
Suggested answers November 2018 - Information system control and audit ISCA

1.a


STEP 1: Present Process Documentation

In this step, the present business process is analysed and documented. The key deliverables of this step are the well-defined shortcomings of the present processes and the overall business requirements.

This step includes the following activities:

· Understanding the business and the objectives for which it exists;

· Documenting the existing business processes; and

· Analysis of the documented processes.

STEP 2: Proposed Process Documentation

This step is to design the new process requirements for the system. The design is based on the new system requirements and the changes proposed.

The activities include the following:

· Understanding of the business processes necessary to achieve the business objectives;

· Designing the new processes; and

· Documentation of the new process, preferably using CASE tools.

STEP 3: Implementation of New Process

This step is to implement the new as well as the modified processes at the entity.

The critical activities may include the following:

· Validating the new process;

· Implementing the new process; and

· Testing the new process.

· System development effort is triggered in two basic situations: first due to stress, and second due to opportunity.

· Business process design depends largely on the nature of the system, i.e., whether it is integrated, automated or manual.

· The idea of business process design has different implications depending on whether it is being designed for an integrated, an automated or a manual system.

Each kind of system needs its own design considerations, which are best understood through case descriptions of each kind.

1.b.


i. Policy on use of network services: An enterprise-wide policy on Internet service requirements, aligned with the business need for using those services, is the first step. Selection of the appropriate services and approval to access them should be part of this policy.

ii. Enforced path: Based on risk assessment, the exact path or route connecting the networks should be specified; e.g., Internet access by employees is routed only through a firewall and proxy, so that no direct path bypasses them.

iii. Segregation of networks: Networks that handle sensitive information (say, a VPN connection between a branch office and the head office) should be isolated from general Internet usage.

iv. Network connection and routing control: Traffic between networks should be restricted, based on identification of the source and on the authentication and access policies implemented across the enterprise network.

v. Security of network services: Authentication and authorization policies should be implemented consistently across the organization's network.

vi. Firewall: Organizations connected to the Internet and an intranet often implement a firewall to insulate their network from intruders. A firewall is a system that enforces access control between two networks. To accomplish this, all traffic between the external network and the organization's intranet must pass through the firewall; only authorized traffic is allowed through, and everything else is denied by default. The firewall itself must be resistant to penetration from both outside and inside the organization. In addition to insulating the organization's network from external networks, firewalls can be used to insulate portions of the intranet from internal access as well.

vii. Encryption: Encryption is the conversion of data into a form that cannot be read without the key, for storage in databases and transmission over networks. The sender applies an encryption algorithm to the original message, called the clear text, producing cipher text, which is decrypted at the receiving end. The algorithm uses a key; a longer key gives a larger key space and therefore more resistance to brute-force search, although the strength of the scheme also depends on the algorithm itself and on how the keys are managed. Two general approaches are used: private-key (symmetric) encryption, where sender and receiver share the same secret key, and public-key (asymmetric) encryption, where data encrypted with a public key can be decrypted only with the corresponding private key.

viii. Call-back devices: These are based on the principle that the key to network security is keeping the intruder off the intranet rather than imposing security measures after the intruder has already connected. The call-back device requires the user to enter a password and then breaks the connection. If the caller is authorized, the device dials the caller's registered number to establish a new connection. This limits dial-in access to authorized terminals or telephone numbers and prevents an intruder from masquerading as a legitimate user from an unknown location. Note that call-back relies on the telephone network delivering the call to the registered number; an attacker who can arrange call forwarding on that number, or who can intercept the line, can defeat it, so it supplements rather than replaces strong authentication.

ix. Recording of transaction log: An intruder may try to penetrate the system by trying different passwords and user ID combinations. All incoming and outgoing requests, along with attempted accesses (successful or not), should be recorded in a transaction log. The log should record the user ID, the time of the access and the terminal location from which the request originated, so that repeated failures from one terminal, or against many user IDs, can be detected.
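As an added example that is not part of the original answer: the transaction-log detection described in point ix, written in Python. The log layout (user ID, timestamp, terminal, result), the four-attempts-in-five-minutes threshold and the sample lines are all assumptions constructed for the illustration.

```python
"""Added example (not part of the original answer): scanning a transaction log
for repeated failed sign-on attempts. The log format (user ID | timestamp |
terminal | result) and the sample lines are assumptions constructed for this
illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; T-101 shows one terminal cycling through user IDs.
SAMPLE_LOG = """\
jsmith|2018-11-10T09:00:01|T-101|FAIL
jsmith|2018-11-10T09:00:09|T-101|FAIL
admin|2018-11-10T09:00:15|T-101|FAIL
root|2018-11-10T09:00:22|T-101|FAIL
jsmith|2018-11-10T09:00:40|T-101|FAIL
jsmith|2018-11-10T09:00:55|T-101|OK
mlee|2018-11-10T09:01:00|T-202|FAIL
mlee|2018-11-10T09:30:00|T-202|FAIL
mlee|2018-11-10T10:15:00|T-202|OK
"""


def parse_log(text):
    """Yield (user_id, timestamp, terminal, result) tuples. Malformed lines are
    skipped here; a production version should count them, because a corrupt
    line could be hiding an attempt."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        user, stamp, terminal, result = parts
        try:
            yield user, datetime.fromisoformat(stamp), terminal, result
        except ValueError:
            continue


def detect_bruteforce(text, threshold=4, window=timedelta(minutes=5)):
    """Flag terminals with >= threshold failed attempts inside a sliding window.

    Keying by terminal rather than by user ID catches an intruder who rotates
    through many user IDs from one place (password spraying).
    Returns {terminal: {"count", "first", "last", "users"}}.
    """
    recent = defaultdict(deque)   # terminal -> deque of (timestamp, user)
    alerts = {}
    for user, stamp, terminal, result in parse_log(text):
        if result != "FAIL":
            continue
        q = recent[terminal]
        q.append((stamp, user))
        while q and stamp - q[0][0] > window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[terminal] = {
                "count": len(q),
                "first": q[0][0],
                "last": stamp,
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for terminal, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{terminal}: {info['count']} failures between {info['first']} "
              f"and {info['last']} against {', '.join(info['users'])}")
```

Keying the window by terminal matters: an intruder who tries one guess against each of many user IDs never trips a per-user lockout, but the pattern is obvious from the terminal column that the log is required to record. T-202 in the sample shows two failures half an hour apart and is, correctly, not flagged.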

1.c


An enterprise with BCM uses training as a tool to initiate a culture of BCM in all its stakeholders by:

· Developing a BCM program more efficiently;

· Providing confidence in its stakeholders (especially staff and customers) in its ability to handle business disruptions;

· Increasing its resilience over time by ensuring BCM implications are considered in decisions at all levels; and

· Minimizing the likelihood and impact of disruptions

Development of a BCM culture is supported by:

· Leadership from senior personnel in the enterprise;

· Assignment of responsibilities;

· Awareness raising;

· Skills training; and

· Exercising plans.

1.d


Auditors might use SCARF to collect the following types of information:

a) Application System Errors - SCARF audit routines provide an independent check on the quality of system processing, detecting design and programming errors as well as errors introduced into the system when it is modified and maintained.

b) Policy and Procedural Variances - Organizations have to adhere to the policies, procedures and standards of the organization and the industry to which they belong. SCARF audit routines can be used to check when variations from these policies, procedures and standards have occurred.

c) System Exceptions - SCARF can be used to monitor different types of application system exceptions. For example, salespersons might be given some leeway in the prices they charge to customers; SCARF can be used to see how frequently salespersons override the standard price.

d) Statistical Sample - Some embedded audit routines might be statistical sampling routines; SCARF provides a convenient way of collecting all the sample information together in one file and applying analytical review tools to it.

e) Snapshots and Extended Records - Snapshots and extended records can be written into the SCARF file and printed when required.

f) Profiling Data - Auditors can use embedded audit routines to collect data to build profiles of system users. Deviations from these profiles may indicate errors or irregularities.

g) Performance Measurement - Auditors can use embedded routines to collect data that is useful for measuring or improving the performance of an application system.
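As an added example, not part of the original answer or of any ICAI material: what an embedded audit routine writing to a SCARF file can look like in Python, using the price-override exception from point (c) together with the sampling and profiling uses from points (d) and (f). The order processor, the SCARF record layout, the 10% pricing leeway, the every-fourth-order sample and the orders themselves are assumptions constructed for the illustration.

```python
"""Added example (not part of the original answer): an embedded audit routine
in the SCARF style. The order processor, the SCARF record layout, the 10%
pricing leeway, the systematic sample and the sample orders are assumptions
made for this illustration."""
from dataclasses import dataclass, field
from statistics import mean, median


@dataclass
class Order:
    order_id: str
    salesperson: str
    list_price: float
    charged_price: float


@dataclass
class ScarfFile:
    """The System Control Audit Review File: records written by the embedded
    routine for the auditor, kept apart from the application's own data."""
    records: list = field(default_factory=list)

    def write(self, kind, **data):
        self.records.append({"kind": kind, **data})

    def of_kind(self, kind):
        return [r for r in self.records if r["kind"] == kind]


class OrderProcessor:
    def __init__(self, scarf, override_leeway=0.10, sample_every=4):
        self.scarf = scarf
        self.leeway = override_leeway      # discount a salesperson may give freely
        self.sample_every = sample_every   # systematic sample: every n-th order
        self.seen = 0
        self.discounts = {}                # salesperson -> discounts given

    def process(self, order):
        """Normal order processing with the audit hook embedded in the flow."""
        discount = 1 - order.charged_price / order.list_price
        self.seen += 1
        # --- embedded audit routine: writes to the SCARF file ---
        if discount > self.leeway:                      # exception: price override
            self.scarf.write("exception", order_id=order.order_id,
                             salesperson=order.salesperson,
                             discount=round(discount, 3))
        if self.seen % self.sample_every == 0:          # statistical sample
            self.scarf.write("sample", order_id=order.order_id,
                             salesperson=order.salesperson,
                             charged=order.charged_price)
        self.discounts.setdefault(order.salesperson, []).append(discount)
        # --- application continues; the hook never changes the result ---
        return round(order.charged_price, 2)

    def profile_deviations(self, margin=0.10):
        """Profiling: flag salespeople whose mean discount sits well above the
        median of their peers (a fixed margin is used because the number of
        salespeople is far too small for a z-score to be meaningful)."""
        means = {sp: mean(ds) for sp, ds in self.discounts.items()}
        baseline = median(means.values())
        return sorted(sp for sp, m in means.items() if m > baseline + margin)


# Constructed sample orders: carol routinely sells far below list price.
SAMPLE_ORDERS = [
    Order("O1", "alice", 100.0, 100.0), Order("O2", "bob", 100.0, 100.0),
    Order("O3", "carol", 100.0, 70.0),  Order("O4", "dave", 100.0, 95.0),
    Order("O5", "alice", 100.0, 95.0),  Order("O6", "bob", 100.0, 98.0),
    Order("O7", "carol", 100.0, 75.0),  Order("O8", "dave", 100.0, 100.0),
    Order("O9", "alice", 100.0, 95.0),  Order("O10", "bob", 100.0, 96.0),
    Order("O11", "carol", 100.0, 65.0), Order("O12", "dave", 100.0, 99.0),
]


def run_example():
    """Process the sample orders; return the SCARF file and the profiling result."""
    scarf = ScarfFile()
    proc = OrderProcessor(scarf)
    for order in SAMPLE_ORDERS:
        proc.process(order)
    return scarf, proc.profile_deviations()


if __name__ == "__main__":
    scarf, flagged = run_example()
    print(len(scarf.of_kind("exception")), "overrides recorded; profile outliers:", flagged)
```

The point of the structure is that the audit records are produced by the application itself, at the moment the transaction is processed, and land in a file the application does not otherwise read; that is what lets the auditor rely on them as an independent record rather than on whatever the application's own reports choose to show.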

2.a


a) Understanding the Technology: This could include consideration of the following:

a. Analysis of business processes and level of automation,

b. Assessing the extent of dependence of the enterprise on Information Technology to carry on its businesses i.e. Role of IT in the success and survival of business,

c. Understanding the technology architecture, which could be quite diverse, such as a distributed architecture, a centralized architecture or a hybrid architecture, and understanding the extended enterprise architecture wherein the organization's systems connect seamlessly with other stakeholders such as vendors (SCM), customers (CRM), employees (ERM) and the government,

d. Studying network diagrams to understand physical and logical network connectivity,

e. Knowledge of various technologies and their advantages and limitations is a critical competence requirement for the auditor, for example, authentication risks relating to e-mail systems,

f. Studying Information Technology policies, standards, guidelines and procedures.

2.b


• The reduction of redundant controls and related time to execute (audit, test and remediate);

• The reduction in control failures in all key areas;

• The reduction of expenditure relating to legal, regulatory and review areas;

• Reduction in overall time required for audit for key business areas;

• Improvement through streamlining of processes and reduction in time through automation of control and compliance measures;

• Improvement in timely reporting of regular compliance issues and remediation measures; and

• Dashboard of overall compliance status and key issues to senior management on a real-time basis as required.

2.c


Remote access to work:

It provides the mobile workforce with remote access to work order details, such as work order location, contact information, required completion date, asset history and relevant warranties/service contracts.
Real-time updating of work:

It enables mobile sales personnel to update work order status in real time, facilitating excellent communication.
Access to corporate services:

It facilitates access to corporate services and information at any time, from anywhere.
Access to the corporate Knowledgebase:

It provides remote access to the corporate Knowledgebase at the job location.
Improve management effectiveness:

Improve management effectiveness by enhancing information quality, information flow, and ability to control a mobile workforce.

3.a



On the basis of the functionality, these are of two types:


(i) Pure Cyber Frauds: Frauds which exist only in the cyber world; they are born out of the use of technology. For example: website hacking.

(ii) Cyber Enabled Frauds: Frauds which can be committed in the physical world also, but where the use of technology changes the size, scale and location of the fraud. For example: withdrawal of money from a bank account using a stolen PIN.

· Phishing: It is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

· Network Scanning: The process of identifying the active hosts on a network, for the purpose of gathering information such as their IP addresses; it is typically the reconnaissance step that precedes an attack.

· Virus/Malicious Code: As per Section 43 of the Information Technology Act, 2000, "Computer Virus" means any computer instruction, information, data or program that destroys, damages, degrades or adversely affects the performance of a computer resource or attaches itself to another computer resource and operates when a program, data or instruction is executed or some other event takes place in that computer resource;

· Spam: E-mailing the same message to everyone on one or more Usenet News Group or LISTSERV lists is termed as spam.

· Website Compromise/Malware Propagation: This includes website defacement and the hosting of malware on websites in an unauthorized manner.

· Cracking: Crackers are hackers with malicious intentions.

· Eavesdropping: It refers to the listening of the private voice or data transmissions, often using a wiretap.

· E-mail Forgery: Sending e-mail messages that look as if someone else sent it is termed as E-mail forgery.

· E-mail Threats: Sending a threatening message to try to get the recipient to do something that would make it possible to defraud him is termed an e-mail threat.

· Scavenging: This is gaining access to confidential information by searching corporate records.
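As an added example, not part of the original answer: first-pass header and link checks of the kind used to spot the phishing and e-mail forgery items above, in Python using only the standard library. The two messages, their domains and the heuristics are constructed for this illustration.

```python
"""Added example (not part of the original answer): first-pass checks for
e-mail forgery and phishing lures. The two messages, their domains and the
heuristics are assumptions constructed for this illustration."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
LURE_PHRASES = ("verify your password", "account will be suspended", "urgent")

# Constructed: looks like it comes from the IT administrator, but the reply
# address, the bounce address and the link all point elsewhere.
PHISH = """\
From: "IT Administrator" <helpdesk@example.com>
Reply-To: support@examp1e-security.net
Return-Path: <bounce@mail-relay.example.net>
Subject: Urgent: verify your password
Content-Type: text/plain

Your mailbox is full. Sign in at http://example.com.login-verify.net/reset
within 24 hours to keep access.
"""

# Constructed: a plain internal notice with a link on the sender's own domain.
BENIGN = """\
From: Payroll <payroll@example.com>
Subject: November payslips
Content-Type: text/plain

Payslips are available at https://hr.example.com/payslips.
"""


def registrable(host):
    """Crude 'registered domain' = last two labels. Enough for this example;
    a real tool would consult the public suffix list (co.uk and the like)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def addr_domain(header_value):
    """Domain of the address in a header, or '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def analyse(raw):
    """Return a list of human-readable findings; an empty list means these
    particular checks saw nothing suspicious, not that the mail is safe."""
    msg = message_from_string(raw)
    findings = []
    from_dom = addr_domain(msg.get("From"))

    # 1. Forgery indicators: reply/bounce addresses on a different domain.
    for hdr in ("Reply-To", "Return-Path"):
        dom = addr_domain(msg.get(hdr))
        if dom and registrable(dom) != registrable(from_dom):
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")

    # 2. Links: off-domain, or the sender's domain used as a lookalike prefix.
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    body = "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain"
    )
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if from_dom and host.startswith(from_dom + "."):
            findings.append(f"link host {host} embeds sender domain {from_dom} as a lookalike prefix")
        elif registrable(host) != registrable(from_dom):
            findings.append(f"link host {host} is outside sender domain {from_dom}")

    # 3. Social-engineering pressure in the subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    findings.extend(f"lure phrase present: '{p}'" for p in LURE_PHRASES if p in text)
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(name, analyse(raw) or ["no findings"])
```

A Return-Path on a different domain is routinely legitimate for mail sent through a bulk provider, so treat that finding as one signal to weigh with the others rather than as proof of forgery; the lookalike-prefix check, by contrast, rarely fires on genuine mail.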

3.b


· To grant legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce', in place of paper-based methods of communication;

· To give legal recognition to Digital signatures for authentication of any information or matter, which requires authentication under any law;

· To facilitate electronic filing of documents with Government departments;

· To facilitate electronic storage of data;

· To facilitate and give legal sanction to electronic fund transfers between banks and financial institutions;

· To give legal recognition to the keeping of books of accounts by bankers in electronic form.

3.c


a) Scheduled Maintenance: Scheduled maintenance is anticipated and can be planned for operational continuity and avoidance of anticipated risks. For Example: the implementation of a new inventory coding scheme can be planned in advance, security checks may be promulgated etc.

b) Rescue Maintenance: Rescue maintenance refers to previously undetected malfunctions that were not anticipated but require an immediate troubleshooting solution. A system that is properly developed and tested should have few occasions for rescue maintenance.

c) Corrective Maintenance: Corrective maintenance deals with fixing bugs in the code or defects found during execution. A defect can result from design errors, logic errors, coding errors, data processing errors and system performance errors. The need for corrective maintenance is usually initiated by bug reports drawn up by the end users. Examples of corrective maintenance include correcting a failure to test for all possible conditions or a failure to process the last record in a file.

d) Adaptive Maintenance: Adaptive maintenance consists of adapting software to changes in the environment, such as the hardware or the operating system. The term environment in this context refers to the totality of all conditions and influences, which act from outside upon the system, for Example: business rule, government policies, work patterns, software and hardware operating platforms. The need for adaptive maintenance can only be recognized by monitoring the environment.

e) Perfective Maintenance: Perfective maintenance mainly deals with accommodating to the new or changed user requirements and concerns functional enhancements to the system and activities to increase the system's performance or to enhance its user interface.

f) Preventive Maintenance: Preventive maintenance concerns with the activities aimed at increasing the system's maintainability, such as updating documentation, adding comments, and improving the modular structure of the system. The long-term effect of corrective, adaptive and perfective changes increases the system's complexity. As a large program is continuously changed, its complexity, which reflects deteriorating structure, increases unless work is done to maintain or reduce it. This work is known as preventive change.

4.a


"Electronic signature" means authentication of any electronic record by a subscriber by means of the electronic technique specified in the Second Schedule and includes digital signature. "Electronic Signature Certificate" means an Electronic Signature Certificate issued under section 35 and includes a Digital Signature Certificate.

Section 3A

(1) Notwithstanding anything contained in section 3 (thereby overriding the conditions given in section 3 for authentication of an electronic record), but subject to the provisions of sub-section (2), a subscriber may authenticate any electronic record by such electronic signature or electronic authentication technique which-

a. is considered reliable; and

b. may be specified in the Second Schedule.

(2) For the purposes of this section, any electronic signature or electronic authentication technique shall be considered reliable if-

a. the signature creation data or the authentication data are, within the context in which they are used, linked to the signatory or, as the case may be, the authenticator and to no other person;

b. the signature creation data or the authentication data were, at the time of signing, under the control of the signatory or, as the case may be, the authenticator and of no other person;

c. any alteration to the electronic signature made after affixing such signature is detectable;

d. any alteration to the information made after its authentication by electronic signature is detectable; and

e. it fulfils such other conditions as may be prescribed.

4.b


• Understand enterprise direction: Consider the current enterprise environment and business processes, as well as the enterprise strategy and future objectives. Consider also the external environment of the enterprise (industry drivers, relevant regulations, basis for competition).

• Assess the current environment, capabilities and performance: Assess the performance of current internal business and IT capabilities and external IT services, and develop an understanding of the enterprise architecture in relation to IT. Identify issues currently being experienced and develop recommendations in areas that could benefit from improvement. Consider service provider differentiators and options and the financial impact and potential costs and benefits of using external services.

• Define the target IT capabilities: Define the target business and IT capabilities and required IT services. This should be based on the understanding of the enterprise environment and requirements; the assessment of the current business process and IT environment and issues; and consideration of reference standards, best practices and validated emerging technologies or innovation proposals.

• Conduct a gap analysis: Identify the gaps between the current and target environments and consider the alignment of assets (the capabilities that support services) with business outcomes to optimize investment in and utilization of the internal and external asset base. Consider the critical success factors to support strategy execution.

• Define the strategic plan and road map: Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT-related goals will contribute to the enterprise's strategic goals. Include how IT will support IT-enabled investment programs, business processes, IT services and IT assets. IT should define the initiatives that will be required to close the gaps, the sourcing strategy, and the measurements to be used to monitor achievement of goals, then prioritize the initiatives and combine them in a high-level road map.

• Communicate the IT strategy and direction: Create awareness and understanding of the business and IT objectives and direction, as captured in the IT strategy, through communication to appropriate stakeholders and users throughout the enterprise.

4.c


• All systems work for predetermined objectives and the system is designed and developed accordingly,

• A system has a number of interrelated and interdependent subsystems or components. No subsystem can function in isolation; it depends on other subsystems for its inputs. If one subsystem or component fails, in most cases the whole system stops working (depending on how tightly the subsystems depend on one another).

• The way a subsystem works with another subsystem is called interaction. The different subsystems interact to achieve the goal of the system.

• The work done by individual subsystems is integrated to achieve the central goal of the system. The goal of an individual subsystem is of lower priority than the goal of the entire system.

5.a

Monitor Internal Controls:

Continuously monitor, benchmark and improve the IT control environment and control framework to meet organizational objectives.
Review Business Process Controls Effectiveness:

Review the operation of controls, including a review of monitoring and test evidence to ensure that controls within business processes operate effectively.
Perform Control Self-assessments:

Encourage management and process owners to take positive ownership of control improvement through a continuing program of self-assessment to evaluate the completeness and effectiveness of management's control over processes, policies and contracts.
Identify and Report Control Deficiencies:

Identify control deficiencies and analyse and identify their underlying root causes. Escalate control deficiencies and report to stakeholders.
Ensure that assurance providers are independent and qualified:

The entities performing assurance should demonstrate an appropriate attitude and appearance, competence in the skills and knowledge necessary to perform assurance, and adherence to codes of ethics and professional standards.
Plan Assurance Initiatives:

Plan assurance initiatives based on enterprise objectives and conformance objectives, assurance objectives and strategic priorities, inherent risk, resource constraints, and sufficient knowledge of the enterprise.

Scope assurance initiatives:

Define and agree with management on the scope of the assurance initiative, based on the assurance objectives.
Execute assurance initiatives:

Execute the planned assurance initiative. Report on identified findings. Provide positive assurance opinions, where appropriate, and recommendations for improvement relating to identified operational performance, external compliance and internal control system residual risks.

5.b


· Reliability: It refers to the consistency with which a program operates over a period of time. Poor setting of parameters and hard coding of some data could subsequently result in the failure of a program after some time.

· Robustness: It refers to the application's strength to uphold its operations in adverse situations, by taking into account all possible inputs and outputs of a program, including the least likely ones.

· Accuracy: It refers not only to 'what program is supposed to do', but should also take care of 'what it should not do'. The second part becomes more challenging for quality control personnel and auditors.

· Efficiency: It refers to the performance per unit cost with respect to relevant parameters and it should not be unduly affected with the increase in input values.

· Usability: It refers to a user-friendly interface and easy-to-understand internal/external documentation.

· Readability: It refers to the ease of maintenance of program even in the absence of the program developer.

5.c


Private

· Improves average server utilization;

· High level of security and privacy to the user.

Public

a. Affordable: The cloud is offered to the public on a pay-as-you-go basis; hence the user has to pay only for what he or she is using (using on a per-hour basis) and this does not involve any cost related to the deployment. There is no need for establishing infrastructure for setting up and maintaining the cloud.


b. Highly Available: It is highly available because anybody from any part of the world can access the public cloud with proper permission, and this is not possible in other models as geographical or other access restrictions might be there.

6.a


Factors influencing an organization toward controls and audit of computers, and the impact of the information systems audit function on organizations, are:

• Costs of Data Loss in Organization: Data is a critical resource of an organisation for its present and future processes and for its ability to adapt and survive in a changing environment.

• Cost of Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigation and correction of the processes. These high-level decisions require accurate data to make quality decision rules.

• Costs of Computer Abuse: Unauthorised access to computer systems, malware, unauthorised physical access to computer facilities and unauthorised copies of sensitive data can lead to destruction of assets (hardware, software, data, information, etc.).

• Cost of Computer Hardware, Software and Personnel: These are critical resources of an organisation, which have a considerable impact on its infrastructure and business competitiveness.

• Costs of Computer Error: In a computerised enterprise environment where many critical business processes are performed, a data error during entry or processing could cause great damage.

• Cost of Privacy Leaks: Today, data collected in a business process contains private information about individuals too. Such data was also collected before computers, but now there is a fear that privacy has eroded beyond acceptable levels.

• Controlled Evolution of Computer Use: The reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.

6.c


In an asynchronous transmission environment, numerous transmissions may have to wait for the line to be clear before their data is sent.

Data that is waiting to be transmitted is liable to unauthorized access; this is called an asynchronous attack.

i. Subversive Threats: An intruder attempts to violate the integrity of some component in the sub-system.

Subversive attacks can provide intruders with important information about the messages being transmitted, and the intruder can manipulate these messages in many ways. An intruder attempts to violate the integrity of some component in the sub-system by:

1. Invasive tap: By installing it on the communication line, the intruder may read and modify data.

2. Inductive tap: It monitors electromagnetic emissions from the line and allows the data to be read only, not modified.

3. Wiretapping: This involves spying on information being transmitted over a telecommunication network.

4. Piggybacking: This is the act of following an authorized person through a secured door, or of electronically attaching to an authorized telecommunication link in order to intercept and alter transmissions.

7.a


Benefits of Expert Systems

(1) Expert Systems preserve knowledge that might be lost through retirement, resignation or death of an acknowledged company expert.

(2) Expert Systems put information into an active-form so it can be summoned almost as a real-life expert might be summoned.

(3) Expert Systems assist novices/beginners in thinking the way experienced professional do.

(4) Expert Systems are not subject to such human failings as fatigue, being too busy, or being emotional.

(5) Expert Systems can be effectively used as a strategic tool in the areas of marketing products, cutting costs and improving products.

7.b



• The need for the audit to be conducted within a reasonable period of time and at a reasonable cost.

• The matter of difficulty, time, or cost involved is not in itself a valid basis for the auditor to omit an audit procedure for which there is no alternative or to be satisfied with audit evidence that is less than persuasive.

• Fraud, particularly fraud involving senior management or collusion.

• The existence and completeness of related party relationships and transactions.

• The occurrence of non-compliance with laws and regulations.

• Future events or conditions that may cause an entity to cease to continue as a going concern.

7.c





Advantage of BYOD are as follows:

a. Happy Employees: Employees like to use their own devices at work. This also reduces the number of devices an employee has to carry; otherwise he would be carrying his personal as well as organization-provided devices.



b. Lower IT budgets: This can yield financial savings for the organization, since employees use devices they already own, reducing the organization's outlay on providing devices to them.



c. Reduced IT support requirement: The IT department does not have to provide end-user support and maintenance for all these devices, resulting in cost savings.



d. Early adoption of new Technologies: Employees are generally proactive in adoption of new technologies that result in enhanced productivity of employees leading to overall growth of business.

7.d


Auditing physical access requires the auditor to review the physical access risk and controls to form an opinion on the effectiveness of the physical access controls.  This involves the following:

· Risk Assessment: The auditor must satisfy him/herself that the risk assessment procedure adequately covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of safeguards and exposures there from.


· Controls Assessment: The auditor based on the risk profile evaluates whether the physical access controls are in place and adequate to protect the IS assets against the risks.

· Review of Documents: It requires examination of relevant documentation such as the security policy and procedures, premises plan, building plans, inventory list and cabling diagrams.

7.e

Limitations of MIS — Major Limitations of MIS are given as follows:

1. Quality of output is directly proportional to quality of input. The quality of the outputs of MIS is basically governed by the quality of its inputs and processes.

2. MIS is not a substitute for effective management, which means that it cannot replace managerial judgment in making decisions in different functional areas. It is merely an important tool in the hands of executives for decision making and problem solving.

3. MIS may not have requisite flexibility to quickly update itself with the changing needs of time, especially in fast changing and complex environment.

4. MIS cannot provide tailor-made information packages suitable for the purpose of every type of decision made by executives.

Comments

  1. Thank you for providing this solution. I have written an 84-marks paper with correct headings & mixed language (not so technical); can I get exemption in it?

    Reply:
    1. Nice! I cannot say about marks, but wish you good luck.
