outsourcing for outsourcing services
should be documented in the audit charter
in order for the work of the expert to be
considered in the audit objectives of the IS
audit function.
● Impact on overall and specific IS audit
objectives
○ Is the hiring of experts really necessary?
○ Is the function to be audited critical?
○ The IS audit function should conduct cost
benefit analysis before engaging the work
of other experts.
● Impact on IS audit risk and professional
liability
○ It is important to understand that
although a part or the whole of the audit
work may be delegated to an external
service provider, the related professional
liability is not necessarily delegated. At the
end of the day, the responsibility still rests
with the IS audit function.
● Scope of work proposed to be outsourced and
approach
○ This should be documented in the
agreement between the IS audit function
and third party experts. We should clearly
communicate the audit objectives, scope,
and methodology through a formal
engagement letter.
● Supervisory and audit management controls
○ Monitoring process for regular review of
the work of the external service provider
with regard to planning, supervision,
review, and documentation should be
established by IS audit function.
● Method and modalities of communication of
results of audit work
○ This should also be agreed upon with the
experts.
● Compliance with legal and regulatory
stipulations
○ If outsourcing is allowed under the
jurisdiction where the organization is
situated, the chief audit executive should
be wary of the prudential requirements to
comply with the regulations.
● Compliance with applicable professional
standards
○ Just like the IS auditors who are governed
by ISACA, other professionals should
adhere with their respective and globally
accepted standards. We should also
consider their compliance on the code of
ethics of their profession.
OTHER REQUIREMENTS
● Testimonials/references and background
checks.
○ Due diligence should be performed on the
character in capability of the expert.
● Access to systems, premises and records.
○ Considering that the experts are outsiders
from the organization, their access should
be on a need to know basis their access to
the records, whether physical or logical
should be revoked once their assignment
is finished.
● Confidentiality restrictions to protect
customer-related information.
○ Confidential information should not be
compromised when securing the services
of the expert.
● Use of computer-assisted auditing techniques
and other tools to be used by the external
audit service provider.
○ Only the tools, methodologies necessary
for their objective should be granted to the
expert. Likewise, this should be
agreed-upon and documented in the
engagement letter or contract.
● Standards and methodologies for
performance of work and documentation.
○ As much as possible, this should be
aligned with the methodologies of the ICS
audit function.
● Nondisclosure agreements.
○ Third party experts should be required to
sign this contract since it provides legal
indemnification in case information were
disclosed by the experts, without the
consent or permission of the organization.
17