1(a) Benefits of COBIT 5
The COBIT 5 framework can be implemented in enterprises of all sizes and offers the following benefits:
- A comprehensive framework such as COBIT 5 enables enterprises to achieve their objectives for the governance and management of enterprise IT.
- The best practices of COBIT 5 help enterprises to create optimal value from IT by maintaining a balance between realizing benefits and optimizing risk levels and resource use.
- Further, COBIT 5 enables IT to be governed and managed in a holistic manner for the entire enterprise, taking in the full end-to-end business and IT functional areas of responsibility and considering the IT-related interests of internal and external stakeholders.
- COBIT 5 helps enterprises to manage IT-related risk and ensures compliance, continuity, security and privacy.
- COBIT 5 enables clear policy development and good practice for IT management, which in turn raises business user satisfaction.
- A key advantage of a generic framework such as COBIT 5 is that it is useful for enterprises of all sizes, whether commercial, not-for-profit or in the public sector.
- COBIT 5 supports compliance with relevant laws, regulations, contractual agreements and policies.
1(b) Before proceeding with the Information Systems Audit as per the provisions of IRDA (Insurance Regulatory and Development Authority of India), an IS auditor is expected to obtain the following information at the audit location:
• Location(s) from where Investment activity is conducted.
• IT Applications used to manage the Insurer’s Investment Portfolio.
• The system layout of the IT and network infrastructure, including server details, database details, type of network connectivity, firewalls and other facilities/utilities.
• Whether systems and applications are hosted at a central location or at different offices.
• Previous Audit reports and open issues / details of unresolved issues from Internal Audit, Statutory Audit, and IRDA Inspection / Audit.
• Internal circulars and guidelines of the Insurer.
• Standard Operating Procedures (SOP).
• List of new Products/funds introduced during the period under review along with IRDA approvals for the same.
• Scrip-wise lists of all investments, fund wise, classified as per IRDA Guidelines, held on date.
• IRDA Correspondence files, circulars and notifications issued by IRDA.
• IT Security Policy.
1(c) The audit objective and scope have a significant bearing on the skill and competence requirements of an IS auditor. The set of skills generally expected of an IS auditor includes:
- Sound knowledge of business operations, practices and compliance requirements;
- The requisite professional technical qualifications and certifications;
- A good understanding of information Risks and Controls;
- Knowledge of IT strategies, policy and procedural controls;
- Ability to understand technical and manual controls relating to business continuity; and
- Good knowledge of Professional Standards and Best Practices of IT controls and security.
2(a) Remote and distributed data processing applications can be controlled in many ways. Some of these are given as follows:
- Remote access to computers and data files over the network should be subject to access controls (the remote user must be authenticated and authorized before a session is granted).
- A terminal lock can assure physical security to some extent.
- Applications that can be remotely accessed via modems and other devices should be controlled appropriately.
- Terminal and computer operations at remote locations should be monitored carefully and frequently for violations.
- To prevent unauthorized users from gaining access to the system, there should be proper control over system documentation and manuals.
- Data transmission between remote locations should be controlled. The sending location should attach the control information that the receiving location needs to verify the genuineness and integrity of what it receives (for example record counts, hash totals, sequence numbers and a message authentication code).
- When replicated copies of files exist at multiple locations, it must be ensured that all copies are identical and contain the same information, and checks must also be made to ensure that duplicate data does not exist.
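The two transmission controls above (control information attached by the sender, and consistency checks across replicated copies) are shown below as an added worked example; it is not part of the original answer and not code from any insurer's system. The shared key, record layout and sample records are constructed for illustration. Amounts are integers in paise so that hash totals are exact. Note that record counts and hash totals on their own only catch accidental corruption; an attacker who alters a record can recompute them, so the HMAC over the whole batch is what gives genuineness.

```python
import hashlib
import hmac
import json

# Hypothetical shared secret between the sending and receiving locations.
SHARED_KEY = b"example-shared-key-rotate-me"

# Constructed sample batch (not real transactions); amounts in paise.
SAMPLE_RECORDS = [
    {"txn_id": "TXN0001", "account": "ACC-10", "amount": 150000},
    {"txn_id": "TXN0002", "account": "ACC-11", "amount": 25050},
    {"txn_id": "TXN0003", "account": "ACC-10", "amount": 9999},
]


def _canonical(obj):
    # Deterministic serialisation so sender and receiver MAC the same bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_batch(seq_no, records, key=SHARED_KEY):
    """Sender side: attach control information (count, hash total, sequence, MAC)."""
    payload = {
        "seq_no": seq_no,
        "record_count": len(records),
        "hash_total": sum(r["amount"] for r in records),
        "records": records,
    }
    payload["mac"] = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return payload


def verify_batch(batch, expected_seq_no, key=SHARED_KEY):
    """Receiver side: return the list of control failures (empty list means accept)."""
    failures = []
    body = {k: v for k, v in batch.items() if k != "mac"}
    expected_mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, batch.get("mac", "")):
        failures.append("mac mismatch: batch altered in transit or wrong key")
    records = batch.get("records", [])
    if batch.get("record_count") != len(records):
        failures.append("record count mismatch")
    if batch.get("hash_total") != sum(r["amount"] for r in records):
        failures.append("hash total mismatch")
    if batch.get("seq_no") != expected_seq_no:
        failures.append(f"sequence error: expected {expected_seq_no}, got {batch.get('seq_no')}")
    return failures


def replica_digest(records):
    """Order-independent digest of one replica, for comparing copies held at different sites."""
    lines = sorted(_canonical(r).decode() for r in records)
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def find_duplicates(records, key_field="txn_id"):
    """Transaction IDs that occur more than once within a replica."""
    seen, dups = set(), []
    for r in records:
        if r[key_field] in seen:
            dups.append(r[key_field])
        seen.add(r[key_field])
    return dups


if __name__ == "__main__":
    batch = build_batch(7, SAMPLE_RECORDS)
    print("clean batch:", verify_batch(batch, 7))
    print("replayed batch:", verify_batch(batch, 8))
    print("replicas equal:", replica_digest(SAMPLE_RECORDS) == replica_digest(SAMPLE_RECORDS[::-1]))
```

A replayed or out-of-order batch fails only the sequence check, while a batch edited in transit fails both the MAC and the hash total; the receiver should reject on any failure and log which control tripped.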
2(b) Major properties that an application should possess to qualify for Expert System development are given as follows:
• Availability: One or more experts can communicate ‘how they go about solving the problems to which the Expert System will be applied’.
• Complexity: Solution of the problems for which the Expert Systems will be used is a complex task that requires logical inference processing, which would not be easily handled by conventional information processing.
• Domain: The domain, or subject area, of the problem is relatively small and limited to a relatively well-defined problem area.
• Expertise: Solutions to the problem require the efforts of experts. That is, only a few possess the knowledge, techniques, and intuition needed.
• Structure: The solution process must be able to cope with ill-structured, uncertain, missing, and conflicting data, and a dynamic problem-solving situation.
2(c) Section 73 - Penalty for publishing Electronic Signature Certificate false in certain particulars
(1) No person shall publish an Electronic Signature Certificate or otherwise make it available to any other person with the knowledge that -
(a) the Certifying Authority listed in the certificate has not issued it; or
(b) the subscriber listed in the certificate has not accepted it; or
(c) the certificate has been revoked or suspended,
unless such publication is for the purpose of verifying a digital signature created prior to such suspension or revocation.
(2) Any person who contravenes the provisions of sub-section (1) shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both.
3(a) Determine if a disaster recovery/business resumption plan exists and was developed using a sound methodology that includes the following elements:
- Identification and prioritization of the activities, which are essential to continue functioning.
- The plan is based upon a business impact analysis that considers the impact of the loss of essential functions.
- Operations managers and key employees participated in the development of the plan.
- The plan identifies the resources that will likely be needed for recovery and the location of their availability.
- The plan is simple and easily understood so that it will be effective when it is needed.
- The plan is realistic in its assumptions.
3(b) Risk Management Strategies:
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them. Some risks may be minor, and it may not be cost effective to implement expensive control processes for them. Various risk management strategies are explained as follows:
• Tolerate/Accept the risk. One of the primary functions of management is managing risk. Some risks may be considered minor because their impact and probability of occurrence is low. In this case, consciously accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to ensure its impact remains low.
• Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of a particular technology, supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and by seeking more capable suppliers and vendors.
• Transfer/Share the risk. Risk mitigation approaches can be shared with trading partners and suppliers. A good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks associated with managing the IT infrastructure by being more capable and having access to more highly skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of realized risk to an insurance provider.
• Treat/mitigate the risk. Where other options have been eliminated, suitable controls must be devised and implemented to prevent the risk from manifesting itself or to minimize its effects.
• Turn back. Where the probability or impact of the risk is very low, then management may decide to ignore the risk.
3(c) Certain characteristics of Private Cloud are as follows:
• Secure: The private cloud is relatively secure because it is deployed and managed by the organization itself; hence there is less chance of data leaking out of the cloud.
• Central Control: Since the private cloud is managed by the organization itself, the organization does not need to rely on anybody else, and control rests with the organization.
• Weak Service Level Agreements (SLAs): SLAs play a very important role in any cloud deployment model, as they are the agreements between the user and the service provider. In a private cloud, formal SLAs either do not exist or are weak, since the agreement is between the organization and users within the same organization. Thus, high availability and good service may or may not be assured.
4(a) Audit trails can be used to support security objectives in the following three ways:
• Detecting Unauthorized Access: Detecting unauthorized access can occur in real time or after the fact. The primary objective of real-time detection is to protect the system from outsiders who are attempting to breach system controls. A real-time audit trail can also be used to report on changes in system performance that may indicate infestation by a virus or worm. Depending upon how much activity is being logged and reviewed, real-time detection can impose a significant overhead on the operating system, which can degrade operational performance. After-the-fact detection logs can be stored electronically and reviewed periodically or as needed. When properly designed, they can be used to determine whether unauthorized access was accomplished, or attempted and failed.
• Reconstructing Events: Audit analysis can be used to reconstruct the steps that led to events such as system failures, security violations by individuals, or application processing errors. Knowledge of the conditions that existed at the time of a system failure can be used to assign responsibility and to avoid similar situations in future. Audit trail analysis also plays an important role in accounting control. For example, by maintaining a record of all changes to account balances, the audit trail can be used to reconstruct accounting data files that were corrupted by a system failure.
• Personal Accountability: Audit trails can be used to monitor user activity at the lowest level of detail. This capability is a preventive control in that it influences behavior: individuals are less likely to violate an organization's security policy if they know that their actions are recorded in an audit log.
4(b) Logical access control pertaining to Application and Monitoring System Access Control
Information access restriction
Access to information is restricted by application-specific menu interfaces, which limit access to system functions. A user is allowed to access only those items he or she is authorized to access. Controls are implemented on the access rights of users, for example read, write, delete and execute, and ensure that sensitive output is sent only to authorized terminals and locations.
Sensitive system isolation
Based on the criticality of a system to the enterprise, it may even be necessary to run the system in an isolated environment.
Monitoring system access and use is a detective control that checks whether the preventive controls discussed so far are working. If they are not, this control detects and reports unauthorized activities.
Event logging
In computer systems it is easy and viable to maintain extensive logs for all types of events. It is necessary to verify that logging is enabled and that the logs are archived properly. An intruder may attempt to penetrate the system by trying different user ID and password combinations. All incoming and outgoing requests, along with attempted accesses, should be recorded in a transaction log. The log should record the user ID, the time of the access and the terminal location from which the request originated.
Monitor system use
Based on the risk assessment, constant monitoring of some critical systems is essential. Define the types of accesses, operations, events and alerts that will be monitored. The extent of detail and the frequency of review should be based on the criticality of the operation and the risk factors. The log files are to be reviewed periodically, and attention should be given to any gaps in these logs.
Clock synchronization
Event logs maintained across an enterprise network play a significant role in correlating events and reporting on them. Hence, synchronizing the clocks across the network to a standard time source is mandatory.
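The three review steps in 4(a) and 4(b) above (detecting repeated failed logins, looking for gaps in the log, and checking that host clocks agree) are shown below as one added worked example. It is not part of the original answer and does not come from any real product; the log format, host names, users and timestamps are constructed for illustration. Each line carries the host's own clock (`ts`), the central collector's receipt time (`recv`) and a per-host sequence number, which is what makes the gap and skew checks possible.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system).
SAMPLE_LOG = """\
ts=2024-03-04T09:00:01Z recv=2024-03-04T09:00:01Z host=app01 seq=100 user=alice term=T17 event=LOGIN result=OK
ts=2024-03-04T09:01:10Z recv=2024-03-04T09:01:11Z host=app01 seq=101 user=bob term=T22 event=LOGIN result=FAIL
ts=2024-03-04T09:01:25Z recv=2024-03-04T09:01:25Z host=app01 seq=102 user=bob term=T22 event=LOGIN result=FAIL
ts=2024-03-04T09:01:40Z recv=2024-03-04T09:01:41Z host=app01 seq=103 user=bob term=T22 event=LOGIN result=FAIL
ts=2024-03-04T09:02:05Z recv=2024-03-04T09:02:05Z host=app01 seq=106 user=bob term=T22 event=LOGIN result=OK
ts=2024-03-04T08:47:30Z recv=2024-03-04T09:02:30Z host=db01 seq=501 user=carol term=T03 event=QUERY result=OK
ts=2024-03-04T08:47:55Z recv=2024-03-04T09:02:55Z host=db01 seq=502 user=carol term=T03 event=QUERY result=OK
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text):
    """Turn key=value log lines into dicts with typed timestamps and sequence numbers."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(FIELD_RE.findall(line))
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        rec["recv"] = datetime.strptime(rec["recv"], TS_FMT)
        rec["seq"] = int(rec["seq"])
        events.append(rec)
    return events


def detect_failed_logins(events, threshold=3, window=timedelta(minutes=5)):
    """(user, terminal) pairs with at least `threshold` failed logins inside `window`."""
    alerts = []
    recent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] != "LOGIN" or e["result"] != "FAIL":
            continue
        key = (e["user"], e["term"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) >= threshold:
            alerts.append(key)
            recent[key] = []  # one alert per burst
    return alerts


def detect_sequence_gaps(events):
    """Missing per-host sequence numbers: records were lost, suppressed or deleted."""
    gaps = {}
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e["seq"])
    for host, seqs in by_host.items():
        present = set(seqs)
        missing = sorted(set(range(min(seqs), max(seqs) + 1)) - present)
        if missing:
            gaps[host] = missing
    return gaps


def detect_clock_skew(events, tolerance=timedelta(seconds=30)):
    """Worst offset between a host's clock and the collector's clock, for hosts beyond tolerance.

    Events from such hosts cannot be correlated with other hosts until the clock is fixed."""
    worst = {}
    for e in events:
        skew = e["recv"] - e["ts"]
        if abs(skew) > tolerance and abs(skew) > abs(worst.get(e["host"], timedelta(0))):
            worst[e["host"]] = skew
    return worst


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", detect_failed_logins(evs))
    print("sequence gaps:", detect_sequence_gaps(evs))
    print("clock skew:", detect_clock_skew(evs))
```

In the sample, bob's three failures from terminal T22 followed by a success is the pattern the answer warns about, the jump from seq 103 to 106 on app01 is the kind of gap a reviewer must chase, and db01 reporting events 15 minutes behind the collector shows why an unsynchronized clock makes cross-host correlation unreliable.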
4(c) (i) "Access"
with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;
4(c) (ii) "Intermediary"
with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
4(c) (iii) "Asymmetric Crypto System"
means a system of a secure key pair consisting of a private key for creating a digital signature and a public key to verify the digital signature;
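To make the definition in 4(c)(iii) concrete, and to show the rule in Section 73 (2(c) above) that a signature made before a certificate was suspended or revoked may still be verified, here is an added example; it is not part of the Act or of the original answer. The key pair is textbook RSA built from two Mersenne primes, giving a modulus of about 92 bits, which is far too small and lacks the padding (PKCS#1 v1.5 or PSS) that real schemes use; it is a toy to show that the private key creates the signature and the public key verifies it. The certificate record and its revocation date are likewise constructed.

```python
import hashlib
from datetime import datetime

# Toy parameters: primes 2^31-1 and 2^61-1 (both prime), public exponent 65537.
# Insecure by design; illustrative only.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+ modular inverse)


def _digest(message):
    # Hash the message and reduce it into the RSA group; a real scheme would pad instead.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message, private_exponent=D, modulus=N):
    """Create a digital signature with the private key."""
    return pow(_digest(message), private_exponent, modulus)


def verify(message, signature, public_exponent=E, modulus=N):
    """Verify a digital signature with the public key."""
    return pow(signature, public_exponent, modulus) == _digest(message)


# Constructed certificate record binding the public key to a subscriber (hypothetical).
SAMPLE_CERT = {
    "subscriber": "Example Insurer Ltd",
    "issuer": "Example Certifying Authority",
    "public_key": (N, E),
    "revoked_at": "2024-06-01T00:00:00",   # None if the certificate is still valid
}


def signature_verifiable(cert, signed_at_iso):
    """Section 73 rule: a revoked or suspended certificate may only be used to verify a
    signature created before the suspension or revocation."""
    if cert["revoked_at"] is None:
        return True
    return datetime.fromisoformat(signed_at_iso) < datetime.fromisoformat(cert["revoked_at"])


if __name__ == "__main__":
    msg = b"Pay INR 5,000 to account 123"
    sig = sign(msg)
    print("valid:", verify(msg, sig), "altered:", verify(msg + b"0", sig))
    print("pre-revocation:", signature_verifiable(SAMPLE_CERT, "2024-05-01T10:00:00"))
    print("post-revocation:", signature_verifiable(SAMPLE_CERT, "2024-07-01T10:00:00"))
```

The revocation check relies on a trustworthy signing time (in practice a timestamp from a time-stamping authority, not a field the signer chooses), otherwise a signer could backdate a signature made after revocation.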
5(a) (i) Key characteristics of Waterfall Model are given as follows:
• Project is divided into sequential phases, with some overlap and splash back acceptable between phases.
• Emphasis is on planning, time schedules, target dates, budgets and implementation of an entire system at one time.
• Tight control is maintained over the life of the project through use of extensive written documentation, as well as through formal reviews and approval/signoff by the user and information technology management occurring at the end of most phases before beginning the next phase.
5(a) (ii) Strengths:
The fundamental strengths of the waterfall model have made it popular and handy among practitioners. Major strengths are given as follows:
- It is ideal for supporting less experienced project teams and project managers, or project teams whose composition fluctuates.
- The orderly sequence of development steps and design reviews help to ensure the quality, reliability, adequacy and maintainability of the developed software.
- Progress of system development is measurable.
- It conserves resources.
5(b) Following are some of the important implications of Information Systems in business:
• Information Systems help managers in efficient decision-making to achieve organizational goals.
• An organization will be able to survive and thrive in a highly competitive environment on the strength of a well-designed Information System.
• Information Systems help in making the right decision at the right time, i.e. just in time.
• A good Information System may help in generating innovative ideas for solving critical problems.
• Knowledge gathered through Information Systems may be utilized by managers in unusual situations.
• An Information System is viewed as a process; it can be integrated to formulate a strategy of action or operation.
5(c) Web 2.0 finds applications in different fields, some of which are as follows:
• Social Media: Social Media/Social Networking is an important application of Web 2.0, as it represents a fundamental shift in the way people communicate and share information. The social web offers a number of online tools and platforms that users can use to share their data, perspectives and opinions with other user communities.
• Marketing: Web 2.0 offers excellent opportunities for marketing by engaging customers in various stages of the product development cycle. It allows marketers to collaborate with consumers on various aspects such as product development, service enhancement and promotion. Companies can improve collaboration with business partners and consumers by utilizing the tools provided by the Web 2.0 paradigm. Consumer-oriented companies use networks such as Twitter and Facebook as common elements of multichannel promotion of their products.
• Education: Web 2.0 technologies can help the education scenario by providing students and faculty with more opportunities to interact and collaborate with their peers. By utilizing the tools of Web 2.0, the students get the opportunity to share what they learn with other peers by collaborating with them.
6(a) Major audit issues of operational layer regarding application security audit are given as follows:
• User Accounts and Access Rights: This includes defining unique user accounts and granting them access rights appropriate to their roles and responsibilities. The auditor must ensure that unique user IDs are used and that these are traceable to the individuals for whom they were created. Where guest IDs are used, they should be tested. Likewise, vendor accounts and third-party accounts should be reviewed. In essence, users and applications should be uniquely identifiable.
• Password Controls: In general, password strength, minimum password length, password age, password non-repetition (history) and automated lockout after three failed attempts should be set as a minimum. The auditor needs to check whether there are applications where password controls are weak. Where such instances are found, the auditor may look for compensating controls against such issues.
• Segregation of Duties: As frauds due to lack of segregation increase across the world, the importance of Segregation of Duties also increases. As defined earlier, Segregation of Duties is a basic internal control that prevents or detects errors and irregularities by assigning the responsibility for initiating and recording transactions and the custody of assets to separate individuals. Examples to illustrate:
o The record keeper of an asset must not be its custodian.
o The cashier who creates a cash voucher in the system must not have the right to authorize payments.
o The maker must not be the checker.
The auditor needs to check that there is no violation of the above principle. Any violation may have serious repercussions and must be immediately communicated to those charged with governance.
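How an auditor would actually test the user-account and segregation-of-duties points above over an access-rights export is shown in the following added example; it is not part of the original answer and not taken from any real application. The export format, user IDs, names and function codes are constructed. The check aggregates rights per person rather than per user ID, because a maker/checker conflict is just as real when the same individual holds the two functions through two different IDs.

```python
from collections import defaultdict

# Constructed access-rights export (hypothetical): user ID, the person it traces to,
# account type, and the application functions granted.
ACCESS_EXPORT = [
    {"user_id": "u1001", "owner": "Asha Rao",   "type": "staff",  "functions": {"CREATE_VOUCHER"}},
    {"user_id": "u1002", "owner": "Vikram Das", "type": "staff",  "functions": {"CREATE_VOUCHER", "APPROVE_PAYMENT"}},
    {"user_id": "u1003", "owner": "Meera Iyer", "type": "staff",  "functions": {"MAINTAIN_ASSET_REGISTER", "CUSTODY_ASSET"}},
    {"user_id": "guest", "owner": None,         "type": "guest",  "functions": {"VIEW_REPORTS"}},
    {"user_id": "vendor_support", "owner": "Vendor XYZ (support)", "type": "vendor", "functions": {"CONFIG_ADMIN"}},
    {"user_id": "u1004", "owner": "Asha Rao",   "type": "staff",  "functions": {"APPROVE_PAYMENT"}},
]

# Function pairs one person must never hold together (maker/checker, record keeper/custodian).
CONFLICTING_PAIRS = [
    ("CREATE_VOUCHER", "APPROVE_PAYMENT"),
    ("MAINTAIN_ASSET_REGISTER", "CUSTODY_ASSET"),
]


def sod_violations(export, pairs=CONFLICTING_PAIRS):
    """Segregation-of-duties conflicts, evaluated per person across all of their user IDs."""
    rights_of = defaultdict(set)
    ids_of = defaultdict(list)
    for acct in export:
        if acct["owner"] is None:
            continue  # untraceable accounts are reported separately
        rights_of[acct["owner"]] |= acct["functions"]
        ids_of[acct["owner"]].append(acct["user_id"])
    violations = []
    for person, funcs in rights_of.items():
        for a, b in pairs:
            if a in funcs and b in funcs:
                violations.append({"person": person,
                                   "user_ids": sorted(ids_of[person]),
                                   "conflict": (a, b)})
    return sorted(violations, key=lambda v: v["person"])


def account_review(export):
    """IDs not traceable to a named individual, and vendor/third-party IDs needing review."""
    return {
        "untraceable": [a["user_id"] for a in export if a["owner"] is None],
        "third_party": [a["user_id"] for a in export if a["type"] in {"vendor", "third_party"}],
    }


if __name__ == "__main__":
    for v in sod_violations(ACCESS_EXPORT):
        print(f"SoD violation: {v['person']} via {v['user_ids']} holds {v['conflict']}")
    print(account_review(ACCESS_EXPORT))
```

Asha Rao is the case the per-ID view misses: u1001 can create vouchers and u1004 can approve payments, so together she is both maker and checker. The guest and vendor IDs are flagged for separate testing, as the answer requires.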
6(b) There are five categories of tests that a programmer typically performs on a program unit.
Such typical tests are described as follows:
• Functional Tests: Functional Tests check whether programs do what they are supposed to do. The test plan specifies operating conditions, input values and expected results; following this plan, the programmer inputs the values and checks whether the actual result and the expected result match.
• Performance Tests: Performance Tests should be designed to verify the response time, the execution time, throughput, primary and secondary memory utilization and the traffic rates on data channels and communication links.
• Stress Tests: Stress testing is a form of testing that is used to determine the stability of a given system or entity. It involves testing beyond normal operational capacity, often to a breaking point, to observe the results. These tests are designed to overload a program in various ways. The purpose of a stress test is to determine the limitations of the program. For example, during a sort operation, the available memory can be reduced to find out whether the program can handle the situation.
• Structural Tests: Structural Tests are concerned with examining the internal processing logic of a software system. For example, if a function is responsible for tax calculation, the verification of the logic is a structural test.
• Parallel Tests: In Parallel Tests, the same test data is used in the new and old system and the output results are then compared.
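A parallel test as described in the last bullet, as an added worked example that is not part of the original answer: the same test data is fed to a hypothetical legacy interest routine and its replacement, and every difference is reported. Both routines and the test data are constructed; the legacy routine uses float arithmetic and truncates to paise, the new one uses exact decimals rounded half-up, which is exactly the kind of divergence a parallel run is meant to surface before cut-over.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed test data (not real accounts): principal in rupees, annual rate in percent.
TEST_DATA = [
    ("1000.00", "7.25"),
    ("101.00", "0.125"),
    ("1.00", "0.5"),
]


def old_system_interest(principal, rate_pct):
    """Hypothetical legacy routine: float arithmetic, result truncated to paise."""
    raw = float(principal) * float(rate_pct) / 100
    return int(raw * 100) / 100


def new_system_interest(principal, rate_pct):
    """Hypothetical replacement: exact decimal arithmetic, rounded half-up to paise."""
    raw = Decimal(principal) * Decimal(rate_pct) / Decimal(100)
    return raw.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def parallel_test(data):
    """Run identical inputs through both systems and list every case whose outputs differ."""
    mismatches = []
    for principal, rate in data:
        old = Decimal(str(old_system_interest(principal, rate)))
        new = new_system_interest(principal, rate)
        if old != new:
            mismatches.append({"input": (principal, rate), "old": str(old), "new": str(new)})
    return mismatches


if __name__ == "__main__":
    for m in parallel_test(TEST_DATA):
        print(f"input {m['input']}: old={m['old']} new={m['new']}")
```

The first case agrees because 72.50 is exact in both systems; the other two differ by one paisa because the systems round differently. A parallel test does not say which system is right, only that they disagree, and each mismatch has to be traced to a documented business rule before the new system goes live.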
6(c) The organization must implement control procedures over source documents to account for each document, as described below:
- Use pre-numbered source documents: Source documents should come pre-numbered from the printer with a unique sequential number on each document. Source document numbers enable accurate accounting of document usage and provide an audit trail for tracing transactions through accounting records.
- Use source documents in sequence: Source documents should be distributed to the users and used in sequence. This requires that adequate physical security be maintained over the source document inventory at the user site. When not in use, documents should be kept under lock and key, and access to source documents should be limited to authorized persons.
- Periodically audit source documents: Missing source documents should be identified by reconciling document sequence numbers. Periodically, the auditor should compare the numbers of documents used to date with those remaining in inventory plus those voided due to errors. Documents not accounted for should be reported to management.
Or
6(c) Physical Component 'Modem' affecting reliability of Communication subsystem
- Increases the speed with which data can be transmitted over a communication line.
- Reduces the number of line errors that arise through distortion if they use a process called equalization.
- Reduces the number of line errors that arise through noise.