Suggested answer May 2019 - Information and System Audit

Suggested Answers ISCA May 2019 - Compiled by Ajmer Din

Download - https://drive.google.com/open?id=1pcLWC7sBnGRhk5RhyA2MBkkA5lpCUcuw

1(a)

Methods of Validating the proposal:

Large organizations would naturally tend to adopt a sophisticated and objective approach to validate the vendor’s proposal. Some of the validation methods are given as follows:

- Checklists: It is the most simple and a subjective method for validation and evaluation. The various criteria are put in check list in the form of suitable questions against which the responses of the various vendors are validated. For example, Support Service Checklists may have parameters like Performance; System development, Maintenance, Conversion, Training, Back-up, Proximity, Hardware and Software.

- Point-Scoring Analysis: Point-scoring analysis provides an objective means of selecting a final system. There are no absolute rules in the selection process, only guidelines for matching user needs with software capabilities. Thus, even for a small business, the evaluators must consider such issues as the company’s data processing needs, its in -house computer skills, vendor reputations, software costs, and so forth.

-Public Evaluation Reports: Several consultancy as well as independent agencies compare and contrast the hardware and software performance for various manufacturers and publish their reports in this regard. This method has been frequently and usefully employed by several buyers in the past. For those criteria, however, where published reports are not available, reports would have to be made to other methods of validation. This method is particularly useful where the buying staff has inadequate knowledge of facts.

- Benchmarking Problems related Vendor’s Solutions: Benchmarking problems related to vendors’ proposals are accomplished by sample programs that represent at least a part of the buyer’s primary work load and include considerations and can be current applications that have been designed to represent planned processing needs. That is, benchmarking problems are oriented towards testing whether a solution offered by the vendor meets the requirements of the job on hand of the buyer.

- Testing Problems: Test problems disregard the actual job mix and are devised to test the true capabilities of the hardware, software or system. For example, test problems may be developed to evaluate the time required to translate the source code (program in an assembly or a high level language) into the object code (machine language), response time for two or more jobs in multi-programming environment, overhead requirements of the operating system in executing a user program, length of time required to execute an instruction, etc. The results, achieved by the machine can be compared and price performance judgment can be made. It must be borne in mind, however that various capabilities to be tested would have to be assigned relative weight - age.

1(b)

Major benefits of governance. These can be summarized as follows:
-  Achieving enterprise objectives by ensuring that each element of the mission and strategy are assigned and managed with a clearly understood and transparent decisions rights and accountability framework;
-  Defining and encouraging desirable behavior in the use of IT and in the execution of IT outsourcing arrangements;
- Implementing and integrating the desired business processes into the enterprise;
- Providing stability and overcoming the limitations of organizational structure;
- Improving customer, business and internal relationships and satisfaction, and reducing internal territorial strife by formally integrating the customers, business units, and external IT providers into a holistic IT governance framework; and
- Enabling effective and strategically aligned decision making for the IT Principles that define the role of IT, IT Architecture, IT Infrastructure, Application Portfolio and Frameworks, Service Portfolio, Information and Competency Portfolios and IT Investment & Prioritization.

1(c)

COBIT 5 provides key management practices for ensuring compliance with external compliances as relevant to the enterprise. The practices are given as follows:

- Identify External Compliance Requirements: On a continuous basis, identify and monitor for changes in local and international laws, regulations, and other external requirements that must be complied with from an IT perspective.

- Optimize Response to External Requirements: Review and adjust policies, principles, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. Consider industry standards, codes of good practice, and best practice guidance for adoption and adaptation

- Confirm External Compliance: Confirm compliance of policies, principles, standards, procedures and methodologies with legal, regulatory and contractual requirements

- Obtain Assurance of External Compliance: Obtain and report assurance of compliance and adherence with policies, principles, standards, procedures and methodologies. Confirm that corrective actions to address compliance gaps are closed in a timely manner.

2 (a)

The performance of evidence collection and understanding the reliability of controls involves the following major issues:

- Data retention and storage: A client’s storage capabilities may restrict the amount of historical data that can be retained “on-line” and readily accessible to the auditor. If the client has insufficient data retention capacities the auditor may not be able to review a whole reporting period transactions on the computer system. For example, the client’s computer system may save data on detachable storage device by summarizing transactions into monthly, weekly or period end balances.

- Absence of input documents: Transaction data may be entered into the computer directly without the presence of supporting documentation e.g. input of telephone orders into a telesales system. The increasing use of EDI will result in less paperwork being available for audit examination.

- Non-availability of audit trail: The audit trails in some computer systems may exist for only a short period of time. The absence of an audit trail will make the auditor’s job very difficult and may call for an audit approach which involves auditing around the computer system by seeking other sources of evidence to provide assurance that the computer input has been correctly processed and output.

- Lack of availability of output: The results of transaction processing may not produce a hard copy form of output, i.e. a printed record. In the absence of physical output it may be necessary for the auditor to directly access the electronic data retained on the client’s computer. This is normally achieved by having the client provide a computer terminal and being granted “read-only” access to the required data files.

- Audit evidence: Certain transactions may be generated automatically by the computer system. For example, a fixed asset system may automatically calculate depreciation on assets at the end of each calendar month. The depreciation charge may be automatically transferred (journalized) from the fixed assets register to the depreciation account and hence to the client’s income and expenditure account.

- Legal issues: The use of computers to carry out trading activities is also increasing. More organizations in both the public and private sector intend to make use of EDI and lectronic trading over the Internet. This can create problems with contracts, e.g. when is the contract made, where is it made (legal jurisdiction), what are the terms of the contract and who are the parties to the contract.

2(b)

The Executive Decision-Making Environment – The type of decisions that executives must make are very broad. Often, executives make these decisions based on a vision they have regarding ‘what it will take to make their enterprise successful.’ To a large extent, executives rely much more on their own intuition than on the sophisticated analytical skills. The intuitive character of executive decision making is reflected strongly in the types of information found most useful to executives.

Five characteristics of the types of information used in executive decision making are given as follows:

- Lack of structure – Many of the decisions made by executives are relatively unstructured. These types of decisions are not as clear-cut as deciding how to debug a computer program or how to deal with an overdue account balance. Also, it is not always obvious, ‘which data are required’ or ‘how to weigh available data when reaching a decision.’

- High degree of uncertainty – Executives work in a decision space that is often characterized by a lack of precedent. For example, when the Arab oil embargo hit in mid 1970s, no such previous event could be referenced for advice. Executives also work in a decision space where results are not scientifically predictable from actions. If prices are lowered, for instance, product demand will not automatically increase.

- Future orientation – Strategic-planning decisions are made in order to shape future events. As conditions change, enterprises must change also. It is the executive’s responsibility to make sure that the organization keeps pointed toward the future. Some key questions about the future include: “How will future technologies affect what the company is currently doing? What will the competition (or the government) do next? What products will consumers demand five years from now?” As one can see, the answers to all of these questions about the future external environment are vital.

- Informal Source – Executives, more than other types of managers, rely heavily on informal source for key information. For example, lunch with a colleague in another firm might reveal some important competitor strategies. Informal sources such as television might also feature news of momentous concern to the executive – news that he or she would probably never encounter in the company’s database or in scheduled computer reports.

- Low level of detail – Most important executive decisions are made by observing broad trends. This requires the executive to be more aware of the large overview than the tiny items. Even so, many executives insist that the answers to some questions can only be found by mucking through details.


2(c)

The following are some of the disadvantages and limitations of the use of the continuous audit system:

- Auditors should be able to obtain resources required from the organization to support development, implementation, operation, and maintenance of continuous audit techniques.

- Continuous audit techniques are more likely to be used if auditors are involved in the development work associated with a new application system.

- Auditors need the knowledge and experience of working with computer systems to be able to use continuous audit techniques effectively and efficiently.

- Continuous auditing techniques are more likely to be used where the audit trail is less visible and the costs of errors and irregularities are high.

- Continuous audit techniques are unlikely to be effective unless they are implemented in an application system that is relatively stable.

3(a)

Various phases of Programme development life cycle

- Planning

Techniques like Work Breakdown Structures (WBS), Gantt charts and PERT (Program Evaluation and Review Technique) Charts can be used to monitor progress against plan.

- Control

The Control phase has two major purposes:
- Task progress in various software life-cycle phases should be monitored against plan and corrective action should be taken in case of any deviations.
- Control over software development, acquisition, and implantation tasks should be exercised to ensure software released for production use is authentic, accurate, and complete.

- Design

A systematic approach to program design, such as any of the structured design approaches or object-oriented design is adopted.

- Coding

Programmers must choose a module implementation and integration strategy (like Top-down, Bottom-up and Threads approach), a coding strategy (that follows the percepts of structured programming), and a documentation strategy (to ensure program code is easi ly readable and
understandable).

- Testing

Three types of testing can be undertaken:
- Unit Testing – which focuses on individual program modules;
- Integration Testing – Which focuses in groups of program modules; and
- Whole-of-Program Testing – which focuses on whole program. These tests are to ensure that a developed or acquired program achieves its specified requirements.

- Operation and Maintenance

Management establishes formal mechanisms to monitor the status of operational programs so maintenance needs can be identified on a timely basis. Three types of maintenance can be used are as follows:
- Repair Maintenance – in which program errors are corrected;
- Adaptive Maintenance – in which the program is modified to meet changing user requirements; and
- Perfective Maintenance - in which the program is tuned to decrease the resource consumption.

3(b)

Tactical Layer: At the tactical layer, security administration is put in place. This includes:

- Timely updates to user profiles, like creating/deleting and changing of user accounts. Auditor needs to check that any change to user rights is a formal process including approval from manager of the employee.

-  IT Risk Management: This function is another important function performed, it includes the following activities:
o Assessing risk over key application controls;
o Conducting a regular security awareness programme on application user ;
o Enabling application users to perform a self-assessment/complete compliance checklist questionnaire to gauge the users’ understanding about application security;
o Reviewing application patches before deployment and regularly monitoring critical application logs;
o Monitoring peripheral security in terms of updating antivirus software;

An auditor should understand the risk associated with each application and obtain a report on periodic risk assessment on the application or self-assessment/compliance reports on the application.

- Interface Security: This relates to application interfaced with another application in an organization. An auditor needs to understand that data flow to and from the application. Security of the interfaced data is also important, especially when unencrypted methods of transmission are used for data transmission.

- Audit Logging and Monitoring: Regular monitoring the audit logs is required. The same is not possible for all transactions, so must be done on an exception reporting basis.

3(c)

(i)

"Electronic Form" with reference to information means any information generated, sent, received or stored in media, magnetic, optical, computer memory, micro film, computer generated micro fiche or similar device;

(ii)

"Information" includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

(iii)

"Key Pair", in an asymmetric crypto system, means a private key and its mathematically related public key, which are so related that the public key can verify a digital signature created by the private key;

4(a)

Characteristics of Software as a Service (SaaS) are as follows:

• One to Many: SaaS services are delivered as one-to-many models where a single instance of the application can be shared by multiple customers.

• Web Access: SaaS services allow the end users to access the application from any location of the device is connected to the Internet.

• Centralized Management: Since SaaS services are hosted and managed from the central location, the SaaS providers perform the automatic updates to ensure that each customer is accessing the most recent version of the application without any user-side updates.

• Multi-device Support: SaaS services can be accessed from any end user devices such as desktops, laptops, tablets, smartphones, and thin clients.

• Better Scalability: Most of the SaaS services leverage PaaS and IaaS for its development and deployment and ensure a better scalability than traditional; software.

• High Availability: SaaS services ensure 99.99% availability of user data as proper backup and recovery mechanisms are implemented.

• API Integration: SaaS services have the capability of integrating with other software or service through standard APIs.

4(b)

For many organizations, a very simple classification criterion of information is given as follows:

- Top Secret: Highly sensitive internal information (e.g. pending mergers or acquisitions; investment strategies; plans or designs) that could seriously damage the organization if such information were lost or made public. Information classified as Top Secret information has very restricted distribution and must be protected at all times. Security at this level should be the highest possible.

- Highly Confidential: Information that, if made public or even shared around the organization, could seriously impede the organization’s operations and is considered critical to its ongoing operations. Information would include accounting information, business plans, sensitive customer information of banks, solicitors and accountants, patient's medical records and similar highly sensitive data. Such information should not be copied or removed from the organization’s operational control without specific authority. Security at this level should be very high.

- Proprietary: Information of a proprietary nature; procedures, operational work routines, project plans, designs and specifications that define the way in which the organization operates. Such information is normally for proprietary use to authorized personnel only. Security at this level should be high.

- Internal Use only: Information not approved for general circulation outside the organization where its loss would inconvenience the organization or management but where disclosure is unlikely to result in financial loss or serious damage to credibility.

Examples would include, internal memos, minutes of meetings, internal project reports. Security at this level should controlled but normal.

- Public Documents: Information in the public domain; annual reports, press statements etc.; which has been approved for public use. Security at this level should minimal.

4(c)

The Insurance Regulatory and Development Authority of India (IRDA) is the apex body overseeing the insurance business in India. It protects the interests of the policyholders, regulates, promotes and ensures orderly growth of the insurance in India. Information System Audit has a significant role to play in the emerging Insurance Sector. Information System Audit aims at providing assurance in respect of Confidentiality, Availability and Integrity for Information systems. It also looks at their efficiency, effectiveness and responsiveness. It focuses on compliance with laws and regulations, which are given as follows:

(i) System Audit: These are as follows:
- All insurers shall have their systems and process audited at least once in three years by a CA firm.
- In doing so, the current internal or concurrent or statutory auditor is not eligible for appointment.
- CA firm must be having a minimum of 3-4 years experience of IT systems of banks or mutual funds or insurance companies.

(ii) Preliminaries
Before proceeding with the audit, the auditor is expected to obtain the following information at the audit location:
- Location(s) from where Investment activity is conducted.
- IT Applications used to manage the Insurer’s Investment Portfolio.
- Obtain the system layout of the IT and network infrastructure including: Server details, database details, type of network connectivity, firewalls other facilities/ utilities (describe).
- Are systems and applications hosted at a central location or hosted at different office?
- Previous Audit reports and open issues / details of unresolved issues from:
o Internal Audit,
o Statutory Audit, and
o IRDA Inspection / Audit.
- Internal circulars and guidelines of the Insurer.
- Standard Operating Procedures (SOP).
- List of new Products/funds introduced during the period under review along with IRDA approvals for the same.
- Scrip wise lists of all investments, fund wise, classified as per IRDA Guidelines, held on date.
- IRDA Correspondence files, circulars and notifications issued by IRDA.
- IT Security Policy.
- Business Continuity Plans.
- Network Security Reports pertaining to IT Assets.

(iii) System Controls: These are as follows:
- There should be Electronic transfer of Data without manual intervention. All Systems should be seamlessly integrated. Audit Trail required at every Data entry point. Procedures for reviewing and maintaining audit trail should be implemented.
- The auditor should comment on the audit trail maintained in the system for various activities. The auditor should review the Front Office Systems (FOS), MOS (Mid Office Systems) and BOS (Back Office Systems) and confirm that the system maintains audit trail for data entry, authorization, cancellation and any subsequent modifications.
- Further, the auditor shall also ascertain that the system has separate logins for each user and maintains trail of every transaction with respect to login ID, date and time for each data entry, authorization and modifications.

5(a)
Components of BCM process

Information Collection
- Business Impact analysis
- Risk Assessment

BCM Strategies

- Organization BCM Strategy
- Process Level BCM Strategy
- Resource Recovery BCM

Development & Implementation

- Implement Management Plan
- Business Continuity Plans

Testing and Maintenance

- Testing of BCM Plans
- BCM Maintenance
- BCM Audit and Review

BCM Strategies
- Assessing Needs
- Designing & Delivering Training
- Measuring Results

5(b)

Information Systems Audits has been categorized into five types:

(i) Systems and Application: An audit to verify that systems and applications are appropriate, are efficient, and are adequately controlled to ensure valid, reliable, timely, and secure input, processing, and output at all levels of a system's activity.


(ii) Information Processing Facilities: An audit to verify that the processing facility is controlled to ensure timely, accurate, and efficient processing of applications under normal and potentially disruptive conditions.

(iii) Systems Development: An audit to verify that the systems under development meet the objectives of the organization and to ensure that the systems are developed in accordance with generally accepted standards for systems development.

(iv) Management of IT and Enterprise Architecture: An audit to verify that IT management has developed an organizational structure and procedures to ensure a controlled and efficient environment for information processing.

(v) Telecommunications, Intranets, and Extranets: An audit to verify that controls are in place on the client (end point device), server, and on the network connecting the clients and servers.

5(c)

Business Intelligence (BI) refers to applications and technologies that are used to collect and provide access and analyze data and information about companies operations. BI software consists of range of tools. Some BI applications are used to analyze performance or internal operations e.g. EIS (executive information system), business planning, finance and budgeting tools.

While others are used to store and analyze data e.g. Data mining, data warehouses , Decision support system etc. Some BI applications are also used to analyze or manage the human resources e.g. customer relationship and marketing tools. A complete Business Intelligence provides consistent and standard information essential in enterprise operations.

6(a)

Well documented SRS may normally contains the following sections: -

Introduction: Goals, Objectives, software context, Scope and Envi ronment of the computer-based system.
- Information Description: Problem description; Information content, flow and structure; Hardware, software, human interfaces for external system elements and internal software functions.
- Functional Description: Diagrammatic representation of functions; Processing narrative for each function; Interplay among functions; Design constraints.
- Behavioral Description: Response to external events and internal controls.
- Validation Criteria: Classes of tests to be performed to validate functions, performance and constraints.
- Appendices: Data flow/Object Diagrams; Tabular Data; Detailed description of algorithms charts, graphs and other such material.
- SRS Review: The development team makes a presentation and then hands over the SRS document to be reviewed by the user or customer. The review reflects the development team’s understanding of the existing processes.

6(b)

Enterprises need to take steps to ensure compliance with cyber laws. Some key steps for ensuring compliance are given below:
- Designate a Cyber Law Compliance Officer as required.
- Conduct regular training of relevant employees on Cyber Law Compliance.
- Implement strict procedures in HR policy for non-compliance.
- Implement authentication procedures as suggested in law.
- Implement policy and procedures for data retention as suggested.
- Identify and initiate safeguard requirements as applicable under various provisions of the Act such as: Sections 43A, 69, 69A, 69B, etc.
- Implement applicable standards of data privacy on collection, retention, access, deletion etc.
- Implement reporting mechanism for compliance with cyber laws.

6(c)

Quality Assurance Management Controls
- Auditors might use interviews, observations and reviews of documentation to evaluate how well Quality Assurance (QA) personnel perform their monitoring role.
- Auditors might evaluate how well QA personnel make recommendations for improved standards or processes through interviews, observations, and reviews of documentation.
- Auditors can evaluate how well QA personnel undertake the reporting function and training through interviews, observations, and reviews of documentation.

OR

Strengths: Major strengths of agile model identified by the experts and practitioners include the following:
- Agile methodology has the concept of an adaptive team, which enables to respond to changing requirements.
- The team does not have to invest time and efforts and finally find that by the time they delivered the product, the requirement of the customer has changed.
- Face to face communication and continuous inputs from customer representative leaves little space for guesswork.